Environ Syst Decis (2013) 33:517–529
DOI 10.1007/s10669-013-9473-2
Heuristics and biases in cyber security dilemmas
Heather Rosoff • Jinshu Cui • Richard S. John
Published online: 28 September 2013
Ó Springer Science+Business Media New York 2013
Abstract Cyber security often depends on decisions
made by human operators, who are commonly considered a
major cause of security failures. We conducted 2 behav-
ioral experiments to explore whether and how cyber
security decision-making responses depend on gain–loss
framing and salience of a primed recall prior experience. In
Experiment I, we employed a 2 9 2 factorial design,
manipulating the frame (gain vs. loss) and the presence
versus absence of a prior near-miss experience. Results
suggest that the experience of a near-miss significantly
increased respondents’ endorsement of safer response
options under a gain frame. Overall, female respondents
were more likely to select a risk averse (safe) response
compared with males. Experiment II followed the same
general paradigm, framing all consequences in a loss frame
and manipulating recall to include one of three possible
prior experiences: false alarm, near-miss, or a hit involving
a loss of data. Results indicate that the manipulated prior
hit experience significantly increased the likelihood of
respondents’ endorsement of a safer response relative to
the manipulated prior near-miss experience. Conversely,
the manipulated prior false-alarm experience significantly
decreased respondents’ likelihood of endorsing a safer
H. Rosoff (&)
Sol Price School of Public Policy, University of Southern
California, Los Angeles, CA, USA
e-mail: rosoff@usc.edu
H. Rosoff
J. Cui
R. S. John
Center for Risk and Economic Analysis of Terrorism Events
(CREATE), University of Southern California, Los Angeles,
CA, USA
J. Cui
R. S. John
Department of Psychology, University of Southern California,
Los Angeles, CA, USA
response relative to the manipulated prior near-miss
experience. These results also showed a main effect for age
and were moderated by respondent’s income level.
Keywords Cyber security
Framing effect

Near-miss
Decision making
1 Introduction
Individual users regularly make decisions that affect the
security of their personal devices connected to the internet
and, in turn, to the security of the cybersphere. For
example, they must decide whether to install software to
protect from viruses and hackers, download files from
unknown sources, or submit personal identification infor-
mation for web site access or online purchases. Such
decisions involve actions that could result in various neg-
ative consequences (loss of data, reduced computer per-
formance or destruction of a computer’s hard drive).
Conversely, other alternative actions are available that
could protect individuals from negative outcomes, but also
could limit the efficiency and ease of use of the personal
device.
Aytes and Connolly (2004) propose a decision model of
computer-related behavior that suggests individuals make a
rational choice to either engage in safe or unsafe cyber
behavior. In their model, individual behavior is driven by
perceptions of the usefulness of safe and unsafe behaviors
and the consequences of each. More specifically, the model
captures how information sources, the user’s base knowl-
edge of cyber security, the user’s relevant perceptions (e.g.,
interpretations of the applicability of the knowledge), and
the user’s risk attitude influence individual cyber decision
making.
123
518
This paper reports on two behavioral experiments, using
over 500 respondents, designed to explore whether and
how recommended cyber security decision-making
responses depend on gain–loss framing and salience of
prior cyber dilemma experiences. More specifically, we
explored whether priming individuals to recall a prior
cyber-related experience influenced their decision to select
either a safe versus risky option in responding to a hypo-
thetical cyber dilemma. We hypothesized that recall of a hit
experience involving negative consequences would
increase feelings of vulnerability, even more so than a
near-miss, and lead to the endorsement of a risk averse
option. This result has been reported in the disaster liter-
ature, which has shown that individual decision making
depends on prior experiences, including hits, near-misses
(events where a hazardous or fatal outcome could have
occurred, but do not), and false alarms (Barnes et al. 2007;
Dillon et al. 2011; Siegrist and Gutscher 2008). Further-
more, damage from past disasters has been shown to sig-
nificantly influence individual perceptions of future risk
and to motivate more protective and mitigation-related
behavior (Kunreuther and Pauly 2004; Siegrist and Gut-
scher 2008; Slovic et al. 2005).
We anticipated that the effect of prior near-miss expe-
riences would depend on the interpretation of the prior
near-miss event by the respondent. This expectation was
based on near-miss research that has shown that future-
intended mitigation behavior depends greatly on the per-
ception of the near-miss event outcome. Tinsley et al.
(2012) describe two near-miss types—a resilient and vul-
nerable near-miss. A resilient near-miss is as an event that
did not occur. In these situations, individuals were found to
underestimate the danger of subsequent events and were
more likely to engage in risky behavior by choosing not to
take protective action. A vulnerable near-miss occurs when
a disaster almost happened. New information is incorpo-
rated into the assessment that counters the basic ‘‘near-
miss’’ definition and results in the individual being more
inclined to engage in risk averse behavior (the opposite
behavior related to a resilient near-miss interpretation). In
the cyber context, we expected that respondents who fail to
recognize a prior near-miss as a cyber threat would be more
likely to recommend the risky course of action. However, if
respondents view a recalled near-miss as evidence of vul-
nerability, then they would be more inclined to endorse the
safer option.
In the case of a recalled prior false-alarm experience,
one hypothesis known as the ‘‘cry-wolf effect’’ (Breznitz
2013) suggests that predictions of disasters that do not
materialize affect beliefs about the uncertainty associated
with future events. In this context, false alarms are believed
to create complacency and reduce willingness to respond to
future warnings, resulting in a greater likelihood of
123
Environ Syst Decis (2013) 33:517–529
engaging in risky behavior (Barnes et al. 2007; Donner
et al. 2012; Dow and Cutter 1998; Simmons and Sutter
2009). In contrast, there is research showing that the public
may have a higher tolerance for false alarms than antici-
pated. This is because of the increased credibility given to
the event due to the frequency with which it is discussed,
both through media sources and informal discussion, thus,
suggesting that false alarms might increase individuals’
willingness to be risk averse (Dow and Cutter 1998). We
anticipated that recall of prior false alarms would likely
make respondents feel less vulnerable and more willing to
prefer the risky option, compared with the near-miss and
hit conditions.
In our research, we also anticipated that there would be
some influence of framing on individual cyber decision
making under risk. Prospect theory and related empirical
research suggest that decision making under risk depends
on whether potential outcomes are perceived as a gain or as
a loss in relation to a reference point (Kahneman and
Tversky 1979; Tversky and Kahneman 1986). A common
finding in the literature on individual preferences in deci-
sion making shows that people tend to avoid risk under
gain frames, but seek risk when outcomes are framed as a
loss.
Prospect theory is discussed in the security literature,
but empirical studies in cyber security contexts are limited
(Acquisti and Grossklags 2007; Garg and Camp 2013;
Helander and Khalid 2000; Shankar et al. 2002; Verendel
2008). Among the security studies that have been con-
ducted, the results are mixed. The work by Schroeder and
colleagues on computer information security presented at
the 2006 Information Resources Management Association
International Conference found that decision makers were
risk averse in the gain frame, yet they showed no risk
preference in the loss frame. Similarly, in a 1999 presen-
tation about online shopping behavior by Helander and Du
at the International Conference on TQM and Human Fac-
tors, perceived risk of credit card fraud and the potential for
price inflation did not negatively affect purchase intention
(loss frame), while perceived value of a product was found
to positively affect purchase intention. We anticipated that
gain-framed messages in cyber dilemmas would increase
endorsement of protective responses and loss-framed
messages would have no effect on the endorsement of
protective options.
We also explored how subject variables affect the
strength and/or the direction of the relationship between the
manipulated variables, prior experience and gain–loss
framing, and the dependent variable, endorsement of safe
or unsafe options in response to cyber dilemmas. For
example, one possibility is that the relationship between
prior experience and risk averse behavior is greater for
individuals with higher self-reported victimization given
Environ Syst Decis (2013) 33:517–529
their increased exposure to cyber dilemma consequences.
Another possibility is that the relationship between the gain
frame and protective behavior would be less for younger
individuals because they are more familiar and comfortable
with the nuances of internet security. We anticipated that
there would be some difference in the patterns of response
as a function of sex, age, income, education, job domain,
and self-reported victimization.
The next section of this article describes the methods,
results, and a brief discussion for Experiment I, and Sect. 3
describes the methods, results, and a brief discussion for
Experiment II. The paper closes with a discussion of
findings across both experiments and how these results
suggest approaches to enhance and improve cyber security
by taking into account user decision making.
2 Experiment I
We conducted an experiment of risky cyber dilemmas with
two manipulated variables, gain–loss framing and primed
recall of a prior personal near-miss experience, to evaluate
individual cyber user decision making. The cyber dilem-
mas were developed to capture commonly confronted risky
cyber choices faced by individual users. In addition, in
Experiment I, the dependent variable focused on the advice
the respondent would provide to their best friend so as to
encourage more normative thinking about what might be
the correct response to the cyber dilemma. As such, each
cyber scenario described a risky choice dilemma faced by
the respondent’s ‘‘best friend,’’ and the respondent was
asked to recommend either a safe but inconvenient course
of action (e.g., recommend not downloading the music file
from an unknown source), or a risky but more convenient
option (e.g., recommend downloading the music file from
an unknown source).
2.1 Method
2.1.1 Design overview
In Experiment I, four cyber dilemmas were developed to
evaluate respondents’ risky choice behavior using a 2
(recalled personal near-miss experience or no recall control
condition) by 2 (gain versus loss-framed message) mixed
model factorial design with two dichotomous subject
variables: sex and self-reported victimization. Each par-
ticipant received all four dilemmas in a constant order.
Within this order, each of the four treatment conditions was
paired with each of the four dilemmas and counterbalanced
such that each of the dilemmas was randomly assigned to
each of the four treatment conditions.
519
After each cyber dilemma, respondents were asked to
respond on a 6-point scale (1 = strongly disagree to
6 = strongly agree) whether they would advise their ‘‘best
friend’’ to proceed in taking a risky course of action.
Responses of 1–3 indicated endorsement of the safe but
inconvenient option, while responses of 4–6 indicated
endorsement of the risky but expedient option. Following
the four cyber dilemmas, respondents were given four
attention check questions to determine whether they were
reading the cyber scenarios carefully. In addition, basic
demographic information was collected as well as infor-
mation on each respondent’s personal experience and self-
reported victimization, if any, with the topics of the cyber
dilemmas.
2.1.2 Scenarios and manipulations
The four cyber dilemma scenarios involved the threat of a
computer virus resulting from the download of a music file,
the use of an unknown USB drive device, the download of
a Facebook application, and the risk of financial fraud from
an online purchase. Gain–loss framing and primed recall of
a prior personal experience were manipulated independent
variables. The framing messages were used to describe the
potential outcome of the risky cyber choice. The gain-
framed messages endorsed the safe, more protective rec-
ommendation. For example, for the download of a music
file scenario, the gain frame was worded as ‘‘If she presses
‘do not proceed,’ she may avoid the risk of acquiring a
virus that will cause serious damage to her computer.’’
Conversely, the loss-framed messages endorsed the risky
option/choice. For the download of a music file scenario,
the loss frame was worded as ‘‘If she presses ‘proceed,’ she
may risk acquiring a virus that will cause serious damage to
her computer.’’ The experimental design also included a
manipulation of primed recall of a prior personal experi-
ence. Respondents either recalled a near-miss experience of
their own before advising their friend, or did not (a control
condition). In each near-miss experience, the respondent’s
dilemma was similar to the situation faced by their best
friend and the consequences of the threat were benign. A
complete description of the four scenarios, including the
near-miss and gain–loss framing manipulations, is pro-
vided in Table 1.
2.1.3 Subjects
The experiment was conducted using the University of
Southern California’s Psychology Subject Pool. Students
participated for course credit. Of the 365 students who
participated in the experiment, 99 were omitted for not
answering all 4 of the attention check questions correctly,
resulting in a sample of 266 respondents. Most, 203 (76 %)
123
520
Table 1 Summary of four scenarios and manipulations (Experiment I)
Scenario 1: Music File
Scenario Your best friend has contacted you
for advice. She wants to open a
music file linking to an early
release of her favorite band’s
new album. When she clicks on
the link, a window pops up
indicating that she needs to turn
off her firewall program in order
to access the file
Gain If she presses ‘‘do not proceed,’’
framing she may avoid the risk of
acquiring a virus that will cause
serious damage to her computer
Loss If she presses ‘‘proceed,’’ she may
framing risk acquiring a virus that will
cause serious damage to her
computer
Near-miss As you consider how to advise
experience your friend, you recall that you
were confronted by a similar
situation in the past. You
attempted to open a link to a
music file and a window popped
up saying that you need to turn
off your firewall program in
order to access the file. You
pressed ‘‘proceed’’ and your
computer immediately crashed.
Fortunately, after restarting your
computer everything was
functioning normally again
Question Below please indicate your level
of agreement with the statement
‘‘You will advise your best
friend to press ‘‘proceed’’ and
risk acquiring a virus that will
cause serious damage to her
computer’’
123
Scenario 2: USB
Your best friend has contacted you
for advice. Her computer keeps
crashing because it is overloaded
with programs, documents and
media files. She consults a
computer technician who
advises her to purchase a 1
terabyte USB drive (data storage
device) to free up space on her
computer. She does her research
and narrows down the selection
to two choices
The first USB drive when used on
a computer other than your own
has a 10 % chance of becoming
infected with a virus that will
delete all the files and programs
on the drive. The second drive is
double the price, but has less
than a 5 % chance of becoming
infected with a virus when used
on a computer other than your
own
The first USB drive when used on
a computer other than her own
has a 5 % chance of becoming
infected with a virus that will
delete all the files and programs
on the drive. The second drive is
half the price but has more than
a 5 % chance of becoming
infected with a virus when used
on a computer other than her
own
As you consider how to advise
your friend, you recall that your
USB drive recently was infected
with a virus after being plugged
into a computer at work. You
contacted a computer technician
to see if there was any way to
repair the drive. The technician
was able to recover all the files
and told you that you were really
lucky because normally such
drives cannot be restored
Below please indicate your level
of agreement with the statement
‘‘You will advise your best
friend to buy the first USB drive
that has a 10 % chance of
becoming infected with a
virus.’’/’’You will advise your
best friend to buy the second
USB drive that has a greater than
5 % chance of becoming
infected with a virus’’
Environ Syst Decis (2013) 33:517–529
Scenario 3: Facebook
Your best friend has contacted you
for advice. She has opened her
Facebook page to find an app
request for a game that her
friends have been really excited
about. In order to download the
app, access to some of her
personal information is required
including her User ID and other
information from her profile
If she chooses not to agree to the
terms of the app, she is
protecting her private
information from being made
available to the developer of the
app
If she chooses to agree to the terms
of the app, she risks the chance
of her private information being
made available to the developer
of the app
As you consider how to advise
your friend, you recall that you
once agreed to share some of
your personal information in
order to download an app on
Facebook. The developers of the
app made your User ID publicly
available and because of this you
started to receive messages from
strangers on your profile page.
You were very upset about the
invasion of your privacy.
Fortunately, you discovered that
you could change the privacy
settings of your profile so that
only your friends could access
your page
Below please indicate your level
of agreement with the statement
‘‘You will advise your best
friend to download the app and
risk having her private
information made available to
the app developer’’
Scenario 4: Rare Book
Your best friend has contacted you
for advice. She is going to buy a
rare book from an unknown
online store. The book is highly
desirable, expensive and only
available from this online store’s
website. By deciding to purchase
the book online with her credit
card, there is a risk that her
personal information will be
exploited which can generate
unauthorized credit card
charges. Her credit card charges
$50 for the investigation and
retrieval of funds expended
when resolving fraudulent credit
card issues
If she decides not to buy the book,
she may save up to $50 and the
time spent talking with the credit
card company
If she decides to buy the book, she
may lose up to $50 and the time
spent talking with the credit card
company
As you consider how to advise
your friend, you recall that you
once purchased a rare book from
an unknown online store. You
were expecting the book to
arrive 1 week later. About
2 weeks later, you had yet to
receive the book. You were very
concerned that you had done
business with a fake online store.
You contacted the store’s
customer service who
fortunately tracked down the
book’s location and had it
shipped with overnight delivery.
Below please indicate your level
of agreement with the statement:
‘‘You will advise your best
friend to purchase the book
online and risk having her
personal information exploited’’
Environ Syst Decis (2013) 33:517–529 521

of the respondents, were female. Respondents ranged in Table 2 Summary of experience and victimization
age from 18 to 41 years (95 % percentile is 22 years old). Scenario (N = 266) Personal Previous
Table 2 shows a summary of personal experience and experience victimization
self-reported victimization associated with each of the four
Music file download 205 (77 %) 40 (15 %)
cyber dilemmas. All respondents reported having been a
victim of one of the four cyber dilemmas. Twenty-four USB drive 110 (41 %) 12 (4.5 %)
percent of respondents further reported being a victim of Facebook App 253a (95 %) 3 (1 %)
download
one or more of the four cyber dilemmas. We coded whether
Online purchase 259 (97 %) 18 (7 %)
the respondent had ever been victimized by one of the four
Overall (at least once) 265b (100 %) 64 (24 %)
scenarios as a variable of self-reported victimization.
a
An app is downloaded from Facebook at least once a week
b
2.2 Results There is one missing value

Raw responses (1–6) were centered around the midpoint

(3.5) such that negative responses indicate endorsement of
Risky
the safe option, and positive responses indicate endorse- Advice by Framing and Near-miss

Mean Endorsement of Safe vs. Risky Advice

0.4
ment of the risky option. Mean endorsement responses for
each of the four treatment conditions are displayed in 0.2
Fig. 1. The negative means in all four conditions indicate 0
that subjects were more likely to endorse risk averse
-0.2
actions compared with the risky alternative.1
In addition, a 2 (recalled personal near-miss experience -0.4
or no recall control condition) by 2 (gain vs. loss-framed -0.6
message) by 2 (sex) by 2 (self-reported victimization)
-0.8
4-way factorial ANOVA was used to evaluate respondents
Framing
endorsement of risky versus safe options in cyber dilem- -1
mas. Analyses were specified to only include main effects Gain
-1.2
and 2-way interactions with the manipulated variables. Loss
-1.4
Preliminary data screening was conducted, and q–q plots Control Near-miss
indicated that the dependent variable is approximately Safe
Near- miss
normally distributed.
Results indicated that the near-miss manipulation was Fig. 1 Mean endorsement of risky versus safe responses to cyber
significant, F (1, 260) = 7.42, p = .01, g2 = .03. threats by gain–loss frame and prior near-miss
Respondents who received a description of a recalled near-
miss experience preferred the safe but inconvenient option
to the risky, more expedient option. No main effect was gains or losses from a reference point. There also was a
found for the gain–loss framing manipulation, suggesting significant interaction between the framing and near-miss
that respondents were indifferent between safe versus risky manipulations: F (1, 260) = 4.01, p = .05, g2 = .02. As
decision options when the outcomes were described as seen in Fig. 1, the near-miss manipulation was much larger
under the gain frame compared with the loss frame.
Basic demographic data also was collected to assess
whether individual differences moderated the effect of the
1 two manipulations. A significant main effect was found for
Since the four scenarios are in a constant order, a second analysis
was run that ignored the manipulated factors and included scenario/ sex: F (1, 260) = 3.81, p = .05, g2 = .01; Sex’s cohen’s
order as a repeated factor. A one-way repeated measure ANOVA d are 0.33 for gain framing without near-miss, 0.09 for gain
found a significant scenario/order effect: F (3, 265) = 30.42, framing with near-miss, 0.18 for loss framing without near-
p \ .001, g2 = .10. Over time, respondents were more likely to
miss, and 0.19 for loss framing with near-miss. Female
endorse the risky option. Because the nature of the dilemma scenario
and order are confounded, it is impossible to determine whether the respondents were more likely to avoid risks and choose the
significant main effect indicates an order effect or a scenarios effect or safe option. No significant main effect was found for self-
a combination of both. The counterbalanced design distributed all 4 reported victimization. Also, none of the interactions were
combinations of framing and prior experience recall evenly across the
significant; sex and framing, sex and near-miss experience,
four scenario dilemmas. Order and/or scenario effects are independent
of the manipulated factors, and thus are included in the error term in victimization and framing, and victimization and near-
the ANOVA. miss.

123
522
2.3 Discussion
The results of Experiment I suggest that respondents’ cyber
security recommendations to their best friend were signif-
icantly influenced by the personal experience recall
manipulation. More specifically, respondents who recalled
a near-miss experience were more likely to advise their
best friend to avoid making the risky cyber choice com-
pared with their no recall counterpart. This finding is
consistent with Tinsley et al. (2012) definition of a vul-
nerable near-miss—an ‘‘almost happened’’ event that
makes individuals feel vulnerable and, in turn, leads to a
greater likelihood of endorsing the safer option.
Respondents who recalled a near-miss experience were
even more likely to advise their best friend to take the safer
course of action if they also received the gain message.
Comparatively, the loss frame had a negligible effect on
the primed recall prior experience manipulation. That is,
respondents who received the loss frame were as likely to
recommend the risk averse course of action to their best
friend regardless of whether their prior experience was a
near-miss or not. This finding suggests that people will be
more risk averse when they are exposed either to a recall of
a prior near-miss and/or a loss frame. The combination of
no prior recall of a near-miss and a gain frame did produce
less risk averse responses. This suggests a highly interac-
tive, synergistic effect, in which the frame and the near-
miss recall substitute for each other.
In addition, sex and prior victimization were found to
have no moderating effect on the relationship between cyber
dilemma responses and the two manipulated variables.
Cyber dilemma decision making was found to significantly
vary by respondents’ sex, but not by self-reported victim-
ization. The results suggest that females make more pro-
tective decisions when faced with risky cyber dilemmas
compared with males. This pattern has been replicated in
cyber research in an experiment of online shopping services
where males demonstrated a greater tendency to engage in
risky behavior online (Milne et al. 2009). Disaster risk per-
ception studies also have shown that risks tend to be judged
higher by females (Flynn et al. 1994; Bateman and Edwards
2002; Kung and Chen 2012; Bourque et al. 2012) and that
females tend to have a stronger desire to take preventative
and preparedness measures compared with males (Ho et al.
2008; Cameron and Shah 2012).
3 Experiment II
The primary purpose of Experiment II was to expand the
primed recall prior experience manipulation to compare
three prior cyber experiences: a near-miss, a false alarm,
123
Environ Syst Decis (2013) 33:517–529
and a hit involving a loss of data. The prior cyber experi-
ence recall prime for Experiment II involved experiences
of a good friend, rather than the respondents’ past experi-
ences (used in Experiment I). We also posed all questions
using a loss frame to enhance the ecological validity of the
cyber dilemmas posed, the consequences of which are
naturally perceived as losses from a status quo. The
dependent variable was also changed for Experiment II.
Each respondent was asked to report whether they would
select the safe or risky option in response to their own
cyber dilemma, as opposed to providing advice to their best
friend involved in a risky cyber dilemma as in Experiment
I. One interpretation of the finding from Experiment I that
respondents generally favored the safe option was that they
were possibly more risk averse in advising a friend com-
pared to how they would respond to their own cyber
dilemma. By posing the dilemma in the first person, we
sought to characterize how respondents would be likely to
respond when facing a cyber dilemma. The cyber dilemmas
were also described in a more concrete fashion for
Experiment II, including a ‘‘screenshot’’ of the dilemma
facing the respondent.
3.1 Method
3.1.1 Design overview
In Experiment II, three cyber dilemmas were constructed to
evaluate respondents’ risky choice behavior using one
manipulated variable, recall of a friend’s false alarm, near-
miss or hit experience. In addition, six individual differ-
ence variables were included in the design: sex, age,
income, education, job domain, and self-reported victim-
ization. Each participant received all three dilemmas in a
constant order. Each of the three primed recall prior cyber
experiences was paired with one of the three scenarios in a
counterbalanced design such that each of the cyber
dilemmas appeared in each of the three treatment condi-
tions with equal frequency.
After each cyber dilemma, respondents were asked to
respond on a 6-point scale (1 = strongly disagree to
6 = strongly agree) regarding their intention to ignore the
warning and proceed with the riskier course of action.
Following all three cyber dilemmas, respondents were
given three attention check questions related to the nature
of each dilemma. Respondents also were asked to provide
basic demographic information and answer a series of
questions about their experience with computers and cyber
dilemmas, such as their experience with purchasing from a
fraudulent online store, being locked out from an online
account, or having unauthorized withdrawals made from
their online banking account.
Environ Syst Decis (2013) 33:517–529
3.1.2 Scenarios and manipulations
The three cyber dilemma scenarios involved the threat of
causing serious damage to the respondents’ computer as a
result of downloading a music file, installing a plug-in for
an online game, and downloading a media player to legally
stream videos. The scenarios were written to share the
same possible negative outcome—the computer’s operat-
ing system crashes, resulting in an unusable computer until
repaired. Establishing uniformity of consequences across
the three scenarios reduced potential unexplained variance
across the three levels of the manipulated variable.
Experiment II also included screenshots of ‘‘pop-up’’
window images similar to those that would appear on the
computer display when the cyber dilemma is presented.
These images were intended to make the scenarios more
concrete and enhance the realism of the cyber dilemma
scenarios.
Primed recall of a friend’s prior cyber experience was
the only manipulated variable in this experiment.
Respondents either recalled their friend’s near-miss, false
alarm or hit experience before deciding whether to select
the safe or risky option in response to the described cyber
dilemma. All potential outcomes were presented in a loss
frame, with wording held constant except for details spe-
cific to the scenario under consideration. For example, the
wording of the loss frame for the hit outcome of the
download a music file scenario was ‘‘She pressed ‘allow
access’ and her computer immediately crashed. She ended
up having to wipe the computer’s hard drive clean and to
reinstall the operating system.’’ The only modification
made for the installation of the plug-in scenario was
switching the words ‘‘allow access’’ to ‘‘run.’’ A complete
description of the scenarios, including the primed recall of
the friend’s prior experiences, is provided in Table 3.
3.1.3 Subjects
Three hundred and seventy-six US residents were recruited
through Amazon Mechanical Turk (AMT) to participate in
the experiment. Researchers have assessed the representa-
tiveness of AMT samples compared with convenience
samples found locally and found AMT samples to be
representative (Buhrmester et al. 2011; Mason and Suri
2012; Paolacci et al. 2010) and ‘‘significantly more diverse
than typical American college samples’’ (Buhrmester et al.
2011). Each respondent earned $1 for completion of the
experiment. After removing respondents who did not
answer all three of the attention check questions correctly
or completed the experiment in less than 7 min, the sample
consisted of 247 respondents. Five additional respondents
skipped questions, resulting in a final sample size of
N = 242. Table 4 includes a summary of sample
523
characteristics, including sex, age, income, education, job
domain, and self-reported victimization. Self-reported
victimization is defined in terms of experiences with four
types of negative cyber events: (1) getting a virus on an
electronic device, (2) purchasing from a fraudulent online
store, (3) being locked out from an online account, or (4)
having unauthorized withdrawals made from their online
banking account. Respondents also responded to a number
of experience questions that are summarized in Table 5 as
additional detail about the study sample.
3.2 Results
A mixed model ANOVA with one within-subject factor
(primed recall of a prior experience) and six individual
difference variables as between-subject factors were used.
This model included only the seven main effects and the
six 2-way interactions involving the manipulated within-
subject variable and each of the six between-subject vari-
able. Preliminary data screening was done; q–q plots
showed the scores on the repeated measures variable, prior
salient experience, to have an approximately normal
distribution.2
Results show that the primed recall prior experience
manipulation had a significant effect on how respondents
intended to respond to the cyber dilemmas, F (1,
231) = 31.60, p \ .00, g2 = .12. Moreover, post hoc
comparisons using the least significant difference (LSD)
test indicate that the mean score for the false-alarm con-
dition (M = 3.65, SD = 0.11) was significantly different
from the near-miss condition (M = 2.97, SD = 0.11) with
p \ .01, and the hit condition (M = 2.34, SD = 0.11)
significantly differed from the near-miss and false-alarm
conditions with p \ .01. This suggests that respondents
who received a description of a friend’s near-miss experi-
ence recall preferred the safer, risk averse option compared
with respondents who were primed to recall a friend’s prior
false-alarm experience. Respondents were found to be even
more likely to select the safe option when they were primed
to recall a friend’s prior hit experience. As displayed in
Fig. 2, the positive means for the false-alarm condition
indicate that respondents were more likely to engage in
risky behavior compared with the negative means for the
near-miss and hit conditions.
The analysis also included both main effects and inter-
action terms for six different subject variables, including
2
As in Exp I, a one-way repeated measure ANOVA shows there is a
significant scenario/order effect: F (2, 265) =4.47, p = .035, g2 = .02.
Over time and/or scenario, respondents were more likely to endorse the
risky option. However, as in Experiment I, it is difficult to determine
whether the main effect is for the scenarios or the order effect. The study
design we used overcame this limitation by using a counterbalanced
design.
123
 Table 3 Summary of three scenarios and manipulations (Experiment II)
Scenario 1: Music File
123
Scenario You want to download a music file linking to an early
release of your favorite band’s new album. When you
click on the link, the following window pops up:
If you press ‘‘allow access,’’ you may risk causing
serious damage to your computer
Your You recall that your friend told you she was confronted
experience by a similar situation in the past. She was attempting to
open a music file and a window popped up saying the
program was blocked by a firewall
False alarm She pressed ‘‘allow access’’ and successfully downloaded
the music file without any damage occurring to her
computer
Near-miss She pressed ‘‘allow access’’ and her computer
immediately flashed a blue screen and automatically
rebooted before she had time to read anything.
Fortunately, following the reboot her computer was
operating normally
Hit She pressed ‘‘allow access’’ and her computer
immediately crashed. She ended up having to wipe the
computer’s hard drive clean and to reinstall the
operating system
Question Below please indicate your level of agreement with the
statement ‘‘You will press ‘‘allow access’’ and risk
installing a file that could seriously damage your
computer’’
Scenario 2: Plug-in Install
You are interested in playing an online game that
requires a plug-into run. Before installing the plug-in,
the following window pops up:
If you click ‘‘run,’’ you may risk installing a plug-in that
could seriously damage your computer
You recall that your friend told you she once downloaded
a plug-into play an online game and was warned prior
to installation that the publisher could not be verified
She clicked ‘‘run,’’ and successfully played the game
without causing any damage to her computer
She clicked ‘‘run’’ and her computer immediately flashed
a blue screen and automatically rebooted before she
had time to read anything. Fortunately, following the
reboot her computer was operating normally
She clicked ‘‘run’’ and her computer immediately
crashed. She ended up having to wipe the computer’s
hard drive clean and to reinstall the operating system
Below please indicate your level of agreement with the
statement ‘‘You will click ‘‘run’’ and risk installing a
plug-in that could seriously damage your computer’’
524
Scenario 3: Unknown Network
You have downloaded a media player to legally stream
videos from your computer. When you open the player,
the following window pops up:
If you press ‘‘yes, you may risk using a media player that
could seriously damage your computer
You recall that your friend told you she once installed a
media player and received a warning about allowing an
unknown publisher to make changes to her computer
She pressed ‘‘allow’’ and successfully used the player to
watch videos without any damage occurring to her
computer
She pressed ‘‘allow’’ and her computer immediately
flashed a blue screen and automatically rebooted before
she had time to read anything. Fortunately, following
the reboot her computer was operating normally
She pressed ‘‘allow’’ and her computer immediately
crashed. She ended up having to wipe the computer
clean and to reinstall the operating system
Below please indicate your level of agreement with the
statement: ‘‘You will press ‘‘allow’’’ and risk using a
media player that could seriously damage your
computer’’
Environ Syst Decis (2013) 33:517–529
Environ Syst Decis (2013) 33:517–529 525

Table 4 Demographic information for AMT respondents

Demographic variable (N = 242) Variable response category Number and percentage of sample

Sex Male 108 (44.6 %)

Female 134 (55.4 %)
Highest level of education High school 65 (26.9 %)
2-year college 38 (15.7 %)
4-year college 102 (42.1 %)
Master’s degree 30 (12.4 %)
Professional (e.g., M.D., 7 (2.9 %)
Ph.D., J.D.) degree
Personal gross annual income range Below $20,000/year 66 (27.3 %)
$20,000–$29,999/year 31 (12.8 %)
$30,000–$39,999/year 35 (14.5 %)
$40,000–$49,999/year 28 (11.6 %)
$50,000–$59,999/year 15 (6.2 %)
$60,000–$69,999/year 23 (9.5 %)
$70,000–$79,999/year 13 (5.4 %)
$80,000–$89,999/year 10 (4.1 %)
$90,000/year or more 21 (8.7 %)
Does your work relate to technology? I use computers normally but my 172 (71.1 %)
work has nothing to do with
technology.
My work is about technology 70 (28.9 %)
Victim of getting a virus on an electronic device Yes 165 (68.2 %)
No 77 (31.8 %)
Victim of purchasing from a fake online store Yes 15 (6.2 %)
No 221 (91.3 %)
I don’t shop online 6 (2.5 %)
Victim of failure to log into an online account Yes 85 (35.1 %)
No 157 (64.9 %)
Victim of unauthorized withdrawals from an online banking account Yes 44 (18.2 %)
No 198 (81.8 %)
Overall self-reported victimization None 46 (19.0 %)
One type 104 (43.0 %)
Two or more types 92 (38.0 %)
Age (years) Range 18–75
Percentiles 25th 27
50th 33
75th 44

sex, age, level of education, income level, job domain, and
self-reported victimization. For the purpose of analysis, age
was collapsed into three levels: 18–29, 30–39, and 40 years
and older; education level was collapsed into three cate-
gories: high school and 2-year college, 4-year college, and
master’s degree or higher; and annual income level was
collapsed into three categories: below $30,000/year,
$30,000–$59,999/year, and $60,000/year and more.
The results of the ANOVA indicated there was a sig-
nificant main effect for age: F (2, 231) = 4.9, p = .01,
g2 = .04, and no significant main effects for sex,
education, income, job domain, and self-reported victim-
ization. Figure 2 suggests that younger respondents com-
pared with older respondents were more likely to choose
the riskier option in cyber dilemmas across all 3 levels of
the primed prior recall experience manipulation.
Results also showed a significant interaction effect
between income and the primed prior recall experience
manipulation: F (2, 231) = 3.40, p = .01, g2 = .03. Fig-
ure 3 indicates that respondents with higher income levels
(greater than $60 K per year) were less sensitive to the
primed recall of a friend’s experience. There was no

123
526 Environ Syst Decis (2013) 33:517–529

Table 5 Cyber-related responses for AMT respondents Risky

Endorsement by Age
1
Questions Response Number and

Mean Endorsement of Safe vs. Risky Option

category percentage of
sample
0.5
Personal computer PC 213 (88.0 %)
Mac 28 (11.6 %)
0
Do not have a 1 (0.4 %)
personal
computer -0.5
Smartphone iOS 67 (27.6 %)
Android 95 (39.3 %) Age
-1
Do not have a 80 (33.1 %) 18 - 29 years old
smartphone 30 - 39 years old
Protection software Yes 211 (87.2 %) -1.5 40 years old and
No 31 (12.8 %) older
Have you ever downloaded free Yes 135 (55.8 %)
music, an e-book, a movie, or a -2
No 107 (44.2 %)
television show from an False-alarm Near-miss Hit
unfamiliar website found Safe
Salient Prior Experience
through a Google search?
How often do you access your Every day 150 (62.0 %) Fig. 2 Mean endorsement of risky versus safe responses to cyber
social networking accounts Once a week 35 (14.5 %) threats by primed recall of friend’s prior experience and age
(Facebook, Twitter, Myspace,
Once a month 8 (3.3 %)
MSN, Match.com, etc.)?
2-3 times a 10 (4.1 %)
month
Every couple 14 (5.8 %) Endorsement by Income Level
Mean Endorsement of Safe vs. Risky Option

months
Once a year 4 (1.7 %)
Never 21 (8.7 %)
Have you ever clicked on an Yes 122 (50.4 %)
advertisement and a window No 120 (49.6 %)
popped up saying something
along the lines of
‘‘Congratulations, you are
eligible to win an iPad!’’? Income
Have you ever clicked on a link in Yes 32 (13.2 %)
a suspicious email (e.g., an No 210 (86.8 %)
email in a different language,
with an absurd subject)?

significant interaction effect between the manipulation and

the other five individual difference variables, including sex:
F (1, 231) \1, age: F (2, 231) = 1.84, p = .12, g2 = .02,
education: F (2, 231) \1, job domain, F (1, 231) = 2.01,
p = .14, g2 = .01, and self-reported victimization, F (2,
231) = 2.03, p = .09, g2 = .02.
3.3 Discussion
Responses to risky cyber dilemmas in Experiment II were
significantly predicted by the primed recall of a friend’s
prior cyber experience. Consistent with our hypotheses, the
more negative the consequence associated with the prior
cyber experience, the more likely the respondents were to
Salient Prior Experience
Fig. 3 Mean endorsement of risky versus safe responses to cyber
threats by primed recall of friend’s prior experience and income level
choose the safer course of action. In particular, respondents
who were primed to recall a prior near-miss or hit event
interpreted the experience as a sign of vulnerability com-
pared with the recall of a prior false alarm and, in turn,
were more likely to promote more conservative (safe)
endorsements of actions. In the case of false alarms, our
findings suggest that respondents were more likely to
endorse the risky alternative.

123
Environ Syst Decis (2013) 33:517–529
In addition, endorsement of safe versus risky resolutions
to the cyber dilemmas varied by respondents’ age,
regardless of the primed recall of a friend’s prior experi-
ence. Middle-aged and older respondents were more likely
to endorse the safe choice option compared with younger
respondents. Research on age differences is inconsistent in
the domain of cyber security related to privacy (Hoofnagle
et al. 2010), risk of data loss from a cyber threat (Howe
et al. 2012—‘‘The psychology of security for the home
computer user’’ in Proceedings of 2012 IEEE Symposium
on the Security and Privacy) or fear of a cyber threat
(Alshalan 2006). Our findings suggest that younger indi-
viduals’ extensive use and dependence on computers for
daily activities may result in the association of a greater
cost with being risk averse in response to cyber dilemmas.
Younger individuals’ familiarity with computers likely
makes it easier for them to determine whether a cyber
dilemma is a real threat or a computer’s standard warning
message. In the same vein, their familiarity with computers
may also lead to a greater awareness of a major cyber
dilemma being a small probability event, the consequences
of which are likely to be repairable. Ultimately, younger
individuals do not perceive the unsafe option as overly
risky compared with the safe option.
Respondents’ income was also found to moderate the
effect of the primed recall of a friend’s prior experience
on respondents’ endorsement of safe versus risky
options. Of the three income levels, the wealthiest
respondents were the least sensitive to variations in the
primed recall of a friend’s prior cyber experience. In
the literature on cyber security, only a significant main
effect for income is reported. In a 2001 presentation by
Tyler, Zhang, Southern and Joiner at the IACIS Con-
ference, the research team reported findings suggesting
that higher income individuals have a lower probability
of considering e-commerce to be safe and therefore
avoid e-commerce transactions. Similarly, in a study by
Downs et al. (2008), respondents from more affluent
areas were reported to update their anti-virus program
more frequently than respondents from poorer areas,
further validating the tendency toward risk averse cyber
behavior for higher income individuals. Our finding
suggests that wealthier respondents were not as
impacted compared with the low and medium income
respondents by the primed prior recall experience
manipulation because they can afford to be riskier.
Their wealth allows them to have access to enhanced
baseline security measures. This creates a sense that
they are exempt from risks that apply to others and for
this reason, do not need to pay much attention to the
primed prior recall experiences and consequences.
Interestingly, there were no significant main effects or
interactions for the remaining four individual difference
527
variables, including sex, education, work domain, or
previous cyber victimization. The absence of main effects
for five of the six individual difference variables suggests
that respondents’ cyber dilemma decisions are determined
more by recall of prior cyber-related experiences, and not
by background of the decision maker, with the sole
exception of respondent age. The absence of interaction
effects for five of the six individual difference variables
suggests that the effect of primed recall of a prior expe-
rience is robust; respondent income was the sole moder-
ator identified.
4 Conclusion
Experiments I and II were designed to explore how com-
puter users’ responses to common cyber dilemmas are
influenced by framing and salience of prior cyber experi-
ences. Despite using two different dependent variables, the
advice the respondent would give to a friend (Experiment
I), and how the respondents themselves would respond to
cyber dilemmas (Experiment II), the extent to which the
two different questions elicit more or less risk averse
responses was found to be similar. The results indicate that
for prior near-miss experiences (the one manipulation
condition included in both experiments), the mean
responses were 2.39 and 2.97 for Experiments I and II,
respectively. This finding suggests that whether the
respondent was making a personal recommendation or
providing advice to a friend; the recalled experience
manipulation was found to significantly influence the
respondent’s endorsement of the safer cyber option. Simi-
larly, in prior cyber research, Aytes and Connolly (2004)
found that students were more attuned to cyber risks and
likely to take action against them when the primary source
of information was their own or friends’ experiences with
security problems.
The one inconsistent finding between the two experi-
ments is the effect of respondent sex on risky cyber choice
behavior. In Experiment I, females were found to be more
risk averse than males, while in Experiment II, sex was
found to be unrelated to whether respondents endorsed a
risky or safe option. Previous studies are also inconsistent
with respect to the role of sex in predicting cyber-related
behavior and decision making. At the 2012 Annual Con-
ference of the Society for Industrial and Organizational
Psychology, Byrne et al. report that women provided
slightly higher scores of behavioral intentions to click on a
risky cyber link, while Milne et al. (2009) found that males
had a greater tendency to engage in risky behaviors online.
In the context of security compliance, Downs et al. (2008)
report that males were more involved in computer security
management, such as updating their anti-virus software and
123
528
using pop-up blockers, while Herath and Rao (2009) found
women to have higher security procedure compliance
intentions, but were less likely to act on them.
One explanation for our inconsistent results related to
sex may be differences in the two populations sampled:
college students in Experiment I and a more diverse, AMT
sample in Experiment II. College samples tend to be more
sex stereotyped, such that risk tends to be judged lower by
men than by women, and females tend to have a stronger
desire to take preventative and preparedness measures
(Harris et al. 2006). This tends to be attributed to their lack
of real-world experiences; as evidenced by only a small
percentage of the sample, 24 %, have previously experi-
enced a cyber dilemma. By these assumptions, males
would be expected to be more risk seeking than females in
Experiment I. Conversely, the AMT sample consists of
older adults with more diverse backgrounds, as evidenced
in Table 5, which tends to blur the line between traditional
male and female stereotypes. In addition, 80 % of the AMT
sample had previously experienced a cyber dilemma, fur-
ther suggesting that shared experiences of males and
females could lead to the lack of sex differences found in
Experiment II.
Overall, these two experiments indicate that recall of prior
cyber experiences and framing strongly influence individual
decision making in response to cyber dilemmas. It is useful to
know about how prior experience and framing jointly
influence responses to cyber dilemmas. The implications of
our findings are that salience of prior negative experiences
certainly attenuates risky cyber behavior. We found that this
attenuation is greater for gain-framed decisions, and for low-
and middle-income respondents. Responses to cyber
dilemmas were determined more by proximal variables, such
as recall of prior experiences and framing, and were largely
robust to individual difference variables, with only a couple
of exceptions.
Given that safety in the cyber context is an abstract
concept, it would be worthwhile to further explore how
framing influences cyber dilemma decision making.
Additionally, this research design could be used to evaluate
differences across cyber dilemma contexts to examine the
robustness of the relationships identified in our research.
Such further research is warranted to better understand how
individual users respond to cyber dilemmas. This infor-
mation would be useful to cyber security policymakers
faced with the task of designing better security systems,
including computer displays and warning messages rele-
vant to cyber dilemmas.
Acknowledgments This research was supported by the U.S.
Department of Homeland Security (DHS) through the National Center
for Risk and Economic Analysis of Terrorism Events. However, any
opinions, findings, conclusions, and recommendations in this article
123
Environ Syst Decis (2013) 33:517–529
are those of the authors and do not necessarily reflect the views of
DHS. We would like to thank Society for Risk Analysis (SRA)
conference attendees for their feedback on this work at a session at the
2012 SRA Annual Meeting in San Francisco. We would also thank
the blind reviewers for their time and comments, as they were
extremely valuable in developing this paper.
References
Acquisti A, Grossklags J (2007) What can behavioral economics
teach us about privacy. In: Acquisti A, Gritzalis S, Lambrino-
udakis C, Vimercati S (eds) Digital privacy: theory, technologies
and practices. Auerbach Publications, Florida, pp 363–377
Alshalan A (2006) Cyber-crime fear and victimization: an analysis of
a national survey. Dissertation, Mississippi State University
Aytes K, Connolly T (2004) Computer security and risky computing
practices: a rational choice perspective. J Organ End User
Comput 16:22–40
Barnes LR, Gruntfest EC, Hayden MH, Schultz DM, Benight C
(2007) False alarms and close calls: a conceptual model of
warning accuracy. Weather Forecast 22:1140–1147
Bateman JM, Edwards B (2002) Gender and evacuation: a closer look
at why women are more likely to evacuate for hurricanes. Nat
Hazard Rev 3:107–117
Bourque LB, Regan R, Kelley MM, Wood MM, Kano M, Mileti DS
(2012) An examination of the effect of perceived risk on
preparedness behavior. Environ Behav 45:615–649
Breznitz S (2013) Cry wolf: the psychology of false alarms.
Psychology Press, Florida
Buhrmester M, Kwang T, Gosling SD (2011) Amazon’s Mechanical
Turk: a new source of inexpensive, yet high-quality, data?
Perspect Psychol Sci 6:3–5
Cameron L, Shah M (2012) Risk-taking behavior in the wake of
natural disasters. IZA Discussion Paper No. 6756. http://ssrn.
com/abstract=2157898
Dillon RL, Tinsley CH, Cronin M (2011) Why near-miss events can
decrease an individual’s protective response to hurricanes. Risk
Anal 31:440–449
Donner WR, Rodriguez H, Diaz W (2012) Tornado warnings in three
southern states: a qualitative analysis of public response patterns.
J Homel Secur Emerg Manage 9:1547–7355
Dow K, Cutter SL (1998) Crying wolf: repeat responses to hurricane
evacuation orders. Coast Manage 26:237–252
Downs DM, Ademaj I, Schuck AM (2008) Internet security: who is
leaving the ‘virtual door’ open and why? First Monday 14.
doi:10.5210%2Ffm.v14i1.2251
Flynn J, Slovic P, Mertz CK (1994) Gender, race, and perception of
environmental health risks. Risk Anal 14:1101–1108
Garg V, Camp J (2013) Heuristics and biases: implications for
security design. IEEE Technol Soc Mag 32:73–79
Harris C, Jenkins M, Glaser D (2006) Gender differences in risk
assessment: why do women take fewer risks than men? Judgm
Decis Mak 1:48–63
Helander MG, Khalid HM (2000) Modeling the customer in
electronic commerce. Appl Ergon 31:609–619
Herath T, Rao HR (2009) Encouraging information security behaviors
in organizations: role of penalties, pressures and perceived
effectiveness. Decis Support Syst 47:154–165
Ho MC, Shaw D, Lin S, Chiu YC (2008) How do disaster
characteristics influence risk perception? Risk Anal 28:635–643
Hoofnagle C, King J, Li S, Turow J (2010) How different are young
adults from older adults when it comes to information privacy
attitudes and policies? April 14, 2010. http://ssrn.com/abstract=
1589864
Environ Syst Decis (2013) 33:517–529
Kahneman D, Tversky A (1979) Prospect theory: an analysis of
decision under risk. Econom J Econom Soc 47:263–291
Kung YW, Chen SH (2012) Perception of earthquake risk in Taiwan:
effects of gender and past earthquake experience. Risk Anal
32:1535–1546
Kunreuther H, Pauly M (2004) Neglecting disaster: why don’t people
insure against large losses? J Risk Uncertain 28:5–21
Mason W, Suri S (2012) Conducting behavioral research on
Amazon’s Mechanical Turk. Behav Res Methods 44:1–23
Milne GR, Labrecque LI, Cromer C (2009) Toward an understanding
of the online consumer’s risky behavior and protection practices.
J Consum Aff 43:449–473
Paolacci G, Chandler J, Ipeirotis P (2010) Running experiments on
Amazon Mechanical Turk. Judgm Decis Mak 5:411–419
Shankar V, Urban GL, Sultan F (2002) Online trust: a stakeholder
perspective, concepts, implications, and future directions. J Stra-
teg Inf Syst 11:325–344
529
Siegrist M, Gutscher H (2008) Natural hazards and motivation for
mitigation behavior: people cannot predict the affect evoked by a
severe flood. Risk Anal 28:771–778
Simmons KM, Sutter D (2009) False alarms, tornado warnings, and
tornado casualties. Weather Clim Soc 1:38–53
Slovic P, Peters E, Finucane ML, MacGregor DG (2005) Affect, risk,
and decision making. Health Psychol 24:S35–S40
Tinsley CH, Dillon RL, Cronin MA (2012) How near-miss events
amplify or attenuate risky decision making. Manage Sci
58:1596–1613
Tversky A, Kahneman D (1986) Rational choice and the framing of
decisions. J Bus 59:S251–S278
Verendel V (2008) A prospect theory approach to security. Technical
Report No. 08-20. Sweden. Department of Computer Science
and Engineering, Chalmers University of Technology/Goteborg
University. http://citeseerx.ist.psu.edu/viewdoc/download?doi=
10.1.1.154.9098&rep=rep1&type=pdf
123