UBC Theses and Dissertations

Role of heuristics and biases in information security decision making

Fard Bahreini, Amir


Inadvertent and irrational human errors (e.g., clicking on phishing emails) have been the primary cause of security breaches in recent years. It has been estimated that these errors were a source of approximately 84% of all breaches in 2017 (Sher-Jan, 2018). To understand the root cause of these errors and examine practical solutions for personal users, I applied the theory of bounded rationality (Simon, 1972, 2000). In the second chapter, I examined the role of several factors (i.e., objective knowledge, subjective knowledge, and default security level) on how secure a decision made by a personal user is (i.e., security level of user’s decision). I discovered that the default security level has the most significant influence on the security level of a user’s decision. Furthermore, the results illustrated that subjective security knowledge mediates the impact of objective security knowledge on security decisions. In Chapter 3, I explored the role of heuristics (i.e., short mental processes) in security decision making. The interviews conducted revealed that users rely on various heuristics to simplify their decision making. Specifically, users rely on experts’ comments (i.e., expertise heuristic), information at hand, such as recent events (i.e., availability heuristic), and security-representative visual cues (i.e., representativeness heuristic). Findings also showed the use of other heuristics, including affect, brand, and anchoring, to a lesser degree. In Chapter 4, I examined the impact of several nudging strategies by using the most prevalent heuristic cues discovered in Chapter 3 and the construal level (i.e., level of abstraction) of messages on users’ security decisions. Using the security level of settings and password entropy as measures of the overall degree of security, users made more secure decisions in the presence of any of the heuristic cues irrespective of the construal level compared to the baseline group (i.e., no-message group).
Additionally, with respect to the security level of settings, low-level construal availability, low-level construal representativeness, and high-level construal expertise had the highest impact. For password entropy, low-level construal availability and low-level construal representativeness were also the most effective combination. However, there was no significant difference between high-level and low-level construal expertise conditions.


Attribution-NonCommercial-NoDerivatives 4.0 International