When it comes to social interactions involving information technology, it is important to understand that different entities have different and often conflicting goals and interests. It is puzzling that the same people who make smart business decisions behave irrationally where information security is concerned. For example, a recent survey shows that 12% of information technology users admitted to knowingly violating security policies to get their work done, while various reports attribute between 4% and 40% of all security incidents to the acts of insiders, whether ignorant or malicious. The situation is not much better at the corporate level. For example, software manufacturers often have incentives to introduce new products as early as possible, while there are still many bugs that will have to be patched later.
A shared belief is developing that information security is not solely a technology issue but should also involve economic and behavioral considerations. A big question is: why do people and organizations that behave rationally and efficiently in other situations fail miserably where information security is concerned? In this talk, I would like to bring together several sets of ideas from economics and psychology that may explain the seemingly irrational behavior of individuals as well as organizations. The ultimate goal is to gain a better understanding of the human factors of information security and to lay the groundwork for the development of a security-conscious culture, both at the individual and the societal level.