research-article

“This is the way ‘I’ create my passwords” ... does the endowment effect deter people from changing the way they create their passwords?

Published: 01 May 2019

Abstract

The endowment effect is the term used to describe a phenomenon that manifests as a reluctance to relinquish owned artifacts, even when a viable or better substitute is offered. It has been confirmed by multiple studies when it comes to ownership of physical artifacts. If computer users also “own”, and are attached to, their personal security routines, such feelings could conceivably activate the same endowment effect. This would, in turn, lead to their over-estimating the “value” of their existing routines, in terms of the protection they afford, and the risks they mitigate. They might well, as a consequence, not countenance any efforts to persuade them to adopt a more secure routine, because their comparison of the pre-existing and proposed new routines is skewed by the activation of the endowment effect.
In this paper, we report on an investigation into the possibility that the endowment effect activates when people adopt personal password creation routines. We did indeed find evidence that the endowment effect is likely to be triggered in this context. This constitutes one explanation for the failure of many security awareness drives to improve password strength. We conclude by suggesting directions for future research to confirm our findings, and to investigate the activation of the effect for other security routines.

Information

Published In

Computers and Security, Volume 82, Issue C
May 2019
330 pages

Publisher

Elsevier Advanced Technology Publications
United Kingdom

Author Tags

1. Password creation routines
2. Endowment effect
3. Change willingness
4. Psychological ownership
5. Scenario-based survey

Cited By

• (2024) Adaptive and maladaptive factors behind password manager use, Computers and Security 144:C, doi:10.1016/j.cose.2024.103941. Online publication date: 18-Oct-2024
• (2023) ‘Ought’ should not assume ‘Can’? Basic Capabilities in Cybersecurity to Ground Sen’s Capability Approach, Proceedings of the 2023 New Security Paradigms Workshop (76-91), doi:10.1145/3633500.3633506. Online publication date: 18-Sep-2023
• (2023) Securing online accounts and assets, International Journal of Information Management: The Journal for Information Professionals 68:C, doi:10.1016/j.ijinfomgt.2022.102590. Online publication date: 1-Feb-2023
• (2022) Cybersecurity Regrets: I’ve had a few.... Je Ne Regrette, Proceedings of the 2022 New Security Paradigms Workshop (1-20), doi:10.1145/3584318.3584319. Online publication date: 24-Oct-2022
• (2022) MIGRANT, ACM SIGMIS Database: the DATABASE for Advances in Information Systems 53:2 (63-95), doi:10.1145/3533692.3533698. Online publication date: 27-Apr-2022
• (2022) Accessible and Inclusive Cyber Security: A Nuanced and Complex Challenge, SN Computer Science 3:5, doi:10.1007/s42979-022-01239-1. Online publication date: 22-Jun-2022
• (2022) Using Multi-Factor Authentication for Online Account Security: Examining the Influence of Anticipated Regret, Information Systems Frontiers 25:2 (897-916), doi:10.1007/s10796-022-10278-1. Online publication date: 19-Apr-2022
• (2020) An application and empirical test of the Capability Opportunity Motivation-Behaviour model to data leakage prevention in financial organizations, Computers and Security 97:C, doi:10.1016/j.cose.2020.101970. Online publication date: 1-Oct-2020
• (2020) Risk as affect, Computers and Security 90:C, doi:10.1016/j.cose.2019.101651. Online publication date: 1-Mar-2020
