The Case against Commercial Antivirus Software: Risk Homeostasis and Information Problems in Cybersecurity

New cybersecurity technologies, such as commercial antivirus software (AV), sometimes fail to deliver on their promised benefits. This article develops and tests a revised version of risk homeostasis theory, which suggests that new cybersecurity technologies can sometimes have ill effects on securit...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Risk analysis 2020-08, Vol.40 (8), p.1571-1588
1. Verfasser: Jardine, Eric
Format: Artikel
Sprache:eng
Schlagworte:
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:New cybersecurity technologies, such as commercial antivirus software (AV), sometimes fail to deliver on their promised benefits. This article develops and tests a revised version of risk homeostasis theory, which suggests that new cybersecurity technologies can sometimes have ill effects on security outcomes in the short run and little‐to‐no effect over the long run. It tests the preliminary plausibility of four predictions from the revised risk homeostasis theory using new survey data from 1,072 respondents. The estimations suggest the plausible operation of a number of risk homeostasis dynamics: (1) commercial AV users are significantly more likely to self‐report a cybersecurity event in the past year than nonusers, even after correcting for potential reverse causality and informational mechanisms; (2) nonusers become somewhat less likely to self‐report a cybersecurity event as the perceived riskiness of various e‐mail‐based behaviors increases, while commercial AV users do not; (3) the negative short‐run effect of commercial AV use on cybersecurity outcomes fade over time at a predicted rate of about 7.03 percentage points per year of use; and (4) after five years of use, commercial AV users are statistically indistinguishable from nonusers in terms of their probability of self‐reporting a cybersecurity event as perceptions of risky e‐mail‐based behaviors increase.
ISSN:0272-4332
1539-6924
DOI:10.1111/risa.13534