Impact of framing and base size of computer security risk information on user behavior

Scholars’ Mine
Masters Theses
Student Theses and Dissertations
Spring 2019
Xinhui Zhan
Part of the Information Security Commons, and the Technology and Innovation Commons
Recommended Citation
Zhan, Xinhui, “Impact of framing and base size of computer security risk information on user behavior”
(2019). Masters Theses. 7896.
https://scholarsmine.mst.edu/masters_theses/7896
This thesis is brought to you by Scholars’ Mine, a service of the Missouri S&T Library and Learning Resources. This
work is protected by U. S. Copyright Law. Unauthorized use including reproduction for redistribution requires the
permission of the copyright holder. For more information, please contact scholarsmine@mst.edu.

IMPACT OF FRAMING AND BASE SIZE OF COMPUTER SECURITY RISK
INFORMATION ON USER BEHAVIOR

by

XINHUI ZHAN

A THESIS
Presented to the Faculty of the Graduate School of the
MISSOURI UNIVERSITY OF SCIENCE AND TECHNOLOGY
In Partial Fulfillment of the Requirements for the Degree
MASTER OF SCIENCE IN INFORMATION SCIENCE & TECHNOLOGY
2019

Approved by:
Dr. Fiona Fui-Hoon Nah, Advisor
Dr. Keng Siau
Dr. Richard Hall

© 2019
Xinhui Zhan
All Rights Reserved

ABSTRACT
This research examines the impact of framing and base size of computer security
risk information on users’ risk perceptions and behavior (i.e., download intention and
download decision). It also examines individual differences (i.e., demographic factors,
computer security awareness, Internet structural assurance, self-efficacy, and general
risk-taking tendencies) associated with users’ computer security risk perceptions. This
research draws on Prospect Theory, which is a theory in behavioral economics that
addresses risky decision-making, to generate hypotheses related to users’ decision-
making in the computer security context. A 2 × 3 mixed factorial experimental design (N
= 178) was conducted to assess the effect of framing and base size on users’ download
intentions and decisions. The results show that framing and base size of computer
security risk information are associated with users’ perceived risk and risk-taking
behavior. More specifically, negative framing and large base size increase users’
perceived risk and reduce users’ risk-taking behavior. Moreover, users who have greater
general risk-taking tendencies and perceive higher Internet structural assurance exhibited
lower risk perceptions and greater risk-taking behavior in the computer security context.
The findings from this research suggest that using negative framing and large base size to
communicate computer security risk information is an effective way to lower risk-taking
behavior of users.
Keywords: Framing, Computer Security, Risk, Decision-making

ACKNOWLEDGMENTS
I am extremely fortunate to have my committee members: Dr. Fiona Fui-Hoon
Nah, Dr. Keng Siau and Dr. Richard Hall. I have learned so much from these amazing
scholars and their guidance in my path to becoming a researcher. I am grateful to them
for their crucial remarks that shaped this thesis. I would like to express my gratitude to
my advisor, Dr. Fiona Nah. This thesis would have been impossible without her support,
guidance, and encouragement. Her patience, knowledge, and vast experience in research
have been exceptional. It has been a great learning experience under her guidance.
I am also grateful to have the learning environment offered by the Department of
Business and Information Technology and the professors who opened an academic
window for me. The opportunities created by the faculty, and supported by administrators
and staff, make learning a joyous and meaningful experience.
I would like to thank the Center for Technology Enhanced Learning (CTEL) for
the financial support in recruiting subjects. I would like to express my gratitude to all the
Laboratory of Information Technology and Evaluation (LITE) students for pilot testing
the experimental study. I also thank the National Science Foundation for the research
funding.
I would like to thank all my friends for having faith in me and encouraging me
throughout my master’s degree program.
Finally, I am truly grateful to my parents, who provided me with endless love and
faith.

TABLE OF CONTENTS
ABSTRACT
ACKNOWLEDGMENTS
LIST OF ILLUSTRATIONS
LIST OF TABLES
SECTION
1. INTRODUCTION
2. LITERATURE REVIEW
2.1. COMPUTER SECURITY DECISION-MAKING
2.2. SUSCEPTIBILITY TO COMPUTER SECURITY THREATS
2.3. FRAMING EFFECTS IN CYBERSECURITY DECISION-MAKING
3. THEORETICAL FOUNDATION AND HYPOTHESES
3.1. THEORETICAL FOUNDATION
3.1.1. Prospect Theory
3.1.2. Theory of Reasoned Action and Theory of Planned Behavior
3.1.3. Technology Acceptance Model
3.2. HYPOTHESES AND RESEARCH MODEL
4. RESEARCH METHODOLOGY
4.1. SUBJECTS
4.2. RESEARCH PROCEDURES
4.3. VARIABLES AND OPERATIONALIZATION
4.3.1. Framing
4.3.2. Base Size
4.4. MEASUREMENT
4.4.1. Perceived Risk
4.4.2. Download Intention
4.4.3. Download Decision
4.4.4. General Information Security Awareness
4.4.5. Self-Efficacy
4.4.6. Cybersecurity Awareness
4.4.7. Internet Structural Assurance
4.4.8. General Risk-Taking Tendencies
4.4.9. Computer Security Risk-Taking Tendencies
4.4.10. Framing Manipulation Check
4.4.11. Subject Background Questionnaire
5. DATA ANALYSIS
5.1. DEMOGRAPHIC INFORMATION OF SUBJECTS
5.2. MEASUREMENT VALIDATION
5.3. REPEATED MEASURES ANALYSIS OF VARIANCE
5.3.1. Check for Assumptions
5.3.2. Results of Repeated Measures ANOVA
5.3.2.1. Tests of between-subjects effects (framing)
5.3.2.2. Tests of within-subjects effects (base size)
5.4. MIXED MODEL REGRESSION ANALYSIS
6. DISCUSSIONS
7. LIMITATIONS AND FUTURE RESEARCH
8. CONCLUSIONS
APPENDICES
A. SCENARIO DETAILS
B. EXPERIMENTAL CONDITIONS
C. QUESTIONNAIRE
D. QUESTIONNAIRE OF DEMOGRAPHICS INFORMATION
BIBLIOGRAPHY
VITA

LIST OF ILLUSTRATIONS

Figure 3.1. Value Function
Figure 3.2. Theory of Planned Behavior and Theory of Reasoned Action
Figure 3.3. Technology Acceptance Model
Figure 3.4. Research Model
Figure 5.1. SPSS Explore Output: Boxplot for Perceived Risk in Small Base Size
Figure 5.2. SPSS Explore Output: Boxplot for Perceived Risk in Medium Base Size
Figure 5.3. SPSS Explore Output: Boxplot for Perceived Risk in Large Base Size
Figure 5.4. Main Effect of Framing Across Three Levels of Base Size

LIST OF TABLES

Table 2.1. Summary of Research on Susceptibility to Computer Security Threats
Table 2.2. Summary of Research on Framing Effects on Decision-Making
Table 4.1. Operationalization of Base Size in Positive Framing
Table 4.2. Operationalization of Base Size in Negative Framing
Table 4.3. Measurement Scale for Perceived Risk
Table 4.4. Measurement Scale for Download Intention
Table 4.5. Measurement Scale for General Information Security Awareness
Table 4.6. Measurement Scale for Self-Efficacy
Table 4.7. Measurement Scale for Cybersecurity Awareness
Table 4.8. Measurement Scale for Internet Structural Assurance
Table 4.9. Measurement Scale for General Risk-Taking Tendencies
Table 4.10. Measurement Scale for Computer Security Risk-Taking Tendencies
Table 5.1. Summary of Demographic Details of Subjects
Table 5.2. Results of Exploratory Factor Analysis (with all measurements)
Table 5.3. Results of Factor Analysis (after removing GISA, CSRT, and CA6)
Table 5.4. Results of Reliability Analysis
Table 5.5. Descriptive Statistics of Between-Subjects Effects for Framing
Table 5.6. Tests of Between-Subjects Effects
Table 5.7. Descriptive Statistics for Perceived Risk at Three Levels of Base Size
Table 5.8. Tests of Within-Subjects Effects of Base Size
Table 5.9. Results of the Bonferroni Post-Hoc Tests
Table 5.10. Tests of Perceived Risk Effects on Download Decision
Table 5.11. Tests of Download Intention Effects on Download Behavior
Table 5.12. Results of Hypothesis Testing

1. INTRODUCTION
Computer security threats are common on the Internet. To reduce cybersecurity
risks and protect users’ private information, computer security scientists are working
toward providing security warnings, security indicators, pop-up windows, and other types
of warning systems when users are at risk of cybersecurity threats. Users play a
fundamental role in identification and prevention of computer threats (Stanton et al.,
2004). They are expected to assess cybersecurity threats before they conduct online
transactions, access a URL, or download files or applications. For example, users make
decisions related to downloading software from anonymous sources and providing
personal information to conduct online transactions. Their choices could bring negative
outcomes, such as data and information leakage and damage to their personal computer.
A report by IBM indicates that more than 95% of the security occurrences in IBM
were attributed to human errors (IBM Corporation, 2014). As the “weakest link” in the
security chain, people sometimes fail to detect threats. Users’ ability to identify security
risks is crucial in an online environment. Therefore, it is important to study users’
behavior in the computer security context.
Identification of security risks is dependent on users’ perceptions and behavior
toward potential threats. Some of the previous studies on cyber threats have focused on
comparing physical or structural cues and miscues (Jakobsson & Ratkiewicz, 2006;
Darwish & Bataineh, 2012; Smith et al., 2016). They also looked at Internet users’ ability
to interpret cues and miscues that are embedded in web pages or emails. Moreover,
researchers have studied human factors that are associated with users’ online behavior,
including individual differences, gender differences, human cognitive limitations, and
other factors influencing how users distinguish between legitimate and fraudulent
messages (Dhamija et al., 2006; Downs et al., 2006).
Aytes and Conolly’s (2004) decision model suggests that users’ online behavior is
driven by their assessment of the outcomes of risk-averse and risk-taking actions. Their
study shows the importance of cybersecurity knowledge and awareness, as well as the
impact of hazard attitudes on behavior. A crucial aspect of users’ behavior in
cybersecurity is how users assess and perceive the messages of computer threat warnings.
Thus, users’ risk perceptions play a crucial role in attaining computer security.
The goal of this research is to explore how computer security risk information can
be presented to reduce users’ risk-taking decision-making and behavior. A laboratory
experiment was conducted to examine the impact of framing of cyber security scenarios
and presentation of risk information of different base sizes on users’ risk perceptions and
behavior. Specifically, we are interested in studying whether negatively framed messages
give rise to risk-averse actions more than positively framed messages and whether
increasing the base size of the evidence of computer threats decreases users’ risk-taking
behavior.
This thesis is organized as follows. Section 2 presents a review of related
literature. Section 3 presents the theoretical foundation and hypotheses. Section 4
describes the research methodology, design, and procedure. Section 5 and Section 6
present and discuss the findings. The limitations and future research directions are
presented in Section 7. Section 8 concludes the thesis.

2. LITERATURE REVIEW
Research on usable computer security has focused on understanding human factors
and improving systems to foster safer user behavior in the context of computer security.
This section provides a review of the literature on human factors in computer security,
especially in the context of users’ susceptibility to cyber-attacks.

2.1. COMPUTER SECURITY DECISION-MAKING
Understanding human cognition and the decision-making process is key to explaining
users’ behavior when faced with cybersecurity threats. Hence, we need to open up the
‘black box’ in order to understand users’ cyber decisions, such as decisions to click through
a link embedded in an email, download files from websites, or enter personal information
on e-commerce websites or social media.
Several studies have focused on developing better interface and warning design to
get the attention of users in order to foster safer cybersecurity behavior. Researchers have
studied security warnings from multiple perspectives. In a laboratory study to assess the
effectiveness of phishing warnings, it was found that more than 90% of the participants
fell into the trap of phishing emails without any warnings (Egelman et al., 2008). In
contrast, when active warnings popped up on the screen, 79% of the participants
avoided the phishing attack. Based on these findings, it was recommended that warnings
or indicators be provided to convey recommended actions to users even though they may
interrupt the users’ work. In a large-scale field study that assessed the effectiveness of
browser security warnings using the telemetry platforms of Firefox and Chrome, it was found
that more participants entered personal information when there were no active warning
indicators than when active warning indicators were provided (Akhawe & Felt, 2013).
The findings in another study indicate that opinionated framing or design increases
adherence by users through decreasing the rate of click-through of SSL warnings (Felt et
al., 2015).
Smith, Nah, and Cheng (2016) examined user assessment of security levels in e-
commerce by varying cues/miscues (i.e., HTTP vs. HTTPS, fraudulent vs. authentic
URL, padlocks beside fields) presented on web pages. They conducted a within-subjects
experiment where users rated their perceived security, trustworthiness, and safety after
examining each of the e-commerce web pages that vary in these cues/miscues. They
found that padlocks provided beside a field (i.e., miscues) do not affect user perceptions
of security but primed subjects to look for more important security cues, such as HTTP
vs. HTTPS.

2.2. SUSCEPTIBILITY TO COMPUTER SECURITY THREATS
Human factors, such as past experience, culture, and concerns with Internet
security, are expected to influence user security behaviors. In a study that investigated the
relationship between demographic characteristics and phishing susceptibility, participants
were asked to complete a background survey before they proceeded to a roleplay on
phishing, where they were asked to click on a phishing link or enter personal information
on phishing websites (Sheng et al., 2010). The study discovered two predictors of
phishing susceptibility: gender and age. Specifically, the results indicated that women
were more likely than men to fall into the phishing trap. The authors provided a possible
reason for the gender difference by suggesting that women tend to have less technical
knowledge than men. Moreover, individuals of 18-25 years of age were more susceptible
to phishing. This group appears to be more susceptible because participants in this age
group have lower levels of education, less experience on the Internet, and less of an
aversion to risks.
Flores, Holm, Nohlberg, and Ekstedt (2015) examined the influence of
demographic, cultural, and personal factors on phishing. Participants from nine
organizations in Sweden, USA, and India participated in their survey to compare users’
behavior in response to phishing attacks across users of different cultural backgrounds.
The results did not indicate any relationship between phishing and age or gender, but they
found that intention to resist social engineering, formal IS training, computer experience,
and computer security awareness have a significant effect on reactions to phishing.
Additionally, the results indicate that the correlation between phishing determinants and
employees’ actual phishing behavior differs between Swedish, US, and Indian
employees.
In a study by Goel, Williams, and Dincelli (2017), phishing emails were sent to
more than 7000 undergraduate students and their responses to the phishing emails were
recorded. The phishing message contained different rewards, such as a gift card, tuition
assist, and a bank card. The results show that susceptibility varies across users with
different demographics (i.e., major and gender). Females were more likely to open
phishing emails, with an overall rate of 29.9% compared to 24.4% among males, and the
rate varies based on the content in the emails. Participants with business education
background had the highest opening/clicking link rate compared to those with social
science, business and STEM background. Based on the results, the authors suggest
developing context-based education to decrease susceptibility to phishing attacks on the
Internet.

In another study that examined the effect of gender and personality on phishing,
females were found to be more vulnerable to phishing (Halevi et al., 2013). In their study,
53% of women were phished as compared to 14% of men. The authors attributed the
behavior to females being more comfortable with online shopping and digital
communication than males. Moreover, they found that people who fell into the phishing
trap have very high neuroticism. A possible explanation for why neuroticism could result in
susceptibility to phishing attacks is that neuroticism may cause people to be more upset
when deceived, and therefore they would rather believe that things and people are
generally truthful.
Vishwanath (2015) studied the influence of e-mail habits and cognitive processing
on phishing susceptibility. Phishing emails were sent to college students to assess their
responses. The students were asked to complete a survey on their background and
demographic information. The results indicate that e-mail habits are determined by
individual personality traits of conscientiousness and emotional stability, and cognitive
processing was premised on information adequacy. Basically, there are two routes of
cognitive processing: heuristic and systematic (Chaiken & Eagly, 1989). Heuristic
processing uses judgmental rules that are learned and stored in memory, whereas
systematic processing includes comprehensive and analytic processing of judgement-
relevant information. This study found that heuristic processing and strength of email
habits led to an increase in victimization.
Table 2.1 provides a summary of the influence of user characteristics on
susceptibility to computer security threats.

Table 2.1. Summary of Research on Susceptibility to Computer Security Threats

| Reference | Research Focus | Summary of Findings |
|---|---|---|
| Sheng et al., 2010 | Investigated the relationship between demographic characteristics and phishing susceptibility | Females are more susceptible to phishing email than males. 18-25-year-old individuals formed the most susceptible age group. |
| Flores et al., 2015 | Examined the influence of demographic, cultural, and personal factors on phishing | The results did not find any relationship between phishing and age or gender, but they found that intention to resist social engineering, formal IS training, computer experience, and computer security awareness have a significant effect on reactions to phishing. |
| Goel et al., 2017 | Explored if susceptibility varies across users with different demographics (i.e., major and gender) | Females were more likely to open phishing emails, with an overall rate of 29.9% compared to 24.4% among males, but the rate varies based on the content in the emails. Participants with business education background had the highest opening/clicking link rate compared to those with social science, business and STEM background. |
| Halevi et al., 2013 | Examined the effect of gender and personality on phishing | Females were found to be more vulnerable to phishing. Neuroticism is correlated with susceptibility to phishing. |
| Vishwanath, 2015 | Studied the influence of e-mail habits and cognitive processing on phishing susceptibility | Heuristic processing and email habits led to an increase in victimization. |

2.3. FRAMING EFFECTS IN CYBERSECURITY DECISION-MAKING
Prospect theory suggests that decision-making under risk depends on whether the
potential outcome is perceived as a gain or a loss (Kahneman & Tversky, 1979). Tversky
and Kahneman (1981) proposed that choices between options can be affected by the
framing of the options. Their findings indicate that people tend to avoid risks under gain
frames but seek risks under loss frames. Moreover, losses have a greater impact on
people’s decision-making than gains. In addition, when subjects were required to explain
their choices, the framing effect tended to be reduced (Larrick et al., 1992). The framing
effect could be eliminated if users are encouraged to think through the rationale
underlying their choices (Takemura, 1994). Also, if users are experts in a particular area,
the framing effect will also be reduced (Davis and Bobko, 1986).
Various researchers have utilized prospect theory to study users’ behavior in the
information science field. They evaluate the impact of positively vs. negatively framed
messages on users’ decision-making, including financial decisions (Brewer & Kramer,
1986), idealness of messages, perceived prominence (Aaker & Lee, 2001), and threat
awareness (Lee & Aaker, 2004).
However, the results of empirical studies on the effect of framing are not
consistent. An experiment conducted by Rosoff, Cui, and John (2013) examined the
effect of gain and loss framing on user decisions, including downloading a music file,
installing a plug-in for an online game, and downloading a media player to legally stream
video. The study investigated whether and how human decision-making depends on gain-
loss framing and the salience of a prior near-miss experience. They examined one kind of
near-miss experience, resilient near-miss, which refers to the case where a user had a
near-miss experience on a cyber-attack. They carried out a 2 x 2 factorial design and
manipulated two levels of each of the two independent variables: frame (gain vs. loss
framing) and previous near-miss experience (absence vs. presence). Their results indicate
that users tend to follow a safe practice when they have prior experience with a near-miss
cyber-attack. They also concluded that females are more likely to select a risky choice
compared to males. Unexpectedly, the results suggest that subjects were indifferent
between safe versus risky decision options when the outcomes were framed as gains or
losses.
Cybersecurity researchers have also expanded the definition of “gain-loss” framing. In
Valecha et al.’s (2016) study, “gain” was operationalized using a reward-based phishing
email and “loss” was operationalized using a risk-based phishing email. Reward-based
persuasion is designed to attract users by offering a reward or benefit. An example is an
email that informs the recipient about winning a lottery. On the other hand, risk-based
persuasion is designed to scare people by highlighting a potential risk. The study found
that the presence of both reward-based persuasion (gain frame) and risk-based persuasion
(loss frame) increases response likelihood.
Chen, Gates, Li, and Proctor (2015) conducted three experiments to assess the
influence of negatively and positively framed summary of risk information on app-
installation decisions. Risk information was framed as the amount of risk (negative
framing) or amount of safety (positive framing) in the experimental conditions. The
results suggest that the summary that was positively framed (as the amount of safety) has
a greater effect on app-installation decisions than the negatively framed (as the amount of
risk) summary. Hence, a valid index that is framed positively by focusing on safety can
be developed to increase users’ app-installation decisions.
Table 2.2 provides a summary of the literature on the effects of framing on
decision-making.

Table 2.2. Summary of Research on Framing Effects on Decision-Making

| Reference | Research Focus | Summary of Findings |
|---|---|---|
| Tversky & Kahneman, 1981 | Impact of monetary losses and gains on users’ behavior | Users perceived losses more seriously than gains. |
| Beebe et al., 2014 | Effect of framing of messages on user’s financial decision | Users tend to be more risk-taking when presented with a case of financial losses than gains. |
| Chen et al., 2015 | The influence of summary risk information on app-installation decisions | Positive framing (safety index) decreases users’ risk-taking behavior. |
| Rosoff et al., 2013 | The influence of gain-loss framing on decision-making | Subjects were indifferent between safe versus risky decision options when the outcomes were framed as gains or losses. |
| Valecha et al., 2016 | The effect of reward-based vs. risk-based phishing email on response | Both reward-based and risk-based phishing emails increase response likelihood. |

3. THEORETICAL FOUNDATION AND HYPOTHESES
Section 3 reviews theories from behavioral science and psychology to provide the
foundation for this research.

3.1. THEORETICAL FOUNDATION
We draw on theories from behavioral science and psychology to provide the
foundation for this research. Specifically, we draw on the principles of decision making
under risks and uncertainty in Prospect Theory to analyze user perceptions associated
with computer security, and Theory of Reasoned Action, Theory of Planned Behavior,
and Technology Acceptance Model to generate hypotheses on user behavior in the
context of computer security.
3.1.1. Prospect Theory. People do not always make rational decisions because
they value gains and losses differently. Prospect theory is a descriptive theory that
focuses on this phenomenon and addresses how people make decisions when they are
facing choices involving risks and uncertainty (e.g., different likelihood of gains and
losses). Tversky and Kahneman (1981) proposed that people make choices based on the
phrasing or framing of the options. They also explored how different framing affects
choices in a hypothetical life and death situation in 1981, which is known as the “Asian
disease problem”. The subjects were told that “the U.S. is preparing for the outbreak of
an unusual Asian disease, which is expected to kill 600 people” (Tversky and Kahneman,
1981, p. 453). They were provided with two options, one predicted to result in 400
deaths and the other predicting a 33% chance that everyone would live and a 67%
chance that everyone would die.

Half of the subjects were given two positively framed options:
A. 200 people will be saved (a certain outcome)
B. 1/3 probability of saving 600 people and 2/3 probability of saving none
(an uncertain outcome)
The other half of the subjects were given two negatively framed options:
C. 400 people will die (a certain outcome)
D. 1/3 probability that none will die and 2/3 probability that 600 will die (an
uncertain outcome)
Expected Utility Theory (Mongin, 1997), which is an alternate theory to prospect
theory in decision-making, assumes that people choose the option that gives the
decision maker the highest satisfaction. From the perspective of Expected Utility Theory, the
two options (i.e., a certain one and an uncertain one) in positive framing are
mathematically equivalent to the two options in negative framing since they provide the
same utility (satisfaction). “200 people will be saved” implies that among 600 people,
200 will surely be saved, so one-third of the 600 people will not die,
while “400 people will die” in the negative frame implies that two-thirds of the 600
people will die. As a result, subjects are expected to choose between the options in a similar way
regardless of the frame of the problem. In other words, based on Expected Utility Theory,
the percentage of risky choices is expected to be the same (or at least similar) under both
framings.
Surprisingly, in the positively framed scenario, 72% of the subjects selected the
certain option and 28% selected the risky option. In contrast, in the negatively
framed scenario, only 22% of the subjects selected the certain outcome and 78% selected
the risky option. The results suggest that when provided with positive prospects, people
are more willing to go for the certainty of saving 200 people and refuse the possibility
that no one will be saved. On the other hand, when provided with negative prospects,
people would rather pursue the option with uncertainty, due to the fear of a large loss of
400 people’s lives. In other words, people have the tendency to avoid losses and optimize
for sure wins since the pain of losing is greater than the satisfaction of an equivalent gain.
Thus, people are risk-averse in positive framing and risk-seeking in negative framing.
This phenomenon, termed the “framing effect”, describes a common cognitive bias in
decision-making.
Prospect theory uses two factors to explain the framing effect: the reference point,
and the value function. The reference point refers to the status quo, determining how the
outcomes are framed, either positively or negatively. When outcomes are greater than the
reference point, they will be considered as gains, while they will be considered as losses
when the outcomes are less than the reference point. Kahneman and Tversky (1979) used
a value function to explain and depict the difference in risk preferences among choices
involving gains and losses. The value function is a cubic parabola type curve, which is
nearly asymmetrical in gain and loss domains (see Figure 3.1). The gain side is concave,
which suggests that people are risk-averse when they make choices involving gains,
whereas the loss side of the curve is convex, indicating that people tend to be risk-seeking
when they make choices involving losses. Moreover, the value function is steeper for
losses than gains, representing individuals weighing losses more heavily than gains.
In the “Asian disease” problem, the reference points in each framing are different.
The positive framing refers to saving lives, so the status quo is “zero people saved”; thus
both options suggest a potential gain. In contrast, the negatively framed problem
refers to death. The reference point, in this case, is “zero people died”, so the two options
can be viewed as losses. Drawing on the value function, the result of the Asian Disease
problem can be explained as follows: the risky option is preferred in negative framing
because people are risk-seeking in order to avoid larger losses; the option with certainty
is preferred in positive framing because people are risk-averse and more willing to go
with sure gains.

Figure 3.1. Value Function
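
The preference reversal in the Asian disease problem can be reproduced numerically. The following is an added example, not part of the thesis: it assumes a power-form value function with the parameter estimates α = 0.88 and λ = 2.25 reported by Tversky and Kahneman in 1992 (neither the form nor the values appear in this text), and it leaves out probability weighting.

```python
"""Asian disease problem: expected value vs. a prospect-theory value function.

Added illustration, not code from the thesis. The power-form value function and
its parameters are assumptions (Tversky & Kahneman's 1992 estimates).
"""
from fractions import Fraction

ALPHA = 0.88   # assumed curvature: < 1 gives concave gains and convex losses
LAMBDA = 2.25  # assumed loss-aversion coefficient: losses weigh more than gains

# Each option is a list of (probability, outcome) pairs. Outcomes are measured
# from the frame's reference point: lives saved (gains) or lives lost (losses).
POSITIVE_FRAME = {
    "A": [(Fraction(1), 200)],
    "B": [(Fraction(1, 3), 600), (Fraction(2, 3), 0)],
}
NEGATIVE_FRAME = {
    "C": [(Fraction(1), -400)],
    "D": [(Fraction(1, 3), 0), (Fraction(2, 3), -600)],
}


def value(x):
    """Subjective value of an outcome x relative to the reference point."""
    if x >= 0:
        return float(x) ** ALPHA
    return -LAMBDA * float(-x) ** ALPHA


def expected_value(option):
    """Probability-weighted outcome, the quantity on which the frames agree."""
    return sum(p * x for p, x in option)


def prospect_value(option):
    """Probability-weighted subjective value (no probability weighting)."""
    return sum(float(p) * value(x) for p, x in option)


def certainty_equivalent(option):
    """Sure outcome whose subjective value equals that of the option."""
    v = prospect_value(option)
    if v >= 0:
        return v ** (1 / ALPHA)
    return -((-v / LAMBDA) ** (1 / ALPHA))


def preferred(frame, score):
    """Name of the option in a frame that maximizes the given score."""
    return max(frame, key=lambda name: score(frame[name]))


if __name__ == "__main__":
    for label, frame in (("positive", POSITIVE_FRAME), ("negative", NEGATIVE_FRAME)):
        print(f"{label} frame")
        for name, option in frame.items():
            print(
                f"  {name}: expected value {float(expected_value(option)):7.1f}, "
                f"prospect value {prospect_value(option):7.1f}, "
                f"certainty equivalent {certainty_equivalent(option):7.1f}"
            )
        print(f"  preferred under the value function: {preferred(frame, prospect_value)}")
```

The certainty equivalents make the risk attitudes concrete: the gamble in the positive frame is worth less than the sure 200 lives saved, while the gamble in the negative frame is worth more than the sure loss of 400 lives.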

3.1.2. Theory of Reasoned Action and Theory of Planned Behavior. Theory of
Reasoned Action (TRA) and Theory of Planned Behavior (TPB) provide a theoretical
foundation for modelling users’ behavior in the computer security context.
