10096_Impact of probable and guaranteed monetary value on cybersecurity behavior of users

Scholars’ Mine
Scholars’ Mine
Masters Theses
Student Theses and Dissertations
Summer 2018
Impact of probable and guaranteed monetary value on
Impact of probable and guaranteed monetary value on
cybersecurity behavior of users
cybersecurity behavior of users
Santhosh Kumar Ravindran
Follow this and additional works at: https://scholarsmine.mst.edu/masters_theses
Part of the Technology and Innovation Commons
Department:
Department:
Recommended Citation
Recommended Citation
Ravindran, Santhosh Kumar, “Impact of probable and guaranteed monetary value on cybersecurity
behavior of users” (2018). Masters Theses. 7808.
https://scholarsmine.mst.edu/masters_theses/7808
This thesis is brought to you by Scholars’ Mine, a service of the Missouri S&T Library and Learning Resources. This
work is protected by U. S. Copyright Law. Unauthorized use including reproduction for redistribution requires the
permission of the copyright holder. For more information, please contact scholarsmine@mst.edu.

IMPACT OF PROBABLE AND GUARANTEED MONETARY
VALUE ON CYBERSECURITY BEHAVIOR OF USERS
by
SANTHOSH KUMAR RAVINDRAN
A THESIS
Presented to the Faculty of the Graduate School of the
MISSOURI UNIVERSITY OF SCIENCE AND TECHNOLOGY
In Partial Fulfillment of the Requirements for the Degree
MASTER OF SCIENCE IN INFORMATION SCIENCE & TECHNOLOGY
2018
Dr. Fiona Fui-Hoon Nah, Advisor
Dr. Keng Siau
Dr. Richard Hall

ii

 2018
Santhosh Kumar Ravindran
All Rights Reserved

iii
ABSTRACT

This research examines the impact of probable and guaranteed monetary gains and
losses on users’ cybersecurity behavior. It also examines perceptual outcomes such as
threat severity, trust, and fear that are associated with users’ cybersecurity behavior.
Drawing on Prospect Theory in the behavioral economics and decision-making literature,
hypotheses were generated for the research. The hypotheses state that: (i) users are more
willing to engage in risky computer security behavior to avoid a loss than to receive a gain,
(ii) users exhibit a higher tipping point of expected monetary value to receive a gain than
to avoid a loss for engaging in risky computer security behavior, (iii) users are more willing
to engage in risky computer security behavior to avoid a guaranteed loss than a probable
loss, controlling for the amount of expected loss, (iv) users are more willing to engage in
risky computer security behavior to receive a guaranteed gain than a probable gain,
controlling for the amount of expected gain, and (v) users exhibit a higher tipping point of
expected monetary value to engage in risky computer security behavior when presented
with a probable gain (or loss) as compared to a guaranteed gain (or loss). A 2 x 2 between-
subjects experimental design was used to test the hypotheses. The findings indicate that
there is no difference in users’ risky computer security behavior between receiving a gain
and avoiding a loss. However, users exhibit a higher tipping point of expected monetary
value for probable gains and losses than guaranteed gains and losses.

Keywords: Cybersecurity, Prospect Theory, Gain, Loss, Monetary Value.

iv
ACKNOWLEDGMENTS

I would like to express my gratitude to my advisor, Dr. Fiona Fui-Hoon Nah, for
the endless support, guidance, and encouragement. Her patience, knowledge, and vast
experience in research has been exceptional. She helped me from the start till the end of
this research and provided me with all the guidance and help required to complete my
research as well as assisted me with data analysis. It has been a great learning experience
under her guidance.
I would like to express my gratitude to the rest of my thesis committee members,
Dr. Keng Siau and Dr. Richard Hall, for their support, feedback, and suggestions that
helped me to further improve and enhance this research.
I would like to thank Dr. Barry Flachsbart. Ms. Yu-Hsien Chiu, Dr. Steve Liu, Dr.
Chevy Fang, Dr. Sarah Stanley, Dr. Nathan Twyman, Dr. Richard Hall, Dr. Hongxian
Zhang, Dr. Keng Siau, and Dr. Carla Bates for allowing me to recruit subjects for the
experiment in their classes. I would also like to acknowledge the Psychology department
for offering subjects for the experiment.
I would like to express my gratitude to all the Laboratory of Information
Technology and Evaluation (LITE) students, especially to Cooper Broman, Alec Mcdaniel,
Kyle Johnson, Luis Emmanuel Ocampo, Bryan Fox, and Andrew Hackett, for pilot testing
the experimental study and in helping me to set up lab sessions for conducting the
experimental study. I also thank National Science Foundation for the research funding.
Finally, I would like to thank my family and all my friends for having faith in me
and encouraging me throughout my master’s degree program.

v
TABLE OF CONTENTS

Page
ABSTRACT
……………………………………………………………………………………………………….. iii
ACKNOWLEDGMENTS ……………………………………………………………………………………. iv
LIST OF ILLUSTRATIONS
………………………………………………………………………………. viii
LIST OF TABLES
………………………………………………………………………………………………. ix
SECTION
1. INTRODUCTION ……………………………………………………………………………………….1
2. LITERATURE REVIEW ……………………………………………………………………………..3
2.1. EFFECT OF USER BEHAVIOR ON INFORMATION SECURITY
………….3

2.2. MESSAGE FRAMING …………………………………………………………………………8
3. THEORETICAL FOUNDATION AND HYPOTHESES ……………………………….12
3.1. THEORETICAL FOUNDATION: PROSPECT THEORY
………………………12
3.2. HYPOTHESES …………………………………………………………………………………..15
4. RESEARCH METHODOLOGY …………………………………………………………………22
4.1. EXPERIMENTAL DESIGN ………………………………………………………………..22
4.2. RESEARCH PROCEDURES
……………………………………………………………….26
4.3. MEASUREMENT ………………………………………………………………………………28
4.3.1. Importance of Primary Computer …………………………………………………28
4.3.2. Threat Severity
…………………………………………………………………………..29
4.3.3. Trust
…………………………………………………………………………………………30
4.3.4. Fear ………………………………………………………………………………………….31

vi
4.3.5. Tolerance towards Ads ……………………………………………………………….31
4.3.6. Manipulation Check
…………………………………………………………………..32
4.3.7. Demographics and Subject’s Background Questionnaire ………………..33
4.3.8. Cybersecurity Awareness Questionnaire
……………………………………….33
4.3.9. Check Questions ………………………………………………………………………..34
4.4. PILOT TESTS ……………………………………………………………………………………35
5. DATA ANALYSIS ……………………………………………………………………………………36
5.1. DEMOGRAPHIC INFORMATION OF SUBJECTS ………………………………37
5.2. MEASUREMENT VALIDATION ……………………………………………………….39
5.3. MULTINOMIAL LOGISTIC REGRESSION ANALYSIS ……………………..43
5.4. CHI-SQUARE ANALYSIS………………………………………………………………….49
5.5. UNIVARIATE ANALYSIS OF VARIANCE FOR TIPPING POINT ………52
6. DISCUSSIONS………………………………………………………………………………………….58
7. LIMITATIONS AND FUTURE RESEARCH ………………………………………………61
8. CONCLUSIONS ……………………………………………………………………………………….63
APPENDICES
A. SCENARIO DETAILS
………………………………………………………………………………65
B. EXPERIMENTAL CONDITIONS
……………………………………………………………..67
C. MANIPULATION CHECK QUESTIONS …………………………………………………..72
D. CONTROL CONDITION ………………………………………………………………………….74
E. QUESTIONNAIRE TO ASSESS PERCEPTUAL OUTCOMES
…………………….79

F. QUESTIONNAIRE TO ASSESS DEMOGRAPHICS INFORMATION
………….82

vii
G. QUESTIONNAIRE TO ASSESS USERS’ CYBERSECURITY
AWARENESS ………………………………………………………………………………………….84

BIBLIOGRAPHY
………………………………………………………………………………………………..86
VITA ………………………………………………………………………………………………………………….92

viii
LIST OF ILLUSTRATIONS

Page
Figure 3.1. Prospect Theory
…………………………………………………………………………………..14
Figure 4.1. Logic of Experimental Scenarios …………………………………………………………..25
Figure 5.1. Interaction between Monetary Polarity and Certainty on Tipping Value …….56

ix
LIST OF TABLES

Page
Table 2.1. Summary of Literature Review on the Effect of User Behavior on
Information Security ………………………………………………………………………………6
Table 2.2. Summary of Literature Review on Message Framing ………………………………..10
Table 4.1. Measurement Scale for Importance of Primary Computer
………………………….29
Table 4.2. Measurement Scale for Threat Severity
……………………………………………………30
Table 4.3. Measurement Scale for Trust
………………………………………………………………….30
Table 4.4. Measurement Scale for Fear …………………………………………………………………..31
Table 4.5. Measurement Scale for Tolerance towards Ads ………………………………………..32
Table 4.6. Measurement Scale for Manipulation Check…………………………………………….33
Table 4.7. Measurement Scale for Cybersecurity Awareness …………………………………….34
Table 4.8. Measurement Scale for Check Questions …………………………………………………35
Table 5.1. Summary of Demographic Details of Subjects
………………………………………….37
Table 5.2. Results of Factor Analysis (with all measurements) ………………………………….40
Table 5.3. Results of Factor Analysis (after removing TA3 and IPC2) ……………………….41
Table 5.4. Results of Reliability Analysis ……………………………………………………………….42
Table 5.5. Results of Multinomial Logistic Regression Analysis for Expected
Monetary Value of $100 ……………………………………………………………………….45

Table 5.6. Results of Multinomial Logistic Regression Analysis for Expected
Monetary Value of $100 in Loss Conditions
…………………………………………….48

Table 5.7. Results of Multinomial Logistic Regression Analysis for Expected
Monetary Value of $100 in Gain Conditions
…………………………………………….48

Table 5.8. Descriptive Statistics of Chi-Square Analysis …………………………………………..50

x
Table 5.9. Results of Chi-Square Analysis ………………………………………………………………51
Table 5.10. Descriptive Statistics of the Univariate Analysis of Variance
……………………53
Table 5.11. Results of Tests of Between Subjects Effects for Tipping Point
………………..54
Table 5.12. Results of Hypothesis Testing ………………………………………………………………57
1

1. INTRODUCTION

The architecture of information security in an organization is dependent on the
users, technology, and cybersecurity policies. Users play a significant role as they interact
with the different components of an organization’s information security architecture. A
study by Sasse et al. (2001) indicates that users are a main cause of intrusions to the
cybersecurity infrastructure in organizations. They found that the actions of users toward
cybersecurity threats act as major causes of malicious intrusions and cybersecurity attacks.
Users are advised to follow standard information security policies framed by the
information security division of their organization, even though many do not, and instead,
they based their actions on personal judgements. Chan and Mubarak (2012) state that the
lack of cybersecurity knowledge is one of the main causes for cybersecurity threats in
organizations. Major cybersecurity vulnerabilities in organizations are mainly caused by
the lack of awareness about information security policies which can lead to attacks such as
phishing, malware, mal-advertising, and drive-by downloads.
Spontaneous actions or misjudgments of users in cybersecurity related scenarios,
such as those related to phishing emails or mal-advertisements, could pose a huge threat to
an organization’s security infrastructure. Chan and Mubarak (2012) found that despite
maintaining a highly secure infrastructure, the lack of security awareness about security
threats and attacks was the main reason for organizational vulnerability to cybersecurity
threats. For example: Users’ lack of awareness of phishing attacks or threats associated
with downloading software from untrusted developers could lead to loss of enterprise data
or data breaches in their organization. Although security awareness can be increased by

2
organizing training sessions and by explaining the information security policy to users,
improving security awareness alone does not guarantee that the rules in the organization’s
cybersecurity policy will be followed.
The literature indicates that users are the most vulnerable elements in the
cybersecurity infrastructure of an organization (Siponen, 2000a). Phishing attacks have
been the most common information security threat to organizations and have been the most
challenging attack to evade despite providing training to users. Most of the phishing
attacks that are targeted at users contain a persuasive message to either receive a benefit
(e.g., monetary gain) or overcome a threat (e.g., monetary loss). These messages persuade
users to take a risky cybersecurity action by downloading an uncertified software or visiting
a malicious website to avoid a loss or receive a benefit or gain. Such scenarios, which are
common online threats, warrant the need for further research to understand the impact of
monetary gains and losses on users’ cybersecurity risk taking behavior. For this thesis, we
conducted an experiment to assess the effect of probable and guaranteed monetary gains
and losses on users’ behavior in the context of cybersecurity.
This thesis is organized as follows. Section 2 presents a review of related literature.
Section 3 presents the theoretical foundation and hypotheses. Section 4 describes the
research methodology, design, and procedure. Section 5 provides the data analysis for the
research. Section 6 discusses the results. Section 7 provides the limitations and directions
for future research. Section 8 provides the conclusion for the thesis.

3
2. LITERATURE REVIEW

Chapter 2 provides a review of the literature on the effect of user behavior on
information security as well as on message framing in the context of information security.

2.1. EFFECT OF USER BEHAVIOR ON INFORMATION SECURITY
Various processes for managing cybersecurity, such as the standardized framework
for implementing security policies, exist in organizations. In this section, past empirical
studies that are related to factors influencing user behavior in the context of cybersecurity
will be reviewed. Siponen (2000a) states that users are the most vulnerable targets of
cybersecurity threats in an organization. His study indicates that end users in organizations
do not follow security guidelines, leading to cybersecurity threats such as phishing,
malware, and other attacks.
Siponen (2000b) also stresses that even though the importance of the role of
motivation in cybersecurity is largely understood, it is not practiced effectively in
organizations. A review of the existing literature also indicates that risk perception is a
factor influencing users’ course of actions. In the computer security domain, Farahmand
and Spafford (2013) state that individuals within an organization (i.e., insiders) may be
deterred from undesirable computer security behaviors by reducing their motivation to
misbehave and conveying that attempts to misbehave will present too much risk. As Vardi
and Weitz (2004) noted in their research, the role of the employees is significant for the
information security infrastructure of the organization, and it is very important for
employees to adhere to the organizational policies to avoid security threats. Shoshitaishvili

4
et al. (2014) analyzed a team competition in cybersecurity challenges. Tasks were used to
present different levels of risks to the teams, and it was found that teams were willing to
engage in riskier tasks if those tasks provided higher rewards, measured in terms of
competition points. In other words, the teams were willing to engage in riskier behavior
when they perceived a higher level of reward because of their actions. A study which was
based on Protection Motivation Theory (PMT) states that users’ behavior in information
security can be predicted using their self-efficacy (LaRose et al., 2008). Self-efficacy is
defined as a belief that a user possesses towards achieving or accomplishing certain goals
(LaRose et al., 2008). A survey-based research by Woon et al. (2005) indicates that
perceived severity, response cost, perceived susceptibility and self-efficacy have an effect
on cybersecurity behavior of users (Woon et al., 2005). Perceived severity refers to one’s
understanding of the severity of the consequences of an event. The authors found that users
decide on their choice of action based on perceived severity and perceived vulnerability.
Perceived vulnerability is defined as one’s assessment of the probability of a threatening
event and its effect on oneself. Response cost refers to perceived opportunity costs (which
can be either money, time, or effort) that the user experiences due to adoption of the
recommended behavior. The research study by Pahnila et al. (2007) on user behavior in
cybersecurity considers various other factors that include sanctions, information quality
and rewards to understand the possible effects of these factors on the cybersecurity
behavior of users (Pahnila et al., 2007).
Maddux and Rogers (1983) have shown that coping response has a positive
influence towards behavioral intents, which can result in implementation of the
recommended compliance behavior. Coping response refers to the behavioral responses

5
or actions that people take to overcome stressful situations (Maddux and Rogers, 1983).
Various studies in the literature have assessed the effect of fear appeal on cybersecurity
behavior of users when they are in a high-risk environment. Johnston and Warkentin
(2010) found that fear appeal could be used to persuade users to alter their cybersecurity
behavior in order to avoid cybersecurity threats and risks. The behavior of users also
depends on their self-efficacy and perceived threat vulnerability (Johnston & Warkentin,
2010).
In a review of the literature by Lebek et al. (2013), they summarized the reasons
for users’ security responses based on the most frequently applied theories in behavioral
sciences: Theory of Reasoned Action (TRA) / Theory of Planned Behavior (TPB), General
Deterrence Theory (GDT), Protection Motivation Theory (PMT), and Technology
Acceptance Model (TAM). Aurigemma & Panko (2010) found that the intentions of a user
to comply with information security policies (ISP) depends on his/her own evaluation and
belief towards the process.
Aurigemma and Panko (2010) also found that the greater the notion of control the
user develops over his or her actions, the greater is the intention to comply with the ISP of
the organization. Based on GDT, the research in criminal justice by D’Arcy et al. (2009)
indicates that the possible repercussions of a decision, such as perceived certainty of
sanctions or the loss that a user might face, influences his/her decision on ISP compliance.
In a study based on PMT by Bulgurcu et al. (2010), they found that a user’s attitude towards
the information security policies of an organization is often influenced by two factors,
threat appraisal and coping appraisal, where the user analyzes the threats involved and
adopts the technology to prevent cybersecurity threats.

6
Past literature also suggests that even though users possess prior knowledge about
cybersecurity threats and the suitable recommended actions, in some cases, the users take
risky cybersecurity actions for benefits or rewards (Lee & Kozar, 2005; Stanton et al.,
2005; Sasse et al., 2001). The Table 2.1 provides the summary of existing literature on the
effect of user behavior on information security.

Table 2.1. Summary of Literature Review on the Effect of User Behavior on
Information Security

Reference
Description
Theory
Aurigemma & Panko
(2010)
The authors found that
users’ intentions to comply
with information security
policies of the organization
depends on his/her own
evaluation and belief
towards the process.
Not Applicable
Bulgurcu et al. (2010)
The authors found that
users’ attitude is affected
by the cost associated with
the consequences of his/her
compliance/non-
compliance behavior.
Protection Motivation
Theory
D’Arcy et al. (2009)
The authors analyzed the
possible repercussions of a
decision such as the
perceived uncertainty of
sanctions or the loss that a
user might face and its
influence on his/her
decision on the ISP
compliance.
General Deterrence Theory

7
Table 2.1. Summary of Literature Review on the Effect of User Behavior on Information
Security (cont.)

Reference
Description
Theory
Johnston & Warkentin
(2010)

The authors proposed that
fear appeals affect users’
security behavioral intents,
but the effect is not
constant.
Fear Appeal Theory, and
Protection Motivation
Theory
LaRose et al. (2008)
The authors found that
users’ cybersecurity
behavior mainly depends
on social connections and
self-efficacy.
Protection Motivation
Theory and Social
Cognitive Theory

Lebek et al. (2013)
The authors identified the
reasons for users’ security
responses and summarized
them using four main
behavioral theories:
General Deterrence
Theory, Technology
Acceptance Model, Theory
of Planned Behavior, and
Protection Motivation
Theory.
Theory of Reasoned
Action, Theory of Planned
Behavior, Technology
Acceptance Model, and
General Deterrence Theory
Pahnila et al. (2007)
The authors found that
attitude, normative beliefs,
and habits influence ISP
compliance intention, and
threat appraisal and
facilitating conditions
influence attitude toward
compliance.
General Deterrence
Theory, Protection
Motivation Theory
Shoshitaishvili et al.
(2014)
The authors analyzed
users’ cybersecurity
behavior through a
competition in which teams
competed in cybersecurity
challenges. The study
observed that the teams
were willing to engage in
riskier behavior when they
perceived a higher level of
reward because of their
actions.
Not Applicable

8
Table 2.1. Summary of Literature Review on the Effect of User Behavior on Information
Security (cont.)

Reference
Description
Theory
Siponen (2000a)
The author analyzed
different methods to reduce
user related faults in
information systems
security and examined the
strengths and weaknesses
of these methods.
Theory of Planned
Behavior, Technology
Acceptance Model, Theory
of Reasoned Action, and
General Deterrence Theory
Woon et al. (2005)
The authors found that
users’ choice of action was
based on perceived severity
and perceived
vulnerability.
Protection Motivation
Theory

2.2. MESSAGE FRAMING
The literature has also examined the effect of positively and negatively framed
messages on users’ behavior (Aaker & Lee, 2001; Shiv, Edell & Payne, 2004). Various
studies have also been conducted to understand users’ behavior and decision-making
process based on Prospect Theory which states that the outcomes of an individual can be
influenced by the way the message is framed (Tversky & Kahneman, 1986). Users
generally select their choices by considering personal gains or losses conveyed in the
message. Prospect theory states that users tend to perceive losses more than gains, which
is also known as loss aversion (Tversky & Kahneman, 1984). Researchers explain loss
aversion as a behavior observed in people, where people try to avoid a loss in scenarios
where there is a risk involved (Tversky & Kahneman, 1984). The effect of message
framing across various decision-making perspectives has been studied from financial and
socio psychological standpoints, based on funds and social predicaments in a research

9
study by Brewer and Kramer (1986). Similarly, in the cybersecurity domain, researchers
have studied the impact of message framing on reliant variables covering threat awareness,
as stated in a research study by Lee and Aaker (2004). Message framing also includes
highlighting the advantages and the constructive aspects of selecting a choice or the
disadvantages of not selecting a choice (Aaker & Lee, 2001). Protection Motivation Theory
(PMT) based research studies related to health have been conducted to understand what
type of promotional messages would persuade a user, thereby preventing the user from
taking an action when confronted with a risk. Pechmann et al. (2003) examined the effects
of framing on decision-making behavior. Their study analyzed how antismoking messages
in a wellbeing context could spur a person when posed by a risk involving the harmful
effects of smoking. They found that negatively framed anti-smoking messages had more
impact on people compared to positively framed messages
Past research also suggests that users tend to be more inclined towards pursuing
risks, when they are presented with a case of financial losses which could affect the
financial budget of the organization (Beebe et al., 2014). Beebe et al. (2014) surveyed
industry professionals to understand their decision-making processes when responding to
information security budget requests. The findings suggest that decision makers may be
more inclined to take risks when presented with information security budget requests that
emphasize the financial losses (i.e., negative framing) that will impact the organization if
the budget requests are not met (Beebe et al., 2014).
The literature also indicates that users tend to show a high security behavior when
they are given a message that focuses on the benefits of performing a secure action, rather
than the negative outcomes of not performing it (Anderson & Agarwal, 2010). From the

10
findings of the study, the researchers found that users may perform cybersecurity actions
depending on how the potential gains or potential losses that would result from the actions
are presented to them (Anderson & Agarwal, 2010).
Research studies in the literature have examined the impact of message framing on
various reliant variables covering intents (Block & Keller, 1995) and threat awareness (Lee
& Aaker, 2003). Hence, we expect the cybersecurity behavior of users to be influenced by
the way messages are framed (LaRose et al., 2008). Table 2.2 provides a summary of the
literature on message framing.

Table 2.2. Summary of Literature Review on Message Framing

Reference
Description
Theory
Aaker & Lee (2001), Shiv
et al. (2004)
Impact of positively
expressed vs. negatively
expressed messages on
users’ decision making.
The authors found that
negatively expressed
messages had a significant
impact on people’s
decision making compared
to positively framed
messages.
Prospect Theory
Beebe et al. (2014)
The authors examined the
effect of negative framing
of messages on users and
how users tend to be more
inclined towards pursuing
risks when presented with
a case of financial losses.
Prospect Theory

11
Table 2.2. Summary of Literature Review for Message Framing (cont.)

Reference
Description
Theory
LaRose et al. (2008)
The authors highlight
individuals’ responsibilities
in a message to examine
and optimize the users’
cybersecurity behavior.
The authors found that
users’ cybersecurity
behavioral intentions can
be further swayed by
applying framing in
messages.
Protection Motivation
Theory and Social
Cognitive Theory

Pechmann, et al. (2003)
The authors examined how
antismoking messages in
the wellbeing context could
spur a person when posed
by a risk involving the
harmful effects of
smoking.
Protection Motivation
Theory
Tversky & Kahneman
(1984)
The authors studied the
impact of monetary losses
and gains on users’
behavior and found that
users’ perceived losses
more seriously than gains.
Prospect Theory
Tversky & Kahneman
(1986)
The authors analyzed the
impact of message framing
on individuals’ behavior
and their choices.
Prospect Theory

12
3. THEORETICAL FOUNDATION AND HYPOTHESES

To understand the cybersecurity behavior of users in monetary gain and loss
scenarios, we draw on the Prospect Theory, which is one of the most widely used theories
in economics. Prospect Theory is based on the economic principles of decision making
under uncertainty (Fishburn, 1970; Kahneman & Tversky, 1979).

3.1. THEORETICAL FOUNDATION: PROSPECT THEORY
Prospect Theory provides insights about the decisions people make when they are
under a state of threat or uncertainty, and where they are also aware of the probability of
the outcome (Tversky & Kahneman, 1984). The choices that are made by people are based
on their acumen, and the acumen which people perceive is based on the relative evaluation
of the external factors of the world. Making choices are hard, and can be difficult for users
who are confronted with risks, as it is difficult to predict the outcomes with certainty.
Making choices can be strenuous from a user’s perspective.
The process of decision-making by applying quantified risks as a metric involves
two steps (McDermott, 1991). In the first step, the users assess risks by evaluating the
vulnerabilities and by examining existing and possible hazards. The second step is about
the influence on decision making, caused by the way in which information is presented or
framed (McDermott, 1991).
Prospect theory mainly focuses on the process of decision making and how
confined those decisions are. Decision-making based on prospect theory involves two
phases. In the first phase, people assess the possible levels of risks involved in their given

13
choices based on their reference point (Tversky & Kahneman, 1984). The impact due to
this subjective assessment is known as framing, in which a prospect is subjectively
estimated as either a loss or a gain. This phase involves the organization and reformulation
of all the possible options to simplify the process of evaluation and decision making
(Tversky & Kahneman, 1984). After this phase, which involves the framing of all the
alternatives based on the given conditions, each of the possible alternatives is assessed
based on how they are perceived (either as gains or as losses). The choice with the highest
benefit is then selected by the user. During the second phase, judgements made are loss
aversive, i.e., people are more concerned about losses. The loss averse behavior indicates
that losses are perceived stronger than gains (Verendel, 2009). Prospect theory indicates
that users perceive a loss to be more substantial than a benefit of the same quantity (Tversky
& Kahneman, 1986). Prospect theory also explains loss aversion, which suggests that users
are more likely to react to losses than gains.
Tversky and Kahneman (1986), explain the outcome of people’s decisions based
on gains and losses in a value function. Figure 3.1 depicts the value function with value
on the vertical axis and outcome on the horizontal axis. If we observe from the reference
point (which is the point of origin of the axes), the value function in the loss condition is
different from the value function in the gain condition. The value function for the loss
condition shows a deeper curve, whereas the value function for the gain condition flattens
horizontally at a smaller value.

14

Figure 3.1. Prospect Theory

The value function is represented as a convex function for losses and a concave
function for gains. It shows that people are more likely to seek risks to avoid losses, which
is explained as loss aversion (Tversky & Kahneman, 1984). This loss aversion behavior
indicates that people are more likely to take risks to avoid or minimize losses. The value
function for the gain condition is a concave function, and it becomes parallel to the
horizontal axis (outcome) after a certain value (Tversky & Kahneman, 1986). The value
function for the gain condition shows that it curves at a lower value compared to the value
function for the loss condition. Hence, people tend to be less risk seeking (i.e., more risk
averse) when presented with a condition of receiving a gain than avoiding a loss (Tversky
& Kahneman, 1986).
Tversky and Kahneman (1986) observed that the value function reaches a state of
saturation or a state of diminishing sensitivity after reaching a certain value in the case of
gains and losses as depicted in Figure 3.1. This point of saturation or diminishing
sensitivity in the value function is the flattening of the value function in both the gain and