Risk Compensation in Information Security

Abstract

This thesis looks into the concept of risk compensation in information security. An understanding of risk compensation theory is provided along with an analysis of what elements to consider when looking at risk compensation in security cases. The research methods used for this project are literature study and a survey is conducted. The goal of the survey is to obtain information about people's internet habits and get an understanding of how they react to online risk. Some statistical calculations have been conducted on the survey answers in order to support the analysis of the results.\noindentA literature study has been included in order to provide an understanding of definitions and terms used in this report. In addition a literature study and analysis of three surveys mapping the threat situation in the business community is included.The results from this study show that risk compensation in information security is a complex area. It is difficult to determine the whether risk compensation applies because there are many of additional factors that have to be taken into account e.g. that new security threats emerge all the time making it necessary to adopt new security measures in order to prevent a decrease of the security level. However, the conclusion is that some degree of risk compensation occurs in information security.