The Peltzman Effect and Cybersecurity

Author: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, MCA
Date Published: 9 June 2021

The COVID-19 vaccination program designed to contain the pandemic is progressing rapidly across the globe. As the number of people who are vaccinated increases, experts have raised concerns about the Peltzman effect, wondering if people will feel more secure and engage in risky behaviors by not taking basic pandemic safety precautions, such as wearing a mask or washing hands.

The Peltzman effect, named after Sam Peltzman, who studied the consequences of mandating seatbelt use in automobiles, states that people are more likely to engage in risky behavior once safety measures have been mandated. According to Peltzman, introducing safety devices will not reduce the number of accidents, although the devices did reduce the fatality rate.

Do organizations also demonstrate the behavior theorized by Peltzman? Or, to rephrase, are organizations that have implemented strong, state-of-the-art security tools still likely to suffer cyberattacks because of the risky behavior of their users? It should be understood that an organization is nothing but the group of people who are associated with, and working for, it. This group may consist of individuals from different cultures, and some individuals might accept more risk knowing that the organization has put protective, state-of-the-art technologies in place. Such technologies include:

  • Spam filters
  • Antivirus software
  • Antispyware software
  • Firewalls
  • Security information and event management (SIEM)
  • Data loss/leak prevention (DLP)
  • Automated data backups

However, as Peltzman argues, these secure technologies may induce individuals to exhibit risky behavior which, in turn, could leave organizations more vulnerable to information security threats.

The Peltzman effect increases users’ insecure behavior, which must be controlled within the organization. Two related theories, risk compensation and risk homeostasis, help to explain and control this behavior.

Risk compensation theory states that people behave in response to the level of risk they perceive. They will be more careful when they face a greater risk and less careful if they feel secure.

Risk homeostasis suggests that people always compare the costs and benefits of secure behavior with those of riskier behavior and decide what to do based on the level of risk they perceive. There are 4 components of risk homeostasis:

  1. Expected benefits of risky behavior–Time saved in performing business operations, freedom from documentation, reduced latency, faster response
  2. Expected costs of risky behavior–Unauthorized access, operational errors delaying completion, data leakage
  3. Expected benefits of secure behavior–Assured completion of processes, fewer operational errors, controlled access, prevention of data breaches
  4. Expected costs of secure behavior–Failed or delayed operations due to error, delayed response or no response, data loss

Risk practitioners and security managers should leverage risk compensation and risk homeostasis to analyze risk and determine the appropriate response, so that the users of controls will avoid risky behavior.

In a paper presented at an International Federation for Information Processing (IFIP) conference in 2012, Merrill Warkentin, Robert E. Crossler and Nirmalee Malimage concluded that “by gaining further understanding of the offsetting behaviours or risk compensatory behaviours of individuals, organizations and individuals can take precautionary measures to prevent the individual and organizational assets from being exposed to security vulnerabilities.”

In simple terms, if organizations wish to avoid the Peltzman effect in information security, they must implement both a risk management framework that will define risk response by considering risk compensation and risk homeostasis theories, and an awareness program that will ensure that users understand the effects of risky behavior.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.