Measuring Psychological Variables Of Control In Information Security

For much of the last year, I have been exploring an idea. As of a few weeks ago, I completed a paper based on my explorations. To put it very succinctly, I have long wondered why small businesses do not suffer more security breaches than they do. As a group, they tend to have sloppy operations practices and poor to nonexistent controls. While they are a smaller and less-tempting target, that alone doesn’t seem to explain the lack of problems. One thing that might explain this is the tendency for people at lower risk to compensate for that lower risk by taking larger personal risks. So I decided to study the variables of psychological control within an information security context. The conclusions were somewhat surprising… but that may be due to the limited sample set.

Anyway, if you are interested in Likert scales, psychology or academic analysis of information security, the paper is available here.

If you like, you can just jump down to pages 26-28 and get my conclusions.

I welcome your thoughts.