The purpose of this paper is to discuss and theorise on the appropriateness and potential impact of risk homeostasis in the context of information security.
The discussion is mainly based on a literature survey backed up by illustrative empirical examples.
Risk homeostasis in the context of information security is an under-explored topic. The principles, assumptions and methodology of a risk homeostasis framework offer new insights and knowledge to explain and predict contradictory human behaviour in information security.
The paper shows that explanations for contradictory human behaviour (e.g. the privacy paradox) would gain from considering risk homeostasis as an information security risk management model. The ideas discussed open up the prospect to theorise on risk homeostasis as a framework in information security and should form a basis for further research and practical implementations. On a more practical level, it offers decision makers useful information and new insights that could be advantageous in a strategic security planning process.
This is the first systematic comprehensive review of risk homeostasis in the context of information security behaviour and readers of the paper will find new theories, guidelines and insights on risk homeostasis.
