Gerald Wilde had a theory called risk homeostasis. This theory hypothesizes that people have a level of acceptable risk. When they perceive that there is less risk, they will take more risky actions to bring them to an acceptable level and when they perceive more risk, they will be more cautious. Information security is very concerned with managing risk and reducing it to an organizationally acceptable level. However, an organization is made up of many people and they may have a different level of acceptable risk than the organization does. If the theory of risk homeostasis is applied to information security, individuals will take riskier actions when the organization implements controls to make them safer or when they perceive the environment to be safer.
This has far-reaching ramifications for those in information security because the perceptions of risk by the individual may differ greatly from the actual risk. Despite awareness of information security breaches in the news and the overwhelming statistics that a data breach is likely, people still have difficulty accepting that a breach could happen to them. It all comes down to perceptions. With Wilde’s theory, if a high risk is perceived then users will be more cautious and that is where the security minded organization wants to be. So the question is, does the risk homeostasis theory hold water and if so, how do organizations manage perceptions in information security?