Computer security and risky computing practices: A rational choice perspective

Kregg Aytes, Terry Connolly

Research output: Contribution to journal, Article, peer-review

100 Scopus citations


Despite rapid technological advances in computer hardware and software, insecure behavior by individual computer users continues to be a significant source of direct cost and productivity loss. Why do individuals, many of whom are aware of the possible grave consequences of low-level insecure behaviors such as failure to back up work and disclosing passwords, continue to engage in unsafe computing practices? In this article we propose a conceptual model of this behavior as the outcome of a boundedly-rational choice process. We explore this model in a survey of undergraduate students (N = 167) at two large public universities. We asked about the frequency with which they engaged in five commonplace but unsafe computing practices, and probed their decision processes with regard to these practices. Although our respondents saw themselves as knowledgeable, competent users, and were broadly aware that serious consequences were quite likely to result, they reported frequent unsafe computing behaviors. We discuss the implications of these findings both for further research on risky computing practices and for training and enforcement policies that will be needed in the organizations these students will shortly be entering.

Original language: English (US)
Pages (from-to): 22-40
Number of pages: 19
Journal: Journal of Organizational and End User Computing
Issue number: 3
State: Published - 2004
Externally published: Yes


  • Computer security
  • Information assurance
  • Risk management

ASJC Scopus subject areas

  • Human-Computer Interaction
  • Computer Science Applications
  • Strategy and Management

