Decision making in a low probability, high risk setting: The case of computer viruses

Computer viruses pose a real threat to businesses in terms of their potential for wreaking havoc with one of a company’s most valuable resources, its information. The responses of firms to this threat have varied widely from doing almost nothing to greatly enhancing their computer security measures. Most people view the probability of a computer virus attack as very low; however, many also recognize that the risk is very high. This study explores how managers make decisions regarding how to protect the company’s information resource from a computer virus attack. A behavioral model of decision making is presented and tested through an empirical study of managers. Four major findings include (1) awareness of the computer virus problem in general is most influenced by experience with a computer virus attack (either in one’s company or in a friend’s firm) and by attendance at a conference concerning computer viruses; (2) awareness of protective options varies according to position of the individual within the firm; (3) awareness of curative measures that have been implemented within the firm is relatively low for managers; and (4) a major influence on the decision to take protective action comes from colleagues, supervisors and friends. Policy implications are discussed regarding what steps should be taken based on these results to help businesses protect themselves from the extensive damage that could result from a computer virus attack.