Are humans rational? When we see computer users do silly things which place themselves or their information at risk, it’s easy to take the view that people are illogical. The problem is that logic can’t be examined separately from perception.
There is significant debate within the psychology literature as to the extent to which humans can be described as rational. Rationality is sometimes described as the ability of individuals to select the “best” option when confronted with a set of choices. The best option is also referred to as the “value maximising” option: the one where the most benefit is obtained for the least expenditure of resources or exposure to risk.
The problem is that people routinely fail to select the “value maximising” option and exhibit apparently illogical behaviour. Commonly, the option mathematically modelled as the best choice by the technical experts isn’t the choice made by information system users when responding to risk. However, humans can be considered rational in so far as they attempt to make the best choice they can in a given situation. Research on passwords has demonstrated that behaviour which initially appears irrational, such as writing passwords down, becomes logical and therefore predictable once the constraints on the user are understood (Adams 1999).
Herbert Simon, an American psychologist, proposed the concept of Bounded Rationality to explain why apparently logical people can make seemingly irrational decisions (as perceived by an independent, objective observer). It identifies a set of limitations on people’s ability to make optimal decisions:
- That individuals make decisions based on their existing beliefs and attitudes. This is an important factor in explaining apparently illogical behaviour. Every individual approaching a decision brings a set of experiences, in the form of beliefs and attitudes, which frame their perception of the issue. Since every individual has a unique set of experiences, there will be an infinite range of beliefs and attitudes. Some will be helpful to information security risk management and others will be a hindrance.
- That individuals make decisions based on the limitations of their own actual and perceived cognitive ability. This helps explain why individuals may not even attempt a task if they perceive it to be beyond their ability to complete. This may be particularly relevant when an individual is confronted with technological complexity or a poor user interface.
- That individuals make decisions under time and resource constraints, and in the light of other tasks and objectives. Experimental settings are different from many of the “real life” decisions that individuals face. Competing stimuli and time pressure in a real world scenario make it more likely that individuals will rely on “rules of thumb” or heuristics when making decisions. While rules of thumb and heuristics are helpful and usually produce a reasonable outcome for the individual, they are unlikely to achieve an optimal one.
- That individuals learn to be content with a satisfactory outcome rather than an “optimal” one. “Satisficing”, a term combining satisfactory and suffice, was proposed to explain why individuals are content with sub-optimal decisions. Simon demonstrated that in many situations there was more information than an individual could realistically process in any meaningful way, and that this constraint leads to a search for satisfactory solutions rather than optimal ones.
Bounded rationality has important implications for information security. In any risk communication situation it is important to consider the limitations of the audience. Since every audience is unique, every audience’s limitations will be different; bounded rationality offers a way to recognise and predict the likely limitations of an audience so that the effectiveness of communications can be improved.
When computer users exhibit apparently illogical behaviour, that behaviour is only illogical to the observer, given what the observer knows or perceives. To the computer user, their behaviour is logical given their perceptions. Maybe their understanding is that completing a task quickly is more important than being safe? Maybe they hold an incorrect belief about the nature of the threats or the value of their information? You’ll have to ask them to find out…