CALL US: 216-397-4080  | CLIENT HELP DESK: 216-539-3686

Loss Aversion, endowment effect, and poor security hygiene

Loss Aversion, endowment effect, and poor security hygiene

My wife has the patience and smarts to understand financial investing, various funds, and all the other things that go into managing our retirement funding. She reads constantly about different investing strategies and fund managers – things I have no desire to learn. Occasionally, she will share some nuggets with me and the most recent one struck a cord when it comes to security.

This comes from an article titled “Secrets to self-improvement” in the Spring issue of On Investing from Charles Schwab & Co.

A large body of research has shown that people are far more motivated to avoid a loss than they are to rack up an equally large gain. Behavioral scientists call this loss aversion, and it’s a real bugbear for investors.  In (one) example, researchers found that charging shoppers 5 cents per disposable bag cut their use roughly in half, whereas paying them 5 cents per reusable bag had virtually no effect at all. In other words, the threat of losing a nickel proved more motivating than the prospect of gaining one. Loss aversion can also affect the way we invest. For example, research has shown that we’re far more likely to sell a winning stock than a losing one because we’re eager to realize a gain and reluctant to lock in a loss.

We will come back to this momentarily. A second article I read and found most interesting dealt with a study on the value of legroom in airplane seats and the endowment effect. This effect is generally understood to relate to resources that are supplied as a default. In this case, the right to recline your seat. Questions were asked such as: “How much would you pay to recline your seat on a 6-hour flight?” and “How much would you pay the person in front of you not to recline his seat?”. Two cases were considered; one where reclining was a given, and one where reclining had to be paid for. The results are in the table below.

Notice that depending on the ‘default’ condition the value of reclining is almost exactly opposite in value. One suggestion is that reclining does not induce the same amount of happiness as the unhappiness caused by being reclined upon.

So let’s apply this to the idea of security. Security is not free and it is not convenient. However, having your identity stolen, or your computer locked up by ransomware is not cheap or convenient. (Just ask the city of Atlanta about the $2.6 million they spent). So why is it so difficult to get businesses to spend money on security?  Back in the stone age of ARPANET, security was not even a concern. You knew who was out there. Today we have no idea who is on the internet, other than being sure that there are a LOT of bad guys. Today, the default condition is INSECURE. IoT devices are built with little or no thought to security. Apps flood the market with unsuspected malware slipped in, or design flaws that make the software insecure. Data breaches are common enough and of sufficient magnitude that it takes a monster one to get a headline.

So if the default condition is insecure, why is security so hard to fund? Why don’t businesses spend the money on security awareness training? Implementing good security, and training employees, diverts funds from profit-generating avenues. It is sort of like reasoning: “I can spend $10 here to make $20 or I can spend $10 on security, but what do I get?” The real question should be “How much would I spend not to be shut down for three days due to a ransomware attack”? Or, “How much would I spend to avoid sending a $100,000 wire transfer to a scammer”?

When security funding is not available, the assumption is that the default condition is SECURE, so no funding is needed. In the example from the Charles Schwab article, they found that charging shoppers a nickel for a grocery bag was more effective than paying a nickel every time the shopper used their own bag. Maybe if you look at your business from the position of potential loss, it might make security look attractive. If you have 10 people that can’t do any work for three days, how much does that cost your business? If you send that wire transfer to a scammer, what percentage of your profits for the quarter are lost? Instead of looking at the profit that is not made if security funding is spent, consider what you can lose if you don’t spend it.


Related Posts