Information security professionals are often frustrated when their concerns regarding vulnerabilities and associated threats appear to be ignored by the company’s executives. I already discussed 6 reasons why business managers ignore IT security risk recommendations. I’d like to add a few more to the list, based on recent research into the links between power, prestige and decision-making.
High-Status Individuals Are More Trusting
In one study, Lount and Pettit researched how a person’s social status might influence the extent to which that person trusts others. In one of their experiments “participants were primed to experience either high or low status and then given the opportunity to send money in a trust game.” In this context, high status might be associated with the prestige of being a business executive, while the other extreme, low status, might be associated with an entry-level mail room clerk.
The participants who were assigned a high status were more trusting when sending money, hoping that the recipient would return the funds. Low-status individuals were more cautious. The researchers concluded from this and related experiments that “having status alters how we perceive others’ intentions,” leading us to believe “that others have positive intentions toward us.” They also pointed out that:
“The possession of status can fundamentally alter our expectations of people’s motives toward us, and in turn, influence our initial trust in others.”
People with prestigious positions, such as executive managers, might be more trusting of others and, therefore, might be willing to accept more risks.
Power Leads to Overconfidence
In another study, Fast, Sivanathan, Mayer and Galinsky explored the links between an individual’s perception of power and self-confidence. Their research found that people who believed themselves to be powerful experienced more certainty in the accuracy of their beliefs and opinions. They confirmed that “power increases overconfidence in the accuracy of one’s thoughts and beliefs.” This matters in organizations because many “high-impact decisions are based on perceived precision of relevant knowledge.”
The effect of this phenomenon is magnified because not only does the subjective sense of power cause people to become overconfident in their knowledge, but “overconfident people tend to acquire roles that afford power.”
Prestige, Power And Decisions About Risk
My perspective on these findings through the lens of information security and related risks is as follows:
- Executive managers experience a sense of power and prestige associated with their decision-making abilities and responsibilities.
- Such individuals might be inclined to make risk decisions while being overly confident in the accuracy of their understanding of the issues.
- Such individuals are also likely to be more trusting than people whose positions aren’t as prestigious.
- The result is that executives might accept risks from a perspective that is too trusting or without spending enough effort to understand the issues.
So, there you have it: a few more reasons why executives are more prone to accept risks, in addition to the 6 explanations I offered earlier. You might also like to know that choice fatigue contributes to the willingness to accept risks and that sleep deprivation contributes to risk-taking behavior. We just cannot help it—it’s in our nature.