Date of Award


Document Type



Edith Cowan University

Degree Name

Bachelor of Information Technology Honours


School of Computer and Information Science


Faculty of Computing, Health and Science

First Supervisor

Sue Kennedy

Second Supervisor

William Huchinson


The scientific rationality used by experts towards risk evaluation is expressed as the product of its likelihood of occurrence with its consequences or impacts (ENISA, 2006a). This directly opposes the subjective nature of risk perception, often appearing as inconsistent if not completely irrational (Byrne, 2003). Risk perception theories are a pathway to explain the subjective nature of risk and a deeper insight into the human's cognitive system. Those theories may help to explain why people see, act and plan for risks in the way that they do, the weaknesses that exist in the human decision mechanisms and their impact on risk perceptions and decisions. By questioning the existence of risk perception in the information security field of study, this research acknowledges those risk perception theories and provides a measure of their influence when rating information security risks. The research measures the existence of risk perception issues by asking a participating sample of people to rate the likelihood of ten information security risks that carried previously measured statistics. In order to archive this, an online survey was designed to capture risk-rating information from an informed sample as well as a measure of their self-assessed information security knowledge. By measuring the gaps between the participants' answers and the known occurrences of those risks, the research highlighted a number of disparities revealing the existence of risk perception divergence. A statistical analysis of the results was performed with the intent of highlighting gaps in the perception of the given risks. This analysis also allowed the research to narrow down the scope of risks that may or may not have been perceived with higher or lower gaps than other risks. Further analysis specifically identified the risks affected by those gaps, their statistical significance, strength and direction. The areas displaying the highest perception gaps resided with risks that were generally rare, new and unfamiliar or were being publicised in the popular media. Finally, this research investigated whether or not the self-assessed respondents' knowledge is a factor influencing people's risk ratings in the online survey and thereby a factor in the way those risks are perceived. A correlation analysis was used to determine the degree of association between the participants' risk ratings and their perceived and self-rated information security knowledge.