Domain-Specific Risk Perception in IT Security Decisions: Empirical Examination of the Modified Domain-Specific Risk-Taking (DOSPERT) Framework

Abstract

The aim of this paper is to examine the applicability of a modified version of the Domain-Specific Risk-Taking (DOSPERT) questionnaire for measuring risk-taking decisions related to IT security. Based on a domain-specific decision theory approach, the research analyzes the internal structure of decisions related to information and communication technologies (ICT), with a particular focus on the role of perceived benefits, perceived risks, and the probability of action. The empirical study was conducted with 772 university students using a self-reported questionnaire. The results show that IT security risk-taking is primarily explained by perceived benefits, while the role of perceived risk and probability of action becomes secondary in a multivariate model. Based on psychometric analyses, the inclusion of the ICT-specific domain is theoretically justified in the DOSPERT framework, but further refinement of the measurement tool is warranted to more accurately capture the specificities of IT security decisions. The study contributes to the intersection of behavioral decision theory and information systems research by focusing on theoretical and methodological issues in the measurement of risk decisions.