The Case against Commercial Antivirus Software: Risk Homeostasis and Information Problems in Cybersecurity

New cybersecurity technologies, such as commercial antivirus software (AV), sometimes fail to deliver on their promised benefits. This article develops and tests a revised version of risk homeostasis theory, which suggests that new cybersecurity technologies can sometimes have ill effects on security outcomes in the short run and little-to-no effect over the long run. It tests the preliminary plausibility of four predictions from the revised risk homeostasis theory using new survey data from 1,072 respondents. The estimations suggest the plausible operation of a number of risk homeostasis dynamics: (1) commercial AV users are significantly more likely to self-report a cybersecurity event in the past year than nonusers, even after correcting for potential reverse causality and informational mechanisms; (2) nonusers become somewhat less likely to self-report a cybersecurity event as the perceived riskiness of various e-mail-based behaviors increases, while commercial AV users do not; (3) the negative short-run effect of commercial AV use on cybersecurity outcomes fade over time at a predicted rate of about 7.03 percentage points per year of use; and (4) after five years of use, commercial AV users are statistically indistinguishable from nonusers in terms of their probability of self-reporting a cybersecurity event as perceptions of risky e-mail-based behaviors increase.