Abstract: At the example of IDSs and manual investigation technology portfolio, the influences of risk preference on selection and configuration of information system security technologies were analyzed through a game model, considering that an organization’s risk preference would influence both of its own strategy and the opponent’s strategy. The conclusions of this paper showed us that risk aversion organizations would not always configure more IDSs than risk neutral ones, and the risk preference of organizations even has no direct influences on its selection of single IDS or multi IDSs. Organizations would investigate risk aversion intruders manually more than risk neutral ones when the intruders’ expected revenues were very low while they would investigate risk neutral intruders manually more than risk aversion ones when the intruders’ expected revenues were very high. Besides, intruders would intrude risk neutral organizations more probably when the costs of manual investigation were low while they would intrude risk aversion organizations more likely when the manual investigation costs were high enough.

Key words:  information system security, security technology strategy, manual investigation, configuration, risk preference