Steffi Haag,Mikko Siponen,Fufan Liu

DOI: https://doi.org/10.1145/3462766.3462770

2021-04-26

Abstract:Protection motivation theory (PMT) is one of the most commonly used theories to examine information security behaviors. Our systematic review of the application of PMT in information systems (IS) security and the comparison with its application for decades in psychology identified five categories of important issues that have not yet been examined in IS security research. Discussing these issues in terms of why they are relevant and important for IS security, and to what extent IS research has not considered them, offers new research opportunities associated with the study of PMT and IS security threats. We suggest how future studies can approach each of the open issues to provide a new road map for quantitative and qualitative IS scholars.

Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Paul Benjamin Lowry,Gregory D. Moody,Srikanth Parameswaran,Nicholas James Brown

DOI: https://doi.org/10.1080/07421222.2023.2267318

IF: 7.582

2023-12-12

Journal of Management Information Systems

Abstract:Most of the information security management research involving fear appeals is guided by either protection motivation theory or the extended parallel processing model . Over time, extant research has extended these theories, as well as their derivative theories, in a variety of ways, leading to several theoretical and empirical inconsistencies. The large body of fragmented, and sometimes conflicting, research has muddied the broader understanding of what drives protection- and defensive motivation. We provide guidance to the security discourse by offering the first study in the literature to employ two-stage meta-analytic structural equation modeling (TSSEM), which combines covariance-based structural equation modeling and meta-analysis. Information systems (IS) researchers have traditionally used meta-analysis for structural equation modeling for such purposes—an approach that has several serious statistical flaws. Using 341 systematically selected empirical security articles (representing 383 unique studies) and TSSEM, we pool a large series of five datasets to test six models, from which we examine the effects of constructs and paths in the security fear-appeals literature. We compare and test six versions of models inspired by issues in the broader fear-appeals literature. We confirm the importance of both the threat- and coping-appraisal processes; establish the central role of fear and that it has greater importance than threat; show that efficacy is a stronger predictor of protection motivation than is threat; demonstrate that response costs as currently measured are ineffective but that maladaptive rewards have a strong negative effect on protection motivation and a positive effect on defensive motivation; and provide evidence that dual models of danger control and fear control should be used.

information science & library science,management,computer science, information systems

Wenqin Li,Rongmin Liu,Linhui Sun,Zigu Guo,Jie Gao

DOI: https://doi.org/10.3390/ijerph192316038

IF: 4.614

2022-12-01

International Journal of Environmental Research and Public Health

Abstract:Employee security compliance behavior has become an important safeguard to protect the security of corporate information assets. Focusing on human factors, this paper discusses how to regulate and guide employees' compliance with information security systems through effective methods. Based on protection motivation theory (PMT), a model of employees' intention to comply with the information security system was constructed. A questionnaire survey was adopted to obtain 224 valid data points, and SPSS 26.0 was applied to verify the hypotheses underlying the research model. Then, based on the results of a regression analysis, fuzzy set qualitative comparative analysis (fsQCA) was used to explore the conditional configurations that affect employees' intention to comply with the information security system from a holistic perspective. The empirical results demonstrated that perceived severity, perceived vulnerability, response efficacy, and self-efficacy all positively influenced the employees' intention to comply with the information security system; while rewards and response costs had a negative effect. Threat appraisal had a greater effect on employees' intention to comply with the information security system compared to response appraisal. The fsQCA results showed that individual antecedent conditions are not necessary to influence employees' intention to comply with an information security system. Seven pathways exist that influence an employees' intention to comply with an information security system, with reward, self-efficacy, and response cost being the core conditions having the highest probability of occurring in each configuration of pathways, and with perceived severity and self-efficacy appearing in the core conditions of configurations with an original coverage greater than 40%. Theoretically, this study discusses the influence of the elements of PMT on employees' intention to comply with an information security system, reveals the mechanism of influence of the combination of the influencing factors on the outcome variables, and identifies the core factors and auxiliary factors in the condition configurations, providing a new broader perspective for the study of information security compliance behavior and providing some theoretical support for strengthening enterprise security management. Practically, targeted suggestions are proposed based on the research results, to increase the intention of enterprise employees to comply with information security systems, thereby improving the effectiveness of enterprise information security management and the degree of information security in enterprises.

public, environmental & occupational health,environmental sciences

Xiaofeng Chen,Liqiang Chen,Dazhong Wu

DOI: https://doi.org/10.1080/08874417.2016.1258679

2016-12-27

Journal of Computer Information Systems

Abstract:Information security policy (ISP) plays an important role in information security management in organizations. Past research investigated various factors that may impact employee behavior toward security policy compliance from the perspective of general deterrence theory (GDT), protection and motivation Theory (PMT), and rational choice theory (RCT). However, there is no unifying foundation/framework that examines all of those factors in a harmonic way so that the research findings can guide information security practices and research into the employee ISP compliance management context. Additionally, prior findings provided mixed results. This study proposes a research model based on the awareness-motivation-capability (AMC) framework, aiming to unify the factors to predict employee ISP compliance intention. We believe that a harmonic approach in managing employee ISP compliance can create optimal outcomes.

computer science, information systems

Jonas Hielscher,Simon Parkin

2024-04-29

Abstract:Security awareness campaigns in organizations now collectively cost billions of dollars annually. There is increasing focus on ensuring certain security behaviors among employees. On the surface, this would imply a user-centered view of security in organizations. Despite this, the basis of what security awareness managers do and what decides this are unclear. We conducted n=15 semi-structured interviews with full-time security awareness managers, with experience across various national and international companies in European countries, with thousands of employees. Through thematic analysis, we identify that success in awareness management is fragile while having the potential to improve; there are a range of restrictions, and mismatched drivers and goals for security awareness, affecting how it is structured, delivered, measured, and improved. We find that security awareness as a practice is underspecified, and split between messaging around secure behaviors and connecting to employees, with a lack of recognition for the measures that awareness managers regard as important. We discuss ways forward, including alternative indicators of success, and security usability advocacy for employees.

Cryptography and Security

Hwee‐Joo Kam,Dustin K. Ormond,Philip Menard,Robert E. Crossler

DOI: https://doi.org/10.1111/isj.12374

IF: 7.767

2021-12-30

Information Systems Journal

Abstract:Abstract With government and industry experiencing a critical shortage of trained cybersecurity professionals, organisations are spearheading various training programs to cultivate cybersecurity skills. With more people working from home and the existing cybersecurity staff shortages, cybercriminals are increasingly exploiting new and existing vulnerabilities by launching ubiquitous cyberattacks. This study focuses on how to close the gap in cybersecurity skills through interest cultivation and self‐determined motivation. Our study shows that situational interest (SI) in cybersecurity along with situational motivational determinants (i.e., perceived learning autonomy and perceived relatedness) engendered self‐determined motivation toward cybersecurity training. Consequently, self‐determined motivation facilitated actual learning behaviour. Meanwhile, individual interest in cybersecurity created positive moderating effects in the relationships between self‐determination and its key antecedents (i.e., perceived relatedness and situational interest). Based on these findings, we provide research implications accordingly.

information science & library science

Boon-Yuen Ng,Atreyi Kankanhalli,Yunjie (Calvin) Xu

DOI: https://doi.org/10.1016/j.dss.2008.11.010

IF: 6.969

2009-01-01

Decision Support Systems

Abstract:The damage due to computer security incidents is motivating organizations to adopt protective mechanisms. While technological controls are necessary, computer security also depends on individual's security behavior. It is thus important to investigate what influences a user to practice computer security. This study uses the Health Belief Model, adapted from the healthcare literature, to study users' computer security behavior. The model was validated using survey data from 134 employees. Results show that perceived susceptibility, perceived benefits, and self-efficacy are determinants of email related security behavior. Perceived severity moderates the effects of perceived benefits, general security orientation, cues to action, and self-efficacy on security behavior.

Yixin Zou,Khue Le,Peter Mayer,Alessandro Acquisti,Adam J. Aviv,Florian Schaub

2024-05-24

Abstract:We draw on the Protection Motivation Theory (PMT) to design nudges that encourage users to change breached passwords. Our online experiment ($n$=$1,386$) compared the effectiveness of a threat appeal (highlighting negative consequences of breached passwords) and a coping appeal (providing instructions on how to change the breached password) in a 2x2 factorial design. Compared to the control condition, participants receiving the threat appeal were more likely to intend to change their passwords, and participants receiving both appeals were more likely to end up changing their passwords; both comparisons have a small effect size. Participants' password change behaviors are further associated with other factors such as their security attitudes (SA-6) and time passed since the breach, suggesting that PMT-based nudges are useful but insufficient to fully motivate users to change their passwords. Our study contributes to PMT's application in security research and provides concrete design implications for improving compromised credential notifications.

Cryptography and Security,Human-Computer Interaction

Varun Shiri,Maggie Xiong,Jinghui Cheng,Jin L.C. Guo

DOI: https://doi.org/10.1145/3643834.3661544

2024-05-07

Abstract:In modern technology environments, raising users' privacy awareness is crucial. Existing efforts largely focused on privacy policy presentation and failed to systematically address a radical challenge of user motivation for initiating privacy awareness. Leveraging the Protection Motivation Theory (PMT), we proposed design ideas and categories dedicated to motivating users to engage with privacy-related information. Using these design ideas, we created a conceptual prototype, enhancing the current App Store product page. Results from an online experiment and follow-up interviews showed that our design effectively motivated participants to attend to privacy issues, raising both the threat appraisal and coping appraisal, two main factors in PMT. Our work indicated that effective design should consider combining PMT components, calibrating information content, and integrating other design elements, such as visual cues and user familiarity. Overall, our study contributes valuable design considerations driven by the PMT to amplify the motivational aspect of privacy communication.

Human-Computer Interaction

Ding-Long Huang,Pei-Luen Patrick Rau,Gavriel Salvendy,Fei Gao,Jia Zhou

DOI: https://doi.org/10.1016/j.ijhcs.2011.07.007

IF: 4.866

2011-01-01

International Journal of Human-Computer Studies

Abstract:The gap between the perceived security of an information system and its real security level can influence people' decisions and behavior. The objective of this study is to find effective ways to adjust people's perception of information security, in order to enhance their intention to adopt IT appliances and compliance to security practices. Two separate experiments were conducted. In experiment I, 64 participants were asked to transfer money through an e-banking system. Their intention to adopt e-banking was measured by a questionnaire. In experiment II, 64 participants were asked to register on an online forum. Their subjective intention to create a strong password was measured by a questionnaire, and the objective strength of the passwords they created was calculated. Results of the ANOVA and the path models derived from the path analysis indicated that people's adoption intention, such as their intention to adopt e-banking, can be enhanced by changing their perceived Knowledge, Controllability and Awareness, while changing the perceived Controllability is most effective. The results also indicated that people's compliance to security practices, such as setting strong passwords for IT systems, can be enhanced by changing their perceived Knowledge, Severity and Possibility, while changing their perceived Knowledge and Severity is most effective. Implications for further research and practice were also discussed.

Ashraf Mady,Saurabh Gupta,Merrill Warkentin

DOI: https://doi.org/10.1111/isj.12424

IF: 7.767

2023-01-11

Information Systems Journal

Abstract:Organisations implement a variety of knowledge mechanisms such as information security education, training and awareness (SETA) programs and information security policies, to influence employees' secure behaviour. Despite increased efforts to provide information systems (IS) security knowledge to employees, data breaches and other security incidents resulting from insider behaviour continue. Recent IS security research, primarily grounded on assumptions of employees' rational assessment of numerous factors, has yielded inconsistent results. Challenging this paradigm, we model secure behaviour on security knowledge mechanisms, which focuses on the multidimensional nature of security knowledge breadth, depth and finesse to represent the full array of managerial levers. We further draw on construal level theory to conceptualise users' perceptual judgements of security messages. Two studies support our model, with the second building on the first. Study 1, an experiment with 312 participants, focused on validating the treatments. Study 2, a survey with 219 participants, validated the entire model. Results showed that our model has significantly more explanatory and predictive power than the orthodox paradigm. Our results have practical implications for optimising the organisation of knowledge mechanisms by emphasising the personal relevance of threats and defining the factors that lead to secure behaviour. We also contribute to the discourse on information security research and provide a template for integrating theories, thus opening new avenues for future research.

information science & library science

Jan Boehmer,Robert LaRose,Nora Rifon,Saleem Alhabash,Shelia Cotten

DOI: https://doi.org/10.1080/0144929x.2015.1028448

2015-04-13

Behaviour and Information Technology

Abstract:How can young adults be motivated to enact security precautions? Communication about the risks of Internet use or online safety communication is a context in which personal responsibility is especially salient. The present research builds on Protection Motivation Theory (PMT) to examine the role of a previously unexplored variable, personal responsibility, in the protective behaviour of college students. Two studies are reported here. In the first (N = 565), the relationship of personal responsibility to safe (i.e. protective) online behaviour is tested in relationship to standard PMT variables. A multiple regression analysis of survey data shows that personal responsibility explained additional variance in protective behaviour after accounting for the effects of traditional threat and coping appraisal variables. Building on this, the second study (N = 206) examines the possibility of influencing personal responsibility through an intervention and experimental manipulation among college students. The experimental manipulation of personal responsibility found evidence of a causal relationship between personal responsibility and protective behaviour in the college student sample. Interactions with pre-existing levels of safety involvement and self-efficacy were uncovered. Based on the results, strategies for targeted online safety interventions are suggested.

ergonomics,computer science, cybernetics

Andreas Skalkos,Aggeliki Tsohou,Maria Karyda,Spyros Kokolakis

DOI: https://doi.org/10.1108/ics-08-2022-0142

2023-11-30

Information and Computer Security

Abstract:Purpose Search engines, the most popular online services, are associated with several concerns. Users are concerned about the unauthorized processing of their personal data, as well as about search engines keeping track of their search preferences. Various search engines have been introduced to address these concerns, claiming that they protect users' privacy. The authors call these search engines privacy-preserving search engines (PPSEs). This paper aims to investigate the factors that motivate search engine users to use PPSEs. Design/methodology/approach This study adopted protection motivation theory (PMT) and associated its constructs with subjective norms to build a comprehensive research model. The authors tested the research model using survey data from 830 search engine users worldwide. Findings The results confirm the interpretive power of PMT in privacy-related decision-making and show that users are more inclined to take protective measures when they consider that data abuse is a more severe risk and that they are more vulnerable to data abuse. Furthermore, the results highlight the importance of subjective norms in predicting and determining PPSE use. Because subjective norms refer to perceived social influences from important others to engage or refrain from protective behavior, the authors reveal that the recommendation from people that users consider important motivates them to take protective measures and use PPSE. Research limitations/implications Despite its interesting results, this research also has some limitations. First, because the survey was conducted online, the study environment was less controlled. Participants may have been disrupted or affected, for example, by the presence of others or background noise during the session. Second, some of the survey items could possibly be misinterpreted by the respondents in the study questionnaire, as they did not have access to clarifications that a researcher could possibly provide. Third, another limitation refers to the use of the Amazon Turk tool. According Paolacci and Chandler (2014) in comparison to the US population, the MTurk workers are more educated, younger and less religiously and politically diverse. Fourth, another limitation of this study could be that Actual Use of PPSE is self-reported by the participants. This could cause bias because it is argued that internet users' statements may be in contrast with their actions in real life or in an experimental scenario (Berendt et al., 2005, Jensen et al., 2005); Moreover, some limitations of this study emerge from the use of PMT as the background theory of the study. PMT identifies the main factors that affect protection motivation, but other environmental and cognitive factors can also have a significant role in determining the way an individual's attitude is formed. As Rogers (1975) argued, PMT as proposed does not attempt to specify all of the possible factors in a fear appeal that may affect persuasion, but rather a systematic exposition of a limited set of components and cognitive mediational processes that may account for a significant portion of the variance in acceptance by users. In addition, as Tanner et al. (1991) argue, the 'PMT's assumption that the subjects have not already developed a coping mechanism is one of its limitations. Finally, another limitation is that the sample does not include users from China, which is the second most populated country. Unfortunately, DuckDuckGo has been blocked in China, so it has not been feasible to include users from China in this study. Practical implications The proposed model and, specifically, the subjective norms construct proved to be successful in predicting PPSE use. This study demonstrates the need for PPSE to exhibit and advertise the technology and measures they use to protect users' privacy. This will contribute to the effort to persuade internet users to use these tools. Social implications This study sought to explore the privacy attitudes of search engine users using PMT and its constructs' association with subjective norms. It used the PMT to elucidate users' perceptions that motivate them to privacy adoption behavior, as well as how these perceptions influence the type of search engine they use. This research is a first step toward gaining a better understanding of the processes that drive people's motivation to, or not to, protect their privacy online by means of using PPSE. At the same time, this study contributes to search engine vendors by revealing that users' need to be persuaded not only about their policy toward privacy but also by considering and implementing new strategies of diffusion that could enhance the use of the PPSE. Originality/value This research is a first step toward gaining a better understanding of the processes that drive people's motivation to, or not to, protect their privacy online -Abstract Truncated-

Mansour Naser Alraja,Usman Javed Butt,Maysam Abbod

DOI: https://doi.org/10.1016/j.cose.2023.103208

IF: 5.105

2023-06-01

Computers & Security

Abstract:Information security threats have a severe negative impact on enterprises. Organizations rely on employee compliance with information security policies to eliminate or reduce these hazards. The Unified Model of Information Security Policies Compliance (UMISPC) is employed to identify the factors that may affect employees' intention towards compliance with information systems security policy and reactance in a global setting. The study was assessed in two phases. The model's validity and measurement reliability were evaluated in the first phase, while in the second phase, all preliminary model relationships were appraised. This was achieved utilizing structural equation modelling to establish whether the proposed constructs, i.e. neutralization, response efficacy, fear, threat, habit and role values were good predictors for intention or reactance towards compliance with information systems security policy. Participants included 348 employees from 7 nations, i.e. the USA, the UK, Oman, India, Pakistan, Malaysia, and the Philippines. SmartPLS v. 3.3.9 was used for data analysis. The models' measurement reliability and validity were affirmed. Fear and role values have a significant influence on intention toward ISPC. RE significantly predicted threat which in turn significantly predicted fear, and the latter demonstrated a significant effect on reactance as well as Neutralization predicted reactance. In contrast, habit failed to reach a significant influence on intention towards ISPC. The implications are presented, together with proposals for further studies. Our findings are helpful for ISS literature and application by supporting the crucial functions of role values in encouraging employees to behave in a compliant manner. Additionally, it is regarded as the first empirical attempt to estimate intended compliance concerning ISPs in higher education from a worldwide viewpoint.

computer science, information systems

Nader Sohrabi Safa,Carsten Maple,Steve Furnell,Muhammad Ajmal Azad,Charith Perera,Mohammad Dabbagh,Mehdi Sookhak

DOI: https://doi.org/10.1016/j.future.2019.03.024

IF: 7.307

2019-08-01

Future Generation Computer Systems

Abstract:Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a significant portion of the threats to information assets in organisations. This research presents a novel conceptual framework to mitigate the risk of insiders using deterrence and prevention approaches. Deterrence factors discourage employees from engaging in information security misbehaviour in organisations, and situational crime prevention factors encourage them to prevent information security misconduct. Our findings show that perceived sanctions certainty and severity significantly influence individuals’ attitudes and deter them from information security misconduct. In addition, the output revealed that increasing the effort, risk and reducing the reward (benefits of crime) influence the employees’ attitudes towards prevent information security misbehaviour. However, removing excuses and reducing provocations do not significantly influence individuals’ attitudes towards prevent information security misconduct. Finally, the output of the data analysis also showed that subjective norms, perceived behavioural control and attitude influence individuals’ intentions, and, ultimately, their behaviour towards avoiding information security misbehaviour.

Simon Trang,Benedikt Brendel

DOI: https://doi.org/10.1007/s10796-019-09956-4

2019-10-25

Information Systems Frontiers

Abstract:Enforcing information security policies is a key concern of information security managers. To deter employees from deviant behavior, organizations often implement sanction mechanisms. However, evidence from research regarding the efficiency of such a deterrence approach has been mixed. Drawing on this inconsistency, this paper examines the applicability of deterrence theory in information security policy compliance research. It is argued that contextual and methodological moderators play a crucial role when conceptualizing deterrence theory in security studies. Applying a meta-analysis, the results suggest that sanctions have an overall effect on deviant behavior. However, the results also indicate that this relationship is dependent on the study's context. Deterrence theory better predicts deviant behavior in malicious contexts, cultures with a high degree of power distance, and cultures with a high uncertainty avoidance. The meta-analysis also reveals no meaningful differences arising from the methodological context in terms of scenario-based and behavior-specific measurement.

Chi-Hoon Song,Ji-Hwan Lee,Taewoo Roh

DOI: https://doi.org/10.1080/10447318.2024.2327219

IF: 4.92

2024-03-19

International Journal of Human-Computer Interaction

Abstract:Cloud computing is spreading rapidly, but little research has been conducted to understand the effects of the protective perspective on acceptance by individuals. The goal of this study was to explore the impact of protective behavior on individuals' adoption of cloud computing. Specifically, the study will concentrate on personal cloud storage service (CSS), widely recognized as a protective technology. Our theoretical framework endeavored to combine protection motivation theory with the extended unified theory of acceptance and use of technology and focused on the effect of threat in the context of CSS. This study tested two proposed models (Model A, Model B) by structural equation modeling using data from 392 individuals. Data were collected for people in voluntary CSS-usage settings through an online survey. Model A and model B explained 61.0% and 60.4% of the variance in the behavioral intention to accept CSS, respectively. Results showed that CSS adoption is a protective measure against data loss and identified that threat influence CSS adoption. Threat elements directly do not influence behavioral intention to adopt CSS. Threat elements mostly acted as antecedents of independent variables; perceived severity and perceived vulnerability directly influenced technology attributes (performance expectancy, effort expectancy), and showed slightly different results in contextual attributes (facilitating conditions, social influence) and consumer attributes (hedonic motivation, habits). Our study offers a unique perspective for researchers and professionals in understanding the impact of threat factors on information technology domains where protective technologies are operated. Thus, we recommend that academics and business practitioners in the realm of cloud computing should consider user's protective motivation view of adopting CSS when designing, developing, delivering and spreading it.

computer science, cybernetics,ergonomics

Princely Ifinedo

DOI: https://doi.org/10.1080/08874417.2022.2065553

2022-04-20

Journal of Computer Information Systems

Abstract:Organizations whose employees participate in risky cybersecurity behaviors (RCySecB) could suffer disastrous consequences either directly or indirectly from actions linked to such behaviors. This study used conceptualizations facilitated by Attribution Theory to examine the effects of dispositional factors (self-control and knowledge of IS security threats/risks and their potential consequences) and situational factors (security, education, training, and awareness (SETA) programs and computer monitoring) in reducing employee participation in RCySecB. Data was collected from a survey of working professionals in India, and relevant hypotheses were formulated. The PLS technique was used for data analysis. This study investigated the direct effects of the factors on the dependent construct and analyzed the interacting effects of the constructs as well. The results indicate that all factors reduce employee participation in RCySecB. However, the joint effects of the situational factor elements and the dispositional factor of personal knowledge security threats/risks and their potential consequences were insignificant in the model.

computer science, information systems

B. Phillps,D. Kim,Young U. Ryu

DOI: https://doi.org/10.1109/NCS.2018.00014

2018-06-01

Abstract:Information risk is an increasing concern for researchers and practitioners. By utilizing Technology Threat Avoidance and Social Comparison Theory, we examine the role of perceived risk, perceived risk controllability and self-efficacy secure intention. Findings indicate that users optimistically biased in their risk perceptions and controllability compared with their social counterparts.

Psychology,Computer Science