Factors Influencing Protection Motivation and IS Security Policy Compliance

Mikko Siponen (a), Seppo Pahnila (a) and Adam Mahmood (b)

(a) University of Oulu, Department of Information Processing Science, FINLAND. E-mail: {Mikko.Siponen, Seppo.Pahnila}@oulu.fi
(b) Department of Information and Decision Sciences, University of Texas at El Paso. E-mail: mmahmood@utep.edu
Abstract

The key threat to IS security is constituted by careless employees who do not comply with IS security policies. To ensure that employees comply with organizations' IS security procedures, a number of IS security policy compliance means have been proposed in the past. Prior research has criticized these means as lacking theoretically and empirically grounded principles to ensure that employees comply with IS security policies. This paper advances a new model that explains employees' IS security compliance. In this model, we extend protection motivation theory (PMT) by introducing preceding factors (e.g., visibility and normative beliefs) of the protection motivation process. To test this model, we collected data (N=919) from five companies. The results suggest that the preceding factors have a significant effect on threat appraisal, self-efficacy and response efficacy. Threat appraisal has a significant effect on intention to comply with IS security policies. Intention to comply has a significant effect on actual compliance with IS security policies.
1. Introduction

Most organizations encounter more than one IS security incident within a year [4,10]. The IS security literature suggests that 91% of organizations' own employees frequently fail to adhere to IS security procedures [10], paving the way for IS security incidents to occur [16,3]. To handle this situation, a number of means to ensure that employees comply with IS security policies have been proposed. Researchers have pointed out two serious weaknesses across these existing approaches: first, they are atheoretical and second, they lack empirical evidence on their effectiveness in practice [3,13,16]. There are, however, some exceptions in the literature [3,18,19].

To explain IS security policy compliance, we find PMT useful, theoretically solid, and empirically testable. PMT was originally developed for communicating fear in people. It was later used to motivate people to avoid unhealthy behavior. It is applicable to any attitude change [14]. Recently, PMT has also been applied in the IS field [21]. However, it has not been applied to explain IS security policy compliance in organizations. Also, its preceding factors, like verbal persuasion, have not been studied [15 p. 114]. This paper contributes to the literature in the area by first extending PMT to explain employees' IS security compliance. The extended PMT model is then validated using an empirical study.

The rest of the paper is presented as follows: the second section discusses prior research. The third section presents the research model, while the fourth discusses the data collection. The empirical results of the study are presented in the fifth section. Finally, the implications of the findings for practice and research are outlined in the sixth section.
2. The theoretical model

The research model consists of Protection Motivation Theory [15] and the Theory of Reasoned Action (TRA) [13] (Fig. 1). The protection motivation theory focuses on threat and coping appraisal (cognitive mediating processes). Environmental effects (normative beliefs and visibility) and intrapersonal variables may initiate these components, which may lead to protection motivation. Following TRA [8], this is assumed to lead to intention to comply, which, in turn, is assumed to lead to actual IS security policy compliance.
1-4244-0674-9/06/$20.00 © 2006 IEEE.
Authorized licensed use limited to: Jyvaskylan Yliopisto. Downloaded on November 08,2020 at 19:28:54 UTC from IEEE Xplore. Restrictions apply.
[Figure 1. The research model: the environmental effect (normative beliefs, visibility) initiates the cognitive mediating process (threat appraisal, self-efficacy, response efficacy), which leads to behavioral change in protection motivation (intention to comply, actual compliance with IS security policies); the hypotheses H1-H7 are marked on the paths.]
Threat appraisal consists of perceived vulnerability and perceived severity [15]. The former refers to the conditional probability that a negative event will take place if no measures are taken to counter it [14]. In the context of our study, perceived vulnerability refers to employees' assessment of whether their organization is vulnerable to IS security threats. Perceived severity encompasses the degree of both physical and psychological harm. In our study, it refers to the harm caused by security breaches [21]. We assume that if workers do not realize that they are truly confronted by IS security threats (threat appraisal) and if they don't feel that these threats can cause negative consequences (perceived severity), they will simply not comply with IS security policies.

H1: Threat appraisal affects employees' intention to comply with IS security policies.

Coping appraisal consists of response efficacy, self-efficacy, and response cost [15]. Response efficacy relates to the belief that the coping response is effective [14]. In our study, it means that adherence to IS security policies is an effective mechanism for detecting an IS security threat. Self-efficacy, originally taken from [5], refers to the degree to which one can successfully take the coping response action [15]. In our context, self-efficacy theory suggests that employees' beliefs on whether they can apply and adhere to IS security policies will lead to compliance with these policies. Response costs were not studied in this paper. Therefore, we hypothesize:

H2: Self-efficacy affects employees' intention to comply with IS security policies.

H3: Response efficacy affects employees' intention to comply with IS security policies.

Normative beliefs refer to the normative expectations of colleagues and superiors, which may have a persuasive influence on whether or not an employee will carry out a specific behavior [8]. In this study, we regard normative belief as an environmental factor which initiates the cognitive process (Fig. 1). Environmental information, such as verbal persuasion or the behavior of others, may have an influence on the cognitive process [15]. To be more specific, we suggest that the behavior of managers, IS security staff and peers will have a persuasive effect on employees' IS security policy compliance.

Visibility. In the technology acceptance literature, visibility refers to the degree to which one can see others using the system [12]. In the computer abuse context, it refers to the overall visibility of IS security in an organization which, through different IS security actions (enforcement of IS security policies), reduces computer abuse in organizations [18]. In our study, visibility represents environmental information which has a persuasive effect on the cognitive process. Accordingly, IS security visibility refers to the degree to which one can see not only IS security actions, campaigns, advertisements, and formal or informal information communications in the organization, but also security measures outside the organization via the media [13]. Hence, we hypothesize:

H4, H5, H6: Normative beliefs and visibility affect employees' threat appraisal and coping appraisal processes.

Intention indicates what one plans to do [1], in this case whether one plans to comply with IS security policies. It is suggested that intentions are the most applicable measure of protection motivation [37]. Prior research has shown that intentions are good predictors of actual behavior, in this case adherence to IS security policies. These lead to the following hypothesis:

H7: Employees' intention to comply with IS security policies has a significant impact on actual compliance with IS security policies.
3. Research design

The use of previously validated and tested questions is reported to improve the reliability of constructs and results [17]. Accordingly, we used items that have been tried and tested by previous studies, when available. Normative beliefs are taken from [11], and threat appraisal and coping appraisal are generated from [15]. All the items are measured using a seven-point Likert scale (strongly disagree - strongly agree). Since these measures have not previously been tested in the context of IS security policy compliance, the present research tests these measures in the IS security context in the Finnish culture. Hence, the questions were pilot tested using 15 people. Based on their feedback, the readability of the questions was improved. The data was collected from five Finnish companies. The respondents were asked to fill out a web-based questionnaire. 919 responses were returned.
4. Results

The numbers of males (56.1%) and females (43.9%) are about equally distributed. Most of the respondents are middle-aged, 31.3% representing the age group 31-40 and 30.0% representing the age group 41-50 (Table 1).

Most respondents have long working experience. Over forty-six percent of the respondents (46.7%) have served the company for more than ten years. Quite often selection bias (meaning that the respondents of a study are not relevant representatives of the sample) limits the generalizability of the results [6]. In our study, gender and age groups of the respondents were fairly equally distributed, and they covered a wide geographical area. While these issues are important to minimizing bias [20], the selection bias nevertheless has to be mentioned as a potential limitation in generalizing the results of the present study.

Factor analysis is used to reveal the latent structure of the independent variables. Five independent factors accounted for 63.4% of the total variance (Table 2). Analyses were conducted using the principal component extraction method followed by Varimax rotation. Convergent validity was assessed using Cronbach's alpha, and factor analysis was used to ascertain discriminant validity. All the factor loadings are acceptable. There was no cross-construct loading that exceeded 0.50. Two items were dropped due to high cross loadings. Reliability analysis was used to assess the consistency of the factors. Research suggests that a value above 0.70 for Cronbach's alpha is desirable [9]. Although the Cronbach's alpha value of the factor visibility is not desirable, it is regarded as acceptable.

Table 1. Mean and standard deviation of all variables.

| Variable | Mean | Standard deviation | Min | Max |
|---|---|---|---|---|
| Actual compliance | 6.1562 | 0.98422 | 1.00 | 7.00 |
| Intention to comply | 6.3467 | 0.88287 | 1.00 | 7.00 |
| Threat appraisal | 5.7197 | 0.99238 | 1.00 | 7.00 |
| Response efficacy | 4.7541 | 1.43380 | 1.00 | 7.00 |
| Self-efficacy | 5.8850 | 1.02419 | 1.00 | 7.00 |
| Normative beliefs | 6.2852 | 0.96943 | 1.00 | 7.00 |
| Visibility | 4.5469 | 0.82113 | 1.00 | 7.00 |

Table 1. Descriptive statistics of the respondents.

| Measure | Items | Frequency | Percent |
|---|---|---|---|
| Gender (N=917) | Male | 514 | 56.1 |
| | Female | 403 | 43.9 |
| Age (N=919) | <30 | 135 | 14.7 |
| | 31-40 | 288 | 31.3 |
| | 41-50 | 276 | 30.0 |
| | >50 | 220 | 23.9 |
| Years in service in the existing company (N=670) | <5 | 202 | 30.1 |
| | 5-10 | 155 | 23.1 |
| | >10 | 313 | 46.7 |

Table 2. Factor analysis results.

| Factor | Item | Factor loading | Cronbach's alpha |
|---|---|---|---|
| Threat appraisal | thrappr1 | 0.459 | 0.755 |
| | thrappr2 | 0.565 | |
| | thrappr3 | 0.656 | |
| | thrappr4 | 0.812 | |
| | thrappr5 | 0.797 | |
| | thrappr6 | dropped | |
| Response efficacy | respeffi1 | 0.840 | 0.797 |
| | respeffi2 | 0.864 | |
| | respeffi3 | 0.755 | |
| Self-efficacy | selfeffi1 | 0.882 | 0.834 |
| | selfeffi2 | 0.885 | |
| | selfeffi3 | dropped | |
| Normative beliefs | normbel1 | 0.807 | 0.867 |
| | normbel2 | 0.863 | |
| | normbel3 | 0.783 | |
| | normbel4 | 0.722 | |
| Visibility | visibil1 | 0.728 | 0.607 |
| | visibil2 | 0.695 | |
| | visibil3 | 0.584 | |
| | visibil4 | 0.628 | |
The intercorrelation among the factors was assessed. All the correlation coefficients were less than 0.80, which is normally considered a critical value [3], as a higher correlation coefficient may indicate a multicollinearity problem. Multiple regression analysis was used to find a predictive model that describes the phenomena as comprehensively as possible and estimates the compatibility of the research model and the collected data. Our results suggest that the data fully supported the model, and all the hypotheses were supported (Table 3).

Table 3. Results of the multiple regressions. The first variable of each test is the dependent variable.

| Regression test | R² | F-value | Standardized β coefficient | t-value | Sig. | Hypothesis result |
|---|---|---|---|---|---|---|
| 1. Threat appraisal | 0.161 | 88.092* | | | | |
| Normative beliefs | | | 0.297 | 9.186 | 0.000 | supported |
| Visibility | | | 0.191 | 5.897 | 0.000 | supported |
| 2. Response efficacy | 0.111 | 57.268* | | | | |
| Normative beliefs | | | 0.208 | 6.232 | 0.000 | supported |
| Visibility | | | 0.202 | 6.0669 | 0.000 | supported |
| 3. Self-efficacy | 0.174 | 95.869* | | | | |
| Normative beliefs | | | 0.356 | 11.061 | 0.000 | supported |
| Visibility | | | 0.131 | 4.069 | 0.000 | supported |
| 4. Intention to comply | 0.221 | 86.319* | | | | |
| Threat appraisal | | | 0.253 | 8.065 | 0.000 | supported |
| Response efficacy | | | 0.071 | 2.300 | 0.022 | supported |
| Self-efficacy | | | 0.295 | 9.283 | 0.000 | supported |
| 5. Actual compliance | 0.722 | 2360.713* | | | | |
| Intention to comply | | | 0.850 | 48.587 | 0.000 | supported |

* p = 0.001

The first three models depict the explanatory power of the preceding variables of the PMT process (Table 3). Normative beliefs and visibility explain 16.1 percent (R² = 0.161) of the variance of threat appraisal. Normative beliefs (β=0.297, t-value 9.186, p=0.001) and visibility (β=0.191, t-value 5.897, p=0.001) have a significant direct effect on threat appraisal. Normative beliefs (β=0.297, t-value 9.186, p=0.001) and visibility (β=-0.191, t-value -5.897, p=0.001) also have a significant direct effect on response efficacy. These variables explain 11.1 percent (R² = 0.111) of the variance of the model. The third model explains 17.4 percent of the variance. Normative beliefs and visibility have a significant effect on self-efficacy. Threat appraisal, response efficacy and self-efficacy explain 22.1 percent (R² = 0.221) of the total variance of intention. These variables also have a significant direct impact on intention to comply. Finally, intention to comply with IS security policies explains 72.2 percent (R² = 0.722) of the total variance of actual compliance. The results show that intention has a strong significant impact on actual compliance (β=0.850, t-value 48.587, p=0.001).
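The reliability and regression checks this section reports (Cronbach's alpha against the 0.70 floor, inter-factor correlations against the 0.80 multicollinearity threshold, and R² for the regression chain of Table 3), worked through in plain Python on constructed Likert responses. This is an added example, not the paper's code or data: the six-respondent response matrix, the two-item constructs and all function names are invented for illustration.

```python
"""Reliability and regression checks of the kind reported in Section 4, run on
constructed Likert data. Added illustration, not the paper's code or data: the
responses below are invented; the 0.70 alpha floor and 0.80 correlation
ceiling follow the paper's text."""
from math import sqrt


def mean(xs):
    return sum(xs) / len(xs)


def variance(xs):
    """Sample variance (n - 1 denominator)."""
    m = mean(xs)
    return sum((x - m) ** 2 for x in xs) / (len(xs) - 1)


def cronbach_alpha(items):
    """items: one list of scores per item, all over the same respondents.
    alpha = k/(k-1) * (1 - sum(item variances) / variance(total score))."""
    k = len(items)
    totals = [sum(scores) for scores in zip(*items)]
    return k / (k - 1) * (1 - sum(variance(it) for it in items) / variance(totals))


def pearson(xs, ys):
    """Pearson correlation coefficient between two equally long score lists."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small square system."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def ols(y, predictors):
    """Ordinary least squares with intercept via the normal equations.
    Returns (coefficients, R^2); coefficients[0] is the intercept."""
    n = len(y)
    rows = [[1.0] + [p[i] for p in predictors] for i in range(n)]
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    beta = solve(xtx, xty)
    fitted = [sum(b * x for b, x in zip(beta, r)) for r in rows]
    ss_res = sum((a - f) ** 2 for a, f in zip(y, fitted))
    ss_tot = sum((a - mean(y)) ** 2 for a in y)
    return beta, 1 - ss_res / ss_tot


# Constructed responses: six respondents, two 7-point Likert items per construct.
# Visibility is deliberately built from inconsistent items so that its alpha
# falls below 0.70, mirroring the weakest factor in the paper's Table 2.
RESPONSES = {
    "normative_beliefs": [[6, 7, 5, 4, 7, 6], [6, 6, 5, 4, 7, 7]],
    "visibility":        [[1, 2, 3, 4, 5, 6], [4, 2, 5, 1, 6, 3]],
    "threat_appraisal":  [[5, 6, 4, 3, 7, 6], [5, 7, 4, 3, 6, 6]],
    "intention":         [[6, 7, 5, 4, 7, 6], [6, 7, 5, 4, 7, 7]],
    "actual_compliance": [[6, 7, 5, 4, 7, 6], [6, 7, 5, 5, 7, 6]],
}

# The regression chain of the research model (Table 3, tests 1, 4 and 5).
MODEL = {
    "threat_appraisal": ["normative_beliefs", "visibility"],
    "intention": ["threat_appraisal"],
    "actual_compliance": ["intention"],
}


def scale_scores(items):
    """Average a construct's items per respondent (the scale means of Table 1)."""
    return [mean(scores) for scores in zip(*items)]


def reliability_report(responses=RESPONSES, model=MODEL,
                       alpha_floor=0.70, corr_ceiling=0.80):
    """Apply the paper's three checks: alpha >= 0.70 per construct, predictor
    correlations < 0.80 (multicollinearity), and R^2 of each regression."""
    alphas = {name: cronbach_alpha(items) for name, items in responses.items()}
    scores = {name: scale_scores(items) for name, items in responses.items()}
    collinear, r2 = [], {}
    for dependent, preds in model.items():
        for i, a in enumerate(preds):
            for b in preds[i + 1:]:
                if abs(pearson(scores[a], scores[b])) >= corr_ceiling:
                    collinear.append((a, b))
        _, r2[dependent] = ols(scores[dependent], [scores[p] for p in preds])
    return {"alpha": alphas, "collinear": collinear, "r2": r2,
            "low_alpha": sorted(n for n, a in alphas.items() if a < alpha_floor)}


if __name__ == "__main__":
    for key, value in reliability_report().items():
        print(f"{key}: {value}")
```

On the constructed data only visibility falls below the alpha floor and no predictor pair breaches the 0.80 ceiling, so the report shows what the paper's "acceptable but not desirable" visibility case looks like numerically.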
5. Conclusive discussion

Prior research on IS security compliance has criticized extant IS security policy compliance approaches as not theoretically and empirically grounded. To this end, we extended protection motivation theory to cover preceding factors of the cognitive mediating processes of PMT. This model was empirically tested (N=919). The results suggest that the preceding factors (e.g., visibility and normative beliefs) have a significant effect on threat appraisal, self-efficacy and response efficacy. Threat appraisal, in turn, has a significant effect on intention to comply with IS security policies. Intention to comply with IS security policies, in turn, has a significant effect on actual compliance with IS security policies.

These findings have implications for practice. First, the findings suggest that social pressure within the organization and the employees' awareness of IS security threats have an influence on the cognitive process of PMT. For practitioners, this means that IS security must be advocated in the organization through education and campaigns in a visible manner. External IS security visibility also has an impact on the cognitive process of PMT. Potential sources of external visibility include news or commercials in the media. For practitioners, this means that IS security incidents reported in the media should be made visible to employees and discussed in organizations. The results also suggest that negative social reactions towards IS security policy violations create IS security visibility, which may increase the interest of users in IS security. These findings are supported by [7], who found that social reactions explain illegal activities: the weaker the social reactions to a crime, the easier it is to commit the crime [7 p. 285]. In our study, threat appraisal has a significant effect on intention to comply with IS security policies. This finding stresses the need to emphasize to employees not only that IS security breaches are increasingly becoming more serious for the business of organizations, but also that their severity to the business of the organization is increasing.
6. References

[1] Ajzen, I., "The Theory of Planned Behavior", Organizational Behavior and Human Decision Processes, 50, 2, 1991, 179-211.
[2] Aytes, K. and Connolly, T., "A Research Model for Investigating Human Behavior Related to Computer Security", Proceedings of the 2003 Americas Conference on Information Systems, Tampa, FL, August 4-6, 2003.
[3] Aytes, K. and Connolly, T., "Computer Security and Risky Computing Practices: A Rational Choice Perspective", Journal of Organizational and End User Computing, 16, 2, 2004, 22-40.
[4] Bagchi, K. and Udo, G., "An analysis of the growth of computer and Internet security breaches", Communications of the AIS, 12, 2003, 684-700.
[5] Bandura, A., "Self-Efficacy: Toward a Unifying Theory of Behaviour Change", Psychological Review, 84, 2, 1977, 191-215.
[6] Eysenbach, G. and Wyatt, J., "Using the Internet for Surveys and Health Research", Journal of Medical Internet Research, 4, 2, 2002.
[7] Finney, H.C. and Lesieur, H.R., "A Contingency Theory of Organizational Crime", Research in the Sociology of Organizations, 1, 1992, 255-299.
[8] Fishbein, M. and Ajzen, I., Belief, Attitude, Intention and Behavior: An Introduction to Theory and Research, Addison-Wesley, MA, 1975.
[9] Hair, J.F., Anderson, R.E., Tatham, R.L. and Black, W.C., Multivariate Data Analysis, 5th ed., Prentice Hall, Upper Saddle River, New Jersey, 1998.
[10] Hinde, S., "Security surveys spring crop", Computers & Security, 21, 4, 2002, 310-321.
[11] Karahanna, E., Straub, D.W. and Chervany, N.L., "Information technology adoption across time: A cross-sectional comparison of pre-adoption and post-adoption beliefs", MIS Quarterly, 23, 2, 1999, 183-213.
[12] Moore, G.C. and Benbasat, I., "Development of an Instrument to Measure the Perceptions of Adopting an Information Technology Innovation", Information Systems Research, 2, 3, 1991, 191-222.
[13] Pahnila, S., Siponen, M. and Mahmood, A., "Employees' Behavior towards IS Security Policy Compliance", Proceedings of the 2007 Hawaii International Conference on System Sciences (HICSS 40), Hilton Waikoloa Village, Big Island, HI, USA, January 3-6, 2007.
[14] Rogers, R.W., "Cognitive and Physiological Processes in Fear Appeals and Attitude Change: A Revised Theory of Protection Motivation", in J. Cacioppo and R. Petty (Eds.), Social Psychophysiology, Guilford, New York, 1983.
[15] Rogers, R.W. and Prentice-Dunn, S., "Protection motivation theory", in D.S. Gochman (Ed.), Handbook of Health Behavior Research I: Personal and Social Determinants, Plenum Press, New York, NY, 1997, 113-132.
[16] Siponen, M., "A Conceptual Foundation for Organizational Information Security Awareness", Information Management & Computer Security, 8, 1, 2000, 31-41.
[17] Straub, D.W., "Validating Instruments in MIS Research", MIS Quarterly, 13, 2, 1989, 147-169.
[18] Straub, D.W., "Effective IS Security: An Empirical Study", Information Systems Research, 1, 3, 1990, 255-276.
[19] Straub, D.W. and Welke, R.J., "Coping with Systems Risk: Security Planning Models for Management Decision-Making", MIS Quarterly, 22, 4, 1998, 441-469.
[20] Wyatt, J., "When to Use Web-based Surveys", Journal of the American Medical Informatics Association, 7, 4, 2000, 426-430.
[21] Woon, I.M.Y., Tan, G.W. and Low, R.T., "A Protection Motivation Theory Approach to Home Wireless Security", Proceedings of the Twenty-Sixth International Conference on Information Systems, Las Vegas, 2005, 367-380.
... Our model consists of hypothesized moderating effects of Response Efficacy on the well-established relationships between the Threat associated with fear appeals and both adaptive and maladaptive coping (Boss, et al., 2015;Chenoweth et al., 2009;Gurung et al., 2009;Rippetoe & Rogers, 1987;Siponen et al., 2006). In the context of the following hypotheses, the Threat condition is of an individual having their identity stolen. ...
... Prior research indicates that the coping appraisal is related to Behavioral Intention (Ho et al., 2005;Johnston & Warkentin, 2010;McMath & Prentice-Dunn, 2005;Siponen et al., 2006). This has been confirmed with two different meta-analyses on PMT research: Milne et al. (2000) and Floyd et al. (2000). ...
... In IS survey research based on PMT, Response Efficacy has been associated with intentions to comply with IS security policies (Herath & Rao, 2009;Siponen et al., 2006;Workman et al., 2008), intentions to adopt anti-spyware software (Chenoweth et al., 2009;Gurung et al., 2009;Johnston & Warkentin, 2010;Lee & Larsen, 2009), avoidance of IT threats (Liang & Xue, 2009), and security protection behaviors (Boss, et al., 2015;Lai et al., 2012;Yoon et al., 2012). In this research, we expect that when individuals believe that performing the recommended coping response will be effective in protecting them (Response Efficacy), they are more likely to react to a threat by taking protective action (Behavioral Intention), and less likely to develop Hopelessness. ...
... Previous research combined PMT and GDT to investigate issues in cybersecurity (e.g. Herath & Rao, 2009a;Siponen, Pahnila, & Mahmood, 2006). However, the GDT has not been applied in the context of investigating gender differences in employees' BYOD (smartphone) security behaviour. ...
... It also refers to the probability that the risk is realised by an individual. Previous studies showed that there is a strong relationship between perceived risk and precautionary behaviour (Siponen et al., 2006;Van Der Pligt, 1998). In addition, previous studies showed that females are less aware of and more concerned with security threats than males (Johnson & Koch, 2006). ...
... This contradicts with the findings of previous studies (e.g. Siponen et al., 2006). It indicates a general lack of awareness among both male and female employees in both countries of the risks associated with their use of smartphones in terms of security issues. ...
Article
Despite the benefits of bring your own device (BYOD) programmes, they are considered one of the top security risks companies are facing. Furthermore, there is a gap in the literature in understanding gender differences in employees' smartphone security behavioural intention. This research analyses gender differences in smartphone security behavioural intention among employees in the United Arab Emirates (UAE) and the United States (US). The research develops a new model, the behavioural model of cybersecurity (BMS), based on a combination of the protection motivation theory (PMT), the general deterrence theory (GDT) and Hofstede's cultural dimensions. A questionnaire was distributed to employees in both countries. A total of 1156 useable responses were analysed using partial least squares-structural equation modelling. The findings show that gender differences exist, but neither male nor female employees in either country are aware of the risks associated with their use of smartphones, despite their awareness of the existence of their company's BYOD security policies. The research provides theoretical and practical contributions by developing a new model combining the PMT, GDT and Hofstede's cultural dimensions and suggests gender differences in employees' smartphone security behavioural intention in a cross-national context. It has several practical implications for practitioners and policymakers.
... Prior research on user-centered security in organizations has mostly focused on how users perceive and interact with security measures [1,144,96,105,122,31], how they can be motivated to comply [184,183,89,202], factors influencing compliance [37,122], as well as advice for security managers on how to implement security in organizations [59,156,153,20]. However, there exists much less research regarding security managers' approaches of developing and implementing security in organizations. ...
Thesis
In the last ten years, smartphones revolutionized the way people are using and accessing the Internet. Today it is possible to go online (almost) anytime and anywhere. Furthermore, smartphones have become an integral part of our world influencing social contacts, media usage and business processes. This growing importance and usage of smartphones also leads to an increased demand in security and privacy measures. While in the private context, the smartphone operating system providers implement security and privacy mechanisms, in the business context organizational IT departments often take the role in providing appropriate additional security measures. In this thesis, we investigate how users in a private context as well as in a business context interact with security mechanisms. First, we consider private smartphone usage with special regard to user interaction with the permission systems and application handling of the different smartphone operating systems of Google and Apple. We examine security and privacy attitudes, behavior of smartphone users as well as the relationship between the different smartphone platforms (Android and iOS) and security and privacy aspects. We apply quantitative as well as qualitative research methods in order to gain these insights by conducting and analyzing online-based surveys and semi-structured interviews. According to our results, we conclude that iOS is considered more secure than Android, which results in a feeling of responsibility for security by Android users. Also, Android users seem to be more security and privacy aware than iOS users mostly because they notice Android permissions. Further, the runtime permission model is perceived as more useful and evokes a more positive emotional attitude than the former Android permission model. With this research, we contribute to a better understanding of the role of the specific security and privacy features, such as permission systems and application handling. 
In doing so, we facilitate improvements of the current and future development of security and privacy features of mobile systems, such that the systems can be better adjusted with perceptions, concerns and requirements of the users. Second, we investigate interactions of smartphone users with security mechanisms in an organizational context. We first conduct a structured literature review. We base our search on the Dynamic Security Success Model (DSSM), which we develop according to the Organizational Learning Theory and the Information Systems Success Model. The DSSM provides insights into organizational smartphone security processes and reveals research gaps. According to the identified research gaps, we conduct semi-structured interviews with security managers from large-scale German organizations as well as with employees from various companies. We investigate the process of smartphone security development and implementation in organizations and uncover effects of these security mechanisms on the behavior of employees. The results reveal that smartphone security development in organizations lacks organizational structures for including users into this process. This leads to a negative perception of users by security managers and consequently in a control-oriented, rather than a user-oriented approach. The insights gained through our research help organizations to reconsider the role of employees during the development phase of their security solutions as usability of security measures is essential for their effectiveness.
Article
Understanding employees’ motivations and behaviors toward compliance with information security policies (ISPs) remains a theoretical and practical challenge. Although previous information security researchers have investigated different motivational factors related to ISP compliance, most have not recognized different forms of ISP compliance behaviors characterized by their levels of willingness and persistence, nor have they noted the importance of adopting an other-oriented lens to examine such behaviors. In this paper, we propose and test an integrated model that investigates how various motivational factors affect different ISP compliance behaviors. Specifically, the model anchors on the prosocial motivational perspective in addition to the instrumental and self-regulatory motivational perspectives and investigates two types of compliance behaviors (voluntary ISP compliance and instrumental ISP compliance). We tested our model using survey data collected from 407 employee respondents. Our results show that the three sets of motivational factors have different effects on the two types of ISP compliance behaviors. Prosocial motivation and self-regulatory motivation positively affect voluntary ISP compliance behavior. Deterrence as an instrumental control leads to instrumental ISP compliance behavior but undermines voluntary ISP compliance behavior. Our study highlights that, to foster employees’ voluntary ISP compliance, organizations need to take a more holistic approach by integrating the prosocial approach with the instrumental and self-regulatory approaches in managing voluntary compliance behaviors, while being mindful of the negative effects of instrumental controls (e.g., deterrence) on such behaviors.
Article
Understanding users' individual differences may provide clues to help identify computer users who are prone to act insecurely. We examine factors that impact home users' reported computer security behaviour. We conducted two online surveys with a total of 650 participants to investigate the relationship between self-reported security behaviour and users' knowledge, motivation, confidence, risk propensity and sex-typed characteristics. We found that all of these factors impacted security behaviour, with knowledge as the most important predictor. We further show that a user's affinity to feminine or masculine characteristics is a better determinant of security behaviour than using binary male/female descriptors. Our study enabled us to confirm earlier results in the literature in a non-organisational setting, and to extend the literature by studying additional factors and by comparing the relative importance of each factor as a predictor of security behaviour.
Through persuasive communications, information technology (IT) executives hope to align the actions of end users with the expectations of senior management and of the firm regarding technology usage. One highly influential factor of persuasive effectiveness is the source of the persuasive message. This study presents a conceptual model for explaining the influence of source credibility on end user attitudes and behavioral intentions to comply with organizationally motivated, recommended IT actions within a decentralized, autonomous environment. The results of this study suggest that the elements of source competency, trustworthiness, and dynamism are significant determinants of attitudes and behavioral intentions to engage in recommended IT actions. These findings reveal the importance of these elements of effective communication in persuading end users to follow recommended IT activities and advance IT acceptance and adoption research through the application of persuasive communication theory to the domain.
Existing behavioral information security research proposes continuum or non-stage models that focus on finding static determinants for information security behavior (ISB) that remains unchanged. Such models cannot explain a case where the reasons for ISB change. However, the underlying reasons and motives for users’ ISB are not static but may change over time. To understand the change in reasoning between different antecedents, we examine stage theorizing in other fields and develop the requirements for an emergent theory of the development of employees’ ISB: (1) the content of stages based on the stage elements and their stage-specific attributes; (2) the stage-independent element explaining the instability of ISB; and (3) the temporal order of stages based on developmental progression. To illustrate the stage theory requirements in an information security context, we suggest four stages: intuitive thinking, declarative thinking, agency-related thinking, and routine-related thinking. We propose that learning is a key driver of change between the stages. According to our theorizing, employees start with intuitive beliefs and later develop routine-related thinking. Furthermore, using interview data collected from employees in a multinational company, we illustrate the differences in the stages. For future information security research, we conceptualize ISB change in terms of stages and contribute a theoretical framework that can be empirically validated. In relation to practice, understanding the differences between the stages offers a foundation for identifying the stage-specific challenges that lead to non-compliance and the corresponding information security training aimed at tackling these challenges. Given that users’ ISB follows stages, although not in a specific order, identifying such stages can improve the effectiveness of information security training interventions within organizations.
The protection of organizational information and information systems (IS) is a socio-technical issue and requires that insiders take on a more proactive set of security roles. Accordingly, we contend that insiders' abilities to enact these diverse information security roles can be explained by behavioral complexity theory. Adapted to the security context, behavioral complexity theory stipulates that insiders' ability to take appropriate precautions against organizational security threats is explained by their (1) repertoire of security roles and associated behaviors (i.e., security behavioral repertoire) and their (2) ability to switch from role to role (i.e., security behavioral differentiation). However, beyond behavioral complexity, protecting against complex security-related threats in the workplace requires significant psychological resources of insiders. Thus, to examine the influence of behavioral complexity on insiders' protection motivation, we develop and examine an extended model of behavioral complexity including insiders' workplace resilience, a significant work-related psychological resource. Our results fully support the extended security behavioral complexity model's role in driving an insider's protection motivation.
Presents an integrative theoretical framework to explain and to predict psychological changes achieved by different modes of treatment. This theory states that psychological procedures, whatever their form, alter the level and strength of self-efficacy. It is hypothesized that expectations of personal efficacy determine whether coping behavior will be initiated, how much effort will be expended, and how long it will be sustained in the face of obstacles and aversive experiences. Persistence in activities that are subjectively threatening but in fact relatively safe produces, through experiences of mastery, further enhancement of self-efficacy and corresponding reductions in defensive behavior. In the proposed model, expectations of personal efficacy are derived from 4 principal sources of information: performance accomplishments, vicarious experience, verbal persuasion, and physiological states. Factors influencing the cognitive processing of efficacy information arise from enactive, vicarious, exhortative, and emotive sources. The differential power of diverse therapeutic procedures is analyzed in terms of the postulated cognitive mechanism of operation. Findings are reported from microanalyses of enactive, vicarious, and emotive modes of treatment that support the hypothesized relationship between perceived self-efficacy and behavioral changes. (2½ p ref)
The current approaches in terms of information security awareness and education are descriptive (i.e. they are not accomplishment-oriented nor do they recognize the factual/normative dualism); and current research has not explored the possibilities offered by motivation/behavioural theories. The first situation, level of descriptiveness, is deemed to be questionable because it may prove eventually that end-users fail to internalize target goals and do not follow security guidelines, for example, which is inadequate. Moreover, the role of motivation in the area of information security is not considered seriously enough, even though its role has been widely recognized. To tackle such weaknesses, this paper constructs a conceptual foundation for information systems/organizational security awareness. The normative and prescriptive nature of end-user guidelines will be considered. In order to understand human behaviour, the behavioural science framework, consisting of intrinsic motivation, the theory of planned behaviour and the technology acceptance model, will be depicted and applied. Current approaches (such as the campaign) in the area of information security awareness and education will be analyzed from the viewpoint of the theoretical framework, resulting in information on their strengths and weaknesses. Finally, a novel persuasion strategy aimed at increasing users' commitment to security guidelines is presented.
Research dealing with various aspects of the theory of planned behavior (Ajzen, 1985, 1987) is reviewed, and some unresolved issues are discussed. In broad terms, the theory is found to be well supported by empirical evidence. Intentions to perform behaviors of different kinds can be predicted with high accuracy from attitudes toward the behavior, subjective norms, and perceived behavioral control; and these intentions, together with perceptions of behavioral control, account for considerable variance in actual behavior. Attitudes, subjective norms, and perceived behavioral control are shown to be related to appropriate sets of salient behavioral, normative, and control beliefs about the behavior, but the exact nature of these relations is still uncertain. Expectancy-value formulations are found to be only partly successful in dealing with these relations. Optimal rescaling of expectancy and value measures is offered as a means of dealing with measurement limitations. Finally, inclusion of past behavior in the prediction equation is shown to provide a means of testing the theory's sufficiency, another issue that remains unresolved. The limited available evidence concerning this question shows that the theory is predicting behavior quite well in comparison to the ceiling imposed by behavioral reliability.
Despite rapid technological advances in computer hardware and software, insecure behavior by individual computer users continues to be a significant source of direct cost and productivity loss. Why do individuals, many of whom are aware of the possible grave consequences of low-level insecure behaviors such as failure to back up work and disclosing passwords, continue to engage in unsafe computing practices? In this article we propose a conceptual model of this behavior as the outcome of a boundedly-rational choice process. We explore this model in a survey of undergraduate students (N = 167) at two large public universities. We asked about the frequency with which they engaged in five commonplace but unsafe computing practices, and probed their decision processes with regard to these practices. Although our respondents saw themselves as knowledgeable, competent users, and were broadly aware that serious consequences were quite likely to result, they reported frequent unsafe computing behaviors. We discuss the implications of these findings both for further research on risky computing practices and for the training and enforcement policies that will be needed in the organizations these students will shortly be entering.