Securing the Internet of Self
Twenty-fourth Americas Conference on Information Systems, New Orleans, 2018 1
Behind Cyber Doors:
Securing the Internet of Self
Emergent Research Forum (ERF)
Iowa State University
Joey F. George
Iowa State University
The role of citizens in securing their smart homes is critical. We develop a research model, based on health-
related fear appeal frameworks, to examine the factors that motivate users to take security precautions. Our
model synthesizes the protection motivation theory and the extended parallel process model. This synthesis
distinguishes between users’ danger-control and fear-control coping mechanisms. Further, we draw from
the criminology literature to refine fear’s compatibility with information threats as opposed to health ones.
We also develop and incorporate the Internet of Self into our model to account for smart homes’ personal
relevance to users. The theoretical foundation, contributions and hypotheses are discussed.
Internet of Things Security, smart homes, fear of cybercrime, Internet of Self, behavioral security.
The Internet of Things (IoT) has created socioeconomic benefits across different domains. Yet, its relative
lack of security has raised concerns among academics, professionals and government officials.
The up-surging diffusion of consumer IoT devices (McKinsey 2017; PlumChoice 2017) situates ‘smart’
homes (i.e. homes that integrate IoT devices such as smart TVs/thermostats) at the frontier of non-secure
IoT applications (Plachkinova et al. 2016). Further, citizens’ voluntary security behavior (Anderson and
Agarwal 2010) and the technical limitations in smart home security solutions (e.g. smart home hubs)
exacerbate the matter. As such, the role of citizens in protecting their smart homes against IoT menaces is
highly significant. Driven by this role, we investigate the following research questions: (1) What are the
factors that motivate citizens to take IoT security precautions? and (2) What are the unique IoT (i.e. smart
home) characteristics that strengthen these factors?
This paper belongs to the stream of literature that examines cybersecurity (1) via a behavioral viewpoint
(e.g. Wang et al. 2017) and (2) in home settings (Chen and Zahedi 2016). It also belongs to the IS Security
(ISSec) literature that relies on health-related fear appeal models, such as Rogers' (1975) protection
motivation theory (PMT), to explain user security behavior against information threats (for an extensive
review, see Boss et al. 2015). Fear appeal ISSec studies base their premises on three underlying
assumptions: (1) security behavior is a function of rational and problem-solving intent, (2) fear of health
threats is equivalent to fear of IT threats and (3) health threats are equivalent to IT threats in their personal
Our study is theoretically grounded in the full-nomological PMT (i.e. includes fear) (Floyd et al. 2000). We
synthesize PMT with the extended parallel process model (EPPM; Witte 1992) to examine fear’s role in
distinct coping mechanisms (i.e. to handle assumption 1). Further, we draw upon the criminology literature
to handle assumption 2. We also adopt elements from the relevant literatures (e.g. psychology) to handle
assumption 3. On that basis, we develop the ‘Internet of Self’ and incorporate it into our research model.
This paper’s contributions are twofold. From a theoretical viewpoint, we first refine the conceptualization
and operationalization of the ‘fear’ construct in ISSec fear appeal models. Second, we address two opposite
but concurrent user coping mechanisms against threats. Third, we develop the ‘Internet-of-Self’ (IoS)
construct. From a practical perspective, we present IoS as an opportunity that prompts smart home users
Securing the Internet of Self
Twenty-fourth Americas Conference on Information Systems, New Orleans, 2018 2
to behave securely. This approach aligns with opportunity framing (i.e. converting threats to opportunities)
theories, such as Meyer's (1982). Thus, our study provides a novel approach, seeking to raise IoT security
awareness among citizens.
Protection Motivation Theory & Extended Parallel Process Model
PMT postulates that individuals adhere to the cognitive processes, threat appraisal (TA) and coping
appraisal (CA), which prompt protective behavior (Rogers 1975, 1983). TA is a function of threat severity
(i.e. the perceived degree of threat harm) and susceptibility (i.e. the likelihood of threat occurrence), and
CA is a function of self-efficacy (individuals’ belief in their abilities to take protective actions), response
efficacy (i.e. the perceived effectiveness of a protective action) and response costs (i.e. costs or barriers that
inhibit performing adaptive behavior). TA elicits fear, “a negatively-valenced emotion” (Witte 1992). High
levels of CA and fear induce protection motivation (PM), the intention of performing protective behavior.
The fear-PM route represents the danger control process (Rippetoe and Rogers 1987). EPPM delineates
another route, the fear control process, by which fear induces defensive motivation (Witte 1996). Through
this route, individuals engage in emotional coping mechanisms to mitigate fear. Defensive motivation
comprises defensive avoidance (i.e. a reactive response to avoid mentally processing a fear appeal
message), perceived manipulation (i.e. perceiving the message as manipulative or misleading) and issue
derogation (i.e. perceiving an issue as trivial via viewing the message as an overstatement of the threat).
Fear of Crime Victimization
The ‘fear’ in fear appeal models (FAMs) parameterizes health threats rather than cyber ones. As such, ISSec-
FAMs rely on the assumption that individuals’ fear of cyber threats is equivalent to that of health threats.
Yet, this assumption may be invalid, as sources of health threats vs. cyber threats are starkly different. The
latter mainly includes cybercrime while the former embraces diseases. To resolve the discrepancy, we refer
to the criminology literature on fear of crime victimization (FoCV).
Spanning five decades, criminologists’ debate over FoCV has refined its conceptualization and
operationalization (Henson and Reyns 2015). Comprehensively, FoCV may be described as an emotional
response to a danger or threat of an actual or potential criminal incident. It is restricted to one negative
emotional reaction: being afraid (Henson and Reyns 2015). In contrast, health-FAMs’ ‘fear’ (i.e. “a
negatively-valenced emotion”; Witte 1992) broadens to other negative emotions, such as concern and
anxiety. By extension, health and ISSec studies’ operationalization of fear incorporates other feelings’
measurements (Boss et al. 2015; Milne et al. 2002). Contrarily, criminologists distinguish between fear and
other emotions. Concern, as opposed to fear, captures individuals’ irritation with a general or national crime
phenomenon instead of being afraid of falling victim to it (Furstenberg 1971). By the same token, FoCV is
different from anxiety (Clark 2003). Thus, FoCV researchers have contended that FoCV measures should
include a "how afraid” (or similar) phrase (Ferraro and LaGrange 1987; Hale 1996) and should explicitly
reference the term “crime.”
Internet of Self
Implicit to a source’s contribution to fear is its relevance to an individual. “Threats to data, information,
and systems do not carry the same personal relevance as threats that directly impact one’s self” (Johnston
et al. 2015). Thus, “enhanced fear appeal elements” (i.e. elements that evoke personal relevance) are
imperative to fear appeal models (Johnston et al. 2015). In the smart home context, cyber threats have
intense personal relevance to users, as they inherently incorporate an enhanced fear appeal element, the
Internet of Self (IoS).
The Internet of You/Me/Self terminologies have appeared in some reports and conventions (e.g. NCSA
2016). Although IoS is still a fuzzy concept, it may be described as a perceived relationship between one’s
self and her ‘smart’ environment.
The human-environment relationship undergoes two experiential phases (Belk 1988). The first phase
entails possessing objects, and the second entails controlling objects in the environment, which generates
Securing the Internet of Self
Twenty-fourth Americas Conference on Information Systems, New Orleans, 2018 3
a stronger “sense of self” (Belk 1988; Furby 1980). In the first phase, individuals satisfy psychological
ownership needs, namely effectance, self-identity and ‘having a place’ through the following mechanisms:
objects’ personalization, intimate knowledge of the target, control over the target and ‘investing the self in
the target’ (Pierce et al. 2003). In the second phase, these mechanisms, along with loss aversion, establish
self-extension (Belk 1988).
Smart home users undergo the aforementioned phases with their IoT environments. As such, a user
develops IoS as a cognitive schema of his/her relationship with the personalized smart environment. We
view this relationship as an aggregate abstraction of perceived personalization, psychological ownership
and self-extension. Perceived personalization refers to a user’s perception of the extent to which a digital
artifact understands and represents his or her personal needs (Komiak and Benbasat 2006). Psychological
ownership refers to a mental state, by which individuals enclose an intellectual perception, comprised of
feelings, thoughts, beliefs and awareness of what is “theirs” (Pierce et al. 2003). Self-extension relates to
the perceptual notion that “knowingly or unknowingly, intentionally or unintentionally,” individuals view
their possessions as extensions of themselves (Belk 1988).
Figure 1 illustrates our set of hypotheses. Smart home users undergo threat appraisal, which induces fear
and protective motivation. In alignment with (Liang and Xue 2009, 2010), we view threat appraisal as a
second-order formative construct, with severity and susceptibility as first-order constructs. We hypothesize
H1. IoT threat appraisal positively impacts protection motivation.
H2. IoT threat appraisal positively affects fear of cybercrime victimization.
Internet of Self (IoS) is a cognitive schema that aggregates IoT personalization, psychological ownership
and self-extension. We view that IoS’s three components are positively related to each other in causal loops.
Thus, we view IoS as a higher order reflective-reflective construct with psychological ownership, self-
extension and personalization as lower-order constructs (Hair et al. 2013). IoS intensifies the personal
relevance of cyber threats. As such, we hypothesize that:
H3a. A stronger sense of IoS exerts a stronger relationship between threat appraisal and protective
H3b. A stronger sense of IoS exerts a stronger relationship between threat appraisal and fear.
After appraising threat, individuals experience fear, which causes protective and defensive motivations
through the danger control and fear control cognitive routes respectively. Thus, users are motivated to
counter IoT threats with problem-focused coping and emotional coping mechanisms.
H4a. Fear of cybercrime victimization positively impacts protective motivation.
H4b. Fear of cybercrime victimization positively impacts defensive motivation.
After experiencing fear, individuals undergo the coping appraisal process, comprising response costs, self-
and response efficacies (Rogers 1983). If coping appraisal is stronger than fear, then the threatened
individual engages in the danger control process and thus in adaptive behavior (Witte 1996). Else, a user
engages in defensive motivation through the fear control process.
H5a. Coping appraisal positively moderates the relation between fear and protective motivation.
H5b. Coping appraisal negatively moderates the relation between fear and defensive motivation.
Protective and defensive motivations affect security behavior. We define IoT security behavior as a set of
precautions drawn from the National Cyber Security Alliance’s IoT security measures (NCSA 2015, 2016).
We hypothesize that:
H6a. Protective motivation positively affects IoT security behavior.
H6b. Defensive motivation negatively affects IoT security behavior.
Our research model’s significance lies in its nested contextualization. At a broad level, it accounts for
“context distinguishing features” between cybersecurity and healthcare through redefining fear to fit
cybercrime (Hong et al. 2014). At a narrower level, it accounts for smart homes’ “contextual effect” (Hong
et al. 2014) through incorporating the ‘Internet of Self’ construct. It also manifests the interrelationships
Securing the Internet of Self
Twenty-fourth Americas Conference on Information Systems, New Orleans, 2018 4
among the technology artifact characteristics (i.e. IoT threats), user characteristics (i.e. IoS, fear of
cybercrime and coping), and usage characteristics (i.e. IoT security behavior/intentions) (Hong et al. 2014).
Figure 1. Research Model and Hypotheses
Methodology and Conclusion
We will collect data via a questionnaire-based survey. Our questionnaire includes adapted scales from the
relevant literature, yet it differs in operationalizing security behavior. Previous security behavior scales
focus on one security action such as backing up data (e.g. Boss et al. 2015) or ask respondents whether they
globally comply to a holistic list of security measures (e.g. Chen and Zahedi 2016). In contrast, our scale
includes a list of security precautions, each of which is represented by an item independently, as we view
security behavior as an array of independent security precautions. Prior to primary data collection, we will
conduct a pilot study and a pretest. The study’s population sample will consist of smart home owners. After
data collection, we will employ Partial Least Squares to test our model.
The role of citizens in securing their connected homes is critical. As such, we propose a research model,
grounded in fear appeal frameworks, to examine the human factor in smart home security. We redefine the
‘fear’ construct in such frameworks to validate them in information security contexts. Further, we examine
the dual role of fear with respect to users’ different coping mechanisms. We also develop the ‘Internet of
Self’ construct to account for the personal relevance of IoT technologies to users. This work’s potential
theoretical contributions include handling the underlying assumptions in information security fear appeal
models. Its broader impacts lie in employing the proposed model for raising IoT security awareness among
Anderson, C. L., and Agarwal, R. 2010. “Practicing Safe Computing: A Multimethod Empirical Examination
of Home Computer User Security Behavioral Intentions,” MIS Quarterly (34:3), pp. 613-A15.
Belk, R. W. 1988. “Possessions and the Extended Self,” Journal of Consumer Research (15:2), pp. 139–168.
Boss, S. R., Galletta, D. F., Benjamin Lowry, P., Moody, G. D., and Polak, P. 2015. “What Do Systems Users
Have to Fear? Using Fear Appeals to Engender Threats and Fear That Motivate Protective Security
Behaviors,” MIS Quarterly (39:4), pp. 837–864.
Chen, Y., and Zahedi, F. M. 2016. “Individuals’ Internet Security Perceptions and Behaviors: Polycontextual
Contrasts Between the United States and China,” MIS Quarterly (40:1), pp. 205-A12.
Clark, J. 2003. “Fear in Fear-of-Crime,” Psychiatry, Psychology and Law (10:2), pp. 267–282.
Ferraro, K. F., and LaGrange, R. L. 1987. “The Measurement of Fear of Crime,” Sociological Inquiry (57:1),
Securing the Internet of Self
Twenty-fourth Americas Conference on Information Systems, New Orleans, 2018 5
Floyd, D. L., Prentice-Dunn, S., and Rogers, R. W. 2000. “A Meta-Analysis of Research on Protection
Motivation Theory,” Journal of Applied Social Psychology (30:2), pp. 407–429.
Furby, L. 1980. “Collective Possession and Ownership: A Study of Its Judged Feasibility and Desirability,”
Social Behavior & Personality: An International Journal (8:2), p. 165.
Furstenberg, F. F. 1971. “Public Reaction to Crime in the Streets,” The American Scholar (40:4), pp. 601–
Hair, J. F. J., Hult, G. T. M., Ringle, C., and Sarstedt, M. 2013. A Primer on Partial Least Squares Structural
Equation Modeling (PLS-SEM), SAGE Publications.
Hale, C. 1996. “Fear of Crime: A Review of the Literature,” International Review of Victimology (4:2), pp.
Henson, B., and Reyns, B. W. 2015. “The Only Thing We Have to Fear Is Fear Itself…and Crime: The Current
State of the Fear of Crime Literature and Where It Should Go Next,” Sociology Compass (9:2), pp. 91–
Hong, W., Chan, F. K. Y., Thong, J. Y. L., Chasalow, L. C., and Dhillon, G. 2014. “A Framework and
Guidelines for Context-Specific Theorizing in Information Systems Research,” Information Systems
Research (25:1), pp. 111–136.
Johnston, A. C., Warkentin, M., and Siponen, M. 2015. “An Enhanced Fear Appeal Rhetorical Framework:
Leveraging Threats to the Human Asset Through Sanctioning Rhetoric,” MIS Quarterly (39:1), pp. 113.
Komiak, S. Y. X., and Benbasat, I. 2006. “The Effects of Personalization and Familiarity on Trust and
Adoption of Recommendation Agents,” MIS Quarterly (30:4), pp. 941–960.
Liang, H., and Xue, Y. 2009. “Avoidance of Information Technology Threats: A Theoretical Perspective,”
MIS Quarterly (33:1), pp. 71–90.
Liang, H., and Xue, Y. 2010. “Understanding Security Behaviors in Personal Computer Usage: A Threat
Avoidance Perspective,” Journal of the Association for Information Systems (11:7), p. 394.
McKinsey. 2017. “McKinsey Connected Homes.” (http://www.mckinsey.com/connectedhome/, accessed
February 6, 2018).
Meyer, A. D. 1982. “Adapting to Environmental Jolts,” Administrative Science Quarterly (27:4), pp. 515–
Milne, S., Orbell, S., and Sheeran, P. 2002. “Combining Motivational and Volitional Interventions to
Promote Exercise Participation: Protection Motivation Theory and Implementation Intentions,”
British Journal of Health Psychology (7:2), pp. 163–184.
NCSA. 2015. “As the Internet of Things Grows Focus Is on Securing Our Devices,” Stay Safe Online.
(https://staysafeonline.org/press-release/securing-iot-devices/, accessed February 3, 2018).
NCSA. 2016. “Continued Growth of the ‘Internet of Me’ Has 88 Percent of Consumers Considering the Risks
of Using Connected Devices,” Stay Safe Online. (https://staysafeonline.org/press-release/continued-
Pierce, J. L., Kostova, T., and Dirks, K. T. 2003. “The State of Psychological Ownership: Integrating and
Extending a Century of Research.,” Review of General Psychology (7:1), pp. 84–107.
Plachkinova, M., Vo, A., and Alluhaidan, A. 2016. “Emerging Trends in Smart Home Security, Privacy, and
Digital Forensics,” AMCIS 2016 Proceedings.
PlumChoice. 2017. “IOT Adoption Benchmark,” PlumChoice. (https://www.plumchoice.com/iot-adoption-
benchmark-report-2016/, accessed February 6, 2018).
Rippetoe, P. A., and Rogers, R. W. 1987. “Effects of Components of Protection-Motivation Theory on
Adaptive and Maladaptive Coping with a Health Threat.,” Journal of Personality and Social
Psychology (52:3), p. 596.
Rogers, R. W. 1975. “A Protection Motivation Theory of Fear Appeals and Attitude Change,” Journal of
Psychology (91:1), p. 93.
Rogers, R. W. 1983. Cognitive and Physiological Processes in Fear Appeals and Attitude Change: A
Revised Theory of Protection Motivation, J. Cacioppo and R. Petty (eds.), New York: Guilford, pp. 153–
Wang, J., Li, Y., and Rao, H. R. 2017. “Coping Responses in Phishing Detection: An Investigation of
Antecedents and Consequences,” Information Systems Research (28:2), pp. 378–396.
Witte, K. 1992. “Putting the Fear Back into Fear Appeals: The Extended Parallel Process Model,”
Communication Monographs (59:4), pp. 329–349.
Witte, K. 1996. “Fear as Motivator, Fear as Inhibitor: Using the Extended Parallel Process Model to Explain
Fear Appeal Successes and Failures,” in Handbook of Communication and Emotion, P. A. Andersen
and L. K. Guerrero (eds.), San Diego: Academic Press, pp. 423–450.