Are we Predisposed to Behave Securely? Influence of Risk Disposition on Individual Security Behaviours

Employees continue to be the weak link in organizational security management, and efforts to improve the security of employee behaviors have not been as effective as hoped. Researchers contend that security-related decision making is primarily based on risk perception. There is also a belief that changing this perception could improve security-related compliance. The extant research has primarily focused on applying theories that assume rational decision making, e.g., protection motivation and deterrence theories. This work presumes we can influence employees towards compliance with information security policies by means of fear appeals and threatened sanctions. However, it is now becoming clear that security-related decision making is complex and nuanced, not a simple carrot- and stick-related situation. Dispositional and situational factors interact and interplay to influence security decisions. In this paper, we present a model that positions the psychological disposition of individuals in terms of risk tolerance vs. risk aversion and proposes research to explore how this factor influences security behaviors. We propose a model that acknowledges the impact of employees’ individual dispositional risk propensity as well as their situational risk perceptions on security-related decisions. It is crucial to understand this decision-making phenomenon as a foundation for designing effective interventions to reduce such risk taking. We conclude by offering suggestions for further research.
