Avoidance of Information Technology Threats: A Theoretical Perspective

This paper describes the development of the technology threat avoidance theory (TTAT), which explains individual IT users' behavior of avoiding the threat of malicious information technologies. We articulate that avoidance and adoption are two qualitatively different phenomena and contend that technology acceptance theories provide a valuable, but incomplete, understanding of users' IT threat avoidance behavior. Drawing from cybernetic theory and coping theory, TTAT delineates the avoidance behavior as a dynamic positive feedback loop in which users go through two cognitive processes, threat appraisal and coping appraisal, to decide how to cope with IT threats. In the threat appraisal, users will perceive an IT threat if they believe that they are susceptible to malicious IT and that the negative consequences are severe. The threat perception leads to coping appraisal, in which users assess the degree to which the IT threat can be avoided by taking safeguarding measures based on perceived effectiveness and costs of the safeguarding measure and self-efficacy of taking the safeguarding measure. TTAT posits that users are motivated to avoid malicious IT when they perceive a threat and believe that the threat is avoidable by taking safeguarding measures; if users believe that the threat cannot be fully avoided by taking safeguarding measures, they would engage in emotion-focused coping. Integrating process theory and variance theory, TTAT enhances our understanding of human behavior under IT threats and makes an important contribution to IT security research and practice.
