Maladaptive behaviour in response to email phishing threats: The roles of rewards and response costs

Abstract Email users are vulnerable to phishing threats and a greater understanding of how to protect them is needed. This research investigates how response costs and rewards influence users’ protective and maladaptive security behaviours in the domain of phishing by testing a model that extends Protection Motivation Theory to more explicitly consider the role of maladaptive behaviour. The results show that rewards influence maladaptive behaviour rather than protective behaviour in response to email phishing threats, and that response costs influence both maladaptive and protective behaviours. That is, any perceived benefits from not performing protective behaviours against email phishing threats will result in an increase in the performance of maladaptive behaviours. Similarly, any increases in costs perceived to be incurred for performing protective behaviours against email phishing threats will result in a decrease in protective behaviour and an increase in maladaptive behaviour. These findings have both practical implications and implications for future research into protections against phishing threats.

[1]  Xuequn Wang,et al.  "Security begins at home": Determinants of home computer and mobile device security behavior , 2017, Comput. Secur..

[2]  Mikko T. Siponen,et al.  Motivating IS security compliance: Insights from Habit and Protection Motivation Theory , 2012, Inf. Manag..

[3]  Yan Chen Examining Internet Users' Adaptive and Maladaptive Security Behaviors Using the Extended Parallel Process Model , 2017, ICIS.

[4]  M. Siponen,et al.  Protection Motivation Theory in Information Systems Security Research , 2021, Data Base.

[5]  H. Leventhal,et al.  Findings and Theory in the Study of Fear Communications , 1970 .

[6]  Karen Corral,et al.  Adaptive and Maladaptive Coping with an It Threat , 2019, Inf. Syst. Manag..

[7]  Ramakrishna Ayyagari,et al.  Risk and Demographics’ Influence on Security Behavior Intentions , 2020, Journal of the Southern Association for Information Systems.

[8]  K Witte,et al.  Predicting risk behaviors: development and validation of a diagnostic scale. , 1996, Journal of health communication.

[9]  Tamara Dinev,et al.  An Extended Privacy Calculus Model for E-Commerce Transactions , 2006, Inf. Syst. Res..

[10]  Yongqiang Sun,et al.  Location information disclosure in location-based social network services: Privacy calculus, benefit structure, and gender differences , 2015, Comput. Hum. Behav..

[11]  Xiaolin Lin,et al.  Examining gender differences in people's information-sharing decisions on social networking sites , 2020, Int. J. Inf. Manag..

[12]  Shuting Xu,et al.  Applying Protection Motivation Theory to Information Security Training for College Students , 2013 .

[13]  M. Lindell,et al.  Accounting for common method variance in cross-sectional research designs. , 2001, The Journal of applied psychology.

[14]  Norshidah Mohamed,et al.  Information privacy concerns, antecedents and privacy measure use in social networking sites: Evidence from Malaysia , 2012, Comput. Hum. Behav..

[15]  Dennis F. Galletta,et al.  What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors , 2015, MIS Q..

[16]  Atreyi Kankanhalli,et al.  Studying users' computer security behavior: A health belief perspective , 2009, Decis. Support Syst..

[17]  Lauren I. Labrecque,et al.  Toward an Understanding of the Online Consumer's Risky Behavior and Protection Practices , 2009 .

[18]  Detmar W. Straub,et al.  Security lapses and the omission of information security measures: A threat control model and empirical test , 2008, Comput. Hum. Behav..

[19]  Kent Marett,et al.  A quantitative textual analysis of three types of threat communication and subsequent maladaptive responses , 2019, Comput. Secur..

[20]  Tanya J. McGill,et al.  Short-term and Long-term Effects of Fear Appeals in Improving Compliance with Password Guidelines , 2018, Commun. Assoc. Inf. Syst..

[21]  Dominik J. Leiner Too Fast, too Straight, too Weird: Non-Reactive Indicators for Meaningless Data in Internet Surveys , 2019 .

[22]  Ranida B. Harris,et al.  Social Networking Websites and Posting Personal Information: An Evaluation of Protection Motivation Theory , 2011 .

[23]  Mo Adam Mahmood,et al.  Employees' adherence to information security policies: An exploratory field study , 2014, Inf. Manag..

[24]  Michael Workman,et al.  Gaining Access with Social Engineering: An Empirical Study of the Threat , 2007, Inf. Secur. J. A Glob. Perspect..

[25]  Shelia R. Cotten,et al.  Determinants of online safety behaviour: towards an intervention strategy for college students , 2015, Behav. Inf. Technol..

[26]  Robert P. Minch,et al.  Application of Protection Motivation Theory to Adoption of Protective Technologies , 2009, 2009 42nd Hawaii International Conference on System Sciences.

[27]  Tom L. Roberts,et al.  The Impact of Organizational Commitment on Insiders’ Motivation to Protect Organizational Information Assets , 2015, J. Manag. Inf. Syst..

[28]  Steve Love,et al.  Security awareness of computer users: A phishing threat avoidance perspective , 2014, Comput. Hum. Behav..

[29]  P. Sheeran,et al.  Combining motivational and volitional interventions to promote exercise participation: protection motivation theory and implementation intentions. , 2002, British journal of health psychology.

[30]  Siddhi Pittayachawan,et al.  Comparing intention to avoid malware across contexts in a BYOD-enabled Australian university: A Protection Motivation Theory approach , 2015, Comput. Secur..

[31]  Teodor Sommestad,et al.  A Meta-Analysis of Studies on Protection Motivation Theory and Information Security Behaviour , 2015, Int. J. Inf. Secur. Priv..

[32]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[33]  Miriam J. Metzger,et al.  An Extended Privacy Calculus Model for SNSs: Analyzing Self-Disclosure and Self-Withdrawal in a Representative U.S. Sample , 2016, J. Comput. Mediat. Commun..

[34]  Robert LaRose,et al.  Keeping our network safe: a model of online protection behaviour , 2008, Behav. Inf. Technol..

[35]  K. Witte Fear control and danger control: A test of the extended parallel process model (EPPM) , 1994 .

[36]  Adam N. Joinson,et al.  Exploring susceptibility to phishing in the workplace , 2018, International Journal of Human-Computer Studies.

[37]  Marko Sarstedt,et al.  Partial least squares structural equation modeling (PLS-SEM): An emerging tool in business research , 2014 .

[38]  Robert E. Crossler,et al.  Understanding Compliance with Bring Your Own Device Policies Utilizing Protection Motivation Theory: Bridging the Intention-Behavior Gap , 2014, J. Inf. Syst..

[39]  Yajiong Xue,et al.  What Users Do Besides Problem-Focused Coping When Facing IT Security Threats: An Emotion-Focused Coping Perspective , 2019, MIS Q..

[40]  Nik Thompson,et al.  Who are you talking about? Contrasting determinants of online disclosure about self or others , 2021, Inf. Technol. People.

[41]  Konstantin Beznosov,et al.  Phishing threat avoidance behaviour: An empirical investigation , 2016, Comput. Hum. Behav..

[42]  Cheolho Yoon,et al.  Exploring Factors That Influence Students’ Behaviors in Information Security , 2013 .

[43]  Nik Thompson,et al.  Gender Differences in Information Security Perceptions and Behaviour , 2018, ACIS.

[44]  Yajiong Xue,et al.  Avoidance of Information Technology Threats: A Theoretical Perspective , 2009, MIS Q..

[45]  Gürkan Gür,et al.  Don’t click: towards an effective anti-phishing training. A comparative literature review , 2020, Human-centric Computing and Information Sciences.

[46]  S. Upadhyaya,et al.  Internet and Online Information Privacy: An Exploratory Study of Preteens and Early Teens , 2009, IEEE Transactions on Professional Communication.

[47]  Adam N. Joinson,et al.  Developing a measure of information seeking about phishing , 2020, J. Cybersecur..

[48]  Steve Love,et al.  A game design framework for avoiding phishing attacks , 2013, Comput. Hum. Behav..

[49]  R. Rogers Cognitive and physiological processes in fear appeals and attitude change: a revised theory of prote , 1983 .

[50]  Thomas O. Meservy,et al.  Risky Behavior in Online Social Media: Protection Motivation and Social Influence , 2010, AMCIS.

[51]  Dominic Abrams,et al.  Exploring teenagers' adaptive and maladaptive thinking in relation to the threat of hiv infection. , 1994, Psychology & health.

[52]  Michel Cukier,et al.  Correlating human traits and cyber security behavior intentions , 2018, Comput. Secur..

[53]  Tom L. Roberts,et al.  Motivating the Insider to Protect Organizational Information Assets: Evidence from Protection Motivation Theory and Rival Explanations , 2011 .

[54]  H. Leventhal,et al.  Fear appeals and persuasion: the differentiation of a motivational construct. , 1971, American journal of public health.

[55]  Jacqueline Saleeby Health Beliefs About Mental Illness: An Instrument Development Study , 2000 .

[56]  Yajiong Xue,et al.  Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective , 2010, J. Assoc. Inf. Syst..

[57]  Scott B. MacKenzie,et al.  Common method biases in behavioral research: a critical review of the literature and recommended remedies. , 2003, The Journal of applied psychology.

[58]  K. Marett,et al.  Examining the Coping Appraisal Process in End User Security , 2012 .

[59]  K. Witte Putting the fear back into fear appeals: The extended parallel process model , 1992 .

[60]  Annette Mills,et al.  An Empirical Study of Home User Intentions towards Computer Security , 2019, HICSS.

[61]  Fatemeh Zahedi,et al.  Individuals' Internet Security Perceptions and Behaviors: Polycontextual Contrasts Between the United States and China , 2016, MIS Q..

[62]  William C. McDowell,et al.  Am I Really at Risk? Determinants of Online Users' Intentions to Use Strong Passwords , 2009 .

[63]  E. Vance Wilson,et al.  Cognitive factors that lead people to comply with spam email , 2017, J. Organ. Comput. Electron. Commer..