User Motivations in Protecting Information Security: Protection Motivation Theory Versus Self-Determination Theory

Abstract Managers desiring to protect information systems must understand how to most effectively motivate users to engage in secure behaviors. Information security researchers have frequently studied individuals’ performance of secure behaviors in response to threats. Protection motivation theory (PMT) has been used to explain individuals’ propensity to engage in voluntary secure behaviors, but the adaptation of this theory has yielded inconsistent results. Motivation as a measurable construct, as derived from self-determination theory (SDT), has never been included in or compared against PMT. In this study, we construct security messages that appeal to individuals’ intrinsic motivation, rather than fear, as a way to elicit secure responses. Using three sets of respondents, we integrated the SDT and PMT models and compared the native models in the context of security behaviors. We demonstrate that by using data- and individual-focused appeals and providing choices for users, managers may observe greater intention to engage in secure behavior among employees.

[1]  Keshnee Padayachee,et al.  Taxonomy of compliant information security behavior , 2012, Comput. Secur..

[2]  Anol Bhattacherjee Social Science Research: Principles, Methods, and Practices , 2012 .

[3]  R. Ryan,et al.  The Nature of the Self in Autonomy and Relatedness , 1991 .

[4]  Fred D. Davis,et al.  A Theoretical Extension of the Technology Acceptance Model: Four Longitudinal Field Studies , 2000, Management Science.

[5]  Guy Paré,et al.  Linking IT implementation and acceptance via the construct of psychological ownership of information technology , 2008, J. Inf. Technol..

[6]  Ryan T. Wright,et al.  Training to Mitigate Phishing Attacks Using Mindfulness Techniques , 2017, J. Manag. Inf. Syst..

[7]  Ryan T. Wright,et al.  Research Note - Influence Techniques in Phishing Attacks: An Examination of Vulnerability and Resistance , 2014, Inf. Syst. Res..

[8]  Dennis F. Galletta,et al.  What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors , 2015, MIS Q..

[9]  R. Baumeister,et al.  The need to belong: desire for interpersonal attachments as a fundamental human motivation. , 1995, Psychological bulletin.

[10]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[11]  E. Deci,et al.  Self‐determination theory and work motivation , 2005 .

[12]  Viswanath Venkatesh,et al.  Creation of Favorable User Perceptions: Exploring the Role of Intrinsic Motivation , 1999, MIS Q..

[13]  E. Deci,et al.  Self-determination theory and the facilitation of intrinsic motivation, social development, and well-being. , 2000, The American psychologist.

[14]  E. Deci,et al.  Intrinsic and Extrinsic Motivations: Classic Definitions and New Directions. , 2000, Contemporary educational psychology.

[15]  Fred D. Davis,et al.  User Acceptance of Computer Technology: A Comparison of Two Theoretical Models , 1989 .

[16]  Russell S. Winer,et al.  A reference price model of brand choice for frequently purchased products. , 1986 .

[17]  Princely Ifinedo,et al.  Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory , 2012, Comput. Secur..

[18]  Lujo Bauer,et al.  Of passwords and people: measuring the effect of password-composition policies , 2011, CHI.

[19]  Merrill Warkentin,et al.  Threat Protection and Convenience: Antecedents of Cloud-Based Data Backup , 2014, J. Comput. Inf. Syst..

[20]  Mo Adam Mahmood,et al.  Employees' Behavior towards IS Security Policy Compliance , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[21]  Gordon B. Davis,et al.  User Acceptance of Information Technology: Toward a Unified View , 2003, MIS Q..

[22]  R. Rogers Cognitive and physiological processes in fear appeals and attitude change: a revised theory of prote , 1983 .

[23]  Richard H. Thaler,et al.  Mental Accounting and Consumer Choice , 1985, Mark. Sci..

[24]  Shirley Gregor,et al.  The Nature of Theory in Information Systems , 2006, MIS Q..

[25]  H J Motulsky,et al.  Fitting curves to data using nonlinear regression: a practical and nonmathematical review , 1987, FASEB journal : official publication of the Federation of American Societies for Experimental Biology.

[26]  Viswanath Venkatesh,et al.  Consumer Acceptance and Use of Information Technology: Extending the Unified Theory of Acceptance and Use of Technology , 2012, MIS Q..

[27]  Detmar W. Straub,et al.  Security lapses and the omission of information security measures: A threat control model and empirical test , 2008, Comput. Hum. Behav..

[28]  Viswanath Venkatesh,et al.  Determinants of Perceived Ease of Use: Integrating Control, Intrinsic Motivation, and Emotion into the Technology Acceptance Model , 2000, Inf. Syst. Res..

[29]  R. W. Rogers,et al.  A meta-analysis of research on protection motivation theory. , 2000 .

[30]  R. Vallerand Toward A Hierarchical Model of Intrinsic and Extrinsic Motivation , 1997 .

[31]  Younghwa Lee,et al.  Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software , 2009, Eur. J. Inf. Syst..

[32]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[33]  Janet H. Marler,et al.  The dual nature of prior computer experience: More is not necessarily better for technology acceptance , 2013, Comput. Hum. Behav..

[34]  Merrill Warkentin,et al.  An Enhanced Fear Appeal Rhetorical Framework: Leveraging Threats to the Human Asset Through Sanctioning Rhetoric , 2015, MIS Q..

[35]  Richard,et al.  Extrinsic and Intrinsic Motivation to Use Computers in the Workplace , 2022 .

[36]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[37]  R. Vallerand Deci and Ryan's self-determination theory: A view from the hierarchical model of intrinsic and extrinsic motivation. , 2000 .

[38]  Mohamed Sedky,et al.  Exploring the Adoption of Physical Security Controls in Smartphones , 2015, HCI.

[39]  Ritu Agarwal,et al.  Practicing Safe Computing: A Multimedia Empirical Examination of Home Computer User Security Behavioral Intentions , 2010, MIS Q..

[40]  V. Zeithaml Consumer Perceptions of Price, Quality, and Value: A Means-End Model and Synthesis of Evidence: , 1988 .

[41]  Detmar W. Straub,et al.  A Practical Guide To Factorial Validity Using PLS-Graph: Tutorial And Annotated Example , 2005, Commun. Assoc. Inf. Syst..

[42]  K. B. Monroe Buyers’ Subjective Perceptions of Price , 1973 .

[43]  David Hylender,et al.  Data Breach Investigations Report , 2011 .

[44]  Mar ianne Mise,et al.  Children Who Do Well in School : Individual Differences in Perceived Competence and Autonomy in Above-Average Children , 2001 .

[45]  Dimitris Gritzalis,et al.  Delegate the smartphone user? Security awareness in smartphone platforms , 2013, Comput. Secur..

[46]  Michael Workman,et al.  A test of interventions for security threats from social engineering , 2008, Inf. Manag. Comput. Secur..

[47]  Jintae Lee,et al.  Relating motivation to information and communication technology acceptance: Self-determination theory perspective , 2015, Comput. Hum. Behav..

[48]  Robert E. Crossler,et al.  The quest for complete security: An empirical analysis of users’ multi-layered protection from security threats , 2019, Inf. Syst. Frontiers.

[49]  H. Rao Unnava,et al.  Self-Referencing , 1989 .

[50]  Habib Ullah Khan,et al.  Security behaviors of smartphone users , 2016, Inf. Comput. Secur..

[51]  Robert E. Crossler,et al.  An Extended Perspective on Individual Security Behaviors: Protection Motivation Theory and a Unified Security Practices (USP) Instrument , 2014, DATB.

[52]  Irene Woon,et al.  A Protection Motivation Theory Approach to Home Wireless Security , 2005, ICIS.

[53]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[54]  Karen Renaud,et al.  Why do people adopt, or reject, smartphone password managers? , 2016 .

[55]  I. Ajzen,et al.  Understanding Attitudes and Predicting Social Behavior , 1980 .

[56]  Prashant Palvia,et al.  Control-Related Motivations and Information Security Policy Compliance: The Effect of Reflective and Reactive Autonomy , 2013, AMCIS.

[57]  Tom L. Roberts,et al.  The Impact of Organizational Commitment on Insiders’ Motivation to Protect Organizational Information Assets , 2015, J. Manag. Inf. Syst..

[58]  Shirley Gregor,et al.  Eight Obstacles to Overcome in the Theory Testing Genre , 2014, J. Assoc. Inf. Syst..

[59]  E. Deci,et al.  The support of autonomy and the control of behavior. , 1987, Journal of personality and social psychology.

[60]  Yajiong Xue,et al.  Employees’ Exploration of Complex Systems: An Integrative View , 2015, J. Manag. Inf. Syst..

[61]  Hans van der Heijden,et al.  User Acceptance of Hedonic Information Systems , 2004, MIS Q..

[62]  R. Paternoster,et al.  Sanction threats and appeals to morality : Testing a rational choice model of corporate crime , 1996 .

[63]  Edward L. Deci,et al.  The Empirical Exploration of Intrinsic Motivational Processes1 , 1980 .

[64]  Robert E. Crossler,et al.  Protection Motivation Theory: Understanding Determinants to Backing Up Personal Data , 2010, 2010 43rd Hawaii International Conference on System Sciences.

[65]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[66]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[67]  Edgar Erdfelder,et al.  G*Power 3: A flexible statistical power analysis program for the social, behavioral, and biomedical sciences , 2007, Behavior research methods.

[68]  Fred D. Davis,et al.  Extrinsic and Intrinsic Motivation to Use Computers in the Workplace1 , 1992 .

[69]  R. Vallerand,et al.  Self-determination and persistence in a real-life setting: toward a motivational model of high school dropout. , 1997, Journal of personality and social psychology.

[70]  Li Zhao,et al.  Sharing Knowledge in Social Q&A Sites: The Unintended Consequences of Extrinsic Motivation , 2016, J. Manag. Inf. Syst..

[71]  Kennon M. Sheldon,et al.  Daily Well-Being: The Role of Autonomy, Competence, and Relatedness , 2000 .

[72]  Paul Benjamin Lowry,et al.  Using Accountability to Reduce Access Policy Violations in Information Systems , 2013, J. Manag. Inf. Syst..

[73]  Marko Sarstedt,et al.  Partial least squares structural equation modeling (PLS-SEM): An emerging tool in business research , 2014 .

[74]  HeijdenHans User acceptance of hedonic information systems , 2004 .

[75]  Joseph S. Valacich,et al.  The Behavioral Roots of Information Systems Security: Exploring Key Factors Related to Unethical IT Use , 2015, J. Manag. Inf. Syst..

[76]  Matthew Thomson Human Brands: Investigating Antecedents to Consumers’ Strong Attachments to Celebrities , 2006 .