Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective

This study aims to understand the IT threat avoidance behaviors of personal computer users. We tested a research model derived from Technology Threat Avoidance Theory (TTAT) using survey data. We find that users’ IT threat avoidance behavior is predicted by avoidance motivation, which, in turn, is determined by perceived threat, safeguard effectiveness, safeguard cost, and self-efficacy. Users develop a threat perception when they believe that the malicious IT is likely to attack them (perceived susceptibility) and the negative consequences will be severe if they are attacked (perceived severity). When threatened, users are more motivated to avoid the threat if they believe that the safeguarding measure is effective (safeguard effectiveness) and inexpensive (safeguard cost) and they have confidence in using it (self-efficacy). In addition, we find that perceived threat and safeguard effectiveness have a negative interaction on avoidance motivation so that a higher level of perceived threat is associated with a weaker relationship between safeguard effectiveness and avoidance motivation or a higher level of safeguard effectiveness is associated with a weaker relationship between perceived threat and avoidance motivation. These findings provide an enriched understanding about personal computer users’ IT threat avoidance behavior.

[1]  R. W. Rogers,et al.  Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change , 1983 .

[2]  F. Bookstein,et al.  Two Structural Equation Models: LISREL and PLS Applied to Consumer Exit-Voice Theory , 1982 .

[3]  Yajiong Xue,et al.  Avoidance of Information Technology Threats: A Theoretical Perspective , 2009, MIS Q..

[4]  N D Weinstein,et al.  Perceived probability, perceived severity, and health-protective behavior. , 2000, Health psychology : official journal of the Division of Health Psychology, American Psychological Association.

[5]  S. West,et al.  Multiple Regression: Testing and Interpreting Interactions. , 1994 .

[6]  Houston H. Carr,et al.  Threats to Information Systems: Today's Reality, Yesterday's Understanding , 1992, MIS Q..

[7]  Qing Hu,et al.  Assimilation of Enterprise Systems: The Effect of Institutional Pressures and the Mediating Role of Top Management , 2007, MIS Q..

[8]  Geoff Shaw Spyware: Spyware & Adware: the Risks facing Businesses , 2003 .

[9]  Detmar W. Straub,et al.  Security lapses and the omission of information security measures: A threat control model and empirical test , 2008, Comput. Hum. Behav..

[10]  Patrick Y. K. Chau,et al.  Influence of Computer Attitude and Self-Efficacy on IT Usage Behavior , 2001, J. Organ. End User Comput..

[11]  Detmar W. Straub,et al.  Structural Equation Modeling and Regression: Guidelines for Research Practice , 2000, Commun. Assoc. Inf. Syst..

[12]  Scott B. MacKenzie,et al.  Common method biases in behavioral research: a critical review of the literature and recommended remedies. , 2003, The Journal of applied psychology.

[13]  James B. Hunt,et al.  The Protection Motivation Model: A Normative Model of Fear Appeals: , 1991 .

[14]  E. Eugene Schultz Pandora's Box: spyware, adware, autoexecution, and NGSCB , 2003, Comput. Secur..

[15]  F. Bookstein,et al.  Two Structural Equation Models: LISREL and PLS Applied to Consumer Exit-Voice Theory: , 1982 .

[16]  Fred D. Davis Perceived Usefulness, Perceived Ease of Use, and User Acceptance of Information Technology , 1989, MIS Q..

[17]  Fred D. Davis,et al.  User Acceptance of Computer Technology: A Comparison of Two Theoretical Models , 1989 .

[18]  Richard Baskerville,et al.  Risk analysis: an interpretive feasibility tool in justifying information systems security , 1991 .

[19]  Gurpreet Dhillon,et al.  Technical opinion: Information system security management in the new millennium , 2000, CACM.

[20]  I. Ajzen The theory of planned behavior , 1991 .

[21]  Jacqueline Saleeby Health Beliefs About Mental Illness: An Instrument Development Study , 2000 .

[22]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[23]  Ritu Agarwal,et al.  Practicing Safe Computing: Message Framing, Self-View, and Home Computer User Security Behavior Intentions , 2006, ICIS.

[24]  N. Weinstein Testing four competing theories of health-protective behavior. , 1993, Health psychology : official journal of the Division of Health Psychology, American Psychological Association.

[25]  P. M. Podsakoff,et al.  Self-Reports in Organizational Research: Problems and Prospects , 1986 .

[26]  Wynne W. Chin,et al.  A Partial Least Squares Latent Variable Modeling Approach for Measuring Interaction Effects: Results from a Monte Carlo Simulation Study and an Electronic - Mail Emotion/Adoption Study , 2003, Inf. Syst. Res..

[27]  I. Ajzen,et al.  Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research , 1977 .

[28]  Janice C. Sipior,et al.  The Ethical and Legal Concerns of Spyware , 2007, Information Security Management Handbook, 6th ed..

[29]  H. Jeff Smith,et al.  Information Privacy: Measuring Individuals' Concerns About Organizational Practices , 1996, MIS Q..

[30]  D. A. Kenny,et al.  The moderator-mediator variable distinction in social psychological research: conceptual, strategic, and statistical considerations. , 1986, Journal of personality and social psychology.

[31]  C. Fornell,et al.  Evaluating structural equation models with unobservable variables and measurement error. , 1981 .

[32]  V. Champion,et al.  Reliability and validity of breast cancer screening belief scales in African American women. , 1997, Nursing research.

[33]  Kregg Aytes,et al.  Computer Security and Risky Computing Practices: A Rational Choice Perspective , 2004, J. Organ. End User Comput..

[34]  I. Rosenstock The Health Belief Model and Preventive Health Behavior , 1974 .

[35]  A. Bandura Self-efficacy mechanism in human agency. , 1982 .

[36]  Deborah Compeau,et al.  Computer Self-Efficacy: Development of a Measure and Initial Test , 1995, MIS Q..

[37]  Janice C. Sipior,et al.  The Ethical and Legal Concerns of Spyware , 2005, Inf. Syst. Manag..

[38]  Merrill Warkentin,et al.  IT Security Governance and Centralized Security Controls , 2006 .

[39]  J. Day,et al.  Computer and Internet Use in the United States: 2003 , 2005 .

[40]  Susannah Fox,et al.  Generations online in 2009 , 2009 .

[41]  Viswanath Venkatesh,et al.  Determinants of Perceived Ease of Use: Integrating Control, Intrinsic Motivation, and Emotion into the Technology Acceptance Model , 2000, Inf. Syst. Res..

[42]  Christy McGill State of the Net , 1999 .

[43]  A. Bandura Self-efficacy: toward a unifying theory of behavioral change. , 1977, Psychological review.

[44]  J. Edwards A Cybernetic Theory of Stress, Coping, and Well-Being in Organizations , 1992 .

[45]  C. Handy Trust and the virtual organization , 1999 .

[46]  RICHAFID BASKERVILLE,et al.  Information systems security design methods: implications for information systems development , 1993, CSUR.

[47]  Herman Aguinis,et al.  Statistical power problems with moderated multiple regression in management research. , 1995 .

[48]  Atreyi Kankanhalli,et al.  Studying users' computer security behavior: A health belief perspective , 2009, Decis. Support Syst..

[49]  R. Rogers Cognitive and physiological processes in fear appeals and attitude change: a revised theory of prote , 1983 .

[50]  Richard Baskerville,et al.  Risk analysis as a source of professional knowledge , 1991, Comput. Secur..

[51]  Tom Stafford,et al.  Spyware: The Ghost in the Machine , 2004, Commun. Assoc. Inf. Syst..

[52]  Deborah Compeau,et al.  Social Cognitive Theory and Individual Reactions to Computing Technology: A Longitudinal Study , 1999, MIS Q..

[53]  Craig J. Russell,et al.  On Theory, Statistics, and the Search for Interactions in the Organizational Sciences , 1994 .

[54]  Vallabh Sambamurthy,et al.  Research Report: The Evolving Relationship Between General and Specific Computer Self-Efficacy - An Empirical Assessment , 2000, Inf. Syst. Res..

[55]  Gordon B. Davis,et al.  User Acceptance of Information Technology: Toward a Unified View , 2003, MIS Q..

[56]  Detmar W. Straub,et al.  Coping With Systems Risk: Security Planning Models for Management Decision Making , 1998, MIS Q..

[57]  Kallol Kumar Bagchi,et al.  An Analysis of the Growth of Computer and Internet Security Breaches , 2003, Commun. Assoc. Inf. Syst..

[58]  Irene Woon,et al.  A Protection Motivation Theory Approach to Home Wireless Security , 2005, ICIS.

[59]  I. Ajzen,et al.  Understanding Attitudes and Predicting Social Behavior , 1980 .

[60]  R. W. Rogers,et al.  Effects of components of protection-motivation theory on adaptive and maladaptive coping with a health threat. , 1987, Journal of personality and social psychology.

[61]  Anne Beaudry,et al.  Understanding User Responses to Information Technology: A Coping Model of User Adaption , 2005, MIS Q..

[62]  W. James The principles of psychology , 1983 .

[63]  R. Lazarus Psychological stress and the coping process , 1970 .

[64]  P. Sheeran,et al.  Combining motivational and volitional interventions to promote exercise participation: protection motivation theory and implementation intentions. , 2002, British journal of health psychology.

[65]  R. Power CSI/FBI computer crime and security survey , 2001 .

[66]  M. Becker,et al.  The Health Belief Model: A Decade Later , 1984, Health education quarterly.

[67]  J. Nunnally Psychometric Theory (2nd ed), New York: McGraw-Hill. , 1978 .

[68]  C. Carver,et al.  Control theory: a useful conceptual framework for personality-social, clinical, and health psychology. , 1982, Psychological bulletin.

[69]  S. Hauser,et al.  Stress, coping, and adaptation. , 1990 .

[70]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[71]  L. J. Williams,et al.  Recent Advances in Causal Modeling Methods for Organizational and Management Research , 2003 .