Mitigating the Ransomware Threat: A Protection Motivation Theory Approach

Ransomware has emerged as one of the biggest security threats to organizations and individuals alike. As technical solutions are developed the creators of ransomware are also improving the sophistication of such attacks. A combination of technical and behavioral measures is required to deal with this problem. This study investigates computer users’ motivation to adopt security measures against ransomware, using protection motivation theory (PMT) as a theoretical foundation. We conducted empirical research, using a survey methodology, collecting data from 118 respondents. Using partial least squares structural equation modelling our analysis provides support for several factors influencing protection motivation in this context. These include perceived threat severity and perceived threat vulnerability, mediated by fear. Self-efficacy is shown as a significant coping factor. Maladaptive rewards and response costs both have a significant negative influence on protection motivation. The results provide support for the use of fear appeals and PMT to influence protection motivation in the context of ransomware threats.

[1]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[2]  Michael Fimin Are employees part of the ransomware problem , 2017 .

[3]  Mike Simmonds,et al.  How businesses can navigate the growing tide of ransomware attacks , 2017 .

[4]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[5]  Marko Sarstedt,et al.  Partial least squares structural equation modeling (PLS-SEM): An emerging tool in business research , 2014 .

[6]  Steve Mansfield-Devine,et al.  : taking , 2016 .

[7]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[8]  Dennis F. Galletta,et al.  What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors , 2015, MIS Q..

[9]  R. Rogers Cognitive and physiological processes in fear appeals and attitude change: a revised theory of prote , 1983 .

[10]  Mikko T. Siponen,et al.  Motivating IS security compliance: Insights from Habit and Protection Motivation Theory , 2012, Inf. Manag..

[11]  Ross Brewer,et al.  Ransomware attacks: detection, prevention and cure , 2016, Netw. Secur..

[12]  Jack F. Bravo-Torres,et al.  Social engineering as an attack vector for ransomware , 2017, 2017 CHILEAN Conference on Electrical, Electronics Engineering, Information and Communication Technologies (CHILECON).

[13]  K. Witte Fear control and danger control: A test of the extended parallel process model (EPPM) , 1994 .

[14]  Bander Ali Saleh Al-rimy,et al.  Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions , 2018, Comput. Secur..

[15]  William K. Robertson,et al.  Protecting against Ransomware: A New Line of Research or Restating Classic Ideas? , 2018, IEEE Security & Privacy.

[16]  Robert E. Crossler,et al.  The quest for complete security: An empirical analysis of users’ multi-layered protection from security threats , 2019, Inf. Syst. Frontiers.

[17]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[18]  Thomas Mattson,et al.  Exploring the effect of uncertainty avoidance on taking voluntary protective security actions , 2018, Comput. Secur..