Can an Ego Defense Mechanism Model Help Explain Dysfunctional IS Security Behavior?

IS security behavior studies are becoming popular. To date, much of the research has been based on theories such as the Theory of Planned Behavior, Technology Adoption Model, Rational Choice theory and Theory of Reasoned Action. They view users as rational individuals making conscious utilitarian decisions when there is increasing evidence that security breaches are the result of human behavior such as carelessness, malicious intent, bad habits, and hostility. We propose the ego defense mechanism model, taken from the psychoanalytical world. This model makes no assumption of rationality and has been developed to help understand the roots of dysfunctional behavior such as fear, phobias, anger, forgetfulness, indifference and hostility. Our model shows that security threats trigger anxiety among users and the ego react by both functional and dysfunctional behavior. This could be the earliest if not the first paper to explore user behavior in IS security situations using this framework.

[1]  Rocio Garcia-Retamero,et al.  Identity, Power, and Threat Perception , 2007 .

[2]  L. McCracken,et al.  A short version of the Pain Anxiety Symptoms Scale (PASS-20): preliminary development and validity. , 2002, Pain research & management.

[3]  Dennis F. Galletta,et al.  What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors , 2015, MIS Q..

[4]  Anna Freud,et al.  The Ego and the Mechanisms of Defense. New York (International Universities Press) 1946. , 1946 .

[5]  Kenneth G. Rice,et al.  Test anxiety, perfectionism, goal orientation, and academic performance , 2011, Anxiety, stress, and coping.

[6]  H. Steiner,et al.  Adolescent Defense Style and Life Stressors , 1999, Child psychiatry and human development.

[7]  Sanjay Goel,et al.  Got Phished? Internet Security and Human Vulnerability , 2017, J. Assoc. Inf. Syst..

[8]  Ahmed Waqas,et al.  Association of Ego Defense Mechanisms with Academic Performance, Anxiety and Depression in Medical Students: A Mixed Methods Study , 2015, Cureus.

[9]  Johann Kranz,et al.  Antecedents of Employees' Information Security Awareness - Review, synthesis, and Directions for Future Research , 2017, ECIS.

[10]  Ekaterina Stepanchuk,et al.  The Coping Strategies, Psychological Defense Mechanisms and Emotional Response to the Disease in Russian Patients with Chronic Leukemia , 2013 .

[11]  R. Lewthwaite,et al.  Threat Perception in Competitive Trait Anxiety: The Endangerment of Important Goals , 1990 .

[12]  Tejaswini Herath,et al.  Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness , 2009, Decis. Support Syst..

[13]  Mari W. Buche,et al.  To Fear or Not to Fear? A Critical Review and Analysis of Fear Appeals in the Information Security Context , 2017, Commun. Assoc. Inf. Syst..

[14]  Andrew Hede,et al.  Resistance to organisational change: the role of defence mechanisms , 2001 .

[15]  Leiser Silva,et al.  Post-positivist Review of Technology Acceptance Model , 2007, J. Assoc. Inf. Syst..

[16]  Mikko T. Siponen,et al.  Motivating IS security compliance: Insights from Habit and Protection Motivation Theory , 2012, Inf. Manag..

[17]  Yajiong Xue,et al.  Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective , 2010, J. Assoc. Inf. Syst..

[18]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[19]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[20]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[21]  I. Ajzen,et al.  Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research , 1977 .

[22]  I. Ajzen The theory of planned behavior , 1991 .

[23]  Wynne W. Chin The partial least squares approach for structural equation modeling. , 1998 .

[24]  Julia B. Frank,et al.  The Wisdom of the Ego , 1993 .

[25]  Paul Milgrom,et al.  Introduction to Choice Theory , 2004 .

[26]  Thomas P. Beresford Psychological Adaptive Mechanisms: Ego Defense Recognition in Practice and Research , 2012 .

[27]  Humayun Zafar,et al.  Toward a More Secure HRIS: The Role of HCI and Unconscious Behavior , 2017, AIS Trans. Hum. Comput. Interact..

[28]  Elaine R Neiva,et al.  Attitudes towards organizational change: validation of a scale . , 2004 .

[29]  Fred D. Davis Perceived Usefulness, Perceived Ease of Use, and User Acceptance of Information Technology , 1989, MIS Q..

[30]  Tejaswini Herath,et al.  A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings , 2011, Eur. J. Inf. Syst..

[31]  Paul Benjamin Lowry,et al.  Proposing the control‐reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies , 2015, Inf. Syst. J..

[32]  G. Andrews,et al.  The Defense Style Questionnaire , 1993, The Journal of nervous and mental disease.

[33]  Nils Urbach,et al.  Structural Equation Modeling in Information Systems Research Using Partial Least Squares , 2010 .

[34]  Merrill Warkentin,et al.  An Enhanced Fear Appeal Rhetorical Framework: Leveraging Threats to the Human Asset Through Sanctioning Rhetoric , 2015, MIS Q..

[35]  Dorothy E. Leidner,et al.  IS Security Menace: When Security Creates Insecurity , 2016, ICIS.

[36]  Paul Benjamin Lowry,et al.  Cognitive‐affective drivers of employees' daily compliance with information security policies: A multilevel, longitudinal study , 2019, Inf. Syst. J..

[37]  Atreyi Kankanhalli,et al.  Studying users' computer security behavior: A health belief perspective , 2009, Decis. Support Syst..

[38]  J. Nunnally,et al.  Psychometric Theory: NY. , 1978 .