Exploring the effect of uncertainty avoidance on taking voluntary protective security actions

Abstract In this paper, we investigate the main and qualifying effect of Hofstede's uncertainty avoidance dimension (i.e., a culture's acceptance of ambiguous or uncertain situations) of national culture on an individual's protection motivation intentions (using protection motivation theory) to adopt an information security control voluntarily. Uncertainty avoidance is particularly relevant to protection motivation theory and voluntary security related actions, because individuals often perceive high levels of ambiguity related to the threat and the mitigating control that can be adopted voluntarily. The voluntary action that we investigated in this paper is the adoption of password managers due to the perceived uncertainty associated with the threat of having poor password management practices and the ambiguity related to the efficacy of adopting a password manager to mitigate this threat. Using a survey of 227 nationally diverse individuals, we found that uncertainty avoidance qualified the impact of perceived threat vulnerability and perceived threat severity on protection motivations to adopt a password manager voluntarily. In our data, the differential effect of uncertainty avoidance on perceived threat vulnerabilities was greater for those individuals reporting a below average level of uncertainty avoidance relative to an above average level of uncertainty avoidance, but we found the opposite qualifying effect on perceived threat severity. Counter to what we hypothesized, we found that the effect of uncertainty avoidance on protection motivations was negative. These results generally hold for the core and full PMT models. Our study suggests that a one-size fits all approach to security awareness education and training (especially for voluntary security actions) may not be appropriate due to the differential effect associated with individuals from different national cultures.

[1]  Christopher K. Hsee,et al.  Culture and Individual Judgment and Decision Making , 2008 .

[2]  S. Sundqvist,et al.  The effects of country characteristics, cultural similarity and adoption timing on the diffusion of wireless communications , 2005 .

[3]  Fatemeh Zahedi,et al.  Individuals' Internet Security Perceptions and Behaviors: Polycontextual Contrasts Between the United States and China , 2016, MIS Q..

[4]  A. Osman,et al.  The Pain Anxiety Symptoms Scale: Psychometric properties in a community sample , 1994, Journal of Behavioral Medicine.

[5]  Judy Drennan,et al.  Privacy, Risk Perception, and Expert Online Behavior: An Exploratory Study of Household End Users , 2006, J. Organ. End User Comput..

[6]  Steven Prentice-Dunn,et al.  Protection motivation theory. , 1997 .

[7]  P. Bentler,et al.  Cutoff criteria for fit indexes in covariance structure analysis : Conventional criteria versus new alternatives , 1999 .

[8]  I. Ajzen The theory of planned behavior , 1991 .

[9]  Anat Hovav,et al.  Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the U.S. and South Korea , 2012, Inf. Manag..

[10]  H. Marsh,et al.  In Search of Golden Rules: Comment on Hypothesis-Testing Approaches to Setting Cutoff Values for Fit Indexes and Dangers in Overgeneralizing Hu and Bentler's (1999) Findings , 2004 .

[11]  G. Hofstede Culture′s Consequences: Comparing Values, Behaviors, Institutions and Organizations Across Nations , 2001 .

[12]  Steven W. Floyd,et al.  Towards modelling the effects of national culture on IT implementation and acceptance , 2001, J. Inf. Technol..

[13]  Detmar W. Straub,et al.  An Update and Extension to SEM Guidelines for Admnistrative and Social Science Research , 2011 .

[14]  Joel Brockner,et al.  UNPACKING COUNTRY EFFECTS: ON THE NEED TO OPERATIONALIZE THE PSYCHOLOGICAL DETERMINANTS OF CROSS-NATIONAL DIFFERENCES , 2003 .

[15]  Tom L. Roberts,et al.  The Impact of Organizational Commitment on Insiders’ Motivation to Protect Organizational Information Assets , 2015, J. Manag. Inf. Syst..

[16]  Bryan Marshall,et al.  NATIONAL CULTURE AND TECHNOLOGY ACCEPTANCE: THE IMPACT OF UNCERTAINTY AVOIDANCE , 2008 .

[17]  Jordan Shropshire,et al.  Continuance of protective security behavior: A longitudinal study , 2016, Decis. Support Syst..

[18]  Naveen Donthu,et al.  Measuring Hofstede's Five Dimensions of Cultural Values at the Individual Level: Development and Validation of CVSCALE , 2011 .

[19]  Steven R. Ash,et al.  The effects of a group decision support system on culturally diverse and culturally homogeneous group decision making , 1996, Inf. Manag..

[20]  J. Hair Multivariate data analysis : a global perspective , 2010 .

[21]  Yajiong Xue,et al.  Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective , 2010, J. Assoc. Inf. Syst..

[22]  Anat Hovav,et al.  Employees' Compliance with BYOD Security Policy: Insights from Reactance, Organizational Justice, and Protection Motivation Theory , 2014, ECIS.

[23]  Dennis F. Galletta,et al.  Integrating National Culture into IS Research: The Need for Current Individual Level Measures , 2005, Commun. Assoc. Inf. Syst..

[24]  Robert E. Crossler,et al.  An Extended Perspective on Individual Security Behaviors: Protection Motivation Theory and a Unified Security Practices (USP) Instrument , 2014, DATB.

[25]  K Witte,et al.  Predicting risk behaviors: development and validation of a diagnostic scale. , 1996, Journal of health communication.

[26]  Jan Mendling,et al.  Enhancing understandability of process models through cultural-dependent color adjustments , 2016, Decis. Support Syst..

[27]  K. Sivakumar,et al.  The Stampede Toward Hofstede's Framework: Avoiding the Sample Design Pit in Cross-Cultural Research , 2001 .

[28]  Scott B. MacKenzie,et al.  Common method biases in behavioral research: a critical review of the literature and recommended remedies. , 2003, The Journal of applied psychology.

[29]  A. J. Gilbert Silvius,et al.  Exploring the Influence of National Cultures on Non-Compliance Behavior , 2010, Communications of the IIMA.

[30]  Merrill Warkentin,et al.  An Enhanced Fear Appeal Rhetorical Framework: Leveraging Threats to the Human Asset Through Sanctioning Rhetoric , 2015, MIS Q..

[31]  Richard T. Watson,et al.  Differences in national information infrastructures: the reflection of national cultures , 1997, J. Strateg. Inf. Syst..

[32]  C. Hampden-Turner,et al.  Riding the Waves of Culture. Understanding Cultural Diversity in Business (3rd ed) , 1993 .

[33]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[34]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[35]  B. Byrne Structural Equation Modeling With AMOS, EQS, and LISREL: Comparative Approaches to Testing for the Factorial Validity of a Measuring Instrument , 2001 .

[36]  Eirik Albrechtsen,et al.  A qualitative study of users' view on information security , 2007, Comput. Secur..

[37]  Thomas Mattson,et al.  Privilege or procedure: Evaluating the effect of employee status on intent to comply with socially interactive information security threats and controls , 2017, Comput. Secur..

[38]  Cheryl Burke Jarvis,et al.  A Critical Review of Construct Indicators and Measurement Model Misspecification in Marketing and Consumer Research , 2003 .

[39]  Robert LaRose,et al.  Keeping our network safe: a model of online protection behaviour , 2008, Behav. Inf. Technol..

[40]  Mark Srite,et al.  The Role of Espoused National Cultural Values in Technology Acceptance , 2006, MIS Q..

[41]  M. Bond,et al.  The Confucius connection: From cultural roots to economic growth , 1988 .

[42]  Kim Witte,et al.  Fear as motivator, fear as inhibitor: Using the extended parallel process model to explain fear appeal successes and failures. , 1996 .

[43]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[44]  Tom L. Roberts,et al.  Insiders' Protection of Organizational Information Assets: Development of a Systematics-Based Taxonomy and Theory of Diversity for Protection-Motivated Behaviors , 2013, MIS Q..

[45]  H. Rao,et al.  An examination of an e-authentication service as an intervention in e-mail risk perception , 2017 .

[46]  Detmar W. Straub,et al.  Security lapses and the omission of information security measures: A threat control model and empirical test , 2008, Comput. Hum. Behav..

[47]  T. Fang A Critique of Hofstede’s Fifth National Culture Dimension , 2003 .

[48]  Elizabeth Stobert,et al.  The Password Life Cycle: User Behaviour in Managing Passwords , 2014, SOUPS.

[49]  E. Schein Organizational Culture and Leadership , 1991 .

[50]  Rodger W. Griffeth,et al.  Managing in the International Context: Testing Cultural Generality of Sources of Commitment to Multinational Enterprises , 1995 .

[51]  G. A. Marcoulides,et al.  A First Course in Structural Equation Modeling , 2000 .

[52]  Cormac Herley,et al.  A large-scale study of web password habits , 2007, WWW '07.

[53]  Atreyi Kankanhalli,et al.  Cross-cultural differences and information systems developer values , 2004, Decis. Support Syst..

[54]  Kai H. Lim,et al.  Is eCommerce boundary-less? Effects of individualism–collectivism and uncertainty avoidance on Internet shopping , 2004 .

[55]  Daniel N. McIntosh,et al.  Facial Movement, Breathing, Temperature, and Affect: Implications of the Vascular Theory of Emotional Efference , 1997 .

[56]  Richard Baskerville,et al.  Generalizing Generalizability in Information Systems Research , 2003, Inf. Syst. Res..

[57]  Detmar W. Straub,et al.  The Effect of Culture on IT Diffusion: E-Mail and FAX in Japan and the U.S , 1994, Inf. Syst. Res..

[58]  Bernard C. Y. Tan,et al.  A Cross-Cultural Study on Escalation of Commitment Behavior in Software Projects , 2000, MIS Q..

[59]  Detmar W. Straub,et al.  Specifying Formative Constructs in Information Systems Research , 2007, MIS Q..

[60]  Jeffrey D. Wall,et al.  Control-Related Motivations and Information Security Policy Compliance: The Role of Autonomy and Efficacy , 2013 .

[61]  Bradley L. Kirkman,et al.  A quarter century of Culture's Consequences: a review of empirical research incorporating Hofstede's cultural values framework , 2006 .

[62]  Dennis F. Galletta,et al.  What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors , 2015, MIS Q..

[63]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[64]  R. Stine,et al.  Bootstrapping Goodness-of-Fit Measures in Structural Equation Models , 1992 .

[65]  G. Kok,et al.  Sixty years of fear appeal research: current state of the evidence. , 2014, International journal of psychology : Journal international de psychologie.

[66]  Gary Meyer,et al.  Effective Health Risk Messages: A Step-By-Step Guide , 2001 .

[67]  H. Leventhal,et al.  Findings and Theory in the Study of Fear Communications , 1970 .

[68]  Joseph A. Onibokun,et al.  Risk perceptions of cyber-security and precautionary behaviour , 2017, Comput. Hum. Behav..

[69]  Detmar W. Straub,et al.  Coping With Systems Risk: Security Planning Models for Management Decision Making , 1998, MIS Q..

[70]  Jennifer A. Chatman,et al.  PEOPLE AND ORGANIZATIONAL CULTURE: A PROFILE COMPARISON APPROACH TO ASSESSING PERSON-ORGANIZATION FIT , 1991 .

[71]  R. Bennett,et al.  Is Your Banker Leaking Your Personal Information? The Roles of Ethics and Individual-Level Cultural Characteristics in Predicting Organizational Computer Abuse , 2013, Journal of Business Ethics.

[72]  Qing Hu,et al.  User behaviour towards protective information technologies: the role of national cultural differences , 2009, Inf. Syst. J..

[73]  Dorothy E. Leidner,et al.  Review: A Review of Culture in Information Systems Research: Toward a Theory of Information Technology Culture Conflict , 2006, MIS Q..

[74]  H. Triandis Culture and Social Behavior , 2019, Cross-Cultural Explorations.

[75]  K. Witte Putting the fear back into fear appeals: The extended parallel process model , 1992 .

[76]  Anat Hovav,et al.  How Espoused Culture Influences Misuse Intention: A Micro-Institutional Theory Perspective , 2017, HICSS.

[77]  P. Sheeran,et al.  Prediction and Intervention in Health-Related Behavior: A Meta-Analytic Review of Protection Motivation Theory , 2000 .

[78]  Salvatore Aurigemma,et al.  A Composite Framework for Behavioral Compliance with Information Security Policies , 2012, 2012 45th Hawaii International Conference on System Sciences.

[79]  Dennis F. Galletta,et al.  Applying TAM across cultures: the need for caution , 2007, Eur. J. Inf. Syst..

[80]  R. W. Rogers,et al.  A meta-analysis of research on protection motivation theory. , 2000 .

[81]  Lin Qiu,et al.  Cultural Differences and Switching of In-Group Sharing Behavior Between an American (Facebook) and a Chinese (Renren) Social Networking Site , 2013 .

[82]  P. Dorfman,et al.  Leadership and Organizations: The GLOBE Study of 62 Societies , 2004 .

[83]  H. Hasan,et al.  The impact of culture on the adoption of IT: an interpretive study , 1999 .

[84]  Mo Adam Mahmood,et al.  Employees' adherence to information security policies: An exploratory field study , 2014, Inf. Manag..

[85]  Suprateek Sarker,et al.  One Size Does Not Fit All: Different Cultures Require Different Information Systems Security Interventions , 2013, PACIS.

[86]  Marc Hermeking,et al.  Culture and Internet Consumption: Contributions from Cross-Cultural Marketing and Advertising Research , 2005, J. Comput. Mediat. Commun..

[87]  Suzanne Rivard,et al.  A Three-Perspective Model of Culture, Information Systems, and Their Development and Use , 2008, MIS Q..

[88]  Rex B. Kline,et al.  Principles and Practice of Structural Equation Modeling , 1998 .

[89]  R. Rogers Cognitive and physiological processes in fear appeals and attitude change: a revised theory of prote , 1983 .

[90]  Robert E. Crossler,et al.  Understanding Compliance with Bring Your Own Device Policies Utilizing Protection Motivation Theory: Bridging the Intention-Behavior Gap , 2014, J. Inf. Syst..

[91]  Beryl Hesketh,et al.  Power Distance, Individualism/Collectivism, and Job-Related Attitudes in a Culturally Diverse Work Group , 1994 .