Practicing Safe Computing: A Multimedia Empirical Examination of Home Computer User Security Behavioral Intentions

Although firms are expending substantial resources to develop technology and processes that can help safeguard the security of their computing assets, increased attention is being focused on the role people play in maintaining a safe computing environment. Unlike employees in a work setting, home users are not subject to training, nor are they protected by a technical staff dedicated to keeping security software and hardware current. Thus, with over one billion people with access to the Internet, individual home computer users represent a significant point of weakness in achieving the security of the cyber infrastructure. We study the phenomenon of conscientious cybercitizens, defined as individuals who are motivated to take the necessary precautions under their direct control to secure their own computer and the Internet in a home setting. Using a multidisciplinary, phased approach, we develop a conceptual model of the conscientious cybercitizen. We present results from two studies-a survey and an experiment-conducted to understand the drivers of intentions to perform security-related behavior, and the interventions that can positively influence these drivers. In the first study, we use protection motivation theory as the underlying conceptual foundation and extend the theory by drawing upon the public goods literature and the concept of psychological ownership. Results from a survey of 594 home computer users from a wide range of demographic and socio-economic backgrounds suggest that a home computer user's intention to perform security-related behavior is influenced by a combination of cognitive, social, and psychological components. In the second study, we draw upon the concepts of goal framing and self-view to examine how the proximal drivers of intentions to perform security-related behavior identified in the first study can be influenced by appropriate messaging. An experiment with 101 subjects is used to test the research hypotheses. Overall, the two studies shed important new light on creating more conscientious cybercitizens. Theoretical and practical implications of the findings are discussed.

[1]  James B. Hunt,et al.  The Protection Motivation Model: A Normative Model of Fear Appeals: , 1991 .

[2]  Scott B. MacKenzie,et al.  Common method biases in behavioral research: a critical review of the literature and recommended remedies. , 2003, The Journal of applied psychology.

[3]  Mary J. Culnan,et al.  Why IT Executives Should Help Employees Secure Their Home Computers , 2008, MIS Q. Executive.

[4]  Dale T. Miller,et al.  The norm of self-interest and its effects on social action. , 2001, Journal of personality and social psychology.

[5]  Grant Mccracken Culture and Consumption: A Theoretical Account of the Structure and Movement of the Cultural Meaning of Consumer Goods , 1986 .

[6]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[7]  Rossouw von Solms,et al.  Towards information security behavioural compliance , 2004, Comput. Secur..

[8]  R. Zajonc Attitudinal effects of mere exposure. , 1968 .

[9]  Mo Adam Mahmood,et al.  Employees' Behavior towards IS Security Policy Compliance , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[10]  George W. Bush,et al.  National Strategy to Secure Cyberspace , 2003 .

[11]  Masoud Hemmasi,et al.  Statistical Power in Contemporary Management Research , 1987 .

[12]  Eric van Dijk,et al.  Is It Mine or Is It Ours? Framing Property Rights and Decision Making in Social Dilemmas☆☆☆ , 1997 .

[13]  J. Andreoni Warm-Glow versus Cold-Prickle: The Effects of Positive and Negative Framing on Cooperation in Experiments , 1995 .

[14]  Thomas H. Davenport,et al.  Rigor vs. relevance revisited: response to Benbasat and Zmud , 1999 .

[15]  J. L. Pierce,et al.  Toward a Theory of Psychological Ownership in Organizations , 2001 .

[16]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[17]  L. J. Williams,et al.  Recent Advances in Causal Modeling Methods for Organizational and Management Research , 2003 .

[18]  R. Lazarus Progress on a cognitive-motivational-relational theory of emotion. , 1991, The American psychologist.

[19]  J. Scott Armstrong,et al.  Estimating nonresponse bias in mail surveys. , 1977 .

[20]  Schneider,et al.  All Frames Are Not Created Equal: A Typology and Critical Analysis of Framing Effects. , 1998, Organizational behavior and human decision processes.

[21]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[22]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[23]  Maureen Morrin,et al.  Mapping Attitude Formation as a Function of Information Input: Online Processing Models of Attitude Formation , 2002 .

[24]  Younghwa Lee,et al.  Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software , 2009, Eur. J. Inf. Syst..

[25]  Angela Y. Lee,et al.  Bringing the frame into focus: the influence of regulatory fit on processing fluency and persuasion. , 2004, Journal of personality and social psychology.

[26]  S. Rogelberg,et al.  Introduction Understanding and Dealing With Organizational Survey Nonresponse , 2007 .

[27]  T. Singelis,et al.  The Measurement of Independent and Interdependent Self-Construals , 1994 .

[28]  Peter A. Todd,et al.  Understanding Information Technology Usage: A Test of Competing Models , 1995, Inf. Syst. Res..

[29]  P. Ellen,et al.  The Role of Perceived Consumer Effectiveness in Motivating Environmentally Conscious Behaviors , 1991 .

[30]  Joan Meyers-Levy,et al.  The Influence of Message Framing and Issue Involvement , 1990 .

[31]  Carl Obermiller The Baby is Sick/The Baby is Well: A Test of Environmental Communication Appeals , 1995 .

[32]  Mikko T. Siponen,et al.  Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations , 2010, MIS Q..

[33]  Jeffrey M. Stanton,et al.  Analysis of end user security behaviors , 2005, Comput. Secur..

[34]  Angela Y. Lee,et al.  The pleasures and pains of distinct self-construals: the role of interdependence in regulatory focus. , 2000, Journal of personality and social psychology.

[35]  X. T. Wang,et al.  Evolutionary hypotheses of risk-sensitive choice: Age differences and perspective change , 1996 .

[36]  Detmar W. Straub,et al.  A Practical Guide To Factorial Validity Using PLS-Graph: Tutorial And Annotated Example , 2005, Commun. Assoc. Inf. Syst..

[37]  Thomas S Turrentine,et al.  Effects of Vehicle Image in Gasoline-Hybrid Electric Vehicles , 2005 .

[38]  Tero Vartiainen,et al.  What levels of moral reasoning and values explain adherence to information security rules? An empirical study , 2009, Eur. J. Inf. Syst..

[39]  M. Conner,et al.  Interaction effects in the theory of planned behaviour: studying cannabis use. , 1999, The British journal of social psychology.

[40]  P. Sheeran,et al.  Predicting intentions to use condoms: a meta-analysis and comparison of the theories of reasoned action and planned behavior. , 1999 .

[41]  Martin Fishbein,et al.  The Relation Between Perceived Risk and Preventive Action: A Within-Subject Analysis of Perceived Driving Risk and Intentions to Wear Seatbelts , 1990 .

[42]  Irene Woon,et al.  A Protection Motivation Theory Approach to Home Wireless Security , 2005, ICIS.

[43]  Steven Furnell,et al.  Assessing the security perceptions of personal Internet users , 2007, Comput. Secur..

[44]  I. Ajzen,et al.  Understanding Attitudes and Predicting Social Behavior , 1980 .

[45]  R. W. Rogers,et al.  Effects of components of protection-motivation theory on adaptive and maladaptive coping with a health threat. , 1987, Journal of personality and social psychology.

[46]  Lauren G. Block,et al.  When to Accentuate the Negative: The Effects of Perceived Efficacy and Message Framing on Intentions to Perform a Health-Related Behavior , 1995 .

[47]  K. Witte Putting the fear back into fear appeals: The extended parallel process model , 1992 .

[48]  Ritu Agarwal,et al.  The Role of Innovation Characteristics and Perceived Voluntariness in the Acceptance of Information Technologies , 1997 .

[49]  Izak Benbasat,et al.  Development of an Instrument to Measure the Perceptions of Adopting an Information Technology Innovation , 1991, Inf. Syst. Res..

[50]  Rebecca W. Hamilton,et al.  Achieving Your Goals or Protecting Their Future? The Effects of Self-View on Goals and Choices , 2005 .

[51]  Abraham K. Korman,et al.  Toward an hypothesis of work behavior. , 1970 .

[52]  Fred D. Davis,et al.  A Theoretical Extension of the Technology Acceptance Model: Four Longitudinal Field Studies , 2000, Management Science.

[53]  A Firdaous,et al.  E-commerce safety guide , 2008 .

[54]  Susan Isaacs,et al.  Social Development in Young Children , 1934 .

[55]  E. Higgins Beyond pleasure and pain. , 1997, The American psychologist.

[56]  R. W. Rogers,et al.  A meta-analysis of research on protection motivation theory. , 2000 .

[57]  Roderick M. Kramer,et al.  Choice behavior in social dilemmas: Effects of social identity, group size, and decision framing. , 1986 .

[58]  P. Sheeran,et al.  Social Influences and the Theory of Planned Behaviour: Evidence for a Direct Relationship Between Prototypes and Young People's Exercise Behaviour , 2003 .

[59]  I. Ajzen Attitudes, Personality and Behavior , 1988 .

[60]  Robert LaRose,et al.  Promoting personal responsibility for internet safety , 2008, CACM.

[61]  Yajiong Xue,et al.  Avoidance of Information Technology Threats: A Theoretical Perspective , 2009, MIS Q..

[62]  D. R. Lehman,et al.  The cultural construction of self-enhancement: an examination of group-serving biases. , 1997, Journal of personality and social psychology.

[63]  David Trafimow,et al.  The Importance of Risk in Determining the Extent to Which Attitudes Affect Intentions to Wear Seat Belts , 1994 .

[64]  John W. Payne,et al.  Does Elaboration Increase or Decrease the Effectiveness of Negatively versus Positively Framed Messages , 2004 .

[65]  Viswanath Venkatesh,et al.  Model of Adoption and Technology in Households: A Baseline Model Test and Extension Incorporating Household Life Cycle , 2005, MIS Q..

[66]  Wanda J. Orlikowski,et al.  The Problem of Statistical Power in MIS Research , 1989, MIS Q..

[67]  Lei Zhou,et al.  The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market , 2003, J. Comput. Secur..

[68]  Sacha Brostoff,et al.  Transforming the ‘Weakest Link’ — a Human/Computer Interaction Approach to Usable and Effective Security , 2001 .

[69]  Vallabh Sambamurthy,et al.  Sources of Influence on Beliefs about Information Technolgoy Use: An Empirical Study of Knowledge Workers , 2003, MIS Q..

[70]  Michael Rosemann,et al.  Toward Improving the Relevance of Information Systems Research to Practice: The Role of Applicability Checks , 2008, MIS Q..

[71]  Naresh K. Malhotra,et al.  Research Note - Two Competing Perspectives on Automatic Use: A Theoretical and Empirical Comparison , 2005, Inf. Syst. Res..

[72]  Robert L. Dipboye,et al.  A critical review of Korman's self-consistency theory of work motivation and occupational choice , 1977 .

[73]  Izak Benbasat,et al.  Empirical Research in Information Systems: The Practice of Relevance , 1999, MIS Q..

[74]  Gordon B. Davis,et al.  User Acceptance of Information Technology: Toward a Unified View , 2003, MIS Q..

[75]  A. Tversky,et al.  Choices, Values, and Frames , 2000 .

[76]  A. Tversky,et al.  Rational choice and the framing of decisions , 1990 .

[77]  Laurie J. Kirsch,et al.  If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security , 2009, Eur. J. Inf. Syst..

[78]  B. Frey,et al.  Pro-social behavior in a natural setting , 2004 .

[79]  J. Rise,et al.  Young adults' intention to eat healthy food: Extending the theory of planned behaviour , 2001 .

[80]  Jennifer Aaker,et al.  “I” Seek Pleasures and “We” Avoid Pains: The Role of Self-Regulatory Goals in Information Processing and Persuasion , 2001 .

[81]  C. Keser,et al.  Conditional cooperation and voluntary contributions to public goods , 2000 .

[82]  L. Furby Possession in humans: An exploratory study of its meaning and motivation. , 1978 .

[83]  Qing Chang,et al.  How Low Should You Go? Low Response Rates and the Validity of Inference in IS Questionnaire Research , 2006, J. Assoc. Inf. Syst..

[84]  Detmar W. Straub,et al.  Effective IS Security: An Empirical Study , 1990, Inf. Syst. Res..

[85]  M. Angela Sasse,et al.  Pretty good persuasion: a first step towards effective password security in the real world , 2001, NSPW '01.

[86]  Mary Frances Luce,et al.  Repeated-Adherence Protection Model: “I'm OK, and It's a Hassle” , 2006 .

[87]  Gary Klein,et al.  Leading the Horse to Water , 2006, Commun. Assoc. Inf. Syst..

[88]  J. Day,et al.  Computer and Internet Use in the United States: 2003 , 2005 .

[89]  R Ho,et al.  The intention to give up smoking: disease versus social dimensions. , 1998, The Journal of social psychology.

[90]  J. Senn,et al.  The challenge of relating IS research to practice , 1998 .

[91]  R. W. White Motivation reconsidered: the concept of competence. , 1959, Psychological review.

[92]  Kazuhisa Takemura,et al.  Influence of Elaboration on the Framing of Decision , 1994 .

[93]  Detmar W. Straub,et al.  Diffusing the Internet in the Arab world: the role of social norms and technological culturation , 2003, IEEE Trans. Engineering Management.

[94]  D. Campbell,et al.  Convergent and discriminant validation by the multitrait-multimethod matrix. , 1959, Psychological bulletin.

[95]  Kathleen M. Minke,et al.  An Investigation of the Factor Structure of the Teacher Efficacy Scale. , 1999 .

[96]  Detmar W. Straub,et al.  Specifying Formative Constructs in Information Systems Research , 2007, MIS Q..

[97]  Mark Vandenbosch,et al.  Research Report: Richness Versus Parsimony in Modeling Technology Adoption Decisions - Understanding Merchant Adoption of a Smart Card-Based Payment System , 2001, Inf. Syst. Res..

[98]  Paul A. Pavlou,et al.  Understanding and Predicting Electronic Commerce Adoption: An Extension of the Theory of Planned Behavior , 2006, MIS Q..

[99]  Detmar W. Straub,et al.  Information Technology Adoption Across Time: A Cross-Sectional Comparison of Pre-Adoption and Post-Adoption Beliefs , 1999, MIS Q..

[100]  Younghwa Lee,et al.  Investigating factors affecting the adoption of anti-spyware systems , 2005, CACM.

[101]  P. Sheeran,et al.  Does changing behavioral intentions engender behavior change? A meta-analysis of the experimental evidence. , 2006, Psychological bulletin.

[102]  P. Callero,et al.  Role identity and reasoned action in the prediction of repeated behavior , 1988 .

[103]  Harold Sigall,et al.  Measures of Independent Variables and Mediators Are Useful in Social Psychology Experiments: But Are They Necessary? , 1998, Personality and social psychology review : an official journal of the Society for Personality and Social Psychology, Inc.

[104]  J. L. Pierce,et al.  Psychological ownership and feelings of possession: three field studies predicting employee attitudes and organizational citizenship behavior , 2004 .

[105]  Uri Simonsohn,et al.  Friends of Victims: Personal Experience and Prosocial Behavior , 2006 .

[106]  Mohan J. Dutta-Bergman The Impact of Completeness and Web Use Motivation on the Credibility of e‐Health Information , 2004 .

[107]  R. E. Burnkrant,et al.  Informational and Normative Social Influence in Buyer Behavior , 1975 .

[108]  N. Anderson Foundations of information integration theory , 1981 .

[109]  M. Goldberg,et al.  What to Convey in Antismoking Advertisements for Adolescents: The use of Protection Motivation Theory to Identify Effective Message Themes , 2003 .

[110]  Detmar W. Straub,et al.  Security lapses and the omission of information security measures: A threat control model and empirical test , 2008, Comput. Hum. Behav..

[111]  H. Dittmar The social psychology of material possessions: To have is to be , 1992 .

[112]  S. Levy Symbols for Sale , 1999 .

[113]  P. Sheeran,et al.  Descriptive norms as an additional predictor in the theory of planned behaviour: A meta-analysis , 2003 .

[114]  Naresh K. Malhotra,et al.  Internet Users' Information Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model , 2004, Inf. Syst. Res..

[115]  Qing Hu,et al.  Assimilation of Enterprise Systems: The Effect of Institutional Pressures and the Mediating Role of Top Management , 2007, MIS Q..

[116]  John Mingers,et al.  Combining IS Research Methods: Towards a Pluralist Methodology , 2001, Inf. Syst. Res..

[117]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[118]  Young U. Ryu,et al.  International Conference on Information Systems ( ICIS ) December 2005 I Am Fine but You Are Not : Optimistic Bias and Illusion of Control on Information Security , 2017 .

[119]  H. Markus,et al.  Individual and collective processes in the construction of the self: self-enhancement in the United States and self-criticism in Japan. , 1997, Journal of personality and social psychology.

[120]  Ronald C. Dodge,et al.  Phishing for user security awareness , 2007, Comput. Secur..

[121]  A. Tversky,et al.  The framing of decisions and the psychology of choice. , 1981, Science.

[122]  Christopher J Armitage,et al.  Augmenting the theory of planned behaviour with the prototype/willingness model: predictive validity of actor versus abstainer prototypes for adolescents' health-protective and health-risk intentions. , 2006, British journal of health psychology.

[123]  J. L. Pierce,et al.  The State of Psychological Ownership: Integrating and Extending a Century of Research , 2003 .

[124]  Pascale G. Quester,et al.  Who's afraid of that ad? Applying segmentation to the protection motivation model , 2004 .

[125]  I. Ajzen,et al.  Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research , 1977 .