Security lapses and the omission of information security measures: A threat control model and empirical test

Organizations and individuals are increasingly affected by misuses of information that result from security lapses. Most of the cumulative research on information security has investigated the technical side of this critical issue, but securing organizational systems is grounded in personal behavior. The fact remains that even where mandatory controls are implemented, the application of computing defenses has not kept pace with abusers' attempts to undermine them. Studies of information security contravention behaviors have focused on some aspects of security lapses and have offered behavioral recommendations such as punishment of offenders or ethics training. While this research has provided some insight into information security contravention, it leaves incomplete our understanding of the omission of information security measures among people who know how to protect their systems but fail to do so. Yet carelessness with information and failure to take available precautions contribute to significant civil losses and even to crimes. Explanatory theory that could guide research on how to treat this omission problem lacks empirical testing. This empirical study uses protection motivation theory to articulate and test a threat control model, in order to validate its assumptions and better understand the "knowing-doing" gap, so that more effective interventions can be developed.
