InfoSec Process Action Model (IPAM): Targeting Insiders' Weak Password Behavior

ABSTRACT The possibility of noncompliant behavior is a challenge for cybersecurity professionals and their auditors as they try to estimate residual control risk. Building on the recently proposed ...

[35]  Kara L. Hall,et al.  Meta-analytic examination of the strong and weak principles across 48 health behaviors. , 2008, Preventive medicine.

[36]  Robert E. Crossler,et al.  InfoSec Process Action Model (IPAM): Systematically Addressing Individual Security Behavior , 2018, DATB.

[37]  Jordan Shropshire,et al.  Continuance of protective security behavior: A longitudinal study , 2016, Decis. Support Syst..

[38]  W F Velicer,et al.  Testing 40 predictions from the transtheoretical model. , 1999, Addictive behaviors.

[39]  Laurie J. Kirsch,et al.  If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security , 2009, Eur. J. Inf. Syst..

[40]  E. Athanassoula Theoretical perspectives. , 1996, Occasional paper.

[41]  M. Angela Sasse,et al.  The true cost of unusable password policies: password use in the wild , 2010, CHI.

[42]  Helen Kelley,et al.  Research Commentary - Generalizability of Information Systems Research Using Student Subjects - A Reflection on Our Practices and Recommendations for Future Research , 2012, Inf. Syst. Res..

[43]  Jörg Henseler,et al.  Consistent and asymptotically normal PLS estimators for linear structural equations , 2014 .

[44]  Marko Sarstedt,et al.  Partial least squares structural equation modeling (PLS-SEM): An emerging tool in business research , 2014 .

[45]  Humayun Zafar,et al.  Current State of Information Security Research In IS , 2009, Commun. Assoc. Inf. Syst..

[46]  Benjamin Schüz,et al.  On the assessment and analysis of variables in the health action process approach conducting an investigation , 2003 .

[47]  Robert E. Crossler,et al.  Understanding Compliance with Bring Your Own Device Policies Utilizing Protection Motivation Theory: Bridging the Intention-Behavior Gap , 2014, J. Inf. Syst..

[48]  Wayne F. Velicer,et al.  Stage and Non‐stage Theories of Behavior and Behavior Change: A Comment on Schwarzer , 2008 .

[49]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[50]  Jeffry Stephen Babb,et al.  Examining the Continuance of Secure Behavior: A Longitudinal Field Study of Mobile Device Authentication , 2016, Inf. Syst. Res..

[51]  Gavriel Salvendy,et al.  A Survey of Factors Influencing People's Perception of Information Security , 2007, HCI.

[52]  P. Sheeran,et al.  Prediction and Intervention in Health-Related Behavior: A Meta-Analytic Review of Protection Motivation Theory , 2000 .

[53]  Traci Mann,et al.  From ‘I Wish’ to ‘I Will’: Social-Cognitive Predictors of Behavioral Intentions , 2003, Journal of health psychology.

[54]  R. W. Rogers,et al.  A meta-analysis of research on protection motivation theory. , 2000 .

[55]  Ritu Agarwal,et al.  Practicing Safe Computing: A Multimedia Empirical Examination of Home Computer User Security Behavioral Intentions , 2010, MIS Q..

[56]  Jacob Cohen,et al.  A power primer. , 1992, Psychological bulletin.

[57]  Younghwa Lee,et al.  Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software , 2009, Eur. J. Inf. Syst..

[58]  A. Sowden,et al.  A systematic review of the effectiveness of interventions based on a stages-of-change approach to promote individual behaviour change. , 2002, Health technology assessment.

[59]  Dennis F. Galletta,et al.  What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors , 2015, MIS Q..

[60]  Mladenka Tkalcic,et al.  Transtheoretical model of behavior change , 2011 .

[61]  Anol Bhattacherjee,et al.  Understanding Information Systems Continuance: An Expectation-Confirmation Model , 2001, MIS Q..

[62]  Lawrence A. Gordon,et al.  Return on information security investments: Myths vs. Realities. , 2002 .

[63]  R. W. Rogers,et al.  Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change , 1983 .

[64]  P. Gollwitzer,et al.  Implementation intentions and goal achievement: A meta-analysis of effects and processes , 2006 .

[65]  P. Sheeran Intention—Behavior Relations: A Conceptual and Empirical Review , 2002 .

[66]  Tom L. Roberts,et al.  Insiders' Protection of Organizational Information Assets: Development of a Systematics-Based Taxonomy and Theory of Diversity for Protection-Motivated Behaviors , 2013, MIS Q..

[67]  C. Fornell,et al.  Evaluating structural equation models with unobservable variables and measurement error. , 1981 .

[68]  P. Gollwitzer Implementation intentions: Strong effects of simple plans. , 1999 .

[69]  Icek Ajzen,et al.  Explaining the Discrepancy between Intentions and Actions: The Case of Hypothetical Bias in Contingent Valuation , 2004, Personality & social psychology bulletin.

[70]  W. Velicer,et al.  The Transtheoretical Model of Health Behavior Change , 1997, American journal of health promotion : AJHP.

[71]  Joshua K. Cieslewicz Collusive Accounting Supervision and Economic Culture , 2016 .

[72]  Alan R. Dennis,et al.  Security on Autopilot: Why Current Security Theories Hijack our Thinking and Lead Us Astray , 2018, DATB.