Using protection motivation theory in the design of nudges to improve online security behavior

Abstract: We conducted an online experiment (n = 2024) on a representative sample of internet users in Germany, Sweden, Poland, Spain and the UK to explore the effect of notifications on security behaviour. Inspired by protection motivation theory (PMT), a coping message advised participants on how to minimize their exposure to risk and a threat appeal highlighted the potential negative consequences of not doing so. Both increased secure behavior, but the coping message did so significantly more. The coping message was also as effective as both messages combined, whereas the threat appeal was not. Risk attitudes, age and country had a significant effect on behavior. Initiatives seeking to promote secure behavior should focus more on coping messages, either alone or in combination with fear appeals.
