Impact of Users’ Security Awareness on Desktop Security Behavior: A Protection Motivation Theory Perspective

ABSTRACT This article uses the protection motivation theory to study the impact of information security awareness on desktop security behavior. It contributes to the literature by examining the roles played by awareness, an important antecedent to the cognitive processes in the protection motivation theory. The findings indicate that security awareness significantly affects perceived severity, response efficacy, self-efficacy, and response cost. Constructs in the coping appraisal process (except response cost), in turn, significantly impact recommended security behavior.
