https://orcid.org/0000-0003-1639-0667
![Sample our Information Science journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5940/TOC-Subject-Sample-2021-Communication-Studies.jpg"})
ABSTRACT
Not securing smart home devices has proven a threat to cyberspace. This has underscored the importance of using fear appeals to promote users’ information security behavior. We practiced context-specific theorization to enhance fear appeal theory and design. Particularly, we extended Protection Motivation Theory to include avoidant-focused motivation (i.e., users’ intent to avoid using their devices), the positive emotion of hope, and information technology (IT)-self extension. Our hypotheses include that fear engenders both protection and avoidant-focused motivations, hope mediates coping appraisal to engender (reduce) protection (avoidant-focused) motivation, and IT-self-extension acts as an antecedent. We conducted four studies, including two surveys and two experiments, and validated our extensions. Our main theoretical contributions include showing that hope is critical in determining which coping mechanism occurs and that it improves the theory’s predictive power. In terms of practice, we demonstrate that a fear appeal message with a self-extension component and a strong coping component is more effective.
Disclosure Statement
No potential conflict of interest was reported by the authors.
Supplementary information
Supplemental data for this article can be accessed online at https://doi.org/10.1080/07421222.2022.2127449
Notes
1. Smart home devices are also referred to as consumer Internet of Things (IoT) devices. Examples of such devices are smart TVs, smart thermostats, connected surveillance cameras, smart bulbs, smart plugs, smart coffee machines, and so forth. They connect to consumers’ home WiFi and can be accessed and controlled with computing endpoints (e.g., smartphone, tablet, laptop, etc.).
2. For a comprehensive review on the use of PMT and its variations in the information security literature, we refer the reader to the work of Boss et al. [Citation7].
3. Unlike a health threat, an information threat is not directed to one’s self but to one’s IT possessions. Other scholars (i.e., Johnston et al. [Citation34]) also take a similar stance in their examination of employee (as opposed to home user) security behavior in the organizational (as opposed to the home) context. Johnston et al. [Citation34] note that threats to organizational “information assets” are not necessarily relevant to “human assets.” They establish the threats’ relevance to employees through sanctions that deter employees from not complying with security policies. The underlying rationale in both our work and theirs is that fear is usually experienced when the appraised threat is directed to one’s self or wellbeing (e.g., a health threat, a disease, etc.). This view aligns with Lazarus’s statement that the “core relational theme” of fright is “facing an immediate, concrete, and overwhelming physical danger” [Citation36]. This again underscores the importance of addressing appraisal theory’s relational thesis with respect to PMT as applied to information security phenomena.
4. Appraisal theory does not refer to a single theoretical model but to a framework, upon which PMT and other theoretical models draw.
5. Lazarus [Citation36] notes: “ … the relational meaning of each [appraisal and its emotion] does not stem from either the person or the environment; there must be a conjunction of an environment with certain attributes and a person with certain attributes, which together produce the relational meaning … ” (p. 90).
6. We must acknowledge that smart home devices can act as necessities in specific cases, such as supporting seniors [Citation14]. However, most of these devices, and as suggested by the data [Citation69], are adopted by people as accessories.
7. We note that in previous work, the term “avoidance motivation” has been used as a proxy for “protection motivation” [Citation44, Citation45] referring to when individuals approach a positive stimulus and thereby take security actions. An example of its scale items is: “I intend to use anti-spyware software to avoid spyware,” [Citation44] which mainly reflects the construct of protection (and not true “avoidance” in its original meaning) motivation. “Avoidance” in this paper reserves its original meaning and refers to when individuals avoid engaging in (or withdraw from) a situation from which a threat emanates (e.g., using threatful IT).
8. To engage in avoidant-focused coping, users may still use the “smart” device but as a non-smart one. In other words, users may disconnect their smart device from their home network, and this would constitute avoidance, since they would be converting the smart device into a non-smart one.
9. Only papers that had research models resembling at least the structure of the core [Citation7] PMT are included in the table. Studies that draw on PMT as a theoretical framework but do not incorporate its core structure into their research models are not included in the table. Also, non-empirical work that references PMT but does not empirically test it is not included.
10. For a detailed discussion of PMT’s hypothesized construct relationships, we refer the reader to the extant work in the literature (e.g., [Citation7, Citation50, Citation57]).
11. In Study 1, we do not measure maladaptive rewards. In each of Studies 2 and 3, we measure it and find that it is not discriminant from response costs.
12. The emotion system of coping [Citation39] postulates that first primary appraisal elicits emotion accompanied with “physiological change” [Citation54]. Then, secondary appraisal follows (as also postulated by PMT) and also elicits emotion.
13. In the organizational context, a similar statement has been made: “Threats to data, information, and systems do not carry the same personal relevance as threats that directly impact one’s self” [Citation34].
14. For instance, guided by self-determination theory, the manipulated construct of “perceived relatedness to one’s information in their online accounts” in a fear appeal message was found to be highly related to the perceived threat severity of (and susceptibility to) password compromise [Citation50]. Also, based on construal-level theory, a more concrete fear appeal message (vs. an abstract message) was found to increase the perceptions of threat severity and vulnerability as related to spear-phishing attacks [Citation63].
15. After the screening question, smart home users were asked to select devices they owned from a list of popular IoT consumer devices. This also served as an attention check question. To ensure their understanding of the subject matter before answering questions, respondents were provided with information about IoT threats and security precautions (Online Supplemental Table 2.1 and Table 2.2) and context-specific definitions. The questionnaire instrument included several filler consistency and attention check questions that were used to filter out responses of suspicious patterns.
16. MLM produces maximum likelihood estimates with standard errors and a mean-adjusted χ2 test statistic robust to nonnormality [Citation53]. Furthermore, it provides robust versions of CFI, TLI, and RMSEA.
17. All VIF (square root[VIF]) values were far less than the conservative cut-off value of 5 (2.2), indicating that the degree to which the standard errors had been increased due to multicollinearity is low.
18. To assess CMB, we employed the correlational marker technique [Citation48]. We produced an adjusted correlation matrix and compared it to the observed matrix; significant correlations remained as such after the adjustment.
19. When an indirect and a direct effect exist, the mediation is partial (i.e., “complementary”) and when an indirect effect exists and the direct does not, the mediation is full (i.e., “indirect-only”) [Citation73].
20. Here, we adopted a model-generating approach, wherein it is possible to introduce modifications to a priori models [Citation32]. Nonetheless, we did that in a disciplined manner following statistical theory (e.g., likelihood ratio) to rule out the risks of typical post-hoc analyses [Citation17, Citation32].
21. Since the χ² index is sensitive to sample size [Citation49] and since judgements on model comparisons are best made by considering more than one indicator of change in model fit [Citation46], we reaffirmed our comparison results by using the comparative fit index (CFI), which is less sensitive to sample size and more sensitive to model variance.
22. ƒ2 is calculated as {(R2full – R2partial) / (1 – R²full)}. An ƒ2 value of 0.02 represents a small effect size, and ƒ2 values of 0.15 and 0.35 represent medium and large effect sizes respectively [Citation19].
23. To achieve “ceteris paribus” among the three model specifications, we retained the covariances among the original exogenous variables (i.e., the constructs constituting threat and coping appraisal) in the SX-consequent model as the other two models have the covariances by default. Thereby, for validation, we compared an SX-consequent model that retains the covariances among the threat and coping appraisal constructs vs. one that does not. Here, we conducted an SB scaled Δχ2 and compared the models’ CFI values. We found that the model with the reserved covariances performs better. It must be noted that both models outperformed model 3; however, of the two, the model with covariances was superior. Theoretically, this means that the cognitive appraisal constructs have several other exogenous factors, as proposed by PMT2 [Citation60], and that they affect each other as found by previous research [Citation8, Citation12, Citation33, Citation57].
24. It must be noted that research findings are mixed to whether fear acts as a full mediator (e.g., this study; [Citation2]; the overall model in [Citation57]) or a partial mediator (e.g., [Citation9]; the “high organizational commitment model” in [Citation57]). Also noteworthy is that each of the mentioned examples is different in terms of context and/or methodology, and thus each inferred mediation type may be case-specific. Research into fear’s mediation type and if /why it differs in different contexts may be needed.
25. Users who participated in Study 2 were not eligible to participate in Study 3.
26. A fear appeal message comprises a threat component and a coping component. The two fear appeal treatments were identical in all respects except for the last part of the message where “coping efficacy” was manipulated.
27. We dropped MR and RE from our subsequent analyses as they had a lower square root AVE—and thus failed the Fornell-Larcker criterion more than their counterparts.
Additional information
Notes on contributors
Alaa Nehme
Alaa Nehme ([email protected]; corresponding author) is an Assistant Professor of Information Systems at Mississippi State University. He received his Ph.D. from Iowa State University. Dr. Nehme’s research focuses on information security. He teaches courses related to Management Information Systems and Data Analytics.
Joey F. George
Joey F. George ([email protected]) is the John D. DeVries Endowed Chair in Business and a Distinguished Professor in Business at Iowa State University. He earned a Bachelor’s degree at Stanford University and a doctorate at the University of California Irvine. Dr. George’s research interests focus on deceptive computer-mediated communication. He is a past president of the Association for Information Systems (AIS), a Fellow of AIS, and was awarded the AIS LEO lifetime achievement award.