ABSTRACT
Organisations face growing IT security risks with substantial consequences for missteps in business continuity, data loss, reputational harm, and future competitive advantage. To improve precaution-taking among organisation members, leaders frequently turn to susceptibility claims embedded in security education, training, and awareness (SETA) initiatives to motivate change. However, prior studies have produced mixed empirical results concerning the role of susceptibility in motivating precaution-taking. To deepen theorising about using susceptibility claims to change behaviour, we argue that threat characteristics (overt versus furtive attacks) shape individuals’ attitudes of the threat, and these attitudes subsequently anchor how individuals respond to new claims about the threats. We introduce social judgement theory (SJT) to argue that when individuals participate in SETA initiatives, susceptibility claims that are too distant from individuals’ existing attitudes will be ignored, while claims that are more proximal are more likely to be accepted and result in behaviour change. Using a longitudinal field experiment, we found that susceptibility claims motivated precaution taking against phishing (overt attack) but did not against password cracking (furtive attack). These results support SJT predictions and imply latitudes of acceptability and rejection into which susceptibility claims are placed. Implications for researchers, organisation leaders, and SETA developers are discussed.
ACCEPTING EDITOR:
ASSOCIATE EDITOR:
Disclosure statement
No potential conflict of interest was reported by the authors.
Notes
1. Many other theories focus on the effect of external reference points that individuals may use to evaluate a persuasive message. For example, dual process theory addresses peripheral or heuristic-supporting message cues, credibility of the message sender, or order of messages (Ho & Bodoff, Citation2014; Meservy et al., Citation2014). SJT’s focus on prior attitudes as a powerful internal reference point is unique among of theories of persuasion (Eagly & Chaiken, Citation1993).
2. Substantial previous work within and outside the information systems discipline has posited a positive relationship between intentions and behaviour. Although we empirically examine this relationship, we do not offer additional theorising beyond what has previously been argued and therefore we do not explicitly hypothesise this relationship.
3. Participants were asked “The ____ section was helpful” and the items were rated on a 5-point scale with Strongly Disagree and Strongly Agree as the endpoints.
4. The item used to measure perceived frequency is “Please indicate the frequency you experience attacks against your IT security” measured on a 5-point scale with “Never” and “Always” as endpoints.
5. Faculty and students were notified of the project at different times. Students were notified later and the notification took place approximately 2 weeks prior to the round one attacks (see ).
6. L0phtcrack (http://www.l0phtcrack.com/) takes as input the encrypted list of user credentials and through brute force, dictionaries, and rainbow tables attempts to crack the encryption.
7. Once participants were randomly assigned to a type of phishing attack, they only received that type of attack. The type of phishing attack and the round is also included in the analysis. See Tables 7 and 8.
8. AR(1), exchangeable, M-dependent, and unstructured correlation structures were all tested to determine which structure was most suitable in the analysis. No differences were observed between the correlation structures for the analysis for intentions or the analysis for behaviour.
9. To calculate predicted probabilities, mean values for response efficacy, threat severity, self-efficacy, cost of following guidelines, and rewards of not following guidelines were used for each threat. Additionally, drive-by phishing attacks were compared to password cracking attacks.