References
- Acquisti, A., & Grossklags, J. (2004). Privacy attitudes and privacy behavior. Economics of Information Security, 12(1), 165–178. https://doi.org/10.1007/1-4020-8090-5_13
- Anderson, C. L., & Agarwal, R. (2010). Practicing safe computing: A multimedia empirical examination of home computer user security behavioral intentions. MIS Quarterly, 34(3), 613–643. https://doi.org/10.2307/25750694
- Anti-Phishing Working Group. (2016). Phishing activity trends report. Retrieved July 15, 2016, from https://docs.apwg.org/reports/apwg_trends_report_q1_2020.pdf
- Ashford, W. (2018). Nearly half of UK manufacturers hit by cyber attacks. Computer Weekly. Retrieved May 14, 2018, from https://www.computerweekly.com/news/252439718/Nearly-half-of-UK-manufacturers-hit-by-cyber-attacks
- Barlow, J. B., Warkentin, M., Ormond, D., & Dennis, A. R. (2018). Don’t even think about it! The effects of antineutralization, informational, and normative communication on information security compliance. Journal of the Association for Information Systems, 19(8), 689–715. https://doi.org/10.17705/1jais.00506
- Barrett, B. (2016). Some basic security tips for the clinton campaign (and anyone else). Wired Magazine. Retrieved October 14, 2016, from https://www.wired.com/2016/10/basic-security-tips-clinton-campaign-anyone-else/
- Basu, E. (2014). Target CEO fired –Can you be fired if your company is hacked? Forbes Magazine. https://www.forbes.com/sites/ericbasu/2014/06/15/target-ceo-fired-can-you-be-fired-if-your-company-is-hacked/#57e47c987c9f
- Belanger, F., & Crossler, R. E. (2019). Dealing with digital traces: Understanding protective behaviors on mobile devices. The Journal of Strategic Information Systems, 28(1), 34–49. https://doi.org/10.1016/j.jsis.2018.11.002
- Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quarterly, 39(4), 837–864. https://doi.org/10.25300/MISQ/2015/39.4.5
- Brookes, S. T., Whitely, E., Egger, M., Smith, G. D., Mulheran, P. A., & Peters, T. J. (2004). Subgroup analyses in randomized trials: Risks of subgroup-specific analyses;: Power and sample size for the interaction test. Journal of Clinical Epidemiology, 57(3), 229–236. https://doi.org/10.1016/j.jclinepi.2003.08.009
- Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523–548. https://doi.org/10.2307/25750690
- Carvalho, S. W., Block, L. G., Sivaramakrishnan, S., Manchanda, R. V., & Mitakakis, C. (2008). Risk perception and risk avoidance: The role of cultural identity and personal relevance. International Journal of Research in Marketing, 25(4), 319–326. https://doi.org/10.1016/j.ijresmar.2008.06.005
- Chen, Y., & Zahedi, F. M. (2016). Individuals’ internet security perceptions and behaviors: Polycontextual contrasts between the United States and China. MIS Quarterly, 40(1), 205–222. https://doi.org/10.25300/MISQ/2016/40.1.09
- Cohen, J. (1992). Statistical power analysis. Current Directions in Psychological Science, 1(3), 98–101. https://doi.org/10.1111/1467-8721.ep10768783
- Corfield, G. (2019). Personal data slurped in Airbus hack – But firm’s industrial smarts could be what crooks are after. The Register. Retrieved April 15, 2019, from https://www.theregister.co.uk/2019/01/31/airbus_hacked_eurofighter_link/
- Crossler, R. E. (2010). Protection motivation theory: Understanding determinants to backing up personal data. Paper presented at the 43rd Hawaii International Conference on System Sciences (HICSS). Hawaii.
- Crossler, R. E., Long, J. H., Loraas, T. M., & Trinkle, B. S. (2014). Understanding compliance with bring your own device policies utilizing protection motivation theory: Bridging the intention-behavior gap. Journal of Information Systems, 28(1), 209–226. https://doi.org/10.2308/isys-50704
- De Castella, K., McGarty, C., & Musgrove, L. (2009). Fear appeals in political rhetoric about terrorism: An analysis of speeches by Australian Prime Minister Howard. Political Psychology, 30(1), 1–26. https://doi.org/10.1111/j.1467-9221.2008.00678.x
- De Guinea, A. O., & Markus, M. L. (2009). Why break the habit of a lifetime? Rethinking the roles of intention, habit, and emotion in continuing information technology use. MIS Quarterly, 33(3), 433–444. https://doi.org/10.2307/20650303
- Disparte, D., & Furlow, C. (2017). The best cybersecurity investment you can make is better training. Harvard Business Review, 5. https://hbr.org/2017/05/the-best-cybersecurity-investment-you-can-make-is-better-training
- DUO. (2016). Inside a retail hack: Lateral movement & credential-harvesting. DUO Inc. Retrieved October 14, 2016, from https://duo.com/blog/inside-a-retail-hack-lateral-movement-and-credential-harvesting
- Eagly, A. H., & Chaiken, S. (1993). The psychology of attitudes. Harcourt Brace Jovanovich College Publishers.
- Easterling, D. V., & Leventhal, H. (1989). Contribution of concrete cognition to emotion: Neutral symptoms as elicitors of worry about cancer. Journal of Applied Psychology, 74(5), 787–796. https://doi.org/10.1037/0021-9010.74.5.787
- Etters, K. (2019). Cyberattack diverts almost $500,000 out of city of Tallahassee payroll account. USA Today. Retrieved April 15, 2019, from https://www.usatoday.com/story/news/nation/2019/04/05/hackers-divert-nearly-500-000-city-tallahassees-payroll/3383451002/
- FBI. (2016). FBI warns of dramatic increase in business E-Mail scams. Federal Bureau of Investigation. Retrieved June 14, 2016, from https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams
- Fitzgerald, D. (2016). Akamai says hackers use ’smart’ devices to test stolen usernames, passwords. Wall Street Journal. Retrieved October 14, 2016, from http://www.wsj.com/articles/akamai-says-hackers-use-smart-devices-to-test-stolen-usernames-passwords-1476287922
- Gartner. (2018). Gartner forecasts worldwide information security spending to exceed $124 billion in 2019. Gartner Inc. Retrieved April 14, 2019, from https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019
- Givens, S. (2019). Five strategies to get employee buy-in for security awareness training. Forbes Magazine. Retrieved April 13, 2019, from https://www.forbes.com/sites/forbeshumanresourcescouncil/2019/04/12/five-strategies-to-get-employee-buy-in-for-security-awareness-training/#1e6262fc236d
- Grover, V., Lyytinen, K., Srinivasan, A., & Tan, B. C. Y. (2008). Contributing to rigorous and forward thinking explanatory theory. Journal of the Association for Information Systems, 9(2), 40–47. https://doi.org/10.17705/1jais.00151
- Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), 106–125. https://doi.org/10.1057/ejis.2009.6
- Ho, S. Y., & Bodoff, D. (2014). The effects of web personalization on user attitude and behavior: An integration of the elaboration likelihood model and consumer search theory. MIS Quarterly, 38(2), 497–520. https://doi.org/10.25300/MISQ/2014/38.2.08
- Hoetker, G. (2007). The use of logit and probit models in strategic management research: Critical issues. Strategic Management Journal, 28(4), 331–343. https://doi.org/10.1002/smj.582
- Hosmer, D. W., & Lemeshow, S. (2000). Applied logistic regression. Wiley.
- Huigang, L., & Yajiong, X. (2010). Understanding security behaviors in personal computer usage: A threat avoidance perspective. Journal of the Association for Information Systems, 11(7), 394–413. https://doi.org/10.17705/1jais.00232
- Ives, B., Walsh, K. R., & Schneider, H. (2004). The domino effect of password reuse. Communications of the ACM, 47(4), 75–78. https://doi.org/10.1145/975817.975820
- Jensen, M. L., Dinger, M., Wright, R. T., & Thatcher, J. B. (2017). Training to mitigate phishing attacks using mindfulness techniques. Journal of Management Information Systems, 34(2), 597–626. https://doi.org/10.1080/07421222.2017.1334499
- Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: An empirical study. MIS Quarterly, 34(3), 549–566. https://doi.org/10.2307/25750691
- Johnston, A. C., Warkentin, M., Dennis, A. R., & Siponen, M. (2019). Speak their language: Designing effective messages to improve employees’ information security decision making. Decision Sciences, 50(2), 245–284. https://doi.org/10.1111/deci.12328
- Johnston, A. C., Warkentin, M., McBride, M., & Carter, L. (2016). Dispositional and situational factors: Influences on information security policy violations. European Journal of Information Systems, 25(3), 231–251. https://doi.org/10.1057/ejis.2015.15
- Johnston, A. C., Warkentin, M., & Siponen, M. T. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly, 39(1), 113–134. https://doi.org/10.25300/MISQ/2015/39.1.06
- Kankanhalli, A., Teo, -H.-H., Tan, B. C. Y., & Wei, -K.-K. (2003). An integrative study of information systems security effectiveness. International Journal of Information Management, 23(2), 139–154. https://doi.org/10.1016/S0268-4012(02)00105-6
- Kaplan, E. L., & Meier, P. (1958). Nonparametric estimation from incomplete observations. Journal of the American Statistical Association, 53(282), 457–481. https://doi.org/10.1080/01621459.1958.10501452
- Karjalainen, M., & Siponen, M. (2011). Toward a new meta-theory for designing information systems (IS) security training approaches. Journal of the Association for Information Systems, 12(8), 518. https://doi.org/10.17705/1jais.00274
- Kumaraguru, P., Cranshaw, J., Acquisti, A., Cranor, L., Hong, J., Blair, M. A., & Pham, T. (2009). School of phish: A real-world evaluation of anti-phishing training. Paper presented at the SOUPS ‘09 proceedings of the 5th symposium on usable privacy and security, Mountain View, CA.
- Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., & Hong, J. (2010). Teaching johnny not to fall for phish. ACM Transactions on Internet Technology (TOIT), 10(2), 7. https://doi.org/10.1145/1754393.1754396
- LaTour, M. S., & Pitts, R. E. (1989). Using fear appeals in advertising for aids prevention in the college age population. Marketing Health Services, 9(3), 5–14. https://doi.org/10.1007/978-3-319-17055-8_5
- Lewis, I., Watson, B., Tay, R., & White, K. M. (2007). The role of fear appeals in improving driver safety: A review of the effectiveness of fear-arousing (threat) appeals in road safety advertising. International Journal of Behavioral Consultation and Therapy, 3(2), 203–222. https://doi.org/10.1037/h0100799
- Limayem, M., Hirt, S. G., & Cheung, C. M. K. (2007). How habit limits the predictive power of intention: The case of information systems continuance. MIS Quarterly, 31(4), 705–737. https://doi.org/10.2307/25148817
- Mantel, N. (1966). Evaluation of survival data and two new rank order statistics arising in its consideration. Cancer Chemotherapy Reports. Part 1, 50(3), 163–170. https://pubmed.ncbi.nlm.nih.gov/5910392/
- Martin, A. (2019). Cybercriminals target the UK police force with ransomware. The Inquirer. Retrieved April 15, 2019, from https://www.theinquirer.net/inquirer/news/3073016/police-federation-ransomware-attack
- Menard, P., Bott, G. J., & Crossler, R. E. (2017). User motivations in protecting information security: Protection motivation theory versus self-determination theory. Journal of Management Information Systems, 34(4), 1203–1230. https://doi.org/10.1080/07421222.2017.1394083
- Meservy, T. O., Jensen, M. L., & Fadel, K. (2014). Evaluation of competing candidate solutions in electronic networks of practice. Information Systems Research, 25(1), 15–34. https://doi.org/10.1287/isre.2013.0502
- Moody, G. D., Siponen, M., & Pahnila, S. (2018). Toward a unified model of information security policy compliance. MIS Quarterly, 42(1), 285–A222. https://doi.org/10.25300/MISQ/2018/13853
- National Institute of Standards and Technology. (2016). Digital authentication guidelines: National institute of standards and technology.
- Oswick, C., Fleming, P., & Hanlon, G. (2011). From borrowing to blending: Rethinking the processes of organizational theory building. Academy of Management Review, 36(2), 318–337. https://www.jstor.org/stable/41318003
- Pahnila, S., Siponen, M., & Mahmood, A. (2007). Employees’ behavior towards IS security policy compliance. Paper presented at the 40th Annual Hawaii International Conference on System Sciences. https://doi.org/10.1109/HICSS.2007.206
- Palfy, S. (2019). Why reused passwords could put your tax information at risk. Forbes Magazine. Retrieved April 22, 2019, from https://www.forbes.com/sites/forbestechcouncil/2019/04/12/why-reused-passwords-could-put-your-tax-information-at-risk/#100e3c6441f5
- Pattabiraman, A., Srinivasan, S., Swaminathan, K., & Gupta, M. (2018). Fortifying corporate human wall: A literature review of security awareness and training. Information Technology Risk Management and Compliance in Modern Organizations (pp. 142–175): IGI Global.
- Peterson, P. D., & Koulack, D. (1969). Attitude change as a function of latitudes of acceptance and rejection. Journal of Personality and Social Psychology, 11(4), 309–311. https://doi.org/10.1037/h0027342
- Posey, C., Roberts, T. L., & Lowry, P. B. (2015). The impact of organizational commitment on insiders’ motivation to protect organizational information assets. Journal of Management Information Systems, 32(4), 179–214. https://doi.org/10.1080/07421222.2015.1138374
- Posey, C., Roberts, T. L., Lowry, P. B., Bennett, R. J., & Courtney, J. F. (2013). Insiders’ protection of organizational information assets: Development of a systematics-based taxonomy and theory of diversity for protection-motivated behaviors. MIS Quarterly, 37(4), 1189–1210. https://doi.org/10.25300/MISQ/2013/37.4.09
- Puhakainen, P., & Siponen, M. (2010). Improving employees’ compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 757–778. https://doi.org/10.2307/25750704
- Reyna, V. F., & Farley, F. (2006). Risk and rationality in adolescent decision making: Implications for theory, practice, and public policy. Psychological Science in the Public Interest, 7(1), 1–44. https://doi.org/10.1111/j.1529-1006.2006.00026.x
- Rhine, R. J., & Severance, L. J. (1970). Ego-involvement, discrepancy, source credibility, and attitude change. Journal of Personality and Social Psychology, 16(2), 175–190. https://doi.org/10.1037/h0029832
- Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change. Journal of Psychology:: Interdisciplinary and Applied, 91(1), 93–114. https://doi.org/10.1080/00223980.1975.9915803
- Rogers, R. W. (1983). Cognitive and physiological processes in fear appeals and attitude change: A revised theory of protection motivation. In J. T. Cacioppo & R. E. Petty (Eds.), Social psychophysiology: A source book (pp. 153–176). Guilford Press.
- Savage, M. (2019). Cybercrime for dummies: Cracking internet passwords is as easy as 123456. The Guardian. Retrieved April 22, 2019, from https://www.theguardian.com/technology/2019/apr/21/cybercrime-hacking-internet-account-passwords
- Shah, D. V., Faber, R. J., & Youn, S. (1999). Susceptibility and severity: Perceptual dimensions underlying the third-person effect. Communication Research, 26(2), 240–267. https://doi.org/10.1177/009365099026002006
- Sheeran, P. (2002). Intention—behavior relations: A conceptual and empirical review. European Review of Social Psychology, 12(1), 1–36. https://doi.org/10.1080/14792772143000003
- Sherif, C. W., Sherif, M., & Nebercall, R. E. (1965). Attitude and attitude change: The social judgment-involvement approach. Saunders.
- Sherif, M., & Hovland, C. I. (1961). Social judgment: Assimilation and contrast effects in communication and attitude change. Yale Univer. Press.
- Siponen, M., & Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), 487–502. https://doi.org/10.2307/25750688
- Slater, M. D. (2006). Specification and misspecification of theoretical foundations and logic models for health communication campaigns. Health Communication, 20(2), 149–157. https://doi.org/10.1207/s15327027hc2002_6
- Smith, K. H., & Stutts, M. A. (2003). Effects of short‐term cosmetic versus long‐term health fear appeals in anti‐smoking advertisements on the smoking behaviour of adolescents. Journal of Consumer Behaviour, 3(2), 157–177. https://doi.org/10.1002/cb.130
- Smith, S. W., Atkin, C. K., Martell, D., Allen, R., & Hembroff, L. (2006). A social judgment theory approach to conducting formative research in a social norms campaign. Communication Theory, 16(1), 141–152. https://doi.org/10.1111/j.1468-2885.2006.00009.x
- Solman, P. (2015). The battle to beat password security threats. Financial Times.
- Steinberg, J. (2016). The biggest lessons from the yahoo data breach are the ones nobody is talking about. Inc Magazine. Retrieved October 14, 2016, from http://www.inc.com/joseph-steinberg/the-biggest-lessons-from-the-yahoo-data-breach-are-the-ones-nobody-is-talking-ab.html
- Tanner, J. F., Hunt, J. B., & Eppright, D. R. (1991). The protection motivation model: A normative model of fear appeals. The Journal of Marketing, 55(3), 36–45. https://doi.org/10.1177/002224299105500304
- Taylor, P. J., Russ-Eft, D. F., & Chan, D. W. L. (2005). A meta-analytic review of behavior modeling training. Journal of Applied Psychology, 90(4), 692–709. https://doi.org/10.1037/0021-9010.90.4.692
- Teigen, K. H. (2005). The proximity heuristic in judgments of accident probabilities. British Journal of Psychology, 96(4), 423–440. https://doi.org/10.1348/000712605X47431
- Truex, D., Holmström, J., & Keil, M. (2006). Theorizing in information systems research: A reflexive analysis of the adaptation of theory in information systems research. Journal of the Association for Information Systems, 7(12), 797–821. https://doi.org/10.17705/1jais.00109
- Vance, A., Anderson, B. B., Kirwan, C. B., & Eargle, D. (2014). Using measures of risk perception to predict information security behavior: Insights from electroencephalography (EEG). Journal of the Association for Information Systems, 15(10), 679. https://doi.org/10.17705/1jais.00375
- Vance, A., Lowry, P. B., & Eggett, D. (2015). Increasing accountability through user-interface design artifacts: A new approach to addressing the problem of access-policy violations. MIS Quarterly, 39(2), 345–366. https://doi.org/10.25300/MISQ/2015/39.2.04
- Velicer, W. F., & Prochaska, J. O. (2008). Stage and non‐stage theories of behavior and behavior change: A comment on schwarzer. Applied Psychology, 57(1), 75–83. https://doi.org/10.1111/j.1464-0597.2007.00327.x
- Verizon. (2017). 2017 Data breach investigations report. Verizon. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
- Wall, J. D., & Buche, M. W. (2017). To fear or not to fear? A critical review and analysis of fear appeals in the information security context. Communications of the AIS, 41, 13. https://www.doi.org/10.17705/1CAIS.04113
- Warkentin, M., Johnston, A. C., Walden, E., & Straub, D. W. (2016). Neural correlates of protection motivation for secure IT behaviors: An fMRI examination. Journal of the Association for Information Systems, 17(3), 194. https://doi.org/10.17705/1jais.00424
- Willison, R., Lowry, P. B., & Paternoster, R. (2018). A tale of two deterrents: Considering the role of absolute and restrictive deterrence to inspire new directions in behavioral and organizational security research. Journal of the Association for Information Systems, 19(12), 1187–1216. https://doi.org/10.17705/1jais.00524
- Willison, R., Warkentin, M., & Johnston, A. C. (2018). Examining employee computer abuse intentions: Insights from justice, deterrence and neutralization perspectives. Information Systems Journal, 28(2), 266–293. https://doi.org/10.1111/isj.12129
- Witte, K. (1992). Putting fear back into fear appeals: The extended parallel process model. Communication Monographs, 59(4), 329–349. https://doi.org/10.1080/03637759209376276
- Wright, R. T., Jensen, M. L., Thatcher, J., Dinger, M., & Marett, K. (2014). Influence techniques in phishing attacks: An examination of vulnerability and resistance. Information Systems Research, 25(2), 385–400. https://doi.org/10.1287/isre.2014.0522
- Zahedi, F. M., Abbasi, A., & Yan, C. (2015). Fake-website detection tools: Identifying elements that promote individuals’ use and enhance their performance. Journal of the Association for Information Systems, 16(6), 448–484. https://doi.org/10.17705/1jais.00399