Advanced search
Publication Cover
European Journal of Information Systems Latest Articles
Submit an article Journal homepage
172
Views
0
CrossRef citations to date
0
Altmetric
Research article

A field experiment on ISP training designs for enhancing employee information security compliance

Ilja Nastjuka Chair of Information Security and Compliance, Georg-August-Universität Göttingen, Göttingen, GermanyView further author information
,
Florian Rampolda Chair of Information Security and Compliance, Georg-August-Universität Göttingen, Göttingen, GermanyView further author information
,
Simon Trangb Chair of Information Systems and Environmental Sustainability, Faculty of Business and Economics, University of Paderborn, Paderborn, GermanyView further author information
&
Jose Benitezc Department of Information Systems and Business Analytics, Ambassador Crawford College of Business and Entrepreneurship, Kent State University, Kent, OH, USACorrespondence[email protected]
ORCID Iconhttps://orcid.org/0000-0002-9142-4508View further author information
ORCID Icon
Received 19 Apr 2023, Accepted 20 May 2024, Published online: 03 Jun 2024

References

  • Alavi, M., & Leidner, D. E. (2001). Review: Knowledge management and knowledge management systems: Conceptual foundations and research issues. MIS Quarterly, 25(1), 107–136. https://doi.org/10.2307/3250961
  • Albrechtsen, E. (2007). A qualitative study of users’ view on information security. Computers and Security, 26(4), 276–289. https://doi.org/10.1016/j.cose.2006.11.004
  • Albrechtsen, E., & Hovden, J. (2010). Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Computers and Security, 29(4), 432–445. https://doi.org/10.1016/j.cose.2009.12.005
  • Alexander, P. A., Schallert, D. L., & Hare, V. C. (1991). Coming to terms: How researchers in learning and literacy talk about knowledge. Review of Educational Research, 61(3), 315–343. https://doi.org/10.3102/00346543061003315
  • Alshaikh, M., Maynard, S. B., Ahmad, A., & Chang, S. (2018). An exploratory study of current information security training and awareness practices in organizations. Proceedings of the 51st Hawaii International Conference on System Sciences, Hawaii, Hawaii, USA (pp. 5085–5094).
  • Aslan, Ö., Aktuğ, S. S., Ozkan-Okay, M., Yilmaz, A. A., & Akin, E. (2023). A comprehensive review of cyber security vulnerabilities, threats, attacks, and solutions. Electronics, 12(6), 1333. https://doi.org/10.3390/electronics12061333
  • Aurigemma, S., & Mattson, T. (2019). Generally speaking, context matters: Making the case for a change from universal to particular ISP research. Journal of the Association for Information Systems, 20(12), 1700–1742. https://doi.org/10.17705/1jais.00583
  • Bagozzi, R. P., & Yi, Y. (1988). On the evaluation of structural equation models. Journal of the Academy of Marketing Science, 16(1), 74–94. https://doi.org/10.1007/BF02723327
  • Bagozzi, R., Yi, Y., & Phillips, L. (1991). Assessing construct validity in organizational research. Administrative Science Quarterly, 36(1), 421–458.
  • Bagozzi, R. P., Yi, Y., & Singh, S. (1991). On the use of structural equation models in experimental designs: Two extensions. International Journal of Research in Marketing, 8(2), 125–140. https://doi.org/10.1016/0167-8116(91)90020-8
  • Bai, X., Ola, A., Reese, S., Eyob, E., & Bazemore, S. (2020). A study of the effectiveness of remote instruction from students’ perspectives. Issues in Information Systems, 21(4), 143–155.
  • Baldwin, T. T., & Ford, J. K. (1988). Transfer of training: A review and directions for future research. Personnel Psychology, 41(1), 63–105. https://doi.org/10.1111/j.1744-6570.1988.tb00632.x
  • Baskerville, R., & Siponen, M. (2002). An information security meta‐policy for emergent organisations. Logistics Information Management, 15(5/6), 337–346. https://doi.org/10.1108/09576050210447019
  • Benitez, J., Chen, Y., Teo, T. S., & Ajamieh, A. (2018). Evolution of the impact of e-business technology on operational competence and firm profitability: A panel data investigation. Information & Management, 55(1), 120–130. https://doi.org/10.1016/j.im.2017.08.002
  • Benjamini, Y., & Hochberg, Y. (1995). Controlling the false discovery rate: A practical and powerful approach to multiple testing. Journal of the Royal Statistical Society: Series B (Methodological), 57(1), 289–300. https://doi.org/10.1111/j.2517-6161.1995.tb02031.x
  • Blume, B. D., Ford, J. K., Baldwin, T. T., & Huang, J. L. (2010). Transfer of training: A meta-analytic review. Journal of Management, 36(4), 1065–1105. https://doi.org/10.1177/0149206309352880
  • Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. Management Information Systems Quarterly, 39(4), 837–864. https://doi.org/10.25300/MISQ/2015/39.4.5
  • Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. Management Information Systems Quarterly, 34(3), 523–548. https://doi.org/10.2307/25750690
  • Caldwell, T. (2016). Making security awareness training work. Computer Fraud & Security, 2016(6), 8–14. https://doi.org/10.1016/S1361-3723(15)30046-4
  • Chen, Y., Ramamurthy, K., & Wen, K. (2015). Impacts of comprehensive information security programs on information security culture. The Journal of Computer Information Systems, 55(3), 11–19. https://doi.org/10.1080/08874417.2015.11645767
  • Chen, Y., Ramamurthy, K., & Wen, K.-W. (2013). Organisations’ information security policy compliance: Stick or carrot approach? Journal of Management Information Systems, 29(3), 157–188. https://doi.org/10.2753/MIS0742-1222290305
  • Cigognini, M. E., Paoletti, G., Fattorini, R., & Boscarol, M. (2015, June). Lecture vs Webinar: Engagement and distraction in distance learning adult teachers. Proceeding from “EDEN Annual Conference-Expanded Learning Scenarios”, Barcelona, Spain (pp. 521–530).
  • Courtois, C., Montrieux, H., De Grove, F., Raes, A., De Marez, L., & Schellens, T. (2014). Student acceptance of tablet devices in secondary education: A three-wave longitudinal cross-lagged case study. Computers in Human Behavior, 35, 278–286. https://doi.org/10.1016/j.chb.2014.03.017
  • Cram, W. A., D’arcy, J., & Proudfoot, J. G. (2019). Seeing the forest and the trees: A meta-analysis of the antecedents to information security policy compliance. MIS Quarterly, 43(2), 525–554. https://doi.org/10.25300/MISQ/2019/15117
  • Cram, W. A., Proudfoot, J. G., & D’arcy, J. (2017). Organizational information security policies: A review and research framework. European Journal of Information Systems, 26(6), 605–641. https://doi.org/10.1057/s41303-017-0059-9
  • D’Arcy, J., & Herath, T. (2011). A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings. European Journal of Information Systems, 20(6), 643–658. https://doi.org/10.1057/ejis.2011.23
  • D’Arcy, J., & Hovav, A. (2007). Towards a best fit between organisational security countermeasures and information systems misuse behaviors. Journal of Information System Security, 3(2), 3–31.
  • D’Arcy, J., & Hovav, A. (2009). Does one size fit all? Examining the differential effects of IS security countermeasures. Journal of Business Ethics, 89(SUPPL. 1), 59–71. https://doi.org/10.1007/s10551-008-9909-7
  • D’Arcy, J., Hovav, A., & Galletta, D. F. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79–98. https://doi.org/10.1287/isre.1070.0160
  • D’Arcy, J., & Lowry, P. B. (2019). Cognitive-affective drivers of employees’ daily compliance with information security policies: A multilevel, longitudinal study. Information Systems Journal, 29(1), 43–69. https://doi.org/10.1111/isj.12173
  • Dhillon, G., Smith, K., & Dissanayaka, I. (2021). Information systems security research agenda: Exploring the gap between research and practice. The Journal of Strategic Information Systems, 30(4), 101693. https://doi.org/10.1016/j.jsis.2021.101693
  • Dincelli, E., & Chengalur-Smith, I. S. (2020). Choose your own training adventure: Designing a gamified SETA artefact for improving information security and privacy through interactive storytelling. European Journal of Information Systems, 29(6), 669–687. https://doi.org/10.1080/0960085X.2020.1797546
  • Eminaǧaoǧlu, M., Uçar, E., & Eren, Ş. (2009). The positive outcomes of information security awareness training in companies - a case study. Information Security Technical Report, 14(4), 223–229. https://doi.org/10.1016/j.istr.2010.05.002
  • ENISA. (2007). European report: Information security awareness initiatives: Current practice and the measurement of success. Retrieved November 6, 2023, from. https://ifap.ru/library/book206.pdf
  • Esentire. (2022). Esentire official cybercrime report. Retrieved November 6, 2023, from. https://www.esentire.com/resources/library/2022-official-cybercrime-report,2022
  • Facteau, J. D., Dobbins, G. H., Russell, J. E. A., Ladd, R. T., & Kudisch, J. D. (1995). The influence of general perceptions of the training environment on pretraining motivation and perceived training transfer. Journal of Management, 21(1), 1–25. https://doi.org/10.1177/014920639502100101
  • Faul, F., Erdfelder, E., Buchner, A., & Lang, A.-G. (2009). Statistical power analyses using G*Power 3.1: Tests for correlation and regression analyses. Behavior Research Methods, 41(4), 1149–1160. https://doi.org/10.3758/BRM.41.4.1149
  • Floyd, D. L., Prentice‐Dunn, S., & Rogers, R. W. (2000). A meta‐analysis of research on protection motivation theory. Journal of Applied Social Psychology, 30(2), 407–429. https://doi.org/10.1111/j.1559-1816.2000.tb02323.x
  • Fombelle, P. W., Bone, S. A., & Lemon, K. N. (2016). Responding to the 98%: Face-enhancing strategies for dealing with rejected customer ideas. Journal of the Academy of Marketing Science, 44(6), 685–706. https://doi.org/10.1007/s11747-015-0469-y
  • Ford, J. K., & Weissbein, D. A. (1997). Transfer of training: An updated review and analysis. Performance Improvement Quarterly, 10(2), 22–41. https://doi.org/10.1111/j.1937-8327.1997.tb00047.x
  • Gibson, K. (2008). Technology and technological knowledge: A challenge for school curricula. Teachers & Teaching, 14(1), 3–15. https://doi.org/10.1080/13540600701837582
  • Gleicher, F., & Petty, R. E. (1990). Expectations of reassurance influence the nature of fear- stimulated attitude change. Journal of Experimental Social Psychology, 100(1), 86–100. https://doi.org/10.1016/0022-1031(92)90033-G
  • Guttman, B., & Roback, E. A. (1995). An introduction to computer security: The NIST handbook. Diane Publishing.
  • Hair, J. F. (2009). Multivariate data analysis. Pearson Prentice Hall Upper Saddle River.
  • Hansche, S. (2001). Designing a security awareness program: Part 1. Information Systems Security, 7(6), 1–9. https://doi.org/10.1201/1086/43298.9.6.20010102/30985.4
  • Henseler, J., Ringle, C. M., & Sarstedt, M. (2014). A new criterion for assessing discriminant validity in variance-based structural equation modeling. Journal of the Academy of Marketing Science, 43(1), 115–135. https://doi.org/10.1007/s11747-014-0403-8
  • Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), 106–125. https://doi.org/10.1057/ejis.2009.6
  • Hovav, A., & Putri, F. F. (2016). This is my device! Why should I follow your rules? employees’ compliance with BYOD security policy. Pervasive and Mobile Computing, 32, 35–49. https://doi.org/10.1016/j.pmcj.2016.06.007
  • Hu, S., Hsu, C., & Zhou, Z. (2022). Security education, training, and awareness programs: Literature review. Journal of Computer Information Systems, 62(4), 752–764. https://doi.org/10.1080/08874417.2021.1913671
  • Hulland, J. (1999). Use of Partial Least Squares (PLS) in strategic management research: A review of four recent studies. Strategic Management Journal, 20(2), 195–204. https://doi.org/10.1002/(SICI)1097-0266(199902)20:2<195:AID-SMJ13>3.0.CO;2-7
  • Hulland, J., Baumgartner, H., & Smith, K. M. (2018). Marketing survey research best practices: Evidence and recommendations from a review of JAMS articles. Journal of the Academy of Marketing Science, 46(1), 92–108. https://doi.org/10.1007/s11747-017-0532-y
  • Hull, D. M., Schuetz, S. W., & Lowry, P. B. (2023). Tell me a story: The effects that narratives exert on meaningful-engagement outcomes in antiphishing training. Computers & Security, 129, 103252. https://doi.org/10.1016/j.cose.2023.103252
  • Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers and Security, 31(1), 83–95. https://doi.org/10.1016/j.cose.2011.10.007
  • ISO/IEC. (2022). ISO/IEC 27002:2022 Information technology — Security techniques — Code of practice for information security controls (Vol. 2022).
  • Jansen, J., & van Schaik, P. (2019). The design and evaluation of a theory-based intervention to promote security behaviour against phishing. International Journal of Human-Computer Studies, 123, 40–55. https://doi.org/10.1016/j.ijhcs.2018.10.004
  • Jensen, M. L., Dinger, M., Wright, R. T., & Thatcher, J. B. (2017). Training to mitigate phishing attacks using mindfulness techniques. Journal of Management Information Systems, 34(2), 597–626. https://doi.org/10.1080/07421222.2017.1334499
  • Jensen, M. L., Durcikova, A., & Wright, R. T. (2021). Using susceptibility claims to motivate behaviour change in it security. European Journal of Information Systems, 30(1), 27–45. https://doi.org/10.1080/0960085X.2020.1793696
  • Johnston, A., DiGangi, P. M., Bélanger, F., Crossler, R. E., Siponen, M., Warkentin, M., & Singh, T. (2023). Seeking rhetorical validity in fear appeal research: An application of rhetorical theory. Computers & Security, 125, 103020. https://doi.org/10.1016/j.cose.2022.103020
  • Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: An empirical study. Management Information Systems Quarterly, 34(3), 549–566. https://doi.org/10.2307/25750691
  • Johnston, A. C., Warkentin, M., Dennis, A. R., & Siponen, M. (2019). Speak their language: Designing effective messages to improve employees’ information security decision making. Decision Sciences, 50(2), 245–284. https://doi.org/10.1111/deci.12328
  • Johnston, A. C., Warkentin, M., McBride, M., & Carter, L. (2016). Dispositional and situational factors: Influences on information security policy violations. European Journal of Information Systems, 25(3), 231–251. https://doi.org/10.1057/ejis.2015.15
  • Johnston, A. C., Warkentin, M., & Siponen, M. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. Management Information Systems Quarterly, 39(1), 113–134. https://doi.org/10.25300/MISQ/2015/39.1.06
  • Karjalainen, M., & Siponen, M. (2011). Toward a new meta-theory for designing information systems (IS) security training approaches. Journal of the Association for Information Systems, 12(8), 518–555. https://doi.org/10.17705/1jais.00274
  • Karjalainen, M., Siponen, M., Petri, P., & Suprateek, S. (2013). One size does not fit all: Different cultures require different information systems security interventions. Proceedings of the Pacific Asia Conference on Information Systems, Jeju Island, Korea.
  • Kaspersky. (2018). Not so know-it-all: Just 12% of employees are fully aware of their organization’s it security policies. Retrieved November 6, 2023, from. https://www.kaspersky.com/about/press-releases/2017_organizations-it-security-policies
  • Kesh, S., & Ratnasingam, P. (2007). A knowledge architecture for it security. Communications of the ACM, 50(7), 103–108. https://doi.org/10.1145/1272516.1272521
  • Kizilcec, R. F., Reich, J., Yeomans, M., Dann, C., Brunskill, E., Lopez, G., Turkay, S., Williams, J., & Tingley, D. (2020). Scaling up behavioral science interventions in online education. Proceedings of the National Academy of Sciences of the United States of America, 117(26), 14900–14905. https://doi.org/10.1073/pnas.1921417117
  • Klotz, V. K., Winther, E., & Festner, D. (2015). Modeling the development of vocational competence: A psychometric model for economic domains. Vocations and Learning, 8(3), 247–268. https://doi.org/10.1007/s12186-015-9139-y
  • Knowles, M. S., Holton Iii, E. F., Swanson, R. A., Swanson, R., & Robinson, P. A. (2015). The adult learner: The definitive classic in adult education and human resource development (8th ed.). Routledge.
  • Kock, N., & Hadaya, P. (2018). Minimum sample size estimation in PLS-SEM: The inverse square root and gamma-exponential methods. Information Systems Journal, 28(1), 227–261. https://doi.org/10.1111/isj.12131
  • Kock, N., & Lynn, G. (2012). Lateral collinearity and misleading results in variance-based SEM: An illustration and recommendations. Journal of the Association for Information Systems, 13(7), 546–580. https://doi.org/10.17705/1jais.00302
  • Lowry, P. B., Dinev, T., & Willison, R. (2017). Why security and privacy research lies at the centre of the information systems (IS) artefact: Proposing a bold research agenda. European Journal of Information Systems, 26(6), 546–563. https://doi.org/10.1057/s41303-017-0066-x
  • Lowry, P. B., Posey, C., Bennett, R. J., & Roberts, T. L. (2015). Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust. Information Systems Journal, 25(3), 193–273. https://doi.org/10.1111/isj.12063
  • McCormick, R. (2004). Issues of learning and knowledge in technology education. International Journal of Technology and Design Education, 14(1), 21–44. https://doi.org/10.1023/B:ITDE.0000007359.81781.7c
  • McKinsey. (2019). Perspectives on transforming cybersecurity. McKinsey Global Institute. Retrieved November 6, 2023, from. https://www.mckinsey.com/~/media/McKinsey/McKinsey%20Solutions/Cyber%20Solutions/Perspectives%20on%20transforming%20cybersecurity/Transforming%20cybersecurity_March2019.ashx
  • Menard, P., Bott, G. J., & Crossler, R. E. (2017). User motivations in protecting information security: Protection motivation theory versus self- determination theory. Journal of Management Information Systems, 34(4), 1203–1230. https://doi.org/10.1080/07421222.2017.1394083
  • Moody, G. D., Siponen, M., & Pahnila, S. (2018). Toward a unified model of information security policy compliance. Management Information Systems Quarterly, 42(1), 285–312. https://doi.org/10.25300/MISQ/2018/13853
  • Mou, J., Cohen, J. F., Bhattacherjee, A., & Kim, J. (2022). A test of protection motivation theory in the information security literature: A meta-analytic structural equation modeling approach in search advertising. Journal of the Association for Information Systems, 23(1), 196–236. https://doi.org/10.17705/1jais.00723
  • Mwagwabi, F., McGill, T., & Dixon, M. (2018). Short-term and long-term effects of fear appeals in improving compliance with password guidelines. Communications of the Association for Information Systems, 42(1), 147–182. https://doi.org/10.17705/1CAIS.04207
  • Nguyen, C., Jensen, M., & Day, E. (2023). Learning not to take the bait: A longitudinal examination of digital training methods and overlearning on phishing susceptibility. European Journal of Information Systems, 1–25. https://doi.org/10.1080/0960085X.2023.2252390
  • Nunnally, J., & Bernstein, I. (1994). Psychometric theory. McGraw-Hill.
  • Peace, A. G., Galletta, D. F., & Thong, J. Y. L. (2003). Software piracy in the workplace: A model and empirical test. Journal of Management Information Systems, 20(1), 153–177.
  • Peltier, T. R. (2005). Implementing an Information Security Awareness Program. Security Management Practices, 33(2), 1–18. https://doi.org/10.1201/1079.07366981/45423.33.1.20050701/89329.1
  • Peters, G. J. Y., Ruiter, R. A. C., & Kok, G. (2013). Threatening communication: A critical re-analysis and a revised meta-analytic test of fear appeal theory. Health Psychology Review, 7(sup1), S8–S31. https://doi.org/10.1080/17437199.2012.703527
  • Podsakoff, P. M., MacKenzie, S. B., Lee, J. Y., & Podsakoff, N. P. (2003). Common method biases in behavioral research: A critical review of the literature and recommended remedies. Journal of Applied Psychology, 88(5), 879–903. https://doi.org/10.1037/0021-9010.88.5.879
  • Puhakainen, P., & Siponen, M. (2010). Improving employee’s compliance through information systems security training: An action research study. Management Information Systems Quarterly, 34(4), 757–778. https://doi.org/10.2307/25750704
  • Putri, F. F., & Hovav, A. (2014). Employees’ compliance with BYOD security policy: Insights from reactance, organizational justice, and protection motivation theory. Twenty Second European Conference on Information Systems, Tel Aviv, Israel (pp. 1–17).
  • Qu, G., Wang, J., Lu, X., Xu, Q., & Wang, Q. (2022). Network configuration in app design: The effects of simplex and multiplex networks on team performance. Journal of the Association for Information Systems, 23(6), 1532–1556.
  • Ramlogan, S., Raman, V., & Sweet, J. (2014). A comparison of two forms of teaching instruction: Video vs. live lecture for education in clinical periodontology. European Journal of Dental Education, 18(1), 31–38. https://doi.org/10.1111/eje.12053
  • Rantos, K., Fysarakis, K., & Manifavas, C. (2012). How effective is your security awareness program? An evaluation methodology. Information Security Journal: A Global Perspective, 21(6), 328–345. https://doi.org/10.1080/19393555.2012.747234
  • Richardson, R., & Director, C. S. I. (2008). CSI computer crime and security survey. Computer Security Institute, 1, 1–30.
  • Rogers, C. (1969). Freedom to learn. Charles E. Merrill.
  • Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change. The Journal of Psychology, 91(1), 93–114. https://doi.org/10.1080/00223980.1975.9915803
  • Schuetz, S. W., Benjamin Lowry, P., Pienta, D. A., & Bennett Thatcher, J. (2020). The effectiveness of abstract versus concrete fear appeals in information security. Journal of Management Information Systems, 37(3), 723–757. https://doi.org/10.1080/07421222.2020.1790187
  • Shavelson, R. J. (2008). Reflections on quantitative reasoning: An assessment perspective. In B. Madison & L. Steen (Eds.), Calculation Vs Context: Quantitative Literacy and Its Implications for Teacher Education, 27–47. Mathematical Association of America.
  • Sikolia, D., Biros, D., & Zhang, T. (2023). How effective are SETA programs anyway: Learning and forgetting in Security Awareness Training. Journal of Cybersecurity Education, Research and Practice, 2023(1), 4. https://doi.org/10.32727/8.2023.13
  • Silic, M., & Lowry, P. B. (2020). Using design-science based gamification to improve organizational security training and compliance. Journal of Management Information Systems, 37(1), 129–161. https://doi.org/10.1080/07421222.2019.1705512
  • Siponen, M. (2000). A conceptual foundation for organisational information security awareness a conceptual foundation for organisational information security awareness. Information Management & Computer Security, 8(1), 31–41. https://doi.org/10.1108/09685220010371394
  • Siponen, M., & Baskerville, R. (2018). Intervention effect rates as a path to research relevance: Information systems security example. Journal of the Association of Information Systems, 19(4), 247–265. https://doi.org/10.17705/1jais.00491
  • Siponen, M., Puhakainen, P., & Vance, A. (2020). Can individuals’ neutralization techniques be overcome? A field experiment on password policy. Computers & Security, 88, 101617. https://doi.org/10.1016/j.cose.2019.101617
  • Siponen, M., & Vance, A. (2010). Neutralisation: New insights into the problem of employee information systems security policy violations. Management Information Systems Quarterly, 34(3), 487–502. https://doi.org/10.2307/25750688
  • Smith, E. R. (1994). Procedural knowledge and processing strategies in social cognition. In R. Wyer & T. Srull (Eds.), Handbook of Social Cognition: Basic Processes (2nded., pp. 99–151). Lawrence Erlbaum Associates.
  • Steinberg, E. R. (1991). Computer-assisted instruction: A synthesis of theory, practice, and technology. Lawrence Erlbaum Associates.
  • Straub, D., & Welke, R. J. (1998). Coping with systems risk: Security planning models for management decision making. Management Information Systems Quarterly, 22(4), 441–469. https://doi.org/10.2307/249551
  • Talib, Y., & Dhillon, G. (2015). Employee ISP compliance intentions: An empirical test of empowerment. Thirty Sixth International Conference of Information Systems, Fort Worth 2015, Fort Worth, USA (pp. 1–19).
  • Tao, Y., Mishra, A., Masyn, K., & Keil, M. (2022). Addressing change trajectories and reciprocal relationships: A longitudinal method for information systems research. Communications of the Association for Information Systems, 50(1), 439–494. https://doi.org/10.17705/1CAIS.05018
  • Tittle, C. R. (1980). Sanctions and social deviance: The question of deterrence. Praeger.
  • Tracey, J. B., Tannenbaum, S. I., & Kavanagh, M. J. (1995). Applying trained skills on the job: The importance of the work environment. Journal of Applied Psychology, 80(2), 239–252. https://doi.org/10.1037/0021-9010.80.2.239
  • Trang, S., & Brendel, B. (2019). A meta-analysis of deterrence theory in information security policy compliance research. Information Systems Frontiers, 21(6), 1265–1284. https://doi.org/10.1007/s10796-019-09956-4
  • Trenz, M., Veit, D., & Tan, C.-W. (2020). Disentangling the impact of omnichannel integration on consumer behavior in integrated sales channels. Management Information Systems Quarterly, 44(3), 1207–1258. https://doi.org/10.25300/MISQ/2020/14121
  • Vance, A., Eargle, D., Eggett, D., Straub, D. W., & Ouimet, K. (2022). Do security fear appeals work when they interrupt tasks? A multi-method examination of password strength. Management Information Systems Quarterly, 46(3), 1721–1738. https://doi.org/10.25300/MISQ/2022/15511
  • Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: Insights from habit and protection motivation theory. Information and Management, 49(3–4), 190–198. https://doi.org/10.1016/j.im.2012.04.002
  • Verizon. (2023). Verizon 2023 data breach investigations report. Retrieved November 6, 2023, from. https://www.verizon.com/business/resources/reports/dbir/
  • Wall, J. D., & Buche, M. W. (2017). To fear or not to fear? A critical review and analysis of fear appeals in the information security context. Communications of the Association for Information Systems, 41(1), 13. https://doi.org/10.17705/1CAIS.04113
  • Wall, J. D., & Warkentin, M. (2019). Perceived argument quality’s effect on threat and coping appraisals in fear appeals: An experiment and exploration of realism check heuristics. Information and Management, 56(8), 103157. https://doi.org/10.1016/j.im.2019.03.002
  • Wang, M., Beal, D. J., Chan, D., Newman, D. A., Vancouver, J. B., & Vandenberg, R. J. (2017). Longitudinal research: A panel discussion on conceptual issues, research design, and statistical techniques. Work, Aging and Retirement, 3(1), 1–24. https://doi.org/10.1093/workar/waw033
  • Warkentin, M., Johnston, A. C., Shropshire, J., & Barnett, W. D. (2016). Continuance of protective security behavior: A longitudinal study. Decision Support Systems, 92, 25–35. https://doi.org/10.1016/j.dss.2016.09.013
  • Warkentin, M., McBride, M., Carter, L., & Johnston, A. C. (2012). The role of individual characteristics on insider abuse intentions the role of individual characteristics on insider abuse intentions. Proceedings of the Eighteenth Americas Conference on Information Systems, Seattle, USA.
  • Whitman, M. E., & Mattord, H. J. (2018). Principles of information security. Cengage Learning.
  • Williams, A., Birch, E., & Hancock, P. (2012). The impact of online lecture recordings on student performance. Australasian Journal of Educational Technology, 28(2), 199–213. https://doi.org/10.14742/ajet.869
  • Willison, R., Lowry, P. B., & Paternoster, R. (2018). A tale of two deterrents: Considering the role of absolute and restrictive deterrence to inspire new directions in behavioral and organizational security research. Journal of the Association for Information Systems, 19(12), 1187–1216. https://doi.org/10.17705/1jais.00524
  • Witte, K. (1992). Putting the fear back into fear appeals: The extended parallel process model. Communication Monographs, 59(4), 329–349. https://doi.org/10.1080/03637759209376276
  • Wong, L. W., Lee, V. H., Tan, G. W. H., Ooi, K. B., & Sohal, A. (2022). The role of cybersecurity and policy awareness in shifting employee compliance attitudes: Building supply chain capabilities. International Journal of Information Management, 66, 102520. https://doi.org/10.1016/j.ijinfomgt.2022.102520
  • Yazdanmehr, A., Li, Y., & Wang, J. (2022). Does stress reduce violation intention? Insights from eustress and distress processes on employee reaction to information security policies. European Journal of Information Systems, 32(6), 1–19. https://doi.org/10.1080/0960085X.2022.2099767
  • Zureick, A. H., Burk‐Rafel, J., Purkiss, J. A., & Hortsch, M. (2018). The interrupted learner: How distractions during live and video lectures influence learning outcomes. Anatomical Sciences Education, 11(4), 366–376. https://doi.org/10.1002/ase.1754

Reprints and Corporate Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

To request a reprint or corporate permissions for this article, please click on the relevant link below:

Order Reprints Request Corporate Permissions

Academic Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

Obtain permissions instantly via Rightslink by clicking on the button below:

Request Academic Permissions

If you are unable to obtain permissions via Rightslink, please complete and submit this Permissions form. For more information, please visit our Permissions help page.

Related research

People also read lists articles that other readers of this article have read.

Recommended articles lists articles that we recommend and is powered by our AI driven recommendation engine.

Cited by lists all citing articles based on Crossref citations.
Articles with the Crossref icon will open in a new tab.