Advanced search
Publication Cover
Information Systems Management Volume 33, 2016 - Issue 1
Submit an article Journal homepage
3,825
Views
108
CrossRef citations to date
0
Altmetric
Original Articles

Impact of Users’ Security Awareness on Desktop Security Behavior: A Protection Motivation Theory Perspective

Bartlomiej HanusSchool of Business, Emporia State University, Emporia, Kansas, USACorrespondence[email protected]
View further author information
&
Yu “Andy” WuCollege of Business, University of North Texas, Denton, Texas, USAView further author information
Pages 2-16 | Published online: 28 Jan 2016

References

  • Abraham, C. S., Sheeran, P., Abrams, D., & Spears, R. (1994). Exploring teenagers’ adaptive and maladaptive thinking in relation to the threat of HIV infection. Psychology & Health, 9(4), 253–272. doi:10.1080/08870449408407485
  • Ajzen, I. (2005). Attitudes, personality and behavior (2nd ed.). Maidenhead, UK: Open University Press.
  • Albrechtsen, E., & Hovden, J. (2010). Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Computers & Security, 29(4), 432–445. doi:10.1016/j.cose.2009.12.005
  • Anderson, C. L., & Agarwal, R. (2010). Practicing safe computing: A multimethod empirical examination of home computer user security behavioral intentions. MIS Quarterly, 34(3), A613–A615.
  • Armitage, C. J., & Conner, M. (2001). Efficacy of the theory of planned behaviour: A meta-analytic review. British Journal of Social Psychology, 40(4), 471–499. doi:10.1348/014466601164939
  • Bacharach, S. B. (1989). Organizational theories: Some criteria for evaluation. Academy of Management Review, 14(4), 496–515.
  • Bandura, A. (1977). Self-efficacy: Toward a unifying theory of behavioral change. Psychological Review, 84(2), 191–215. doi:10.1037/0033-295X.84.2.191
  • Bandura, A., Adams, N. E., Hardy, A. B., & Howells, G. N. (1980). Tests of the generality of self efficacy theory. Cognitive Therapy and Research, 4(1), 39–66. doi:10.1007/BF01173354
  • Becker, M. H. (1974). The health belief model and sick role behavior. Health Education Monographs, 2, 409–419.
  • Boss, S. R., Kirsch, L. J., Angermeier, I., Shingler, R. A., & Boss, R. W. (2009). If someone is watching, I’ll do what I’m asked: Mandatoriness, control, and information security. European Journal of Information Systems, 18(2), 151–164. doi:10.1057/ejis.2009.8
  • CERT Coordination Center. (2002). Home computer security. Retrieved from http://www.cert.org/homeusers/HomeComputerSecurity/
  • Chin, W. W. (1998). The Partial Least Squares Approach to Structural Equation Modeling. In G. A. Marcoulides (Ed.), Modern methods for Business Research (pp. 295–358). Mahwah, NJ: Lawrence Erlbaum Associates.
  • Ciampa, M. (2010). Security awareness: Applying practical security in your world (3rd ed.). Boston, MA: Course Technology.
  • Compeau, D. R., & Higgins, C. A. (1995). Computer self-efficacy: Development of a measure and initial test. MIS Quarterly, 19(2), 189–211. doi:10.2307/249688
  • Crossler, R. E. (2010, January). Protection motivation theory: Understanding determinants to backing up personal data. Paper presented at the 43rd Hawaii International Conference on System Sciences, Honolulu, HI.
  • Dhillon, G., & Backhouse, J. (2001). Current directions in IS security research: Towards socio-organizational perspectives. Information Systems Journal, 11(2), 127–153. doi:10.1046/j.1365-2575.2001.00099.x
  • Dinev, T., & Hu, Q. (2007). The centrality of awareness in the formation of user behavioral intention toward protective information technologies. Journal of the Association for Information Systems, 8(7), 386–408.
  • Dunlop, C., & Kling, R. (1992). Social relationships in electronic commerce—introduction. In C. Dunlop & R. Kling (Eds.), Computerization and controversy—value conflicts and social change. San Diego, CA: Academic Press.
  • Faul, F., Erdfelder, E., Buchner, A., & Lang, A.-G. (2009). Statistical power analyses using G*Power 3.1: Tests for correlation and regression analyses. Behavior Research Methods, 41, 1149–1160. doi:10.3758/BRM.41.4.1149
  • Fornell, C., & Larcker, D. F. (1981). Structural equation models with unobservable variables and measurement error: Algebra and statistics. Journal of Marketing Research (JMR), 18(3), 382–388. doi:10.2307/3150980
  • Gefen, D., Rigdon, E. E., & Straub, D. (2011). An update and extension to SEM guidelines for administrative and social science research. MIS Quarterly, 35(2), iii–A7.
  • Gefen, D., & Straub, D. (2005). A practical guide to factorial validity using PLS-Graph: Tutorial and annotated example. Communications of the Association for Information Systems, 16(1), 109.
  • Gurung, A., Luo, X., & Liao, Q. (2009). Consumer motivations in taking action against spyware: An empirical investigation. Information Management & Computer Security, 17(3), 276–289. doi:10.1108/09685220910978112
  • Hair, J. F., Hult, G. T. M., Ringle, C. M., & Sarstedt, M. (2014). A primer on partial least squares structural equation modeling (PLS-SEM). Thousand Oaks, CA: Sage.
  • Harris, S. (2008). CISSP all-in-one exam guide (4th ed.). New York, NY: McGraw-Hill.
  • Harrison, J. A., Mullen, P. D., & Green, L. W. (1992). A meta-analysis of studies of the health belief model with adults. Health Education Research, 7(1), 107–116. doi:10.1093/her/7.1.107
  • Henseler, J., Ringle, C. M., & Sinkovics, R. R. (2009). The use of partial least squares path modeling in international marketing. Advances in International Marketing (AIM), 20, 277–320.
  • Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), 106–125. doi:10.1057/ejis.2009.6
  • Herold, R. (2010). Managing an information security and privacy awareness and training program. Boca Raton, FL: CRC Press.
  • Hinde, S. (2001). The weakest link. Computers & Security, 20(4), 295–301. doi:10.1016/S0167-4048(01)00403-5
  • Hodgkins, S., & Orbell, S. (1998). Can protection motivation theory predict behaviour? A longitudinal test exploring the role of previous behaviour. Psychology & Health, 13(2), 237–250. doi:10.1080/08870449808406749
  • James, T., Nottingham, Q., & Kim, B. (2013). Determining the antecedents of digital security practices in the general public dimension. Information Technology and Management, 14(2), 69–89. doi:10.1007/s10799-012-0147-4
  • Jayanti, R. K., & Burns, A. C. (1998). The antecedents of preventive health care behavior: An empirical study. Journal of the Academy of Marketing Science, 26(1), 6–15. doi:10.1177/0092070398261002
  • Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: An empirical study. MIS Quarterly, 34(3), 549–A544.
  • Keith, T. Z. (2005). Multiple regression and beyond. Boston, MA: Pearson.
  • Keller, S., Powell, A., Horstmann, B., Predmore, C., & Crawford, M. (2005). Information security threats and practices in small businesses. Information Systems Management, 22(2), 7–19. doi:10.1201/1078/45099.22.2.20050301/87273.2
  • Kenny, D. A. (1979). Correlation and causality. New York, NY: Wiley.
  • Kritzinger, E., & von Solms, S. H. (2010). Cyber security for home users: A new way of protection through awareness enforcement. Computers & Security, 29(8), 840–847. doi:10.1016/j.cose.2010.08.001
  • Kumar, N., Mohan, K., & Holowczak, R. (2008). Locking the door but leaving the computer vulnerable: Factors inhibiting home users’ adoption of software firewalls. Decision Support Systems, 46(1), 254–264. doi:10.1016/j.dss.2008.06.010
  • Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., & Hong, J. (2010). Teaching Johnny not to fall for phish. ACM Transactions on Internet Technology, 10(2), 1–31. doi:10.1145/1754393
  • LaRose, R., Rifon, N. J., & Enbody, R. (2008). Promoting personal responsibility for internet safety. Communicable ACM, 51(3), 71–76. doi:10.1145/1325555
  • Liang, H., Saraf, N., Hu, Q., & Xue, Y. (2007). Assimilation of enterprise systems: The effect of institutional pressures and the mediating role of top management. MIS Quarterly, 31(1), 59–87.
  • Liang, H., & Xue, Y. (2010). Understanding security behaviors in personal computer usage: A threat avoidance perspective. Journal of the Association for Information Systems, 11(7), 394–413.
  • Maddux, J. E., & Rogers, R. W. (1983). Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change. Journal of Experimental Social Psychology, 19(5), 469–479. doi:10.1016/0022-1031(83)90023-9
  • McAfee Labs. (2010). McAfee Threats report: Third quarter 2010. Retrieved from http://www.mcafee.com/us/local_content/reports/q32010_threats_report_en.pdf
  • Merriam-Webster Online Dictionary. (2010). Behaviour. Retrieved from http://www.merriam-webster.com/dictionary/behavior
  • Milne, S., Sheeran, P., & Orbell, S. (2000). Prediction and intervention in health-related behavior: A meta-analytic review of protection motivation theory. Journal of Applied Social Psychology, 30(1), 106–143. doi:10.1111/jasp.2000.30.issue-1
  • Ng, B.-Y., Kankanhalli, A., & Xu, Y. (2009). Studying users’ computer security behavior: A health belief perspective. Decision Support Systems, 46(4), 815–825. doi:10.1016/j.dss.2008.11.010
  • Ozer, E. M., & Bandura, A. (1990). Mechanisms governing empowerment effects: A self-efficacy analysis. Journal of Personality and Social Psychology, 58(3), 472–486. doi:10.1037/0022-3514.58.3.472
  • Pahnila, S., Siponen, M., & Mahmood, A. (2007, January). Employees’ behavior towards is security policy compliance. Paper presented at the 40th Annual Hawaii International Conference on System Sciences, Waikoloa, HI.
  • Parsons, T. (1991). The social system (2nd ed.). London, UK: Routledge.
  • Peltier, T. (2000). Security awareness program. In H. F. Tipton & M. Krause (Eds.), Information security management. Boca Raton, FL: Auerbach Publications.
  • Podsakoff, P. M., MacKenzie, S. B., Lee, J. Y., & Podsakoff, N. P. (2003). Common method biases in behavioral research: A critical review of the literature and recommended remedies. The Journal of Applied Psychology, 88(5), 879–903. doi:10.1037/0021-9010.88.5.879
  • Prentice-Dunn, S., & Rogers, R. W. (1986). Protection motivation theory and preventive health: Beyond the health belief model. Health Education Research, 1(3), 153–161. doi:10.1093/her/1.3.153
  • Puhakainen, P., & Siponen, M. (2010). Improving employees’ compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 767–A764.
  • Ringle, C. M., Wende, S., & Will, A. (2005). SmartPLS 2.0. Retrieved from www.smartpls.de
  • Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change. The Journal of Psychology, 91(1), 93–114. doi:10.1080/00223980.1975.9915803
  • Rogers, R. W. (1983). Cognitive and physiological processes in fear appeals and attitude change: A revised theory of protection motivation. In J. Ciacioppo & R. Petty (Eds.), Social psychophysiology. New York, NY: Guilford Press.
  • Rosenstock, I. M. (1966). Why people use health services. The Milbank Memorial Fund Quarterly, 44(3), 94–127. doi:10.2307/3348967
  • SANS Institute. (2010). The top cyber security risks. Retrieved from http://www.sans.org/top-cyber-security-risks/
  • Senge, P. M. (1994). The fifth discipline: The art & practice of the learning organization. New York: Currency Doubleday.
  • Shadish, W. R., Cook, T. D., & Campbell, D. T. (2002). Experimental and quasi-experimental designs for generalized causal inference. Boston, MA: Houghton Mifflin Company.
  • Shimeall, T. (2002). Cyberterrorism. Retrieved from http://www.cert.org/homeusers/HomeComputerSecurity/
  • Siponen, M. (2000). A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8(1), 31–41. doi:10.1108/09685220010371394
  • Siponen, M. (2001). Five Dimensions of Information Security Awareness. Computers & Society, 31(2), 24–29.
  • Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22(4), 441–469. doi:10.2307/249551
  • Sumner, M. (2009). Information security threats: A comparative analysis of impact, probability, and preparedness. Information Systems Management, 26(1), 2–12. doi:10.1080/10580530802384639
  • Sutton, S. (1998). Predicting and explaining intentions and behavior: How well are we doing? Journal of Applied Social Psychology, 28(15), 1317–1338. doi:10.1111/jasp.1998.28.issue-15
  • Symantec. (2010). Norton cybercrime report: The human impact. Retrieved from www.norton.com/cybercrimereport
  • Symantec. (2012). Norton cybercrime report 2012. Retrieved from http://us.norton.com/cybercrimereport
  • Talib, S., Clarke, N. L., & Furnell, S. (2010, February). An analysis of information security awareness within home and work environments. Paper presented at the International Conference on Availability, Reliability, and Security (ARES’10), Krakow, Poland.
  • Thomson, M. E., & Von Solms, R. (1998). Information security awareness: Educating your users effectively. Information Management & Computer Security, 6(4), 167–173. doi:10.1108/09685229810227649
  • Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: Insights from habit and protection motivation theory. Information & Management, 49(3–4), 190–198. doi:10.1016/j.im.2012.04.002
  • Venkatesh, V., Morris, M. G., Davis, G. B., & Davis, F. D. (2003). User acceptance of information technology: Toward a unified view. MIS Quarterly, 27(3), 425–478.
  • Warkentin, M., Malimage, N., & Malimage, K. (2012, December). Impact of protection motivation and deterrence on IS security policy compliance: A multi-cultural view (Paper 20). Paper presented at the Pre-ICIS Workshop on Information Security and Privacy (SIGSEC), Orlando, FL.
  • Weinstein, N. D. (1988). The precaution adoption process. Health Psychology, 7(4), 355–386. doi:10.1037/0278-6133.7.4.355
  • Weinstein, N. D. (1993). Testing four competing theories of health-protective behavior. Health Psychology, 12(4), 324–333. doi:10.1037/0278-6133.12.4.324
  • Werts, C. E., Linn, R. L., & Jöreskog, K. G. (1974). Intraclass reliability estimates: Testing structural assumptions. Educational and Psychological Measurement, 34(1), 25–33. doi:10.1177/001316447403400104
  • Witte, K., & Allen, M. (2000). A meta-analysis of fear appeals: Implications for effective public health campaigns. Health Education & Behavior, 27(5), 591–615. doi:10.1177/109019810002700506
  • Witte, K., Cameron, K. A., McKeon, J. K., & Berkowitz, J. M. (1996). Predicting risk behaviors: Development and validation of a diagnostic scale. Journal of Health Communication, 1(4), 317–342. doi:10.1080/108107396127988
  • Woon, I., Tan, G.-W., & Low, R. (2005, December). A protection motivation theory approach to home wireless security. Paper presented at the Proceedings of the 26th International Conference on Information Systems, Las Vegas, NV.

Reprints and Corporate Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

To request a reprint or corporate permissions for this article, please click on the relevant link below:

Order Reprints Request Corporate Permissions

Academic Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

Obtain permissions instantly via Rightslink by clicking on the button below:

Request Academic Permissions

If you are unable to obtain permissions via Rightslink, please complete and submit this Permissions form. For more information, please visit our Permissions help page.

Related research

People also read lists articles that other readers of this article have read.

Recommended articles lists articles that we recommend and is powered by our AI driven recommendation engine.

Cited by lists all citing articles based on Crossref citations.
Articles with the Crossref icon will open in a new tab.