How “What you think you know about cybersecurity” can help users make more secure decisions

2023 | Information & Management | Citations: 0

Authors: Fard Bahreini, Amir; Cavusoglu, Hasan; Cenfetelli, Ronald T.

Abstract: The increasing use of information technology artifacts in daily life makes secur ... Expand

Abstract: The increasing use of information technology artifacts in daily life makes security a shared responsibility of both users and companies. In recent years, increasing a user’s objective (i.e., actual) security knowledge and providing applications with more secure default settings appear among the most ubiquitous tools companies use to broaden their efforts to help users make more secure decisions. Examining both solutions matters because they are widely used, cost effective, and understood by many security practitioners. Additionally, default settings and users’ objective knowledge provide anchors for decision-making. However, human errors and insecure default settings are increasing and raising further questions about the efficacy of such efforts. Using the theory of bounded ra­ tionality, we investigated the role of objective, subjective (i.e., self-assessed) security knowledge, and default settings security level on the overall decision security. We found that objective security knowledge can lead to secure decisions when paired with high subjective security knowledge. In the absence of the latter, objective security knowledge is unable to lead to better security decisions. Furthermore, subjective security knowledge reduces the extent to which users fully accept default security settings, thereby mitigating bias toward insecure default settings. Collapse

Topics: mobile application data security decision making self efficacy mobile application market

Methods: survey descriptive statistic structural equation modeling literature study post-hoc analysis

Theories: theory of bounded rationality

Close the Intention-Behavior Gap via Attitudes: Case Study of the Volitional Adoption of a Two-Factor Authentication Service

2023 | HICSS | Citations: 0

Authors: Mattson, Tom; Aurigemma, Sal; Ren, Jie

Abstract: Most of the theories used in the behavioral security literature explain the vari ... Expand

Abstract: Most of the theories used in the behavioral security literature explain the variance in intentions to act securely. Yet, individuals often fail to act on their intentions. This disconnect is referred to as the intention-behavior gap. Most theories propose a single structural path between intentions and actual behaviors with the expectation that individuals will act on their intentions. The purpose of our paper is to investigate this intention-behavior gap in the context of the volitional adoption of information security technologies. To do so, we conducted a two-phased qualitative study of the adoption of a two-factor authentication (2FA) service. In our bottom-up investigation, we discovered emergent themes related to the four functional areas of attitudes (i.e., functional attitude theory). Our paper contributes to the behavioral security literature by suggesting that individuals must change their negative attitudes related to different functional areas to start to reduce the intention-behavior gap. Collapse

Topics: multi-factor authentication behavioral intention electronic mail data security data breach

Methods: qualitative coding personal interview logistic regression

Theories: attitude theory

Positively Fearful: Activating the Individual’s HERO Within to Explain Volitional Security Technology Adoption

2023 | Journal of the Association for Information Systems | Citations: 0

Authors: Mattson, Thomas; Aurigemma, Sal; Ren, Jie

Abstract: Regardless of what security professionals do to motivate personal users to adop ... Expand

Abstract: Regardless of what security professionals do to motivate personal users to adopt security technologies volitionally, the end result seems to be the same-low adoption rates. To increase these rates, we propose activating their positive psychological capital (PsyCap), which consists of hope, self-efficacy, resilience, and optimism (i.e., their "HERO within"). We propose that greater PsyCap toward a security technology is associated with greater adoption rates (and intentions thereof) because positivity increases motivation. We further posit that PsyCap both moderates and is moderated by other constructs. We suggest that personal users' conditioned fear from the security threat moderates the effect of PsyCap on adoption intentions because some fear is necessary to activate their positive PsyCap to form their behavioral intentions to adopt security technologies. We further hypothesize that PsyCap moderates the effect of adoption intentions on actual adoption rates because activating an individual's HERO within encourages individuals to exert the effort necessary to translate their intentions into actual adoption. Finally, we theorize that enhancing fear appeal messages with appeals to an individual's HERO has a greater effect on volitional adoption rates relative to messages without these PsyCap-related appeals. To support our hypotheses, we conducted two experiments using the volitional adoption of a password manager application and a two-factor authentication (2FA) service. We found differential support for our hypotheses across the two security technologies, which suggests technology characteristics might mitigate the impact of PsyCap on volitional adoption decisions. and underwent three revisions.Thomas Mattson researches a variety of information systems topics including behavioral information security, online networks of practice, technology adoption, and continued use of information systems. He has published in a variety of scholarly journals such as MIS Quarterly, Journal of the Association Sal Aurigemma researches employee information security policy compliance, small business information security practices, and end-user security behaviors. He has published his research in a variety of scholarly journals such as the Jie Ren researches the business impact of collective online behaviors, crowdsourcing, online reviews, social media, and behavioral information security. Her research has been published in many scholarly journals such as the European Collapse

Topics: multi-factor authentication behavioral intention self efficacy password electronic mail

Methods: experimental group experiment survey design chi squared test descriptive statistic

Using Multi-Factor Authentication for Online Account Security: Examining the Influence of Anticipated Regret

2023 | Information Systems Frontiers | Citations: 0

Authors: Ogbanufe, Obi M.; Baham, Corey

Abstract: Authentication plays an important role in securing our systems but is threatened ... Expand

Abstract: Authentication plays an important role in securing our systems but is threatened by increasingly sophisticated account hacking and account take over. Several security services have been developed, including multi-factor authentication (MFA) designed to cope with online account authentication. It remains unknown how users perceive and evaluate secure authentication for online account threats and consequently use it to protect their online account. Drawing on the Protection Motivation Theory (PMT) and the literature on anticipated regret, this study investigates the factors that affect the use of MFA secure authentication to avoid online account threats. This work extends PMT by showing how the emotion of anticipated regret heightens appraisals of threat and coping. Collapse

Topics: electronic authentication multi-factor authentication IT security mobile system cloud storage

Methods: survey theory development structural equation modeling facial recognition system biometric measurement

Theories: protection motivation theory

Securing online accounts and assets: An examination of personal investments and protection motivation

2023 | International Journal of Information Management | Citations: 0

Authors: Ogbanufe, Obi

Abstract: This paper examines how personal investment influence the use of multi-factor au ... Expand

Abstract: This paper examines how personal investment influence the use of multi-factor authentication (MFA) for securing online accounts. We draw from the Protection Motivation Theory (PMT) that accounts for intrapersonal factors that increase one’s understanding of their threat and coping mechanisms and, subsequently, their motivation to protect such investments. We integrate size of investment – the amount of time, effort, and other personal resources that an individual has put into their online account. Based on PMT’s framework, we develop a research model that examines the influence of investment size as an information source that initiates and builds threat and coping appraisals. The model is tested with a survey of 263 responses, and the result shows that investment size influences threat and coping appraisals, which in turn increases MFA protection motivation and use. These results highlight the importance of eliciting individuals’ personal investments in order to improve their protective security behaviors. Collapse

Topics: self efficacy electronic authentication IT security multi-factor authentication data security

Methods: survey structural equation modeling partial least squares path modeling correlation analysis survey design

Theories: protection motivation theory

The Influence of Temporal Focus on Employee Preferences in Cybersecurity Training

2023 | International Conference on Information Systems | Citations: 0

Authors: Shaikh, Faheem Ahmed

Abstract: ... Expand

Abstract: Collapse

Topics: IT security security policy electronic mail password IS education

Methods: descriptive statistic survey experimental group chi squared test theory development

Theories: construal level theory

Using the Expectancy-Value Theory of Motivation to Understand the Gaps in Mobile Identity Protection.

2021 | International Conference on Information Systems | Citations: 0

Authors: Alhelaly, Yasser; Dhillon, Gurpreet; Oliveira, Tiago

Abstract: ... Expand

Abstract: Collapse

Topics: mobile application identity theft password user expectation multi-factor authentication

Methods: case study qualitative interview mixed method interpretative method personal interview

Theories: expectancy–value theory

Mitigating the Security Intention-Behavior Gap: The Moderating Role of Required Effort on the Intention-Behavior Relationship

2021 | Journal of the Association for Information Systems | Citations: 0

Authors: Jenkins, Jeffrey; Durcikova, Alexandra; Jay F. Nunamaker, Jr

Abstract: Although users often express strong positive intentions to follow security polic ... Expand

Abstract: Although users often express strong positive intentions to follow security policies, these positive intentions fail to consistently translate to behavior. In a security setting, the inconsistency between intentions and behavior—termed the intention-behavior gap—is particularly troublesome, as a single failure to enact positive security intentions may make a system vulnerable. We address a need in security compliance literature to better understand the intention-behavior gap by explaining how an omnipresent competing intention—the user’s desire to minimize required effort—negatively moderates the relationship between positive intentions and actual security behavior. Moreover, we posit that this moderating effect is not accounted for in extant theories used to explain behavioral information security, introducing an opportunity to broadly impact information security research to more consistently predict behavior. In three experiments, we found that high levels of required effort negatively moderated users’ intentions to follow security policies. Controlling for this moderating effect substantially increased the explained variance in security policy compliance. The results suggest that security researchers should be cognizant of the existence of competing intentions, such as the desire to minimize required effort, which may moderate the security intention-behavior relationship. Otherwise, such competing intentions may cause unexpected inconsistencies between users’ intentions to behave securely and their actual security behavior. Collapse

Topics: security policy password data breach lean manufacturing IT security training

Methods: experiment experimental group survey statistical hypothesis test regression analysis method

Theories: theory of planned behavior protection motivation theory deterrence theory theory of bounded rationality

Protecting Against Threats to Information Security: An Attitudinal Ambivalence Perspective

2021 | Journal of Management Information Systems | Citations: 13

Authors: Ng, Ka Chung; Zhang, Xiaojun; Thong, James Y. L.; Tam, Kar Yan

Abstract: A popular information security-related motivation theory is the Protection Motiv ... Expand

Abstract: A popular information security-related motivation theory is the Protection Motivation Theory (PMT) that has been studied extensively in many information security contexts with promising results. However, prior studies have found inconsistent findings regarding the relationships within PMT. To shed light on these inconsistent findings, we introduce the attitudinal ambivalence theory to open the black box within PMT. We tested our model on data collect ed from 1,383 individuals facing potential cyberattacks of their emails in a field experiment. The results of polynomial regression with response surface analysis showed that attitudinal ambivalence is generated from the opposition between an individual's evaluations of maladaptive rewards and social norms (i.e., descriptive norm and subjective norm). This attitudinal ambivalence, in turn, affects individuals' evaluations of their coping appraisal process and protection motivation, and ultimately protection behavior. We discuss the theoretical and managerial implications of identifying the determinants and outcomes of attitudinal ambivalence in the information security context. From a theoretical standpoint, our work contributes to the information security literature by incorporating attitudinal ambivalence, which arises from the intrapersonal and interpersonal appraisal processes, into PMT. From a practical standpoint, our work provides insights into designing effective fear appeals to avoid triggering attitudinal ambivalence and thus encouraging adoption of security protection behavior. Collapse

Topics: data security multi-factor authentication electronic mail IT security social norm

Methods: experimental group survey theory development polynomial regression descriptive statistic

Psychological Profiling of Hacking Potential

2020 | HICSS | Citations: 0

Authors: Gaia, Joana; Ramamurthy, Bina; Sanders, G Lawrence; Sanders, Sean Patrick; Upadhyaya, Shambhu; Wang, Xunyi; Yoo, Chul Woo

Abstract: Several suggestions will be made on what This paper investigates the psychologic ... Expand

Abstract: Several suggestions will be made on what This paper investigates the psychological traits of organizations can do to address insider threats. Collapse

Topics: criminality computer crime information privacy law IT security threat database system

Methods: survey partial least squares regression conceptual modelling PLS tool literature study

Theories: rational choice theory big five model