Explaining Users' Security Behaviors with the Security Belief Model

Journal of Organizational Computing and Electronic Commerce, 2014

Information security is often viewed as a technological matter. However, security professionals will readily admit that without safe practices by users, no amount or type of technology will be effective at preventing unauthorized intrusions. By paralleling the practices of information security and health prevention, a rationale for employing constructs from existing models of health behavior is established. A comprehensive and parsimonious model (the Security Belief Model) is developed to explain information security behavior intentions. The model is tested empirically based on a sample of 237 Indian professionals. The results of the empirical study indicate general support for the model, particularly including severity, susceptibility, benefits, and a cue to action as antecedents to the intention to perform preventive information security behaviors. The paper also discusses implications of the model and results for practitioners, as well as possibilities for future research.

Studying users' computer security behavior: A health belief perspective

The damage due to computer security incidents is motivating organizations to adopt protective mechanisms. While technological controls are necessary, computer security also depends on individuals' security behavior. It is thus important to investigate what influences a user to practice computer security. This study uses the Health Belief Model, adapted from the healthcare literature, to study users' computer security behavior. The model was validated using survey data from 134 employees. Results show that perceived susceptibility, perceived benefits, and self-efficacy are determinants of email-related security behavior. Perceived severity moderates the effects of perceived benefits, general security orientation, cues to action, and self-efficacy on security behavior.

A System Dynamics Model of Cognitive Beliefs and Factors Influencing Computer Users' Information Security Behaviour

African Conference on Information Systems, 2017

To protect systems and data, the adoption of information security is important, with the human factor playing a significant role in ensuring positive security behaviour. This paper adopts system dynamics and the theory of planned behaviour as a lens to analyse computer user information security behaviour. It explores the positive and negative loop effects of cognitive beliefs as factors that influence the behaviour. This focuses on a user-centred, as opposed to technology-centred, approach to motivating behaviour. The analysis shows how behavioural beliefs inform perceived benefits or drawbacks of adopting security measures and consequently determine attitude towards information security. Normative beliefs are influenced by social pressure or people perceived to be important and consequently determine subjective norms towards information security. Control beliefs are shaped by the perceived ease or difficulty of adopting security measures, which consequently determines perceived behavioural control towards information security. Changing cognitive beliefs and factors define a user's intention and subsequently the adoption of information security measures. A model revealing the complex interplay is developed, providing a view of the beliefs and factors influencing information security behaviour. An understanding of beliefs and factors can be used to design an effective information security awareness program to keep users motivated to adopt security measures.

Enforcing Information Security Protection: Risk Propensity and Self-Efficacy Perspectives

Proceedings of the 50th Hawaii International Conference on System Sciences (2017), 2017

Effective information security (InfoSec) management cannot be achieved through technology alone; people are the weakest point in security, and their behaviors, such as inappropriate use of computer and network resources, file sharing habits, etc., cannot be controlled by security technologies. Although the importance of individuals' InfoSec behaviors has been widely recognized, there is limited understanding of what impacts individual users' InfoSec protection behavior. Thus, focusing on the relationships among risk propensity, InfoSec self-efficacy, and InfoSec protection efforts from several theoretical lenses, the study proposes a research model to explain individuals' intention to reinforce their InfoSec protection and empirically validates the proposed model. The results of the study are expected to provide a deeper understanding of the relationships among risk propensity, self-efficacy, risk perception, InfoSec protection efforts, and InfoSec reinforcement intention.

An Empirical Study of Home User Intentions towards Computer Security

Proceedings of the 52nd Hawaii International Conference on System Sciences, 2019

Home computer users are solely responsible for implementing security measures on their devices. Although most computers have security software installed, the potential remains for security breaches, which makes it important for home users to take additional steps, such as not sharing one's password and using strong passwords, to secure their devices further. Drawing on protection motivation theory and findings from prior research, this study evaluates factors that influence individuals to implement additional security measures to protect their home computers. Using SmartPLS and responses from 72 home computer users, the results show that response efficacy, self-efficacy and subjective norms were significant in encouraging persons to implement additional security measures. Maladaptive rewards on the other hand acted as a significant detractor, while neither perceived vulnerability nor perceived severity was significant in relation to willingness to implement additional security measures.

An Integrative Behavioral Model of Information Security Policy Compliance

The Scientific World Journal, 2014

The authors found the behavioral factors that influence the organization members’ compliance with the information security policy in organizations on the basis of neutralization theory, the theory of planned behavior, and protection motivation theory. Depending on the theory of planned behavior, members’ attitudes towards compliance, as well as normative belief and self-efficacy, were believed to determine the intention to comply with the information security policy. Neutralization theory, a prominent theory in criminology, could be expected to provide the explanation for information system security policy violations. Based on the protection motivation theory, it was inferred that the expected efficacy could have an impact on intentions of compliance. By the above logical reasoning, the integrative behavioral model and eight hypotheses could be derived. Data were collected by conducting a survey; 194 out of 207 questionnaires were available. The test of the causal model was conducted by...

Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness

http://aisel.aisnet.org/misq/vol34/iss3/9/

Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be great assets in the effort to reduce risk related to information security. Since the key is employees who comply with the information security rules and regulations of the organization, understanding compliance behavior is crucial for organizations that want to leverage their human capital to strengthen information security. This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization’s information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee’s attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee’s attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee’s outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards, while cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee’s attitude toward compliance with the ISP. Our results show that an employee’s intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee’s attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees’ following their organizations’ information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization’s efforts to encourage compliance.

An Extended Perspective on Individual Security Behaviors

ACM SIGMIS Database: the DATABASE for Advances in Information Systems, 2014

Security threats regularly affect users of home computers. As such, it is important to understand the practices of users for protecting their computers and networks, and to identify determinants of these practices. Several recent studies utilize Protection Motivation Theory (PMT) to explore these practices. However, these studies focus on one specific security protection behavior or on intentions to use a generic measure of security protection tools or techniques (practices). In contrast, this study empirically tests the effectiveness of PMT to explain a newly developed measure for collectively capturing several individual security practices. The results show that PMT explains an important portion of the variance in the unified security practices measure, and demonstrates the importance of explaining individual security practices as a whole as opposed to one particular behavior individually. Implications of the study for research and practice are discussed.

WHAT INFLUENCES INFORMATION SECURITY BEHAVIOR? A STUDY WITH BRAZILIAN USERS

JISTEM - Journal of Information Systems and Technology Management, 2016

The popularization of software to mitigate Information Security threats can produce an exaggerated notion about its full effectiveness in the elimination of any threat. This situation can result in reckless user behavior, increasing vulnerability. Based on behavioral theories, a theoretical model and hypotheses were developed to understand the extent to which human perception of threat, control and disgruntlement can induce responsible behavior. A self-administered questionnaire was created and validated. The data were collected in Brazil, and complementary results regarding similar studies conducted in the USA were found. The results show that there is an influence of information security orientations provided by organizations on the perception of the severity of the threat. The relationship between threat, effort, control and disgruntlement, and the responsible behavior towards information security was verified through linear regression. The results also point out the significant influence of the analyzed construct on Safe Behavior. The contributions involve relatively new concepts in the field and a new research instrument as well. For practitioners, this study highlights the importance of Perceived Severity and Perceived Susceptibility in the formulation of the content of Information Security awareness guidelines within organizations. Moreover, users' disgruntlement with the organization, colleagues or superiors is a factor to be considered in awareness programs.

Home Computer User Security Behavioral Intention: A Replication Study from Guam

2021

This replication study is a methodological replication of Study 1 of Anderson and Agarwal (2010) (A&A) using data collected from Guam to investigate information security (InfoSec) behavioral intention. This study also extended the A&A Model by examining the effect of gender on each construct of the model. Our findings are very similar to those reported by A&A, and indicate that the model is generalizable to the population on Guam. We also observed the effect of gender on several constructs of the model. As this study cannot confirm whether the slight differences between the result of A&A and this study are related to cultural differences, we suggest future replication studies be conducted to examine how culture would affect our security behavior intention. We also suggest practitioners consider gender as an important factor when designing mechanisms to encourage people to practice information security behavior.