Exploring determinants of different information security behaviors

Abstract

Aim: The aim was to introduce new explanatory construct, namely illegitimate tasks from Stress-as-Offense-to-Self Theory (SOS), to better understand information security behavior (ISB). In addition, more commonly used constructs from Deterrence theory (DT) and Protection Motivation Theory (PMT) were used to explain ISB. This study also investigated several behaviors separately to evaluate the generalizability of the behavioral determinants. Methods: Four ISBs, namely general ISP compliance (ISP), not copying sensitive information to the unsecured USB drive (USB), locking or logging out from the computer (LOG), and not writing down passwords (PSW). Formal and informal sanctions from DT, threat and coping appraisal, as well as fear, from PMT, and illegitimate tasks from SOS were included as determinants of ISB. The survey method was used to data collection, and each participant answered to one behavior-specific questionnaire. There were 119 respondents to the ISP, 111 to the USB, 118 to the LOG, and 112 to the PSW questionnaires. 55,5% of the 460 participants were male, and 62,2% belonged to the age group of 20-30 years. Most of the participants (56,3%) had 1-7 years of work experience and they were technologically savvy. Confirmatory factor analysis and hierarchical linear regression analysis were used in the analyses, and analysis strategy was applied separately for each of the four ISBs. Results: DT, PMT, and SOS, as well as control variables, explained more than half of the variance (51,1-57,9%) in all of the behaviors, namely ISP, USB, LOG, and PSW. Illegitimate tasks had a relatively strong negative association with two of the ISBs indicating that they function as a determinant of ISB and should be considered in the future research of ISB. Illegitimate tasks also added explanatory power to the models containing sanctions from DT and appraisals from PMT. Illegitimate tasks were the strongest determinant of ISP and LOG. Although illegitimate tasks had a significant association with two of the ISBs, PMT contributed the most strongly to explaining different ISBs. Rewards and costs were the most prominent determinants of behavior and they also correlated highly with illegitimate tasks. This association can be theoretically explained and understood by SOS which addresses the effects of task evaluation on one’s selfimage and relationship with the organization one works at. Of the other constructs of PMT, fear and threat appraisal were significant predictors of LOG and USB, respectively, while response efficacy and self-efficacy predicted ISP. According to the findings of this study, sanctions from DT were not significant predictors of any of the ISBs. Conclusions: ISB has complex and multiple determinants that differ depending on the behavior in question. Findings related to a certain form of behavior are not necessarily generalizable to explaining other behaviors. This should be taken into account when planning research designs and practical procedures for information security management. Keywords