Exploring determinants of different information security behaviors
Aim: The aim was to introduce new explanatory construct, namely illegitimate tasks from Stress-as-Offense-to-Self Theory (SOS), to better understand information security behavior (ISB). In addition, more commonly used constructs from Deterrence theory (DT) and Protection Motivation Theory (PMT) were used to explain ISB. This study also investigated several behaviors separately to evaluate the generalizability of the behavioral determinants. Methods: Four ISBs, namely general ISP compliance (ISP), not copying sensitive information to the unsecured USB drive (USB), locking or logging out from the computer (LOG), and not writing down passwords (PSW). Formal and informal sanctions from DT, threat and coping appraisal, as well as fear, from PMT, and illegitimate tasks from SOS were included as determinants of ISB. The survey method was used to data collection, and each participant answered to one behavior-specific questionnaire. There were 119 respondents to the ISP, 111 to the USB, 118 to the LOG, and 112 to the PSW questionnaires. 55,5% of the 460 participants were male, and 62,2% belonged to the age group of 20-30 years. Most of the participants (56,3%) had 1-7 years of work experience and they were technologically savvy. Confirmatory factor analysis and hierarchical linear regression analysis were used in the analyses, and analysis strategy was applied separately for each of the four ISBs. Results: DT, PMT, and SOS, as well as control variables, explained more than half of the variance (51,1-57,9%) in all of the behaviors, namely ISP, USB, LOG, and PSW. Illegitimate tasks had a relatively strong negative association with two of the ISBs indicating that they function as a determinant of ISB and should be considered in the future research of ISB. Illegitimate tasks also added explanatory power to the models containing sanctions from DT and appraisals from PMT. Illegitimate tasks were the strongest determinant of ISP and LOG. Although illegitimate tasks had a significant association with two of the ISBs, PMT contributed the most strongly to explaining different ISBs. Rewards and costs were the most prominent determinants of behavior and they also correlated highly with illegitimate tasks. This association can be theoretically explained and understood by SOS which addresses the effects of task evaluation on one’s selfimage and relationship with the organization one works at. Of the other constructs of PMT, fear and threat appraisal were significant predictors of LOG and USB, respectively, while response efficacy and self-efficacy predicted ISP. According to the findings of this study, sanctions from DT were not significant predictors of any of the ISBs. Conclusions: ISB has complex and multiple determinants that differ depending on the behavior in question. Findings related to a certain form of behavior are not necessarily generalizable to explaining other behaviors. This should be taken into account when planning research designs and practical procedures for information security management.
Keywords
...
Asiasanat
Metadata
Näytä kaikki kuvailutiedotKokoelmat
- Pro gradu -tutkielmat [29743]
Lisenssi
Samankaltainen aineisto
Näytetään aineistoja, joilla on samankaltainen nimeke tai asiasanat.
-
Protection Motivation Theory in Information Security Behavior Research : Reconsidering the Fundamentals
Siponen, Mikko; Rönkkö, Mikko; Fufan, Liu; Haag, Steffi; Laatikainen, Gabriella (Association for Information Systems, 2024)Scholars commonly use protection motivation theory (PMT) by Rogers to examine information systems (IS) security behaviors and behavioral intentions. A recent, influential paper by Boss, Galletta, Lowry, Moody, and Polak ... -
Common Misunderstandings of Deterrence Theory in Information Systems Research and Future Research Directions
Siponen, Mikko; Soliman, Wael; Vance, Anthony (ACM, 2022)In the 1980s, information systems (IS) borrowed deterrence theory (DT) from the field of criminology to explain information security behaviors (or intention). Today, DT is among the most commonly used theories in IS security ... -
Toward a stage theory of the development of employees' information security behavior
Karjalainen, Mari; Siponen, Mikko; Sarker, Suprateek (Elsevier, 2020)Existing behavioral information security research proposes continuum or non-stage models that focus on finding static determinants for information security behavior (ISB) that remains unchanged. Such models cannot explain ... -
Protection Motivation Theory in Information Systems Security Research : A Review of the Past and a Road Map for the Future
Haag, Steffi; Siponen, Mikko; Liu, Fufan (ACM, 2021)Protection motivation theory (PMT) is one of the most commonly used theories to examine information security behaviors. Our systematic review of the application of PMT in information systems (IS) security and the comparison ... -
Effects of Sanctions, Moral Beliefs, and Neutralization on Information Security Policy Violations Across Cultures
Vance, Anthony; Boyer Fellow, Selvoy J.; Siponen, Mikko T.; Straub, Detmar W. (Elsevier, 2020)A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP violations, yet studies ...
Ellei toisin mainittu, julkisesti saatavilla olevia JYX-metatietoja (poislukien tiivistelmät) saa vapaasti uudelleenkäyttää CC0-lisenssillä.