Exploring determinants of different information security behaviors
Aim: The aim was to introduce new explanatory construct, namely illegitimate tasks from Stress-as-Offense-to-Self Theory (SOS), to better understand information security behavior (ISB). In addition, more commonly used constructs from Deterrence theory (DT) and Protection Motivation Theory (PMT) were used to explain ISB. This study also investigated several behaviors separately to evaluate the generalizability of the behavioral determinants. Methods: Four ISBs, namely general ISP compliance (ISP), not copying sensitive information to the unsecured USB drive (USB), locking or logging out from the computer (LOG), and not writing down passwords (PSW). Formal and informal sanctions from DT, threat and coping appraisal, as well as fear, from PMT, and illegitimate tasks from SOS were included as determinants of ISB. The survey method was used to data collection, and each participant answered to one behavior-specific questionnaire. There were 119 respondents to the ISP, 111 to the USB, 118 to the LOG, and 112 to the PSW questionnaires. 55,5% of the 460 participants were male, and 62,2% belonged to the age group of 20-30 years. Most of the participants (56,3%) had 1-7 years of work experience and they were technologically savvy. Confirmatory factor analysis and hierarchical linear regression analysis were used in the analyses, and analysis strategy was applied separately for each of the four ISBs. Results: DT, PMT, and SOS, as well as control variables, explained more than half of the variance (51,1-57,9%) in all of the behaviors, namely ISP, USB, LOG, and PSW. Illegitimate tasks had a relatively strong negative association with two of the ISBs indicating that they function as a determinant of ISB and should be considered in the future research of ISB. Illegitimate tasks also added explanatory power to the models containing sanctions from DT and appraisals from PMT. Illegitimate tasks were the strongest determinant of ISP and LOG. Although illegitimate tasks had a significant association with two of the ISBs, PMT contributed the most strongly to explaining different ISBs. Rewards and costs were the most prominent determinants of behavior and they also correlated highly with illegitimate tasks. This association can be theoretically explained and understood by SOS which addresses the effects of task evaluation on one’s selfimage and relationship with the organization one works at. Of the other constructs of PMT, fear and threat appraisal were significant predictors of LOG and USB, respectively, while response efficacy and self-efficacy predicted ISP. According to the findings of this study, sanctions from DT were not significant predictors of any of the ISBs. Conclusions: ISB has complex and multiple determinants that differ depending on the behavior in question. Findings related to a certain form of behavior are not necessarily generalizable to explaining other behaviors. This should be taken into account when planning research designs and practical procedures for information security management.
Keywords
...
Keywords
Metadata
Show full item recordCollections
- Pro gradu -tutkielmat [29116]
Related items
Showing items with similar title or keywords.
-
Protection Motivation Theory in Information Security Behavior Research : Reconsidering the Fundamentals
Siponen, Mikko; Rönkkö, Mikko; Fufan, Liu; Haag, Steffi; Laatikainen, Gabriella (Association for Information Systems, 2024)Scholars commonly use protection motivation theory (PMT) by Rogers to examine information systems (IS) security behaviors and behavioral intentions. A recent, influential paper by Boss, Galletta, Lowry, Moody, and Polak ... -
Common Misunderstandings of Deterrence Theory in Information Systems Research and Future Research Directions
Siponen, Mikko; Soliman, Wael; Vance, Anthony (ACM, 2022)In the 1980s, information systems (IS) borrowed deterrence theory (DT) from the field of criminology to explain information security behaviors (or intention). Today, DT is among the most commonly used theories in IS security ... -
Toward a stage theory of the development of employees' information security behavior
Karjalainen, Mari; Siponen, Mikko; Sarker, Suprateek (Elsevier, 2020)Existing behavioral information security research proposes continuum or non-stage models that focus on finding static determinants for information security behavior (ISB) that remains unchanged. Such models cannot explain ... -
Effects of Sanctions, Moral Beliefs, and Neutralization on Information Security Policy Violations Across Cultures
Vance, Anthony; Boyer Fellow, Selvoy J.; Siponen, Mikko T.; Straub, Detmar W. (Elsevier, 2020)A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP violations, yet studies ... -
Impact of deterrence theory methods on employees' information security behavior
Kuhalampi, Mikko (2017)Peloteteoria (Deterrence theory) on alun perin psykologiassa ja kriminologiassa käytetty termi, ja sen mukaan rangaistuksen pelko estää yksilöä toimimasta vastoin lakia ja sääntöjä. Digitalisoituvassa maailmassa on viimeisen ...