Irrational Human Factors in Behavioral Information Security: Familiarity, Fear, and a Change of Mind

Abstract

Behavioral information security (ISec) is an important research stream for management information systems (MIS) that relies on developments in other human sciences. In this dissertation, we investigate the psychological side of MIS by discussing the relationship between a few selected irrational human factors and persuasive information security communication. In Study 1, we explore the role of familiarity on the perception of a range of information security threats and protective behavior. This topic is important and relevant, in that any type of ISec communication can get people familiarized with the broader topic of security and threat despite of its designed intention. The results show that familiarity could yield both positive and negative effects depending on how it is operationalized in the communicative setting. Study 2 was motivated by MIS’s recent emphasis of “fear as the drive” in information security compliance, as well as the use of neuroimaging techniques to validate such fear. Along the chapter, we question the scientific understanding of fear and its measurement in behavioral ISec studies, and further argue that the inherent meaning of one general mental construct may vary to such a degree that a standardized measurement should be discouraged in MIS. Finally, in Study 3, we problematize the simple human capacity of being able to “change their mind” after making an initial decision. Based on discourses in behavioral economics and philosophy, a framework is proposed for portraying how one’s able to have a change of mind, while the relationship between behavioral predictability and the individual’s flexible use of information for decision support is emphasized. This framework explains why persuaded decision-making results may not last and how communication issuers may adapt a relaxed yet reflective implementation strategy to achieve more stable result in a longer lifecycle. This dissertation contributes to MIS and ISec communication by exploring the foundational roles of three subtle yet crucial human factors, namely, familiarity, fear, and a change of mind. The discussions and results are linked to more generalized problems in MIS’s pursuit of scientific and methodological rigor. Meanwhile, they imply great potential in embracing MIS’s research possibilities in a human-centered direction.

Keywords: irrationality, behavioral information security, decision-making