A multi-theoretical perspective on conceptualization and contextualization of IS security behavior

Abstract

The Internet has connected almost everything in our daily life, making information systems security (ISec) an important issue not only to organizations but also to personal users. Despite the increasing number of users of Internet-connected IT, there is insufficient research into how users make their ISec-related decisions (i.e., the cognitive appraisals), their decision-making process under the influence of emotion (i.e., the emotional motivation), user characteristics (e.g., user involvement, years of use), or whether they have enough ISec knowledge to make the right decision to secure their information and computing environment (i.e., the knowledge level). This dissertation contributes to bridging these research gaps by focusing on three studies that explore the security-related decision-making process among personal users. By using novel theoretical perspectives and revisiting some of the “old” theoretical assumptions, we offer insights of value to both academics and practitioners. Three studies are tested and reported that provide insights into the cognitive appraisals, emotional motivation, user characteristics, and ISec knowledge of personal users’ decision-making process regarding security-related behavior. By considering additional theories and constructs and revisiting the theoretical and methodology perspectives, this dissertation provides several contributions to behavioral ISec studies. The results of the empirical study provide new insights into the cognitive mediation process, the decision-making process under the influence of defensive avoidance, and personal users’ self-regulated ability to protect their personal computing devices.

Keywords: cognitive mediation, defensive avoidance, information security knowledge, threat appeals, boundary condition, conceptualization, instrument development