Protection Motivation Theory in Information Security Behavior Research : Reconsidering the Fundamentals

Abstract

Scholars commonly use protection motivation theory (PMT) by Rogers to examine information systems (IS) security behaviors and behavioral intentions. A recent, influential paper by Boss, Galletta, Lowry, Moody, and Polak (2015; hereafter BGLMP) in MIS Quarterly outlines correct and incorrect uses of PMT in Information Security behavior research. In this paper, we review some of BGLMP’s key recommendations, such as the claim that all IS behavior studies that apply PMT should always use the model of the full theory, contain and measure fear, and measure actual behaviors. We defend an interpretation of Rogers (1975, 1983) that differs from the interpretation that BGLMP propose. We present evidence that Rogers’ PMT and the empirical evidence do not adequately support many of BGLMP’s suggestions and that these suggestions contradict good scientific practices (e.g., restricting the use of the method of isolation) that the philosophy of science and the original literature on PMT uphold. As a result, if reviewers and editors continue to embrace these recommendations, they could hinder the progress of IS behavior research by not allowing isolation or the combination of different theoretical components. In contrast to BGLMP’s paper, we argue that further PMT research can focus on isolated PMT components and combine them with other theories. Some of our ideas (e.g., isolation) are not PMT-specific and could be useful for IS research in general. In summary, we contest BGLMP’s recommendations and offer revised recommendations in return.