RESPONSE TO SECURITY THREATS: APPRAISAL OF PROTECTION AND AVOIDANCE ACTIONS

Noushin Ashrafi, Jean-Pierre Kuilboer and One-Ki (Daniel) Lee
University of Massachusetts Boston
100 Morrissey Blvd., Boston MA 02125 – USA

ABSTRACT

In the age of Big Data, security and privacy issues are magnified and dealt with differently from traditional tactics. However, the traditional security threats have become a source of constant fear and are costly to individuals and organizations. Security experts have explored the intertwined role of technology and human behavior concerning security protection actions. This research offers an integrated model building on existing theories such as Protection Motivation Theory (PMT), Health Behavior Model (HBM), and Extended Parallel Processing Model (EPPM). We address the impact of the users’ awareness of security threats on their protective actions while taking into consideration the mediation influence of fear.

We also examine moderation effects of intrinsic as well as extrinsic factors such as users’ perception of self-efficacy and the benefits and barriers of protective actions respectively. Structural Equation Modeling (SEM) is used to measure the proposed mediation and moderation effects. Our integrated theoretical model revolves around the assumption that security protection actions are formed by complex human behavior, rather than mere deployment of protective technology. The proposed model will be tested on data gathered from targeted populations in the US and Europe. This context-specific dimension will allow examination of cultural differences between the US and Europe. Our results may shed light on the problem that despite advances in security protection technology, the deployment of such technologies is governed by human behavior and influenced by the cultural background of the individuals.

KEYWORDS

Security Threat, SEM, PMT, HBM, EPPM

1. INTRODUCTION

Since the privatization of the Internet for e-commerce in the 1990s, which led to an exponential growth of the flow of information, information security has become a source of trepidation. Information security is the protection of personal data against unauthorized access or modification while ensuring its availability to legitimate users, confidentiality, and integrity. There is no question that the Internet has become a ubiquitous platform for social and business activities. Although the public, at large, is aware of its cost/benefit tradeoffs, a potential downside such as breach of security is often talked about, but hardly reflected in end-users’ behavior. What is telling is that with the increasing outcry by the public as well as the advancement of security-related technology, there is no notable reduction in the number of breaches (Barker, 2014) and they are becoming costlier. Researchers attribute the continuing occurrence of security breaches to end users’ negligence in adopting security protection measures (Williams et al. 2014; Herath and Rao 2009). The ambiguity persists as end-users and businesses jointly spend billions of dollars on products and upgrades to address new threat categories and sets of exploits, yet there is little evidence that protective solutions are actually used as safeguards to battle increasingly incoming threats. This paradox has drawn researchers’ attention, leading to a number of studies addressing the end-users’ mental status such as their fears, attitudes, and motivations, and the end-users’ specific behaviors such as their security actions and avoidance.

Each study has its own interpretation of security protection orthodoxy, but mostly they have relied on two well-known theories from health care and psychology, Health Belief Model (HBM) and Protection Motivation Theory (PMT) respectively. PMT was originally proposed by Rogers (1975), suggesting fear as an effective mental condition protecting one against threat and consequently leading the individual away from threat. The assumption is that protection motivation arises from fear appraisal that an event will occur. The extent of fear, however, is influenced by the belief regarding the effectiveness of a recommended coping response. A revision of PMT (Rogers, 1983; Maddux and Rogers, 1983) has provided support for the importance of sources of information initiating the coping process and added self-efficacy as an intrinsic factor. Self-efficacy theory suggests that psychological change is processed through an individual’s expectancies of personal mastery or efficacy. The revised PMT incorporates self-efficacy as a cognitive mediating process. The seminal works of Bandura et al. (1980) and Condiotte and Lichtenstein (1981) have established that changes in behavior and changes in self-efficacy expectancy are positively correlated.

International Conferences ICT, WBC, BIGDACI and TPMC 2016

Leventhal (1970) proposed a parallel response model that stressed the importance of differentiating emotional responses from cognitive responses (fear control versus danger control). Witte (1994) further developed an Extended Parallel Processing Model (EPPM) by adopting the original PMT’s explanation of “danger control processes that lead to message acceptance (one side of the parallel process model), and defines and expands the fear control processes which lead to message rejection (the other side of the parallel process model)” (Witte 1994, p.337). EPPM explains the possible responses people may have to a fear appeal message and places them into three broad categories: non-responses, danger control responses, and fear control responses. The theory makes predictions about which of these three response types individuals will demonstrate depending upon the interaction between their perceptions of the threat and their perceptions of efficacy to avert the threat.

Another relevant model used in the information systems (IS) literature to study users’ behavior regarding computer security protection is the Health Belief Model (HBM). The theory was developed in the 1950s by a social psychologist, Hochbaum (1956), and was adopted by Rosenstock (1966) to explain the failure of people to participate in programs to prevent and detect disease. Since then, HBM has evolved and been applied to a broad range of population behavior.

These theories were modified or combined by researchers to adapt to the security threat protection phenomenon. Boss et al. (2015) constructed a complete overview of IS articles that use portions of PMT. Ng et al. (2009) successfully operationalized and extended primarily HBM to study users’ computer security behavior. They focused on “understanding of user computer security behavior in the context of the organization” (p.823). Liang and Xue (2010) deployed a modified version of HBM to assess avoidance behavior of the users. They focused on spyware as the security threat and defined avoidance behavior as using and updating anti-spyware software regularly. Tu et al. (2015) and Williams et al. (2014) proposed a security belief model where they drew information from PMT as the reference theory and leveraged the HBM to examine users’ cognitive behavior when confronted with security threats. Tu et al. (2015) integrated PMT with the social learning theory to assess users’ coping appraisals in the specific context of mobile device loss or theft. Chen and Zahedi (2016) added a new dimension to security threat research by comparing cognitive behavior when it comes to security actions. They drew on “two complementary theoretical bases: (1) the contextualization of PMT to online security behavior and (2) a polycontextual lens for the cross-national comparison of users’ security behaviors in the United States and China” (p.205).

The existing research, however, falls short of providing a clear picture of individuals’ conduct driven by fear. In the context of security threat, the user’s response, whether it is taking a protective action or avoiding online transactions, has consequences on solutions for security threats. This research examines the impact of the users’ awareness of security threats on their protective behaviors. We draw on three theoretical models to fill the gap mentioned above and show a clear path from knowledge to fear to possible actions. The organization of the paper is as follows: the next section presents our integrated theoretical model, followed by the research method and a brief conclusion.

2. THEORETICAL MODEL

This research offers an integrated model building on existing theories such as PMT, HBM, and EPPM. Our integrated theoretical model takes into account the powerful features of PMT such as fear as the central motivation factor for taking protection actions against security threats. To emphasize the atmosphere of the digital age, where information about security threats could easily become a personal experience or cause tremendous fear by media exposure, we added awareness as the independent variable and fear as the mediating factor. We consider the awareness of security threat as the combination of personal experience and knowledge induced by social media leading to fear and noxiousness. Our interpretation of EPPM, in the context of security threat, is also different. The theoretical scope of the EPPM is limited to explaining and predicting reactions to fear appeals only. This study, however, draws on HBM and takes into consideration the interaction effects of the positive and negative outcomes. We take into consideration an intrinsic factor such as self-efficacy to moderate the association between awareness and fear. In the context of security threat, self-efficacy, as an interaction effect, portrays an individual’s confidence in her or his competency to deal with security threat. It impacts the degree of association between awareness and fear. Figure 1 depicts our research model.

ISBN: 978-989-8533-54-8 © 2016

The model depicts that fear of security threat is shaped by knowledge and prior experience of threats while self-efficacy moderates the intensity of the effect. Furthermore, we are postulating that the effect of fear on protection actions is moderated by the perceived degree of effectiveness as well as undesirable attributes of the outcome. The assumption is that belief about potential positive and negative aspects of protective actions could intensify the level of fear, which in turn impacts the probability of taking actions or avoiding activities online. We consider two possible responses: (1) taking action to protect against security threats and (2) avoiding engagement in sensitive transactions online.

Figure 1. Moderation and mediation model
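
The paths described above can be written as regression-style structural equations. This is an added illustration, not part of the original paper; the symbols ($A$ awareness, $F$ fear, $S$ self-efficacy, $B$ perceived benefits, $R$ perceived barriers, $Y_k$ the two responses) and the reduction to observed-variable equations are assumptions made here, and the direct path $c'_k$ is included only so that mediation can be tested, since the paper does not state whether such a path is modeled.

$$F = a_0 + a_1 A + a_2 S + a_3 (A \times S) + \varepsilon_F$$

$$Y_k = b_{0k} + b_{1k} F + b_{2k} B + b_{3k} R + b_{4k} (F \times B) + b_{5k} (F \times R) + c'_k A + \varepsilon_k, \quad k \in \{\text{protect}, \text{avoid}\}$$

Under these equations the effect of awareness on response $k$ transmitted through fear is conditional on the moderators:

$$\text{indirect}_k(S, B, R) = (a_1 + a_3 S)\,(b_{1k} + b_{4k} B + b_{5k} R)$$

A nonzero $a_3$ corresponds to self-efficacy moderating the awareness-to-fear path, and nonzero $b_{4k}$ or $b_{5k}$ correspond to benefits or barriers moderating the fear-to-response path.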

These new perspectives allude to the possibility of examining concerns such as “why, despite the availability of cyber security protection technology, do security threats remain an unresolved problem?” Our future research will look into the impact of the types of platforms (e.g., Apple versus Windows) to assess the influence of technology type on users’ perception and anxiety level of security threats. Finally, this work-in-progress will incorporate a cross-national comparison of users’ security behaviors in the United States and Europe; we are in the process of data collection both in the United States and a European country.

2.1 Methods

The proposed model will be tested through a large-scale multi-national field survey by conducting the following steps: (1) measurement development, (2) pilot study, (3) survey translation (if necessary), (4) multi-national field survey, (5) model test and group comparison, and (6) implication development. First, in developing our survey measurements, every attempt will be made to use existing validated measurements that have good psychometric properties. In cases where there are no existing measurements appropriate to the context of our study, new measurements will be developed based on definitions of the variables and their relevant literature.

Second, the existing and new measurements will be validated through a pilot study. We are planning to conduct a pilot study in the United States. About 50 samples will be gathered for this pilot test. Based on the validity test results of the pilot study, some necessary changes will be made to the original measurements.

Third, to gather data from multiple countries having different cultural backgrounds and user behavior patterns, the original measurements will be translated into local languages if necessary. In particular, we will use a translation committee approach, i.e., a committee of bilinguals (van de Vijver and Leung 1997).

Next, the data gathered from the multi-national field survey will be used to test the proposed model. Considering the proposed multi-stage and causal relationships in our research model, we believe a structural equation modeling (SEM) approach is the best fit for our model test. In particular, the multi-national differences will be tested through a sub-group analysis and other relevant techniques, such as a path comparison and a cluster analysis (Chin 2003; Sia et al. 2009). The results will also be reflected on some well-adopted cultural dimensions, such as different levels of uncertainty avoidance and long-term orientation (Hofstede and Bond 1988).

3. CONCLUSION

Upon completion of the research, based on our findings through our model test using multi-national data, both theoretical and practical implications will be developed. For academics, our findings will be used to validate and justify the proposed extension of existing theories. The practical implications will provide useful guidance regarding end-users’ behavior to install necessary security measures and minimize their avoidance of the security-concerned transactions. The context-specific dimension will allow examination of cultural differences between the United States and Europe regarding individual protection behavior against security threat. Last, but not least, our overall results may shed light on the problem that despite advances in security protection technology, the deployment of such technologies is governed by human behavior and influenced by the cultural background of the individuals.

REFERENCES

Bandura, A., 1982. Self-efficacy Mechanism in Human Agency. In American Psychologist, Vol. 37, No. 2, pp.122-147.

Barker, K., 2014. The Gap between Real and Perceived Security Risks. In Computer Fraud & Security, Vol. 4, pp. 5-8.

Boss, S. R. et al., 2015. What do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors. In MIS Quarterly, Vol. 39, No. 4, pp. 837-864.

Chen, Y. and Zahedi, F. M., 2016. Individuals’ Internet Security Perceptions and Behaviors: Polycontextual contrasts between the United States and China. In MIS Quarterly, Vol. 40, No. 1, pp. 205-222.

Chin, W. W., 2003. A Permutation Procedure for Multi-group Comparison of PLS Models. Proceedings of 2003 PLS International Symposium: PLS Related Methods, Lisbon, Portugal.

Condiotte, M. M. and Lichtenstein, E., 1981. Self-efficacy and Relapse in Smoking Cessation Programs. In Journal of Consulting and Clinical Psychology, Vol. 49, No. 5, pp. 648-658.

Herath, T. and Rao, H. R., 2009. Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations. In European Journal of Information Systems, Vol. 18, No. 2, pp. 106-125.

Hochbaum, G. M., 1956. Why People Seek Diagnostic X-rays. In Public Health Reports, Vol. 71, No. 4, pp. 377-380.

Hofstede, G. and Bond, M. H., 1988. The Confucius Connection: From Cultural Roots to Economic Growth. In Organizational Dynamics, Vol. 16, No. 4, pp. 5-21.

Leventhal, H., 1970. Findings and Theory in the Study of Fear Communications. In Advances in Experimental Social Psychology, Vol. 5, pp. 119-186.

Liang, H. and Xue, Y., 2010. Understanding Security Behaviors in Personal Computer Usage: A threat Avoidance Perspective. In Journal of the Association for Information Systems, Vol. 11, No. 7, pp. 394-413.

Maddux, J. E., and Rogers, R. W., 1983. Protection Motivation and Self-efficacy: A Revised Theory of Fear Appeals and Attitude Change. In Journal of Experimental Social Psychology, Vol. 19, No. 5, pp. 469-479.

Rogers, R. W., 1975. A Protection Motivation Theory of Fear Appeals and Attitude Change. In The Journal of Psychology, Vol. 91, No. 1, pp. 93-114.

Copyright of IADIS International Journal on Computer Science & Information Systems is the property of International Association for Development of the Information Society (IADIS) and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder’s express written permission. However, users may print, download, or email articles for individual use.

