Noushin Ashrafi, Jean-Pierre Kuilboer and One-Ki (Daniel) Lee
University of Massachusetts Boston
100 Morrissey Blvd., Boston MA 02125 – USA
In the age of Big Data, security and privacy issues are magnified and dealt with differently than with traditional tactics. However, the traditional security threats have become a source of constant fear and are costly to individuals and organizations. Security experts have explored the intertwined role of technology and human behavior concerning security protection actions. This research offers an integrated model building on existing theories such as Protection Motivation Theory (PMT), Health Behavior Model (HBM), and Extended Parallel Processing Model (EPPM). We address the impact of the users’ awareness of security threats on their protective actions while taking into consideration the mediating influence of fear.
We also examine the moderation effects of intrinsic as well as extrinsic factors, such as users’ perception of self-efficacy and the benefits and barriers of protective actions, respectively. Structural Equation Modeling (SEM) is used to measure the proposed mediation and moderation effects. Our integrated theoretical model revolves around the assumption that security protection actions are formed by complex human behavior, rather than mere deployment of protective technology. The proposed model will be tested on data gathered from targeted populations in the US and Europe. This context-specific dimension will allow examination of cultural differences between the US and Europe. Our results may shed light on the problem that, despite advances in security protection technology, the deployment of such technologies is governed by human behavior and influenced by the cultural background of the individuals.
Security Threat, SEM, PMT, HBM, EPPM
Since the privatization of the Internet for e-commerce in the 1990s, which led to an exponential growth of
the flow of information, information security has become a source of trepidation. Information security is the
protection of personal data against unauthorized access or modification while ensuring its availability to
legitimate users, confidentiality, and integrity. There is no question that the Internet has become a ubiquitous
platform for social and business activities. Although the public, at large, is aware of its cost/benefit tradeoffs,
a potential downside such as breach of security is often talked about, but hardly reflected in end-users’
behavior. What is telling is that, despite the increasing outcry by the public and the advancement of security-related technology, there is no notable reduction in the number of breaches (Barker, 2014), and they are
becoming costlier. Researchers attribute the continuing occurrence of security breaches to end users’
negligence in adopting security protection measures (Williams et al. 2014; Herath and Rao 2009). The
ambiguity persists as end-users and businesses jointly spend billions of dollars on products and upgrades to
address new threat categories and sets of exploits, yet there is little evidence that protective solutions are
actually used as safeguards to battle the increasing number of incoming threats. This paradox has drawn researchers’
attention leading to a number of studies addressing the end-users’ mental status such as their fears, attitudes,
and motivations, and the end-users’ specific behaviors such as their security actions and avoidance.
Each study has its own interpretation of security protection orthodoxy, but mostly they have relied on two
well-known theories from health care and psychology, Health Belief Model (HBM) and Protection
Motivation Theory (PMT) respectively. PMT was originally proposed by Rogers (1975) suggesting fear as an effective mental condition protecting one against threat and consequently leading the individual away from
International Conferences ICT, WBC, BIGDACI and TPMC 2016
threat. The assumption is that protection motivation arises from fear appraisal that an event will occur. The
extent of fear, however, is influenced by the belief regarding the effectiveness of a recommended coping
response. A revision of PMT (Rogers, 1983; Maddux and Rogers, 1983) has provided support for the
importance of sources of information initiating the coping process and added self-efficacy as an intrinsic factor. Self-efficacy theory suggests that psychological change is processed through an individual’s
expectancies of personal mastery or efficacy. The revised PMT incorporates self-efficacy as a cognitive
mediating process. The seminal works of Bandura et al. (1980) and Condiotte and Lichtenstein (1981) have
established that changes in behavior and changes in self-efficacy expectancy are positively correlated.
Leventhal (1970) proposed a parallel response model that stressed the importance of differentiating
emotional responses from cognitive responses (fear control versus danger control). Witte (1994) further
developed an Extended Parallel Processing Model (EPPM) by adopting the original PMT’s explanation of
“danger control processes that lead to message acceptance (one side of the parallel process model), and
defines and expands the fear control processes which lead to message rejection (the other side of the parallel
process model)” (Witte 1994, p.337). EPPM explains the possible responses people may have to a fear appeal
message and places them into three broad categories: non-responses, danger control responses, and fear control responses. The theory makes predictions about which of these three response types individuals will
demonstrate depending upon the interaction between their perceptions of the threat and their perceptions of
efficacy to avert the threat.
Another relevant model used in information systems (IS) literature to study users’ behavior regarding
computer security protection is the Health Belief Model (HBM). The theory was developed in the 1950s by
social psychologist Hochbaum (1956) and was adopted by Rosenstock (1966) to explain the failure of people
participating in programs to prevent and detect disease. Since then, HBM has evolved and been applied to a
broad range of population behavior.
These theories were modified or combined by researchers to adapt to security threat protection
phenomenon. Boss et al. (2015) constructed a complete overview of IS articles that use portions of PMT. Ng
et al. (2009) successfully operationalized and extended primarily HBM to study user’s computer security
behavior. They focused on “understanding of user computer security behavior in the context of the organization” (p.823). Liang and Xue (2010) deployed a modified version of HBM to assess avoidance
behavior of the users. They focused on Spyware as security threat and defined avoidance behavior as using
and updating anti-spyware software regularly. Tu et al. (2015) and Williams et al. (2014) proposed a security
belief model where they drew information from PMT as the reference theory and leveraged the HBM to
examine users’ cognitive behavior when confronted with security threats. Tu et al. (2015) integrated PMT
with the social learning theory to assess users’ coping appraisals in the specific context of mobile device loss
or theft. Chen and Zahedi (2016) added a new dimension to security threat research by comparing cognitive
behavior when it comes to security actions. They drew on “two complementary theoretical bases: (1) the
contextualization of PMT to online security behavior and (2) a polycontextual lens for the cross-national
comparison of users’ security behaviors in the United States and China” (p.205).
The existing research, however, falls short of providing a clear picture of individuals’ conduct driven by fear. In the context of security threat, the user’s response, whether it is taking a protective action or avoiding
online transactions, has consequences on solutions for security threats. This research examines the impact of
the users’ awareness of security threats on their protective behaviors. We draw on three theoretical models to
fill the gap mentioned above and show a clear path from knowledge to fear to possible actions. The
organization of the paper is the following: the next section presents our integrated theoretical model, followed by
research method including a brief conclusion.
2. THEORETICAL MODEL
This research offers an integrated model building on existing theories such as PMT, HBM, and EPPM. Our
integrated theoretical model takes into account the powerful features of PMT such as fear as the central
motivation factor for taking protection actions against security threats. To emphasize the atmosphere of
the digital age, where information about security threats could easily become a personal experience or cause
tremendous fear through media exposure, we added awareness as the independent variable and fear as the mediating
factor. We consider the awareness of security threat as the combination of personal experience and
ISBN: 978-989-8533-54-8 © 2016
knowledge induced by social media leading to fear and noxiousness. Our interpretation of EPPM, in the
context of security threat is also different. The theoretical scope of the EPPM is limited to explaining and
predicting reactions to fear appeals only. This study, however, draws on HBM and takes into consideration
the interaction effects of the positive and negative outcomes. We also take into consideration an intrinsic factor, self-efficacy, which moderates the association between awareness and fear. In the context of security
threat, self-efficacy, as an interaction effect, portrays an individual’s confidence in her or his competency to
deal with security threat. It impacts the degree of association between awareness and fear. Figure 1 depicts
our research model.
The model depicts that fear of security threat is shaped by knowledge and prior experience of threats
while self-efficacy moderates the intensity of the effect. Furthermore, we are postulating that the effect of
fear on protection actions is moderated by perceived degree of effectiveness as well as undesirable attributes
of the outcome. The assumption is that beliefs about potential positive and negative aspects of protective
actions could intensify the level of fear, which in turn impacts the probability of taking actions or avoiding
activities online. We consider two possible responses: (1) taking action to protect against security threats and (2)
avoiding engaging in sensitive transactions online.
Figure 1. Moderation and mediation model
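The moderation and mediation structure described above can be written as two regressions with interaction terms. The following is an added example, not the authors' code or data: it uses ordinary least squares in place of SEM, and the data, path weights and function names are constructed for illustration.

```python
import random

def ols(X, y):
    """Ordinary least squares via the normal equations and Gauss-Jordan elimination."""
    k = len(X[0])
    # Augmented matrix [X'X | X'y]
    m = [[sum(r[i] * r[j] for r in X) for j in range(k)]
         + [sum(r[i] * v for r, v in zip(X, y))] for i in range(k)]
    for c in range(k):
        p = max(range(c, k), key=lambda r: abs(m[r][c]))  # partial pivoting
        m[c], m[p] = m[p], m[c]
        piv = m[c][c]
        m[c] = [v / piv for v in m[c]]
        for r in range(k):
            if r != c:
                f = m[r][c]
                m[r] = [x - f * z for x, z in zip(m[r], m[c])]
    return [row[k] for row in m]

def simulate(n=4000, seed=7):
    """Constructed survey-like data; the path weights are illustrative, not findings."""
    g = random.Random(seed).gauss
    rows = []
    for _ in range(n):
        aware, eff, ben, bar = g(0, 1), g(0, 1), g(0, 1), g(0, 1)
        fear = 0.6 * aware - 0.3 * aware * eff + g(0, 1)
        act = 0.1 * aware + 0.5 * fear + 0.25 * fear * ben - 0.2 * fear * bar + g(0, 1)
        rows.append((aware, eff, ben, bar, fear, act))
    return rows

def fit(rows):
    """Two-stage path estimates: awareness -> fear, then fear -> protective action."""
    s1 = ols([[1, a, e, a * e] for a, e, _, _, _, _ in rows], [r[4] for r in rows])
    s2 = ols([[1, a, f, b, k, f * b, f * k] for a, _, b, k, f, _ in rows],
             [r[5] for r in rows])
    return {"a": s1[1], "a_x_eff": s1[3], "direct": s2[1],
            "b": s2[2], "b_x_ben": s2[5], "b_x_bar": s2[6]}

def indirect(p, eff=0.0, ben=0.0, bar=0.0):
    """Conditional indirect effect of awareness on action through fear."""
    return (p["a"] + p["a_x_eff"] * eff) * (p["b"] + p["b_x_ben"] * ben + p["b_x_bar"] * bar)

if __name__ == "__main__":
    est = fit(simulate())
    print({k: round(v, 2) for k, v in est.items()})
    print("indirect effect, low vs high self-efficacy:",
          round(indirect(est, eff=-1), 2), round(indirect(est, eff=1), 2))
```

The conditional indirect effect is the product of the awareness-to-fear slope at a given self-efficacy level and the fear-to-action slope at given benefit and barrier levels, which is how a moderator on either stage changes the mediated path.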
These new perspectives allude to the possibility of examining concerns such as “why, despite the
availability of cyber security protection technology, do security threats remain an unresolved problem?”
Our future research will look into the impact of the types of platforms (e.g., Apple versus Windows) to assess
the influence of technology type on users’ perception and anxiety level of security threats. Finally, this
work-in-progress will incorporate a cross-national comparison of users’ security behaviors in the United
States and Europe – we are in the process of data collection both in the United States and a European
The proposed model will be tested through a large-scale multi-national field survey by conducting the
following steps: (1) measurement development, (2) pilot study, (3) survey translation (if necessary), (4)
multi-national field survey, (5) model test and group comparison, and (6) implication development. First, in
developing our survey measurements, every attempt will be made to use existing validated measurements
that have good psychometric properties. In cases where there are no existing measurements appropriate to the
context of our study, new measurements will be developed based on definitions of the variables and their relevant literature.
Second, the existing and new measurements will be validated through a pilot study. We are planning to
conduct a pilot study in the United States. About 50 samples will be gathered for this pilot test. Based on the
validity test results of the pilot study, some necessary changes will be made to the original measurements.
Third, to gather data from multiple countries having different cultural backgrounds and user behavior
patterns, the original measurements will be translated into local languages if necessary. In particular, we will
use a translation committee approach, i.e., committee of bilinguals (van de Vijver and Leung 1997).
Next, the data gathered from the multi-national field survey will be used to test the proposed model. Considering the proposed multi-stage and causal relationships in our research model, we believe a structural
equation modeling (SEM) approach is the best fit for our model test. In particular, the multi-national
differences will be tested using a sub-group analysis and other relevant techniques, such as a path comparison and a
cluster analysis (Chin 2003; Sia et al. 2009). The results will also be reflected on some well-adopted cultural
dimensions, such as different levels of uncertainty avoidance and long-term orientation (Hofstede and Bond
Upon completion of the research, based on our findings through our model test using multi-national data,
both theoretical and practical implications will be developed. For academics, our findings will be used to
validate and justify the proposed extension of existing theories. The practical implications will provide useful
guidance regarding end-users’ behavior to install necessary security measures and minimize their avoidance
of the security-concerned transactions. The context-specific dimension will allow examination of cultural
differences between the United States and Europe regarding individual protection behavior against security
threat. Last, but not least, our overall results may shed light on the problem that despite advances in security
protection technology, the deployment of such technologies is governed by human behavior and influenced
by cultural background of the individuals.
Bandura, A., 1982. Self-efficacy Mechanism in Human Agency. In American Psychologist, Vol. 37, No. 2, pp.122-147.
Barker, K., 2014. The Gap between Real and Perceived Security Risks. In Computer Fraud & Security, Vol. 4, pp. 5-8.
Boss, S. R. et al., 2015. What do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors. In MIS Quarterly, Vol. 39, No. 4, pp. 837-864.
Chen, Y. and Zahedi, F. M., 2016. Individuals’ Internet Security Perceptions and Behaviors: Polycontextual contrasts between the United States and China. In MIS Quarterly, Vol. 40, No. 1, pp. 205-222.
Chin, W. W., 2003. A Permutation Procedure for Multi-group Comparison of PLS Models. Proceedings of 2003 PLS International Symposium: PLS Related Methods, Lisbon, Portugal.
Condiotte, M. M. and Lichtenstein, E., 1981. Self-efficacy and Relapse in Smoking Cessation Programs. In Journal of Consulting and Clinical Psychology, Vol. 49, No. 5, pp. 648-658.
Herath, T. and Rao, H. R., 2009. Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations. In European Journal of Information Systems, Vol. 18, No. 2, pp. 106-125.
Hochbaum, G. M., 1956. Why People Seek Diagnostic x-rays. Public Health Reports, Vol. 71, No. 4, pp. 377-380.
Hofstede, G. and Bond, M. H., 1988. The Confucius Connection: From Cultural Roots to Economic Growth. In Organizational Dynamics, Vol. 16, No. 4, pp. 5-21.
Leventhal, H., 1970. Findings and Theory in the Study of Fear Communications. In Advances in Experimental Social Psychology, Vol. 5, pp. 119-186.
Liang, H. and Xue, Y., 2010. Understanding Security Behaviors in Personal Computer Usage: A threat Avoidance Perspective. In Journal of the Association for Information Systems, Vol. 11, No. 7, pp. 394-413.
Maddux, J. E., and Rogers, R. W., 1983. Protection Motivation and Self-efficacy: A Revised Theory of Fear Appeals and Attitude Change. In Journal of Experimental Social Psychology, Vol. 19, No. 5, pp. 469-479.
Rogers, R. W., 1975. A Protection Motivation Theory of Fear Appeals and Attitude Change. In The Journal of Psychology, Vol. 91, No. 1, pp. 93-114.
Copyright of IADIS International Journal on Computer Science & Information Systems is the property of International Association for Development of the Information Society (IADIS) and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder’s express written permission. However, users may print, download, or email articles for individual use.