To report or not to report? Extending Protection Motivation Theory to Vulnerability Discovery and Disclosure

Abstract

Vulnerability researchers face difficult choices when considering whether to reporting a finding to an organization with which they are unaffiliated. We used components of Protection Motivation Theory (PMT) to create the Vulnerability Discovery and Disclosure (VDD) model to understand the decision-making processes of vulnerability researchers. PMT uses high fear appeals, threat appraisals, and coping appraisals to encourage employee prosocial behaviors while VDD proposes low fear and threat with high coping, to encourage reporting. In this exploratory study, we surveyed active vulnerability researchers to gain insight into their concerns when deciding to report to an organization. Using principal components analysis, we developed and refined the VDD survey, which may be tested by future researchers. We also discovered a higher-order efficacy construct, comprised of response and self-efficacy. We theorize that well-developed vulnerability disclosure policies, in line with a low-fear, low-threat appraisal and high efficacy may establish a culture of trust between organizations and vulnerability researchers, encouraging more reports.