Security Behavior Research Articles

Information sharing, investment, and retaliatory posture: the role of age in preferences toward information security governance

ABSTRACT The exploitation of older adults in cyberattacks is a growing problem recognized by researchers, organizations, and practitioners alike. Yet, there is limited generalizable research examining how age shapes preferences about the government’s role in cybersecurity across multiple dimensions and measures. This study contributes to our understanding of information security behavior, the public’s response to growing cyberthreats, and potential mechanisms to mitigate information security vulnerability among subgroups in society with the first large-scale and generalizable empirical evidence about the relationship between age and cybersecurity governance preferences. Using a large survey of US adults, the findings indicate that older adults are strongly supportive of government taking a more active role in cybersecurity. However, the magnitude of the effect varies and older adults’ strongest desire is to see the government take a more punitive retaliatory posture toward cybercrimes. The findings have important implications for our understanding of government involvement in cybersecurity and vulnerability mitigation at a time when cybersecurity is of paramount importance for individuals’ well-being, organizational continuity, and governments worldwide.

The Role of Penalties, Pressures and Perceived Effectiveness: A Replication Study of Generation Z's Information Security Behaviors

The Role of Penalties, Pressures and Perceived Effectiveness: A Replication Study of Generation Z's Information Security Behaviors

United We Stand, Divided We Fall: An Autogenic Perspective on Empowering Cybersecurity in Organizations

Cybersecurity groups navigate complex, challenging environments in their mission to protect their organizations. They experience uncertainty from adaptive threats from external attackers and unpredictable stakeholders. Under such volatility, business groups operate best when they are psychologically empowered. Recognizing the potential for empowerment to reduce organizational risk, we sought to learn how cybersecurity groups come to be (dis)empowered and how this (dis)empowerment is sustained. Instead of the conventional view of the empowerment process as designed, we advance an emergent view of the empowerment process. We abductively surface this process from our case analyses of 15 U.S. organizations. We offer three insights: First, organizations with empowered cybersecurity groups enjoy an enhanced level of protection from breaches. Second, we highlight generative rules through which groups become empowered—via their bridging initiatives that co-opt stakeholders into security behaviors and stakeholder responsiveness to bridging, rather than unilaterally applied buffering initiatives. Third, we highlight reinforcing rules through which empowered states persist—via the group’s ability to safeguard organizational information assets, thereby ensuring cybersecurity group viability, continued bridging, and motivated stakeholder responsiveness. For practitioners, our study underscores the interdependence between cybersecurity groups and their stakeholders in securing an organization and posits processes for empowering cybersecurity groups.

Information Security Management at the University: A Critical Review of Recent Studies

As global cyber threats continue to escalate, particularly with the increasing frequency of attacks targeting academic institutions, information security management (ISM) has become imperative for safeguarding the confidentiality and integrity of personal and research data within universities. This study examines the increasingly strategic role of information security management (ISM) in universities that face growing threats to personal and research data. This paper identifies key trends, methodological approaches, and research gaps within university ISM by reviewing research published over the past decade. Findings reveal that, despite the critical importance of ISM, the field still needs to be explored, with significant opportunities for further research in areas such as human factors, organizational culture, and information security behaviors. This research provides a comprehensive overview for IT professionals and university information security managers. It offers insights into the evolving ISM landscape in higher education and highlights new avenues for future investigation.

Information security policy compliance: a replication study in Ethiopia

Purpose This study aims to replicate and assess the applicability and generalizability of Bulgurcu et al.'s (2010) information security policy compliance model to participants from Ethiopia, focusing on understanding compliance behavior with information security policies (ISPs). Design/methodology/approach The study replicates Bulgurcu et al.’s (2010) research methodology. They empirically tested their model using data collected through a survey of 464 employees from a diverse set of organizations in the United States. In this study, the authors used a self-administered survey approach to collect data from 318 valid responses from university students in Ethiopia. The structural equation modeling technique with SmartPLS 4.0 is used to test hypotheses derived from the original model. Findings The replication results confirm most of the hypotheses from the original study, indicating that their model is generalizable to the Ethiopian population. However, the study also identifies differences between the original and replicated results, suggesting potential cultural variations requiring further examination. Originality/value This study contributes to the literature by replicating and extending the original study’s findings in a different cultural context, namely Ethiopia. It highlights the importance of understanding compliance behavior with ISPs across diverse populations and emphasizes the need for future replication studies to explore the impact of culture on intention toward information security behavior.

An information-theoretic analysis of security behavior intentions amongst United States poll workers.

In light of recent events related to national elections in the United States, safeguarding the security and integrity of forthcoming elections stands as a critical national priority. Elections equipment in the United States constitutes critical national infrastructure, and its operation relies on poll workers, who are trusted insiders. However, those insiders may pose risks if they make mistakes with detrimental consequences or act with malice. This research analyzes a large dataset of 2213 responses obtained from a survey of poll workers and potential poll workers in 13 states. The survey includes the Security Behavior Intentions Scale, which has been previously established and validated in the security literature. We use the responses to assess poll workers' intentions of complying with established security-related practices. We develop a novel model using information theory to examine potential weaknesses in security behaviors and identify poll worker security practices to improve to ensure the integrity of our elections. We also recommend action items and countermeasures for states and localities based upon this empirical analysis.

Explanatory and predictive modeling of cybersecurity behaviors using protection motivation theory

ContextProtection motivation theory (PMT) is the most frequently used theory in understanding cyber security behaviors. However, most studies have used a cross-sectional design with symmetrical analysis techniques such as structure equation modeling (SEM) and regression. A data-driven approach, such as predictive modeling, is lacking and can potentially evaluate and validate the predictive power of PMT for cybersecurity behaviors. ObjectiveThe objective of this study is to assess the explanatory and predictive power of PMT for cyber security behaviors related to computers and smartphone. MethodAn online survey was employed to collect data from 1027 participants. The relationship of security behaviors with threat appraisal (severity and vulnerability) and coping appraisal (response efficacy, self-efficacy and response cost) components were tested via explanatory and predictive modeling. Explanatory modeling was employed via SEM, whereas three machine learning algorithms, namely Decision Tree (DT), Support Vector Machine (SVM), and K Nearest Neighbor (KNN) were used for predictive modeling. Wrapper feature selection was employed to understand the most important factors of PMT in predictive modeling. ResultsThe results revealed that the threat severity from the threat appraisal component of PMT significantly influenced computer security and smartphone security behaviors. From the coping appraisal, response efficacy and self-efficacy significantly influenced computer and smartphone security behaviors. The ML analysis showed that the highest predictive power of PMT for computer security was 76 % and for smartphone security 68 % by KNN algorithm. The wrapper feature selection approach revealed that the most important features in predicting security behaviors are self-efficacy, response efficacy and intention to secure devices. Thus, the findings indicate the complementarity of the cross-sectional and data driven methods.

Engaging in cyber hygiene: the role of thoughtful decision-making and informational interventions.

The effectiveness of human-centric cybersecurity largely depends on end-users' adherence to security and privacy behaviors. Understanding and predicting variations in the adoption of these safeguards is crucial for both theoretical advancement and practical application. While existing frameworks are often adapted from health science literature, there is potential to enhance these models by incorporating criminological constructs relevant to online victimization. This study introduce rational choice theory of thoughtfully reflective decision-making (TRDM) into the information security domain. TRDM suggests that variations in cognitive decision-making capabilities influence behavioral outcomes, particularly in the context of security and privacy practices. The study employed a field experiment to test the applicability of TRDM in predicting end-users' engagement in security and privacy behaviors. Participants were exposed to security-related warnings, with the hypothesis that thoughtfully reflective decision-makers would be more likely to adopt robust protective behaviors. Data was collected on participants' responses to these security warnings, as well as their overall adherence to privacy and security practices. The findings support the theoretical framework: individuals exhibiting thoughtfully reflective decision-making tendencies demonstrated a higher likelihood of engaging in privacy and security behaviors. Specifically, participants with higher TRDM scores were more likely to adopt protective behaviors when warned of the consequences of non-compliance. These results indicate that cognitive decision-making capabilities significantly influence the likelihood of engaging in cybersecurity practices. The study challenges the prevailing one-size-fits-all approach to cybersecurity by highlighting the importance of individual differences in cognitive decision-making. Thoughtfully reflective decision-makers are better equipped to adopt preventive security measures, suggesting the need for more tailored interventions in cybersecurity education and risk assessment. This research contributes to the development of sophisticated risk assessment tools aimed at mitigating vulnerabilities and reducing users' susceptibility to digital threats. Incorporating TRDM into information security models provides a more nuanced understanding of user behavior, offering insights into how cognitive processes influence cybersecurity adherence.

Angry and Afraid: Exploring the Impact of Mixed Emotional Reactions to Hate Crimes With LGBT+ and Muslim Communities.

Hate crimes send messages of intolerance that can cause significant emotional and behavioral harm to entire identity groups. Previous research, based on intergroup emotions theory, has helped explain the psychological mechanisms that underpin the indirect effects of anti-LGBT+ hate crime, showing that incidents give rise to perceptions of threat among community members, which in turn elicit certain emotional reactions that trigger specific behavioral outcomes. This article provides two significant contributions to this developing knowledgebase. First, it provides an important replication of the theoretical model with another frequently targeted community: Muslim people. In addition, it offers the first quantitative analysis of how combinations of different emotions trigger discrete behavioral responses in the aftermath of hate crime, thereby providing much-needed nuance to the intergroup emotions theory model. Across two studies (Study 1: N = 589 LGBT+ participants; Study 2: N = 347 Muslim participants), we show that, for both LGBT+ and Muslim participants, indirect experiences of hate crimes are associated with greater perceptions of threat, which are then positively associated with anger, anxiety, and shame, that link to behavioral intentions: avoidance, pro-action, security behaviors, and retaliation. Latent class analyses further revealed that participants' emotional reactions tend to cluster into four distinct profiles in both communities: people scored mid-range on all emotions, or high anger with low shame, or high anger with high anxiety, or low shame. These combinations had direct implications for intended behaviors across both groups: experiencing high anger with high anxiety was a cogent motivator of action. Most significantly, we provide new insights into how and why different emotions interact to predict both similar and divergent behaviors in the aftermath of hate crime incidents. Our findings yield important new knowledge that holds the potential of shaping both public policies and practices aimed at addressing the impacts of hate crimes.

A students’ behaviors in information security: Extension of Protection Motivation Theory (PMT)

ABSTRACT This study investigates information security behaviors among university students, focusing on the interplay of psychological and social factors influencing their behavioral intentions and actions. By integrating the Theory of Planned Behavior, Protection Motivation Theory, and General Deterrence Theory, the research offers a comprehensive understanding of factors such as self-efficacy, perceived risk vulnerability, response cost, and response efficacy. Utilizing structural equation modeling (SEM) and Necessary Condition Analysis (NCA), the study assesses the impact of these factors on students’ information security practices. Measurement items were developed based on recent empirical studies, ensuring relevance to the contemporary digital environment. The findings reveal significant associations between these factors and students’ security behaviors, providing insights into effective strategies for promoting information security awareness and practices. This research contributes to the academic discourse on digital security behaviors and offers practical implications for enhancing information security measures within university settings.

Security awareness, decision style, knowledge, and phishing email detection: Moderated mediation analyses

This study examines whether the negative relationship between email information security awareness and phishing email susceptibility is mediated by less intuitive decision-making when assessing emails, and whether this relationship is moderated by phishing email knowledge. Participants (N = 291) completed an online email sorting task, a measure of email use information security awareness, a measure of preference for intuitive decision-making with emails, and a measure of phishing email knowledge. Moderated mediation analyses indicated that information security awareness predicted positive behavioural intentions directly and indirectly through lower preference for intuitive decision-making, and these relationships were stronger when phishing email knowledge was lower. Further, both the direct and indirect relationships between information security awareness and sensitivity through intuitive decision styles were moderated by phishing email knowledge, with information security awareness positively predicting ability to discriminate phishing from genuine emails when phishing knowledge was average or high but not low. These findings suggest that in the absence of phishing knowledge, information security awareness and less intuitive decision styles reduce susceptibility to phishing attacks through increased caution. Further, the findings provide strong support for the proposition that some level of phishing knowledge is required before email security behaviours and decision-making processes aid in the detection of phishing emails. From an applied perspective, the outcomes suggest that focusing on a combination of awareness, knowledge, and decision-making processes could increase the effectiveness of anti-phishing and cybersecurity training programs.

The Impact of Job Insecurity on Miner Safety Behavior—A Study Based on SEM and fsQCA

The intelligent transformation of coal mines is one of the current trends in developing China’s coal mining industry. To explore the impact of miners’ insecurity on their safety behavior under this trend, miners’ psychological resilience was introduced as the mediating variable, and team safety climate was used as the moderating variable to conduct a questionnaire survey of frontline miners. The data analysis was carried out using descriptive statistics, correlation analysis, structural equation modeling (SEM), and the fsQCA method to explore the impact of job insecurity on miners’ risk behavior through psychological resilience from the dimensions of job loss insecurity, job performance insecurity, and interpersonal insecurity. The results show that the sense of insecurity of the miners has a significant negative correlation with security behavior and a significant negative correlation with psychological toughness; miners’ psychological resilience plays an intermediary role in the correlation between job loss insecurity and miners’ risk behavior. Meanwhile, team safety climate has a significant moderating effect on the relationship between job insecurity and psychological resilience, as well as the relationship between psychological resilience and safety behavior; that is, a good team safety climate can effectively reduce the negative impact of job insecurity brought about by the transformation and upgrading of coal mines.

BYOD security behaviour and preferences among hospital clinicians – A qualitative study

Background/ObjectiveThe use of personal devices for work purposes (Bring-your-own-device) has increased in hospitals, as it facilitates productivity and mobility for clinicians. However, owing to increased risk of leaking patient information, and heavy reliance of patient data privacy on user actions, BYOD is a major challenge for hospitals. There has been a dearth of empirical research studying clinicians’ BYOD security behaviour. Therefore, the study’s aim was to attain subjective understanding of clinicians’ attitudes and preferences towards protecting patient data on their devices through a qualitative study. Methods14 semi-structured interviews were conducted among Australian hospital-based clinicians. A hybrid thematic analysis was conducted using the framework method to explore socio-technical themes pertaining to the clinicians’ BYOD security behavioural practices. ResultsLimited use of secure tools like antivirus and passcodes, and inadequate separation of patient and personal data on BYOD devices was found. Key technology concerns included malware introduction into hospital network, inadvertent patient data sharing, and slow remote access. Hospitals lacked dedicated BYOD policies and training, resulting in unsafe practices. Participants also cited misalignment of BYOD policies with workflow needs, privacy maintenance challenges and fears of personal data breaches, while calling for improved communication between technical and clinical staff and a strong cybersecurity culture. ConclusionThis study provides a comprehensive understanding of BYOD related user behaviour and the usefulness of security controls used in time-sensitive and complex hospital environments. It can inform future policies or processes by advocating for secure and productive BYOD use.

Factors Influencing Employees’ Information Security Behavior in the Telework Environment: An Empirical Study of the Philippines

Factors Influencing Employees’ Information Security Behavior in the Telework Environment: An Empirical Study of the Philippines

Shaping extra-role security behaviors through employee-agent relations: A dual-channel motivational perspective

Organizational information security performance increasingly depends on employees’ extra-role security behaviors (ERBs), which go beyond the scope of formal organizational prescription and control. At the same time, however, the literature suggests ERBs are largely unresponsive to traditional outline-and-control approaches to behavioral security. Instead, this stream finds that ERBs are primarily cultivated through social interactions with other organizational agents, namely the IS department and the direct supervisor. While important progress has been made in explicating the social nature of ERBs and the organizational agents that shape it, little is currently understood about the attributes of these employee-agent relationships that give rise to their influence on ERB enactment. Tied to this void, review of the literature reveals two separate and fundamentally different explanations of relational influence in this context which, according to theory, are associated with different relational attributes. Responding to these gaps, the current study presents a mixed-method examination of the relational antecedents of ERB enactment. We first theoretically develop and quantitatively examine a dual-channel model of socially motivated ERB enactment that highlights two co-existing motivational channels—an exchange-based channel rooted in norms of reciprocity and an identity-based channel rooted in self-verification. Then, applying the findings from quantitative examination of the dual-channel model, we qualitatively examine the specific attributes of these employee-agent relationships that promote ERB enactment. In doing so, this study makes multiple contributions to the literature including unification of prior work in this stream and introduction of detailed profiles of effective employee-agent relationships in this context.

The Effect of Motivation on the Behavioral Intention to Protect Industrial Techniques of High-Tech Firms’ Employees

This study defines the intrinsic and extrinsic motivational factors that influence the prevention of industrial technology leakage by high-tech company employees. It also investigates how these factors affect the employees’ intention to prevent leakage. Based on the TPB (theory of planned behavior), this study analyzes the relationship between “attitude toward behavior”, “subjective norm”, and “perceived behavioral control”, which in turn influences the behavioral intention to prevent such leakage. Specifically, an online survey was conducted among office workers in South Korea’s high-tech industry. A total of 200 questionnaires were collected and analyzed. As the analysis results show, intrinsic motivation has a positive effect on attitude toward behavior, subjective norms, and perceived behavioral control. Extrinsic motivation has a positive effect on subjective norms and perceived behavioral control but a negative effect on attitudes toward behavior. This study also proved, based on the TPB, that the three variables impact the behavioral intention to prevent technology leakage. These results confirm that, in the high-tech sector, where employees are highly specialized and autonomous, technical security behaviors are primarily influenced by individual professional ethics and judgment rather than by organizational regulation or extrinsic motivation.

Safer Sexting Strategies in Technology-Mediated Sexual Interactions: Findings from a National Study

Abstract Introduction While there is extensive research on safer sex, few studies have investigated safer sexting practices. The main objective of this study is to examine the range of security behaviors that individuals adopt in technology-mediated sexual interactions. Methods Three studies collected data on social safety, concealment strategies, and technical security in technology-mediated sexual interactions from participants aged 14–75 in Austria and Germany in 2020 and 2022 (Ntotal = 13,070). Patterns in the data were identified via descriptive statistics and regression analysis. Results The most common precautions of people who used safer sexting strategies were hiding one’s face (46%), only engaging with digital sex partners that are personally known (41%), and negotiating boundaries of consensual sexting (29%). Binomial regression results show that a sexual minority identity, BDSM preference, frequent contact with sexual communities, and prior experiences of unwanted sexting were associated with adopting a wider variety of safer sexting practices. Conclusions The results suggest that the safety strategies used in technology-mediated sexual interactions vary across social groups. Social context factors such as community involvement are associated with the likelihood of safer sexting. Policy Implications Knowledge about safer sexting helps minimize harm in technology-mediated sexual interactions. Safer sexting messages aimed at reducing risk and shame should be included as part of community-based safer sexting education and should be tailored to specific target groups including LGBTIQA+ individuals. Policymakers should support interventions that enhance those social environmental factors that contribute to building trust and consent in technology-mediated sexual interactions.

Technostress and Information Security Behavior Beyond Compliance: A Work-life Resource Perspective

Technostress and Information Security Behavior Beyond Compliance: A Work-life Resource Perspective

Incorrect compliance and correct noncompliance with information security policies: A framework of rule-related information security behaviour

Information security policy (ISP) compliance is recognized as a key measure for dealing with human errors when protecting information. A considerable and growing body of literature has studied the persuasive, deterrent, and coercive antecedents of compliant and noncompliant behaviour. Simultaneously, research indicates that real life situations are too complex and varied to prescribe in terms of a priori rules of acceptable behaviour, and create situations where compliance is in fact harmful for achieving organisational security and business goals. Thus, regarding ISP compliance as inherently “correct” and noncompliance as inherently “incorrect”, may contribute to creating problems that compliance research seeks to alleviate. In this research perspective, we argue that ISP compliance and noncompliance cannot be universally and invariably determined as “correct” or “incorrect” but that they become meaningful only when evaluated against organisational outcomes. We draw on organisational accident theorists to develop our arguments and propose a framework of rule-related information security behaviour (RISB) in order to conceptualize different types of ISP compliant and noncompliant behaviour and their organisational outcomes. Our research argues that compliance and noncompliance are nor inherently correct or incorrect and that making the judgement on the correctness of these actions requires considering the rule, the action, and the outcome.

Factors that influence secure behaviour while using mobile digital devices

PurposeThe use of mobile digital devices requires secure behaviour while using these devices. To influence this behaviour, one should be able to adequately measure the behaviour. The purpose of this study is to establish a model for measuring secure behaviour, and to use this model to measure the secure behaviour of individuals while using mobile digital devices such as smartphones and laptops.Design/methodology/approachBased on a wide-ranging questionnaire (N = 1000), this study investigates the degree of influence that a relatively large number of factors have on secure behaviour while using mobile digital devices. These factors include knowledge and cognitive attitude, but also affective attitude, as well as several types of bias.FindingsThis study has provided a model for measuring secure behaviour. The results of the measurements show that knowledge, bias, cognitive attitude and affective attitude all have impact on secure behaviour while using mobile digital devices. Moreover, none of these factors is of minor importance.Practical implicationsThis study shows that it is important to also consider previously undervalued factors, such as affective attitude and various types of bias, when designing interventions to improve secure behaviour while using mobile digital devices.Originality/valueMost research on secure behaviour has only looked at a small number of influencing factors, usually limited to knowledge and cognitive attitude. This study shows that one needs a more elaborate model for measuring secure behaviour, and that previously undervalued factors have a clear influence on secure behaviour.