Security Behavior Research Articles

Engaging in cyber hygiene: the role of thoughtful decision-making and informational interventions

IntroductionThe effectiveness of human-centric cybersecurity largely depends on end-users’ adherence to security and privacy behaviors. Understanding and predicting variations in the adoption of these safeguards is crucial for both theoretical advancement and practical application. While existing frameworks are often adapted from health science literature, there is potential to enhance these models by incorporating criminological constructs relevant to online victimization. This study introduce rational choice theory of thoughtfully reflective decision-making (TRDM) into the information security domain. TRDM suggests that variations in cognitive decision-making capabilities influence behavioral outcomes, particularly in the context of security and privacy practices.MethodsThe study employed a field experiment to test the applicability of TRDM in predicting end-users’ engagement in security and privacy behaviors. Participants were exposed to security-related warnings, with the hypothesis that thoughtfully reflective decision-makers would be more likely to adopt robust protective behaviors. Data was collected on participants’ responses to these security warnings, as well as their overall adherence to privacy and security practices.ResultsThe findings support the theoretical framework: individuals exhibiting thoughtfully reflective decision-making tendencies demonstrated a higher likelihood of engaging in privacy and security behaviors. Specifically, participants with higher TRDM scores were more likely to adopt protective behaviors when warned of the consequences of non-compliance. These results indicate that cognitive decision-making capabilities significantly influence the likelihood of engaging in cybersecurity practices.DiscussionThe study challenges the prevailing one-size-fits-all approach to cybersecurity by highlighting the importance of individual differences in cognitive decision-making. Thoughtfully reflective decision-makers are better equipped to adopt preventive security measures, suggesting the need for more tailored interventions in cybersecurity education and risk assessment. This research contributes to the development of sophisticated risk assessment tools aimed at mitigating vulnerabilities and reducing users’ susceptibility to digital threats. Incorporating TRDM into information security models provides a more nuanced understanding of user behavior, offering insights into how cognitive processes influence cybersecurity adherence.

Angry and Afraid: Exploring the Impact of Mixed Emotional Reactions to Hate Crimes With LGBT+ and Muslim Communities.

Hate crimes send messages of intolerance that can cause significant emotional and behavioral harm to entire identity groups. Previous research, based on intergroup emotions theory, has helped explain the psychological mechanisms that underpin the indirect effects of anti-LGBT+ hate crime, showing that incidents give rise to perceptions of threat among community members, which in turn elicit certain emotional reactions that trigger specific behavioral outcomes. This article provides two significant contributions to this developing knowledgebase. First, it provides an important replication of the theoretical model with another frequently targeted community: Muslim people. In addition, it offers the first quantitative analysis of how combinations of different emotions trigger discrete behavioral responses in the aftermath of hate crime, thereby providing much-needed nuance to the intergroup emotions theory model. Across two studies (Study 1: N = 589 LGBT+ participants; Study 2: N = 347 Muslim participants), we show that, for both LGBT+ and Muslim participants, indirect experiences of hate crimes are associated with greater perceptions of threat, which are then positively associated with anger, anxiety, and shame, that link to behavioral intentions: avoidance, pro-action, security behaviors, and retaliation. Latent class analyses further revealed that participants' emotional reactions tend to cluster into four distinct profiles in both communities: people scored mid-range on all emotions, or high anger with low shame, or high anger with high anxiety, or low shame. These combinations had direct implications for intended behaviors across both groups: experiencing high anger with high anxiety was a cogent motivator of action. Most significantly, we provide new insights into how and why different emotions interact to predict both similar and divergent behaviors in the aftermath of hate crime incidents. Our findings yield important new knowledge that holds the potential of shaping both public policies and practices aimed at addressing the impacts of hate crimes.

A students’ behaviors in information security: Extension of Protection Motivation Theory (PMT)

ABSTRACT This study investigates information security behaviors among university students, focusing on the interplay of psychological and social factors influencing their behavioral intentions and actions. By integrating the Theory of Planned Behavior, Protection Motivation Theory, and General Deterrence Theory, the research offers a comprehensive understanding of factors such as self-efficacy, perceived risk vulnerability, response cost, and response efficacy. Utilizing structural equation modeling (SEM) and Necessary Condition Analysis (NCA), the study assesses the impact of these factors on students’ information security practices. Measurement items were developed based on recent empirical studies, ensuring relevance to the contemporary digital environment. The findings reveal significant associations between these factors and students’ security behaviors, providing insights into effective strategies for promoting information security awareness and practices. This research contributes to the academic discourse on digital security behaviors and offers practical implications for enhancing information security measures within university settings.

Security awareness, decision style, knowledge, and phishing email detection: Moderated mediation analyses

This study examines whether the negative relationship between email information security awareness and phishing email susceptibility is mediated by less intuitive decision-making when assessing emails, and whether this relationship is moderated by phishing email knowledge. Participants (N = 291) completed an online email sorting task, a measure of email use information security awareness, a measure of preference for intuitive decision-making with emails, and a measure of phishing email knowledge. Moderated mediation analyses indicated that information security awareness predicted positive behavioural intentions directly and indirectly through lower preference for intuitive decision-making, and these relationships were stronger when phishing email knowledge was lower. Further, both the direct and indirect relationships between information security awareness and sensitivity through intuitive decision styles were moderated by phishing email knowledge, with information security awareness positively predicting ability to discriminate phishing from genuine emails when phishing knowledge was average or high but not low. These findings suggest that in the absence of phishing knowledge, information security awareness and less intuitive decision styles reduce susceptibility to phishing attacks through increased caution. Further, the findings provide strong support for the proposition that some level of phishing knowledge is required before email security behaviours and decision-making processes aid in the detection of phishing emails. From an applied perspective, the outcomes suggest that focusing on a combination of awareness, knowledge, and decision-making processes could increase the effectiveness of anti-phishing and cybersecurity training programs.

The Impact of Job Insecurity on Miner Safety Behavior—A Study Based on SEM and fsQCA

The intelligent transformation of coal mines is one of the current trends in developing China’s coal mining industry. To explore the impact of miners’ insecurity on their safety behavior under this trend, miners’ psychological resilience was introduced as the mediating variable, and team safety climate was used as the moderating variable to conduct a questionnaire survey of frontline miners. The data analysis was carried out using descriptive statistics, correlation analysis, structural equation modeling (SEM), and the fsQCA method to explore the impact of job insecurity on miners’ risk behavior through psychological resilience from the dimensions of job loss insecurity, job performance insecurity, and interpersonal insecurity. The results show that the sense of insecurity of the miners has a significant negative correlation with security behavior and a significant negative correlation with psychological toughness; miners’ psychological resilience plays an intermediary role in the correlation between job loss insecurity and miners’ risk behavior. Meanwhile, team safety climate has a significant moderating effect on the relationship between job insecurity and psychological resilience, as well as the relationship between psychological resilience and safety behavior; that is, a good team safety climate can effectively reduce the negative impact of job insecurity brought about by the transformation and upgrading of coal mines.

BYOD security behaviour and preferences among hospital clinicians – A qualitative study

Background/ObjectiveThe use of personal devices for work purposes (Bring-your-own-device) has increased in hospitals, as it facilitates productivity and mobility for clinicians. However, owing to increased risk of leaking patient information, and heavy reliance of patient data privacy on user actions, BYOD is a major challenge for hospitals. There has been a dearth of empirical research studying clinicians’ BYOD security behaviour. Therefore, the study’s aim was to attain subjective understanding of clinicians’ attitudes and preferences towards protecting patient data on their devices through a qualitative study. Methods14 semi-structured interviews were conducted among Australian hospital-based clinicians. A hybrid thematic analysis was conducted using the framework method to explore socio-technical themes pertaining to the clinicians’ BYOD security behavioural practices. ResultsLimited use of secure tools like antivirus and passcodes, and inadequate separation of patient and personal data on BYOD devices was found. Key technology concerns included malware introduction into hospital network, inadvertent patient data sharing, and slow remote access. Hospitals lacked dedicated BYOD policies and training, resulting in unsafe practices. Participants also cited misalignment of BYOD policies with workflow needs, privacy maintenance challenges and fears of personal data breaches, while calling for improved communication between technical and clinical staff and a strong cybersecurity culture. ConclusionThis study provides a comprehensive understanding of BYOD related user behaviour and the usefulness of security controls used in time-sensitive and complex hospital environments. It can inform future policies or processes by advocating for secure and productive BYOD use.

Factors Influencing Employees’ Information Security Behavior in the Telework Environment: An Empirical Study of the Philippines

Factors Influencing Employees’ Information Security Behavior in the Telework Environment: An Empirical Study of the Philippines

Shaping extra-role security behaviors through employee-agent relations: A dual-channel motivational perspective

Organizational information security performance increasingly depends on employees’ extra-role security behaviors (ERBs), which go beyond the scope of formal organizational prescription and control. At the same time, however, the literature suggests ERBs are largely unresponsive to traditional outline-and-control approaches to behavioral security. Instead, this stream finds that ERBs are primarily cultivated through social interactions with other organizational agents, namely the IS department and the direct supervisor. While important progress has been made in explicating the social nature of ERBs and the organizational agents that shape it, little is currently understood about the attributes of these employee-agent relationships that give rise to their influence on ERB enactment. Tied to this void, review of the literature reveals two separate and fundamentally different explanations of relational influence in this context which, according to theory, are associated with different relational attributes. Responding to these gaps, the current study presents a mixed-method examination of the relational antecedents of ERB enactment. We first theoretically develop and quantitatively examine a dual-channel model of socially motivated ERB enactment that highlights two co-existing motivational channels—an exchange-based channel rooted in norms of reciprocity and an identity-based channel rooted in self-verification. Then, applying the findings from quantitative examination of the dual-channel model, we qualitatively examine the specific attributes of these employee-agent relationships that promote ERB enactment. In doing so, this study makes multiple contributions to the literature including unification of prior work in this stream and introduction of detailed profiles of effective employee-agent relationships in this context.

The Effect of Motivation on the Behavioral Intention to Protect Industrial Techniques of High-Tech Firms’ Employees

This study defines the intrinsic and extrinsic motivational factors that influence the prevention of industrial technology leakage by high-tech company employees. It also investigates how these factors affect the employees’ intention to prevent leakage. Based on the TPB (theory of planned behavior), this study analyzes the relationship between “attitude toward behavior”, “subjective norm”, and “perceived behavioral control”, which in turn influences the behavioral intention to prevent such leakage. Specifically, an online survey was conducted among office workers in South Korea’s high-tech industry. A total of 200 questionnaires were collected and analyzed. As the analysis results show, intrinsic motivation has a positive effect on attitude toward behavior, subjective norms, and perceived behavioral control. Extrinsic motivation has a positive effect on subjective norms and perceived behavioral control but a negative effect on attitudes toward behavior. This study also proved, based on the TPB, that the three variables impact the behavioral intention to prevent technology leakage. These results confirm that, in the high-tech sector, where employees are highly specialized and autonomous, technical security behaviors are primarily influenced by individual professional ethics and judgment rather than by organizational regulation or extrinsic motivation.

Safer Sexting Strategies in Technology-Mediated Sexual Interactions: Findings from a National Study

Abstract Introduction While there is extensive research on safer sex, few studies have investigated safer sexting practices. The main objective of this study is to examine the range of security behaviors that individuals adopt in technology-mediated sexual interactions. Methods Three studies collected data on social safety, concealment strategies, and technical security in technology-mediated sexual interactions from participants aged 14–75 in Austria and Germany in 2020 and 2022 (Ntotal = 13,070). Patterns in the data were identified via descriptive statistics and regression analysis. Results The most common precautions of people who used safer sexting strategies were hiding one’s face (46%), only engaging with digital sex partners that are personally known (41%), and negotiating boundaries of consensual sexting (29%). Binomial regression results show that a sexual minority identity, BDSM preference, frequent contact with sexual communities, and prior experiences of unwanted sexting were associated with adopting a wider variety of safer sexting practices. Conclusions The results suggest that the safety strategies used in technology-mediated sexual interactions vary across social groups. Social context factors such as community involvement are associated with the likelihood of safer sexting. Policy Implications Knowledge about safer sexting helps minimize harm in technology-mediated sexual interactions. Safer sexting messages aimed at reducing risk and shame should be included as part of community-based safer sexting education and should be tailored to specific target groups including LGBTIQA+ individuals. Policymakers should support interventions that enhance those social environmental factors that contribute to building trust and consent in technology-mediated sexual interactions.

Technostress and Information Security Behavior Beyond Compliance: A Work-life Resource Perspective

Technostress and Information Security Behavior Beyond Compliance: A Work-life Resource Perspective

Incorrect compliance and correct noncompliance with information security policies: A framework of rule-related information security behaviour

Information security policy (ISP) compliance is recognized as a key measure for dealing with human errors when protecting information. A considerable and growing body of literature has studied the persuasive, deterrent, and coercive antecedents of compliant and noncompliant behaviour. Simultaneously, research indicates that real life situations are too complex and varied to prescribe in terms of a priori rules of acceptable behaviour, and create situations where compliance is in fact harmful for achieving organisational security and business goals. Thus, regarding ISP compliance as inherently “correct” and noncompliance as inherently “incorrect”, may contribute to creating problems that compliance research seeks to alleviate. In this research perspective, we argue that ISP compliance and noncompliance cannot be universally and invariably determined as “correct” or “incorrect” but that they become meaningful only when evaluated against organisational outcomes. We draw on organisational accident theorists to develop our arguments and propose a framework of rule-related information security behaviour (RISB) in order to conceptualize different types of ISP compliant and noncompliant behaviour and their organisational outcomes. Our research argues that compliance and noncompliance are nor inherently correct or incorrect and that making the judgement on the correctness of these actions requires considering the rule, the action, and the outcome.

Factors that influence secure behaviour while using mobile digital devices

Factors that influence secure behaviour while using mobile digital devices

Promoting Security Behaviors in Remote Work Environments: Personal Values Shaping Information Security Policy Compliance

Organizations worldwide face critical concerns related to cybersecurity threats and information security policy (ISP) compliance. Even though humans are the weakest link in the cybersecurity chain, information security professionals understand the importance of promoting individual information security behaviors because employees are also the first line of defense against ever-increasing cyber threats. Despite a recent trend of working from home, organizations do not make significant differences in their information security interventions for remote workers, relying mainly on VPNs as the only used tool, essentially making employees follow in-office standard information security policies because they are “virtually in-office.” Our study suggests that organizations need to recognize the unique context of remote work and consider personal motivations when shaping information security practices. Furthermore, our study indicates that in order to motivate remote employees to follow secure information security practices, organizations should consider personal characteristics instead of focusing on generic interventions. For instance, our study compares onsite and remote workers, suggesting that personal values are more relevant in remote work settings. Our findings exemplify just one of the many potential personal characteristics to be considered, highlighting how personal values are important motivators for ISP compliance and how they differ for onsite and remote workers in their importance when following information security rules.

Transactions at Your Fingertips: Influential Factors in Information Security Behavior for Mobile Banking Users

Transactions at Your Fingertips: Influential Factors in Information Security Behavior for Mobile Banking Users

Unraveling juxtaposed effects of biometric characteristics on user security behaviors: A controversial information technology perspective

Biometric authentication has become ubiquitous and profoundly impacts decision-making for both individuals and firms. Despite its extensive implementation, there is a discernible knowledge gap in understanding the nuanced influence of biometric characteristics on user security behaviors. To advance this line of research, we embrace the controversial information technology framework to delve into the juxtaposed nature of biometric characteristics, wherein they concurrently yield benefits and raise concerns that manifest in opposing effects on users' switching behavior. Adopting a sequential mixed methods approach, we first conducted semi-structured interviews that uncovered three key biometric characteristics and identified two benefits and two concerns associated with them. A follow-up survey was conducted to explore the interplay between each identified construct. The results emphasize the pivotal role of biometric characteristics in shaping user security behavior. Our research contributes to theoretical understanding by scrutinizing user behaviors vis-à-vis biometric authentication through a controversial IT perspective.

Cracking the Code

With the expanding reach of the Internet of Things, information security threats are increasing, including from the very professionals tasked with defending against these threats. This study identified factors impacting information security behavior among these individuals. Protection motivation theory and the theory of planned behavior were employed along with work-related organizational factors as a theoretical framework. Data were collected through a survey of 595 information security professionals working in Saudi information technology companies. Structural equational modeling was used to analyze the data. Threat susceptibility, threat severity, self-efficacy, response cost, fear attitude, behavioral control, subjective norms, and organizational commitment were found to play a significant role in information security protection motivation and behavior, while job satisfaction did not.

Register transfer level hardware design information flow modeling and security verification method

Information flow analysis can effectively model the security behavior and security properties of hardware design. However, the existing gate level information flow analysis methods cannot deal with large-scale designs due to computing power and verification effectiveness, and the register transfer level (RTL) information flow analysis methods require formal languages to rewrite hardware designs. This paper proposes a RTL hardware design information flow modeling and security verification method. Based on the RTL functional model, this method develops an information flow tracking logical model to model security behavior and security properties of RTL hardware designs from the perspective of information flow. This method can be integrated into EDA flows and uses EDA testing and verification tools to capture security property violations and detect security vulnerabilities based on non-interference security policy. The results on experiments with Trust-Hub hardware Trojan benchmarks show that the proposed method can effectively detect hardware Trojans.

Evaluating Online Security Behavior: Development and Validation of a Personal Cybersecurity Awareness Scale for University Students

Evaluating Online Security Behavior: Development and Validation of a Personal Cybersecurity Awareness Scale for University Students

Explanatory and predictive analysis of smartphone security using protection motivation theory: a hybrid SEM-AI approach

PurposeThis research aims to understand the smartphone security behavior using protection motivation theory (PMT) and tests the current PMT model employing statistical and predictive analysis using machine learning (ML) algorithms.Design/methodology/approachThis study employs a total of 241 questionnaire-based responses in a nonmandated security setting and uses multimethod approach. The research model includes both security intention and behavior making use of a valid smartphone security behavior scale. Structural equation modeling (SEM) – explanatory analysis was used in understanding the relationships. ML algorithms were employed to predict the accuracy of the PMT model in an experimental evaluation.FindingsThe results revealed that the threat-appraisal element of the PMT did not have any influence on the intention to secure smartphone while the response efficacy had a role in explaining the smartphone security intention and behavior. The ML predictive analysis showed that the protection motivation elements were able to predict smartphone security intention and behavior with an accuracy of 73%.Research limitations/implicationsThe findings imply that the response efficacy of the individuals be improved by cybersecurity training programs in order to enhance the protection motivation. Researchers can test other PMT models, including fear appeals to improve the predictive accuracy.Originality/valueThis study is the first study that makes use of theory-driven SEM analysis and data-driven ML analysis to bridge the gap between smartphone security’s theory and practice.