Article info

Article history:
Received 19 October 2017
Revised 20 August 2018
Accepted 20 August 2018
Available online 30 August 2018

Keywords:
Information Technology Security
IT Professionals
Cybersecurity
Social Engineering
Protective Motivation Theory
Security Behavior
Human Behavior
Security Awareness Programs

Abstract

Protecting digital assets is a growing concern for corporations, as cyberattacks affect business performance and reputation, and compromise intellectual property. Information technology (IT) security in general and cyber security in particular is a fast-evolving area that requires continuous evaluation and innovation. The objective of cyber-attacks has not changed over time; however, there is a shift in the attack methods through the increased use of social engineering, concentrating on the human elements as the weakest link in the security posture of any system network. This research looks at the relationship between threat awareness and countermeasure awareness on IT professionals' compliance with desktop security behaviors. The model originally put forward by Hanus and Wu (2016) was tested on a population of 400 IT professionals across a broad range of IT roles and company sizes in the United States. The overall findings show that 61.2% of the variability in desktop security behavior can be explained by threat awareness and countermeasure awareness. In addition, the research found a determinant relationship between threat awareness and countermeasure awareness with the five elements of protective motivation theory (PMT), which include perceived severity, perceived vulnerability, self-efficacy, response efficacy, and response cost. Finally, the research shows that all elements of PMT, with the exception of perceived vulnerability, significantly determine desktop security behavior.

© 2018 Elsevier Ltd. All rights reserved.
∗ Corresponding author.
E-mail address: stephen.boyle@unisa.edu.au (S. Boyle).
https://doi.org/10.1016/j.cose.2018.08.007
0167-4048/© 2018 Elsevier Ltd. All rights reserved.
computers & security 79 (2018) 68–79 69
with the attacker who can then use them to gain access to the network. Unlike the attacks on the human elements, automated attacks create a common signature or method that can be shared among IT professionals and security companies.

IT professionals' credentials, including user name and password, are of great interest to any hacker due to the IT professional's potential broad access to sensitive areas of the network, including root access and network description, which would enable a hacker to roam freely, download data from the network, or simply monitor information of interest. The present study will focus on the effectiveness of awareness of this specific population: IT professionals. Unfortunately, cyber-attacks have been growing at an annual rate of 200%, resulting in $400 billion in annual losses to corporations and individuals in 2015, up from $100 billion in 2013 (Morgan 2016). These rates are critical for businesses as they face an increased reliance on information systems in terms of intellectual property creation and big data analytics to reach competitive advantage. Therefore, it is essential that their information remain secure and that awareness aimed at protection is given to IT professionals (James et al. 2013).

This study extends the work of Hanus and Wu (2016) to a more valued population in the eyes of hackers: the IT professionals. While the original research was conducted on university students in a university setting, the current research will examine how IT professionals respond to security awareness in terms of desktop security behavior. The study also contributes to the literature by focusing on an additional behavioral influencer, the protection motivation theory (PMT).

2. Literature review

The human behavior literature establishes several theories to predict human response to specific situations, a critical element of the proposed conceptual framework evaluated in this research. These include the theory of Planned Behavior, the theory of Neutralization and the theory of Knowledge, Attitude and Practice – KAP (Armitage and Conner 2001). These theories can provide useful conceptual frameworks for dealing with the complexities of information security. At the same time, there are some constraints in relation to the time in which behavior responses to security threats can be studied. For instance, the Neutralization Theory (NT) attempts to justify a deviant act or crime. NT provides a rationale to justify actions and neutralize guilt. This was deemed not appropriate for this study as it looks at behavior post action, whereas this research aims to look at ways to modify behavior to protect against misbehavior. The theory of Planned Behavior (PB) aims to underlie the foundations of one's beliefs about their behavior, aiming to trace subjective norms and attitudes (Ajzen 1991). PB theory covers intentions prior to actions, which are driven by the values of the individuals to behave. As this relies on understanding individual intentions, morals, values, and beliefs, it would be a much larger study requiring qualitative interpretation of the norms and beliefs of the individual. KAP (Knowledge, Attitude and Practice) theory is a useful framework for analyzing the effectiveness of a training process where new skills, knowledge, and attitudes are developed. The KAP approach has a powerful appeal to test out the effectiveness of the training process itself and measure change in attitudes and behaviors. This approach could extend the current study by analyzing the training process and the motivations to learn and adapt their behavior by those undertaking the training.

This study will focus on an additional behavioral influencer, by utilizing the Protection Motivation Theory (PMT), which evolved from the theory of fear appeal (Maddux and Rogers 1983). PMT was first proposed by Rogers to predict people's engagement in health risk prevention (Rogers, 1975). The theory identifies three elements that lead to a fear appeal: the impact of the event, the probability of the event occurring, and the efficacy of the individual in protecting oneself from the event. Fear on its own has a direct impact on an individual's behavior. The experience of fear is a motivation for response, but the level and type of response is affected by all three elements of PMT. PMT was later expanded by Bandura (1977) and Maddux and Rogers (1983). These made two major contributions: First, they demonstrated the existing PMT elements and, as predicted, showed that threat occurrence and coping response have positive effects on the intent to adopt recommendations to prevent unhealthy behavior. Second, they provided evidence that self-efficacy expectancy is an additional key element of PMT. In 1991, Tanner Jr et al. continued the assessment of PMT by reviewing its applicability to marketing material in the medical field. In developing the PMT model further, Tanner Jr et al. (1991) expanded the review of the theory in four ways and assessed additional variables both theoretically and empirically. Additional variables tested included the emotional aspect of fear, something that was mostly ignored in the original theory. The elements of PMT follow an appraisal process, thus individuals apply behaviors that deal with their fear as opposed to behaviors that reduce the threat. The normative and social components of fear were also reviewed, as many social behaviors are influenced not just by an individualistic assessment of a given situation but also by the social context.

The ability to use PMT as a behavior independent variable was evaluated by Hodgkins and Orbell (1998) through a longitudinal study. The findings showed that previous intentions are a significant predictor of behavior and that adding earlier intentions to the variables of PMT significantly improved its predictive value. The results also indicated that coping appraisal is a significant determinant of protection motivation and that self-efficacy is the only predictor of future intentions. Hodgkins and Orbell (1998) concluded that the PMT variables were not sufficient to define future behavior in a longitudinal context.

2.1. Protection Motivation: information security and security awareness

Early work in the area of protective technology, which may include products that protect against items such as viruses, spyware, unauthorized access, and disruption, revealed that protective technology adoption is different from the adoption of technology in general (Dinev and Hu 2007). Empirical quantitative research conducted by Dinev and Hu (2007) on 339 subjects (50% IT professionals and 50% business students from a large southeastern U.S. university) showed that the
adoption of protective technologies is highly motivated by awareness and fear. The findings revealed that the effect of awareness on individual behavior intention is greater for those with stronger technology knowledge than for those with weaker knowledge. Given that protective technology use is motivated by fear, awareness has a greater impact on adoption than it does in the case of positive technologies (i.e., those that deliver productivity improvements).

As organizations look to achieve compliance with security policies, an element of fear is normally incorporated into awareness communication. Johnston and Warkentin (2010) developed an empirical experimental study to evaluate the relationship between fear and end users' compliance with the security posture, using a model that extended PMT to include social influences. The results indicated that a fear appeal affects user behavior related to compliance with security policies, but the magnitude of the effect is not uniform. The results showed that self-efficacy, response efficacy, and threat severity all affect the level of response, as suggested by PMT. These results are consistent with the findings of Gurung et al. (2009) and Herath and Rao (2009). Johnston and Warkentin (2010) expanded on those findings by stating that social influences also inform the effectiveness of fear in behavior modification. The results are also consistent with those of Siponen (2000), who argued that persuasive messages are positively related to attitudes and motivations.

Given the high frequency of information breaches, which occur once a year on average, compliance with policies must be a high priority for any information security team. Habit toward compliance with information security policies has a significant impact on all the elements of PMT (Vance et al., 2012). Thus, habits not only support compliance with information security but also affect the level of response efficacy and self-efficacy, which in turn will influence employees' intent to comply. The PMT study by Vance et al. (2012) supported the notion that employees who felt inconvenienced by the security policies evaluated the cost of compliance as high and were more likely not to comply with the policies, as predicted by PMT.

Building on the earlier works described above, Hanus and Wu (2016) studied the impact of security awareness on desktop security behavior through the PMT lens. They found that security awareness significantly affects key elements of PMT, including perceived severity, response efficacy, self-efficacy, and response cost. The findings demonstrated that when it comes to home users, similar to corporate and government employees, security awareness can influence the contributing factors of PMT and, in turn, the users' response to security policy and expected behavior. These results bring into question how awareness programs are constructed and delivered.

The review of the PMT literature in general and as it relates to information security in particular demonstrates that PMT is central to any IT user's behavior in terms of compliance and actions to protect their information technology assets, while awareness also plays a key role in PMT. While security awareness programs can be designed from a PMT perspective, using the cognitive response to security in the context of perceived severity, perceived vulnerability, self-efficacy, response efficacy, and response cost (Hanus and Wu 2016), the training process could also be evaluated in the context of organizational learning. Awareness programs should foster organizational learning (see for example: Herath and Rao, 2009; James et al., 2013; Sumner, 2009 and Wu et al., 2012). As such, when learning tools, such as cognitive maps, are used in the learning process, the learning will build security awareness as one type of distributed cognition. Thus, with the proper design, the program should include individual expertise, knowledge, and experience and place them in procedural and declarative organizational memory.

Various studies have validated the importance of PMT to information security. For example, Woon et al. (2005) provided a conceptual foundation of PMT for home wireless security. In particular, their research identified key cognitive behaviors that differed between individuals who secured their wireless access and those who did not. Chenoweth et al. (2009) used PMT to study users' intentions to adopt anti-spyware software, arguing that PMT is a valuable tool for understanding and explaining individuals' pattern of adopting protective technologies. Crossler (2010) also indicated the effectiveness of PMT in understanding the behaviors behind individuals' intention toward technology adoption. Specifically, Crossler's research showed that security self-efficacy and response efficacy positively influenced the backing up of data and the use of technology to support this. Vance et al. (2012) expanded PMT to evaluate employees' failure to comply with IS security procedures, recognizing that IS security compliance strongly reinforced the cognitive processes theorized by PMT. Information security has become a critical element of computing systems due to the expanding use of the Internet as a communication vehicle and the explosion of digital information that it has generated. The literature indicates that security awareness influences user behavior related to defending against information security risks (see for example the various PMT applications to information security and risks: Herath and Rao, 2009; Thomson and Solms, 1998 and Puhakainen and Siponen, 2010). It also suggests that PMT is an effective model that can inform training programs in a way that maximizes their value and effectiveness.

When protecting against attacks, it is important to understand the weakest link in the security infrastructure, as hackers will look to exploit that area (Hinde, 2001). The weakest link is not a stagnant problem, as technologies and processes are put in place to resolve it. Items such as fraudulent certificates, wireless hotspots, and screensavers are some examples of weakest links that have been identified and for which technological solutions have been proposed (Hinde, 2001).

Modern security infrastructure defense postures require an adequate response to phishing, a rapidly growing attack vector that circumvents many of the technology-based security systems and focuses on the human element falling prey to a cyber attacker. The next section will present a review of the literature on phishing and present a broader view of the human element's impact in terms of enabling phishing through risky behaviors.

2.2. Human elements in cyber attack vulnerability

Despite continued developments in technical security measures, the critical risk that is commonly described as the weakest link is the human element (Boss et al. 2009). Human behavior has a multitude of elements that need to be
addressed in the context of information security. The study of Aleem et al. (2013) expanded on the findings of James et al. (2013) and Charbonneau (2011), going beyond the human behavior of corporate citizens trying to protect corporate or personal data and recognizing that corporate citizens with malicious intent could be at the heart of an attack. In such a situation, training for employees may serve more than just the purpose of looking for phishing attacks, as it may also serve the purpose of evaluating behaviors of peers and identifying behaviors that may not be consistent with the best interests of the company (Jansson and von Solms, 2013).

Given the complex nature of cyber warfare and the human element as an enabling gateway to the network (Aleem et al. 2013; James et al. 2013), the defense process needs to be both dynamic and complex. Security against the growing, human-focused attack vectors requires a multi-layered adaptive approach. A layered approach is a technical solution that combines threat assessment and the automated assignment of security techniques. The layered approach starts at the perimeter of the information system, with authentication and authorization, and ends with data encryption (Seong-kee and Tae-in, 2015). In between these layers, steps are taken to evaluate normal data patterns as well as any data movement and connections that violate normal network behaviors. Even upon the successful compromise of a human element, the defense systems may identify abnormal data movements or human behaviors that would automatically suggest a compromise to the security team (Krombholz et al., 2015). For example, when an employee who has never before requested to move files from a secured area of the network suddenly requests a movement, the request may be flagged and quarantined for additional approvals. Reducing the number of attacks, which is the goal of the awareness research proposed, will reduce the number of anomalies in the network and increase the success of such systems in detecting cyber attackers.

Humans are increasingly becoming the primary conduit for IT attacks. According to Lemos (2016), 91% of companies have experienced phishing attacks, and 84% of these companies claimed that these attacks were successful. Phishing attacks focus on the human element and work to gain access to critical resources by acquiring information from the network's weakest link. To better protect the IT environment, it is crucial to understand human nature in terms of what would motivate employees to comply with security guidelines and policies, and then incorporate that learning into security awareness programs.

The most common targets of spear phishing are IT professionals, followed by finance professionals (Greengard, 2016). IT professionals would be a valuable source of information that would help attackers reach critical elements of the network. While every IT user can create risk to the IT infrastructure, IT professionals have the most access to IT assets and, as such, need the most protection. Awareness programs are implemented to improve user behavior, and much research has been conducted, mostly on students, to assess their effectiveness. The current research focuses its evaluation on the effect of awareness programs on IT professionals and evaluates how they impact their behaviors in terms of protecting their desktop and policy compliance.
[Figure: research model diagram. Constructs shown: Threat Awareness (TA), Perceived Severity (PS), Perceived Vulnerability (PV), Countermeasure Awareness (CA), Self-Efficacy (SE), Response Efficacy (RE), Response Cost (RC), Desktop Security Behavior (DSB).]
Path     P Value
CA-RC    0.00∗
CA-RE    0.00∗
CA-SE    0.00∗
PS-DSB   0.04∗
PV-DSB   0.94
RC-DSB   0.00∗
RE-DSB   0.00∗
SE-DSB   0.00∗
TA-PS    0.00∗
TA-PV    0.00∗

∗ indicates significance less than 0.05.
Fig. 2, a broad distribution of age groups helps generalize the results to all IT professionals over the age of 21.

While the intent was to capture a broad cross-section of industries, the response was highly skewed toward the information technology industry, with 46% of participants. Fig. 3 illustrates the number of IT professionals based on IT disciplines. While the disciplines were not equally distributed, a good representation exists across several areas of IT. Therefore, the results could be applied to a broad group of IT professionals. With 72% of respondents working in desktop support, networking, storage, or security, the results are clearly applicable to IT professionals with access to sensitive areas of the network, be it desktops or networks, which are critical areas of focus for hackers looking to reach sensitive assets.

3.5. Inferential statistics

PLS was used to calculate the R2 and loading of the research model. Fig. 4 summarizes the results of the PLS model, demonstrating that the model explains 62% of the users' desktop behavior. While there is a strong determinant relationship and high path coefficient between threat awareness and perceived severity, with 41% of the perceived severity explained by threat awareness, there is little loading and no statistically significant relationship between perceived severity and desktop behavior (see Table 3). Thus, threat awareness has little influence on desktop behavior in spite of its strong relationship with perceived severity.

The findings suggest that countermeasure awareness has the strongest statistically significant loading on the self-efficacy, response efficacy, and response cost elements of PMT, and that these elements further have significant effects on desktop security behavior. Therefore, it can be concluded that countermeasure awareness in the surveyed population has a stronger relationship with IT professional behaviors than threat awareness.

Table 3 further demonstrates that the relationship assumed in the research model applies to the researched population of IT professionals across the US. The only relationship that does not show statistical significance is the one between perceived vulnerability and desktop security behavior. These findings indicate that the model, using PMT as a lens for assessing user behavior, is mostly consistent with the expected assessment of behavior.
Table 4 – Summary of Hypotheses 1 testing results.

Path   R2     Loading  Sig
TA-PS  0.416  0.645    ∗
TA-PV  0.138  0.371    ∗

∗ indicates significance less than 0.05.

Table 6 – Summary of Hypotheses 30 and 31 testing results.

Path    Loading  Sig
PS-DSB  −0.006   –
PV-DSB  −0.116   ∗

∗ indicates significance less than 0.05.
evidence to reject the null hypotheses. Because the loading represents the magnitude of the effect, there is evidence to support the hypothesis that response efficacy by IT professionals had the strongest effect on desktop security behavior, followed by response cost and self-efficacy, respectively.

The inferential analysis using SmartPLS shows that all model paths, with the exception of perceived severity, have statistically significant effects on IT professionals' desktop security behavior. These findings suggest that awareness affects IT professionals, as predicted by PMT, with the exclusion of perceived severity. The findings also provide information on the relative importance of threat awareness and countermeasure awareness on behavior, showing that countermeasure awareness has a greater effect.

5. Discussion

The external research model assesses the relationships among threat awareness, countermeasure awareness, and desktop security behaviors. Given the use of PLS, the external model is evaluated as a part of the PLS analysis technique chosen for this study. Given that no prior research exists on IT professionals and desktop security behavior, no direct comparison can be reached between the findings of this study and prior ones; however, given the earlier research by Hanus and Wu (2016), the results across different populations can be compared.

An overall R2 of 0.619 indicates the model explains 61.2% of the variance in desktop security behavior. When comparing this with the findings of Hanus and Wu (2016), which had an R2 of 0.461, it appears that the model is stronger for IT professionals than it is for a student population. In fact, the relationship can be described as strong for the IT professionals and moderate for the student population (Chin 1998; Hair Jr et al. 2016).

The increased explanatory strength of the model when evaluated on IT professionals may be explained by IT professionals' appreciation of the impact of desktop security behavior on their daily life. For a security professional, a breach could lead to significant work in data recovery, removal of malware, or affect intellectual property and productivity in the event that a breach led to data exfiltration. The idea that IT professionals are more affected by awareness than students is consistent with the conclusions by Dinev and Hu (2007), who specifically set out to compare students' and IT professionals' behavior (although that study did not evaluate this difference in the context of desktop security behavior).

The analysis provides support that a determinant relationship exists between threat awareness and perceived severity. The R2 of 0.416 indicates that 41.6% of the variability in perceived severity can be explained by threat awareness. While the earlier research identified a significant relationship between threat awareness and perceived severity, the R2 of 0.03 suggests that the relationship is much stronger in the IT professional population than it is in the student population researched by Hanus and Wu (2016). This difference could be attributed to the broader knowledge that IT professionals have on the impact of security on computer systems; as such, increased awareness leads to a stronger perception of risk.

The analysis also supports that a determinant relationship exists between threat awareness and perceived vulnerability. The R2 of 0.138 indicates that 13.8% of the perceived vulnerability can be attributed to threat awareness. The findings show a weaker relationship between threat awareness and perceived vulnerability, relative to threat awareness and perceived severity. This may indicate that IT professionals have a better understanding of severity than vulnerability and thus can relate to the threat more directly with severity. Hanus and Wu (2016) found no relationship between threat awareness and perceived vulnerability. This may be attributed to the overall weaker determinant relationships found between the variables in the student population; these, in turn, might lead to weak relationships in IT professionals, equating to an insignificant relationship in the student population.

In terms of countermeasure awareness, the findings suggest a positive relationship with coping appraisal, as measured by self-efficacy, response efficacy, and response cost, which provided path coefficients of 0.563, 0.570, and 0.316, respectively, and an R2 of 0.317, 0.324, and 0.1, respectively. These findings are consistent with the findings of Hanus and Wu (2016), but show a stronger, more pronounced effect of countermeasure awareness in the IT professional population relative to that of students. As discussed earlier, the more pronounced effect in a knowledgeable group is consistent with the findings of Dinev and Hu (2007) and LaRose et al. (2008), and may be attributed to the better understanding of the application of countermeasures and the confidence in being able to translate knowledge into action. This finding is also consistent with that of Liang and Xue (2010), who described the user response to technology threat awareness theory and found that individuals will take appropriate action to deal with threats based on their perceptions and motivations. Thus, IT professionals would be able to utilize countermeasure awareness more successfully than non-technical students would.

In terms of the relationship between threat appraisals (as measured by perceived severity and perceived vulnerability) and desktop security behavior, the findings indicate mixed results. The results indicate a significant relationship between perceived severity and desktop security behavior; no significant relationship was found between perceived vulnerability and desktop security behavior. These findings differ from those of Hanus and Wu (2016), who did not find any statistically significant relationship between either factor (threat appraisal or desktop security behavior). Similar to other findings, the student population appears to be less responsive to awareness programs as well as less responsive in terms of action. Perhaps this is due to lower concern about the effects associated with this type of risk.

In terms of coping appraisal and desktop security measures, the findings identified a positive significant relationship across all three measures of coping appraisals; Hanus and Wu (2016), however, did not find a significant relationship with response cost. This finding may be due to students not caring about the cost, or to the overall lower relationship across all factors, leading the weakest relationship to become insignificant in the case of students.

Overall, the findings suggest that IT professionals are affected more significantly than students by awareness, in
terms of both threat awareness and countermeasure awareness, and that PMT is an effective theory to assess their response to awareness. Furthermore, 61.9% of the desktop behavior of IT professionals can be explained by awareness; this supports the idea that awareness programs are critical to the security posture of any organization, as proposed by Siponen (2000), Wolf et al. (2011), James et al. (2013), and Hanus and Wu (2016). There are important implications to this study, which are discussed below.

6. Implications

As the world continues to increase its reliance on digital data for every aspect of life, IT security continues to grow in importance. Lack of adequate security systems can put corporations and individuals at risk of security breaches that can have devastating implications. Target, for example, lost millions of dollars from one breach, and suffered a significant negative impact on its reputation. As security systems continued to improve in response to known attack signatures, hackers moved their focus to the weakest element of the security infrastructure, the human element. Unlike technology-based solutions, which scan data for patterns that appear or that are known to be malicious, humans vary in their application of security systems, compliance with policies, and response to phishing and spear-phishing attacks. Therefore, it is critically important to understand how humans respond to attempts to improve their compliance and behavior in the face of this growing risk. Such understanding is vital to any organization that may be affected by loss of proprietary information, release of personal identifying information, lack of compliance with regulatory requirements such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Sarbanes-Oxley (SOX), or even access to its computing infrastructure to conduct its business.

Protection motivation theory (PMT) was shown to be an effective lens through which to predict the response of employees, both IT professionals and others, to programs that highlight the risks and responses in terms of their desktop security behaviors. Thus, organizations should invest significant effort in developing and delivering training to all employees. While employee response to such training is important, this study found that IT professionals respond more strongly to

general population, awareness programs should focus much more heavily on countermeasure awareness to affect policy compliance.

This research contributes to the body of knowledge in several respects. First, it is the first study to build upon the work of Hanus and Wu (2016) and explore how IT professionals respond to security awareness in terms of desktop security behavior. Second, it is the first nationwide survey to evaluate the effects of awareness on IT professionals using PMT in a work environment. Third, the research provides primary data that was not previously available, which can be used for future comparative studies. Finally, it is one of very few behavioral studies in information security to go beyond a student body population. The results indicate that awareness training for IT professionals, especially in the area of countermeasure activities, would greatly improve the strength of the weakest link in the security chain, the human element; furthermore, the results indicate that this type of training is effective for IT professionals.

7. Practitioner model

The findings suggest that security compliance training should focus primarily on countermeasure awareness, since threat awareness has only a small impact on desktop security behavior. Fig. 5 provides a simplified version of the research model that is most relevant to practitioners, based on this research finding.

To further simplify the model for practical application, the PMT elements are removed to create a more direct relationship between training and desktop security behaviors. With some modification to the wording, an easily remembered model is presented in Fig. 6, playing on the acronym for the Central Intelligence Agency (CIA), to show that CIA leads to CIS. This simplified model (Fig. 6), "CIA leads to CIS," can help consultants and practitioners remember, teach, and implement effective security programs.

Building upon these findings, an approach to the security training process has been developed. To make the model easy to remember, the proposed model uses the acronym "ACE", as described below and captured pictorially in Fig. 7:

A: Awareness program implementation
C: Countermeasure focused training
training than the general population. This finding is encour- E: Evaluate effectiveness
aging, as IT professionals may have access to critical elements
of the computing infrastructure, including root access to the
network, which would be highly valuable to any attacker. This 8. Recommendations for future studies
means that when awareness programs are implementing, it
is important to include all the IT professionals in the program The research provided insight into the relationship between
and not assume that any individual would comply with awareness programs and desktop security behaviors of IT pro-
desktop behavior policy without training. It is also important fessionals across the US. While this research expanded on
to understand that awareness training is not as effective on the body of knowledge by focusing on IT professionals, future
the general population, and therefore should be augmented study can further narrow the focus to IT professionals with
with other incentives and assessments to reach compliance. root access. A security breach at the desktop of a user with root
Another key implication of this study relates to the focus access could present an excellent target for a hacker looking
areas for awareness. The findings suggest that threat aware- for broad access to the network. In addition, future research
ness has a weaker relationship with desktop security behav- can broaden the scope of the population by doing a compara-
ior than countermeasure awareness does. While both show tive study across geographic regions, to see whether IT profes-
stronger relationships with IT professionals than with the sionals in different regions respond differently to awareness.
78 computers & security 79 (2018) 68–79
REFERENCES

Gurung A, Luo X, Liao Q. Consumer motivations in taking action against spyware: an empirical investigation. Inf Manag Comput Secur 2009;17(3):276–89.
Hair JF Jr, Hult GTM, Ringle C, Sarstedt M. A primer on partial least squares structural equation modeling (PLS-SEM). Sage Publications; 2016.
Hanus B, Wu YA. Impact of users' security awareness on desktop security behavior: a protection motivation theory perspective. Inf Syst Manag 2016;33(1):2–16.
Henseler J, Ringle CM, Sinkovics RR. The use of partial least squares path modeling in international marketing. Adv Int Mark 2009;20(1):277–319.
Herath T, Rao HR. Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur J Inf Syst 2009;18(2):106–25.
Hinde S. The weakest link. Comput Secur 2001;20(4):295–301.
Hodgkins S, Orbell S. Can protection motivation theory predict behaviour? A longitudinal test exploring the role of previous behaviour. Psychol Health 1998;13(2):237–50.
James T, Nottingham Q, Kim BC. Determining the antecedents of digital security practices in the general public dimension. Inf Technol Manag 2013;14(2):69–89.
Jansson K, von Solms R. Phishing for phishing awareness. Behav Inf Technol 2013;32(6):584–93.
Johnston AC, Warkentin M. Fear appeals and information security behaviors: an empirical study. MIS Q 2010;34(3):549–66.
Krombholz K, Hobel H, Huber M, Weippl E. Advanced social engineering attacks. J Inf Secur Appl 2015;22:113–22.
Kumar N, Mohan K, Holowczak R. Locking the door but leaving the computer vulnerable: factors inhibiting home users' adoption of software firewalls. Decis Supp Syst 2008;46(1):254–64.
LaRose R, Rifon NJ, Enbody R. Promoting personal responsibility for internet safety. Commun ACM 2008;51(3):71–6.
Lemos R. Phishing attacks continue to sneak past defenses. eWeek 2016:1–1. Available online: http://www.eweek.com/security/phishing-attacks-continue-to-sneak-past-defenses.
Liang H, Xue Y. Understanding security behaviors in personal computer usage: a threat avoidance perspective. J Assoc Inf Syst 2010;11(7):394–413.
Maddux JE, Rogers RW. Protection motivation and self-efficacy: a revised theory of fear appeals and attitude change. J Exp Soc Psychol 1983;19(5):469–79.
Mickelberg K, Pollard N, Schive L. US cybercrime: rising risks, reduced readiness. 2014 US State of Cybercrime Survey; 2014. Available online: https://collabra.email/wp-content/uploads/2015/04/2014-us-state-of-cybercrime.pdf.
Milne S, Sheeran P, Orbell S. Prediction and intervention in health-related behavior: a meta-analytic review of protection motivation theory. J Appl Soc Psychol 2000;30(1):106–43.
Morgan S. Cyber crime costs projected to reach $2 trillion by 2019. Forbes; 2016. Retrieved September 22.
Puhakainen P, Siponen M. Improving employees' compliance through information systems security training: an action research study. MIS Q 2010;34(4):757–78.
Rogers RW. A protection motivation theory of fear appeals and attitude change. J Psychol 1975;91(1):93.
Seong-kee L, Tae-in K. Adaptive multi-layer security approach for cyber defense. J Internet Comput Serv 2015;16(5):1–9.
Siponen MT. A conceptual foundation for organizational information security awareness. Inf Manag Comput Secur 2000;8(1):31–41.
Sumner M. Information security threats: a comparative analysis of impact, probability, and preparedness. Inf Syst Manag 2009;26(1):2–12.
Tanner JF Jr, Hunt JB, Eppright DR. The protection motivation model: a normative model of fear appeals. J Mark 1991;55(3):36–45.
Thomson ME, von Solms R. Information security awareness: educating your users effectively. Inf Manag Comput Secur 1998;6(4):167–73.
Vance A, Siponen M, Pahnila S. Motivating IS security compliance: insights from habit and protection motivation theory. Inf Manag 2012;49(3–4):190–8.
Werts CE, Linn RL, Jöreskog KG. Intraclass reliability estimates: testing structural assumptions. Educ Psychol Meas 1974;34(1):25–33.
Wolf M, Haworth D, Pietron L. Measuring an information security awareness program. Rev Bus Inf Syst 2011;15(3):9–21.
Woon I, Tan G, Low R. A protection motivation theory approach to home wireless security. Proceedings of the ICIS; 2005.
Wu Y, Guynes CS, Windsor J. Security awareness programs. Rev Bus Inf Syst (Online) 2012;16(4):165.

Dr Ron Torten is Senior Vice President, World Wide Operations and IT at Inphi Corporation in California. He is also a visiting Professor of Business at Tiffin University. He has completed his DBA at Capella University and is currently completing his Doctor of Information Technology Data Assurance and Security at the same institution.

Dr Carmen Reaiche's main expertise is in Systems Thinking and Project Management. Prior to joining The University of Adelaide and since coming to Australia in 1993 she has held a number of senior management positions as well as academic appointments, where she has coordinated various undergraduate and postgraduate courses. In industry she designed and project managed the implementation of information systems and policy processes for businesses such as Mobil, IBM, Centrelink and Business SA.

Professor Stephen Boyle is the Dean: Academic at the University of South Australia Business School. His research spans many areas and includes Economics, Organisational Behaviour, Identity and Culture, Innovation and Strategy. He completed his Ph.D. in Economics at Macquarie University and has been at the University of South Australia since 2001. He is also a visiting Professor at the University of International Business and Economics in Beijing, China.