9 research outputs found

    Are we predisposed to behave securely? Influence of risk disposition on individual security behaviors

    Employees continue to be the weak link in organizational security management and efforts to improve the security of employee behaviors have not been as effective as hoped. Researchers contend that security-related decision making is primarily based on risk perception. There is also a belief that, if changed, this could improve security-related compliance. The extant research has primarily focused on applying theories that assume rational decision making, e.g. protection motivation and deterrence theories. This work presumes we can influence employees towards compliance with information security policies by means of fear appeals and threatened sanctions. However, it is now becoming clear that security-related decision making is complex and nuanced, not a simple carrot- and stick-related situation. Dispositional and situational factors interact and interplay to influence security decisions. In this paper, we present a model that positions psychological disposition of individuals in terms of risk tolerance vs. risk aversion and proposes research to explore how this factor influences security behaviors. We propose a model that acknowledges the impact of employees' individual dispositional risk propensity as well as their situational risk perceptions on security-related decisions. It is crucial to understand this decision-making phenomenon as a foundation for designing effective interventions to reduce such risk taking. We conclude by offering suggestions for further research.

    The Role of Individual Characteristics on Insider Abuse Intentions

    Insiders represent a major threat to the security of an organization’s information resources (Warkentin & Willison, 2009; Stanton et al., 2005). Previous research has explored the role of protection motivation or of deterrence in promoting compliant behavior, but these factors have not been studied together. Furthermore, other individual differences, such as the Big Five personality factors, may serve as critical influences on cybersecurity compliance. In this study we use a factorial survey approach to identify key components of secure insider behavior. We obtained 201 observations from a diverse sample of employees. The results of this effort will enable us to develop psychological profiles of individual employees so that we may create personalized cybersecurity training protocols that meet the unique needs of each employee profile, appealing to the proper set of motivations for each. Findings of the present study are presented, and the long-term project goal is discussed.

    Prospect Theory and Information Security Investment Decisions

    Most articles that discuss the economics of security focus on the use of rational choice decision models for evaluating investment alternatives. However, security investment decisions involve risk and several researchers have noted that risk-related decisions often violate the fundamental principles of rational choice decision models. Accordingly, we assert that problems exist with using these models to explain security investment decisions. Further, we believe that the development of prescriptive models to guide investment decisions requires a deeper understanding of the cognitive processes involved. To test these ideas, we introduce a study that uses prospect theory to analyze security practitioners’ investment decisions. The article includes a discussion of our methodology to electronically assess security practitioners’ preference patterns. Additionally, we discuss data collection efforts which are currently in process and future plans to analyze the collected data. Interim analytical results of data received prior to AMCIS 2012 will be presented to conference attendees.

    Does risk disposition play a role in influencing decisions to behave SECUREly?

    Employees continue to be the weakest link in an organizational security ecosystem, exposing organizational assets through carelessness, malicious threats, or apathy towards security policies. Security-related decision making is a complex process that is driven by an individual’s risk perception, self-efficacy, and their propensity to accept risks. Existing behavioral security research on user security behavior is rooted in models based on rational choice theory such as protection motivation theory and deterrence theory, both of which focus on using fear appeals and punishments to prompt desired security behavior. Recent research on human rationality suggests that security-related decision making is far more complex and nuanced, not a simple carrot-and-stick related process, and not necessarily grounded in rational reasoning. In reality, a combination of dispositional and situational factors is likely to interact to influence security decisions. In this paper we explore the role of one particular dispositional factor, individual risk acceptance vs. risk aversion. While not refuting the influence of other factors, we argue that this factor plays a key role in influencing security behaviors. We propose a model that depicts the impact of individual dispositional risk propensity and situational risk perception on employees' security-related decisions. We believe this model will lay a foundation for designing effective security compliance interventions.

    Optimizing Ongoing Telemedicine: An Internal Communicator’s Guide to Engaging Medical Providers

    The COVID-19 pandemic ushered in new opportunities for telemedicine as a viable option for medical care in the United States, but its optimal use by medical providers often remains unachieved. Because the benefits of virtual care best come to patients through providers, internal communications campaigns need to engage providers in optimal telemedicine use. This qualitative study undertook in-depth interviews with medical communicators and providers from several healthcare systems to understand their experience of telemedicine adoption during COVID-19 and afterward. These interviews’ findings suggest that providers during the pandemic most often valued ease of use and efficiency in adopting virtual care technology, and that communicators primarily used an educational frame to engage them in that adoption. These findings then informed the creation of a guide of internal communications objectives to help future campaigns engage medical providers in their respective telemedicine use. In conclusion, both the research findings and the guide that they informed are only exploratory, and in time will need further study to better understand the fast-developing needs of optimal telemedicine use. Master of Art

    Persuasion: an analysis and common frame of reference for IS research

    Information Systems (IS) researchers persistently examine how Information and Communications Technology (ICT) changes attitudes and behaviours but rarely leverage the persuasion literature when doing so. The hesitance of IS researchers to leverage persuasion literature may be due to this literature’s well-documented complexity. This study aims to reduce the difficulty of understanding and applying persuasion theory within IS research. The study achieves this aim by developing a common frame of reference to help IS researchers to conceptualise persuasion and to conceptually differentiate persuasion from related concepts. In doing this, the study also comprehensively summarises existing research and theory and provides a set of suggestions to guide future IS research into persuasion and behaviour change.

    Expanding Protection Motivation Theory: The Role of Individual Experience in Information Security Policy Compliance

    The purpose of the present study is to make contributions to the area of behavioral information security in the field of Information Systems and to assist in the improved development of Information Security Policy instructional programs to increase the policy compliance of individuals. The role of an individual’s experience in the context of information security behavior was explored through the lens of protection motivation theory. The practical foundation was provided by the framework of Security Education, Training, and Awareness (SETA) programs which are typically used by organizations within the United States to instruct employees regarding information security. A pilot study and primary study were conducted with separate data collections and analyses. Both existing and new measures were tested in the study which used a Modified Solomon Four Group Design to accommodate data collection via a web-based survey that included a two-treatment experimental component. The primary contribution to academia proposed in this study was to expand the protection motivation theory by including direct and vicarious experience regarding both threats and responses to the threats. Clear definitions and valid and reliable reflective measures for each of the four experience constructs were developed and are presented in this dissertation. Furthermore, the study demonstrated that all four forms of experience play an important part in the prediction of the primary constructs in the protection motivation model, and as such ultimately play an important part in the prediction of behavioral intent in the context of information security. The primary contribution to practice was expected to be specifically related to the application of fear appeals within a SETA instructional framework. The contribution to practice made by this dissertation became instead the implications resulting from the strong performance of the experience constructs. 
    Specifically, experience, both direct and vicarious, and with threats and with responses, are all important influences on individuals’ behavioral choices regarding information security and should continue to be explored in this context.