
    Persuasive technology for improving information security awareness and behavior: literature review

    The use of Persuasive Technology in various fields is rapidly increasing. It can be applied in many fields such as computing, marketing, sales, environment, education, and health. Persuasive Technology has been found effective in bringing a required change in users' behaviors and attitudes. However, the use of persuasive technology is scarce in the field of Information Security awareness. This paper presents an extensive literature review which focuses on how to create awareness among users for good information security practices by applying Persuasive Technology techniques and approaches. The conceptual findings suggest there is a tremendous potential of Persuasive Technology to be applied to persuade users to change their behavior and perception toward Information Security practices

    Toward a New Meta-Theory for Designing Information Systems (IS) Security Training Approaches

    Employees’ non-compliance with IS security procedures is a key concern for organizations. To tackle this problem, there exist several training approaches aimed at changing employees’ behavior. However, the extant literature does not examine the elementary characteristics of IS security training, such as the ways in which IS security training differs from other forms of training. We argue that IS security training needs a theory that both lays down these elementary characteristics and explains how these characteristics shape IS security training principles in practice. We advance a theory that suggests that IS security training has certain elementary characteristics that separate it from other forms of training, and we set a fundamental direction for IS security training practices. Second, the theory defines four pedagogical requirements for designing and evaluating IS security training approaches. We point out that no existing IS security training approach meets all of these requirements and demonstrate how to design an IS security training approach that does meet these requirements. Implications for research and practice are discussed

    Short-term and Long-term Effects of Fear Appeals in Improving Compliance with Password Guidelines

    Passwords are the most widely used method of authentication on the Internet, but users find compliance with password guidelines difficult, and we know little about the long-term effects of attempts to improve compliance. In this paper, we extend the work of fear appeals use in the IS security domain to investigate their longer-term effects. We conducted a longitudinal experimental study to examine fear appeals’ long- and short-term effects. Using a model based on protection motivation theory (Rogers, 1983), we found that fear of threat, perceived password effectiveness, and password self-efficacy predicted compliance. We also found that neither perceived vulnerability to a security attack nor perceived severity of an attack influenced compliance. Providing persuasive communication improved compliance with password guidelines and resulted in significantly stronger passwords, but the effects on compliance intentions were only short term. This study extends our understanding of the factors that influence compliance with password guidelines and how we can modify them to improve compliance. We raise interesting questions about the role of fear in different IS security contexts. We also highlight the need for more research on the long-term impact of persuasive communication

    An Empirical Examination of the Computer Security Behaviors of Telecommuters Working with Confidential Data through Leveraging the Factors from Fear Appeals Model (FAM)

    Computer users’ security compliance behaviors can be better understood by devising an experimental study to examine how fear appeals might impact users’ security behavior. Telecommuter security behavior has become very relevant in information systems (IS) research with the growing number of individuals working from home. The increasing dependence on telecommuting to enhance the viability and convenience has created an urgency with the advent of the COVID-19 pandemic to examine the behavior of users working at home across a corporate network. The home networks are usually not as secure as those in corporate settings. There is seldom a firewall setting and lack of an up-to-date antivirus can make home computers more susceptible to attacks – especially when a user clicks on an attachment or malware. The goal of this study was to investigate how the home computer user’s behavior can be modified, especially among telecommuters who work with sensitive data. The data were collected using a web-based survey. A Likert scale was used on all survey items with a pre-analysis of the data preceding the data assessment. The Partial Least Square (PLS) was used to report the analysis of the data gathered from a total of 376 responses. The study outcomes demonstrated that response efficacy, self-efficacy, and social influence positively influenced protection motivation. The perceived threat severity positively affected both response efficacy and self-efficacy, while the perceived threat susceptibility did not affect both response efficacy and self-efficacy. The Fear Appeals Model (FAM) extension with computer security usage showed the positive significance of protection motivation on computer security usage. This study adds to the awareness and theoretical suggestions to the current literature. The results disclose the FAM capability to envisage user behavior established on threat and coping appraisals from home computer security usage.
    Furthermore, the study's FAM extension implies that telecommuters can take recommended responses to protect their computers from security threats. The outcome will help managers communicate effectively with their telecommuting employees to modify their security behavior and safeguard their data

    Selecting effective persuasive strategies in behavior change support systems: Third International Workshop on Behavior Change Support Systems (BCSS 2015)

    The Third International Workshop on Behavior Change Support Systems provides a place to discuss recent advances in BCSS research. The selected papers show that research into behavior change support systems is expanding: not only by trying to reach more and other people, but also by expanding the contexts where BCSSs are employed. A key point for all BCSSs, for each target group and for each context, is to select the right persuasive strategies. From the proceedings we can learn that there are several ways to select and evaluate these features, but this remains an issue that deserves continuous research attention

    “This is the way ‘I’ create my passwords ...”: does the endowment effect deter people from changing the way they create their passwords?

    The endowment effect is the term used to describe a phenomenon that manifests as a reluctance to relinquish owned artifacts, even when a viable or better substitute is offered. It has been confirmed by multiple studies when it comes to ownership of physical artifacts. If computer users also "own", and are attached to, their personal security routines, such feelings could conceivably activate the same endowment effect. This would, in turn, lead to their over-estimating the "value" of their existing routines, in terms of the protection they afford, and the risks they mitigate. They might well, as a consequence, not countenance any efforts to persuade them to adopt a more secure routine, because their comparison of pre-existing and proposed new routine is skewed by the activation of the endowment effect. In this paper, we report on an investigation into the possibility that the endowment effect activates when people adopt personal password creation routines. We did indeed find evidence that the endowment effect is likely to be triggered in this context. This constitutes one explanation for the failure of many security awareness drives to improve password strength. We conclude by suggesting directions for future research to confirm our findings, and to investigate the activation of the effect for other security routines

    Modeling inertia causatives: validating in the password manager adoption context

    Cyber criminals are benefiting from the fact that people do not take the required precautions to protect their devices and communications. It is the equivalent of leaving their home’s front door unlocked and unguarded, something no one would do. Many efforts are made by governments and other bodies to raise awareness, but this often seems to fall on deaf ears. People seem to resist changing their existing cyber security practices: they demonstrate inertia. Here, we propose a model and instrument for investigating the factors that contribute towards this phenomenon

    To Fear or Not to Fear? A Critical Review and Analysis of Fear Appeals in the Information Security Context

    Controlling organizational insiders’ security behaviors is an important management concern. Research presents fear appeals as a viable security control to promote protective security behaviors. To date, research has proven security-related fear appeals to effectively control insiders’ security behaviors. However, from critically examining fear appeals, we find a different story. Specifically, we critically analyze security-related fear appeal research from two ontological positions: critical realism and critical constructivism. The critical realist analysis identifies several issues with existing fear appeal research, which particular research traditions may cause. We explicate these traditions and issues in the paper. The critical constructivist analysis draws on critical management studies of control and Foucault’s work to identify the identities, beliefs, and values that fear appeals promote and the ways in which fear appeals create discursive closures that limit the consideration and discussion of other positions. Based on the two analyses, we provide important directions for future fear appeal research

    A protection motivation theory approach to improving compliance with password guidelines

    Usernames and passwords form the most widely used method of user authentication on the Internet. Yet, users still find compliance with password guidelines difficult. The primary objective of this research was to investigate how compliance with password guidelines and password quality can be improved. This study investigated how user perceptions of passwords and security threats affect compliance with password guidelines and explored if altering these perceptions would improve compliance. This research also examined if compliance with password guidelines can be sustained over time. This study focuses on personal security, particularly factors that influence compliance when using personal online accounts. The proposed research model is based on the Protection Motivation Theory (PMT) (Rogers, 1975, 1983), a model widely used in information systems security research. As studies have failed to consistently confirm the association between perceived vulnerability and information security practices, the model was extended to include exposure to hacking as a predictor of perceived vulnerability. Experimental research was used to test the model from two groups of Internet users, one of which received PMT based fear appeals in the form of a password security information and training exercise. To examine if password strength was improved by the fear appeals, passwords were collected. A password strength analysis tool was developed using Shannon’s (2001) formula for calculating entropy and coded in Visual Basic. Structural equation modeling was used to test the model. The proposed model explains compliance intentions moderately well, with 54% of the variance explained by the treatment model and 43% explained by the control group model. Overall, the results indicate that efficacy perceptions are a stronger predictor of compliance intentions than threat perceptions. 
This study identifies three variables that predict user intentions to comply with password guidelines as particularly important. These are perceived threat, perceived password effectiveness and password self-efficacy. The results show no association between perceived vulnerability to a security attack and a user’s decision to comply. The results also showed that those who are provided with password information and training are significantly more likely to comply, and create significantly stronger passwords. However, the fear appeals used in this study had no long-term effects on compliance intentions. The results on the long-term effects of password training on the participants’ ability to remember passwords were however promising. The group that received password training with a mnemonic training component was twice as likely to remember their passwords over time. The results of this research have practical implications for organizations. They highlight the need to raise the levels of concern for information systems security threats through training in order to improve compliance with security guidelines. Communicating to users what security responses are available is important; however, whether they implement them is dependent on how effective they feel the security responses are in preventing an attack. Regarding passwords, the single most important consideration by a user is whether they have the ability to create strong, memorable passwords. At the very least, users should be trained on how to create strong passwords, with emphasis on memorization strategies. This research found mnemonic password training to have some long-term effects on users’ ability to remember passwords, which is arguably one of the most vexing challenges associated with passwords. Future research should explore the extent to which the effects of PMT based information systems security communication can be maintained over time