So Much Promise, So Little Use: What is Stopping Home End-Users from Using Password Manager Applications?

In this paper, we investigate the voluntary use of password management applications in order to address a decades-old and ubiquitous information security problem related to poor password management. In our exploratory analysis, we investigate two related issues: (1) why home end-users chose not to use password management applications and (2) why high behavioral intentions to use password management applications did not always lead to actual usage for certain users. We found that issues related to the technology such as lack of trust or memory limitations, individual issues such as perceived costs and benefits, and a lack of concern about the threat (threat apathy) were the primary inhibitors of lack of use. For those that had high intentions to use a password management application but failed to actually use the software, we found that a variety of individual issues such as lack of immediacy and having insufficient time were the primary inhibitors leading to this breakdown

Evaluating the Core and Full Protection Motivation Theory Nomologies for the Voluntary Adoption of Password Manager Applications

The protection motivation theory (PMT) is widely used in behavioral information security research, with multiple instantiations of the theoretical model applied in the literature. The purpose of this study is to perform a theoretical (conceptual) replication of both the core and full (PMT) nomologies in the context of voluntary password manager application use for individual home end-users. In our study, the full PMT model explained more variance than the core PMT model, but the relationships between multiple behavioral antecedents differed between the core and full PMT models, possibly due to differences in model complexity. Our findings suggest that researchers should justify the version of the PMT that they choose to use based on their research objectives with the understanding that the same variables may be significant in one version of the PMT but not significant in another version of the PMT

From the weakest link to the best defense : exploring the factors that affect employee intention to comply with information security policies

Ph.D. University of Hawaii at Manoa 2013.Includes bibliographical references.Information and information systems have become embedded in the fabric of contemporary organizations throughout the world. As the reliance on information technology has increased, so too have the threats and costs associated with protecting organizational information resources. To combat potential information security threats, organizations rely upon information security policies to guide employee actions. Unfortunately, employee violations of such policies are common and costly enough that users are often considered the weakest link in information security. The challenge for researchers and practitioners alike is to help transform employees from the weakest link to the best line of information security defense. Building upon recent empirical research in information security policy behavioral compliance, this study provides a composite theoretical framework that captures key factors shown to impact an employee's behavioral intent to comply with related policies. The theoretical framework is tested and validated in a real organizational context employing a robust and well-defined set of information security policies, a first in this burgeoning line of research. This study also evaluates how behavioral intent to follow security policies varies for employees for both the general specter of information security policy compliance and specific guidance for three common security threats. This study found that the primary factors affecting behavioral intent (subjective norms, organizational commitment, attitude, perceived behavioral control, and selfefficacy) had strong, positive relationships with intent to comply with information security policies when examined at a high level of general compliance. However, when the factors affecting behavioral intent and attitude towards a security behavior were evaluated for specific information security threat contexts, individual factor importance and significance varied greatly. These results indicate that threat context plays an essential role in clarifying the roles of specific behavioral antecedents; there may be limited value in future research focusing on general information security threats. This study failed to establish a significant relationship between behavioral compliance intent and an employee's perception of his or her ability to enforce the mandatory information security policy requirements on coworkers. However, the study did highlight a potential gap in the composite theoretical framework for this important phenomenon, which should be addressed in future research