An Empirical Investigation Of The Influence Of Fear Appeals On Attitudes And Behavioral Intentions Associated With Recommended Individual Computer Security Actions

Through persuasive communication, IT executives strive to align the actions of end users with the desired security posture of management and of the firm. In many cases, the element of fear is incorporated within these communications. However, within the context of computer security and information assurance, it is not yet clear how these fear-inducing arguments, known as fear appeals, will ultimately impact the actions of end users. The purpose of this study is to examine the influence of fear appeals on the compliance of end users with recommendations to enact specific individual computer security actions toward the amelioration of threats. A two-phase examination was adopted that involved two distinct data collection and analysis procedures, and culminated in the development and testing of a conceptual model representing an infusion of theories based on prior research in Social Psychology and Information Systems (IS), namely the Extended Parallel Process Model (EPPM) and the Unified Theory of Acceptance and Use of Technology (UTAUT). Results of the study suggest that fear appeals do impact end users attitudes and behavioral intentions to comply with recommended individual acts of security, and that the impact is not uniform across all end users, but is determined in part by perceptions of self-efficacy, response efficacy, threat severity, threat susceptibility, and social influence. The findings suggest that self-efficacy and, to a lesser extent, response efficacy predict attitudes and behavioral intentions to engage individual computer security actions, and that these relationships are governed by perceptions of threat severity and threat susceptibility. The findings of this research will contribute to IS expectancy research, human-computer interaction, and organizational communication by revealing a new paradigm in which IT users form perceptions of the technology, not on the basis of performance gains, but on the basis of utility for threat amelioration

Deployment of Information Security Practices: The High Reliability Theory Perspective

Drawing on high reliability theory, this study investigates how a firm’s information security (InfoSec) practices as practical proficiencies form its organisational security culture. We tested the model using survey data from 602 professional managers in Australia and New Zealand who are aware of the InfoSec programmes within their respective organisations, the findings of which suggest a security culture is influenced by a firm’s practical proficiencies in the form of InfoSec practices namely prevention, detection and response practices. Our findings also emphasise the importance of organisational supportive proficiencies as organisational structure for improving the impact of InfoSec preventive practices on organisational security culture in a firm. The results of this study provide both academics and practitioners an understanding of the vital organisational dynamics necessary to establish a culture of security

The Online Consumer Trust Construct: A Web Merchant Practitioner Perspective

If companies are to enjoy long-term success in the Internet marketplace, they must effectively manage the complex, multidimensional process of building online consumer trust. eMerchants must understand the characteristics of web interfaces, policies, and procedures that promote trust and enact this knowledge in the form of specific trust-building mechanisms. Therefore, eMerchants must exercise a variety of trust-building techniques in the design of their online consumer interface as well as the principles upon which they operate. In doing so, eMerchants look to a variety of sources, outside the discussions available in academic literature, which influence and govern their perception of online consumer trust development. The purpose of this paper is to identify these sources and leverage the theoretical framework of previous academic literature by incorporating these practitioner sources into a framework from which future research efforts of online consumer trust can be based

Integrating Construal-level Theory in Designing Fear Appeals in IS Security Research

Organizations increasingly use fear appeals to motivate users to engage in behaviors that protect information security. Though academic interest in the topic has burgeoned, prior research has mainly focused on providing process evidence on how low- and high-threat security messages influence protective behaviors. According to protection motivation theory, however, the threat-appraisal phase, in which the receiver evaluates whether a fear appeal is threatening or not, follows exposure to the fear appeal. One can indeed design fear appeals to manipulate different dimensions, including the threat depicted and the coping response provided. These dimensions, in turn, influence protection motivation. The general focus on low- and high-threat messages runs the risks of 1) foregoing key theoretical insights that can stem from specific message manipulations and 2) inadvertently introducing message confounds. To address this issue, we introduce construal-level theory as the theoretical lens to design and identify potential confounds in fear-appeal manipulations. We further discuss how researchers can seamlessly integrate construal-level theory into information security studies based on protection motivation theory. Our work has important theoretical and methodological implications for IS security researchers

The Impact of National Culture on Workplace Privacy Expectations in the Context of Information Security Assurance

Organizational leaders seek to establish a safe information environment, including perimeter controls against external threats and also internal controls to monitor for intentional or accidental internal threats. Are individuals who are more oriented toward individualistic perceptions more likely to reject or resent the use of such controls designed to facilitate organizational security? A related question is whether national culture, specifically the cultural environment within East Asian countries such as China, may promote a predominance of individuals who are more oriented toward collectivist or allocentric perceptions such that they may be more willing to relinquish some degree of individual privacy in order to increase overall organizational security. A large sample of working professionals in the insurance and other industries will be surveyed in China and in the United States to address these research questions, and the results will be presented and discussed at the conference

Introduction to the Minitrack on Innovative Behavioral IS Security and Privacy Research

N/

A Broader View of Perceived Risk during Internet Transactions

Ubiquitous networking facilitates Internet access across multiple network environments, whose value is tied directly to user perceptions of its ability to securely execute transactions. Prior research has cited awareness, trust, and risk as critical determinants of adoption but has failed to examine these factors as they relate to infrastructure and its provider. Because information in transit is at risk from a network environment’s vulnerabilities, we focus on the implications of such risk on Internet activities. We examine the multiple parties that must be trusted to complete and facilitate an online transaction. We propose that the user must trust not only the information recipient to act benevolently but also the technologies and organizations that facilitate the online exchange

A Taxonomy of Phishing: Attack Types Spanning Economic, Temporal, Breadth, and Target Boundaries

Phishing remains a pernicious problem for organizations. Phishing attacks are increasing in sophistication, which hinders the ability of cybersecurity functions to effectively defend against them. These attacks are becoming increasingly complex, dynamic, and multifaceted to evade the organizational, individual, and technical countermeasures employed in a cybersecurity ecosystem. Information security (ISec) phishing research and practice have provided an understanding of generalized phishing attacks and their subsequent defense. Yet by applying generalized phishing rules to these studies, it may not be sufficient to understand and defend escalated forms of phishing. This study seeks to develop a taxonomy of phishing to provide a more nuanced understanding of this phenomena. This taxonomy may assist ISec research in providing theoretical guidance for the understanding and defense of the various forms of phishing

Neural Correlates of Protection Motivation for Secure IT Behaviors: An fMRI Examination

Information security management programs have long included “fear appeals”, managerial communiqués designed to promote secure behaviors among organizational insiders. However, recent research has found a conflict between the predictions of contemporary fear appeal theory for how we expect individuals to experience fear appeals and what actually occurs in IS security situations. Using the opportunity presented by neuroimaging tools to examine cognitive and affective reactions to fear appeals, we take a comparative look at the contentions of fear appeal theory and the realities of what insiders experience neurologically when exposed to ecologically relevant IS security fear appeals. Our fMRI results suggest that fear appeals elicit threat and threat response assessments, which partially supports fear appeal theory but does not support the presence of an actual fear response. Furthermore, appraisals of recommended threat responses had a stronger impact on intentions to enact security behaviors than appraisals of the threat itself, which suggests that a focus on threats might be misplaced. Instead, focusing on ways to make the responses to the threats more appealing to users might work better. These controversial findings suggest future research that should explore how fear appeals play out in IS security and in what ways

From liking to not liking: A proposed experiment design to explore consumer perceptions of health wearable notifications

Despite the increase in the adoption of health-wearables, most studies have focused on intentions to use the wearables, with less focus on perceptions related to their use, particularly how consumers perceive the interruptiveness of notifications the wearables provide to alert consumers or state that requires their attention. Based on the argument that wearable notifications influence consumer perceptions, we propose an experiment to develop and test a hybrid model anchored in mere exposure theory that suggests an inverted-U-shaped distribution for notification liking, where familiarity with the notifications through repeated exposure drives increased liking, while habituation, fatigue, and notification satiation drive a simultaneous decrease in liking. We propose to test this model using a vignette-based factorial survey approach. Highlighting changes in consumers’ perceptions related to the interruptiveness of wearable notifications, we expect to contribute to IS research by adapting mere exposure effect and the literature that are currently focused on adoption decisions