Abstract
Research has investigated the role of numerous influences on individual information security behaviors, including protection motivation, deterrence, and various dispositional and environmental factors. Various theories have been applied to study these influences on security behaviors. One major research stream has looked at threat and coping appraisals by IT users. However, users' beliefs, attitudes, appraisals, and intentions are not static, and there has been little attention to how these factors interact over time. When users (directly or vicariously) experience a security threat, they tend to engage in improved security hygiene, but often only for a limited time. A major theory that can provide comprehensive and unified insights into the phenomenon of continuous secure behavior is the Theory of Process Memory, which explains the role of prior experience effects and the underlying mechanisms of continuous behavior, including the feedback mechanism, the sequential updating mechanism, behavioral automaticity (habit), and reason-based action. The application of this theory to behavioral information security research can foster a deep understanding of how each cognitive mechanism can influence IT users' continuous secure behavior, and through which type of human memory each mechanism can act. This rich theory, which is well-established in cognitive psychology, can help behavioral information security scholars to rigorously investigate the very important, yet understudied, phenomenon of continuance secure behavior.