
The quest for complete security: An empirical analysis of users’ multi-layered protection from security threats

Information Systems Frontiers

Abstract

Individuals can perform many different behaviors to protect themselves from computer security threats. Research, however, generally explores computer security behaviors in isolation, typically looking at one behavior per study, such as usage of anti-malware software or strong passwords. However, defense in depth requires that multiple behaviors be performed concurrently for one’s computer to be protected. Addressing this gap in prior research, this study measures 279 individuals’ computer security behaviors and analyzes them with multi-dimensional scaling. We examined three security threats: security-related performance degradation, identity theft, and data loss. The results present a mapping of security behaviors performed together with other behaviors on two dimensions for each of these threats. Using expert reviews of the resulting dimensions, the study proposes that response efficacy and response cost help explain why people perform certain behaviors together. These findings can help explain inconsistent results in prior information security research, because prior studies focused on one behavior only, whereas people perform various security behaviors together in an effort to mitigate specific security threats. The study informs research and practice by identifying security threat-response pairs via expert interviews, surveying individuals on how they perform multiple security behaviors concurrently to mitigate security threats, identifying why certain behaviors are performed together, and using these findings to identify reasons why IS security research has confounding results based on the specific individual threat-response pairs used in prior studies.


Notes

  1. These titles are representative of the respondents’ titles since some of our experts did not want their detailed titles used to ensure their confidentiality.


Author information


Corresponding author

Correspondence to Robert E. Crossler.


About this article


Cite this article

Crossler, R.E., Bélanger, F. & Ormond, D. The quest for complete security: An empirical analysis of users’ multi-layered protection from security threats. Inf Syst Front 21, 343–357 (2019). https://doi.org/10.1007/s10796-017-9755-1


  • DOI: https://doi.org/10.1007/s10796-017-9755-1
