Espoused cultural values as antecedents of individuals’ threat and coping appraisal toward protective information technologies: Study of U.S. and Ghana
Introduction
Large-scale attacks gaining unauthorized access to sensitive data, such as Oracle’s payment systems [1], state election databases [2], and Verizon’s customer information [3] have placed a spotlight on the seriousness of information security. One avenue for these attacks is through malicious software that infects users’ machines, providing an opportunity for hackers to conduct attacks on other targets or steal information from the target’s computer. Third party security breaches, commonly through malware and ransomware [4], are the top perceived security threat [4,5]. Recently, several technology service providers and newspapers have reported new forms of malware attacks. One such attack, the HummingBad malware, is designed to gain system-wide authorization access from the targeted device and generate false ad clicks, which create income for the attacker. The HummingBad malware has attacked as many as 10 million Android phones as of July 2016 [6]. Although these attacks originating from China have mostly targeted devices in Southeast Asia (including China, India, Philippines, and Indonesia), they have gradually propagated to the United States (U.S.), Europe, and Australia [7].
One countermeasure against third party security breaches is using antimalware software. Hence, antimalware software or “protective information technologies” is becoming imperative in the global networked society [8,9]. In the global networked community, security attacks against one computer can replicate across geographical boundaries. Because user behaviors (i.e., properly using antimalware software) influence security attacks, it is important to identify factors that influence these individual security behaviors.
Existing research explores security behaviors of individuals in developed countries, such as the U.S. [[9], [10], [11], [12], [13], [14], [15]], with some research being done in Asian [13,[16], [17], [18]] and European countries [19]. Like all other research domains in information systems (ISs), little has been done in information security in African communities, a developing region (e.g. [8,20,21],). The understanding of security behaviors in Africa is important for several reasons. First, Africa has experienced more growth in mobile and Internet access than any other region over the last decade [22] with a substantial rise in cybercrime in sub-Saharan Africa because of this increase in mobile Internet access [23]. Second, research suggests that behavioral models differ across cultures [24,25]. Finally, researchers contend that the Western-oriented theoretical models may not be applicable to other cultures and that those models should be extended by including contextual variables such as culture [[26], [27], [28]]. The research question that this paper seeks to address is as follows: How do espoused cultural values influence individual threat and coping appraisals toward the use of protective information technologies?
Hofstede’s [29] cultural model has been found to influence behaviors [16,30]. The U.S. differs from countries in Africa in general and in sub-Saharan Africa in particular on all of the scales in Hofstede’s [29] cultural model [26]. We recognize that national culture is a macro-level phenomenon, while the security behavior of interest in this research is an individual-level issue [24,25]. Scholars have argued that examining individual behaviors at a national or group level is an ecological fallacy [31]. Therefore, we study cultural values at the individual level of analysis (e.g. [16,24,32],) to enhance our understanding in behavioral information security research.
Through protection motivation theory (PMT), prior research suggests that protective behaviors influence an individual’s ability to appraise threats and perform coping mechanisms. Although mounting evidence suggests that both threat and coping appraisals influence individuals’ security behavioral intentions, more integrative research is needed [8,9]. Some PMT-related studies have modeled culture as a moderating variable (e.g. [9,16],). However, some scholars suggest that culture can serve as an antecedent to coping and threat appraisals (e.g. [33,34],). The purpose of this paper is to broaden our understanding of the individual’s security behavioral intention by examining the influences by which cultural variables impact intention through threat and coping appraisal mechanisms.
Our research contributes to theory and practice. First, we extend the PMT model in understanding security behavior in a cross-cultural environment through the application of espoused cultural values. It is the first paper that has empirically validated espoused culture values as antecedents to threat appraisal and coping appraisal although scholars had earlier proposed that such relationships may exist. This form of theory contextualization “allows the effects of contextual variables to be explained by the underlying theoretical frameworks of general models” ([35], p. 116). We have also examined the mediating effects of the core PMT constructs on the relationship between cultural variables and the intention to use protective information technologies [35]. Second, the study contributes to understanding the information security behaviors of individuals in the rarely investigated continent of Africa [21]. Third, given that Ghana’s economy and democracy has been touted as an icon for other African nations, our research provides a roadmap from which further studies can be made to enhance the generalizability of the PMT model in Africa in general and sub-Saharan African nations in particular [35,36]. This is important because information and communication technology (ICT) has been recognized as a driver of growth for transforming the social, economic, political, and cultural conditions of developing nations [[37], [38], [39]]. Finally, in the current highly networked society, studies on individual computer security behavior have implications to individuals, organizations, nations, and the world [20].
In the next section, we present a review of relevant studies on the topic. We then discuss our research framework and hypotheses. Following, we describe the research methodology, including data collection from the different contexts. We then present our results, followed by discussion. Finally, we conclude the paper highlighting the theoretical and practical implications, limitations, and potential future research areas.
Section snippets
Theoretical background
Information security (InfoSec) research regularly focuses on both technical issues [40], and more recently on the individual user [13], with papers focusing on understanding individual behaviors drawing on theories such as organizational control [11], the theory of planned behavior [41], general deterrence theory [14,42], self-determination theory [43], and PMT [9,10,12,14,15,19,44,45]. The majority of these papers have drawn on PMT as a foundational theoretical underpinning to explain
Methods
To answer our research question, we first identified individuals to study from different cultures. For this study, we selected the U.S. and Ghana because of their generalized differences on cultural values along with Ghana’s unique status in the sub-Saharan African region resulting from its recent economic, democratic, and information technology advancement [99], and its ranking as a potential IT outsourcing destination [100].
Results
Psychometric properties of the scales and research model were analyzed using SmartPLS [109]. In this section, we describe the results of the psychometric assessment (reliability and validity) and tests on the research model.
Discussion
The first step in answering our research question was to examine whether cultural values influence security behavior. Using combined samples from the U.S. and Ghana, the results demonstrate significance for 12 of the 15 hypotheses, which incorporate culture into a PMT-based security behavior model. The research model utilized in this study empirically tested the role of individual cultural values in determining whether people utilized antispyware software. The purpose of the study was to test
Conclusion
This study was conceived with the intention to examine how cultural values affect security behaviors, specifically targeting an area of the world that has not been studied extensively. This study is one of the first to explore InfoSec in a sub-Saharan African context where significant relationships were demonstrated between known cultural dimensions and the threat and coping appraisals that inform an individual’s security behavior. It is also the first paper that has empirically validated
Robert E. Crossler is an Assistant Professor of Information Systems in the Carson College of Business at Washington State University. He received his Ph.D. from the Department of Accounting and Information Systems at Virginia Tech. His research focuses on the factors that affect the security and privacy decisions individuals make. He has published in leading MIS journals, including MIS Quarterly, Journal of Management Information Systems, Journal of the Association for Information Systems,
References (118)
- et al.
Future directions for behavioral information security research
Comput. Secur.
(2013) - et al.
Approaches to project management in Africa: implications for international development projects
Int. J. Proj. Manag.
(2003) - et al.
Indicators of development: the search for a basic needs yardstick
World Dev.
(1979) - et al.
Exploring the impact of individualism and uncertainty avoidance in web-based electronic learning: an empirical analysis in european higher education
Comput. Educ.
(2009) - et al.
Customer rage back-story: linking needs-based cognitive appraisal to service failure type
J. Retail.
(2013) - et al.
Crossing east-west boundaries: knowledge sharing in intercultural business networks
Ind. Mark. Manag.
(2004) - et al.
Knowledge sharing behavior in virtual communities: the relationship between trust, self-efficacy, and outcome expectations
Int. J. Hum. Stud.
(2007) Cultural differences in career decision-making styles and self-efficacy
J. Vocat. Behav.
(2000)- et al.
Service failure recovery: the moderating impact of individual-level cultural value orientation on perceptions of justice
Int. J. Res. Mark.
(2006) - et al.
A cross-cultural investigation of consumer E-shopping adoption
J. Econ. Psychol.
(2004)
The effect of uncertainty avoidance on information search, planning, and purchases of international travel vacations
Tour. Manag.
Empowering leadership, uncertainty avoidance, trust, and employee creativity: interaction effects and a mediating mechanism
Organ. Behav. Hum. Decis. Process.
The impact of collectivism and psychological ownership on protection motivation: A cross-cultural examination
Comput. Secur.
Manufacturing strategy, competitive strategy and firm performance: an empirical study in a developing economy environment
Int. J. Prod. Econ.
Hackers Infiltrate Oracle Payment System
Two State Election Databases Hacked, FBI Warns
Verizon’s Data Breach Fighter Gets Hit with, Well, a Data Breach
Ransomware: Lucrative, Fast Growing, Hard to Stop
Blurring the Lines 2013 Tmt Global Security Study
Top Story: Millions of Smartphones Infected With Hummingbad Malware
Malware Hits Millions of Android Phones
User behaviour towards protective information technologies: the role of national cultural differences
Inf. Syst. J.
Threat or coping appraisal: determinants of Smb executive’s decision to adopt anti-malware software
Eur. J. Inf. Syst.
Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions
MIS Q.
If someone is watching, I’ll do what I’m asked: mandatoriness, control, and information security
Eur. J. Inf. Syst.
What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors
MIS Q.
Protection motivation and deterrence: a framework for security policy compliance in organisations
Eur. J. Inf. Syst.
Fear appeals and information security behaviors: an empirical study
MIS Q.
Individuals’ internet security perceptions and behaviors: polycontextual contrasts between the United States and China
MIS Q.
Privacy concerns versus desire for interpersonal awareness in driving the use of self-disclosure technologies: the case of instant messaging in two cultures
J. Manag. Inf. Syst.
Proposing the culture-influenced online community self-disclosure model: the case of working professionals in France and the uk who use online communities
Eur. J. Inf. Syst.
An enhanced fear appeal rhetorical framework: leveraging threats to the human asset through sanctioning rhetoric
MIS Q.
Information systems in developing countries: a critical research review
J. Inf. Technol.
The neglected continent of IS research: a research agenda for Sub-Saharan Africa
J. Assoc. Inf. Syst.
Internet Access Is No Longer a Luxury
Communication, technology, and cyber crime in Sub-Saharan Africa
New Threats and Countermeasures in Digital Crime and Cyber Terrorism
The role of espoused national cultural values in technology acceptance
MIS Q.
Toward a theory-based measurement of culture
J. Glob. Inf. Manag.
Information technology success factors and models in developing and emerging economies
Inf. Technol. Dev.
The Impact of Individualism—Collectivism, Social Presence, and Group Diversity on Group Decision Making under Majority Influence
J. Manag. Inf. Syst.
Culture’s Consequences: International Differences in Work Related Values
What drives electronic commerce across cultures? A cross-cultural empirical investigation of the theory of planned behavior
J. Electr. Comm. Res.
Ecological correlations in the behavior of individuals
Am. Sociol. Rev.
Cultural values and authority relations: the psychology of conflict resolution across cultures
Psychol. Public Policy Law
Optimism and realism: a review of self-efficacy from a cross‐cultural perspective
Int. J. Psychol.
Stress, Appraisal, and Coping
A framework and guidelines for context-specific theorizing in information systems research
Inf. Syst. Res.
Social movement learning in Ghana communal defence of resources in neoliberal times
Efficiency Convergence in Transition Economies: 1991-2002 a Non Parametric Frontier Approach
Is there a relationship between Ict, health, education and development? An empirical analysis of five west african countries from 1997–2003
Electron. J. Inf. Syst. Dev. Ctries.
Cited by (28)
Fear appeals and coping appeals for health product promotion: Impulsive purchasing or psychological distancing?
2023, Journal of Retailing and Consumer ServicesSeeking rhetorical validity in fear appeal research: An application of rhetorical theory
2023, Computers and SecurityCitation Excerpt :According to rhetorical theory, fear appeals must account for the factors within the audience to ensure their rhetorical validity. In seeking to understand the rhetorical situation (threat environment) of interest, we conducted interviews because they, similar to other qualitative approaches, are “particularly useful since they typically focus on understanding and describing a phenomenon” (Crossler et al., 2018, p. 575) While the interview method did not limit our study, we acknowledge that it is possible to use other methods of inquiry, such as collecting data from surveys or from expert communities, to gain much-needed insights into the rhetorical situation of interest. This study highlights the importance of rhetorically valid fear appeals when studying motives for protecting sensitive assets.
Securing online accounts and assets: An examination of personal investments and protection motivation
2023, International Journal of Information ManagementCitation Excerpt :We found that perceived threat severity, self-efficacy, response efficacy, and response cost are necessary to motivate protection motivation, and in turn, MFA use. While we found that vulnerability was not significant in its influence on protection motivation, this result seems comparable with others in the security domain (Crossler et al., 2019; Vance et al., 2012). The result suggests that individuals do not believe that they are vulnerable to account hacking threats.
The valued coexistence of protection motivation and stewardship in information security behaviors
2023, Computers and SecurityOrganizational and team culture as antecedents of protection motivation among IT employees
2022, Computers and SecurityCitation Excerpt :Analyzing primarily two cross-cultural variables - collectivism and psychological ownership of information –the study found that individual's personal orientation toward collectivism has an impact on psychological ownership and the intention not to perform secure behaviors. National culture such as espoused individualism-collectivism and uncertainty avoidance has also been studied as antecedents to an individual's threat and coping appraisal toward protecting information (Crossler et al., 2019). Based on the data collected from two separate countries, the study concluded that individualism-collectivism and uncertainty avoidance significantly affect threat and coping appraisals, with uncertainty avoidance demonstrating a slightly stronger effect.
Beyond adaptive security coping behaviors: Theory and empirical evidence
2022, Information and Management
Robert E. Crossler is an Assistant Professor of Information Systems in the Carson College of Business at Washington State University. He received his Ph.D. from the Department of Accounting and Information Systems at Virginia Tech. His research focuses on the factors that affect the security and privacy decisions individuals make. He has published in leading MIS journals, including MIS Quarterly, Journal of Management Information Systems, Journal of the Association for Information Systems, European Journal of Information Systems, Information Systems Journal, Journal of Strategic Information Systems, and Decision Support Systems. He received the 2013 INFORMS Information Systems Society (ISS) Design Science Award for his information privacy work, his paper in The DATA BASE for Advances in Information Systems was recognized as the journal’s best paper in 2014, and he received the Journal of Information Systems inaugural Best Paper Award in 2017. He also serves as the President-Elect for the Association for Information Systems’ Special Interest Group on Security and Privacy (SIG SEC).
Francis Kofi Andoh-Baidoo is Associate Professor, Department of Information Systems, Robert C. Vackar College of Business and Entrepreneurship, University of Texas Rio Grande Valley. He has a PhD in Information Systems from the Virginia Commonwealth University in Richmond. His research interests are in data mining, decision support systems, knowledge management, and information security. His research has appeared in journals such as Communications of the Association for Information Systems, Information Systems Frontiers and The DATA BASE for Advances in Information Systems. He serves on editorial board of the Journal of Information Technology Theory and Application and Information Technology for Development.
Philip Menard is an assistant professor of information systems at the University of South Alabama. He received his Ph.D. from the Department of Management and Information Systems at Mississippi State University and is also a past recipient of the CyberCorps Scholarship for Service. He is interested in the impacts of security measures on organizational end users, security education training and awareness (SETA) programs, and the impact of espoused cultural values on individuals’ secure behaviors. He has published in Journal of Management Information Systems, Journal of the Association for Information Systems, Journal of Computer Information Systems, and Computers & Security. He has also presented his work at several conferences.