Espoused cultural values as antecedents of individuals’ threat and coping appraisal toward protective information technologies: Study of U.S. and Ghana

https://doi.org/10.1016/j.im.2018.11.009

Abstract

Evidence of cyber activities in developing nations has renewed discourse on users’ intention to protect information in the global economy. We present a context theorization in which espoused individualism–collectivism and uncertainty avoidance are posited as antecedents to an individual’s threat and coping appraisal toward protecting information. We tested our model with data from the United States and Ghana, countries that generally differ on cultural values. Individualism–collectivism and uncertainty avoidance significantly affect threat and coping appraisals, with uncertainty avoidance demonstrating a slightly stronger effect. Path estimate comparisons between Ghana and the United States show significant differences for all of the structural paths.

Introduction

Large-scale attacks gaining unauthorized access to sensitive data, such as Oracle’s payment systems [1], state election databases [2], and Verizon’s customer information [3] have placed a spotlight on the seriousness of information security. One avenue for these attacks is through malicious software that infects users’ machines, providing an opportunity for hackers to conduct attacks on other targets or steal information from the target’s computer. Third party security breaches, commonly through malware and ransomware [4], are the top perceived security threat [4,5]. Recently, several technology service providers and newspapers have reported new forms of malware attacks. One such attack, the HummingBad malware, is designed to gain system-wide authorization access from the targeted device and generate false ad clicks, which create income for the attacker. The HummingBad malware has attacked as many as 10 million Android phones as of July 2016 [6]. Although these attacks originating from China have mostly targeted devices in Southeast Asia (including China, India, Philippines, and Indonesia), they have gradually propagated to the United States (U.S.), Europe, and Australia [7].

One countermeasure against third party security breaches is using antimalware software. Hence, antimalware software or “protective information technologies” is becoming imperative in the global networked society [8,9]. In the global networked community, security attacks against one computer can replicate across geographical boundaries. Because user behaviors (i.e., properly using antimalware software) influence security attacks, it is important to identify factors that influence these individual security behaviors.

Existing research explores security behaviors of individuals in developed countries, such as the U.S. [9,10,11,12,13,14,15], with some research being done in Asian [13,16,17,18] and European countries [19]. As in all other research domains in information systems (ISs), little has been done in information security in African communities, a developing region (e.g., [8,20,21]). The understanding of security behaviors in Africa is important for several reasons. First, Africa has experienced more growth in mobile and Internet access than any other region over the last decade [22], with a substantial rise in cybercrime in sub-Saharan Africa because of this increase in mobile Internet access [23]. Second, research suggests that behavioral models differ across cultures [24,25]. Finally, researchers contend that the Western-oriented theoretical models may not be applicable to other cultures and that those models should be extended by including contextual variables such as culture [26,27,28]. The research question that this paper seeks to address is as follows: How do espoused cultural values influence individual threat and coping appraisals toward the use of protective information technologies?

Hofstede’s [29] cultural model has been found to influence behaviors [16,30]. The U.S. differs from countries in Africa in general and in sub-Saharan Africa in particular on all of the scales in Hofstede’s [29] cultural model [26]. We recognize that national culture is a macro-level phenomenon, while the security behavior of interest in this research is an individual-level issue [24,25]. Scholars have argued that examining individual behaviors at a national or group level is an ecological fallacy [31]. Therefore, we study cultural values at the individual level of analysis (e.g., [16,24,32]) to enhance our understanding in behavioral information security research.

Through protection motivation theory (PMT), prior research suggests that protective behaviors influence an individual’s ability to appraise threats and perform coping mechanisms. Although mounting evidence suggests that both threat and coping appraisals influence individuals’ security behavioral intentions, more integrative research is needed [8,9]. Some PMT-related studies have modeled culture as a moderating variable (e.g., [9,16]). However, some scholars suggest that culture can serve as an antecedent to coping and threat appraisals (e.g., [33,34]). The purpose of this paper is to broaden our understanding of the individual’s security behavioral intention by examining the influences by which cultural variables impact intention through threat and coping appraisal mechanisms.

Our research contributes to theory and practice. First, we extend the PMT model in understanding security behavior in a cross-cultural environment through the application of espoused cultural values. It is the first paper that has empirically validated espoused cultural values as antecedents to threat appraisal and coping appraisal, although scholars had earlier proposed that such relationships may exist. This form of theory contextualization “allows the effects of contextual variables to be explained by the underlying theoretical frameworks of general models” ([35], p. 116). We have also examined the mediating effects of the core PMT constructs on the relationship between cultural variables and the intention to use protective information technologies [35]. Second, the study contributes to understanding the information security behaviors of individuals in the rarely investigated continent of Africa [21]. Third, given that Ghana’s economy and democracy have been touted as an icon for other African nations, our research provides a roadmap from which further studies can be made to enhance the generalizability of the PMT model in Africa in general and sub-Saharan African nations in particular [35,36]. This is important because information and communication technology (ICT) has been recognized as a driver of growth for transforming the social, economic, political, and cultural conditions of developing nations [37,38,39]. Finally, in the current highly networked society, studies on individual computer security behavior have implications for individuals, organizations, nations, and the world [20].

In the next section, we present a review of relevant studies on the topic. We then discuss our research framework and hypotheses. Next, we describe the research methodology, including data collection from the different contexts. We then present our results, followed by discussion. Finally, we conclude the paper by highlighting the theoretical and practical implications, limitations, and potential future research areas.

Section snippets

Theoretical background

Information security (InfoSec) research regularly focuses on both technical issues [40], and more recently on the individual user [13], with papers focusing on understanding individual behaviors drawing on theories such as organizational control [11], the theory of planned behavior [41], general deterrence theory [14,42], self-determination theory [43], and PMT [9,10,12,14,15,19,44,45]. The majority of these papers have drawn on PMT as a foundational theoretical underpinning to explain

Methods

To answer our research question, we first identified individuals to study from different cultures. For this study, we selected the U.S. and Ghana because of their generalized differences on cultural values along with Ghana’s unique status in the sub-Saharan African region resulting from its recent economic, democratic, and information technology advancement [99], and its ranking as a potential IT outsourcing destination [100].

Results

Psychometric properties of the scales and research model were analyzed using SmartPLS [109]. In this section, we describe the results of the psychometric assessment (reliability and validity) and tests on the research model.

Discussion

The first step in answering our research question was to examine whether cultural values influence security behavior. Using combined samples from the U.S. and Ghana, the results demonstrate significance for 12 of the 15 hypotheses, which incorporate culture into a PMT-based security behavior model. The research model utilized in this study empirically tested the role of individual cultural values in determining whether people utilized antispyware software. The purpose of the study was to test

Conclusion

This study was conceived with the intention to examine how cultural values affect security behaviors, specifically targeting an area of the world that has not been studied extensively. This study is one of the first to explore InfoSec in a sub-Saharan African context where significant relationships were demonstrated between known cultural dimensions and the threat and coping appraisals that inform an individual’s security behavior. It is also the first paper that has empirically validated


References (118)

  • R.B. Money et al. The effect of uncertainty avoidance on information search, planning, and purchases of international travel vacations. Tour. Manag. (2003)
  • X. Zhang et al. Empowering leadership, uncertainty avoidance, trust, and employee creativity: interaction effects and a mediating mechanism. Organ. Behav. Hum. Decis. Process. (2014)
  • P. Menard et al. The impact of collectivism and psychological ownership on protection motivation: A cross-cultural examination. Comput. Secur. (2018)
  • K. Amoako-Gyampah et al. Manufacturing strategy, competitive strategy and firm performance: an empirical study in a developing economy environment. Int. J. Prod. Econ. (2008)
  • A. Balakrishnan. Hackers Infiltrate Oracle Payment System (2016)
  • A. Dujmovic. Two State Election Databases Hacked, FBI Warns (2016)
  • R. Hackett. Verizon’s Data Breach Fighter Gets Hit with, Well, a Data Breach (2016)
  • H. Taylor. Ransomware: Lucrative, Fast Growing, Hard to Stop (2016)
  • Deloitte. Blurring the Lines 2013 TMT Global Security Study (2013)
  • F. Navarro. Top Story: Millions of Smartphones Infected With HummingBad Malware (2016)
  • BBC. Malware Hits Millions of Android Phones (2016)
  • T. Dinev et al. User behaviour towards protective information technologies: the role of national cultural differences. Inf. Syst. J. (2009)
  • Y. Lee et al. Threat or coping appraisal: determinants of SMB executive’s decision to adopt anti-malware software. Eur. J. Inf. Syst. (2009)
  • C.L. Anderson et al. Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions. MIS Q. (2010)
  • S. Boss et al. If someone is watching, I’ll do what I’m asked: mandatoriness, control, and information security. Eur. J. Inf. Syst. (2009)
  • S.R. Boss et al. What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Q. (2015)
  • T. Herath et al. Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur. J. Inf. Syst. (2009)
  • A.C. Johnston et al. Fear appeals and information security behaviors: an empirical study. MIS Q. (2010)
  • Y. Chen et al. Individuals’ internet security perceptions and behaviors: polycontextual contrasts between the United States and China. MIS Q. (2016)
  • P.B. Lowry et al. Privacy concerns versus desire for interpersonal awareness in driving the use of self-disclosure technologies: the case of instant messaging in two cultures. J. Manag. Inf. Syst. (2011)
  • C. Posey et al. Proposing the culture-influenced online community self-disclosure model: the case of working professionals in France and the UK who use online communities. Eur. J. Inf. Syst. (2010)
  • A.C. Johnston et al. An enhanced fear appeal rhetorical framework: leveraging threats to the human asset through sanctioning rhetoric. MIS Q. (2015)
  • C. Avgerou. Information systems in developing countries: a critical research review. J. Inf. Technol. (2008)
  • V.W.A. Mbarika et al. The neglected continent of IS research: a research agenda for Sub-Saharan Africa. J. Assoc. Inf. Syst. (2005)
  • J. Macharia. Internet Access Is No Longer a Luxury (2014)
  • D. Bessette et al. Communication, technology, and cyber crime in Sub-Saharan Africa. New Threats and Countermeasures in Digital Crime and Cyber Terrorism (2015)
  • M. Srite et al. The role of espoused national cultural values in technology acceptance. MIS Q. (2006)
  • D. Straub et al. Toward a theory-based measurement of culture. J. Glob. Inf. Manag. (2002)
  • N. Roztocki et al. Information technology success factors and models in developing and emerging economies. Inf. Technol. Dev. (2011)
  • D. Zhang et al. The Impact of Individualism—Collectivism, Social Presence, and Group Diversity on Group Decision Making under Majority Influence. J. Manag. Inf. Syst. (2007)
  • G. Hofstede. Culture’s Consequences: International Differences in Work Related Values (1980)
  • P.A. Pavlou et al. What drives electronic commerce across cultures? A cross-cultural empirical investigation of the theory of planned behavior. J. Electr. Comm. Res. (2002)
  • W.S. Robinson. Ecological correlations in the behavior of individuals. Am. Sociol. Rev. (1950)
  • T.R. Tyler et al. Cultural values and authority relations: the psychology of conflict resolution across cultures. Psychol. Public Policy Law (2000)
  • R.M. Klassen. Optimism and realism: a review of self-efficacy from a cross‐cultural perspective. Int. J. Psychol. (2004)
  • R.S. Lazarus et al. Stress, Appraisal, and Coping (1984)
  • W. Hong et al. A framework and guidelines for context-specific theorizing in information systems research. Inf. Syst. Res. (2014)
  • J. Langdon. Social movement learning in Ghana communal defence of resources in neoliberal times
  • E. Deliktas et al. Efficiency Convergence in Transition Economies: 1991-2002 a Non Parametric Frontier Approach (2003)
  • O. Ngwenyama et al. Is there a relationship between ICT, health, education and development? An empirical analysis of five West African countries from 1997–2003. Electron. J. Inf. Syst. Dev. Ctries. (2006)

Robert E. Crossler is an Assistant Professor of Information Systems in the Carson College of Business at Washington State University. He received his Ph.D. from the Department of Accounting and Information Systems at Virginia Tech. His research focuses on the factors that affect the security and privacy decisions individuals make. He has published in leading MIS journals, including MIS Quarterly, Journal of Management Information Systems, Journal of the Association for Information Systems, European Journal of Information Systems, Information Systems Journal, Journal of Strategic Information Systems, and Decision Support Systems. He received the 2013 INFORMS Information Systems Society (ISS) Design Science Award for his information privacy work, his paper in The DATA BASE for Advances in Information Systems was recognized as the journal’s best paper in 2014, and he received the Journal of Information Systems inaugural Best Paper Award in 2017. He also serves as the President-Elect for the Association for Information Systems’ Special Interest Group on Security and Privacy (SIG SEC).

Francis Kofi Andoh-Baidoo is Associate Professor, Department of Information Systems, Robert C. Vackar College of Business and Entrepreneurship, University of Texas Rio Grande Valley. He has a PhD in Information Systems from the Virginia Commonwealth University in Richmond. His research interests are in data mining, decision support systems, knowledge management, and information security. His research has appeared in journals such as Communications of the Association for Information Systems, Information Systems Frontiers and The DATA BASE for Advances in Information Systems. He serves on the editorial boards of the Journal of Information Technology Theory and Application and Information Technology for Development.

Philip Menard is an assistant professor of information systems at the University of South Alabama. He received his Ph.D. from the Department of Management and Information Systems at Mississippi State University and is also a past recipient of the CyberCorps Scholarship for Service. He is interested in the impacts of security measures on organizational end users, security education training and awareness (SETA) programs, and the impact of espoused cultural values on individuals’ secure behaviors. He has published in Journal of Management Information Systems, Journal of the Association for Information Systems, Journal of Computer Information Systems, and Computers & Security. He has also presented his work at several conferences.
