Abstract
Information security is important for organizations as well as individuals from the perspective of protection from data breaches, identity theft, malware and infections, hacking etc. This article presents the framework of Protection Motivation Theory and its constructs, and then reviews the past IS Literature on information systems security, from a protection motivation perspective. Specifically this article tries to explain how individuals perceive a fear appeal in an information systems security threat, and how the protection motivation framework of fear, threat perceptions of severity and vulnerability, impact the coping intentions of individuals to protect themselves from information systems security threats. This article further discusses the theoretical and managerial implications of protection motivation theory as it applies to information systems security.
TopIntroduction
Information systems security is defined as protection of information systems assets against the threats of unauthorized access to or modification of information, that is stored, being processed or in transmission, that result in disruptions to authorized users, or availability to unauthorized users, and the measures of protections that include detection, documentation and successfully thwarting such threats (Whitman & Mattord, 2012). The information systems assets include components of information system, software, hardware, communication systems, data and storage, and several tangible and intangible aspects of an information system (Schou & Shoemaker, 2007).
Past research identified several threats to information systems (IS) security such as viruses, worms and infections, hacking and unauthorized access, malware, data breaches, credit card and identity theft etc. The catastrophic impact of such information systems incidents or compromises on organizations is well documented (Choobineh, Dhillon, Grimaila, & Rees, 2007; Loch, Carr, & Warkentin, 1992; Panko, 2003). Therefore the importance of information security forms an important aspect of organizational as well as personal information systems.
While IS Security comprises of technical aspects such as firewalls, antivirus software, intrusion detection systems, and other software and hardware controls, ensuring effective information IS security goes beyond the technical controls, and calls for a socio-technical approach to security (Panko, 2004; Workman, Bommer, & Straub, 2009). Arguably, users are the weakest link in IS security because they are often error prone and may lack proper understanding of IS security, or often not in compliance with the security requirements (Dhillon & Moores, 2001; Siponen, 2005; Stanton & Stam, 2006). IS research has studied the impact and effectiveness of deterrence, workplace monitoring and implementing strict IS security policies in organizations extensively (Herath & Rao, 2009; Hu, Dinev, Hart, & Cooke, 2012; Smith, Milberg, & Burke, 1996; Stanton & Stam, 2006). The role of users, and importance of user awareness is well recognized in research as being fundamental to for IS security measures to be effective (Herath & Rao, 2009; Spears & Barki, 2010; Straub & Weike, 1998; Straub & Nance, 1990). However, understanding the factors that can bring an attitude change, motivate the users to protect themselves against IS security threats or create user awareness about the importance of security can be helpful in implementing effective counter measures for the IS security threats.
Protection motivation theory provides a framework for understanding how user’s perceptions of threats and their perceptions about the severity and vulnerability of threats influence user intentions and actions towards protecting themselves. The theoretical framework of protection motivation and persuasive fear appeals is considered appropriate for information systems security because threats to information security is an important issue that warrants understanding of how individuals respond to such threats. This article reviews the protection motivation theory framework and the past research in the area of fear appeals and protection motivation as it relates to information systems security.
Key Terms in this Chapter
Perceived Threat: The stimuli arousing the emotion of fear.
Self-Efficacy: The person’s belief that he or she has the ability to perform the recommended behaviors.
Fear: A negative emotion towards an object, event, person or a perceived threat, accompanied by high arousal.
Personal Identifiers: Names, social security numbers, phone numbers, and addresses which can be used open new credit card or utility accounts, obtain mortgages or automobiles loans, or make online purchases without the victim’s consent.
Information System Security Policy (ISSP): The set of guidelines or mechanisms, or expectations in an organization to influence or regulate the behaviors of its employees with respect to how an organizational IT resources or infrastructure or assets are used.
Identity theft: The unauthorized use of another person’s identifying information for financial or personal gain or with intent to commit fraud.
Response Efficacy: The person’s belief that the recommended behaviors will be effective in reducing or eliminating the perceived threat.
Perceived Severity: The magnitude of the threat or seriousness perceived by a person.
Threat: In the context of IS security is a possibility of situation that could potentially take advantage of a vulnerability in order to compromise an information system, data or information assets or cause damage.
Information Systems Assets: Include components of information system, software, hardware, communication systems, data and storage, and several tangible and intangible aspects of an information system.
Information Systems Security: Protection of information systems assets against the threats of unauthorized access to or modification of information that is stored, being processed or in transmission, that could result in disruptions to authorized users or availability to unauthorized users, and the measures of protections that include detection, documentation and successfully thwarting such threats.
Perceived Vulnerability: The subjective perception of the impending possibility of a negative event happening to him or her.