A Meta-Analysis of Studies on Protection Motivation Theory and Information Security Behaviour

Teodor Sommestad (Swedish Defence Research Agency (FOI), Linköping, Sweden), Henrik Karlzén (Swedish Defence Research Agency (FOI), Linköping, Sweden) and Jonas Hallberg (Swedish Defence Research Agency (FOI), Linköping, Sweden)
Copyright: © 2015 | Pages: 21
DOI: 10.4018/IJISP.2015010102

Abstract

Individuals' willingness to take security precautions is imperative to their own information security and the information security of the organizations they work within. This paper presents a meta-analysis of the protection motivation theory (PMT) to assess how its efficacy is influenced by the information security behavior it is applied to. It investigates whether the PMT explains information security behavior better if: 1) the behavior is voluntary; 2) the threat and coping method are concrete or specific; 3) the information security threat is directed to the person itself. Synthesized data from 28 surveys suggests that the answers to all three questions are yes. Weighted mean correlation coefficients are on average 0.03 higher for voluntary behavior than for mandatory behavior, 0.05 higher for specific behaviors than in studies of general behaviors, and 0.08 higher for threat appraisal when the threat targets the individual person instead of the person's organization or someone else.

1. Introduction

The behavior of individuals handling information resources significantly influences the information security of organizations (R. J. Anderson, 2008; Gollmann, 2006; Shostack & Stewart, 2008). Understanding the variables influencing the security behavior of individuals is important. For instance, by understanding the reasoning of employees, a manager can formulate and justify the information security policy so that it gains wider acceptance, or a government can educate the public on how to avoid computer malware.

The protection motivation theory (PMT) is an established theory, originally developed to explain how to influence risky behavior and which components a persuasive message should include. The PMT builds on the theory of fear appeals and at its core lies the idea that the behavior of individuals is influenced by their threat appraisal (how thrilling, severe and likely an unwanted consequence is) and their coping appraisal (how efficient, manageable and costly the risk reducing behavior is) (Rogers, 1983). Loosely put, the PMT posits that individuals form their behavior from a cost-benefit analysis where risks associated with the behavior are compared to the costs of trying to reduce or eliminate the risks. This is very similar to the way of thinking promoted in security standards like the ISO 27000 series (IEEE/IEC, 2012), where a selection process focusing on cost-effectiveness is endorsed. In a sense, PMT describes a homo securitas which is rational from a security perspective in the same way as homo economicus (see Persky (1995)) is rational from an economic perspective.

From published tests of relationships described by the PMT it is clear that the theory is able to explain a fair share of intentions related to information security behavior. However, there are good reasons to expect that the accuracy of the theory depends on the type of security behavior it is applied to. First, the PMT was developed to explain how fear appeals influence voluntary behavioral intentions related to health. In the information security domain, several studies have investigated variables related to the PMT in the context of information security policy compliance or other mandatory behaviors. Second, the theory was developed to explain cognitive processes related to specific threats (e.g., cancer) and specific coping methods (e.g., stop smoking). However, it has also been applied to information security behaviors that are abstract or complex, like behaving securely. Third, the theory was developed for (health) threats against individuals themselves, and not threats against an organization or others. For these reasons this paper revisits the published literature and presents a meta-analysis aiming at answering the following three questions:

  1. Does the PMT explain information security behavior better if the behavior is voluntary?

  2. Does the PMT explain information security behavior better if the threat and coping method is concrete or specific?

  3. Does the PMT explain information security behavior better if the information security threat is directed to the person itself?

The remainder of this paper is outlined as follows. In the subsequent section the PMT is described. Thereafter the review protocol and review method are presented. In the fourth section the results are presented. Last, the results are discussed together with suggestions for future research.

2. Protection Motivation Theory

When Rogers (Rogers, 1975) formulated the first version of the PMT in 1975, the variables said to determine protection motivation were: the severity or noxiousness of an event (severity), the probability that the event occurs if no protective behavior is performed (vulnerability), and the efficacy of the recommended behavior (response efficacy). According to the original theory, cognitive processes cause these variables to mediate each other, e.g., the perceived probability of an event is irrelevant if the perceived severity of the event is low.
