Experience Matters: The Role of Vicarious Experience in Secure Actions

Experience Matters: The Role of Vicarious Experience in Secure Actions

Leigh A. Mutchler, Merrill Warkentin
Copyright: © 2020 |Pages: 20
DOI: 10.4018/JDM.2020040101
(Individual Articles)
No Current Special Offers


Information systems security is a major organizational concern. This study examines the role of vicarious experience on an individual's behavioral intent to perform a secure recommended response. The protection motivation theory model is expanded to include vicarious experience, which was examined through the separate constructs of vicarious threat experience and vicarious response experience. This study closes a gap in the literature by including vicarious experience in the PMT model and confirming its role as a significant direct influence on the PMT threat and coping constructs, and thus on the PMT model's ability to explain the variance of an individual's intent to perform secure behaviors. Additionally, vicarious experience measures were multi-item reflective scales rather than the single item measures that are more typically used to measure experience. Implications for theory and practice are discussed.
Article Preview


The numbers of information system (IS) security incidents continue to rise as do the recovery costs (Ponemon, 2017; Vormetric, 2016). The employee is known to be the weakest link in the efforts to protect organizational data assets. Although practitioners and academic researchers are focusing their attention to strengthen that link (Kolkowska, Karlsson, & Hedström, 2017; Moody, Siponen, & Pahnila, 2018; Sharp, 2017; Sophos, 2017), employees continue to be the most commonly identified offender of security incidents (PwC, 2014). Ernst and Young (EY) reported that 73% of all organizations are concerned that their employees possess poor security awareness (EY, 2016), and that 57% of all attacks against an organization’s data assets were perpetrated by employees. Interestingly, the underlying causes of 38% of those attacks were due to employee mistakes or poor understanding of protective behaviors (EY, 2014).

In the workplace, controls restrict employee behaviors, guiding them and at times forcing them to perform secure actions. However, as many as 43% of individuals working in the U.S. spend some of their time working remotely (Chokshi, 2017). During such times, individuals often have discretionary control regarding decisions about security. These individuals must make their own choices about whether or not to use antivirus software, whether or not to regularly back up data, which websites to visit, which emails to open, whether or not to patch (update) their software, and so on. Further, because work systems are often being accessed from an employee’s home, using their personally owned and controlled devices, the choices they make may pose serious risks to the organization. Many organizations are implementing bring your own device (BYOD) programs, allowing employees to use their personal mobile devices for work purposes (Lee, Warkentin, Crossler, & Otondo, 2016). Those personal devices will likely hold organizational data but may be used anywhere and will be primarily managed by the employee. Last, as much as 20% of U.S. workforce is made of contract employees (Noguchi, 2018), and the perceptions held by these individuals about information security compliance may differ due to their non-full-time employee status (Sharma & Warkentin, 2018). Regardless, in all such cases – individuals engage in choices regarding workplace information security. For this reason, there is an important need for researchers and security professionals to examine and understand individual secure behaviors (Anderson & Agarwal, 2010; Hanus & Wu, 2016; Liang & Xue, 2010; Talib, Clarke, & Furnell, 2010; Tsai et al., 2016).

Complete Article List

Search this Journal:
Volume 35: 1 Issue (2024)
Volume 34: 3 Issues (2023)
Volume 33: 5 Issues (2022): 4 Released, 1 Forthcoming
Volume 32: 4 Issues (2021)
Volume 31: 4 Issues (2020)
Volume 30: 4 Issues (2019)
Volume 29: 4 Issues (2018)
Volume 28: 4 Issues (2017)
Volume 27: 4 Issues (2016)
Volume 26: 4 Issues (2015)
Volume 25: 4 Issues (2014)
Volume 24: 4 Issues (2013)
Volume 23: 4 Issues (2012)
Volume 22: 4 Issues (2011)
Volume 21: 4 Issues (2010)
Volume 20: 4 Issues (2009)
Volume 19: 4 Issues (2008)
Volume 18: 4 Issues (2007)
Volume 17: 4 Issues (2006)
Volume 16: 4 Issues (2005)
Volume 15: 4 Issues (2004)
Volume 14: 4 Issues (2003)
Volume 13: 4 Issues (2002)
Volume 12: 4 Issues (2001)
Volume 11: 4 Issues (2000)
Volume 10: 4 Issues (1999)
Volume 9: 4 Issues (1998)
Volume 8: 4 Issues (1997)
Volume 7: 4 Issues (1996)
Volume 6: 4 Issues (1995)
Volume 5: 4 Issues (1994)
Volume 4: 4 Issues (1993)
Volume 3: 4 Issues (1992)
Volume 2: 4 Issues (1991)
Volume 1: 2 Issues (1990)
View Complete Journal Contents Listing