Explaining Users' Security Behaviors with the Security Belief Model

Clay K. Williams (Southern Illinois University Edwardsville, Edwardsville, IL, USA), Donald Wynn (University of Dayton, Dayton, OH, USA), Ramana Madupalli (Southern Illinois University Edwardsville, Edwardsville, IL, USA), Elena Karahanna (Terry College of Business, University of Georgia, Athens, GA, USA) and Barbara K. Duncan (Southern Illinois University Edwardsville, Edwardsville, IL, USA)
Copyright: © 2014 | Pages: 24
DOI: 10.4018/joeuc.2014070102


Information security is often viewed as a technological matter. However, security professionals will readily admit that without safe practices by users, no amount or type of technology will be effective at preventing unauthorized intrusions. By paralleling the practices of information security and health prevention, a rationale for employing constructs from existing models of health behavior is established. A comprehensive and parsimonious model (the Security Belief Model) is developed to explain information security behavior intentions. The model is tested empirically based on a sample of 237 Indian professionals. The results of the empirical study indicate general support for the model, particularly including severity, susceptibility, benefits, and a cue to action as antecedents to the intention to perform preventive information security behaviors. The paper also discusses implications of the model and results for practitioners, as well as possibilities for future research.


The ubiquity of computers has made much of the industrialized world dependent on computers and Internet access for purchasing, information retrieval, and correspondence. Despite this dependence, many organizational end users are negligent in the application of preventive security measures including maintaining up-to-date antivirus signatures, operating system patches, personal firewalls, and data backups (Herath & Rao, 2009). These measures can be automated, but often with some personal effort and/or financial cost. Very few end users have the time or inclination to be fully aware of the expanding torrent of security vulnerabilities and patches. As a result, employees who do not secure their hardware and software on a regular, frequent basis find themselves increasingly vulnerable to unauthorized intrusions. The security of information systems and the policies intended to ensure employees’ compliance with preventive behaviors have become increasingly important. Organizations are realizing the critical importance of IS security. This contrasts markedly with security attitudes previously described (Straub, 1990). As IS security becomes a vital issue for organizations, end users complying with IS security measures will play a crucial role in the company's IS security success.

MIS researchers are becoming increasingly interested in investigating individuals’ preventive information security behaviors. These are behaviors that organizational end users may adopt, or choose not to enact, that result in improved information security. Numerous studies exist related to the adoption and diffusion of new computer systems, especially using Rogers’ Diffusion of Innovation (Karahanna, Straub, & Chervany, 1999; Rogers, 1995), the Technology Acceptance Model (Davis, 1989; Davis & Venkatesh, 2004; Venkatesh & Davis, 2000), and Task-Technology Fit (Dishaw & Strong, 1999; Goodhue & Thompson, 1995). However, these theories are not directly applicable to the uncertainty and risk-avoidance behaviors that would be more appropriate to the adoption of preventive information security tools and behaviors.

Recent studies have attempted to incorporate these individual uncertainty and risk perceptions by adapting concepts found in theories developed to explain individuals’ adoption of preventive health behaviors, including several studies in organizational contexts. These include Prentice-Dunn et al.’s Protection Motivation Theory (1986) (see Anderson & Agarwal, 2010; Herath & Rao, 2009; Johnston & Warkentin, 2010; Lee & Larsen, 2009; Liang & Xue, 2009, 2010; Siponen, Pahnila, & Mahmood, 2010) and Rosenstock’s Health Belief Model (1966) (see Ng, Kankanhalli, & Xu, 2009). Additionally, MIS researchers have utilized other behavioral theories such as the widely adopted general deterrence theory (e.g., D'Arcy, Hovav, & Galletta, 2009; Siponen et al., 2010; Siponen & Vance, 2010; Straub, 1990; Straub & Welke, 1998), rational choice theory (Vance & Siponen, 2012) and the lesser-known universal constructive instructional theory (Puhakainen & Siponen, 2010) to establish guidelines for companies to improve IS security.
