Introduction
The ubiquity of computers has made much of the industrialized world dependent on computers and Internet access for purchasing, information retrieval, and correspondence. Despite this dependence, many organizational end users are negligent in the application of preventive security measures including maintaining up-to-date antivirus signatures, operating system patches, personal firewalls, and data backups (Herath & Rao, 2009). These measures can be automated, but often with some personal effort and/or financial cost. Very few end users have the time or inclination to be fully aware of the expanding torrent of security vulnerabilities and patches. As a result, employees who do not secure their hardware and software on a regular, frequent basis find themselves increasingly vulnerable to unauthorized intrusions. The security of information systems and the policies intended to ensure employees’ compliance with preventive behaviors have become increasingly important. Organizations are realizing the critical importance of IS security. This contrasts markedly with security attitudes previously described (Straub, 1990). As IS security becomes a vital issue for organizations, end users complying with IS security measures will play a crucial role in the company’s IS security success.
MIS researchers are becoming increasingly interested in investigating individuals’ preventive information security behaviors. These are behaviors that organizational end users may adopt, or choose not to enact, that result in improved information security. Numerous studies exist related to the adoption and diffusion of new computer systems, especially using Rogers’ Diffusion of Innovation (Karahanna, Straub, & Chervany, 1999; Rogers, 1995), the Technology Acceptance Model (Davis, 1989; Davis & Venkatesh, 2004; Venkatesh & Davis, 2000), and Task-Technology Fit (Dishaw & Strong, 1999; Goodhue & Thompson, 1995). However, these theories are not directly applicable to the uncertainty and risk-avoidance behaviors that would be more appropriate to the adoption of preventive information security tools and behaviors.
Recent studies have attempted to incorporate these individual uncertainty and risk perceptions by adapting concepts found in theories developed to explain individuals’ adoption of preventive health behaviors, including several studies in organizational contexts. These include Prentice-Dunn et al.’s Protection Motivation Theory (1986) (see Anderson & Agarwal, 2010; Herath & Rao, 2009; Johnston & Warkentin, 2010; Lee & Larsen, 2009; Liang & Xue, 2009, 2010; Siponen, Pahnila, & Mahmood, 2010) and Rosenstock’s Health Belief Model (1966) (see Ng, Kankanhalli, & Xu, 2009). Additionally, MIS researchers have utilized other behavioral theories such as the widely adopted general deterrence theory (e.g., D'Arcy, Hovav, & Galletta, 2009; Siponen et al., 2010; Siponen & Vance, 2010; Straub, 1990; Straub & Welke, 1998), rational choice theory (Vance & Siponen, 2012), and the lesser-known universal constructive instructional theory (Puhakainen & Siponen, 2010) to establish guidelines for companies to improve IS security.