Pojdi na slovensko stran članka / Go to the article page in Slovene
Theories and models in behavioral information security research
Špela Grilc, Kaja Prislan & Anže Mihelič
Full text (pdf) | Views: 94 | Written in Slovene. | Published: December 15, 2022
https://doi.org/10.20419/2022.31.568 | Cited By: CrossRef (0)
Abstract: Behavioral information security is concerned with explaining the role of users in the information security system, drawing on various psychological, organizational, and criminological theories to explain and predict user behavior. Despite numerous systematic literature reviews on the field of information security, there is no comprehensive systematic review of the theories used in behavioral information security research. The purpose of this paper is to investigate which theories are most widely used in research, in which subject areas they are most used, which factors are most frequently included in research according to each set of theories, and which are most frequently statistically significant. Accordingly, we made two studies involving a systematic review of the literature over the past ten years. The findings suggest that the most used theories include the protection motivation theory and the theory of planned behavior. In these two theories, self-efficacy and perceived usefulness of the technology are factors, which are most often statistically significant in predicting self-protective behavior.
Keywords: information security, cybersecurity, behavioral theories, systematic literature review
Cite:
Grilc, Š., Prislan, K., & Mihelič, A. (2022). Teorije in modeli v vedenjskih informacijskovarnostnih raziskavah [Theories and models in behavioral information security research]. Psihološka obzorja, 31, 602–622. https://doi.org/10.20419/2022.31.568
Reference list
Abraham, S., & Chengalur-Smith, I. S. (2019). Evaluating the effectiveness of learner controlled information security training. Computers and Security, 87, članek 101586. CrossRef
Addae, J. H., Sun, X., Towey, D., & Radenkovic, M. (2019). Exploring user behavioral data for adaptive cybersecurity. User Modeling and User-Adapted Interaction, 29, 701–750. CrossRef
Aigbefo, Q. A., Blount, Y., & Marrone, M. (2020). The influence of hardiness and habit on security behaviour intention. Behaviour and Information Technology, 41(6), 1151–1170. CrossRef
Ajzen, I. (1985). From intention to actions: A theory of planned behavior. V J. Kuhl in J. Beckman (ur.), Action control: From cognition to behavior (str. 11–39). Springer. CrossRef
Al-Harthy, I. M., Rahim, F. A., Ali, N., & Singun, A. P. (2020). Dimensions of protection behaviors: A systematic literature review. Journal of Theoretical and Applied Information Technology, 98(17), 3668–3697.
Alohali, M., Clarke, N., Furnell, S., & Albakri, S. (2017). Information security behavior: Recognizing the influencers. V Proceedings of Computing Conference 2017, 18-20 July 2017, London, United Kingdom (str. 844–853). IEEE. CrossRef
Alturki, A., Alshwihi, N., & Algarni, A. (2020). Factors influencing players' susceptibility to social engineering in social gaming networks. IEEE Access, 8, 97383–97391. CrossRef
Angraini, Alias, R. A., & Okfalisa. (2019). Information security policy compliance: Systematic literature review. Procedia Computer Science, 161, 1216–1224. CrossRef
Aurigemma, S., & Mattson, T. (2017). Privilege or procedure: Evaluating the effect of employee status on intent to comply with socially interactive information security threats and controls. Computers and Security, 66, 218–234. CrossRef
Aurigemma, S., & Mattson, T. (2019a). Effect of long-term orientation on voluntary security actions. Information and Computer Security, 27(1), 122–142. CrossRef
Aurigemma, S., & Mattson, T. (2019b). Generally speaking, context matters: Making the case for a change from universal to particular ISP research. Journal of the Association for Information Systems, 20(12), 1700–1742. CrossRef
Ayyash, M. M., Herzallah, F. A. T., & Ahmad, W. (2020). Towards social network sites acceptance in e-learning system: Students perspective at Palestine Technical University-Kadoorie. International Journal of Advanced Computer Science and Applications, 11(2), 312–320. CrossRef
Barlette, Y., Gundolf, K., & Jaouen, A. (20.-22. maj 2015). Toward a better understanding of SMB CEOs' information security behavior: Insights from threat or coping appraisal [prispevek na konferenci]. 20th Symposium of the Association Information and Management 2015, AIM 2015, Rabat, Morocco.
Bauer, S., & Bernroider, E. W. N. (2015). The effects of awareness programs on information security in banks: The roles of protection motivation and monitoring. V Proceedings of the Third International Conference on Human Aspects of Information Security, Privacy, and Trust, 9190 (str. 154–164). Springer. CrossRef
Becker, G. S. (1968). Crime and punishment: An economic approach. V G. S. Becker in W. Landes (ur.), Essays in the economics of crime and punishment (str. 1–54). Columbia University Press. CrossRef
Bélanger, F., Collignon, S., Enget, K., & Negangard, E. (2017). Determinants of early conformance with information security policies. Information and Management, 54(7), 887–901. CrossRef
Blythe, J. M., & Coventry, L. (2018). Costly but effective: Comparing the factors that influence employee anti-malware behaviours. Computers in Human Behavior, 87, 87–97. CrossRef
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2016). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523–548. CrossRef
Chang, K. C., & Seow, Y. M. (2019). Protective measures and security policy non-compliance intention: IT vision conflict as a moderator. Journal of Organizational and End User Computing, 31(1), 1–21. CrossRef
Chatterjee, S., Kar, A. K., Dwivedi, Y. K., & Kizgin, H. (2019). Prevention of cybercrimes in smart cities of India: From a citizen's perspective. Information Technology and People, 32(5), 1153–1183. CrossRef
Chen, X., Chen, L., & Wu, D. (2018). Factors that influence employees' security policy compliance: An awareness-motivation-capability perspective. Journal of Computer Information Systems, 58(4), 312–324. CrossRef
Chen, Y., Ramamurthy, K., & Wen, K. W. (2012). Organizations' information security policy compliance: Stick or carrot approach? Journal of Management Information Systems, 29(3), 157–188. CrossRef
Chen, L., Zhen, J., Dong, K., & Xie, Z. (2020). Effects of sanction on the mentality of information security policy compliance. Revista Argentina de Clinica Psicologica, 29(1), 39–49.
Chen, X., Wu, D., Chen, L., & Teng, J. K. L. (2018). Sanction severity and employees' information security policy compliance: Investigating mediating, moderating, and control variables. Information and Management, 55(8), 1049–1060. CrossRef
Chou, H. L., & Chou, C. (2016). An analysis of multiple factors relating to teachers' problematic information security behavior. Computers in Human Behavior, 65, 334–345. CrossRef
Cox, J. (2012). Information systems user security: A structured model of the knowing-doing gap. Computers in Human Behavior, 28(5), 1849–1858. CrossRef
D'Arcy, J., & Lowry, P. B. (2019). Cognitive-affective drivers of employees' daily compliance with information security policies: A multilevel, longitudinal study. Information Systems Journal, 29(1), 43–69. CrossRef
Da Veiga, A., & Eloff, J. H. P. (2007). An information security governance framework. Information Systems Management, 24(4), 361–372. CrossRef
Dang-Pham, D., & Pittayachawan, S. (2015). Comparing intention to avoid malware across contexts in a BYOD-enabled Australian university: A protection motivation theory approach. Computers and Security, 48, 281–297. CrossRef
Davis, F. (1989). Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quarterly, 13(3), 319–340. CrossRef
Dodel, M., & Mesch, G. (2019). An integrated model for assessing cyber-safety behaviors: How cognitive, socioeconomic and digital determinants affect diverse safety practices. Computers and Security, 86, 75–91. CrossRef
Dünnebeil, S., Sunyaev, A., Blohm, I., Leimeister, J. M., & Krcmar, H. (2012). Determinants of physicians' technology acceptance for e-health in ambulatory care. International Journal of Medical Informatics, 81(11), 746–760. CrossRef
Ganeshkumar, P., & Gopalakrishnan, S. (2013). Systematic reviews and meta-analysis: Understanding the best evidence in primary healthcare. Journal of Family Medicine and Primary Care, 2(1), 9–14. CrossRef
Geil, A., Sagers, G., Spaulding, A. D., & Wolf, J. R. (2018). Cyber security on the farm: An assessment of cyber security practices in the United States agriculture industry. International Food and Agribusiness Management Review, 21(3), 317–334. CrossRef
Gibbs, J. P. (1975). Crime, punishment, and deterrence. Elsevier.
Giwah, A. D., Wang, L., Levy, Y., & Hur, I. (2020). Empirical assessment of mobile device users' information security behavior towards data breach: Leveraging protection motivation theory. Journal of Intellectual Capital, 21(2), 215–233. CrossRef
Grimes, M., & Marquardson, J. (2019). Quality matters: Evoking subjective norms and coping appraisals by system design to increase security intentions. Decision Support Systems, 119, 23–34. CrossRef
Han, J. Y., Kim, Y. J., & Kim, H. (2017). An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective. Computers and Security, 66, 52–65. CrossRef
Hansen, J. M., Saridakis, G., & Benson, V. (2018). Risk, trust, and the interaction of perceived ease of use and behavioral control in predicting consumers' use of social media for transactions. Computers in Human Behavior, 80, 197–206. CrossRef
Hanus, B., & Wu, Y. A. (2016). Impact of users' security awareness on desktop security behavior: A protection motivation theory perspective. Information Systems Management, 33(1), 2–16. CrossRef
Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J., & Rao, H. R. (2014). Security services as coping mechanisms: An investigation into user intention to adopt an email authentication service. Information Systems Journal, 24(1), 61–84. CrossRef
Hina, S., Panneer Selvam, D. D. D., & Lowry, P. B. (2019). Institutional governance and protection motivation: Theoretical insights into shaping employees' security compliance behavior in higher education institutions in the developing world. Computers and Security, 87, članek 101594. CrossRef
Ho, S. M., Ocasio-Velázquez, M., & Booth, C. (2017). Trust or consequences? Causal effects of perceived risk and subjective norms on cloud technology adoption. Computers and Security, 70, 581–595. CrossRef
Hochbaum, G., Rosenstock, I., & Kegels, S. (1952). Health Belief Model. United States Public Health Service.
Hong, Y., & Furnell, S. (2019). Organizational formalization and employee information security behavioral intentions based on an extended TPB model. V 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), University of Oxford, United Kingdom, 3-4 June 2019 (str. 1–4). IEEE. CrossRef
Hooper, V., & Blunt, C. (2020). Factors influencing the information security behaviour of IT employees. Behaviour and Information Technology, 39(8), 862–874. CrossRef
Hu, Q., Dinev, T., Hart, P., & Cooke, D. (2012). Managing employee compliance with information security policies. Decision Sciences, 43(4), 615–659. CrossRef
Hu, Q., Xu, Z., Dinev, T., & Ling, H. (2010). Why individuals commit computer offences in organizations: Investigating the roles of rational choice, self-control, and deterrence. V PACIS 2010 Proceedings: 14th Pacific Asia Conference on Information Systems (str. 1378–1389).
Humaidi, N., Balakrishnan, V., & Shahrom, M. (2014). Exploring user's compliance behavior towards health information system security policies based on extended health belief model. V IC3e: 2014 IEEE Conference on e-Learning, e-Management and e-Services, Melbourne, Australia, 10-12 December 2014 (str. 30–35). IEEE. CrossRef
Iriqat, Y. M., Ahlan, A. R., & Molok, N. N. A. (2019). Information security policy perceived compliance among staff in palestine universities: An empirical pilot study. V 2019 IEEE Jordan International Joint Conference on Electrical Engineering and Information Technology, Jordan, April 9-11 (str. 580–585). IEEE. CrossRef
Jaeger, L., & Eckhardt, A. (2021). Eyes wide open: The role of situational information security awareness for security-related behaviour. Information Systems Journal, 31(3), 429–472. CrossRef
Jalali, M. S., Bruckes, M., Westmattelmann, D., & Schewe, G. (2020). Why employees (still) click on phishing links: Investigation in hospitals. Journal of Medical Internet Research, 22(1), članek e16775. CrossRef
Jansen, J., & van Schaik, P. (2015). Persuading end users to act cautiously online: A fear appeals study on phishing. Information & Computer Security, 23(3), 302–316.
Jansen, J., & van Schaik, P. (2017). Comparing three models to explain precautionary online behavioural intentions. Information and Computer Security, 25(2), 165–180. CrossRef
Jansen, J., & van Schaik, P. (2018). Testing a model of precautionary online behaviour: The case of online banking. Computers in Human Behavior, 87, 371–383. CrossRef
Jeon, S., Son, I., & Han, J. (2021). Exploring the role of intrinsic motivation in ISSP compliance: Enterprise digital rights management system case. Information Technology and People, 34(2), 599–616. CrossRef
Kim, H. L., & Han, J. (2019). Do employees in a "good" company comply better with information security policy? A corporate social responsibility perspective. Information Technology and People, 32(4), 858–875. CrossRef
Kim, S. H., Yang, K. H., & Park, S. (2014). An integrative behavioral model of information security policy compliance. Scientific World Journal, 2014, članek 463870. CrossRef
Kitchenham, B., & Charters, S. (2007). Guidelines for performing systematic literature reviews in software engineering (EBSE 2007-001). Keele University and Durham University Joint Report.
Klobas, J. E., McGill, T., & Wang, X. (2019). How perceived security risk affects intention to use smart home devices: A reasoned action explanation. Computers and Security, 87, članek 101571. CrossRef
Kranz, J. J., & Haeussinger, F. J. (2014). Why deterrence is not enough: The role of endogenous motivations on employees' information security behavior. V Proceedings of the 35th International Conference on Information Systems ICIS 2014: Building a Better World through Information Systems, Auckland, New Zealand, December 14-17, 2014. Association for Information Systems.
Kuppusamy, P., Samy, G. N., Maarop, N., Magalingam, P., Kamaruddin, N., Shanmugam, B., & Perumal, S. (2020). Systematic literature review of information security compliance behaviour theories. Journal of Physics: Conference Series, 1551, članek 012005. CrossRef
Kwak, Y., Lee, S., Damiano, A., & Vishwanath, A. (2020). Why do users not report spear phishing emails? Telematics and Informatics, 48, članek 101343. CrossRef
Laugesen, J., & Hassanein, K. (2017). Adoption of personal health records by chronic disease patients: A research model and an empirical study. Computers in Human Behavior, 66, 256–272. CrossRef
Lebek, B., Uffen, J., Neumann, M., Hohler, B., & Breitner, M. H. (2014). Information security awareness and behavior: A theory-based literature review. Management Research Review, 37(12), 1049–1092. CrossRef
Leering, A., van de Wijngaert, L., & Nikou, S. (2020). More honour'd in the breach: Predicting non-compliant behaviour through individual, situational and habitual factors. Behaviour and Information Technology, 41(3), 519–534. CrossRef
Liu, C., Wang, N., & Liang, H. (2020). Motivating information security policy compliance: The critical role of supervisor-subordinate guanxi and organizational commitment. International Journal of Information Management, 54(28), članek 102152. CrossRef
Mark Grimes, G., Marquardson, J., & Nunamaker, J. F. (2014). Broken windows, bad passwords: Influencing secure user behavior via website design. V 20th Americas Conference on Information Systems (AMCIS 2014): Smart Sustainability: The Information Systems Opportunity, Georgia, USA, 7-9 August 2014 (str. 1862–1873). AIS/ICIS.
Martens, M., De Wolf, R., & De Marez, L. (2019). Investigating and comparing the predictors of the intention towards taking security measures against malware, scams and cybercrime in general. Computers in Human Behavior, 92, 139–150. CrossRef
Mayer, P., Gerber, N., McDermott, R., Volkamer, M., & Vogt, J. (2017). Productivity vs security: Mitigating conflicting goals in organizations. Information and Computer Security, 25(2), 137–151. CrossRef
Mayer, P., Kunz, A., & Volkamer, M. (2017). Reliable behavioural factors in the information security context. V ACM International Conference Proceeding Series, Part F1305. CrossRef
Menard, P., Bott, G. J., & Crossler, R. E. (2017). User motivations in protecting information security: Protection motivation theory versus self-determination theory. Journal of Management Information Systems, 34(4), 1203–1230. CrossRef
Menard, P., Warkentin, M., & Lowry, P. B. (2018). The impact of collectivism and psychological ownership on protection motivation: A cross-cultural examination. Computers and Security, 75, 147–166. CrossRef
Mussa, C., & Cohen, M. (2013). Prudent access control behavioral intention: Instrument development and validation in a healthcare environment. V 19th Americas Conference on Information Systems (AMCIS 2013): Hyperconnected World: Anything, Anywhere, Anytime, Chicago, Illinois, USA, 15-17 August 2013 (str. 2820–2830). AIS/ICIS.
Nasir, A., Abdullah Arshah, R., & Ab Hamid, M. R. (2019). A dimension-based information security culture model and its relationship with employees' security behavior: A case study in Malaysian higher educational institutions. Information Security Journal, 28(3), 55–80. CrossRef
Nasir, A., Abdullah Arshah, R., & Rashid Ab Hamid, M. (2018). The significance of main constructs of theory of planned behavior in recent information security policy compliance behavior study: A comparison among top three behavioral theories. International Journal of Engineering & Technology, 7(2.29), 737–741. CrossRef
Njenga, K. (2017). Understanding internal information systems security policy violations as paradoxes. Interdisciplinary Journal of Information, Knowledge, and Management, 12, 1–15. CrossRef
Ophoff, J., & Lakay, M. (2018). Mitigating the ransomware threat: A protection motivation theory approach. V H. Venter, M. Loock, M. Coetzee, M. Eloff in J. Eloff (ur.), Information security: 17th International Conference, ISSA 2018, Pretoria, South Africa, August 15-16, 2018: Communications in Computer and Information Science, 973 (str. 163–175). Springer. CrossRef
Ormond, D., Warkentin, M., & Crossler, R. E. (2019). Integrating cognition with an affective lens to better understand information security policy compliance. Journal of the Association for Information Systems, 20(12), 1794–1843. CrossRef
Park, E. H., Kim, J., & Park, Y. S. (2017). The role of information security learning and individual factors in disclosing patients' health information. Computers and Security, 65, 64–76. CrossRef
Parker, H. J., & Flowerday, S. V. (2020). Contributing factors to increased susceptibility to social media phishing attacks. SA Journal of Information Management, 22(1), 1–10. CrossRef
Posey, C., Roberts, T. L., & Lowry, P. B. (2015). The impact of organizational commitment on insiders motivation to protect organizational information assets. Journal of Management Information Systems, 32(4), 179–214. CrossRef
Prislan, K., & Bernik, I. (2019). Informacijska varnost in organizacije [Information security and organizations]. Univerzitetna založba Univerze v Mariboru.
Prislan, K., Mihelič, A., & Bernik, I. (2020). A real-world information security performance assessment using a multidimensional socio-technical approach. PLoS ONE, 15(9), članek e0238739. CrossRef
Reason, J. (2000). Human error: Models and management. British Medical Journal, 320(7237), 768–770. CrossRef
Richardson, M. D., Lemoine, P. A., Stephens, W. E., & Waller, R. E. (2020). Planning for cyber security in schools: The human factor. Educational Planning, 27(2), 23–39.
Rocha Flores, W., Antonsen, E., & Ekstedt, M. (2014). Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. Computers and Security, 43, 90–110. CrossRef
Rogers, R. W. (1983). Cognitive and physiological process in fear appeals and attitude change: A revised theory of protection motivation. V J. Cacioppo in R. Petty (ur.), Social Psychophysiology: A source book (str. 153-176). Guilford Press.
Sadaf, H., & Dhanapal, D. D. (2018). Information security policies' compliance: A perspective for higher education institutions. Journal of Computer Information Systems, 60(3), 201–211. CrossRef
Safa, N. S., Maple, C., Watson, T., & Von Solms, R. (2018). Motivation and opportunity based model to reduce information security insider threats in organisations. Journal of Information Security and Applications, 40, 247–257. CrossRef
Safa, N. S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., & Herawan, T. (2015). Information security conscious care behaviour formation in organizations. Computers and Security, 53, 65–78. CrossRef
Shropshire, J., Warkentin, M., & Sharma, S. (2015). Personality, attitudes, and intentions: Predicting initial adoption of information security behavior. Computers and Security, 49, 177–191. CrossRef
Siponen, M., Pahnila, S., & Mahmood, M. A. A. (2010). Compliance with information security policies: An empirical investigation. IEE Computer Society, 43(2), 64–71. CrossRef
Sommestad, T., Karlzén, H., & Hallberg, J. (2019). The theory of planned behavior and information security policy compliance. Journal of Computer Information Systems, 59(4), 344–353. CrossRef
Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), 215–225. CrossRef
Tamjidyamcholo, A., Kumar, S., Sulaiman, A., & Gholipour, R. (2016). Willingness of members to participate in professional virtual communities. Quality and Quantity, 50(6), 2515–2534. CrossRef
Torten, R., Reaiche, C., & Boyle, S. (2018). The impact of security awarness on information technology professionals' behavior. Computers and Security, 79, 68–79. CrossRef
Trang, S. T. N., Ruch, T. J., & Kolbe, L. M. (2014). Collaborative technologies in an inter-organizational context: Examining the role of perceived information security and trust on post-adoption. V R. H. Sprague, Jr. (ur.), Proceedings of the 47th Annual Hawaii International Conference on System Sciences HICSS, Waikoloa, Hawaii, 6-9 January 2014 (str. 160–169). IEEE. CrossRef
Tsai, H. Y. S., Jiang, M., Alhabash, S., Larose, R., Rifon, N. J., & Cotten, S. R. (2016). Understanding online safety behaviors: A protection motivation theory perspective. Computers and Security, 59, 138–150. CrossRef
Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: Insights from habit and protection motivation theory. Information & Management, 49(3-4), 190–198. CrossRef
Vedadi, A., & Warkentin, M. (2020). Can secure behaviors be contagious? A two-stage investigation of the influence of herd behavior on security decisions. Journal of the Association for Information Systems, 21(2), 428–459. CrossRef
Verkijika, S. F. (2019). "If you know what to do, will you take action to avoid mobile phishing attacks": Self-efficacy, anticipated regret, and gender. Computers in Human Behavior, 101, 286–296. CrossRef
Vicozi, M. (2018). Vloga posameznika pri zagotavljanju informacijske varnosti [The role of an individual in providing information security] [Magistrsko delo, Univerza v Ljubljani, Ekonomska fakulteta]. Repozitorij Univerze v Ljubljani. https://repozitorij.uni-lj.si/IzpisGradiva.php?id=104732
Warkentin, M., Johnston, A. C., Shropshire, J., & Barnett, W. D. (2016). Continuance of protective security behavior: A longitudinal study. Decision Support Systems, 92, 25–35. CrossRef
Wiafe, I., Koranteng, F. N., Wiafe, A., Obeng, E. N., & Yaokumah, W. (2020). The role of norms in information security policy compliance. Information and Computer Security, 28(5), 743–761. CrossRef
Williams, E. J., & Joinson, A. N. (2020). Developing a measure of information seeking about phishing. Journal of Cybersecurity, 6(1), 1–16. CrossRef
Williams, C. K., Wynn, D., Madupalli, R., Karahanna, E., & Duncan, B. K. (2014). Explaining users' security behaviors with the security belief model. Journal of Organizational and End User Computing, 26(3), 23–46. CrossRef
Yoo, C. W., Goo, J., & Rao, H. R. (2020). Is cybersecurity a team sport? A multilevel examination of workgroup information security effectiveness. MIS Quarterly: Management Information Systems, 44(2), 907–932. CrossRef
