
Horizons of Psychology :: Psihološka obzorja

Scientific and Professional Psychological Journal of the Slovenian Psychologists' Association

Indexed in:
Academic OneFile

Member of DOAJ and CrossRef




Theories and models in behavioral information security research

Špela Grilc, Kaja Prislan & Anže Mihelič

Written in Slovene.  |  Published: December 15, 2022

Abstract: Behavioral information security is concerned with explaining the role of users in the information security system, drawing on various psychological, organizational, and criminological theories to explain and predict user behavior. Despite numerous systematic literature reviews in the field of information security, there is no comprehensive systematic review of the theories used in behavioral information security research. The purpose of this paper is to investigate which theories are most widely used in research, in which subject areas they are most used, which factors are most frequently included in research according to each set of theories, and which are most frequently statistically significant. Accordingly, we conducted two studies involving a systematic review of the literature over the past ten years. The findings suggest that the most used theories include the protection motivation theory and the theory of planned behavior. In these two theories, self-efficacy and perceived usefulness of the technology are the factors that are most often statistically significant in predicting self-protective behavior.

Keywords: information security, cybersecurity, behavioral theories, systematic literature review

Grilc, Š., Prislan, K., & Mihelič, A. (2022). Teorije in modeli v vedenjskih informacijskovarnostnih raziskavah [Theories and models in behavioral information security research]. Psihološka obzorja, 31, 602–622.
