Studying users' computer security behavior: A health belief perspective
Introduction
Organizations increasingly rely on information systems for the transmission, processing, and storage of information. Hence, it is essential to protect the information within these systems and the availability of the computer systems. However, the increase in organizational dependence on information systems, together with the ease of mounting attacks, has led to a corresponding increase in the number of security incidents and the damage they cause [26]. A computer security incident is defined as a security-related adverse event in which there is a loss of information confidentiality, disruption of information or system integrity, disruption or denial of system availability, or violation of any computer security policy [19]. According to the 2007 annual survey conducted by the Computer Security Institute [36], 46% of respondents indicated that their organization had experienced a security incident within the last 12 months. Of these, a significant proportion (52%) of the attacks were virus-related. It is therefore important for organizations and employees to be aware of and protect themselves against security threats and cybercrime.
Chung et al. [8] described three approaches at a national level to fight against cybercrime, i.e., legal, organizational, and technological. Countries around the world have created laws (e.g., Computer Misuse Act in Britain and Singapore) and set up national agencies (e.g., the Computer Analysis Response Team in the US) to combat computer security threats. Various technologies are applied at the national level for this purpose, such as a computer surveillance system developed by the FBI. Further, organizational measures are important in this fight. Organizations need to develop and implement a multi-dimensional approach to safeguard their information assets [52].
Among the approaches, technological measures such as firewalls for perimeter defense are common in organizations. Such solutions are necessary but not sufficient for protection [35]. This is because success of computer security depends on the effective behavior of users [43]. Employees in an organization play an essential role in the prevention and detection of security incidents. While system administrators are responsible for configuring firewalls and servers in a secure manner, users are responsible for practicing security countermeasures such as choosing and protecting appropriate passwords.
Thus, for effective security, users have to make a conscious decision to comply with the organization's security policies and adopt computer security behavior. To this end, organizations have been implementing security training and awareness programs to educate users [35]. While many practitioner guidelines are available, there is a lack of empirical studies concerning the design and effectiveness of security awareness programs. An effective awareness program should influence a user's attitude and behavior to be more security-conscious [47]. Thus, it is critical to understand what will influence a user's security behavior so that appropriate awareness programs can be designed. However, there is little theoretically grounded empirical information systems research on the behavior of individuals in practicing secure computing.
Motivated by such theoretical and practical concerns, our research question is, “What are the salient influences for a user to practice computer security in an organization?” Through this study, we aim to contribute to a better understanding of the security behavior of computer users in organizations, so that the security climate of an organization can be improved. By identifying and understanding the determinants of computer security behavior, interventions can be designed to change behavior by targeting one or more of those determinants.
Given the paucity of theoretical perspectives in this area, this study draws upon relevant literature from other fields. Specifically, it makes use of the well-known health belief model [40], traditionally employed to explain preventive healthcare behavior. This perspective is applicable because security practices can be seen as preventive behavior to avert security incidents. The model suggests that an individual's behavior is determined by the perception of a threat and the evaluation of the behavior that would resolve it. This model offers a new perspective to better understand the phenomenon, using constructs that have not been previously explored in IS research, such as cues to action and general security orientation. Our research model is tested by surveying 134 employees from multiple organizations. The findings are expected to inform theory and practice in this area.
Computer security behavior
There are relatively few research studies of security behavior of computer users and how behavior can be modified to practice security countermeasures. Previous studies in this area can be categorized according to their context, i.e., organizational or non-work use of computers. An example of a study in the organizational context is the investigation of end-user security behaviors and their antecedents by Stanton et al. [43]. It reveals relationships between end-user security behavior (such as
Research model
Fig. 1 presents our research model. While most studies based on the health belief model consider behavioral intention or likelihood of behavior as the dependent variable, we use self-reported actual behavior instead. Although this variable is subject to self-report bias, it is often easier to self-assess than intention and more objective. This approach has been taken in a few previous empirical preventive healthcare studies (e.g., [25]) by asking respondents what behaviors they engage in.
Research methodology
The model was quantitatively tested using the survey methodology [32]. The survey instrument was developed following procedures recommended by Churchill [9]. The first step was to specify the domain of the construct. The second step was to generate items that capture the domain as specified. The constructs were operationalized by adapting items from past literature whenever possible. After considering the original definitions of the constructs in the health belief model, we referred to academic
Data analysis
Multiple regression analysis is a flexible and adaptable multivariate technique that can be used to examine the relationship between a single dependent variable and a set of independent variables [21]. It is also the recommended approach for testing interactions with continuous variables [10]. Hence, we used moderated multiple regression to test our model with interaction hypotheses [23]. We first established the reliability and construct validity of our instrument before we proceeded to test
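The moderated multiple regression described above can be illustrated on constructed data. The block below is an added example, not the authors' analysis code or data: it mean-centers a predictor and a moderator, adds their product term, fits the main-effects and interaction models by ordinary least squares, and reports the change in R² that tests the interaction hypothesis. The construct names (perceived susceptibility as predictor, cues to action as moderator, self-reported security behavior as outcome), the sample size of 134 and the generating coefficients are assumptions chosen for illustration only; the simple-slopes helper uses the conventional probe at one standard deviation above and below the moderator's mean.

```python
"""Moderated multiple regression with a continuous moderator (added example)."""
import numpy as np


def fit_ols(X, y):
    """Ordinary least squares. X must already contain an intercept column.
    Returns (beta, r_squared)."""
    beta, *_ = np.linalg.lstsq(X, y, rcond=None)
    resid = y - X @ beta
    ss_res = float(resid @ resid)
    ss_tot = float(((y - y.mean()) ** 2).sum())
    return beta, 1.0 - ss_res / ss_tot


def moderated_regression(x, z, y):
    """Fit y ~ b0 + b_x*xc + b_z*zc + b_xz*(xc*zc), where xc and zc are the
    mean-centered predictor and moderator.  Centering keeps the main-effect
    coefficients interpretable at the sample mean of the other variable.
    The R^2 change from the main-effects model to the interaction model is
    the usual test statistic for the moderation hypothesis."""
    xc = x - x.mean()
    zc = z - z.mean()
    n = len(y)
    X_main = np.column_stack([np.ones(n), xc, zc])
    X_int = np.column_stack([np.ones(n), xc, zc, xc * zc])
    _, r2_main = fit_ols(X_main, y)
    beta, r2_int = fit_ols(X_int, y)
    return {
        "b0": float(beta[0]),
        "b_x": float(beta[1]),
        "b_z": float(beta[2]),
        "b_xz": float(beta[3]),
        "r2_main": r2_main,
        "r2_int": r2_int,
        "delta_r2": r2_int - r2_main,
    }


def simple_slopes(result, z):
    """Slope of the predictor at moderator values one SD below and above its
    mean: slope(zc) = b_x + b_xz * zc.  Returns (slope_low, slope_high)."""
    sd = float(np.std(z - z.mean(), ddof=1))
    return (result["b_x"] - result["b_xz"] * sd,
            result["b_x"] + result["b_xz"] * sd)


def make_sample(n=134, seed=7):
    """Constructed survey-like data (assumption, not the paper's data).
    x = perceived susceptibility, z = cues to action, both on a 1..7 scale;
    y = security behavior generated from centered terms with a known
    interaction coefficient of 0.4 plus Gaussian noise."""
    rng = np.random.default_rng(seed)
    x = rng.uniform(1.0, 7.0, n)
    z = rng.uniform(1.0, 7.0, n)
    xc, zc = x - x.mean(), z - z.mean()
    y = 4.0 + 0.5 * xc + 0.3 * zc + 0.4 * xc * zc + rng.normal(0.0, 0.5, n)
    return x, z, y


if __name__ == "__main__":
    x, z, y = make_sample()
    res = moderated_regression(x, z, y)
    for k, v in res.items():
        print(f"{k:>9}: {v: .3f}")
    lo, hi = simple_slopes(res, z)
    print(f"slope of x at -1 SD of z: {lo: .3f}, at +1 SD of z: {hi: .3f}")
```

Because the outcome was generated with a known product term, the fitted `b_xz` recovers roughly 0.4 and the R² change over the main-effects model is large; on real survey data the same `delta_r2` would be judged with an F-test and the simple slopes would be reported to show how the predictor's effect differs across levels of the moderator.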
Discussion of results
The results of the study show that perceived susceptibility, perceived benefits, and self-efficacy are determinants of a user's computer security behavior, when applied to exercising care with email attachments. The first two results are consistent with the nature of security as the motivation for security is to mitigate risks and reduce threat likelihood [44]. Self-efficacy is also important, as a computer user must be confident and able to perform the necessary mitigation measures. In fact, a
Theoretical implications
For academics, this study reduces the gap in our understanding of user computer security behavior in the context of the organization. Though there are plenty of practical guidelines on improving user behavior suggested by practitioners, their effectiveness has not been investigated. This study helps to address the lack of theoretically-based and empirically validated research in this area. This study assesses the suitability of using a theory from the health domain to explain computer security
Acknowledgements
This research is supported by the research grant number R-253-000-033-112, School of Computing, National University of Singapore. We thank the editor and the reviewers for their comments and suggestions.
References (52)
- et al., The health belief model.
- et al., Predictors of health behaviors in college students, Journal of Advanced Nursing (2004).
- The theory of planned behavior, Organizational Behavior and Human Decision Processes (1991).
- et al., A research model for investigating human behavior related to computer security.
- Self-efficacy: towards a unifying theory of behavioral change, Psychological Review (1977).
- Instrument development for health belief model constructs, Advances in Nursing Science (1984).
- et al., Perceptions of information security in the workplace: linking information security climate to compliant behavior, Journal of Information Privacy and Security (2005).
- et al., Fighting Cybercrime: a review and the Taiwan experience, Decision Support Systems (2006).
- A paradigm for developing better measures of marketing constructs, Journal of Marketing Research (1979).
- et al., Applied Multiple Regression/Correlation Analysis for the Behavioral Sciences (2003).
- Application of social cognitive theory to training for computer skills, Information Systems Research.
- Computer self-efficacy: development of a measure and initial test, MIS Quarterly.
- Predicting health behaviour: a social cognition approach.
- Perceived usefulness, perceived ease of use, and user acceptance of information technology, MIS Quarterly.
- The centrality of awareness in the formation of user behavioral intention toward protective information technologies, Journal of the Association for Information Systems.
- Motivational beliefs, values, and goals, Annual Review Psychology.
- A Primer for Soft Modeling.
- CSI/FBI Computer Crime and Security Survey.
- Computer Security Incident Handling Guide.
- Migration of the Health Belief Model (HBM): Effects of psychosocial and migrant network characteristics on emigration intentions in five countries in West Africa and the Mediterranean Region.
- Multivariate Data Analysis.
- The effects of piracy in foreign markets on U.S. business, Journal of International Business Studies.
- Interaction effects in multiple regression.
- The health belief model: a decade later, Health Education Quarterly.
- The antecedents of preventive health care behavior: an empirical study, Academy of Marketing Science Journal.
- An integrative study of information systems security effectiveness, International Journal of Information Management.
Boon-Yuen Ng is a lecturer and doctoral student in the Department of Information Systems, School of Computing at the National University of Singapore (NUS). She obtained her B.S. (Honors) from the University of California at Berkeley and her M.S. from the University of Illinois at Urbana-Champaign. Her research has been presented in conferences such as the Pacific Asia Conference on Information Systems and the European Conference on Information Systems. Prior to joining NUS, she was an IT consultant with the Infocomm Development Authority of Singapore. She has consulted for several government organizations on information security and policy matters.
Dr. Atreyi Kankanhalli is Assistant Professor in the Department of Information Systems at the National University of Singapore (NUS). She obtained her B. Tech. from the Indian Institute of Technology Delhi, her M.S. from the Rensselaer Polytechnic Institute and her Ph.D. from NUS. She had visiting stints at the Haas Business School, University of California Berkeley and the Indian Institute of Science, Bangalore. Prior to joining NUS, she gained considerable experience in industrial R & D. She has consulted for several organizations including Bosch SEA and the World Bank. Her research interests include knowledge management, IT-enabled organizational forms, and IT in the public sector. Dr. Kankanhalli's work has appeared in premium journals such as MIS Quarterly, Journal of Management Information Systems, IEEE Transactions on Engineering Management, Journal of the American Society for Information Science and Technology, and Decision Support Systems, among others. She serves on several editorial boards including IEEE Transactions on Engineering Management and Information and Management. Dr. Kankanhalli was the winner of the ACM-SIGMIS ICIS 2003 Best Doctoral Dissertation award.
Dr. Yunjie (Calvin) Xu is Assistant Professor in the Department of Information Systems, National University of Singapore. He received his Ph.D. from Syracuse University. His research interests cover knowledge seeking and e-commerce. He has published in the Journal of the Association for Information Systems, Communications of the ACM, Journal of the American Society for Information Science and Technology, Electronic Commerce Research and Applications, and Information Retrieval.