Contextual Difference and Intention to Perform Information Security Behaviours Against Malware in a BYOD Environment: a Protection Motivation Theory Approach
Duy P.T. Dang, Siddhi Pittayachawan and Mathews Z. Nkhoma

Dang et al. (2013), "Contextual difference and intention to perform information security behaviours: a Protection Motivation Theory approach", ACIS 2013

May 21, 2015


Duy Dang-Pham

The research domain of end-users’ information security behaviours has been gaining much attention in recent years. While the nature of intention to perform information security behaviours is being revealed, there are still gaps in this area. In particular, few studies have addressed whether such intention remains across contexts, especially from home to public places. Secondly, the number of cyber-threats swells with the increase of personal devices and the rapid adoption of the BYOD trend. This research employed MSEM methods to develop a conceptual model based on Protection Motivation Theory by using data collected from 252 higher education students in a BYOD Australian university. Our findings confirmed and explored in detail how intention to perform information security behaviours varied due to the change of context. Academics and practitioners could mitigate the security gap by focusing on the intention’s differences discussed in our findings.
Transcript
Page 1:

Contextual Difference and Intention to Perform Information Security Behaviours Against Malware in a BYOD Environment: a Protection Motivation Theory Approach
Duy P.T. Dang, Siddhi Pittayachawan and Mathews Z. Nkhoma

Page 2:

Background:
1. Information security behavioural research is shifting its focus to transitioning intention and behaviours

• Increased use of personal mobile devices
• Increased adoption of BYOD policy
-> created more opportunities to use the Internet at any time and in any place for non-work activities

Page 3:

Background:
Non-work activities are those that bring enjoyable experiences to the users (Li and Siponen 2011)

• Young-adult Australians browse websites (90%), use social network sites (71%), download audio and video content (33%) (ACMA 2013)

• General Australian Internet users check emails frequently (95%), browse websites (88%) and download files (63%)

Page 4:

Background:
2. There are more malware threats on mobile devices targeting non-work activities

• 23% of 30 billion spam contained malware links, increase of social engineering attacks etc.
• 58% increase of mobile malware compared to 2011

(Symantec 2013)

Page 5:

The problem:
With the increased use of mobile devices and adoption of BYOD policy, we currently have no clue whether users may behave differently in different contexts and jeopardise online safety
-> this research will explore this problem

Page 6:

Research question:
• To what extent have the impacts of the cognitive process on intention to perform malware avoidance behaviours changed across the contexts?

Page 7:

Conceptual model

Illustrated based on Protection Motivation Theory (Rogers 1975)

Page 8:

Methodology:
• Method: Multiple-group SEM
• Sample description: HE students using Internet in BYOD environment for non-work activities
• Sample size: 252

Page 9:

Goodness of Fit: χ²(34) = 21.032; p = 0.960; RMSEA = 0.000; SRMR = 0.0302; CFI = 1.000
-> specified model fitted the data

*Fit criteria: p-value > 0.01; RMSEA < 0.06; SRMR < 0.07; CFI > 0.96

Page 10:

Reliability:
Criteria for good reliability: ≥ 0.70

Page 11:

Findings

Page 12:

Small differences:

• Vulnerability on Intention: only existed in university context.
• Self-Efficacy on Intention: stronger in university context.
• Vulnerability on Response Cost: stronger in university context.

(1) security loopholes at home
(2) factors were perceived differently? Multiple facets or dimensions?

Page 13:

Inconsistent findings:

Rewards positively influences Intention: inconsistent with previous studies and even the original theory. Unique characteristics of the HE student sample?

Page 14:

Implications for practice:
• Established one of the first milestones that focuses on maintaining information security behaviours across contexts (rather than reinforcing in one context).

• Raised awareness about the potential changes in how the users intend to perform information security behaviours.

• Provided recommendations about designing and implementing security training and measures (from results of the extended conceptual model).

Page 15:

Implications for research:

• Anticipated larger changes in intention to perform information security behaviours between contexts that involve work-related activities.

Page 16:

Implications for research:
• Suggested the potential different meanings of self-efficacy and vulnerability.

Page 17:

Limitations:
• Sample of HE students cannot represent the population of Internet users (to represent the change of intention to perform across contexts)

• Only tested 2/4 areas suggested by Li and Siponen (2011).

Page 18:

References:
• ACMA. (2013), Communications report 2011–12 series, Report 3–Smartphones and tablets, Take-up and use in, Canberra.

• Li, Y. and Siponen, M. (2011), “A call for research on home users’ information security behaviour,” 15th Pacific Asia Conference on Information Systems (PACIS).

• Rogers, R.W. (1975), “A protection motivation theory of fear appeals and attitude change,” Journal of Psychology, no. 91, pp. 93–114.

• Symantec. (2013), Internet Security Threat Report 2013, Mountain View, USA, Vol. 18. Retrieved from http://www.symantec.com/security_response/publications/threatreport.jsp

Page 19:

Q&A

Further questions & comments please contact: [email protected]