Contextual Difference and Intention to Perform Information Security Behaviours Against Malware in a BYOD Environment: a Protection Motivation Theory Approach
Duy P.T. Dang, Siddhi Pittayachawan and Mathews Z. Nkhoma
May 21, 2015
Background:
1. Information security behavioural research is shifting its focus to transitioning intention and behaviours
• Increased use of personal mobile devices
• Increased adoption of BYOD policy
-> created more opportunities to use the Internet at any time and in any place for non-work activities
Background:
Non-work activities are those that bring enjoyable experiences to the users (Li and Siponen 2011)
• Young-adult Australians browse websites (90%), use social network sites (71%) and download audio and video content (33%) (ACMA 2013)
• General Australian Internet users check emails frequently (95%), browse websites (88%) and download files (63%)
Background:
2. There are more malware threats on mobile devices targeting non-work activities
• 23% of 30 billion spam messages contained malware links, increase of social engineering attacks, etc.
• 58% increase in mobile malware compared to 2011 (Symantec 2013)
The problem:
With the increased use of mobile devices and adoption of BYOD policy, we currently do not know whether users may behave differently in different contexts and jeopardise online safety
-> this research will explore this problem
Research question:
• To what extent have the impacts of the cognitive process on intention to perform malware avoidance behaviours changed across contexts?
Conceptual model
Illustrated based on Protection Motivation Theory (Rogers 1975)
Methodology:
• Method: Multiple-group SEM
• Sample description: HE students using Internet in BYOD environment for non-work activities
• Sample size: 252
Goodness of Fit: χ²(34) = 21.032; p = 0.960; RMSEA = 0.000; SRMR = 0.0302; CFI = 1.000 -> specified model fitted the data
*Fit criteria: p-value > 0.01; RMSEA < 0.06; SRMR < 0.07; CFI > 0.96
Reliability:
Criteria for good reliability: ≥ 0.70
Findings
Small differences:
• Vulnerability on Intention: only existed in university context.
• Self-Efficacy on Intention: stronger in university context.
• Vulnerability on Response Cost: stronger in university context.
(1) security loopholes at home
(2) factors were perceived differently? Multiple facets or dimensions?
Inconsistent findings:
Rewards positively influences Intention: inconsistent with previous studies and even the original theory. Unique characteristics of the HE student sample?
Implications for practice:
• Established one of the first milestones that focuses on maintaining information security behaviours across contexts (rather than reinforcing in one context).
• Raised awareness about the potential changes in how the users intend to perform information security behaviours.
• Provided recommendations about designing and implementing security training and measures (from results of the extended conceptual model).
Implications for research:
• Anticipated larger changes in intention to perform information security behaviours between contexts that involve work-related activities.
Implications for research:
• Suggested potentially different meanings of self-efficacy and vulnerability.
Limitations:
• Sample of HE students cannot represent the population of Internet users (to represent the change of intention to perform across contexts)
• Only tested 2/4 areas suggested by Li and Siponen (2011).
References:
• ACMA. (2013), Communications report 2011–12 series, Report 3–Smartphones and tablets, Take-up and use in, Canberra.
• Li, Y. and Siponen, M. (2011), “A Call for Research on Home Users’ Information Security Behaviour,” 15th Pacific Asia Conference on Information Systems (PACIS).
• Rogers, R.W. (1975), “A protection motivation theory of fear appeals and attitude change,” Journal of Psychology, no. 91, pp. 93–114.
• Symantec. (2013), Internet Security Threat Report 2013, Mountain View, USA, Vol. 18. Retrieved from http://www.symantec.com/security_response/publications/threatreport.jsp