What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors1
指出保护动机理论在信息安全研究中存在四个改进机会,并通过数据备份和反恶意软件两个实证研究验证了包含恐惧诉求的新模型,比现有模型更有效预测安全行为。
Because violations of information security (ISec) and privacy have become ubiquitous in both personal and work environments, academic attention to ISec and privacy has taken on paramount importance. Consequently, a key focus of ISec research has been discovering ways to motivate individuals to engage in more secure behaviors. Over time, the protection motivation theory (PMT) has become a leading theoretical foundation used in ISec research to help motivate individuals to change their security-related behaviors to protect themselves and their organizations. Our careful review of the foundation for PMT identified four opportunities for improving ISec PMT research. First, extant ISec studies do not use the full nomology of PMT constructs. Second, only one study uses fear-appeal manipulations, even though these are a core element of PMT. Third, virtually no ISec study models or measures fear. Fourth, whereas these studies have made excellent progress in predicting security intentions, none of them have addressed actual security behaviors. This article describes the theoretical foundation of these four opportunities for improvement. We tested the nomology of PMT, including manipulated fear appeals, in two different ISec contexts that model the modern theoretical treatment of PMT more closely than do extant ISec studies. The first data collection was a longitudinal study in the context of data backups. The second study was a short-term cross-sectional study in the context of anti-malware software. Our new model demonstrated better results and stronger fit than the existing models and confirms the efficacy of the four potential improvements we identified.