Advisor

Warkentin, Merrill

Committee Member

Otondo, Robert F.

Committee Member

Marett, Kent

Committee Member

Crossler, Robert E.

Committee Member

Sullivan, Joe

Other Advisors or Committee Members

Johnston, Allen C.

Date of Degree

1-1-2012

Document Type

Dissertation - Open Access

Abstract

The purpose of the present study is to make contributions to the area of behavioral information security in the field of Information Systems and to assist in the improved development of Information Security Policy instructional programs to increase the policy compliance of individuals. The role of an individual’s experience in the context of information security behavior was explored through the lens of protection motivation theory. The practical foundation was provided by the framework of Security Education, Training, and Awareness (SETA) programs which are typically used by organizations within the United States to instruct employees regarding information security. A pilot study and primary study were conducted with separate data collections and analyses. Both existing and new measures were tested in the study which used a Modified Solomon Four Group Design to accommodate data collection via a web-based survey that included a two-treatment experimental component. The primary contribution to academia proposed in this study was to expand the protection motivation theory by including direct and vicarious experience regarding both threats and responses to the threats. Clear definitions and valid and reliable reflective measures for each of the four experience constructs were developed and are presented in this dissertation. Furthermore, the study demonstrated that all four forms of experience play an important part in the prediction of the primary constructs in the protection motivation model, and as such ultimately play an important part in the prediction of behavioral intent in the context of information security. The primary contribution to practice was expected to be specifically related to the application of fear appeals within a SETA instructional framework. The contribution to practice made by this dissertation became instead the implications resulting from the strong performance of the experience constructs. Specifically, experience, both direct and vicarious, and with threats and with responses, are all important influences on individuals’ behavioral choices regarding information security and should continue to be explored in this context.

URI

https://hdl.handle.net/11668/19104

Share

COinS