Description

While IT security research has explored explanatory models using risk/fear/efficacy drivers, this effort emphasizes assessments of personal security optimism/pessimism as drivers of personal security behavior. Technical solutions can help, but many organizational vulnerabilities are exacerbated by non-compliance. Individuals neglect to or choose not to comply with security practices, placing organizations at risk. In this study, we explore a model that identifies likely non-compliers. We assess constructs over time, assess perceptions of the pros and cons of compliance, and deliver small training/motivational content. In our results, measuring over time and including pro/con perception increased explanatory power for compliance behavior, and prediction algorithms were able to identify non-compliers with a high degree of accuracy. We assert that this approach, which integrates training and assessment over time and uses measures that may be more palatable for real-world settings, is promising for organizations that seek to both understand and improve security behavior.

Aug 10th, 12:00 AM

Personal Motivation Measures for Personal IT Security Behavior
