Abstract
Secure behavior, defined as users’ compliance with their organization’s password policy, is critical for sustaining a profitable and operational organization. Training that provides security arguments and promotes systematic cognitive processing has been shown to be an effective mechanism for improving secure behavior. Training by providing security cues, on the other hand, has been criticized as having a short-lived and unpredictable influence on secure behavior. This paper challenges this criticism by explaining how security cues influence secure behavior and when they are more effective in influencing secure behavior than security arguments. We hypothesize the different theoretical mechanisms through which security arguments and security cues influence secure behavior. We further hypothesize that when users’ attitude toward behaving secure is poor, security arguments should be used. However, when users’ attitude toward behaving secure is positive, security cues should be used. This paper suggests how to test our proposed hypotheses in an experimental setting.
Recommended Citation
Jenkins, Jeffrey; Durcikova, Alexandra; and Burns, Mary, "Get a Cue on IS Security Training: Explaining the Difference between how Security Cues and Security Arguments Improve Secure Behavior" (2011). ICIS 2011 Proceedings. 8.
https://aisel.aisnet.org/icis2011/proceedings/ISsecurity/8
Get a Cue on IS Security Training: Explaining the Difference between how Security Cues and Security Arguments Improve Secure Behavior
Secure behavior, defined as users’ compliance with their organization’s password policy, is critical for sustaining a profitable and operational organization. Training that provides security arguments and promotes systematic cognitive processing has been shown to be an effective mechanism for improving secure behavior. Training by providing security cues, on the other hand, has been criticized as having a short-lived and unpredictable influence on secure behavior. This paper challenges this criticism by explaining how security cues influence secure behavior and when they are more effective in influencing secure behavior than security arguments. We hypothesize the different theoretical mechanisms through which security arguments and security cues influence secure behavior. We further hypothesize that when users’ attitude toward behaving secure is poor, security arguments should be used. However, when users’ attitude toward behaving secure is positive, security cues should be used. This paper suggests how to test our proposed hypotheses in an experimental setting.