•  
  •  
 

Management Information Systems Quarterly

Abstract

Many of the theories used in behavioral cybersecurity research have been applied with a nomothetic approach, which is characterized by cross-sectional data (e.g., one-time surveys) that identify patterns across a population of individuals. Although this can provide valuable between-person, point-in-time insights (e.g., employees who use neutralization techniques, such as denying responsibility for cybersecurity policy violations, tend to comply less), it is unable to reveal within-person patterns that account for varying experiences and situations over time. This paper articulates why an idiographic approach, which undertakes a within-person analysis of longitudinal data, can: (1) help validate widely used theories in behavioral cybersecurity research that imply patterns of behavior within a given person over time and (2) provide distinct theoretical insights on behavioral cybersecurity phenomena by accounting for such within-person patterns. To these ends, we apply an idiographic approach to an established theory in behavioral cybersecurity research—neutralization theory—and empirically test a within-person variant of this theory using a four-week experience sampling study. Our results support a more granular application of neutralization theory in the cybersecurity context that considers the behavior of a given person over time. We conclude the paper by highlighting the contexts and theories that provide the most promising opportunities for future behavioral cybersecurity research using an idiographic approach.

Share

COinS