Attacks on information security continue to result in large losses for organizations. Oftentimes, the breaches occur because organizational insiders fail to adhere to commonplace system security messages. This could be because, faced with the challenges and time demands of everyday stressors, security policy compliance can be costly for individuals; security actions require time and distract attention from other primary tasks. To defend against these attacks, user interactions with security messages need to be better understood.
This study reports the results of a 110-participant MTurk field study that examines user interactions with interruptive security messages through the lens of a risk tradeoff paradigm. First, a gap in the information security literature is identified, wherein findings about low security-message attention are contrasted against studies that assume attention and information processing. Three competing hypotheses are proposed that describe different patterns of risk analysis that users may engage in when interacting with an interruptive security message: (1) very little to no elaboration over the risk-taking decision due to perniciously low attention, (2) consistent security message risk-taking decision elaboration, and (3) a bimodal situation where elaboration depends on the information security risk-reward tradeoff balance. Multiple behavioral dependent variables are corroborated to support the third hypothesis, suggesting the existence of a bimodal risk tradeoff paradigm for user interactions with interruptive security messages. The relevance of the findings for research and practice are discussed.
Eargle, David; Galletta, Dennis F.; and Jenkins, Jeffrey L., "What’s it worth to you? Applying risk tradeoff paradigms to explain user interactions with interruptive security messages" (2016). WISP 2016 Proceedings. 14.