Speak their Language: Designing Effective Messages to Improve Employees’ Information Security Decision Making

Johnston, Allen C.; Warkentin, Merrill; Dennis, Alan R.; Siponen, Mikko T.

doi:10.1111/deci.12328

Cited by 44 publications

(20 citation statements)

References 94 publications

(182 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Employee behaviour is fundamental to corporate InfoSec capabilities across the phases of prevention, detection, and response (Baskerville et al, 2014). Unfortunately, despite more than a decade of research on the human side of organisational InfoSec, people are often still identified as the weakest link, rooted in disinterest in security threats and the behaviours that mitigate them (Johnston et al, 2019). Motivated by this disconnect, the current study extends the Overall, the findings shed new light on the motivational mechanisms underpinning end user engagement in organisational InfoSec.…”

Section: Discussionmentioning

confidence: 99%

“…As evidenced above, substantial progress has been made in identifying various drivers of different security behaviours that ultimately contribute to the organisation's InfoSec posture. Despite this, problems in the human side of organisational InfoSec continue to burden companies, often rooted in employee disinterest in security threats and the behaviours that mitigate them (Johnston et al, 2019). A review of the extant literature (Appendix A) reveals two traditions within this stream that may help explain the disconnect between scholarly productivity and performance in practice.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Enhancing users’ security engagement through cultivating commitment: the role of psychological needs fulfilment

Davis¹,

Agrawal²,

Guo³

2021

European Journal of Information Systems

View full text Add to dashboard Cite

Employee behaviour is fundamental to corporate information security (InfoSec) capabilities across the phases of prevention, detection, and response. Unfortunately, despite over a decade of research on the topic, the human aspect of security remains the most vulnerable in many companies today, often rooted in employee disinterest. Two traditions within the InfoSec research that may contribute to this disconnect are 1) emphasis on extrinsic manipulation of behaviour versus cultivation of internalised commitment to organisational InfoSec and 2) emphasis on isolated activities over more integrated perspectives of security behaviour. Addressing these gaps, the current study examines end user InfoSec behaviour through a distinct internal motivational lens. Rooted in Self-Determination Theory, a research model is introduced that highlights workplace factors which drive end users' internalised commitment to organisational InfoSec by fulfiling fundamental psychological needs (autonomy, competence, and relatedness) within this context. Commitment, which captures internally regulated motivation to contribute to organisational InfoSec performance, is then positioned as a driver of intention to engage in various security behaviours. Overall, the results support the study's hypotheses and underscore the important roles perceived behavioural control, IT competence, and user-IS department relations have on commitment to organisational InfoSec and resultant behavioural outcomes.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Enhancing users’ security engagement through cultivating commitment: the role of psychological needs fulfilment

Davis¹,

Agrawal²,

Guo³

2021

European Journal of Information Systems

View full text Add to dashboard Cite

show abstract

“…The potential negative outcomes associated with IS security threats may therefore be more difficult to grasp and anticipate. Prior studies especially conducted in work environments found that often users do not appraise IS security threats as causing them real levels of concern (Johnston et al, 2019).…”

Section: Recommendation #1: Measure the Level Of Concern About Is Security Threatsmentioning

confidence: 99%

“…and Johnston et al (2016) highlight the importance of personal relevance of the IS security threat. We would add that personalizing the content of threat messages and how it is expressed to targeted audiences is likewise important to enhance threat message effectiveness (Johnston et al, 2019;Tannenbaum et al, 2015;Webb et al, 2010). We propose six new manipulations to personalize IS security threat messages.…”

Section: Recommendation #3: Personalize Is Security Threat Messagesmentioning

confidence: 99%

Protection Motivation Theory in Information Systems Security Research

2021

Self Cite

View full text Add to dashboard Cite

Protection motivation theory (PMT) is one of the most commonly used theories to examine information security behaviors. Our systematic review of the application of PMT in information systems (IS) security and the comparison with its application for decades in psychology identified five categories of important issues that have not yet been examined in IS security research. Discussing these issues in terms of why they are relevant and important for IS security, and to what extent IS research has not considered them, offers new research opportunities associated with the study of PMT and IS security threats. We suggest how future studies can approach each of the open issues to provide a new road map for quantitative and qualitative IS scholars.

show abstract

“…Employees are widely recognized as the weakest link in an organization's cybersecurity practice. Yet current programs designed to improve employee security behaviors often fail because interventions are not viewed as personally relevant (Johnston et al, 2019a(Johnston et al, , 2019b. Our study addresses a significant gap in scientific investigations of user cybersecurity hygiene by providing direct financial incentives to motivate users to comply with organizational cybersecurity policies and procedures.…”

Section: Introductionmentioning

confidence: 99%

Understanding the Role of Incentives in Security Behavior

Goel

Williams

Huang

et al. 2020

Proceedings of the Annual Hawaii International Conference on System Sciences

Self Cite

View full text Add to dashboard Cite

A key challenge for researchers has been to affect change in user security behavior in organizations. Several theories from different domains have been used for understanding and changing user security behavior including deterrence, fear appeals, and education; however, the success of these approaches has been low. In this research we examine the role of financial incentives in changing user behavior; we specifically provide incentives to users for good security practices. The study attempts to switch user behavior such that they adopt good security habits however it recognizes the limitations of extrinsic rewards in being temporary and couples the extrinsic rewards to affect intrinsic motivation through use of nudges. The field study shows positive results however the number of subjects in our study was small (24). Our goal is to extend the study by large scale data collection to further validate our results.

show abstract

Speak their Language: Designing Effective Messages to Improve Employees’ Information Security Decision Making

Cited by 44 publications

References 94 publications

Enhancing users’ security engagement through cultivating commitment: the role of psychological needs fulfilment

Enhancing users’ security engagement through cultivating commitment: the role of psychological needs fulfilment

Protection Motivation Theory in Information Systems Security Research

Understanding the Role of Incentives in Security Behavior

Contact Info

Product

Resources

About