Advertisement

Predicting Students’ Security Behavior Using Information-Motivation-Behavioral Skills Model

  • Ali FarooqEmail author
  • Debora Jeske
  • Jouni Isoaho
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 562)

Abstract

The Information-Motivation-Behavioral Skills (IMB) Model has shown reliability in predicting behaviors related to health and voting. In this study, we examine whether the IMB Model could predict security behavior among university students. Using a cross-sectional design and proxy IMB variables, data was collected from 159 Finnish students on their security threats’ awareness (representing IMB’s information variable), attitude toward information security and social motivation (replacing IMB’s motivation variable), self-efficacy and familiarity with security measures (variables related to IMB’s behavioral skills), and self-reported security behavior (IMB outcome variable). An analysis conducted with PLS-SEM v3.2 confirmed that the IMB Model was an appropriate model to explain and predict security behavior of the university students. Path analysis showed that behavioral skills measures predict security behavior directly, while students’ information and motivation variables predicted security behavior through behavioral skills (self-efficacy and familiarity with security measures). The findings suggest that the security behavior of students can be improved by improving threat knowledge, their motivation and behavioral skills – supporting the use of the IMB Model in this context and combination with existing predictors.

Keywords

Information security Threat knowledge Security behavior IMB Model 

References

  1. 1.
    Kim, W., Jeong, O.-R., Kim, C., So, J.: The dark side of the Internet: attacks, costs and responses. Inf. Syst. 36, 675–705 (2011)CrossRefGoogle Scholar
  2. 2.
    Aurigemma, S., Panko, R.: A composite framework for behavioral compliance with information security policies. In: 45th Hawaii International Conference on System Sciences, pp. 3248–3257. IEEE (2012)Google Scholar
  3. 3.
    Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q. 34, 523–548 (2010)CrossRefGoogle Scholar
  4. 4.
    Pahnila, S., Siponen, M., Mahmood, A.: Employees’ behavior towards IS security policy compliance. In: 2007 40th Annual Hawaii International Conference on System Sciences (HICSS 2007), p. 156b. IEEE (2007)Google Scholar
  5. 5.
    Abraham, S.: Information security behavior: factors and research directions. In: AMCIS 2011 (2011)Google Scholar
  6. 6.
    D’Arcy, J., Hovav, A., Galletta, D.: User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inf. Syst. Res. 20, 79–98 (2009)CrossRefGoogle Scholar
  7. 7.
    Kerievsky, B.: Security and confidentiality in a university computer network. ACM SIGUCCS Newsl. 6, 9–11 (1976)CrossRefGoogle Scholar
  8. 8.
    Ingerman, B.L., Yang, C.: Top-ten IT issues, 2011. Educ. Rev. 46, 24 (2011)Google Scholar
  9. 9.
    Al-Janabi, S., Al-Shourbaji, I.: A study of cyber security awareness in educational environment in the Middle East. J. Inf. Knowl. Manag. 15, 1650007 (2016)CrossRefGoogle Scholar
  10. 10.
    Katz, F.H.: The effect of a university information security survey on instruction methods in information security. In: Proceedings of the 2nd Annual Conference on Information Security Curriculum Development - InfoSecCD 2005, p. 43. ACM Press, New York (2005)Google Scholar
  11. 11.
    Farooq, A., Kakakhel, S.R.U., Virtanen, S., Isoaho, J.: A taxonomy of perceived information security and privacy threats among IT security students. In: 10th International Conference for Internet Technology and Secured Transactions, ICITST 2015, pp. 280–286. IEEE (2016)Google Scholar
  12. 12.
  13. 13.
    Lebek, B., Uffen, J., Neumann, M., Hohler, B., Breitner, M.H.: Information security awareness and behavior: a theory-based literature review. Manag. Res. Rev. Inf. Manag. Comput. Secur. 37, 1049–1092 (2014)CrossRefGoogle Scholar
  14. 14.
    Howe, A.E., Ray, I., Roberts, M., Urbanska, M., Byrne, Z.: The psychology of security for the home computer user. In: 2012 IEEE Symposium on Security and Privacy, pp. 209–223. IEEE (2012)Google Scholar
  15. 15.
    Rogers, R.W.: A protection motivation theory of fear appeals and attitude change. J. Psychol. 91, 93–114 (1975)CrossRefGoogle Scholar
  16. 16.
    Maddux, J.E., Rogers, R.W.: Protection motivation and self-efficacy: a revised theory of fear appeals and attitude change. J. Exp. Soc. Psychol. 19, 469–479 (1983)CrossRefGoogle Scholar
  17. 17.
    Sommestad, T., Karlzén, H., Hallberg, J.: A meta-analysis of studies on protection motivation theory and information security behaviour. Int. J. Inf. Secur. Priv. 9 (2015)CrossRefGoogle Scholar
  18. 18.
    Ajzen, I.: The theory of planned behavior. Organ. Behav. Hum. Decis. Process. 50, 179–211 (1991)CrossRefGoogle Scholar
  19. 19.
    Sommerstad, T., Karlzen, H., Hallberg, J.: The theory of planned behavior and information security policy compliance. J. Comput. Inf. Syst. 1–10 (2017)Google Scholar
  20. 20.
    Fisher, J.D., Fisher, W.A.: Changing AIDS-risk behavior. Psychol. Bull. 111, 455–474 (1992)CrossRefGoogle Scholar
  21. 21.
    Robertson, A.A., Stein, J.A., Baird-Thomas, C.: Gender differences in the prediction of condom use among incarcerated juvenile offenders: testing the information-motivation-behavior skills (IMB) model. J. Adolesc. Health 38, 18–25 (2006)CrossRefGoogle Scholar
  22. 22.
    Fisher, W.A., Williams, S.S., Fisher, J.D., Malloy, T.E.: Understanding AIDS risk behavior among sexually active urban adolescents: an empirical test of the information–motivation–behavioral skills model. AIDS Behav. 3, 13–23 (1999)CrossRefGoogle Scholar
  23. 23.
    Fisher, J.D., Fisher, W.A., Harman, J.J.: An information-motivation-behavioral skills model of adherence to antiretroviral therapy. Health Psychol. 25, 462–473 (2006)CrossRefGoogle Scholar
  24. 24.
    Glasford, D.E.: Predicting voting behavior of young adults: the importance of information, motivation, and behavioral skills. J. Appl. Soc. Psychol. 38, 2648–2672 (2008)CrossRefGoogle Scholar
  25. 25.
    Seacat, J.D., Northrup, D.: An information–motivation–behavioral skills assessment of curbside recycling behavior. J. Environ. Psychol. 30, 393–401 (2010)CrossRefGoogle Scholar
  26. 26.
    Crossler, R.E., Bélanger, F.: The mobile privacy-security knowledge gap model: understanding behaviors. In: 50th Hawaii International Conference on System Sciences (2017)Google Scholar
  27. 27.
    Khan, B., Alghathbar, K.S., Khan, M.K.: Information security awareness campaign: an alternate approach. In: Kim, T.-h., Adeli, H., Robles, R.J., Balitanas, M. (eds.) ISA 2011. CCIS, vol. 200, pp. 1–10. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-23141-4_1CrossRefGoogle Scholar
  28. 28.
    Mariani, M.G., Zappalà, S.: PC virus attacks in small firms: effects of risk perceptions and information technology competence on preventive behaviors. TPM Test. Psychom. Methodol. Appl. Psychol. 21, 51–65 (2014)Google Scholar
  29. 29.
    Pattinson, M.R., Anderson, G., Analyses, A.: End-user risk-taking behaviour: an application of the IMB model. In: 6th Annual Security Conference (2007)Google Scholar
  30. 30.
    Fisher, J.D., Fisher, W.A., Misovich, S.J., Kimble, D.L., Malloy, T.E.: Changing AIDS risk behavior: effects of an intervention emphasizing AIDS risk reduction information, motivation, and behavioral skills in a college student population. Health Psychol. 15, 114–123 (1996)CrossRefGoogle Scholar
  31. 31.
    Huang, D.-L., Rau, P.-L.P., Salvendy, G.: Perception of information security. Behav. Inf. Technol. 29, 221–232 (2010)CrossRefGoogle Scholar
  32. 32.
    Yeh, Q.-J., Chang, A.J.-T.: Threats and countermeasures for information system security: a cross-industry study. Inf. Manag. 44, 480–491 (2007)CrossRefGoogle Scholar
  33. 33.
    Farooq, A., Isoaho, J.J., Virtanen, S., Isoaho, J.J.: Information security awareness in educational institution: an analysis of students’ individual factors. In: Proceedings of the 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015, pp. 352–359. IEEE (2015)Google Scholar
  34. 34.
    Chang, T., et al.: A study on the information-motivation-behavioral skills model among Chinese adults with peritoneal dialysis. J. Clin. Nurs. 27, 1884–1890 (2018)CrossRefGoogle Scholar
  35. 35.
    Compeau, D., Higgins, C.A., Huff, S.: Social cognitive theory and individual reactions to computing technology: a longitudinal study. MIS Q. 23, 145 (1999)CrossRefGoogle Scholar
  36. 36.
    Compeau, D.R., Higgins, C.A.: Application of social cognitive theory to training for computer skills. Inf. Syst. Res. 6, 118–143 (1995)CrossRefGoogle Scholar
  37. 37.
    Jeske, D., van Schaik, P.: Familiarity with Internet threats: beyond awareness. Comput. Secur. 66, 129–141 (2017)CrossRefGoogle Scholar
  38. 38.
    Kruger, H., Drevin, L., Steyn, T.: A vocabulary test to assess information security awareness. Inf. Manag. Comput. Secur. 18, 316–327 (2010)CrossRefGoogle Scholar
  39. 39.
    Taylor, S., Todd, P.A.: Understanding information technology usage: a test of competing models. Inf. Syst. Res. 6, 144–176 (1995)CrossRefGoogle Scholar
  40. 40.
    Zimet, G.D., Dahlem, N.W., Zimet, S.G., Farley, G.K.: The multidimensional scale of perceived social support. J. Pers. Assess. 52, 30–41 (1988)CrossRefGoogle Scholar
  41. 41.
    Hupcey, J.E.: Clarifying the social support theory-research linkage. J. Adv. Nurs. 27, 1231–1241 (1998)CrossRefGoogle Scholar
  42. 42.
    Anderson, C.L., Agarwal, R.: Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions. MIS Q. 34, 613–643 (2010)CrossRefGoogle Scholar
  43. 43.
    Thompson, N., McGill, T.J., Wang, X.: “Security begins at home”: determinants of home computer and mobile device security behavior. Comput. Secur. 70, 376–391 (2017)CrossRefGoogle Scholar
  44. 44.
    Reeder, R., Ion, I., Consolvo, S.: 152 simple steps to stay safe online: security advice for non-tech-savvy users. IEEE Secur. Priv. 15, 55–64 (2017)CrossRefGoogle Scholar
  45. 45.
    Ion, I., Reeder, R., Consolvo, S.: “…no one can hack my mind”: comparing expert and non-expert security practices. In: 2015 Symposium on Usable Privacy and Security, pp. 327–340 (2015)Google Scholar
  46. 46.
    Egelman, S., Peer, E.: Scaling the security wall: developing a security behavior intentions scale (SeBIS). In: Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems - CHI 2015, pp. 2873–2882. ACM Press, New York (2015)Google Scholar
  47. 47.
    Ringle, C.M., Smith, D., Reams, R.: Partial least squares structural equation modeling (PLS-SEM): a useful tool for family business researchers. J. Fam. Bus. Strateg. 5, 105–115 (2014)CrossRefGoogle Scholar
  48. 48.
    Hair Jr., J.F., Hult, G.T., Ringle, C., Sarstedt, M.: A Primer on Partial Least Squares Structural Equation Modeling (PLS-SEM). Sage Publishers, Thousand Oaks (2016)zbMATHGoogle Scholar
  49. 49.
    Lowry, P.B., Gaskin, J.: Partial least squares (PLS) structural equation modeling (SEM) for building and testing behavioral causal theory: when to choose it and how to use it. IEEE Trans. Prof. Commun. 57, 123–146 (2014)CrossRefGoogle Scholar
  50. 50.
    Hair, J.F., Black, W.C., Babin, B.J., Anderson, R.E., Tatham, R.L.: Multivariate Data Analysis. Prentice Hall, Upper Saddle River (2010)Google Scholar
  51. 51.
    Henseler, J., Ringle, C.M., Sarstedt, M.: A new criterion for assessing discriminant validity in variance-based structural equation modeling. J. Acad. Mark. Sci. 43, 115–135 (2015)CrossRefGoogle Scholar
  52. 52.
    Chin, W.W.: The partial least squares approach to structural equation modeling. In: Marcoulides, G.A. (ed.) Modern Methods for Business Research, pp. 295–336 (1998)Google Scholar
  53. 53.
    Mayer, P., Kunz, A., Volkamer, M.: Reliable behavioural factors in the information security context. In: Proceedings of the 12th International Conference on Availability, Reliability and Security, ARES 2017, pp. 1–10. ACM Press, New York (2017)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. 1.University of TurkuTurkuFinland
  2. 2.University College CorkCorkIreland

Personalised recommendations