Protection Motivation Theory: Understanding the Determinants of Individual Security Behavior

Individuals are considered the weakest link when it comes to securing a personal computer system. All the technological solutions can be in place, but if individuals do not make appropriate security protection decisions they introduce holes that technological solutions cannot protect. This study investigates what personal characteristics influence differences in individual security behaviors, defined as behaviors to protect against security threats, by adapting Protection Motivation Theory into an information security context.

This study developed and validated an instrument to measure individual security behaviors. It then tested the differences in these behaviors using the security research model, which built from Protection Motivation Theory, and consisted of perceived security vulnerability, perceived security threat, security self-efficacy, response efficacy, and protection cost. Participants, representing a sample population of home computer users with ages ranging from 20 to 83, provided 279 valid responses to surveys. The behaviors studied include using anti-virus software, utilizing access controls, backing up data, changing passwords frequently, securing access to personal computers, running software updates, securing wireless networks, using care when storing credit card information, educating others in one's house about security behaviors, using caution when following links in emails, running spyware software, updating a computer's operating system, using firewalls, and using pop-up blocking software. Testing the security research model found different characteristics had different impacts depending on the behavior studied. Implications for information security researchers and practitioners are provided, along with ideas for future research.