Litcius/Paper detail

Using susceptibility claims to motivate behaviour change in IT security

Matthew L. Jensen, Alexandra Durcikova, Ryan Wright

2020European Journal of Information Systems23 citationsDOI

Abstract

Organisations face growing IT security risks with substantial consequences for missteps in business continuity, data loss, reputational harm, and future competitive advantage. To improve precaution-taking among organisation members, leaders frequently turn to susceptibility claims embedded in security education, training, and awareness (SETA) initiatives to motivate change. However, prior studies have produced mixed empirical results concerning the role of susceptibility in motivating precaution-taking. To deepen theorising about using susceptibility claims to change behaviour, we argue that threat characteristics (overt versus furtive attacks) shape individuals’ attitudes of the threat, and these attitudes subsequently anchor how individuals respond to new claims about the threats. We introduce social judgement theory (SJT) to argue that when individuals participate in SETA initiatives, susceptibility claims that are too distant from individuals’ existing attitudes will be ignored, while claims that are more proximal are more likely to be accepted and result in behaviour change. Using a longitudinal field experiment, we found that susceptibility claims motivated precaution taking against phishing (overt attack) but did not against password cracking (furtive attack). These results support SJT predictions and imply latitudes of acceptability and rejection into which susceptibility claims are placed. Implications for researchers, organisation leaders, and SETA developers are discussed.

Topics & Concepts

PhishingPasswordHarmJudgementDeceptionSocial psychologyPublic relationsBusinessPsychologyComputer securityPolitical scienceThe InternetLawComputer scienceWorld Wide WebInformation and Cyber SecuritySocial Media and PoliticsTerrorism, Counterterrorism, and Political Violence
Using susceptibility claims to motivate behaviour change in IT security | Litcius