Fear Appeal for Cyber Security, A Framework Of ‎Extended PMT For Information Security

  • Shadi Al Zraiqat

Student thesis: Doctoral Thesis

Abstract

The progress of technology has significantly increased the complexity of human existence, as people now navigate both the virtual (digital) and physical (natural) domains to define their lives. The convergence of the digital and natural worlds is changing lives with the manifestation of digital avatars in the Metaverse intersecting with real-life interpersonal transactions. This has strong implications for the communication, entertainment, and lifestyles of individuals with personal information at stake. Threat perceptions are being redefined due to the complexity of individual identity in the real and digital worlds.
It is in this context of complex cyber interactions that we examine the threat perceptions of individuals and the effectiveness of implementing security policies. Against this background, we use the Protection Motivation Theory to understand the socioeconomic behaviours of individuals.
Rogers proposed the Protection Motivation Theory in 1975 for understanding how health related risks were perceived as threatening (Rogers, 1975). This came to be popularly known as PMT. Rogers and Prentice-Dunn further developed and generalised the PMT in 1997 (Rogers & Prentice-Dunn S., 1997). It was later enhanced by Fry and Prentice-Dunn in 2005 (Fry & Prentice-Dunn, 2005). Protection Motivation Theory has been well established with its applicability covering several domains and has been regarded as underpinning the studies that followed on information security in organisations (Cresswell & Hassan, 2007). Limitations of PMT to predict the security behaviour ‎in organisational users have been articulated by Boss who suggested caution in the application of PMT with additional constructs to the original model (Boss, Galletta, Lowry, Moody, & Polak, 2015).‎ Literature reviews suggested that the existing literature on information security was limited to exploring core protective behaviours such as responses in the face of threat perceptions.
From available published literature, it was seen that the Protection Motivation Theory has been successfully applied in the Information Security domain for studies of the organisational and individual behaviours arising out of security concerns within and outside of organisational boundaries. In the mobile Internet era, threat perceptions were seen to have undergone a big change with the increased information proliferation and the consequent threat perceptions necessitating a re-examination of fear as a stimulus and the resultant cognitive responses to perceived threats. This research is based on these changes in security threats and puts forward new hypotheses that seek additional constructs to those in the original PMT model of 2005.
The additional constructs aim to increase understanding of the security behaviour of individuals and organisations faced with pervading Internet access and transformed communication modes that have become less centralised and more mobile. The moot idea here is that policy-makers, especially in the public policy domain, need to understand the behaviours of their constituent populace while drafting and implementing security policies at the national level.
The proposed hypotheses in this work seek to demonstrate that the current mobile communications environment alters fear appeal resulting in security behaviour that has tangible impacts on social behaviour, and this further impacts the economic behaviour of users. This behaviour is studied specifically in the context of always-on mobile communication devices as they respond to perceived threats. Communication has undergone a radical transformation with instant communication between people and more importantly the manner of communication has changed owing to the rise of the social media platforms. The proposed PMT model for Information Security, with extensions and additional constructs, is methodically validated by applying it to the Gulf Cooperation Council (GCC) region. It examines the domain of cybersecurity with two detailed case studies in the region spanning five countries.
This study seeks to successfully show that the basic PMT Model can be extended to cybersecurity and information security domains. By this body of work, we claim that the original PMT model can be successfully applied to understand the socio-economic behaviours of people faced with cybersecurity threats using the mobile Internet.
Moreover, the model can provide a useful framework for conceptualising and quantifying how the fear of cyberthreats influence behaviour in different socioeconomic groups.
Such measurements are expected to be useful in determining the effectiveness of information security policies and maximise their implementation in the context of the social and economic behaviours of the target population.
This work of research seeks to effectively build a valid behavioural model for, and effective implementation of, information security policies for cybersecurity and identifying and understanding causal parameters. It is expected to aid government decision-makers with a tool that serves as a model providing scientific analysis of the impact of information security ‎policies on socio-economic behaviour in the country.
The research studies included understanding the socioeconomic behaviours of randomly selected respondents. Two case studies were undertaken involving a total of 1100+ respondents across five GCC countries. The first case study involved 800+ respondents who were physically interviewed by the researcher. This study was carried out in UAE where the researcher was located. The respondents were randomly selected while they were interacting with government service centres. The second case study was conducted across four countries comprising 244 valid respondents who were also physically interviewed by associates who helped in conducting the interviews. Responses to behavioural questions were collected. The behaviour responses were graded using a five-point Likert Scale. For the first part of data analysis qualitative analysis techniques were used to establish correlations and patterns of responses were studied. Responses were analysed for establishing patterns that indicated behaviours that were observed during the interviews.
As the behavioural response to the fear stimulus became clear, this was then augmented by a detailed analysis using quantitative approach. Within the quantitative technique, several tests were conducted such as sample sufficiency, sample validity, chi-squared test, and factor analysis to establish the factors of stimulus, the factors for social and economic responses. This enabled a mathematical model to be constructed for fear stimulus and the social and economic behaviours. This was further expanded to structured equation modelling to reaffirm the quantitative analysis results.
The interview approach and the analysis of the data from these interviews revealed richer insights during the study and verified the relationship between the added constructs to the extended Protection Motivation Theory by addressing the fear appeal for cybersecurity and the effect of security behaviours on socio-economic behaviours.
Response sample validity and reliability were established with quantitative techniques of analysis. Factor analysis was carried out to identify and validate the key factors of the behavioural response as contributors to fear stimuli, and the consequent responses, as resulting from communication and economic behaviour. The behavioural responses of communication on social media platforms and interpersonal communication were taken as indicators of social behaviour.
Model validity and the testing of hypotheses for the proposed model were established using statistical analytical methods for correlation and confirmation of the factors. The study and the response analysis yielded satisfactory results establishing the validity of the extended Protection Motivation Theory model with the proposed additional constructs. The analyses and research findings validated the extension of the application of the proposed models with newer constructs that explained the security behaviour in social and economic contexts as socio-economic behaviour, thereby contributing to the knowledge base. The implications of the results are discussed, and future research areas are highlighted and recommended.
We believe that there is good scope for further research and the potential to ‎develop a configurable and interactive mathematical tool for quantitative assessment to determine the potential efficiency of cybersecurity policies and the effectiveness of their implementation for government decision-makers.
Date of Award11 Jun 2024
Original languageEnglish
SupervisorJoan Lu (Main Supervisor) & Qiang Xu (Co-Supervisor)

Cite this

'