Behind the scenes of privacy. A quantitative research study to examine the influence of fear appeals on protection motivation

Master's Thesis, 2018

131 Pages, Grade: 1,3



Table of Contents

List of Figures

List of Tables

List of Abbreviations

List of Symbols

1. Introduction

2. Theoretical Background
2.1 Privacy
2.2 Privacy Concerns – Actual Matters
2.3 Collection of Information – General Overview
2.4 Security Threats and Human Errors
2.5 Password Behavior of End Users
2.6 Fear Appeals
2.7 Development of Fear Appeal Theories and Models
2.8 Protection Motivation Theory
2.8.1 Design of the Protection Motivation Theory
2.8.2 Sources of Information
2.8.3 Cognitive Mediating Process Threat Appraisal Fear Coping Appraisal
2.8.4 Coping Modes
2.9 Research done so far

3. Research Model

4. Research Method
4.1 Research Design
4.2 Development of a Measurement Scale
4.3 Questionnaire Design
4.4 Website “Have I been Pwned“
4.5 Survey: Fear-Appeal Manipulation
4.6 Data Collection
4.7 Participants

5. Results
5.1 Measurement Validity
5.2 Data Analysis
5.3 Group Results

6. Discussion
6.1 Theoretical Implications
6.2 Practical Implications
6.3 Limitations and Critical Review of Research

7. Conclusion




This paper deals with the observable and recently emerging concerns of privacy online, such as possible information theft due to data leaks, and methods to motivate people conducting a more adequate behavior. The lack of existing academic literature and research on this phenomenon, is addressed by generating profound results regarding fear appeals and their impact on the intention for people to protect their data. An exploratory, quantitative study design is used, adopted from the protection motivation theory to primarily investigate the components of this model and the modifications of these by means of two groups, one experiencing fear appeals. A set of 25 questions was developed and surveyed within the scope of an online questionnaire. Analysis implied the existence of a positive relationship between fear appeals and protection intention valid. Furthermore, the results support the understanding of connections among the items prompted. The study contributes to the field of research by providing in-depth insights on the influence of fear appeals on the protection motivation. Based on these findings, the thesis concludes with theoretical as well as practical recommendations for future research.

List of Figures

Figure 1: Overall Model of the PMT, own Representation based on Rogers and Prentice-Dunn (Gochman 1997)

Figure 2: Cognitive Mediating Process of PMT, own representation based on Boss et al (Boss et al. 2015)

Figure 3: Overview over Hypotheses

Figure 4: Overall Model Results for Survey

List of Tables

Table 1: Overview over Variables of Cognitive Mediating Process

Table 2: Overview over Questions asked in Survey in relation to Variables of the PMT

Table 3: Overview over Literature Review on Questions asked in Survey

Table 4: Overview over Coefficients no Data Leak on Fear

Table 5: Overview over Coefficients no Data Leak on Protection Motivation

Table 6: Overview over Coefficients Data Leak on Fear

Table 7: Overview over Coefficients Data Leak on Protection Motivation42

List of Abbreviations

Abbildung in dieser Leseprobe nicht enthalten

List of Symbols

Abbildung in dieser Leseprobe nicht enthalten

1. Introduction

Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say. - Edward Snowden (Romero 2015, p.2)

Due to the technological developments of the last 50 years, social networks - also called Web 2.0 technologies have a great influence on most people’s lives. The internet is a platform for communication, information sharing and active participation in the design of media and virtual spaces in a society in which media is part of everyday life (Im and Baskerville 2005; McLoughlin and Lee 2007). The advantages of the global reach and pervasiveness of the internet for individuals are immense. Apart from facilitating normal everyday activities such as shopping, entertainment or information seeking, another advantage plays a major role: More than in any other time, the internet allows individuals to be more connected (Harrington et al. 2006). Not only single individuals benefit from the digitalization, also companies increasingly rely on technologies and the internet to survive and be successful in this competitive environment (Im and Baskerville 2005). As people leave more and more traces online, it became easier for companies to collect various data from users. Vast quantity of consumers information is needed in order for companies to sell better products directly tailored to the end users’ needs (Culnan and Armstrong 1999).

As communication technology has evolved, so has the infringement of privacy online and various other security threats. Furthermore, the situation is a breeding ground for criminals and people with all kinds of malicious ambitions. They attempt to exploit end users who are not properly secured from online threats. These menaces include viruses, pishing, worms, trojan horses, spyware, malware and data breaches (Claar and Johnson 2012). Many known data breaches, which can be referred to as the unauthorized exposure of personal data through third parties, in recent years demonstrate the relevance of the issues (Cheng et al. 2017). A very significant incident with serious range has occurred on 8 on July this year with the company Timehop, an app that allows users to collect and be reminded of old photos and posts. Due to a data leak, 21 million accounts worldwide were compromised, 3.8 million users alone were affected in Europe. Among the data collected were 2.6 million genders, 2.9 million e-mail addresses, 2.6 million dates of birth and 243,000 phone numbers (“Timehop Data Breach: Millions of Users in Europe Compromised” 2018). Furthermore, the company IBM is the sponsor of the 13th annual Cost of a Data Breach study. Based on the study, which was carried out by the Ponemon Institute the average global cost of a data breach has increased to $3.86 million. This represents a growth rate of 6.4 % compared to the previous year. At the same time, the average expense of sensitive information stolen rose to 148 U.S. dollars. This represents an upturn of over 4.8 % (“Cost of Data Breach Study | IBM Security” 2018). Another incident of data leaks was initiated by internal staff gained immense public attention in June 2013, when Edward Snowden, the infamous whistleblower and former IT employee of the National Security Agency (NSA), handed over secret documents to the press. These documents revealed that the NSA was spying on the public while collecting personal information including public data, messages from different nationalities and even the communication systems of several governments around the world. This information could be collected by tapping their phone calls and e-mail services (Cole et al. 2015).

A not insignificant reason for data leaks and other security threats to happen is the negligent misconduct of individuals. Often, they are not aware of the seriousness of the situation and consequential do not consider protecting their data genuinely which makes their information easily accessible for others. In addition, they often do not take the security precautions necessary to be sufficiently protected against security threats (Posey et al. 2015). This negligence can indeed cause fatal consequences for individuals and companies. The repercussions of security threats are far-reaching: They can range from minor inconveniences to financial detriment and harm to the reputation of companies or theft damage to individuals (Harrington et al. 2006). When a company is the victim of such attacks, the data of the end users that the company has collected from them for various purposes is often under the control of a third party and far beyond the supervision of the company, not to mention out of the end users´ reach. The question now arises of whether a user would seek to improve their protection if they were aware of their lack of privacy online. The research question for this thesis therefore is:

Do people reconsider their behavior when they are informed that their data, such as passwords or e-mail addresses, are accessible by others on the internet?

The purpose of this paper is to analyze the privacy protection intention of end users online, by exposing them to fear appeals, persuasive messages emphasizing negative consequences of attitudes in order to motivate behavioral changes (Johnston and Warkentin 2010). These investigations performed are based on the protection motivation theory. This model is established on the assumption, that fear appeals result in people wanting to change behavior intentions (Gochman 1997). In the first instance, the paper sets out to provide an overview of the theoretical background of the terms privacy and the actual privacy concerns. The thesis is giving the reader a better understanding of information collection online as well as possible security threats occurring. A deeper insight of human errors in the process involved is provided and a review of the password behavior of end users is provided. After giving a short overview of fear appeals and different fear appeal models, the protection motivation theory and how it was applied in research so far is introduced. In the second part of the thesis, the research question is evaluated by conducting a quantitative study, which includes fear appeals trying to increase the individual’s motivation for protecting their privacy online. Therefore, a survey participating 284 people was carried out. Gaining a deeper insight with analyzing, interpreting the results and presenting them to the reader, this paper offers various theoretical and practical implications for further research. The thesis concludes with a summary of the findings and ideas put forward.

2. Theoretical Background

2.1 Privacy

Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others

– Alan Westin (Westin 1976,p.7)

As early as in 1967, Alan Westin described the functions of privacy in modern and democratic societies. He was, among other things, Professor of Public Law & Government Emeritus at the time. Westin divides private sphere into three different levels: privacy at political level, privacy at the socio-cultural and organizational level and the one at the individual level (Westin 1968). The latter, personal matters, being of major importance for this thesis. Privacy demands are made by every individual on a daily basis because the person strives for an inner-psychological balance between private sphere, communication and the urge for disclosure. It should be remembered that in these dimensions the demands for an individual’s personal space are continually varying. At a certain time, an individual wishes to have privacy and therefore to be left alone, at another time, the disclosure of private matters seems necessary for the very same individual. The ever-changing demands of individuals and decisions about self-disclosure make private space a question of personal choice. Westin therefore states that privacy is a fundamental social property in democratic societies, and deserves support from the public. When asked in a survey, conducted by Harris-Westin in 2001, what the term means to individuals personally, intimacy was considered the most important closely followed by solitude, reserve and anonymity (Westin 2003). Those functions were published by Westin already in the year 1967. With terms of privacy, the individual is able to keep his true identity veiled. Even though one’s actions can be observed by society, one can remain an unknown person. This gives an individual the freedom not to be dominated or manipulated by others. Westin states that individual’s private sphere is an essential function for managing interpersonal communication. Every relationship is influenced, whether conscious or unconscious, by information individuals previously received about each other. Concluding, privacy allows individuals to distinguish between the content of transmitted information and the receptor of the provided information (Bradberry and Nemati 2014; Mai 2016). If an individual’s information is released without their own consent, the right of free decision has been lost. Therefore, the term must be seen as a social good in democratic societies which requires constant support from the public (Regan 1995). These testimonies can be summed up by the statement Arthur Miller, political scientist, provided in 1971: "The basic attribute of an effective right of privacy is the individual’s ability to control the circulation of information relating to himself; a power that often is essential to maintaining social relationships and personal freedom." (Miller and Zumbansen 2005).

In the context of information systems (IS) privacy is generally understood as the amount of supervision an individual has over their personal details (Bélanger and Crossler 2011). Current challenges in this context will be discussed in the next chapter.

2.2 Privacy Concerns – Actual Matters

On May 25, 2018, the new European General Data Protection Regulation (GDPR) entered into force. It unifies regulations for the processing of personal data. In the days following, the majority of Europeans received e-mails from companies and organizations which at some point they have given their contact details to or from which they regularly receive newsletters. Those concerned should then confirm that the contact or use of the data may continue. The new law replaces the 1995 EU Directive. Unlike the old one, the new regulation applies directly in all member states. This signifies that EU countries do not have to transpose the new rules into their own national law first. The aim is to harmonize data protection and better protect citizens in the digital age (“2018 Reform of EU Data Protection Rules” 2018). Due to those recent changes, personal data is under more protection, for example: name, address, e-mail address, ID number and IP address (European Commission 2018). More sensitive data about health or religious beliefs as well as the data of children are protected in particular, such information may only be processed in exceptional cases. In the case of children under the age of 16 years, parents must give their consent to the processing of data. In general, the following principles apply when dealing with personal data: Appropriation (data may only be used for a pre-defined, unambiguous, and legitimate purpose) Data minimization (declares that using personal data must be restricted to a defined and corresponding extent), Legitimacy and Transparence (data may only be used in a legitimate way which is understandable for the person in question), Limited storage duration (declares that data may only be stored as long as they are necessary for the purpose the data have been given for), Accuracy (all reasonable measures must be taken to ensure that inaccurate personal data is deleted or corrected immediately) and Integrity and Confidentiality (the adequate security of personal data, including protection against unauthorized or unlawful processing and against unintentional loss, destruction or damage (“Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016” 2016). With the GDPR becoming applicable, companies will also be faced with a high administrative burden when it comes to any kind of security gaps, such as possible hacker attacks. However, the measures necessary to subsequently restore GDPR conformity can become much more problematic. Companies should therefore take a close look at their data system with regard to potential attack surfaces and check any back doors like backup devices (“Commission Staff Working Paper Impact Assessment /* SEC/2012/0072 Final */” 2018). The new policy portrays the importance of privacy and the associated data protection. Why this subject is so relevant will be explained in the following. In this section, a short overview on privacy concerns based on previous literature is provided.

As communication technology has evolved, so has the infringement of privacy (Pitta et al. 2003). In this growing environment, the user not only consumes the content, but also provides their own content as a prosumer (Liang and Xue 2010). On the personal level, sharing content via modern communication technologies, in many cases, is intended for close friends or targeted groups of people, but is often also accessible to remote acquaintances or even complete strangers. Many of these disclosures of personal information happen inadvertently and reach a wider audience than intended (Seligman and Csikszentmihalyi 2000). This comes from the circumstance that nowadays the internet is an environment in which it seems perfectly normal to disseminate sensitive data. The user voluntarily discloses private information such as addresses, dates of birth, activities, photos, locations, thoughts, feelings, experiences and preferences without a second thought and is indeed often encouraged to do so by the social environment.

Due to efficiency, exchange of information, reduced communication expenses, easy storage and retrieval of data the economy benefits greatly from communication technologies. They contribute a significant progress to businesses and can be seen as a single interdepend system (Alsunbul et al. 2016). Companies strive to build their own sustainable market positions with the aid of digitalization (Alqahtani et al. 2014). One of the main components of mass customization nowadays is in-depth knowledge of the end users characteristics as well as their diverse and unique preferences. This allows the supplier to provide highly specific and satisfying products and services to the individual customer (Habryn and Kunze 2012). Whilst the use of potential customers’ information is beneficial for various companies, one has to be aware of its extent of dissemination of personal data online. The following examples give an insight of how easily personal data is made available on the internet. In addition to all the advantages for companies and the economy, one consequence is that companies have processed and stored most of the personal data digitally. First, Electronic health records show a lack of security. They acquire data on patients which contains information about all physical and mental illnesses in digital form. Also, the processing of health-related claims due to insurance reasons demands the exchange of health records. However, this information is provided to anyone who is able to access it, which makes the data available to others in an unidentified, aggregated way and not only to the medical professionals affected. The personal information is now out of control of the local health care provider and has been passed on to some, for the individual unknown, remote bureaucrats (Angst and Agarwal 2009). Second, money and credit matters require an exchange of data between credit institutions, debts and loans also included in this information. The emergence of national electronic transactions, often through the use of credit cards, has exacerbated this. National databases with consumer’s financial data are generated and, as a result, individuals are no longer in full control over their data (Pitta et al. 2003).

These developments and trends have challenged end users to face new emerging types of privacy issues and information security: With the increasing development and importance of technology, the definition of privacy has been expanded. Data protection, also often referred to as information security (ISec or InfoSec), is one of these, a subgroup of general privacy (Phelps et al. 2000). Data protection is a multi-faceted, very complex and context-specific construct. Legal and regulatory frameworks, cultural standards and security mechanisms affect data protection (Galanxhi and Nah 2006). Nowadays, protecting online data has become a challenging subject in society. This is mainly the situation for younger people, due them having different viewpoints on security online and the associated practices (Yoon et al. 2012). Protection of data indicates that personally identifiable information is unavailable to other people or organizations in general. In case of this data becoming available to any other party nevertheless, the person affected must be in a position to have a significant degree of control over the information and its usage (Westin 2003). Summarizing, privacy is an individual’s decision to manage communication, on which personal information should be externalized and which should be kept private. Therefore, data protection is the ability of people to monitor the gathering and processing of their personal data (Mai et al. 2010). The willingness to protect data also depends on how sensitive the information is. Most people do not care if someone knows their first name, thus users are willing to divulge this information, as for them personally it is insensitive data. In contrast, one very rarely willingly discloses sensitive data such as their own body weight or sexual experiences (Grossklags and Acquisti 2007).

End users are indeed attaching increasing importance to their privacy and are seeking to protect it. Users are required to maintain a healthy balance between the correct level of disclosure and retention of personal information online. End users, whether inside an organization or within the environment of home computing, have critical assets that require to be protected from various levels of security breaches and data theft (Menard et al. 2017). Partly, privacy has become a shield. If a consumer is confronted with too many requests for information, their privacy becomes an excuse. In response to this question, some now reject all communication. A survey by AT Kearny showed that 52% of the interviewees decide to discontinue an online purchasing transaction for data protection reasons (Ranganathan 2002). It has also been stated that 30-40% of customers enter false information online. This is due to the desire for anonymity, as well as the ability to avoid spam e-mails and the uncertainty as to how the website deals with personal data (Van Dyke et al. 2007). Metzger and Doctor have reviewed opinion surveys on online privacy in 2003 between 1998 and 2001. It emerged that 74% of respondents were concerned about their privacy on the internet (Yao et al. 2007). In his paper, Kshetri gives an overview of surveys conducted with both companies and customers. They proof that companies as well as individuals are concerned about their privacy. A survey was conducted earlier this year by the research and consulting company Ovum, sponsored by data security business Vormetric. The sample consisted of 500 decision-makers from medium and large IT companies in Germany, Great Britain and France. The results show that 53% of the respondents were concerned about lack of security in the online environment. In the same year, a SAP study that included 300 mobile operators found that 38% of the respondents said privacy and security issues were preventing companies from realizing their full potential. The results of the consumer surveys showed similar results. In 2013 BCG conducted a survey of 10.000 consumers from 12 countries. The results show that 75% of the respondents replied that data protection is a "top issue" for them. Only 7% would be comfortable with their data being used for anything other than the original purpose. Ovum also found similar results in the same year. 11,000 people from over 11 different countries were included in the surveys. 68% would use a "do not track function" if it was easily available in a search engine. Moreover, only 14% believed that companies were honest about the use of personal data (Kshetri 2014).

In regard of these current developments, the growing tendency to protect consumers right to privacy is a major obstacle and conflict to the acquisition of this knowledge (Alashoor et al. n.d.). In order to understand the concerns of privacy, the next section provides some background information on the collection of data online to the reader.

2.3 Collection of Information – General Overview

In the past, the owner of the corner shop, the family doctor and maybe the barkeeper in the local pub knew about the preferences of individuals, knew their needs, their disposable budget, as well as family secrets. Such relationships were based on face-to-face communication. As conducted above, the reality nowadays looks different due to extensive data collection and storage online. Two reasons can be attributed to this phenomenon: First, businesses rely on vast volumes of knowledge to develop stronger relationships with current clients and acquire new ones. Second, as mentioned above, information technology is enhancing productivity and reducing costs. As a result, information can now be used in ways that once were either impractical or economically inconvenient (Culnan and Armstrong 1999). For companies, the ownership of end user data is becoming increasingly important. To survive and succeed, companies depend on a large amount of personalized information. The more extensive the data, the greater and more influential the reach. This serves to strengthen existing customer relationships and to win new customers (Awad and Krishnan 2006).

On the one hand, benefits of using the collected data correctly include among others higher quality products, elaborate customer service and customized products that meet the customers’ needs. This brings advantages for the company as well as the customer. On the other hand, a significant disadvantages is the invasion of the customers’ privacy. There is a growing tension between gathering and utilizing of individual data, which is disclosed in the plurality of online operations and the private sphere. Therefore, the same practices that are beneficial to companies also raise concerns about privacy for people (Culnan and Armstrong 1999; Van Dyke et al. 2007). To get an exact overview of how data collection functions two major categories of data usage have to be distinguished: the primary and secondary use. The first utilization of gathered personal information can be determined as an organization's application of the data to create consumer profiles and therefore enhance sales and customer services. In this case, customers are willing to reveal personal data (Culnan 1993). In contrast to the primary use, where the allocation of data happens with authorization from the individuals, secondary use of data includes the disclosure of personal data to third parties who were not part of the initial operation. When information is collected from users for one particular reason, but is used for a different purpose without the permission or even the user’s awareness, it is referred to as secondary use of data (Smith et al. 1996). Concluding the same information will be used for a purpose other than the original intent of the acquisition. If more and more parties can now access the personal data of individuals, the various security threats have a broader reach. These endangerments will be discussed in more detail in the next chapter.

2.4 Security Threats and Human Errors

Information on a sheet of paper is always visible and users have the advantage of being able to control their data or, if necessary, destroy it forever, e.g. by shredders. Online, the individuals control is much more limited. As more and more households use the internet and broadband, consumers face new sources of danger (Pitta et al. 2003).

With the development of such an interdependent environment and the significant online presence of the user, it is becoming a lot easier for hackers to gain access to an individuals' computer. This may result in simple inconveniences e.g. erasure of important, private files. But online security threats can appear in many forms and some scenarios are far less appealing (Harrington et al. 2006). Social engineering attacks like phishing aim at getting users to disclose sensitive data. Malware results in infections such as computer viruses, which are supposed to cause damage. Trojan horses are created to provide to transmit a virus or a spyware, or computer worms that are able to propagate as rapidly and disrupt the network. This kind of malware interferes with the general operation of an infected computer and is quite noticeable for the user. However, a more common type of malware is imperceptibly located on the host computers and attempts to steal private or online activity data stored on the computer (Claar and Johnson 2012). Furthermore, social networking sites are often used by hackers to infect individuals' computers with malware like viruses or worms. A frequent scenario includes Facebook members sharing a YouTube-link with a group of friends. In order to display the enclosed video, one is required to download an "update" of some sort. By updating, users download malware that is infecting the computer with so-called "bots" that allow hackers to use the computers whenever and however they want and therefore join a bigger “botnet” (Crossler and Bélanger 2014). Bots are versatile as they let the hacker running the malware control administrative privileges on the affected person's computer completely. Then, the hacker is able to use the computer to execute distributed denial-of-service attacks on different servers, spread spam, open backdoors on the personal computer or install software to detect keystrokes, the efficiency of a software, on the computer of the person affected. A study by MacAfee Avert Labs reports that over 12 million new machines were integrated into botnets worldwide in the first quarter of 2009 (Claar and Johnson 2012). The consequences of a hacker attack with malware eventually lead to financial harm and damage of reputation for businesses or theft losses for individuals. In addition, these attacks are increasingly targeting private parties, resulting in significant financial burdens for them. Furthermore, the effectiveness of the internet's infrastructure is affected (Harrington et al. 2006). Since home computers can be made part of botnets very quickly and easily, this evolves in a considerable number of problems for private users, companies and governments.

Another topical security threat that has recently been highlighted by various public incidents are data breaches. A data breach can be defined as an occurrence that results in a confirmed disclosure of sensitive personal data to unauthorized third parties. These incidents are often carried out by hackers or other parties that have no entitlement to access this information. This term is a generic term for data leaks, which can be described as the deliberate or accidental disclosure of sensitive personal data. The origins could be based on internal processes or errors. Both lead to consumer data being publicly exposed in some way. These exposures not only represent a major threat to companies but can also have serious consequences for individuals. Furthermore, the loss of sensitive information can gravely damage a company's reputation. Financial losses or even the long-term survival of the company can also be at stake. The information can range from customer data on intellectual property to published medical records. Data leakage can occur in two ways: internal or external information breaches. They can happen either intentionally or accidentally. The first would be data theft by invaders or sabotage by offenders. The latter can be understood as the inadvertent disclosure of sensitive data by employees and associates. The procedure for the first type is as follows: The attacker is looking for ways to get into the target system. For vulnerabilities found in the area of infrastructure, targeted attacks in the form of, for example, attempts to deceive with the help of phishing or spam. As soon as access is obtained in step two, the data is actually stolen by the attacker transferring the data from the target system. (Cheng et al. 2017; Web Application Security Consortium: Threat Classification 2004) A study by Intel Security5 has revealed that the internal staff is responsible for 43% of data leaks. Furthermore, 43% of data leaks are random. Among other things, industrial espionage or financial threats etc. can be regarded as motivations for this. The unintended incidents, are often due to inadequate business workflows. This includes, for example, the non-application of preventive technologies or security guidelines. In 2013, credit and debit card information of about 40 million customers of Target Corporation had been stolen and other information for 70 million people, including e-mail and mailing addresses, had also been exposed. To date, customers have suffered financial losses of $248 million. A year later, about 500 million accounts were stolen in an apparent "state-sponsored" data breach of Yahoo (Cheng et al. 2017).

Another 25 percent of recorded safety violations are caused by end users (Mylonas et al. 2013). This is due to the fact that people cannot be supervised by technical solutions (Siponen and Oinas-Kukkonen 2007). Inside the organizational context, employees are usually the most vulnerable component of information security (Bulgurcu et al. 2010; Im and Baskerville 2005). Many companies state their staff can be considered the weakest link in protecting organizational assets. At the same time, co-workers could make a major contribution to reducing the risks when applying adequate protective behavior (Bulgurcu et al. 2010). This statement will be addressed in more detail below. Therefore, it is important that companies protect the systems with the information they contain, as they increasingly rely on it for transmission, processing and storage (Ng et al. 2009). Thus it is not surprising that compliance with security guidelines by employees have evolved into an important socio-organizational asset (Bulgurcu et al. 2010). Summarizing, behavior of individuals may have far-reaching consequences that cross borders between people, organizations and nations. As a consequence, the demand of promoting appropriate individual safety behavior both at work and at home is higher than ever (Harrington et al. 2006). The deployment of Anti-Virus software, anti-spyware software, identity theft prevention services and automated cloud-based backup solutions are only a few examples of effective resources that home users are investing for protection of their personal assets (Menard et al. 2017). Although, this being a step in the right direction, it is hard for users to keep this precautious behavior on a routine level. Despite using those various protection services, home users tend to stick with poor passwords, share passwords with others in order to co-use streaming accounts like Netflix, to open unknown links or to override security warnings whilst installing applications (Menard et al. 2017) . Even when security behavior has been studied on mobile devices, the search results show that the current security warnings of an app repository tend to become ineffective over time, as users are likely to click through them. It was also found that people tend to overlook the reputation and ratings of an application as well as safety and agreement messages that were detected from App repositories during application installation (Mylonas et al. 2013).

The risks and negative scenarios mentioned above could be largely reduced or eliminated if home users changed their passwords regularly, used stronger key words, kept their anti-virus software up to date, set up firewalls and exercised caution when opening e-mails and attachments or other links sent to them on social media platforms. Nevertheless, some studies show that there is a large disparity between the awareness of the individual in relation to their safety and the manifestations of security threats in reality. These characteristics apply not only to home users but also to employees of various companies (Harrington et al. 2006) For example, another study by America Online and the National Cyber Security Alliance with 329 participants showed that approximately 75% of the participants believe their system is much protected against online assaults and viruses. For this reason, 84% of the participants hold confidential data on their computer and 72% make sensible transfers on their PC. A review of the systems of the interviewees revealed that 15% had no antivirus software in use (Claar and Johnson 2012). At the workplace, guidelines containing regulations on essential safety behavior can be created. In addition, training courses can be held and behavior can be monitored. Furthermore, sanctions may be imposed to ensure compliance with such safety practices (Harrington et al. 2006). While, as already mentioned above, organizations make great efforts to ensure information security, this cannot be accomplished by using technological tools alone. Inquiries into what has caused the latest security breaches have revealed that the negligence of employees has led to infringements costing companies millions. Many breaches were caused by carelessness or ignorance of security policies by employees (Herath et al. 2012). These measures only apply to companies and home users who are often left alone with only their own responsibility or discipline to indulge in such security activities.

In summary, the great majority of online users indeed understands how to apply protection methods but still often neglects to take them, even though they mostly acknowledge themselves as the ones to be accountable for their security behavior rather than the government or software companies (Claar and Johnson 2012).

2.5 Password Behavior of End Users

User names and passwords have been the preferred method of user authentication for many decades due to their low cost of implementation (Herley and Van Oorschot 2012). Entering a password is the predominant method to ensure personal assets, such as personal e-mails, financial information, and privacy of end users online. Among the primary objectives of code word usage is the prevention of hacker attacks (Zhang and McDowell 2009). Nevertheless, there are some problems and challenges associated with the use of passwords for many end users, as difficulties with the performance of key word compliance can appear (Mwagwabi et al. 2018a). Experts confirm the problems resulting from the reckless usage of passwords by stating that code words are among the most common risk elements for human errors (Carstens et al. 2004). The effects of poor password management habits are tangible. In 2009 for example, an unauthorized party hacked into a Twitter corporate account. He managed to gain access to the employee's personal e-mail account and other sensitive data as they were not adequately protected due to poor code word practice and failure to comply with password policies. This case is one of many examples, that non-complex passwords can have an enormous impact not only on the personal level, but also on the organizational level (Mwagwabi et al. 2018a). Moreover, a study which investigated the security of online passwords found that out of 516 end user accounts examined, almost a third could be breached within a minute. The other accounts were bursted open within four hours (Zhang and McDowell 2009). Another showcase of the severity associated with password management is the Verizon Data Breach Investigations Report (DBIR) from the year 2015. It provides an overview of the extent to which legitimate user data (login IDs and code words) was used in 2015, accounting for 50% of all reported data breaches. After an evaluation of 2260 confirmed data breaches, 63% of the tested accounts use Not only are those figures presented above alarming, they also raise the question of how a poor password is defined.

According to Zhang and McDowell, a strong password is a code word consisting of at least 12 alphanumeric characters, upper and lower-case letters, a minimum of one number and at least one special character. Examples of weak code words include words like "password" or numerical orders like "123456" or contain significant personal information. They are used on an alarming rate by end users, even when sensitive data such as financial accounts are involved (Florencio and Herley 2007; Zhang and McDowell 2009). In addition, due to the number of websites individuals are registered on, many end users pick the same codes for various websites. When more complex passwords are being created, owners tend note their complicated combination of letters and numbers somewhere. This again leads to a security gap (Das et al. 2014). Even the application of a very strong keyword to more than one account is hazardous, as only one account has to be compromised for having negative effects on all the other accounts (Stephen 2016). One momentous issue, where the correct application of strong passwords would be of importance are e-mails. Almost all web users access e-mails on a daily basis. However, they are an easy target for a series of security threats. Mails are frequently misused to gain access to personal and financial records through phishing and spamming, exposing users to theft of identity and online fraud (Herath et al. 2012). This can be attributed to the fact that people are often registered with the same e-mail addresses on most social media platforms.

Due to this current situation, there are several website manufacturers and various companies that offer information for users on how to generate more powerful passwords. For example, the company Google provides tips for generating a safe password as well as a password strength meter. The latter evaluates the passwords according to their strength. This is determined from the length of the password and the composition of the characters. Furthermore, weak options such as the word "password" are getting declined. Those weak passwords may not be used on the website (Zhang and W. McDowell 2009). Microsoft also takes its safety measures: In order to create an account, a mixture of letters and numbers and a minimum keyword length is required. These are particularly useful for the end user at home, as they do not benefit from integrated network applications that are available for most of the employees at their workplace. The latter often require a special type of password procedure. Another way to encourage users to create stronger passwords are special password management applications which save all keywords in a cryptographically secured place which is then only accessible through an ideally strong master password phrase, thereby decreasing the workload of storing many unique and strong passwords (Huth et al. 2012).

However, a study shows that despite existing rules on how users should compose their passwords, these are often not adhered to. Many attempts trying to lead end users to the usage of stronger passwords do not have the desired effect. Visual guides, such as code word strength meters on websites, do not motivate end users to use stronger codes. It is evident that many end users still tend to choose weak ones instead (Vance et al. 2013). There are several approaches to explain this phenomenon. One reason for users still preferring simple passwords may be that, as password policies differ from page to page, end users find it difficult to remember the various different passwords. This in turn has a negative effect on the security of the specific page concerned (Beautement et al. 2008; Bonneau and Preibusch 2010). The same holds true for guidelines on pages that demand a monthly keyword reset. Due to the amount of overhead this causes, users are easily tempted to choose passwords that are easy to guess (Adams and Sasse 1999). A further approach, and probably the most common reason, is that most end users still find it difficult to remember complex code words and therefore use the ones common to them (Ur et al. 2012).

2.6 Fear Appeals

Fear appeals are persuasive messages designed to scare people by describing the terrible things that will happen to them if they do not do what the message recommends.

- Kim Witte (Johnston and Warkentin 2010, p.551)

In order to motivate individuals to behave in an adaptive way, fear appeals have been used for many years in convincing messages. These are not only used in research of information security, but derive much more from the research of the field of health awareness and health communication (Roskos‐Ewoldsen et al. 2004). They are persuasive messages designed to alarm people of potential threats by declaring the terrifying consequences of not acting in accordance with the message. The main goal of fear appeals is to create transformation through persuasiveness (Johnston and Warkentin 2010; Mwagwabi et al. 2018b). The importance of fear in fear arousing communication was already known as early as in 1992 when Witte published her work "Putting the fear back into fear appeals" in the same year (Han n.d.).The necessary elements of a fear appeal include the individual susceptibility to threats, assessments of the severity of threats, efficacy in terms of a suggested reaction and the individual's capacity to respond as recommended. A correctly designed fear appeal not only serves to provide information about the existence of a threat, but also to communicate the severity of the danger and the vulnerability of the affected target. Concluding, the main components of a fear appeal are: fear, threat and effectiveness (Johnston and Warkentin 2010; Witte 1992).

A threat can be described as an extrinsic stimulus. This is irrespective of whether the treat is perceptible by a person or not. If an individual is perceiving a threat, the person has an adequate understanding of it. From this message, it is possible for an individual to express the perceived threat severity and the perceived threat susceptibility (Johnston and Warkentin 2010; Witte 1992). The first one can be described as a person’s beliefs about the gravity of an existing threat whereas the perceived vulnerability expresses a person's conviction of the chances that this threat will occur (Witte 1992). Fear appeals often take the form of notices or messages, and serve as a mechanism for manipulation and are geared to the execution of a corresponding protective behavior (Johnston and Siponen 2015). Furthermore, they usually provide practicable suggestions that are described as being powerful in countering the threat (Johnston et al. 2015). Witte suggests that a fear arousing communication contains two parts: statements designed to raise the perceived threat and the effort to increase the perceived effectiveness in the framework of a suggested reaction (Witte 1994). The former is achieved by highlighting the severity of the threat (i.e. the level of damage related to the threat) and the likelihood of the threat appearing. The latter emphasizes the clear and practicable measures to avert the threat and the importance of the suggested response to do so (Johnston and Warkentin 2010; Witte 1994). If an appeal of fear leads to a significant threat perception, an assessment follows of the response effectiveness and the ability to immediately implement the response (self-efficacy). In circumstances when the perceived threat is associated with a modest to high degree of perceived efficacy, an individual will adopt measures to reduce the threat (Johnston and Siponen 2015). The capability to perform the suggested action is critical. This improves self-efficacy, which will be defined in the following chapter. For this reason, the appeals of fear provide guidance on how to follow the recommended procedure (Woon et al. 2015). Furthermore, a fear arousing communication is therefore an incentive to stimulate fear as well as threat and coping assessment processes. In the ideal case, a fear appeal would not only increase the threat, but would also enhance the effectiveness by giving a respondent a way to tackle the threat. It is important that qualified fear appeals generate both high levels of threat and effectiveness, as they appeal to the threat as well as the capacity of the individual to respond (Boss et al. 2015). Concluding, according to this it is not only essential that a fear appeal is used to trigger fear, but also to use it to the right extent in order to have the right consciousness to this extent. It is therefore important that the person concerned develops the awareness for the danger, only then they will act accordingly.

2.7 Development of Fear Appeal Theories and Models

For decades scientists and psychologists have been researching why individuals react positively to some messages contained in fear appeals, whereas others do not show any response at all. Various different theories and models have been developed and applied in the research of fear appeals and information security (Boss et al. 2015; Johnston and Warkentin 2010).

Information Security, abbreviated as ISec or InfoSec, can be seen as the technical part of privacy. According to the international standard, ISec refers to the maintenance of integrity, non-disclosure and the accessibility of information and data (von Solms and van Niekerk 2013). This definition applies to the personal dimension as well as on the organizational level (Awad and Krishnan 2006). Furthermore, the term describes a process, and is not to be confused with a technology or a product. The primary objective is to guarantee the continuance of organizations as well as the reduction of damages within the businesses. Information security achieves these goals by minimizing the consequences of security incidents and to secure absence of security gaps (von Solms and van Niekerk 2013). To achieve this state, a multi-faceted collaboration of technical and organizational topics and events in the external context is essential (Dutta and Roy n.d.). Nowadays, research commonly uses the protection motivation theory to support the investigations (Boss et al. 2015; Johnston and Warkentin 2010). In order to understand the development and the usage of this theory in research, one has to gain a basic understanding of its origin. The following section presents three basic models to provide insights of the underlying assumptions and constraints of the protection motivation theory. The models presented below are, according to scientists, the basis in the field of fear appeal research and in the field of ISec. The following theories were each developed in the 1950s and 1970s and aim to investigate the individual's response to fear appeals. Hence, they were being used by the majority of scientists in this time period (Johnston and Warkentin 2010; Roskos‐Ewoldsen et al. 2004). The models presented are the following: fear-as-acquired drive model, and the parallel process model with a look at its extended version, the extended parallel process model.

The fear as acquired drive model, also known as drive reduction model, was first implemented by Hovland et al. in 1953 and therefore counts as one of the earliest approaches to address the motivation of individuals for the adoption of persuasive messages. This pioneering theory was modified by Janis in 1967. It regards the persuasive effect of appeals of fear as an emotional process. The emotion fear is hereby considered as a drive, whereby it is understood as an unpleasant feeling of inner tension and restlessness, which should lead the individuals to perform a desired behaviorr (de Hoog et al. 2008). The correlation between fear and motivation can be seen as an inverse U-shaped correlation. According to Janis, there must be a certain amount of fear to motivate behavior that is consistent with mitigating the threat. But, in contrast, excessive fear could lead to behavior that is compatible with the alleviation of the threat (Johnston and Warkentin 2010). In this case, the person will find alternative approaches to overcome fear (Boss et al. 2015). Therefore, Janis states, that the negative emotional state generated drives individuals to take actions that decrease their personal fear (Johnston and Warkentin 2010). Concluding, this model implies that greater concern would therefore result in more persuasiveness, but only when the proposed action is considered as being effective for security purposes (de Hoog et al. 2008). McGuire also stated in 1968/1969 that supports Janis' assumption by also outlining an inverse U-shaped relationship between the existence of fear and behavioral change. McGuire declared when fear served as a drive, individuals followed procedures that were in accordance with the suggested actions of this message. In contrast, when fear was the cue, the desired recommendations for action were not made because accustomed responses to fear prevented the recommended actions (Johnston and Warkentin 2010). However, due to science and research of these the two above-mentioned statements by Janis and McGuire, their models since have been strongly rejected because no evidence of proof has been found to support these theories. The main reason is that, in the end, it was never possible to support a direct relationship between drive and behavioral adaption (Leventhal 1970; Witte 1992).

In 1970, Leventhal developed the parallel process model, also referred to as PPM. Based on the assumptions of the fear-as-acquired drive model, the psychologist expanded the concept of duality of answers and developed his model to differentiate between two different reactions that occur in fear: the primary cognitive process and the primary emotional process. The former, the danger prevention process, leads to reflections about the risks and consequently actions are carried out to avoid them. The latter is a process of controlling fear. This leads people to have their anxiousness under control through avoidance, ignorance, etc. However, the reasons for the development of individual processes when they occur are lacking in this model. About 22 years later, in 1992, there was an extended version published: the extended parallel process model, short EPPM. This extended model, which also contains elements from the PMT presented below, specifies some derivations of the two responses to fear appeals (Popova 2012; Witte 1992). In the view of the EPPM, the evaluation of a fear arousing communication triggers two evaluative measures of the message that result either in a mastery of danger control processes or fear control processes (Witte 1992). Therefore, in summary, the extended parallel process model is able to declare as to when and why fear is effective or when it fails. The EPPM and, just like its most closely related model the protection motivation theory, have many strengths that make these models very attractive for scientists and their research (Popova 2012).

The next section gives a detailed overview of the protection motivation theory mentioned above and explains why this model was chosen as the basis for the following research study conducted in order to answer the research question in this thesis.

2.8 Protection Motivation Theory

A minimum level of threat or concern must exist before people start contemplating the benefits of possible actions and ruminate their competence to actually perform them.

– Ralf Schwarzer (Gochman 1997, p.113)

This quote by Schwarzer, already made in 1992, sums up the core statement behind the protection motivation theory hereafter abbreviated with PMT. The model was first developed by Rogers in 1975 and investigates which variables are involved in controlling health related behavior (Gochman 1997). PMT was developed using determinants from previous theories, in particular in the parallel process model presented in the previous section (Ifinedo 2012; Ranganathan and Grandon 2002). It was originally developed in the field of health care and is derived from personal threats, directed straight against an individual. The core idea behind this theory is the motivation behind the defense resulting from a perceptual threat and the willingness to eliminate a potential negative outcome (Menard et al. 2017).

It is one of the "fear appeal theories" and originally examines the impact of endangering health warnings on changes on mindsets and behavior of individuals (Lee et al. 2008; Lee 2011). As the perception of danger and the motivational role of threats plays an important role, it is assumed to inspire people to move towards healthy and protective action. Concluding, the model is based on the assumption that fear, such as experienced health threats, lead to people wanting to change their health behavior, more precisely, they want to change the intentions of their health behavior. Examples of those health threats according to Rogers and Prentice-Dunn could include: unhealthy diet, little exercise, abuse of tobacco and alcohol and other potentially risky habits, which they refer to as "lifestyle illnesses” (Gochman 1997). Beyond the health care sector, PMT is also suitable for the environment of ISec where users, employees and customers require an additional level of motivation to secure their information assets. The computer does not only serve as a source of entertainment, it is also heavily integrated into the everyday life and reaches the position of an extension of the self. Thus, one can simply find strong parallels to personal health behavior and the health of your own computer reaches the same great importance (Lee et al. 2008). Just like an unhealthy body, an unhealthy computer has a negative impact on one’s everyday life. The theory was adapted and applied by many ISec researchers. It is used to explain the individual's tendency to voluntary, safe behavior (Boss et al. 2015; Menard et al. 2017). One reason for its application in this field of research is that the model is able to explain the security behavior of individuals outside a corporate context and thus elucidates why people take certain countermeasures to protect and prevent computer threats (Crossler 2010).The protection motivation theory is inferior to some changes over time. In the first version, the "core nomology", the factor fear has been recognized, but not yet integrated. In a later version, the “full nomology” the variable fear and the maladaptive rewards were integrated and are part of the model. In this thesis, that version is used in the research model because fear is an important component in the quantitative study which will be explained in more detail in a later section (Boss et al. 2015).

In the following sections, there will be a short overview of the revised version of the PMT model. The usage of the model will be explained, the individual components illustrated in detail and the fear appeal discussed.

2.8.1 Design of the Protection Motivation Theory

In summary, PMT describes the procedure that initiates the receiving of information (information sources), which causes the person to evaluate the given content (cognitive mediating process) and to ultimately use the information and take action (coping mode) (Crossler and Bélanger 2014).

In more detail, the sources of information can be divided into environmental ones as well as intrapersonal ones. The cognitive mediation process is furthermore divided into two big dimensions which both influence the protection motivation of an individual, the intention to fulfill recommended behavior of limiting future risks. The two dimensions influencing the protection motivation are: the treat appraisal and the coping appraisal. The threat appraisal contains three variables: the perceived severity of a threatening event, the perceived vulnerability and maladaptive rewards. Response-efficacy, self-efficacy as well as response costs outline the coping appraisal. The coping mode consists of adaptive coping as well as maladaptive coping (Gochman 1997). A self-determined, overall view of the protection motivation theory model, adapted from Rogers and Prentice-Dunn, is provided in Figure 1. Figure 2 shows the cognitive mediating process of the PMT. Both will be explained in more detail in the following sections.

Abbildung in dieser Leseprobe nicht enthalten

Figure 1: Overall Model of the PMT, own Representation based on Rogers and Prentice-Dunn (Gochman 1997)

Abbildung in dieser Leseprobe nicht enthalten

2.8.2 Sources of Information

Sources of information may be divided into two categories: environmental information and intrapersonal information.

Environmental information are sources of information which can include conversations with or instructions from other people such as family members, friends, acquaintances in reality as well as on social media etc. about threats and possible protective responses (verbal persuasion). Environmental information sources can also be direct witnesses of victimization actions or the use of protective responses (observational learning) – seeing what happens to others (Crossler and Bélanger 2014; Crossler 2010). In his model, Rogers differentiates between two intrapersonal sources of information: personality variables and prior experiences. Intrapersonal sources of information refer to the individuals’ personality, the characteristics or former experiences of the individual. Those can influence their perception of the threat or their willingness to take protective action (Gochman 1997).

2.8.3 Cognitive Mediating Process

Considering the PMT model, one has to distinguish between the evaluation of maladaptive response (threat appraisal), fear, the assessment of the adaptive response (coping appraisal) and their influence on the intention to perform protective behavior optimally leading to change of behavior. Studies in other IS security fields demonstrate an expansion of PMT to cover a connection made between intentions and actual behavior (LaRose et al. 2008; Liang and Xue 2010). Regarding the health care context, for most health issues, there may be only one maladaptive and one adaptive response. An example from the health sector is smoking – two possibilities: either one is smoking or one stops smoking. For the remaining amount of health problems, there may be more than one response. For example can more than one reason be the response for being unhealthy. Probably there is an improper diet or the individual is not exercising enough (Gochman 1997). Threat Appraisal

The affected person assesses in the process of maladaptive response, the potential advantages of starting or maintaining the current lifestyle, even though this exposes him to possible negative consequences. Therefore, it can be said that threat assessment is a factor impacting whether a person accepts a particular coping response (Crossler et al. 2014).

The threat appraisal characteristics that enhance the probability of maladaptive reaction are intrinsic and extrinsic rewards. Intrinsic rewards can be seen as physical pleasure while performing a specific activity. A person is extrinsically motivated when external incentives such as remuneration or recognition from a third party etc. play a decisive role in the individuals actions. This can be peer groups or social media. Extrinsic and intrinsic rewards can be summarized as maladaptive rewards and are therefore referred to with this term in the following. While these two factors can encourage a person to engage in behaviors that may expose them to potential threats, there are two other factors that reduce the possibility of maladaptive behavior (Gochman 1997). These two factors are perceived threat severity and perceived threat vulnerability. Perceived severity can be seen as the degree of consequences, like physical and psychological harm (e.g. effect on self-esteem) or social threats on family or friends that result from a threatening event. Furthermore, perceived severity has a positive impact on the individuals protection motivation (Crossler and Bélanger 2014). ISec research confirms this statement by saying that if one perceives the severity of a threat, it increases the probability that people will adhere to the proposed recommendations for action. In their research, Woon et al. ascertained that users tend to enable wireless security measures when they believe that a breach of their wireless home network would be harmful. It is now possible to establish a direct relationship between perceived severity and protection motivation where the likelihood of individuals complying with security policies is greatest if they believe that the threats would be harmful to them or their organization. Concluding, people will take to heart password security recommendations if they feel that the consequences of a data leak can be serious (Mwagwabi et al. 2018b; Woon et al. 2015).

Perceived vulnerability can be defined as the estimation of an individual’s exposure to the threat, the likelihood of an impending security event occurring. Furthermore it is assumed to have a positive correlation with protection motivation intentions. An example from ISec research is the password security of the individual, since passwords can often be guessed by hackers or even be assessed by a program. This program ascertains passwords by searching for possible combinations which are often used in passwords combinations (Crossler and Bélanger 2014; Zhang and McDowell 2009). Fear

The factor fear, influences the assessment of the severity of danger and therefore indirectly behavior and change in behavior. Fear can have an indirect and detrimental effect on the change of attitude by causing inappropriate management, in particular the avoidance of defensive measures (Gochman 1997). Fear was already noticed in the penultimate version of the PMT, but only in the last version, the complete PMT model, it was explained as an important dimension. Research often does not integrate the component of fear in research or does not measure its, leading to mixed results in the studies. Therefore, there is a need to gain a better understanding of the importance of this variable and its implementation in research (Boss et al. 2015; Zhang et al. 2009). Coping Appraisal

In the process of the adaptive response, the individual assesses the capacity for risk prevention and the ability to cope with the danger (Johnston and Warkentin 2010; Mwagwabi et al. 2018b).

The coping appraisal Process contains the factors response efficacy, self-efficacy as well as the response costs. Self-efficacy can be defined to as the individuals perception of their own ability to perform the necessary behavior in order to stop the threatening habits. An important role in the center of attention is the individuals’ willpower. Self-efficacy is known to have a positive correlation with the intention to adopt protective behavior. It also has a positive affinity with executives' desire to implement anti-malware software (Crossler et al. 2014). PMT means that the probability of activation increases as soon as an end user perceives the recommended response to be valid. There are several studies in the field of ISec researches supporting this. For example, Marett et al. investigated the behavior of social media users. If the latter believe that the deletion of confidential data would contribute to prevent them from being endangered by online threats, they are more willing to not disclose sensitive information. It is likely that users considering suggested security policies may prevent password-based threats are more inclined to obey the recommended policies (Mwagwabi et al. 2018a).

Response efficacy can be defined as the individual's perceived effectiveness of the recommended risk prevention behavior. As with self-efficacy, it has a positive correlation with protection intentions well as with managers' intentions to deploy anti-malware software. A number of related studies (Siponen et al. 2010; Workman et al. 2008) demonstrate the key function of self-efficacy in achieving a substantial reduction in the probability of violations, for example in connection with protection against personal spyware (Johnston and Warkentin 2010), the utilization of social media (Marett et al. 2011) and the securing of personal data (Boss et al., 2015). Users will be more comfortable following the password security recommendations if they are sure they can create a secure password (Mwagwabi et al. 2018a).

Response costs are the expenses which could be referred to as the costs of implementing recommended preventive behavior. This factor decreases the coping appraisal and therefore the protection motivation. As a consequence, high perceived costs could prevent people from participating in recommended behaviors. IS research confirms this by stating that managers' intention to use anti-malware software is reduced when response costs are high (Crossler et al. 2014). Another study by Woon et al (2005) discovered that people who finding wireless security measures at home to be cumbersome are less probable to implement (Woon et al. 2015).

In summary, if the two efficacies explained above are high, the coping appraisal is high as well. If the response costs are high, the coping appraisal is declining. Thus, coping appraisal is the product of self-efficacy and response efficacy minus the response costs. Concluding, the threat appraisal and the coping appraisal lead together to the protection motivation.

2.8.4 Coping Modes

The final element of the PMT approach deals with the question whether a person decides on one or more protective measures and which kind of action is taken. One may distinguish between the adaptive and maladaptive coping modes. The first, adaptive coping mode, is the performance of users to avoid the manifestation of the threat. It is however the choice of the person to not implement the necessary precautionary safety techniques protecting him from the threat. This can be defined as maladaptive coping (Gochman 1997; Lee and Larsen 2009). An example for maladaptive coping strategy would be wishful thinking.

In summary, a person only intends to perform preventive behavior if the individual perceives the severity of a threat, feels vulnerable to that threat, is sufficiently convinced that a particular action will reduce the threat, or feels competent to perform that adequate behavior. If these conditions are complied, a positive purpose is formed. The transformation of an intention into behavior also depends on whether no external barriers or the attitude of caregivers prevent the action. Communication about protection motivation must therefore successfully influence several cognitions, so that a certain endangering behavior changes. Recipients must understand that both the severity of the threat and the likelihood of the danger in question is higher than they previously thought, and that the recommendation contained in the communication is an effective remedy for these serious consequences. Table 1 provides a detailed overview over the cognitive mediating process of the PMT, including all important variables having an effect on protection motivation and the actual change of behavior. Examples on each dimension mentioned above are integrated for a better outlining.

Abbildung in dieser Leseprobe nicht enthalten

Table 1: Overview over Variables of Cognitive Mediating Process

2.9 Research done so far

In the past, ISec research concentrated mostly on technical solutions or organizations. However, when researchers began to consider the end user as the weakest link, a shift towards social behavior research ensued (Adams and Sasse 1999).

A number of remarkable studies have therefore included the deduction of the protection motivation theory for this context. The PMT model was primarily used to represent and examine health-related safety habits. Since parallels to preventive behavior in the context of security threats are discernible, researchers from the field of ISec research have applied the protection motivation theory to their research and examined a multitude of security attitudes among individuals or in the context of organizations (Crossler et al. 2014; Vance et al. 2013). The PMT model has most of the time been used to establish a basis for a better understanding of the peoples motivation which has to do with security policy and people managing it. The assumptions and fundamentals of the protection motivation theory are therefore of significant interest for ISec's behavioral science and practice (Chen 2017). There are different approaches to convince people to accept particular actions or ambitions. These motivations involve fear appeals (Boss et al. 2015). For this reason, contemporary explorations have concentrated on the possible value of fear appeals, based on the PMT, when it comes to enhancing security practices (Mwagwabi et al. 2018a). The question on how to use fear appeals correctly in order to initiate behavioral changes in people while arousing protection motivation among them has occupied researchers for some time now. Scientists have investigated why people react or do not react to a content of a fear appeal in comparison to individuals who are not addressed specifically in the field of ISec and the behavioral security context (Boss et al. 2015; Menard et al. 2017). The PMT model makes use of the fundamentals of fear appeal research by taking dimensions from previous models. These include the two theories described above, in particular the PPM theory. In contrast to the latter theory, which assumes that individuals with maladaptive responses to fear appeals react with ignorance or inactivity, the protection motivation theory includes both reactions, the adaptive and the maladaptive. However, the focus is on adaptive reactions such as protective motivation and the resulting behaviors (Leventhal 1970). The protection motivation theory model states that maladaptive coping behavior has to do with feelings caused by the threat. Therefore, the PMT focuses on adaptive reactions by aiming to motivate people to perform adaptive responses. As a result, the threat can actually be mitigated or even overcome (Chen 2017; Rogers 1975). In summary, PMT has been utilized to describe individuals' tendency to engage in voluntary, safe behavior. Various behavior patterns have been examined at the cause of a better understanding why people are protecting their assets. Further, it can help to explain why end users who adapt protective behavior are unsuccessful in doing so (Menard et al. 2017).

In order to give a better overview of the adoption of the PMT in the research field of InfoSec, several papers have been reviewed that used studies with derivations and dimensions of the PMT model. The best results and most valuable articles on information systems can be found in the leading journals (Webster and Watson 2002). The most respected, scientifically proven journals were selected for the literature analysis and formed the basis for a complete coverage of the subject area. In addition to the journals mentioned above, the ECIS and ICIS conferences were researched and reviewed for relevant contributions. For several decades, both of these conferences have been established gatherings of renowned scientists in the field of information systems (“Conferences - Association for Information Systems (AIS)” 2018). The papers were based on various other articles dealing with previous research on this topic and have been accessed through google Scholar, Ebsco Host or Aisel. net. in the time frame from March to June 2018.

30 articles, including their conducted studies, turned out to be appropriate for the current question. The table in the appendix B summarizes the studies found using the dimensions of the PMT. This chart contains information on the journals and threat targets within the behavioral context. Furthermore, the table indicates whether only the PMT model was integrated into the study or other models were adopted. If the former was the case, it shows which variables are contained in the construct of the PMT (core and full) and which ones are missing. It is also shown whether fear appeals have been included. Ultimately, the chart offers a brief overview of the most important results. The overview of the various ISec studies delivers striking insights: The literature and the study results are diverse, contradictory and inconsistent. In the following, outcomings will be displayed and various reasons where the results may originate from will be presented. Only findings with relevance to the research of this thesis will be named and presented.

First of all most studies have failed to ensure manipulation with fear incentives. Out of 30 papers reviewed, only seven used fear appeal manipulations. One of the few exceptions is the paper by Boss et al. which incorporated fear appeals in form of notifications about the necessity of backups and the use of anti-malware software (Boss et al. 2015). Johnston and Warketing used an appeal of fear to convey the threats of malicious spyware and the impact of user-friendly anti-spyware software to users (Johnston and Warkentin 2010). Another paper, published this year, is the one from Menard et al which addresses fear appeals in the context of password management software (Menard et al. 2017). Therefore, if fear appeals are not applied, one of the core elements of the PMT is missing.

Secondly, most of the studies do not show the correlation between the other dimensions and the behavioral intention as well. Although it´s importance and impact on results is an often held viewpoint, this component is treated differently in various studies (Johnston et al. 2015; Mwagwabi et al. 2018b). Some research studies consider threat as being an autonomous variable (Siponen et al. 2010), while others suggest that fear is a feature of perceived severity and vulnerability (Posey et al. 2015). Some researchers even assume that the three variables are independent and have a direct influence on intentions (Zhang et al. 2009). Comparing results is therefore remains complicated.

Third, the exact role of fear remains unclear in the reviewed studies. The results were found to be very inconsistent. For example, earlier works by Rogers suggest that the fear and the subsequent behavior are directly related. However, it can be seen that different results are also obtained in two different situations. According to the study of Boss et al (data loss on the PC) Boss et al. 2015) or Zhang & McDowell from 2009, the fear of hacking directly influences behavior and plays a significant role in motivating users to take preventive measures. In the organizational environment, however, it appears that fear of protecting the motivation on the company's data assets does not matter. This is shown, for example, by Posey's study in 2015 (Posey et al. 2015) where intentions and actual protection of organization's information assets were measured (Mwagwabi et al. 2018b). This study aims to explore in the personal area, which most of the studies and papers looked at were researching in the personal level as well. Only 12 looked at only the organizational level.

Another conspicuous and fourth point is that for many studies, the core or complete PMT nomology has not been tested and it is not proven that their changes improve the explanatory value of PMT or that the variant model developed or used by the researchers has a more exact match than PMT. Basic variables, contexts and fear appeals are deleted without explanation. Constructs are renamed and measured or even simply omitted. In addition, many of the studies add new constructs that lie outside the nomology of PMT (Boss et al. 2015). The table in the appendix B shows that 18 out of 30 papers looked through added other models or variables besides PMT to test the study. This makes it difficult to measure the results.

Fifth, no study has measured actual fear. Such measurements would help to create an appropriate level of anxiety about the severity of the threat and vulnerability. Therefore, the efficacy cannot be tested exactly. This is because each individual perceives fear at a different level and perceives a threat at different speeds. If fear was measured accurate, this could represent a significant step towards improved research (Boss et al. 2015).

The sixth point is that most studies made very great achievements to behavioral intentions, but dealt very few with the actual behavior of end users. After conducting their study, Boss et al. found that the actual protective behaviors were also carried out at a high fear appeal (Boss et al. 2015). However, in most studies it remains unclear how these so-called appeals for fear may eventually affect the behavior of end consumers (Johnston and Warkentin 2010).

In summary, Boss et al give in their paper four opportunities which could improve the current research. These opportunities are: using the PMT nomology, using fear appeals, measuring fear and measuring actual behavioral changes (Boss et al. 2015). Finally, IS research concentrates on the immediate effects of fear but does not focus on long term effects (Jenkins et al. 2014; Johnston and Warkentin 2010; Posey et al. 2015; Vance et al. 2013) Mwagwabi et al address this problem, which deals with improving compliance by password guidelines. However, this is also a limitation of this study, since it was prepared within 4 months, making it impossible to measure the long term effects (Mwagwabi et al. 2018b).

3. Research Model

The primary purpose of this study is to find out whether the induction of fear appeals has an impact on protection motivation relating to protective measures in information sharing and handling own data online. The core question is, if people reconsider their behavior, when they are informed that their personal data is accessible on the internet. This study aims to fill gaps in the literature regarding the impact of fear appeals on the protection motivation from an individual’s point of view. Based on indicators of exploratory research, some hypotheses must be formulated a priori. These are evaluated using the construct of an online questionnaire in the following survey and serve to improve the verification and evaluation of the data received from the survey. The protection motivation theory proposes, that the higher the threat, the higher is an individual’s behavior to change and adapt its behavior in favor of personal safety activities. Although the literature states that fear appeals should be included in PMT research and ought to be applied within the model, little research conducting fear arousing communications has been applied to date (Boss et al. 2015; Menard et al. 2017). Therefore, in this study, fear appeals are incorporated, in form of potential data leaks. In order to achieve a more expressive and informative result, the survey was divided into two groups. The first group exposed to fear appeals in form of a data leaks in one of their online user accounts based on checking their e-mail address and the second group which did not detect a data leak in one of their user accounts. More information on the fear arousing communication used will be provided in a subchapter in Chapter 4. The hypotheses were formulated in each case for both groups. All relationships between the different variables in the PMT model can be accessed in Figure 3.

As shown in Figure 2, dimensions adding up to the threat appraisal are perceived threat severity and the perceived threat vulnerability. Perceived threat severity can be related to one´s personal concern about the seriousness of the threat (Boss et al. 2015; Gochman 1997). In this case, perceived severity can be considered as the extent to which a person believes that the consequences of data leaks threats would be harmful. Therefore, the first two hypotheses can be formulated as follows:

H1a: Perceived threat severity in the group exposed to fear appeals in form of potential data leaks will positively influence the factor protection motivation.

H1b: Perceived threat severity in the group not exposed to fear appeals in form of potential data leaks will positively influence the factor protection motivation.

Perceived vulnerability is the personal estimation of the probability of being faced with a specific threat, also standing in positive correlation with the protection intention of an individual (Gochman 1997; Menard et al. 2017). In this thesis, this dimension can be summarized as the extent to which the person exposed believes they are likely to experience threats in regard to data leaks. Therefore, the following hypothesis were proposed:

H2a: Perceived vulnerability to threats in the group exposed to fear appeals in form of potential data leaks will positively influence the factor protection motivation.

H2b: Perceived vulnerability to threats in the group not exposed to fear appeals in form of potential data leaks will positively influence the factor protection motivation.

As mentioned in the section above, fear plays an important role in the protection motivation theory. The term can be defined as the consequence of a threat, in which the affected person is called to negative emotions such as worry or concern. In this case, the individual associates unfavorable feelings with a data leak. Fear can play a mediating function between the threat and the security mechanisms. To trigger fear, people must assume that they are vulnerable to threats (Wall and Buche 2017). In this case, an individual must believe that it would be possible to be personally affected by a data leak in one of the personal user accounts. Another factor to increase fear arises when the individual believes that the consequences of a threat, in this case a data leak, would have serious personal consequences. As a consequence, the following four hypotheses have been presented:

H3a: Perceived vulnerability in the group exposed to fear appeals in the form of potential data leaks is positively related to fear of threat.

H3b: Perceived vulnerability in the group not exposed to fear appeals in the form of potential data leaks is positively related to fear of threat.

H3c: Perceived severity in the group exposed to fear appeals in the form of potential data leaks is positively related to fear of threat.

H3d: Perceived severity in the group not exposed to fear appeals in the form of potential data leaks is positively related to fear of threat.

The factor fear can lead to a user considering protection instructions more severely and as stated above, plays a mediating function between the threat and the intention to engage in more secure behavior (Mwagwabi et al. 2018a). In this case, fear is described as the threat of possible data leaks. Therefore, the following two hypothesis were set:

H4a: An increase of fear in the group exposed to fear appeals in the form of potential data leaks induces an increased motivation for protection.

H4b: An increase of fear in the group not exposed to fear appeals in the form of potential data leaks induces an increased motivation for protection.

Besides the two factors mentioned above, there is a third dimension that directly influences the protection motivation: maladaptive rewards. The latter can be defined as positive aspects of starting or continuing unhealthy behavior (Menard et al. 2017). In this survey, maladaptive rewards are reasons for individuals to continue using weak passwords, for example for reasons of simplicity. For this matter, it is negatively correlated with the protection motivation, and therefore the following hypothesis have been made:

H5a: Increase of maladaptive rewards in the group exposed to fear appeals in the form of potential data leaks are negatively correlated with protection motivation.

H5b: Increase of maladaptive rewards in the group not exposed to fear appeals in the form of potential data leaks are negatively correlated with protection motivation.

According to the protection motivation theory, response efficacy, self-efficacy, and the response costs all together result in the coping appraisal. Response efficacy can be described as an individual’s conviction that a proposed reaction will effectively prevent a threat. In this context, if users believe that recommended password policies are able to prevent password-based threats, they are more likely to comply with the recommended policies. Furthermore the PMT model emphasizes, that the increase of response efficacy indicates an advanced likelihood to select the appropriate adaptive response (Boss et al. 2015; Gochman 1997). Therefore, the following hypotheses have been put forward:

H6a: Response efficiency in the group exposed to fear appeals in the form of potential data leaks will positively influence the protection motivation.

H6b: Response efficiency in the group not exposed to fear appeals in the form of potential data leaks will positively influence the protection motivation.

Self-efficacy is the anticipation of an individual's potential to conduct a suggested action (Gochman 1997; Lai et al. 2012). In this case, self-efficacy is described as the degree to which a user has confidence in his personal capacity to generate strong passwords and thus prevent data leaks. As well as response efficacy, self-efficacy is also positively related to the outcome and the adaption of individuals appropriate coping behavior (Gochman 1997). The following hypotheses have been formulated:

H7a: Self-efficacy in the group exposed to fear appeals in the form of potential data leaks will positively influence the protection motivation.

H7b: Self-efficacy in the group not exposed to fear appeals in the form of potential data leaks will positively influence the protection motivation.

Response costs are the perceived expenses of a person in conducting suggested coping actions. In this case, these costs can be defined as the level to which an individual considers it being challenging for him to remember more powerful passwords. Unlike response efficacy and self-efficacy, the response costs have a negative relationship with the likelihood of an individual choosing the appropriate adaptive response (Mwagwabi et al. 2018a). Therefore, this paper hypothesizes:

H8a: Increase of response costs in the group exposed to fear appeals in the form of potential data leaks are negatively correlated with protection motivation.

H8b: Increase of response costs in the group not exposed to fear appeals in the form of potential data leaks are negatively correlated with protection motivation.

When contemplating all these factors, connections and relationships between the variables of the PMT model, it could be suggested, that the greater the strength of a fear appeal manipulation, the stronger the protection motivation and resulting the change of behavior with security related threats. However, in the extent this survey was conducted, it was not possible to create an environment where the actual behavior of end users could be tested in comparison to the protection motivation. This will be explained in more detail later on.

Abbildung in dieser Leseprobe nicht enthalten


Excerpt out of 131 pages


Behind the scenes of privacy. A quantitative research study to examine the influence of fear appeals on protection motivation
Lehrstuhl für Wirtschaftsinformatik, insb. Informationssysteme in Dienstleistungsbereichen
Catalog Number
ISBN (eBook)
ISBN (Book)
It Sicherheit, Big data, Protection motivation theory, Privacy, fear appeal, Collection of information, security threats, password behaviour, enduser, human errors
Quote paper
Anonymous, 2018, Behind the scenes of privacy. A quantitative research study to examine the influence of fear appeals on protection motivation, Munich, GRIN Verlag,


  • No comments yet.
Look inside the ebook
Title: Behind the scenes of privacy. A quantitative research study to examine the influence of fear appeals on protection motivation

Upload papers

Your term paper / thesis:

- Publication as eBook and book
- High royalties for the sales
- Completely free - with ISBN
- It only takes five minutes
- Every paper finds readers

Publish now - it's free