The Role of Trait Affect in the Information Security Behavior of Home Users
Dupuis, Marc J.
MetadataShow full item record
University of Washington Abstract The Role of Trait Affect in the Information Security Behavior of Home Users Marc J. Dupuis Chairs of the Supervisory Committee: Research Associate Professor Barbara Endicott-Popovsky Associate Professor Hazel Taylor The Information School Computers provide people with the means to perform a wide range of tasks, from running complex applications to storing photographs. The Internet adds an additional dimension; it enables people to shop for gifts, pay bills, perform research, read the news, and communicate with old friends and new. In addition to all of the benefits computers provide to people, there are inherent risks. These risks exist in many different forms, including malware, phishing scams, loss of data, and the privacy of individuals being compromised. Home users represent the largest segment of Internet users and pose the most significant threat. However, research has traditionally focused on users within an organizational setting. While research examining home users has increased significantly over the last several years, there is still a lot that we do not know. This research examined the role trait affect, a lifelong and generally stable type of affect, has on the information security behavior of home users in response to three threats: computer performance compromise, personal information compromise, and loss of data and files. In this study, the role of trait affect in the information security behavior of home users was examined by using the two higher order dimensions of affect, positive affect and negative affect, which represent the valence of mood descriptors (e.g., afraid, scared, nervous, guilty, active, alert, enthusiastic, excited). It was hypothesized that the effect trait positive affect and trait negative affect have on the information security behavior of home users is indirect through their effect on threat perception (i.e., perceived threat severity and perceived threat vulnerability) and self-efficacy. Likewise, it was hypothesized that higher levels of trait positive affect are associated with lower levels of threat perception and higher levels of self-efficacy, with trait negative affect having the opposite effect. Three surveys were used to explore these issues, including a previously validated survey instrument for trait positive affect and trait negative affect, previously validated constructs adapted from other research, and measures for the dependent variables developed through use of the Delphi technique. The results of the three surveys supported 10 of the 33 hypotheses. Out of the nine hypotheses for trait positive affect, three were supported. This included an association between higher levels of trait positive affect with higher levels of information security response self-efficacy in two of the three studies. In one of the surveys, higher levels of trait positive affect was also associated with lower levels of perceived threat vulnerability. In contrast, none of the nine hypotheses for trait negative affect were supported. Beyond the 18 hypotheses for trait affect, the hypothesized relationship between self-efficacy and information security behavior was supported in all three surveys. Five additional hypotheses based on Protection Motivation Theory (PMT) were also supported. This research makes five primary contributions. First, trait positive affect may play an indirect role in understanding how individuals respond to and cope with a threat. Furthermore, it suggests that trait positive affect is worth exploring further, perhaps with greater granularity than what was done here. Second, this research extended the application of Protection Motivation Theory (PMT), which has been the primary underlying theory used by researchers in understanding the information security behavior of home users. In part, this was done by including constructs from PMT and measurements of trait affect to form a more complete understanding of the information security behavior of home users. Third, in addition to extending PMT, this research examined three different threats using the same methods and data analysis procedures. I did this by conducting three different surveys at the same time--one for each of the three threats. This allowed me to determine if the efficacy of PMT depended at least in part on the threat under examination. The data analysis suggests that the specific threat that is examined using PMT does impact the efficacy of PMT as a theoretical framework for understanding human behavior. Fourth, an additional contribution this research makes is its support for the continued role of self-efficacy as a predictor of behavior. In fact, the positive association between self-efficacy and behavior was the one general hypothesis that was supported in all three surveys. Fifth, this dissertation contributes to research on the information security behavior of home users by having developed and validated three survey instruments. These three survey instruments were designed to measure specific information security responses required to mitigate one of three different threats: computer performance compromise, personal information compromise, and loss of data and files. Finally, I explored future research avenues in light of these results, including experimental research, as well as exploring trait positive affect with a higher level of granularity than what was done here. Implications for theory, policy, and practice are discussed.
- Information science