Using susceptibility claims to motivate behaviour change in IT security

Organisations face growing IT security risks with substantial consequences for missteps in business continuity, data loss, reputational harm, and future competitive advantage. To improve precaution-taking among organisation members, leaders frequently turn to susceptibility claims embedded in securi...

Full description

Saved in:
Bibliographic Details
Published inEuropean journal of information systems Vol. 30; no. 1; pp. 27 - 45
Main Authors Jensen, Matthew L., Durcikova, Alexandra, Wright, Ryan T
Format Journal Article
LanguageEnglish
Published Taylor & Francis 02.01.2021
Subjects
Anat Hovav
Dov Te'eni
fear appeal
field experiment
furtive attack
latitude of acceptability
latitude of rejection
overt attack
password
Phishing
social judgement theory
susceptibility
Online AccessGet full text

Cover

More Information
Summary:Organisations face growing IT security risks with substantial consequences for missteps in business continuity, data loss, reputational harm, and future competitive advantage. To improve precaution-taking among organisation members, leaders frequently turn to susceptibility claims embedded in security education, training, and awareness (SETA) initiatives to motivate change. However, prior studies have produced mixed empirical results concerning the role of susceptibility in motivating precaution-taking. To deepen theorising about using susceptibility claims to change behaviour, we argue that threat characteristics (overt versus furtive attacks) shape individuals' attitudes of the threat, and these attitudes subsequently anchor how individuals respond to new claims about the threats. We introduce social judgement theory (SJT) to argue that when individuals participate in SETA initiatives, susceptibility claims that are too distant from individuals' existing attitudes will be ignored, while claims that are more proximal are more likely to be accepted and result in behaviour change. Using a longitudinal field experiment, we found that susceptibility claims motivated precaution taking against phishing (overt attack) but did not against password cracking (furtive attack). These results support SJT predictions and imply latitudes of acceptability and rejection into which susceptibility claims are placed. Implications for researchers, organisation leaders, and SETA developers are discussed.
ISSN:0960-085X
1476-9344
DOI:10.1080/0960085X.2020.1793696