Examining Multiple Stages of IS Security Behavior by End-Users

Mary Burns
Assistant Professor, Augusta State University
The adage "old habits die hard" is especially relevant when humans learn new protective behaviors (e.g., dental flossing, IS security behaviors). The foundation underlying many social-cognitive theories used in IS research is that intention to change predicts actual behavior change. Despite intending to change, humans do not always change their habits, for example because of actual or perceived obstacles. In this study, user behavior, particularly vigilance toward phishing attempts, was investigated through the theoretical lens of a hybrid continuum-stage behavior change model adapted from health-related fields. This type of model helps us understand whether there are qualitatively different stages in adopting a more vigilant action plan toward phishing attempts, the number and ordering of the distinct stages a user must move through between forming an intention and the subsequent behavior, what characterizes those stages, and how appropriate interventions at these stages can move a user to a higher stage of vigilant behavior. The goal of this research was to gain a better understanding of: a) whether there are distinct stages that distinguish end-users' vigilance toward phishing attempts; b) how many qualitatively different stages there are; and c) what characterizes these stages. This study profiled IS end-users on the model's constructs (e.g., coping self-efficacy, intention, action/coping planning, and risk perception), which examined end-users' protective behavior toward phishing attempts. In an exploratory analysis of survey data, stages of IS end-users were determined via cluster analysis techniques (hierarchical followed by K-means). A survey was administered to respondents (n = 394). Next, an agglomerative hierarchical cluster analysis using the within-groups average linkage method and Euclidean distance measures was performed on the model's constructs.
Three clusters emerged as the optimal number to use in the subsequent K-means cluster analysis. After analyzing the 3-cluster solution for stability, for validity using a dissimilarity ratio, and by cross-validation, I compared the means of the model's constructs to develop profiles for the three distinct stages. I conclude that exploratory cluster analysis is an effective technique for discovering natural groupings in the protective behavior of IS end-users, and I propose future research to investigate stage-appropriate interventions that move users to higher stages.