Empirical assessment of mobile device users’ information security behavior towards data breach. Leveraging protection motivation theory
| DOI | https://doi.org/10.1108/JIC-03-2019-0063 |
| Date | 11 November 2019 |
| Published date | 11 November 2019 |
| Pages | 215-233 |
| Author | Anthony Duke Giwah,Ling Wang,Yair Levy,Inkyoung Hur |
| Subject Matter | Information & knowledge management |
Empirical assessment of mobile
device users’information security
behavior towards data breach
Leveraging protection motivation theory
Anthony Duke Giwah, Ling Wang, Yair Levy and Inkyoung Hur
College of Engineering and Computing,
Nova Southeastern University, Fort Lauderdale, Florida, USA
Abstract
Purpose –The purpose of this paper is to investigate the information security behavior of mobile device
users in the context of data breach. Much of the previous research done in user information security behavior
have been in broad contexts, therefore creating needs of research that focuses on specific emerging
technologies and trends such as mobile technology.
Design/methodology/approach –This study was an empirical study that gathered survey data from 390
mobile users.Delphi study and pilot studywere conducted prior to the main surveystudy. Partial Least Square
StructuralEquation Modelingwas used to analyzethe survey data after conducting pre-analysisdata screening.
Findings –This study shows that information security training programs must be designed by practitioners
to target the mobile self-efficacy (MSE) of device users. It also reveals that practitioners must design mobile
device management systems along with processes and procedures that guides users to take practical steps at
protecting their devices. This study shows the high impact of MSE on users’protection motivation (PM) to
protect their mobile devices. Additionally, this study reveals that the PM of users influences their usage of
mobile device security.
Originality/value –This studymakes theoretical contributions to theexisting informationsecurity literature.
It confirms PM theory’s power to predict user behavior within the context of mobile device security usage.
Additionally,this study investigates mobileusers’actual security usage.Thus, it goes beyond users’intention.
Keywords Protection motivation theory, Data breach, Mobile device security, Mobile device users,
User security behaviour
Paper type Research paper
1. Introduction
Mobile devices are transforming the way we collect, process and store data. While the
growth in their use can be attributed to the convenience they offer, mobile device
users, however, face data theft and breaches. Zahadat et al. (2015) noted it is a growing
security problem due to users’failure adhering to best mobile device security practices. The
Verizon Business 2015 report revealed that at least five major data breach incidents occur
daily (Goode et al., 2017), and the Ponemon Institute’s 2015 report noted it cost victimized
organizations over $4m.
The security challenges posed by mobile devices are not common to traditional
stationary computing systems. Mobile devices present unique risks that can lead to adverse
outcomes, and explains the need for users to take special measures to reduce or prevent
them (He et al., 2015; Tu et al., 2015). Also, mobile devices are more susceptible to data
breach than conventional systems as their mobility means data is carried everywhere and
exposed to insecure networks (Das and Khan, 2016; Tu and Yuan, 2012). The sizes of mobile
devices make them easy to carry around, thus, exposing them to loss or theft, with data
ending up in unauthorized hands (O’Neill, 2014; Tu et al., 2015). Compared to traditional
computers, mobile device malware and spyware behavioral detection engines are
inadequate, challenging to effectively implement and update due to their obscurity and
limited software platforms (Oberheide and Jahanian, 2010). Li and Clark (2013) noted that
Received 31 March 2019
Revised 16 June 2019
21 August 2019
28 August 2019
Accepted 28 August 2019
The current issue and full text archive of this journal is available on Emerald Insight at:
www.emeraldinsight.com/1469-1930.htm
Mobile device
users’
information
security
JournalofIntellectualCapital
Vol.21 No. 2, 2020
pp.215-233
©EmeraldPublishingLimited
1469-1930
DOI10.1108/JIC-03-2019-0063
215
mobile devices are more vulnerable to data breach because they host numerous mobile
applications which could have malicious codes. Also, mobile device users often bear the
responsibility to secure their own devices due to personal ownership, compared to
enterprises equipped with securing stationary computing systems (Tu and Yuan, 2012).
Mobile encryption software for instance remains scarce and more expensive than those for
traditional computers (Leavitt, 2011). Thus, mobile devices are less protected.
As the security challenges presented by mobile devices and the need for secure user
behavior become more apparent, this study aims to understand the contributing factors to
the security usage behavior of mobile device users. Past studies have generally investigated
user security behavior in information systems. However, a published study that researched
the mobile device security usage (MDSU) of mobile users by determining the effects of
perceived threat severity (PTSE), perceived threat susceptibility (PTSU), perceived response
costs (PRC), response efficacy (RE), mobile self-efficacy (MSE) and PM has not been found.
Willison and Warkentin (2013) and Crossler et al. (2013) noted that studies in user
information security behavior have always been high in demand. However, the few attempts
made at research in information security and mobile devices together have looked into other
issues rather than the security behavior of mobile device users. The few studies around
mobile devices include the work done by Keith, Thompson, Hale et al. on information
disclosure through location-based services on mobile devices, and the study by Allam et al.
(2014) on smartphone information security awareness. Lee et al. (2017) studied user attitude
in relation to their participation in a program that encourages the use of personal mobile
devices for work. Lebek et al. (2013) also conducted a study that examined employee
perceived concerns and perceived benefits, and the impact on their attitude toward using
mobile devices.
The growing popularity and usage of mobile devices as the paramount computing tool
for different activities cannot be understated (Kuznekoff and Titsworth, 2013). This is
evident in how past research attempts on mobile devices have focused on how users are
leveraging mobile devices in unconventional ways such as learning (Martin and Ertzberger,
2013), healthcare (Boruff and Storie, 2014) and finance (Fenu and Pau, 2015). Although it is
clear that mobile device users utilize them in a myriad of ways, what still remains
unexplored in the research on mobile devices is the information security usage behavior
mobile users in the context of data breach. The lack thereof, or minimal exploration in this
area may be attributed to the suggestion by Alhogail et al. (2015) that within the information
security context, the human factor is complex to understand and manage because human
behavior is unpredictable.
2. Theoretical background
This study was based on the protection motivation theory (PMT). The PMT was first
developed by Rogers (1975) as a framework to provide clarity to the understanding of fear
appeals. Rogers (1983) later revised the theory to provide a more general perspective of the
impact of persuasion communication with an emphasis on its efficacy to mediate behavior
change. According to Floyd et al. (2000), “the protection motivation concept involves any
threat for which there is an effective recommended response that can be carried out by the
individual”(p. 409). PMT posits that individuals’PM is based on perceived threats to
themselves and their surroundings, and individuals cope with threats based on two
processes: appraising the threat, and a coping appraisal in which the options to reduce or
mitigate the threats are assessed (Herath and Rao, 2009). Boss et al. (2015) and Posey et al.
(2015) noted that PMT is based on threat appraisal and coping appraisal, and how these two
components influence PM.
Past behavioral information security research mostly lacks the explicit inclusion of
actual security usage as the dependent construct in their models. Its minimal use in previous
JIC
216
21,2
To continue reading
Request your trial