Reconsidering neutralization techniques in behavioral cybersecurity as cybersecurity hygiene discounting

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-01-01 DOI:10.1016/j.cose.2024.104306

Mikko Siponen , Volkan Topalli , Wael Soliman , Tiina Vestman

{"title":"Reconsidering neutralization techniques in behavioral cybersecurity as cybersecurity hygiene discounting","authors":"Mikko Siponen , Volkan Topalli , Wael Soliman , Tiina Vestman","doi":"10.1016/j.cose.2024.104306","DOIUrl":null,"url":null,"abstract":"<div><div>Neutralization Theory (NT), with its popular neutralization techniques, have been established as a major framework to explain or predict cybersecurity policy noncompliance by users. NT states that people anticipating the perpetration of a norm violation activity will excuse their behaviors through self-talk justifications (neutralization) to avoid <em>guilt</em> and <em>shame</em>. NT's appeal for cybersecurity is obvious. One can easily imagine users justifying noncompliance by neutralizing the negative outcomes of their behavior. NT, as originally formulated, assumed that guilt and shame were the exclusive outcomes of anticipated transgressions. However, in the cybersecurity context, the role of guilt and shame as the sole motivators of neutralization excuses is debatable. We argue that users may be motivated by other factors (e.g., fear, boredom, concern for efficiency) in neutralizing that could be causally more relevant in predicting noncompliance behavior in cybersecurity. What holds value for behavioral cybersecurity, we argue, is the general mechanism of NT, the process of neutralizing the impact of an anticipated negative outcome on the decision to move forward (or not) with noncompliance. We call for decoupling the general mechanism of NT (e.g., neutralizing) from the criminologically identified motivations for engaging in NT (e.g., guilt and shame). In doing so, we put forward a behavioral cybersecurity security version of NT – cybersecurity hygiene discounting – and suggest four streams of research.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104306"},"PeriodicalIF":4.8000,"publicationDate":"2025-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824006126","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Neutralization Theory (NT), with its popular neutralization techniques, have been established as a major framework to explain or predict cybersecurity policy noncompliance by users. NT states that people anticipating the perpetration of a norm violation activity will excuse their behaviors through self-talk justifications (neutralization) to avoid guilt and shame. NT's appeal for cybersecurity is obvious. One can easily imagine users justifying noncompliance by neutralizing the negative outcomes of their behavior. NT, as originally formulated, assumed that guilt and shame were the exclusive outcomes of anticipated transgressions. However, in the cybersecurity context, the role of guilt and shame as the sole motivators of neutralization excuses is debatable. We argue that users may be motivated by other factors (e.g., fear, boredom, concern for efficiency) in neutralizing that could be causally more relevant in predicting noncompliance behavior in cybersecurity. What holds value for behavioral cybersecurity, we argue, is the general mechanism of NT, the process of neutralizing the impact of an anticipated negative outcome on the decision to move forward (or not) with noncompliance. We call for decoupling the general mechanism of NT (e.g., neutralizing) from the criminologically identified motivations for engaging in NT (e.g., guilt and shame). In doing so, we put forward a behavioral cybersecurity security version of NT – cybersecurity hygiene discounting – and suggest four streams of research.

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.