Who cares if we get hacked? The development and testing of a measure of information security apathy
Alan R. Dennis, Sanjay Goel, Jenny Huang, Kevin J. Williams
Information & Management, 62(7), Article 104166. Published 2025-05-13.
DOI: 10.1016/j.im.2025.104166
https://www.sciencedirect.com/science/article/pii/S0378720625000692
Citation count: 0
Abstract
We develop a construct called information security apathy, which we define as the extent to which individuals lack interest in information security. In Study 1, we develop and refine a scale to measure information security apathy, assess its content and its convergent, discriminant, and predictive validity, and show that it is distinct from and more stable over time than seven security motivation and attitude constructs used in prior research. In Study 2, we examine the relative effects of security apathy and security knowledge on security decisions by presenting users with a series of security situations and asking what security actions they would be likely to take. We also investigate the personality factors that influence security apathy. In Study 3, we again examine the relative effects of security apathy (and security knowledge) and its personality correlates, but this time when job responsibilities pose strong competing priorities to security compliance, a situation in which apathy should be particularly important. Studies 2 and 3 show that security apathy has a medium to large effect on security decisions—a noticeably larger effect than security knowledge. Our measure of security apathy offers researchers a better ability to predict security compliance and organizations a better way of assessing where to focus their security efforts (reducing apathy versus providing training).
About the journal:
Information & Management is a publication that caters to researchers in the field of information systems as well as managers, professionals, administrators, and senior executives involved in designing, implementing, and managing Information Systems Applications.