What motivates users to adopt cybersecurity practices? A survey experiment assessing protection motivation theory

Research Summary

A 2 × 2 × 3 fully crossed factorial experiment is used to examine the linkages between key dimensions of protection motivation theory (PMT; perceived severity of risk, vulnerability to risk, and response costs) and the intentions to adopt information technology (IT) cybersecurity recommendations after being informed of degrees of risk in the vignettes. Data in this study consist of a nationwide sample of 720 American adults. Results from a series of fractional logistic regressions indicate support for many of the core mechanisms within PMT. Seventy percent of respondents indicated they were likely to follow IT recommendations to mitigate a cyber threat. Self-efficacy and response costs affected intentions to do so.

Policy Implications

The study's findings have important implications for improving cybersecurity and reducing vulnerabilities to cyber threats. Current training programs need more effective communication strategies and engagement tools. Perceptions of users as security threats rather than potential contributors hinder progress in the ability of organizations to improve cybersecurity. Collaborative, user-centered approaches can enhance users’ self-efficacy and improve cybersecurity by aligning user and IT professional needs and capabilities. Strategies like gamified simulations and tailored interventions can create a more security-focused culture and encourage user participation in defending an organization. Recognizing individual differences among users and further examining personal characteristics that may impact user interactions with technology and cybersecurity interventions is crucial. Overall, more personalized, adaptable approaches to cybersecurity policies and technical solutions, accounting for diverse user needs and characteristics, should be a priority for improving cybersecurity practices.