This chapter explores the existing literature, presents a discussion of the concepts underlying the research topic, and sets the scene for the reader in understanding the topic. The chapter also discusses the motivation theory framework that will be drawn on to guide the data collection, data analysis and interpretation of the collected data.
Previous literature has widely discussed the influence of human factors and cybersecurity behaviours on cybersecurity awareness, and the effects that cybersecurity awareness has on behaviours (Alghamdi, 2021). Employees' main objective is to complete a task; if the security controls in place impede or slow down this objective, then the employee will see them as a barrier and circumvent the process. This phenomenon is a perceived barrier: what an employee deems inconvenient, and the cost to them of carrying out cybersecurity tasks (Alghamdi, 2021). This is in line with Calvin (2018), who noted that if employees are frustrated to the extent that they believe performing a behaviour is negative, then that employee will display a disagreeable attitude. Blythe et al. (2015) called this response cost, in which an employee's security behaviour is determined by the degree to which it impacts on their job productivity.
Human factors are human errors that cause a security incident (Gratian et al., 2018). Calvin (2018) describes human factors as human interactions and practices within an information system environment. Behaviours in terms of security compliance continue to be a challenge, as identified by Donalds and Osei-Bryson (2020), who list individuals' malicious, negligent, or unintentional actions as the top cause of security incidents. The explanation of behaviours within the research papers has been grounded on the theory of planned behaviour (TPB) and protection motivation theory (PMT) (Ergen et al., 2021; Blythe et al., 2015; Alghamdi, 2021; Calvin, 2018). Carelessness or negligence, rather than malicious intent, is the main cause of human-enabled data breaches (Nifakos et al., 2021). Employees resist compliance due to human factors such as time pressure, high workload and finding a quicker way of completing a task (Calvin, 2018).
In Alghamdi's (2021) case study, 51% of the respondents regarded the threat associated with cybersecurity awareness as significant. Restrictive organisational policies are viewed by some as unnecessarily constraining (Donalds & Osei-Bryson, 2020), and this is not helped by existing cybersecurity awareness training that is restrictive in scope and fails to modify employee security behaviours (Calvin, 2018). In organisations where security is usually under-resourced, engaging employees in a detailed cybersecurity awareness program might prove to be a wish list; instead, what it ends up being is a compliance tick-box exercise in which computer-based training is an annual event.
Companies need to move away from traditional security training and awareness initiatives in the form of an annual computer-based training course and move towards implementing a more transformative form of training (Alshaikh, 2020).
Cybersecurity awareness programs
Cybersecurity is an interdisciplinary, multidimensional, global phenomenon (de Bruijn & Janssen, 2017). A cybersecurity breach can range from low or limited impact, to the stealing and manipulation of data, or even to taking over control of systems and causing harm in the physical world (de Bruijn & Janssen, 2017).
Whitman and Mattord (2019, p. 689) define cybersecurity as the “protection of computerised information, processing systems and the data they contain and process”. This is similar to the UK's National Cyber Security Centre (2021, para. 16), which defines cybersecurity as “the protection from theft or damage of devices, services and networks including the information contained within them”.
Cybersecurity concerns both humans and systems, as the concept of cybersecurity refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values of people regarding cybersecurity and how these manifest themselves in people's behaviour with information technologies (Georgiadou et al., 2020). Despite the fact that almost everybody has heard of cybersecurity, people's sense of urgency and their behaviour do not reflect a high level of awareness (de Bruijn & Janssen, 2017). The need for effective cybersecurity awareness is now even more important as the Internet of Things (IoT) becomes interwoven into everyday life and our dependence on information and communication technologies continues to grow.
Cybersecurity awareness, as noted by Ergen et al. (2021), is the starting point in the fight against cyber-attacks and can be defined as the level of knowledge employees have of the cyber threats facing their organisation, their systems and themselves. Awareness, as described by Alshaikh et al. (2018), involves the provision of informal training to employees to raise their awareness of risk and security.
Most breaches are the result of employees' failure to comply with the organisation's security policies (Nifakos et al., 2021). Whilst cybersecurity awareness is growing amongst senior executives, organisations need to rethink their cybersecurity awareness strategy as cyber threats become even more sophisticated. Ergen et al. (2021) noted that the cyber threats organisations must deal with are usually difficult to detect.
It has been identified that many employees lack a basic understanding of their organisation's information security policies, and even where they do have some understanding of those policies there is no guarantee that they will comply with them (Hadlington et al., 2020). Awareness is fundamental to behavioural change (Ergen et al., 2021). Organisations must invest in changing employees' behaviours to be consistent with their information security policies in a way that becomes natural (Alshaikh, 2020) in both their corporate and personal activities. By being proactive in preparing cybersecurity awareness programs and measuring the results, there is an opportunity to reduce existing gaps in security behaviours (Ergen et al., 2021).
The consensus in the security research field is that security awareness programs should be in place not only to raise employees' awareness but also to equip them with the knowledge necessary to comply with the organisation's security policies (Alshaikh et al., 2018).
Cybersecurity awareness campaigns must convey a sense of importance and urgency to their audience; one way of doing this is to be open about the risks and what is at stake (Haney & Lutters, 2018), as well as advocating the empowerment of people to foster the belief in one's ability to manage or control a situation. Context within cybersecurity awareness is important, and a one-size-fits-all approach must not be taken. Whoever is responsible for the awareness program must ensure that the operational environment of their audience is considered, taking technology, roles, constraints, and goals into account (Haney & Lutters, 2018). Context awareness is critical to selling the security message in a manner that the audience understands and cares about (Haney & Lutters, 2018).
Cybersecurity awareness programs should not concentrate only on the organisation but should also touch on the personal environment. It is important that security awareness programs include the reasons why people should follow security guidelines and rouse feelings of wellbeing, rationality, and logic (Haney & Lutters, 2018).
Understanding what motivates people to adopt good security behaviours is paramount, as this gives security awareness practitioners the understanding needed to evaluate whether their current approach to their awareness campaign needs to change.
Motivation is related to psychology and, as noted by Ryan and Deci (2020), it is through understanding basic psychological needs that practitioners are better able to understand what factors alienate or encourage engagement.
Motivation concerns the act of intention (Ryan & Deci, 2000) and may influence a user to comply with security policy and take action to protect information assets (Menard et al., 2017). People are moved to act by different circumstances: they can be motivated because they have a vested interest in an activity (intrinsic motivation) or because they have been influenced by an external factor (extrinsic motivation) (Ryan & Deci, 2000). Motivation is an action influencer, as it arouses, sustains, and directs activity (Menard et al., 2017).
Kleinginna and Kleinginna (1981) categorised a list of definitions of motivation in their paper. The description chosen for this paper is the definition by Herbert L. Petri (1981, p. 281), which defines motivation as the “concept used to describe the forces acting on or within an individual to initiate and direct behaviour”.
To understand the security behaviours underpinning the information systems field, theoretical models are used to facilitate the identification of factors (Blythe et al., 2015). The two most widely used theories within information systems are the Theory of Planned Behaviour (TPB), which identifies links between attitudes and behaviours, and Protection Motivation Theory (PMT), a risk perception theory that explores individuals' perception of a threat, their response behaviour, and their motivation to protect themselves (Blythe et al., 2015).
Protection motivation theory
Protection motivation theory (PMT) is one of the most applied theories in behavioural information systems (IS) security research and has been used as a foundation for information security research (Haag et al., 2021; Posey et al., 2015). It is considered a general theory of motivation that can be used to explain individuals' actions regarding any threat (Posey et al., 2015) and can be applied to situations involving threats (Haag et al., 2021). PMT postulates that an individual assesses a threat when confronted with one and looks for possible solutions (Menard et al., 2017). The most discussed components of the PMT model are perceived severity, perceived vulnerability, self-efficacy, response efficacy and response cost (Posey et al., 2015; Blythe et al., 2015; Haag et al., 2021). These components have been identified by prior research as having a direct effect on behaviour (Menard et al., 2017).
Central to the PMT model are the threat appraisal and coping appraisal processes (Posey et al., 2015). Threat appraisal consists of perceived severity and perceived vulnerability and concerns how individuals assess and evaluate the level of danger presented by a cybersecurity threat (Li et al., 2019; Posey et al., 2015).
Coping appraisal, which includes self-efficacy, response cost and response efficacy, refers on the other hand to how individuals assess their ability to deal or cope with the threat; it is about the individual's confidence in coping with the security situation (Li et al., 2019).
Threat vulnerability is the degree to which individuals feel that they or their organisation are easily exposed to certain security threats (Posey et al., 2015).
Habit has a significant influence on whether an individual feels subject to a particular threat (Vance et al., 2012), as the combination of unavoidable events that exact discomfort often causes individuals to become nervous, scared, and upset (Posey et al., 2015). If individuals feel that security attacks are unlikely to happen to them, then they may not engage in security awareness campaigns or good security behaviours (Blythe et al., 2015); on the other hand, when an individual feels vulnerable to security attacks this may result in protective behaviour (Blythe et al., 2015). This is supported by Haag et al. (2021), who identified a significant impact of threat vulnerability on users who had personally experienced a threat, knew someone who had been exposed to one, or recognised the likelihood of one.
Threat severity is the level of seriousness of a security threat and its related consequences (Blythe et al., 2015). It is the extent to which organisational threats are perceived to be damaging and to cause harm (Posey et al., 2015). In simple terms, it is an employee's perception of the seriousness of the threat (Menard et al., 2017).
Vance et al. (2012) found that the severity of the threat does have a positive impact on an individual's intention to comply with their organisation's IS security policies. Although a security breach may or may not have direct consequences for the individual, the breach itself may lack personal relevance (Menard et al., 2017); therefore, appeals that are individually focused are much more effective in reinforcing security behaviours than fear- or threat-focused communications.
Self-efficacy is an individual's belief that they can alleviate a cybersecurity threat (Shappie et al., 2020); it is essentially the belief in one's ability to make appropriate decisions when faced with a cybersecurity situation. Self-efficacy, a dimension within cybersecurity (Shappie et al., 2020), has been identified by Alghamdi (2021) and Shappie et al. (2020) as an important factor in cybersecurity awareness. It has consistently been shown within research to influence security compliance (Blythe et al., 2015), because it relates to personal belief in one's ability to make appropriate decisions in the event of a cybersecurity incident. Alghamdi's (2021) study identified that individuals with high levels of self-efficacy have a positive impact on cybersecurity behaviours. This supports Blythe et al.'s (2015) paper, which identifies self-efficacy as an individual's belief in their ability to cope with a task: the higher the self-efficacy, the more likely the individual is to follow cybersecurity policies. This indicates that self-efficacy is a dimension of cybersecurity. Donalds and Osei-Bryson (2020) state that security self-efficacy influences an individual's cybersecurity compliance behaviours. As self-efficacy is about self-belief, it can be positively influenced by targeting an individual's knowledge of organisational security behaviour as well as their belief that this knowledge will help improve cybersecurity within the organisation (Shappie et al., 2020).
Response efficacy is the perception of how well the recommended response or coping strategy addresses the threat at hand (Menard et al., 2017; Posey et al., 2015). It is the belief that a specific security behaviour will reduce a security event (Blythe et al., 2015). Employees who are committed to their organisation are more likely to engage in security awareness programs, as they are willing to equip themselves with the knowledge of how to protect company information (Posey et al., 2015).
Some researchers claim that response efficacy is the most important predictor of protection motivation. This is supported by Posey et al. (2015), who in their paper were able to demonstrate that response efficacy exhibited a stronger relationship with protection motivation than the other components. Menard et al. (2017) also identified in their study that response efficacy is a more important factor than self-efficacy in terms of protection motivation, and that reinforcing an individual's computer-based competence increases their confidence in their ability to carry out the recommended response.
Response cost refers to beliefs about the costs of performing the expected security behaviour (Blythe et al., 2015). An individual may interpret response cost in a number of forms, including time, money, effort, inconvenience, difficulty, and potential side effects (Menard et al., 2017; Posey et al., 2015). One of the difficulties identified by Posey et al. (2015) is that response costs often conflict with individual or organisational goals, such as trying to get one's own assignment completed on time. If the individual perceives that the cost of following a security behaviour is too high, then they are unlikely to follow through with it (Blythe et al., 2015).
Individuals and organisations have different perspectives on the costs of certain security compliance behaviours (Blythe et al., 2015). An individual might have multiple effective responses available and evaluate the costs associated with each of them, selecting the response that minimises the cost of performance (Menard et al., 2017).
Response cost is seen to negatively affect the adoption of security behaviours (Menard et al., 2017), as individuals consider the inconvenience of adhering to IS security policies a legitimate reason for not complying with those policies (Vance et al., 2012). It is important that individuals within the organisation are made to understand the need to perform good security behaviours despite any perceived response cost to them (Posey et al., 2015).
Posey et al. (2015) identified that the coping appraisal process (self-efficacy, response efficacy) is more vital to increasing protection motivation and protective actions than the threat appraisal process. Behavioural responses should be identified in order to design distinct IS security threat messages that are able to change the perceptions of the targeted individuals.
Security awareness practitioners, whilst ensuring that their awareness campaigns do cover threat vulnerability and severity, should concentrate on how they can motivate and empower employees to identify and deal with a security event.
In turn, creating a culture where individuals within the organisation comply with IS security policies as a matter of habit will have a positive influence on threat severity, self-efficacy and response efficacy (Vance et al., 2012).
Understanding the barriers
The Cambridge online dictionary defines a barrier as “something that prevents something else from happening or makes it more difficult”.
Applying this definition to cybersecurity awareness implies a need to understand what ‘that thing’ is that prevents or encourages a certain behaviour. The factors that cause these barriers need to be understood so that they can be countered using different motivating factors.
People have a tendency to select only those parts of a message that they want to hear (de Bruijn & Janssen, 2017); they hold a belief about their ability to engage in a particular way and are not usually worried about cybersecurity unless they have previously been affected. This self-interest is both a barrier and a motivator. Haney and Lutters (2018) identified that when a threat was personally relatable, security behaviours were better; this suggests that individuals who develop feelings of ownership for their work-related data are more likely to engage in positive behaviours (Raddatz et al., 2020).
People's perceptions of cybersecurity are another factor: people choose to accept security advice based on its trustworthiness (Haney & Lutters, 2018). Unfortunately, sensationalised media portrayals of cyber incidents at big corporations have a hand in giving people a false sense of security that they or their organisations will not be targeted, as in their opinion only a certain type of organisation is targeted. It has not helped that within the cybersecurity realm security professionals are seen negatively, due to a history of security professionals regularly expressing the belief that users are unable to comprehend and practise good security behaviours (Haney & Lutters, 2018). There is also a weariness towards security when it becomes too burdensome (Haney & Lutters, 2018). Employees view rigid security measures as counterproductive, as they believe these hinder their ability to be flexible in their day-to-day operations (Haney & Lutters, 2018). Another barrier is communication: cybersecurity has been the domain of specialists and experts who are not trained to communicate about the issues (de Bruijn & Janssen, 2017), and these specialists often use technical terms, which fail to get the right message across. De Bruijn and Janssen (2017) identified that management techniques are used to over-dramatise and oversimplify cybersecurity risks, and these techniques are applied when security policies are written. A consequence of this approach is that employees within an organisation see security policies as inefficient or counterproductive to attaining their business objectives, thereby making them a barrier. Mandating or forcing users to complete an annual organisational security awareness program is another driver of users' lack of interest in adopting good security behaviours (Haney & Lutters, 2018).
This annual computer-based training does not encourage good security behaviours but rather reinforces apathy, as the aim of the training is not to change behaviour but to meet a regulatory obligation.
A real challenge in the current environment is that cybersecurity comes at a price and complete protection is never possible (de Bruijn & Janssen, 2017). If a complex topic such as cybersecurity is made relevant to people's immediate living environment, then they will readily recognise the urgent need to address cybersecurity within their own personal and professional space (de Bruijn & Janssen, 2017).
Table of contents:
1.1 Research Question
2. Theoretical Background
2.1 Related research
2.2 Cybersecurity awareness programs
2.3 Motivation theory
2.3.1 Protection motivation theory
2.4 Understanding the barriers
3. Research Method
3.1 Research methodology
3.2 Case study approach
3.3 Case study participants selection
3.4 Case study design
3.5 Data collection
3.5.1 Primary data source: Interviews
3.6 Data Analysis
4.1 Theme 1: Using different engaging techniques
4.2 Theme 2: Making it personal and relatable
4.3 Theme 3: Utilising leadership commitment
4.4 Theme 4: Embracing technical controls
5.1 Discussion of findings
5.2 Implications for practice
5.3 Limitations and future research
Appendix A. Interview Protocol Guide