This empirical study uses protection motivation theory to articulate and test a threat control model to validate assumptions and better understand the “knowing-doing” gap, so that more effective interventions can be developed.
Construct | Cites | Category | Questions given? | Content validity | Pretests | Response type | Notes |
---|---|---|---|---|---|---|---|
Perceived severity | Rippetoe, 1987; Milne et al., 2000 | | yes | no | none | 7? point Likert scale | |
Vulnerability | Rippetoe, 1987; Milne et al., 2000 | | yes | no | none | 7? point Likert scale | |
Locus of control | NEW; Rotter, 1966; Harrington, 1996 | | yes | no | none | 7? point Likert scale | |
Self-efficacy | NEW; Rotter, 1966; Harrington, 1996 | | yes | no | none | 7? point Likert scale | |
Response efficacy | Rippetoe, 1987; Milne et al., 2000 | | yes | no | none | 7? point Likert scale | |
Response cost | Rippetoe, 1987; Milne et al., 2000 | | yes | no | none | 7? point Likert scale | |
Subjective omission of security | NEW; Ajzen, 2002 | | yes | no | none | 7? point Likert scale | |
Michael Workman, William H. Bommer, and Detmar Straub. Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24(6):2799–2816, September 2008. doi:10.1016/j.chb.2008.04.005.
@article{workman_security_2008,
abstract = {Organizations and individuals are increasingly impacted by misuses of information that result from security lapses. Most of the cumulative research on information security has investigated the technical side of this critical issue, but securing organizational systems has its grounding in personal behavior. The fact remains that even with implementing mandatory controls, the application of computing defenses has not kept pace with abusers' attempts to undermine them. Studies of information security contravention behaviors have focused on some aspects of security lapses and have provided some behavioral recommendations such as punishment of offenders or ethics training. While this research has provided some insight on information security contravention, they leave incomplete our understanding of the omission of information security measures among people who know how to protect their systems but fail to do so. Yet carelessness with information and failure to take available precautions contributes to significant civil losses and even to crimes. Explanatory theory to guide research that might help to answer important questions about how to treat this omission problem lacks empirical testing. This empirical study uses protection motivation theory to articulate and test a threat control model to validate assumptions and better understand the ``knowing-doing'' gap, so that more effective interventions can be developed.},
author = {Workman, Michael and Bommer, William H. and Straub, Detmar},
doi = {10.1016/j.chb.2008.04.005},
issn = {0747-5632},
journal = {Computers in Human Behavior},
keywords = {Information Security,Omissive behaviors,Threat control model,Social cognitive theory,Protection motivation theory},
month = {September},
number = {6},
pages = {2799-2816},
series = {Including the Special Issue: Electronic Games and Personalized eLearning Processes},
shorttitle = {Security Lapses and the Omission of Information Security Measures},
title = {Security Lapses and the Omission of Information Security Measures: {{A}} Threat Control Model and Empirical Test},
volume = {24},
year = {2008}
}