This experimental research uses the framework of protection motivation theory (PMT) to understand user response to a cybersecurity message. The findings provide empirical evidence of the negative consequences that arise from a sense of self-efficacy in technology use when it is not accompanied by domain knowledge. This research found that even though cybersecurity messages motivated individuals to increase their protections, when shown how to perform a security task (checking for browser updates) there was a significant drop in self-efficacy. This would suggest that other factors, such as usability, are inhibiting motivated individuals from enacting security protections. This research consisted of three phases for rigor and to increase validity. First, the appropriateness of using PMT in this domain was tested through reviewing previous literature. Next, PMT a set of focus group transcripts (n=18 groups, ~10 people each) was explored to look for new constructs and emerging threats to improve scales. From the previous literature and focus group review, a research instrument was developed and tested. Next, a pilot study (n=70) was run using a college student sample. The results informed revisions of the research instrument, which was then used on a larger sample of online workers (n= 820). The model increases specificity in the use of PMT by adding new constructs including domain knowledge. Unexpectedly, the experimental stimulus (i.e., a cybersecurity compliance message with a training component) resulted in a significant decline in self-efficacy and lower protection motivation than the control group. This was especially true for those with high self-efficacy pre-message who were lacking domain knowledge. As this response is quite different from other domains, where vicarious learning usually increases motivation, this finding has significant theoretical and practical implications. The lower motivation to protect, and the decline in self-efficacy after being shown how to complete a security task, suggests that usability is a critical issue in enacting protections. Previous experiences with cybersecurity threats, current protective actions, and protection habit strength were also explored. Implications for cybersecurity education efforts and improvements in cybersecurity usability are discussed.
Read
