The Role of Habit in Information Security Behaviors

Abstract

The purpose of this present study is to understand the role of habit in information security behaviors. The automatic aspect of habit and its impact on secure behavior and the intention-behavior relationship was explored in this dissertation through the lens of protection motivation theory. Three secure behaviors were selected for the investigation after following a rigorous process to identify habitual secure behaviors. The three behaviors that were investigated are: locking the PC when leaving it unattended, verifying the recipient email addresses before sending email and visiting only verified websites. Separate pilot studies were conducted for each of the behaviors followed by a main investigation. Habit was measured with a first-order reflective and second-order formative scale that captured the multidimensional aspects of habit: Lack of Awareness, Uncontrollability and Mental Efficiency.

Data were collected for each of the behaviors separately via separate online surveys using Amazon Mechanical-Turk. The results of the data analyses indicate that habit significantly influence the performance of secure behavior while negatively moderating the intention-behavior relationship for each of the three behaviors. The findings also confirm that when certain behaviors are habitual, the cognitive resources needed to make decisions on performing behavior reduce. Several alternate models were analyzed as a part of the post hoc phase of the study.

The findings of this study provide several contributions to the IS research and practice. This study investigated the role of habit in an information security context using a second-order formative scale. The findings indicate that habit play a significant role in the performance of secure behaviors and verifies the relationship between intention and behavior in an information security context. The findings provide directions to organizations in understanding habits of their employees and to foster positive habits while breaking negative habits. The findings of this study provide several future research directions and highlight the importance of further exploration of habit in an information security context.