Mitigating the security intention-behavior gap: The moderating role of required effort on the intention-behavior relationship
Name:
MitigatingtheSecurityIntention ...
Size:
905.3Kb
Format:
PDF
Description:
Final Published Version
Publisher
Association for Information SystemsCitation
Jenkins, J., Durcikova, A., & Nunamaker Jr, J. F. (2021). Mitigating the security intention-behavior gap: The moderating role of required effort on the intention-behavior relationship. Journal of the Association for Information Systems, 22(1), 1.Rights
Copyright © 2021 by the Association for Information Systems.Collection Information
This item from the UA Faculty Publications collection is made available by the University of Arizona with support from the University of Arizona Libraries. If you have questions, please contact us at repository@u.library.arizona.edu.Abstract
Although users often express strong positive intentions to follow security policies, these positive intentions fail to consistently translate to behavior. In a security setting, the inconsistency between intentions and behavior—termed the intention-behavior gap—is particularly troublesome, as a single failure to enact positive security intentions may make a system vulnerable. We address a need in security compliance literature to better understand the intention-behavior gap by explaining how an omnipresent competing intention—the user’s desire to minimize required effort—negatively moderates the relationship between positive intentions and actual security behavior. Moreover, we posit that this moderating effect is not accounted for in extant theories used to explain behavioral information security, introducing an opportunity to broadly impact information security research to more consistently predict behavior. In three experiments, we found that high levels of required effort negatively moderated users’ intentions to follow security policies. Controlling for this moderating effect substantially increased the explained variance in security policy compliance. The results suggest that security researchers should be cognizant of the existence of competing intentions, such as the desire to minimize required effort, which may moderate the security intention-behavior relationship. Otherwise, such competing intentions may cause unexpected inconsistencies between users’ intentions to behave securely and their actual security behavior. © 2021, Association for Information Systems. All rights reserved.Note
Immediate accessISSN
1536-9323Version
Final published versionae974a485f413a2113503eed53cd6c53
10.17705/1jais.00660