Protecting Against Threats to Information Security: An Attitudinal Ambivalence Perspective

Ka Chung Ng, Xiaojun Zhang, James Y.L. Thong, Kar Yan Tam

Research output: Journal article publicationJournal articleAcademic researchpeer-review

2 Citations (Scopus)

Abstract

A popular information security-related motivation theory is the Protection Motivation Theory (PMT) that has been studied extensively in many information security contexts with promising results. However, prior studies have found inconsistent findings regarding the relationships within PMT. To shed light on these inconsistent findings, we introduce the attitudinal ambivalence theory to open the black box within PMT. We tested our model on data collect ed from 1,383 individuals facing potential cyberattacks of their emails in a field experiment. The results of polynomial regression with response surface analysis showed that attitudinal ambivalence is generated from the opposition between an individual’s evaluations of maladaptive rewards and social norms (i.e., descriptive norm and subjective norm). This attitudinal ambivalence, in turn, affects individuals’ evaluations of their coping appraisal process and protection motivation, and ultimately protection behavior. We discuss the theoretical and managerial implications of identifying the determinants and outcomes of attitudinal ambivalence in the information security context. From a theoretical standpoint, our work contributes to the information security literature by incorporating attitudinal ambivalence, which arises from the intrapersonal and interpersonal appraisal processes, into PMT. From a practical standpoint, our work provides insights into designing effective fear appeals to avoid triggering attitudinal ambivalence and thus encouraging adoption of security protection behavior.

Original languageEnglish
Pages (from-to)732-764
Number of pages33
JournalJournal of Management Information Systems
Volume38
Issue number3
DOIs
Publication statusPublished - 7 Dec 2021

Keywords

  • attitudinal ambivalence theory
  • cybersecurity
  • information security
  • maladaptive rewards
  • polynomial regression
  • protection motivation theory
  • response surface analysis
  • security breaches
  • social norms
  • two-factor authentication

ASJC Scopus subject areas

  • Management Information Systems
  • Computer Science Applications
  • Management Science and Operations Research
  • Information Systems and Management

Cite this