Jie Du, Andrew Kalafut, Gregory Schymik, The health belief model and phishing: determinants of preventative security behaviors, Journal of Cybersecurity, Volume 10, Issue 1, 2024, tyae012, https://doi.org/10.1093/cybsec/tyae012
Abstract
Email is frequently the attack vector of choice for hackers and is a large concern for campus IT organizations. This paper attempts to gain insight into what drives the email security behaviors of students, faculty, and staff at one midwestern public, master’s granting university. The survey relies on the health belief model as its theoretical basis and measures eight constructs including email security behavior, perceived barriers to practice, self-efficacy, cues to action, prior security experience, perceived vulnerability, perceived benefits, and perceived severity. Barriers to practice, self-efficacy, vulnerability, benefits, and prior experience variables were found to be significant determinants of self-reported email security behaviors. Additional discussion of results based on subgroups of the respondents and interaction models is included in this paper. The findings of this study may help shed light on how universities can better prepare students, faculty, and staff to handle this critical information security concern. Given the makeup of the subject population, some findings may be applicable to businesses beyond academic institutions.
Introduction and motivation
Email security is not a new issue. The specific problem of phishing has been known for over two decades (https://www.phishing.org/history-of-phishing; accessed 24 May 2021). In this time, numerous defenses have been proposed, and yet the issue persists. Technical defenses on their own are insufficient, as phishing is an attack targeting the human, not the machine. However, training and awareness activities are also not completely effective, and their effectiveness typically falls off over time, back to pretraining levels, after 6 months [1]. To build more effective human-focused countermeasures against phishing and other email-based security issues, we must better understand the factors that influence users’ email behaviors. This research attempts to understand what drives individuals’ information security behavior when dealing with email.
The subjects of this research are the students, faculty, and staff of a large, midwestern university. This is an appropriate and important choice as the literature and news reports show that college campuses are prime targets for phishing attacks, and that phishing remains a primary concern of campus IT departments. The open access nature of higher education institutions’ networks makes them more susceptible, and the email addresses of students, alumni, faculty, and staff are usually publicly available and are the preferred vector for cyber-attacks [2]. “Phishing and social engineering attacks” was rated the highest concern amongst Higher Education Information Security Council working groups [3]. Universities have recently become the target of ransomware attacks and phishing is a primary vector for ransomware distribution [4].
College students’ attitudes toward Internet usage present a unique target for information security attacks. They continue to be a big security concern for most IT departments on campuses [5, 6] and studies show that college students rely more on the Internet and find online information more credible than does a more general adult population [7]. College students also exercise different mobile device security behaviors compared to IT professionals [8]. These findings lead to the notion that student email security behavior is an important topic to study.
The health belief model (HBM) was chosen as the theoretical basis for this investigation because it is an expectancy-based theory defined to explore the drivers of preventative behavior. As noted above, this study was undertaken to attempt to understand the drivers of subjects’ preventative behaviors related to email-based phishing attacks. Though there are some published studies that use the HBM to investigate the drivers of people’s email security behavior, including our previous study [9], they often limited their samples to a specific group, such as IT employees [10] or students [9, 11, 12]. This paper expands on those earlier works on HBM in cyber security behaviors in four ways.
First, this paper presents the findings of a single, large-scale email security behavior survey that included faculty, staff, and a much broader sample of students than did our previous study [9] at a large, master’s granting university in the Midwest. In [9], our survey was limited to students enrolled in an introductory computing course. Including a random sample of the entire student body allows us to collect a more representative sample of student data and avoid the potential biases attached to the mostly business and computing students in the original sample taken from that Introduction to Computing course. This broader student sample, combined with the addition of faculty and staff in this study, helps us better understand people’s email security behaviors in a university environment. As a result, a more comprehensive list of the determinants of email security behaviors has been identified.
Second, this study extends the literature on HBM and cybersecurity by adding to the limited number of studies of the HBM and phishing. This study validates prior results using a broader sample of subjects to indicate that self-efficacy in identifying potential phishing attacks and a better understanding of the perceived benefits of taking preventative action against phishing attacks play key roles in determining an individual’s response to phishing attacks.
Third, the single, broader sample also allows us to examine each subgroup in the population (e.g. the student group and the employee group) to help us better understand the factors that uniquely impact each group’s email security behaviors. This paper presents the differences between the student and faculty/staff groups in the sample and discusses how these findings can be used to enhance antiphishing training practices. The differences found between the two groups in the sample lead to a discussion of what could be causing those differences and open the door to future work exploring group differences such as age, workplace experience/maturity, and the level of cyber security training received by individuals.
Fourth, because our research model includes two moderating factors, recommended statistics practice requires that we extend the model in our prior study [9] to include three-way interaction effects. The three-way interaction investigates whether the moderating effect of one variable (e.g. perceived severity) on the association between the independent variable (IV) and the dependent variable is itself moderated by the other moderator (e.g. prior experience). The new model follows recommended practice and measures all potential interaction effects among the moderating variables. The findings of this analysis are inconclusive most likely due to the post hoc introduction of this analysis leading to an inadequate sample size for this type of analysis. For completeness’ sake, in adherence to recommended statistics practice, we include this analysis, acknowledge the limitations of inconclusive results due to inadequate sample size, and suggest that, since we did find significant two-way interactions, future research should include this consideration in the sampling of subjects to enable a proper analysis of three-way interactions.
Literature review
The HBM and security behaviors
On its surface, the question of whether users will adopt security behaviors appears to be an obvious target for IT adoption research: after all, the question asks why people adopt certain behaviors related to IT usage. Adopting behaviors is not the same decision as adopting a technology, especially when adopting preventive behaviors. Those adopting technologies are thought to do so to gain some sort of advantage or positive result in their job performance or to reduce the effort it takes to complete tasks using the technology [13]. An example of this in the business world would be the expected efficiency gains through the adoption of a new software package designed as part of a business process re-engineering effort. Those adopting preventative behaviors, however, are believed to be doing so not to gain a positive result or benefit, but to avoid the repercussions associated with the occurrence of some avoidable or preventable problem—a ransomware attack, for example, or, in a non-IT-related area, the decision whether to get vaccinated against the virus causing Covid-19. Ng et al. [10] present the argument suggesting that this behavior is similar to a patient’s preventative behavior in the health care industry.
Recent research has applied the HBM [14, 15] to the study of IT security behaviors [11, 16–19]. Others have suggested using the HBM to help devise security and training measures in university IT departments [20] and in security design strategies in general [21]. The remainder of the literature review will provide detailed descriptions of the research summarized in Table 1.
Table 1. HBM-based security behavior studies: constructs tested and findings.
HBM construct (Rosenstock [14], Rosenstock et al. [15]) | Ng et al. [10] | Claar and Johnson [11] | Williams et al. [16] | Schymik and Du [9] | Dodel and Mesch [17] | Dodel and Mesch [17] | Koloseni et al. [18] | Ehizibue [19] |
---|---|---|---|---|---|---|---|---|
Security focus | Phishing | Home PC security | Workplace infosec | Phishing | Antivirus | Passwords | Websites/emails | Phishing |
Perceived benefits | BEN* | BEN | BEN* | BEN* | BEN* | BEN | PBEN | BEN |
Perceived barriers to practice | BAR | BAR* | BAR | BAR | BAR* | BAR | PBAR* | BAR* |
Self-efficacy | SEF* | SEF* | SE | EFF* | EFF* | EFF* | SE | SEF* |
Perceived susceptibility | SUS* | VUL* | SUS* | VUL | SUS | SUS | PSUS* | SUS |
Cues to action | CUE | CUE | CUE* | CUE* | CUE | CUE | CUE* | CUE |
General health orientation | GEN | PXP | — | EXP | DSS* | DSS* | HAB* | IMP* |
Perceived severity | SEV | SEV | SEV* | SEV | SEV* | SEV* | PSEV* | SEV* |
Interactions | SEV (xBEN*, xCUE*, xGEN*, xSEF*) | PXP (xSEV*, xSEF*) | (None) | SEV (xBEN, xBAR*, xEFF, xVUL, xCUE*, xEXP); EXP (xBEN, xBAR, xEFF, xVUL, xCUE, xSEV) | None | None | None | Knowledge (xSUS, xSEV, xBEN, xBAR, xSEF, xCUE*, xIMP*); Prior victim (xSUS, xSEV, xBEN, xBAR, xSEF, xIMP) |
Gender | GEN | GEN (xSUS*) | | | | | | |
Age | AGE (xBAR*) | AGE (xIMP*) | | | | | | |
Education | EDU (xBEN*) | EDU (xPSEV*, xPBEN*) | | | | | | |
R2 | 0.593 | 0.304 | N/A (PLS method) | 0.557 | 0.323 | 0.182 | 0.38 | 0.506 |
Adj R2 | 0.549 | 0.167 | 0.493 | | | | | |
*Indicates significant relationships found.
The management literature has referred to the HBM as “an expectancy model of health care decision making” [22, p. 188]. The dependent variable in the HBM is the subjects’ decision to adopt the preventative health action or behavior in question (e.g. getting vaccinated, or submitting to testing to screen for a disease even though asymptomatic). The IVs of the HBM are a person’s perceptions as to how susceptible they believe they might be to a condition, how serious the health condition or problem in focus may be, how beneficial an action might be in preventing the condition from manifesting, any negative aspects of the preventive behavior or action that could be interpreted as barriers to actually performing the behavior or taking the action, and any cues to action or triggers that could impact a decision to adopt the behavior or take the action [14, 15]. The adaptation of these determinant factors to information security research is rather straightforward and is explained in the description of our research model below.
Our prior work on HBM and phishing
In our prior study using the HBM to study the determinants of students’ email security behaviors [9], our sample population was limited to students in multiple sections of an Introduction to Computing class (receiving 153 usable survey responses). We found students’ perceived benefits (BEN), perceived self-efficacy (EFF), and cues to action (CUE), along with the moderating effect of students’ experience with email-related security incidents on perceived barriers to practice (EXPxBAR), and cues to action (EXPxCUE) to be significant determinants of predicted behavior. CUE was found to have the opposite effect to the hypothesized effect.
The HBM and information security
Ng et al. [10] argue for the use of the HBM to understand protective security behaviors. Starting with the argument for something other than Technology Acceptance Model (TAM) based theories to explain preventive technology adoption [23], they built upon TAM, the Theory of Planned Behavior, Protection Motivation Theory (PMT), and Expectancy-Value Theory to arrive at and adapt the HBM to the examination of email users’ security-related behaviors. They surveyed part-time (working) students and employees in three IT-related organizations regarding their security-related email usage behaviors (N = 134). They found subjects’ ability to recognize suspicious emails (self-efficacy), the likelihood of receiving harmful emails (perceived susceptibility), and the efficacy of the protective behaviors (perceived benefits) to be determinants of email-related computer security behavior [10].
Claar and Johnson [11] and Dodel and Mesch [17] applied the HBM to the study of the drivers of the installation of antivirus software on home computers. Claar and Johnson [11] used a snowball sampling approach beginning with undergraduate students at a western US university to survey subjects about the adoption and use of computer security solutions (antivirus, firewall, and antispyware software) on their home computers. They found perceived vulnerability of their computer to security threats (VUL); perceived barriers to action—what they defined as obstacles to adoption and use of the security solutions—(BAR); and a subject’s belief in their ability to install, configure, and maintain the security solutions—self efficacy—(SEF) to be significant determinants of security behavior.
Dodel and Mesch [17] surveyed adult Israeli Internet users about their usage of antivirus software and found several significant determinants of the use of antivirus software, including the subjects’ ability to protect their personal computers, or self-efficacy (EFF); their willingness to spend effort increasing computer safety, i.e. the absence of barriers to the use of cyber safety measures (BAR); their belief that antivirus software usage will reduce their cyber security risk (BEN); their perceptions of the seriousness of cyber-threats; and a generalized, self-assessed measure of their ability to perform six safety-related digital security tasks on their computers (DSS).
In the same study, Dodel and Mesch [17] found self-efficacy (EFF), digital security skills (DSS) and the subjects’ awareness of the severity of the cyber-security threat (SEV) to be significant determinants of the adoption of password safety behaviors. They defined password safety behaviors to be the use of a variety of numbers, letters, and symbols in their passwords and changing passwords every 6 months.
Williams et al. [16] applied the HBM in their study of a multidimensional dependent variable, Security Behavior Intentions. Instead of measuring security behaviors, they measured individuals’ intention to practice several information security behaviors in the future. The significant determinants of that behavior they found are the subjects’ belief in the effect a behavior will have on reducing a security threat, i.e. the perceived benefits of a given behavior (BEN); their self-evaluation of the likelihood of experiencing a security violation, i.e. their perceived susceptibility to a violation (VUL); their awareness of the potential and likelihood of occurrence of a particular security problem, i.e. the existence of cues to action (CUE); and their understanding of the difficulties or consequences that would result from a security violation, i.e. the perceived severity of such a violation (SEV). They also renamed the model the security belief model. For simplicity’s sake, we will use the HBM label when we refer to these theoretical models in this paper.
Research done after we administered our survey continues to apply the HBM to help understand information security behaviors. The following are two examples related to email security. Koloseni et al. [18] argued that past HBM-based studies tended to focus only on conscious factors and that the study of nonconscious factors was limited. So, they extended the HBM by including a nonconscious factor, information security habit, defined as a form of action that is learned and practiced by individuals without their conscious control. Their findings suggest that perceived severity, perceived vulnerability, perceived barriers, cues to action, and information security habits significantly influence the security behavior intentions of Tanzanian government employees.
Ehizibue [19] analyzed 79 survey responses on individuals’ behavior toward phishing attacks using the HBM. Instead of using general security orientation [10], Ehizibue used a new construct of perceived importance to measure “an individual’s belief in the importance of outcomes when taking actions to prevent phishing attacks” [19, p. 2]. Four moderator variables (age, gender, knowledge about phishing, and being a prior victim of a phishing attack) were used in their model. The results show that perceived severity, perceived barriers, self-efficacy, and perceived importance influence the likelihood of phishing attack prevention behavior.
Others have suggested using HBM as a framework to investigate various information security issues. Lei et al. [24] set up a framework based on HBM to investigate the role of optimism bias in the phishing context. They posit that optimism bias impacts perceived vulnerability, perceived severity, perceived benefits, and perceived barriers. In a study attempting to explore how behavioral science and cyber security intersect, Pfleeger and Caputo [21] interviewed cyber security decision makers and their results suggest that, among other things, the HBM may be a candidate for security design strategies and deserves further research.
Jeske and Van Schaik [20] investigated student knowledge of threats and found that familiarity with threats was a significant predictor of security behaviors. They suggest that the HBM could be used to help university IT departments define security training and intervention measures.
The literature noted above provides ample support for the use of the HBM as a theoretical basis for investigating the antecedents of behaviors intended to prevent email-driven phishing attacks.
Protection Motivation Theory (PMT)
Many have proposed and applied PMT to the study of information security behaviors. PMT was originally created to explain how attitudinal change might be impacted by a subject’s understanding, based on fear appeals, of the unhealthy outcomes of behaviors or practices they may adopt [25]. PMT proposes that, when facing a threatening event, people protect themselves based on two factors: threat appraisal and coping appraisal. Threat appraisal consists of perceived severity and perceived vulnerability, while coping appraisal consists of response efficacy and perceived self-efficacy [26].
PMT has been widely used to study behavior change in various IT security applications such as home computer use [27, 28], mobile device security behavior [28], online security behavior [29], maladaptive behavior to phishing [30], and cybersecurity behavior among government employees [31].
A meta-analysis on the relationships among PMT constructs in the information security literature was conducted by Mou et al. [32]. The analysis results based on 92 published studies suggest that coping appraisal variables of response efficacy and self-efficacy have the largest average effects on security behavior.
Given that our intention was to study behaviors and not behavior change or the intention to perform a behavior, which is the intent behind PMT [25], we chose HBM as our theoretical model.
Moderating variables
Various moderating variables have been suggested. Demographic variables (gender, age, and education) are thought to have some impact on behavior in the HBM [14]. Ng et al. [10] hypothesized that perceived severity would have a moderating effect on all other IVs and found significant interactions with perceived benefits, cues to action, general security orientation, and self-efficacy. Claar and Johnson [11] hypothesized that prior experience, along with age, education, and gender would have moderating effects on all IVs except for cues to action and found significant interactions between age and perceived barriers to action, education and perceived benefits, and prior experience and perceived severity and self-efficacy. Williams et al. [16] and Dodel and Mesch [17] did not include any moderating variables in their research models.
Table 1 summarizes the research models and findings of the literature cited above. The acronyms used in Table 1 represent the labels used for the variables in the referenced paper. The asterisks indicate that a variable was found to be a significant determinant of security behavior in the referenced paper. Interactions tested are noted by listing the moderating variable and then, in parentheses, the main effects paired with that variable.
Research model
This research adopts the HBM research model defined in our previous HBM research on email security behavior [9] but extends the model to include the three-way interaction effects of multiple moderators as recommended in [33] (see Fig. 1). The research model is based on the HBM [14, 15] that underlies the models tested in [10, 11, 16]. The research model contains seven IVs and one dependent variable. The dependent variable is the subjects’ self-reported email security behavior (BEH). The seven IVs are perceived benefits (BEN), perceived barriers to action (BAR), self-efficacy (EFF), perceived vulnerability (VUL), cues to action (CUE), prior experience (EXP), and perceived severity (SEV). Among them, prior experience and perceived severity are used as moderators that impact the association between other IVs and the dependent variable. The definitions of these variables are presented in Table 2.

Table 2. Definitions of the research model constructs.
Construct name | Label | Definition |
---|---|---|
Email security behavior | BEH | An individual’s self-reported behavior when using email |
Perceived benefits | BEN | An individual’s beliefs of the value of an email security behavior to reduce the risk of a security incident |
Perceived barriers | BAR | An individual’s own evaluation of the obstacles in the way of adopting a new email security behavior |
Self-efficacy | EFF | The belief in an individual’s own ability to practice an email security behavior |
Perceived vulnerability | VUL | The personal risk or susceptibility of contracting a condition caused by a security incident |
Cues to action | CUE | Events, things, or people that move people to change their email security behavior |
Prior experience | EXP | An individual’s previous negative experience with security incidents |
Perceived severity | SEV | An individual’s belief about the seriousness or severity of a security incident |
All seven IVs and the dependent variable are taken directly from [10] with one difference: the replacement of the general security orientation variable with the security experience variable (EXP) used in [11]. The general health orientation variable from the HBM is intended to represent a basic foundation or consistent behavior related to all health care decision situations [22]. Ng et al. [10] defined a general security orientation variable and operationalized it as a set of questions related to subjects’ self-awareness of, and activities associated with, acquiring general knowledge of information security. We followed the approach to this variable in [11] and used a more direct measure of the subjects’ experience with email-related information security problems. Given that a large portion of our subject group is made up of young, typically traditional, undergraduate students, along with faculty and staff from across the university (not necessarily a group of people deeply concerned about information security), we feel that it is very likely that they have not had enough security-related experience to establish a general orientation towards security such as that described in [10]. We see a direct measure of experience as a precursor to a general security orientation and believe it, therefore, to be a reasonable substitution.
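The regression behind this research model, as an added worked example that is not part of the paper: it builds the design matrix from the Table 2 labels with the two-way (EXP×X, SEV×X, EXP×SEV) and three-way (EXP×SEV×X) interaction terms, fits it by ordinary least squares, and reports R² and adjusted R². The survey responses and the “true” coefficients (including a single EXP×BAR moderation) are constructed assumptions, not the study’s data.

```python
"""Added example (not from the paper): fitting the research model
BEH ~ seven IVs + EXP x X + SEV x X + EXP x SEV (+ EXP x SEV x X) by OLS.

All survey responses are simulated and the 'true' coefficients are assumptions
chosen only to show that the design matrix is specified correctly and how
adjusted R2 penalises the extra three-way terms when the sample is small."""
import numpy as np

MAIN = ["BEN", "BAR", "EFF", "VUL", "CUE"]  # main effects the moderators act on
MODS = ["EXP", "SEV"]                       # the two moderators in the research model


def design_matrix(data, three_way=True):
    """Return (X, names): intercept, 7 mean-centred IVs, EXP x main, SEV x main,
    EXP x SEV and, if three_way, EXP x SEV x main. Predictors are centred before
    forming products, the usual practice for interaction models."""
    n = len(next(iter(data.values())))
    c = {k: np.asarray(v, dtype=float) - np.mean(v) for k, v in data.items()}
    cols, names = [np.ones(n)], ["const"]
    for k in MAIN + MODS:
        cols.append(c[k])
        names.append(k)
    for m in MODS:                                  # two-way: moderator x main effect
        for k in MAIN:
            cols.append(c[m] * c[k])
            names.append(f"{m}x{k}")
    cols.append(c["EXP"] * c["SEV"])                # moderator x moderator
    names.append("EXPxSEV")
    if three_way:                                   # EXP x SEV x main effect
        for k in MAIN:
            cols.append(c["EXP"] * c["SEV"] * c[k])
            names.append(f"EXPxSEVx{k}")
    return np.column_stack(cols), names


def fit_ols(X, y):
    """Least-squares fit; returns coefficients, R2 and adjusted R2."""
    beta, *_ = np.linalg.lstsq(X, y, rcond=None)
    resid = y - X @ beta
    ss_res = float(resid @ resid)
    ss_tot = float(((y - y.mean()) ** 2).sum())
    n, p = X.shape                                  # p counts the intercept
    r2 = 1.0 - ss_res / ss_tot
    adj_r2 = 1.0 - (1.0 - r2) * (n - 1) / (n - p)
    return beta, r2, adj_r2


def simulate(n, seed=0):
    """Constructed 5-point Likert responses for the seven IVs and a BEH score
    generated from assumed coefficients (positive BEN/EFF/VUL, negative BAR, and
    one EXP x BAR moderation of the kind reported in [9]) plus unit-variance noise."""
    rng = np.random.default_rng(seed)
    data = {k: rng.integers(1, 6, n).astype(float) for k in MAIN + MODS}
    c = {k: v - v.mean() for k, v in data.items()}
    beh = (3.0 + 0.4 * c["BEN"] - 0.3 * c["BAR"] + 0.5 * c["EFF"] + 0.2 * c["VUL"]
           + 0.3 * c["EXP"] * c["BAR"] + rng.normal(0.0, 1.0, n))
    return data, beh


def fit_model(n, three_way=True, seed=0):
    """Simulate n responses, fit the chosen model and return the key statistics."""
    data, beh = simulate(n, seed)
    X, names = design_matrix(data, three_way)
    beta, r2, adj_r2 = fit_ols(X, beh)
    return {"coef": dict(zip(names, beta.tolist())), "r2": r2,
            "adj_r2": adj_r2, "n_params": len(names)}


if __name__ == "__main__":
    for n in (40, 1000):                            # small vs. adequate sample
        for tw in (False, True):
            r = fit_model(n, three_way=tw)
            print(f"n={n:4d} three_way={tw!s:5} params={r['n_params']:2d} "
                  f"R2={r['r2']:.3f} adjR2={r['adj_r2']:.3f} "
                  f"EFF={r['coef']['EFF']:+.2f} EXPxBAR={r['coef']['EXPxBAR']:+.2f}")
```

Comparing n=40 with n=1000 shows how the five extra three-way columns inflate R² but are penalised by adjusted R² when the sample is small, which is the sample-size caveat raised in the introduction.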
Main effects
Ng et al. [10] present a detailed derivation of the research model’s main effects hypotheses. We build on that work and provide additional explanation below.
The HBM relies on the notion that if a person believes an action will reduce the risk of something occurring, they will most likely take that action. Since a successful preventative action results in nothing happening, there is no tangible “reward” for taking it, and people need to be convinced that the benefits of the action are sufficient. We therefore expect the perceived benefits of adopting preventative email security behaviors to influence those behaviors.
H1—perceived benefits (BEN) of practicing email security behaviors are positively related to email security behaviors.
Building on the idea that an individual is likely to take an action if they believe it will reduce the risk of something occurring, we must consider the potential negative aspects of taking that action. Individuals may find it inconvenient or unpleasant to take an action. The idea of being so diligent when reading each and every email may feel unpleasant to some and could logically be seen as inconvenient when dealing with overloaded email inboxes. This inconvenience or unpleasantness could become a potential barrier to diligently analyzing each email. If barriers to an action become too difficult to overcome, people may avoid taking that action.
H2—perceived barriers (BAR) to practicing email security behaviors are negatively related to email security behaviors.
The adoption of a behavior is likely to be influenced by an individual’s self-confidence in their skills or abilities to practice that behavior effectively. In this research, self-efficacy refers to an individual’s belief in their ability to identify and avoid phishing schemes sent to them via email. Much of the research on information security behaviors in general, and on the application of the HBM to such behaviors specifically (see Table 1), has found self-efficacy to be a significant determinant of these behaviors. We expect to find the same.
H3—self-efficacy (EFF) is positively related to email security behaviors.
If an individual perceives that a negative event is likely to occur, they are likely to feel vulnerable to the impact of that event and, as a result, to “exhibit a greater level of computer security behavior” [10, p. 819]. We posit that a person who feels vulnerable to a phishing attack will likely be on the lookout for it and take action to avoid being victimized.
H4—perceived vulnerability (VUL) to email-related security incidents is positively related to email security behaviors.
The HBM suggests that a person may not take any action without some instigating event occurring that prompts them into action. Such triggering events are referred to as cues to action. We expect that, for computer users, notices from IT departments or stories overheard of people falling victim to phishing scams, among other things, could cause individuals to be more vigilant in their email security behavior.
H5—cues to action (CUE) are positively related to email security behaviors.
We followed the approach taken in [11] and replaced the general security orientation with the subject’s experience with phishing or other email-related security incidents. We expect to see a wide variety of computer security experience and understanding across our sample subjects. The low end of this range contains those who mainly see security as being covered by logging into something: students who have only used computers as social media and web browsing tools and faculty and staff who only use them as communications tools—email and chat—and as access points to the software tools they use on a day-to-day basis. The high end of that range would include students and faculty/staff who are very concerned about the security and privacy of their personal or work-related data, activities, and even opinions and might even be studying information security and privacy issues across the academic spectrum or working in IT. Given the focus on seeking information about information security of the general security orientation variable found in Ng et al. [10], and the wide variety of computing and information security experience we expect in our sample subjects, we see a direct measure of experience as a precursor to a general security orientation and expect that directly asking about the subjects’ experiences with unsafe emails would provide more insight into drivers of their behavior. We, therefore, follow Claar and Johnson’s [11] approach and expect to find that a subject’s prior experience with a negative email security event will predispose them to take preventative action.
H6—prior experience (EXP) with email-related security issues is positively related to email security behaviors.
The perceived severity of the consequences of a behavior may impact an individual’s attitudes and actions regarding that behavior. The consequences of email-related security behaviors often go beyond simply impacting the individual responsible for the behavior. In our prior research with a sample limited to only students taking an Introduction to Computing course [9], perceived severity was not found to be a significant determinant of security behavior. In this study, we broaden our sample and expect to learn more about this particular factor. We propose that a subject’s understanding of the consequences of email-based attacks on networks and systems will likely have an impact on their email security behaviors.
H7—perceived severity (SEV) of email-related security issues is positively related to email security behaviors.
Two-way interaction effects
A moderator is a variable that affects the association between two or more other variables. Our research model hypothesizes two moderators: prior experience and perceived severity.
The literature suggests, as a general notion, people use direct experience to predict the future more than other factors [34]. The literature also suggests that people with prior experience with negative events are more likely to imagine themselves in the victim role owing to the “availability” of their prior victimization experience [35].
Specific to the HBM, Claar et al. [12] used prior experience as a moderator in their model to investigate college student home computer security adoption and found that prior experience has a significant moderation effect on perceived benefits and perceived severity. Ramayah et al. [36] found that prior experience moderates the effect of perceived ease of use on PC usage. Cho et al. [37] explored the effect of optimistic bias about online privacy risks and found that prior experience significantly moderates optimistic bias. In this study, the prior experience considered is limited to negative events caused by security incidents. We suggest that people with prior experiences with negative events related to email security behaviors would be influenced by those experiences in ways causing them to more easily see the value of practicing email security behaviors, have a reduced focus on the barriers to performing email security behaviors, perceive their ability to practice an email security behavior to be lower, have an increased perceived vulnerability due to the availability heuristic [35], have a greater appreciation for the cues to action, and have a better understanding of the perceived severity of email security incidents. Therefore, we posit the following six hypotheses to test the moderating effects of prior experience:
H6a—prior experience with email-related security incidents increases the positive effect of perceived benefits on email security behaviors (EXPxBEN).
H6b—prior experience with email-related security incidents reduces the negative effect of barriers to practice on email security behaviors (EXPxBAR).
H6c—prior experience with email-related security incidents reduces the positive effect of self-efficacy on email-related security behaviors (EXPxEFF).
H6d—prior experience with email-related security incidents increases the positive effect of perceived vulnerability on email security behaviors (EXPxVUL).
H6e—prior experience with email-related security incidents increases the positive effect of cues to action on email security behaviors (EXPxCUE).
H6f—prior experience with email-related security incidents increases the positive effect of perceived severity on email security behaviors (EXPxSEV).
Ng et al. [10] relied on the HBM and expectancy value theory to hypothesize that perceived severity is a moderator influencing other variables’ effects on computer security behavior. Their results showed that the perceived severity has a significant moderating effect on perceived benefits, cues to action, self-efficacy, and general security orientation. Based on [10], we suggest that people who believe that the negative consequences are significantly severe would be likely to give less weight to the perceived benefits of email security behavior, have a reduced focus on the barriers to performing email security behaviors, perceive their ability to practice an email security behavior to be lower, have an increased perceived vulnerability of email security incidents, have a greater appreciation for the cues to action toward practicing email security behaviors, and have a reinforced memory of their experience with negative events related to email security incidents. Therefore, we posit the following six hypotheses to test the moderating effects of perceived severity:
H7a—perceived severity of any email-related security incidents reduces the positive effect of perceived benefits on email security behaviors (SEVxBEN).
H7b—perceived severity of any email-related security incidents reduces the negative effect of barriers to practice on email security behaviors (SEVxBAR).
H7c—perceived severity of any email-related security incidents reduces the positive effect of self-efficacy on email security behaviors (SEVxEFF).
H7d—perceived severity of any email-related security incidents increases the positive effect of perceived vulnerability on email security behaviors (SEVxVUL).
H7e—perceived severity of any email-related security incidents increases the positive effect of cues to action on email security behaviors (SEVxCUE).
H7f—perceived severity of any email-related security incidents increases the positive effect of prior experience with email-related security incidents on email security behaviors (SEVxEXP).
Three-way interaction effects
The literature suggests that, since the two moderators defined above may themselves interact, we need to test for a potential three-way interaction [33]. This necessity was identified during a review of our statistical methods and analysis done well after we collected our survey data. There may, therefore, be limitations to the applicability of the results of this analysis, but we felt it necessary to include it here for completeness. In our hypotheses, the relationship between the other IVs and email security behavior is moderated by prior experience, but it may also be moderated by perceived severity. Moreover, the moderating effect of prior experience may itself depend on perceived severity, and vice versa. For instance, even if individuals have prior experience with negative incidents, their perceived vulnerability may not relate positively to email security behaviors if their perception of email incident severity is low. But if they believe that severity is high and they have prior experience with negative incidents, the effect of perceived vulnerability may be amplified beyond that predicted by either moderator alone. In other words, the association between perceived vulnerability and security behavior will be stronger when both perceived severity and prior experience are high. To investigate the moderating effect of prior experience and perceived severity on the relationship between the other IVs and the dependent variable (email security behavior), we posit the following five hypotheses to test the three-way interaction effects with prior experience and perceived severity as moderators:
H8a—the positive effect of perceived benefits is expected to be positively influenced by prior experience with email-related security incidents but negatively influenced by perceived severity of any email-related security incidents. It is difficult to predict the magnitude of these influences or their precise interaction with each other. Since these influences work in opposition to each other, we predict that the overall effect of this three-way interaction will not be significant (EXPxSEVxBEN).
H8b—the negative effect of perceived barriers is reduced by prior experience with email-related security incidents and perceived severity of any email-related security incidents (EXPxSEVxBAR).
H8c—the positive effect of self-efficacy is reduced by prior experience with email-related security incidents and perceived severity of any email-related security incidents (EXPxSEVxEFF).
H8d—the positive effect of perceived vulnerability is increased by prior experience with email-related security incidents and perceived severity of any email-related security incidents (EXPxSEVxVUL).
H8e—the positive effect of cues to action is increased by prior experience with email-related security incidents and perceived severity of any email-related security incidents (EXPxSEVxCUE).
Subgroup differences
This study set out to examine the application of the HBM to email security behaviors. The larger population sampled (in comparison to our initial study [9]) gives us the opportunity to explore factors outside the model. To that end, this paper lays the foundation for one leg of our investigation into the influence demographic factors may have on such behaviors and their determinants by asking whether the determinants of student behaviors differ from those of faculty/staff behaviors at our institution. We state an additional hypothesis, H9, in the alternative form to set that foundation.
H9—determinants of student behaviors will differ from those of faculty/staff.
Methodology
Survey development
A single, electronic survey was implemented to test the hypotheses. The survey items (questions) were derived from those used in [10, 11]. The items in the survey focused on the eight latent constructs representing one dependent and seven IVs. All survey items (see Table 9 in Appendix A) are anchored on 5-point Likert scales. The survey consisted of eight demographic items and 32 email security items with a target completion time of less than 10 minutes. This survey research was reviewed and approved by our institution’s IRB. The initial survey items were pilot tested with a small group of the target population. Minor changes were made to the wording of several items to improve understandability.
The target population for this study was students, faculty, and staff at one midwestern public, master’s granting university in the USA. A random sample was selected from each of the student and faculty/staff categories. An email was sent to the selected participants explaining the study and informing them of the estimated completion time, along with other information required by the university. The survey was administered using the Qualtrics online survey platform.
Data processing
The survey was conducted in November 2019. We worked with our university’s Office of Institutional Analysis to administer the survey. Using online sample size calculators (https://www.danielsoper.com/statcalc/default.aspx) to determine the minimum sample size for our analysis (medium effect size, desired power of 0.8) and assuming a survey response rate of ∼10%, we randomly selected 1700 email addresses from both the student and faculty/staff populations and sent out survey invitations. A total of 489 responses were received. Responses with missing values (61 records) and responses indicating “decline” (10 records) were removed, leaving 418 usable survey response sets, of which 101 are from student participants and 317 from employee participants. Table 3 summarizes the demographics of the sample. The demographics of our population show a 61%/39% female to male ratio among students and a 55%/45% ratio among faculty/staff. The only substantial difference in age demographics between our sample and the actual population was in the student sample, which had roughly 5% more respondents under 20 and roughly 4% fewer respondents aged 20–29. Demographics are reflected upon in the discussion sections of this paper. As noted above, no attempt was made to manage demographic sampling when selecting the survey sample, but we are confident that our sample is representative of the university community and that the results presented in this paper generalize to the entire university.
Table 3. Demographics of the sample.

| Demographic | Category | Whole (%) | Student (%) | Faculty/staff (%) |
|---|---|---|---|---|
| Age | Under 20 years old | 9.6 | 39.6 | 0 |
| | 20–29 years old | 21.3 | 55.4 | 10.4 |
| | 30–39 years old | 16.7 | 2.0 | 21.5 |
| | 40–49 years old | 19.1 | 2.0 | 24.6 |
| | 50–59 years old | 17.2 | 1.0 | 22.4 |
| | 60 years or older | 16 | 0 | 21.1 |
| Gender | Male | 35.7 | 25 | 39.1 |
| | Female | 63.5 | 75 | 59.9 |
| | Other | 0.7 | 0 | 0.9 |
| Primary role | Student | 24.2 | 100 | 0 |
| | Employee | 75.8 | 0 | 100 |
Tables 4–6 list the interconstruct Pearson correlations for the whole data set and for the two subgroups (student and employee).
Table 4. Interconstruct Pearson correlations, whole data set (n = 418).

| Construct | BEN | VUL | EFF | BEH | CUE | BAR | SEV | EXP |
|---|---|---|---|---|---|---|---|---|
| BEN | 1 | | | | | | | |
| VUL | 0.259** | 1 | | | | | | |
| EFF | 0.344** | 0.362** | 1 | | | | | |
| BEH | 0.323** | 0.422** | 0.644** | 1 | | | | |
| CUE | 0.22** | −0.072 | −0.26** | −0.089 | 1 | | | |
| BAR | −0.245** | −0.258** | −0.513** | −0.382** | 0.36** | 1 | | |
| SEV | 0.229** | 0.233** | 0.003 | 0.101* | 0.259** | 0.117* | 1 | |
| EXP | 0.032 | 0.217** | −0.039 | 0.131** | 0.202** | 0.158** | 0.197** | 1 |

Correlation significant at the 0.01 level (**) or the 0.05 level (*), 2-tailed.
Table 5. Interconstruct Pearson correlations, student subgroup (n = 101).

| Construct | BEN | EFF | VUL | BAR | BEH | EXP | SEV | CUE |
|---|---|---|---|---|---|---|---|---|
| BEN | 1 | | | | | | | |
| EFF | 0.324** | 1 | | | | | | |
| VUL | 0.344** | 0.323** | 1 | | | | | |
| BAR | −0.303** | −0.426** | −0.258** | 1 | | | | |
| BEH | 0.326** | 0.638** | 0.277** | −0.35** | 1 | | | |
| EXP | 0.307** | 0.117 | 0.229* | −0.088 | 0.309** | 1 | | |
| SEV | 0.269** | 0.021 | 0.203* | 0.035 | −0.059 | 0.064 | 1 | |
| CUE | 0.254* | 0.083 | 0.162 | 0.167 | 0.139 | 0.123 | 0.243* | 1 |

Correlation significant at the 0.01 level (**) or the 0.05 level (*), 2-tailed.
Table 6. Interconstruct Pearson correlations, employee subgroup (n = 317).

| Construct | BEN | EFF | VUL | BAR | CUE | BEH | SEV | EXP |
|---|---|---|---|---|---|---|---|---|
| BEN | 1 | | | | | | | |
| EFF | 0.28** | 1 | | | | | | |
| VUL | 0.054 | 0.178** | 1 | | | | | |
| BAR | −0.154** | −0.482** | −0.159** | 1 | | | | |
| CUE | 0.218** | −0.27** | −0.026 | 0.308** | 1 | | | |
| BEH | 0.21** | 0.457** | 0.133* | −0.289** | −0.091 | 1 | | |
| SEV | 0.126* | −0.159** | 0.015 | 0.24** | 0.255** | −0.037 | 1 | |
| EXP | −0.129* | −0.254** | 0.023 | 0.289** | 0.214** | −0.184** | 0.175** | 1 |

Correlation significant at the 0.01 level (**) or the 0.05 level (*), 2-tailed.
Data analysis procedure
We conducted a two-step analysis on the whole data set and the data from the two subgroups to examine the effects of the hypothesized constructs on the subjects’ reported email security behavior (BEH). First, an exploratory factor analysis (EFA) was done to extract the factors (latent variables) from the survey response data to validate our model constructs. Then, a multiple regression analysis was conducted using the factor scores calculated by SPSS. Using the factor scores, the dependent variable was regressed on the seven IVs and the hypothesized interactions.
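The second step of this procedure, a regression of BEH on the seven IVs plus the EXPx, SEVx and EXPxSEVx product terms hypothesized in H6a through H8e, is easier to reason about with a small worked model. The Python script below is an added illustration, not the authors' SPSS procedure or their survey data: it generates constructed factor scores for the seven constructs (using the abbreviations from the construct table above), builds BEH from assumed weights that include a planted three-way EXPxSEVxVUL term, fits the full design matrix by ordinary least squares using only the standard library, and then reads the three-way term the way H8d would be interpreted, as the simple slope of VUL at chosen levels of the two moderators. The sample size, weights, noise level and random seed are all assumptions.

```python
"""Moderated regression for an HBM-style email security model.

Added illustration (constructed data, not the paper's): seven standardized
predictor scores are generated, BEH is produced from known weights that
plant a three-way EXP x SEV x VUL term, and OLS recovers the coefficients.
"""
import random

MAIN = ["BEN", "BAR", "EFF", "VUL", "CUE", "EXP", "SEV"]
# Hypothesized products: every other IV crossed with EXP, with SEV, and with both.
TWO_WAY = [("EXP", v) for v in ("BEN", "BAR", "EFF", "VUL", "CUE", "SEV")] + \
          [("SEV", v) for v in ("BEN", "BAR", "EFF", "VUL", "CUE")]
THREE_WAY = [("EXP", "SEV", v) for v in ("BEN", "BAR", "EFF", "VUL", "CUE")]


def zscore(col):
    """Standardize a column (n - 1 denominator). Forming products from centred
    scores keeps the main effects interpretable and limits nonessential
    multicollinearity between a variable and its own interaction terms."""
    n = len(col)
    mean = sum(col) / n
    sd = (sum((x - mean) ** 2 for x in col) / (n - 1)) ** 0.5
    return [(x - mean) / sd for x in col]


def design_matrix(rows):
    """rows: list of dicts keyed by MAIN (raw factor scores). Returns (names, X)."""
    z = {v: zscore([r[v] for r in rows]) for v in MAIN}
    names = ["const"] + MAIN + ["x".join(t) for t in TWO_WAY + THREE_WAY]
    X = []
    for i in range(len(rows)):
        x = [1.0] + [z[v][i] for v in MAIN]
        for term in TWO_WAY + THREE_WAY:
            prod = 1.0
            for v in term:
                prod *= z[v][i]
            x.append(prod)
        X.append(x)
    return names, X


def ols(X, y):
    """Solve the normal equations (X'X) b = X'y by Gauss-Jordan elimination
    with partial pivoting; returns the coefficient vector b."""
    k = len(X[0])
    A = [[sum(r[i] * r[j] for r in X) for j in range(k)]
         + [sum(r[i] * yi for r, yi in zip(X, y))] for i in range(k)]
    for c in range(k):
        piv = max(range(c, k), key=lambda r: abs(A[r][c]))
        A[c], A[piv] = A[piv], A[c]
        for r in range(k):
            if r != c:
                f = A[r][c] / A[c][c]
                A[r] = [a - f * b for a, b in zip(A[r], A[c])]
    return [A[i][k] / A[i][i] for i in range(k)]


def r_squared(X, y, b):
    mean = sum(y) / len(y)
    ss_res = sum((yi - sum(bi * xi for bi, xi in zip(b, row))) ** 2
                 for row, yi in zip(X, y))
    return 1 - ss_res / sum((yi - mean) ** 2 for yi in y)


def simulate(n=400, seed=7):
    """Constructed sample: standard-normal factor scores and a BEH score built
    from assumed weights (planted three-way weight 0.30 on EXPxSEVxVUL)."""
    rng = random.Random(seed)
    rows = [{v: rng.gauss(0, 1) for v in MAIN} for _ in range(n)]
    z = {v: zscore([r[v] for r in rows]) for v in MAIN}
    y = [0.10 * z["BEN"][i] - 0.10 * z["BAR"][i] + 0.45 * z["EFF"][i]
         + 0.15 * z["VUL"][i] + 0.10 * z["EXP"][i]
         + 0.30 * z["EXP"][i] * z["SEV"][i] * z["VUL"][i] + rng.gauss(0, 0.2)
         for i in range(n)]
    return rows, y


def fit_model(rows, y):
    """Returns ({term name: coefficient}, R^2) for the main + interaction model."""
    names, X = design_matrix(rows)
    b = ols(X, y)
    return dict(zip(names, b)), r_squared(X, y, b)


def simple_slope(coef, iv, exp_level, sev_level):
    """Slope of one of BEN/BAR/EFF/VUL/CUE on BEH at standardized levels of the
    two moderators: this is how a fitted three-way term is read (H8d: iv='VUL')."""
    return (coef[iv] + coef["EXPx" + iv] * exp_level + coef["SEVx" + iv] * sev_level
            + coef["EXPxSEVx" + iv] * exp_level * sev_level)


if __name__ == "__main__":
    rows, y = simulate()
    coef, r2 = fit_model(rows, y)
    for name in ("EFF", "VUL", "EXPxVUL", "SEVxVUL", "EXPxSEVxVUL"):
        print(f"{name:>12}: {coef[name]: .3f}")
    print(f"R^2 = {r2:.3f}")
    print("VUL slope at EXP=+1, SEV=+1:", round(simple_slope(coef, "VUL", 1, 1), 3))
    print("VUL slope at EXP=+1, SEV=-1:", round(simple_slope(coef, "VUL", 1, -1), 3))
```

The design matrix has 24 columns (intercept, seven main effects, eleven two-way products and five three-way products), the same term set as Table 7. With the planted weights, the VUL slope is about 0.45 when both moderators are one standard deviation above their mean and about −0.15 when EXP is high but SEV is low, which is the pattern of "stronger when both are high" described for H8d; reading the coefficient on EXPxSEVxVUL alone does not show this, the simple slopes do.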
Exploratory Factor Analysis (EFA)
We followed the process of conducting factor analysis suggested by [38]. We first screened the initial set of items in each data set (each item representing a single survey question) using principal component analysis. As expected, eight factors were extracted in each of the three data sets, consistent with the eight main-effects constructs hypothesized in our research model. Then we performed an EFA (using principal axis factoring as the extraction method and promax as the rotation method) to make sure that the survey items loaded properly onto the factors. The factor loading thresholds to be applied to each data set are determined based on the number of subjects in each set [39].
For the whole data set, the eight factors were extracted after one round of EFA and the factor loadings for each survey item were greater than the cutoff threshold of 0.3. All survey items loaded onto the latent constructs except for EXP1, which loaded onto the VUL construct. We will address this issue later in the section “Limitations and future work.”
For the student subgroup, six survey items (SEV3, EXP1, CUE1, CUE2, CUE5, and BEH1) were removed because their factor loadings were below the threshold of 0.55. All remaining survey items loaded onto the latent constructs as expected.
For the employee subgroup, three survey items (CUE3, CUE4, and SEV3) were removed because their factor loadings were below the threshold of 0.35. All remaining survey items loaded onto the latent constructs as expected.
To evaluate the reliability of the data, we calculated Cronbach’s alpha for each latent variable. For internal consistency, Cronbach’s alpha should be at least 0.707 [40]; for exploratory studies, a minimum of 0.6 is allowable [40]. In each of the data sets (whole sample and the two subgroups), all constructs exhibited acceptable construct validity and reliability. The factor loadings for each item and the Cronbach’s alpha values for each construct in each data set are summarized in Table 10 in Appendix B.
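As an added check on the reliability step just described (not the authors' code or data), the script below computes Cronbach's alpha in plain Python and adds the alpha-if-item-deleted screen that points at an item which does not belong with the rest of its construct. The five-item construct, the item names ITEM1 to ITEM5, the response distribution and the 0.6 floor used for flagging are all constructed for this illustration; the 0.6 and 0.707 cut-offs are the ones cited in the text.

```python
"""Cronbach's alpha with an alpha-if-item-deleted screen.

Added illustration on constructed 5-point Likert responses (not the paper's
data): four items track a shared latent score, a fifth is unrelated noise.
"""
import random


def variance(xs):
    """Sample variance (n - 1 denominator), as statistics packages report it."""
    n = len(xs)
    mean = sum(xs) / n
    return sum((x - mean) ** 2 for x in xs) / (n - 1)


def cronbach_alpha(items):
    """items: dict name -> list of responses of equal length.
    alpha = k/(k-1) * (1 - sum(item variances) / variance(scale total))."""
    k = len(items)
    if k < 2:
        raise ValueError("alpha needs at least two items")
    cols = list(items.values())
    n = len(cols[0])
    totals = [sum(col[i] for col in cols) for i in range(n)]
    return k / (k - 1) * (1 - sum(variance(c) for c in cols) / variance(totals))


def alpha_if_deleted(items):
    """Alpha recomputed with each item dropped in turn."""
    return {name: cronbach_alpha({k: v for k, v in items.items() if k != name})
            for name in items}


def flag_items(items, floor=0.6):
    """Return (alpha, meets_floor, items whose removal would raise alpha).
    The exploratory floor of 0.6 is assumed here; 0.707 is the stricter cut-off."""
    alpha = cronbach_alpha(items)
    suspects = [name for name, a in alpha_if_deleted(items).items() if a > alpha]
    return alpha, alpha >= floor, suspects


def likert(x):
    """Clamp a continuous score onto the 1..5 response scale."""
    return max(1, min(5, round(x)))


def simulate(n=300, seed=11):
    """Constructed responses: ITEM1..ITEM4 follow one latent score; ITEM5 is noise."""
    rng = random.Random(seed)
    latent = [rng.gauss(3, 0.8) for _ in range(n)]
    items = {f"ITEM{j}": [likert(l + rng.gauss(0, 0.4)) for l in latent]
             for j in range(1, 5)}
    items["ITEM5"] = [rng.randint(1, 5) for _ in range(n)]
    return items


if __name__ == "__main__":
    items = simulate()
    alpha, ok, suspects = flag_items(items)
    print(f"alpha (all five items) = {alpha:.3f}, meets 0.6 floor: {ok}")
    for name, a in alpha_if_deleted(items).items():
        print(f"  alpha if {name} deleted = {a:.3f}")
    print("items whose removal raises alpha:", suspects)
```

On the constructed data the five-item scale clears the 0.6 floor, so a floor check alone would pass it; only the alpha-if-deleted column reveals that dropping ITEM5 raises alpha well above 0.8 while dropping any of the other four lowers it. That is the same kind of signal the factor-loading screen gives for an item such as EXP1 loading onto another construct, and it is worth reporting alongside the loadings.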
Results
Multiple linear regression analysis was conducted to test the hypotheses. Table 7 shows the regression analysis results. A standard multiple regression was performed first on the whole data set and then on student and employee (faculty/staff) subgroups separately using the factor scores calculated by SPSS during the EFA described above. The regressions were run between self-reported email security behavior (BEH) as the dependent variable and Perceived Benefits (BEN), Perceived Barriers to Action (BAR), Self-efficacy (EFF), Perceived Vulnerability (VUL), Cues to Action (CUE), Prior Experience (EXP), and Perceived Severity (SEV). The hypothesized interactions were also analyzed. Analysis was performed using SPSS REGRESSION.
Table 7. Comparison of regression analysis results (coefficients, main effects plus interactions). Only EFF is significant across all three analyses. Dependent variable: BEH (email security behavior).

| Variables | Whole data set | Student responses | Employee responses |
|---|---|---|---|
| BEN (perceived benefits) | 0.105* | 0.148 | 0.125* |
| BAR (perceived barriers) | −0.110* | −0.041 | −0.087 |
| EFF (self-efficacy) | 0.472*** | 0.509*** | 0.393*** |
| VUL (perceived vulnerability) | 0.141** | 0.007 | 0.039 |
| CUE (cues to action) | 0.013 | 0.111 | −0.003 |
| EXP (prior experience) | 0.099* | 0.214* | −0.112 |
| SEV (perceived severity) | 0.012 | −0.138 | 0 |
| EXPxBEN | −0.092* | 0.006 | −0.136* |
| EXPxBAR | −0.031 | −0.051 | −0.056 |
| EXPxEFF | −0.151** | −0.234* | −0.043 |
| EXPxVUL | −0.081 | −0.047 | 0.022 |
| EXPxCUE | −0.049 | −0.039 | −0.031 |
| EXPxSEV | 0.059 | 0.071 | 0.073 |
| SEVxBEN | 0.082 | −0.259 | 0.089 |
| SEVxBAR | −0.023 | −0.290** | 0.047 |
| SEVxEFF | −0.095 | −0.021 | −0.057 |
| SEVxVUL | 0.098* | 0.134 | 0.067 |
| SEVxCUE | −0.049 | 0.128 | −0.152* |
| BENxEXPxSEV | −0.053 | −0.18 | 0.004 |
| EFFxEXPxSEV | 0.083 | 0.136 | −0.061 |
| VULxEXPxSEV | 0.053 | 0.046 | 0.118 |
| BARxEXPxSEV | 0.1 | 0.112 | 0.137 |
| CUExEXPxSEV | 0.051 | −0.003 | −0.08 |
| R² | 0.542 | 0.612 | 0.28 |
| Adjusted R² | 0.515 | 0.496 | 0.223 |
| Number of observations | 418 | 101 | 317 |

Significance: *P < .05, **P < .01, ***P < .001.
Comparison of regression analysis results. Only EFF is significant across all three analyses. Dependent variable: BEH (Email security behavior).
Whole data set
For the whole data set, R for the regression was significantly different from zero (F = 20.254, P < .001). R2 for the regression was 0.542, and the adjusted R2 of 0.515 indicates that slightly more than half of the variability in self-reported email security behavior is predicted by the model. Five of the seven IVs had regression coefficients significantly different from zero: perceived benefits (BEN, β = 0.105, P = .017, supporting H1), perceived barriers (BAR, β = −0.110, P = .015, supporting H2), self-efficacy (EFF, β = 0.472, P < .001, supporting H3), perceived vulnerability (VUL, β = 0.141, P = .001, supporting H4), and prior experience (EXP, β = 0.099, P = .015, supporting H6). All five are therefore significant determinants of our survey subjects’ email security behavior. The moderating effects of prior experience on perceived benefits (EXPxBEN, β = −0.092, P = .040, contradicting H6a) and on self-efficacy (EXPxEFF, β = −0.151, P = .003, supporting H6c) were significant, as was the moderating effect of perceived severity on perceived vulnerability (SEVxVUL, β = 0.098, P = .037, supporting H7d). No significant three-way interactions were identified.
Student subgroup
For the student subgroup, R for the regression was significantly different from zero (F = 5.282, P < .001). R2 for the regression was 0.612 and the adjusted R2 of 0.496 indicates that, amongst student subjects, just under half of the variability in self-reported email security behavior is predicted by the model. Two IVs, self-efficacy (EFF, β = 0.509, P < .001, supporting H3) and prior experience (EXP, β = 0.214, P = .026, supporting H6) were found to have coefficients significantly different from zero and are therefore significant indicators of student subjects’ email security behavior. It was found that prior experience significantly moderated the effects of self-efficacy (EXPxEFF, β = −0.234, P = .029, supporting H6c) and perceived severity significantly moderated the effects of perceived barriers (SEVxBAR, β = −0.290, P = .006, supporting H7b). As in the whole data set, no significant three-way interactions were identified in the student subgroup.
Employee subgroup
For the employee subgroup, R for the regression was significantly different from zero (F = 4.951, P < .001). R2 for the regression was 0.280 and the adjusted R2 of 0.223 indicates that, amongst employees, just under a quarter of the variability in self-reported email security behavior is predicted by the model. Two IVs, perceived benefits (BEN, β = 0.125, P = .039, supporting H1) and self-efficacy (EFF, β = 0.393, P < .001, supporting H3) were found to have coefficients significantly different from zero. It was found that prior experience significantly moderated the effects of perceived benefits (EXPxBEN, β = −0.136, P = .032, contradicting H6a) and perceived severity significantly moderated the effects of cues to action (SEVxCUE, β = −0.152, P = .041, contradicting H7e). Again, no significant three-way interactions were identified for the employee subgroup.
Discussion of results
Whole data set
For the whole data set, we found support for hypotheses H1, H2, H3, H4, H6, H6c, and H7d. Given the substantial differences in results for the student and employee subgroups, a detailed discussion of the results for the whole data set seems unnecessary. Most of the remainder of this paper will focus on the presentation and discussion of the support found for H9: the fact that we found substantial differences in each subgroup’s determinants of security behaviors.
That being said, we believe three findings need to be discussed from the overall results:
Perceived severity was not found to be a significant determinant of email security behavior in any of the analyses (whole sample, faculty/staff, and student subgroups).
Similarly, cues to action was not found to be a significant determinant in any of the analyses.
Self-efficacy was the only factor found to be a significant determinant in all three analyses.
The finding that perceived severity (SEV) is not a significant determinant is consistent with some past studies [10, 11], suggesting that perceived severity is a weak predictor of protective security behaviors. Given the prevalence of reporting on hacking, malware/bots, and ransomware, and the amount of phishing-specific training most employees receive, the potential harm of these attacks may simply be so well known that SEV has no impact as a main effect. This does not mean it should be ignored, however. Although the main effect of perceived severity was not significant in any of the data sets analyzed, it had significant moderating effects (interactions) in both the student and employee subgroups. These moderating effects differed between the two models and are discussed below in the appropriate sections.
The finding that cues to action are not significant in triggering adoption of email security behavior is surprising and deserves further study. It could result from bias in the CUE survey questions, which ask for predicted responses to hypothetical situations. Participants’ predictions of their responses to such cues may not line up with their self-reported behaviors; this form of questioning may simply have asked too much of the subjects. Other forms of cues to action, such as whether subjects have actually received such cues, might play a role in email security behaviors and should be explored in future work. Another option for future investigation would be to ask more direct questions about subjects’ responses to cues to action they have experienced, instead of asking them to predict responses to hypothetical cues.
A third result from this research that is quite clear is the finding that self-efficacy was the only latent factor found to be a significant determinant of email security behavior in all three data sets. These findings are consistent with our prior research [9], and other research presented in the literature [10, 11, 19, 41]. This suggests that institutions should continue to emphasize, and possibly even increase, efforts related to training on the identification of potential phishing attempts (and all forms of email security “scams”) and on the proper response to such attempts. Institutions should also continually test employees and students to make sure they become effective at identifying such attempts at breaching security, and that they know the proper responses to such threats when identified.
Student subgroup
For the student subgroup, the results indicated that self-efficacy and prior experience were significant in determining individuals’ email security behavior, i.e. H3 and H6 were supported. The finding of self-efficacy as a determinant to email security behavior is consistent with other studies [9–11]. The finding that prior experience is a determinant to email security behavior is consistent with the findings in [12]. When taking into consideration the interaction effects, we found that prior experience moderated the effects of self-efficacy and that perceived severity moderated the effects of perceived barriers to entry, i.e. H6c and H7b were supported.
As already noted, self-efficacy is a common determinant across most, if not all, information security behavior research. Therefore, the finding of support for H3 is no surprise to the authors—nor should it be to information security researchers reading this paper—and needs no further discussion here.
The results indicate that prior experience is a significant determinant of email security behavior (H6 supported). This tells us that students may be triggered to be more vigilant regarding email security when they hear stories of or experience phishing attacks.
H6c hypothesizes that prior experience with email-related security incidents will reduce the positive effect of self-efficacy on email-related security behaviors. As noted, our results support that hypothesis. Figure 2 shows the moderating effect prior negative experience has on the impact of self-efficacy on behavior (EXPxEFF). Because the slope of the high-experience line is much lower than that of the low-experience line, the plot suggests that, as prior experience increases, the impact of self-efficacy on behavior diminishes. Said differently: subjects with low self-efficacy showed a substantially greater tendency to perform antiphishing behaviors if they had a high level of prior experience with phishing than if they had a low level of experience, while subjects with high self-efficacy showed similar security behaviors regardless of experience. This is consistent with H6c. It suggests that organizations might benefit from informing stakeholders (employees and students, in the case of a university) of the occurrence and impact of phishing schemes as part of their training activities, so as to increase their level of experience with such events and improve their use of security behaviors. Further research into the impact that training and the dissemination of information have on users’ security behaviors is needed to provide more insight into how to help IT users (employees and students in the case of this research) be better stewards of IT security.

Figure 2. The moderating effect of prior experience on self-efficacy in the student subgroup. As student prior experience increases, the impact that self-efficacy has on behavior is diminished.
H7b hypothesizes that perceived severity of email-related security incidents reduces the negative effect that barriers to entry have on email-related security behaviors (SEVxBAR). Neither SEV nor BAR was a significant determinant of email security behavior on its own in the student data set, but their interaction was significant, which in principle supports H7b. Figure 3 depicts the moderating effect of perceived severity on barriers to entry. When student subjects believe the severity of a phishing attack is relatively low, behaviors actually improve as barriers increase, contradicting our hypothesis. When they believe the severity is high, behaviors worsen as barriers increase, as hypothesized. Under H7b we would expect the slopes of both lines to be negative, with the high-severity line flatter; we do not see that in Fig. 3. Given that neither main effect (SEV or BAR) was a significant determinant, this interaction, while statistically significant, may not be meaningful.

Figure 3. The moderating effect of perceived severity on perceived barriers in the student subgroup. We would expect the slopes of both lines to be negative.
Employee subgroup
In the employee subgroup, perceived benefits and self-efficacy were found to be significant determinants of subjects’ email security behavior. These findings support H1 and H3 and help validate prior literature on the subject [10]. They suggest that institutions might benefit from more training of employees on how to detect and respond to phishing attacks and from communicating to employees how they can benefit from doing so. The section “Implications for research and practice” examines this idea in more detail.
Prior experience was found to interact with perceived benefits. It produced a negative coefficient, contradicting our hypothesis (H6a) that prior experience with email-related security incidents would increase the positive effect of perceived benefits on email security behaviors (see Fig. 4). The plot in Fig. 4 shows that higher levels of experience dampen the effect of the perceived benefits of better email security behaviors. Further exploration of this question is needed to better understand why more experience with email security threats seems to dampen the impact of the perceived benefits.

Figure 4. The moderating effect of prior experience on perceived benefits in the employee subgroup. Higher levels of experience dampen the effect of the perceived benefits of better email security behaviors.
The interaction between perceived severity and cues to action also produced a negative coefficient, contradicting our hypothesis (H7e) that the perceived severity of email-related security incidents would increase the positive effect of cues to action on email security behaviors. Figure 5 shows that when perceived severity is high, behavior declines as cues to action increase, contradicting our hypothesis, whereas when perceived severity is low, behavior improves as cues to action increase, as hypothesized. Again, further investigation is needed to understand this interaction and its impact on email security behaviors. Under H7e we would expect the slopes of both lines to be positive, with the low-severity line flatter; we do not see that in Fig. 5. Given that neither main effect (SEV or CUE) was a significant determinant, this interaction, while statistically significant, may not be meaningful.

Figure 5. The moderating effect of perceived severity on cues to action in the employee subgroup. We would expect both slopes to be positive.
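The qualitative shape of the four moderation plots discussed above (Figs 2 to 5) can be recovered from the Table 7 coefficients alone, which is a useful check when reading any interaction row of such a table. The following Python is an added example and not code from the paper: it assumes the tabulated values are standardized regression coefficients and that the "low" and "high" lines of each plot correspond to the moderator held at one standard deviation below and above its mean, which is the conventional way such plots are drawn. The helper names (`simple_slope`, `probe`) and the flatness threshold are our own.

```python
"""Simple-slope probing of the two-way interactions reported in Table 7.

Added example, not part of the paper. Assumptions: the tabulated values are
standardized regression coefficients, and the "low"/"high" moderator lines in
Figs 2-5 correspond to the moderator held at -1 SD and +1 SD. Helper names
(simple_slope, probe) and the NEGLIGIBLE threshold are ours.
"""

# Main effects and two-way interactions copied from Table 7 (student column).
STUDENT = {
    "BEN": 0.148, "BAR": -0.041, "EFF": 0.509, "VUL": 0.007, "CUE": 0.111,
    "EXP": 0.214, "SEV": -0.138,
    "EXPxBEN": 0.006, "EXPxBAR": -0.051, "EXPxEFF": -0.234, "EXPxVUL": -0.047,
    "EXPxCUE": -0.039, "EXPxSEV": 0.071,
    "SEVxBEN": -0.259, "SEVxBAR": -0.290, "SEVxEFF": -0.021, "SEVxVUL": 0.134,
    "SEVxCUE": 0.128,
}

# Same rows, employee column of Table 7.
EMPLOYEE = {
    "BEN": 0.125, "BAR": -0.087, "EFF": 0.393, "VUL": 0.039, "CUE": -0.003,
    "EXP": -0.112, "SEV": 0.0,
    "EXPxBEN": -0.136, "EXPxBAR": -0.056, "EXPxEFF": -0.043, "EXPxVUL": 0.022,
    "EXPxCUE": -0.031, "EXPxSEV": 0.073,
    "SEVxBEN": 0.089, "SEVxBAR": 0.047, "SEVxEFF": -0.057, "SEVxVUL": 0.067,
    "SEVxCUE": -0.152,
}

# Below this magnitude a simple slope is treated as flat rather than as a
# genuine sign reversal (a judgement threshold, not a value from the paper).
NEGLIGIBLE = 0.05


def interaction_coef(coefs, focal, moderator):
    """Look up the product term regardless of which factor is named first."""
    for key in (f"{moderator}x{focal}", f"{focal}x{moderator}"):
        if key in coefs:
            return coefs[key]
    raise KeyError(f"no interaction term between {focal} and {moderator}")


def simple_slope(coefs, focal, moderator, level):
    """Slope of BEH on `focal` when `moderator` is held at `level` SD.

    With a product term in the model, d(BEH)/d(focal) = b_focal + b_int * moderator,
    so the main-effect coefficient is only the slope at the moderator's mean.
    """
    return coefs[focal] + interaction_coef(coefs, focal, moderator) * level


def probe(coefs, focal, moderator):
    """Return the low (-1 SD) and high (+1 SD) simple slopes and the pattern they form."""
    low = round(simple_slope(coefs, focal, moderator, -1.0), 3)
    high = round(simple_slope(coefs, focal, moderator, +1.0), 3)
    if low * high < 0 and min(abs(low), abs(high)) >= NEGLIGIBLE:
        pattern = "sign reversal"   # the two lines cross (Figs 3 and 5)
    elif abs(high) < abs(low):
        pattern = "weakened"        # high-moderator line is flatter (Figs 2 and 4)
    else:
        pattern = "strengthened"    # high-moderator line is steeper
    return {"low": low, "high": high, "pattern": pattern}


if __name__ == "__main__":
    for label, coefs, focal, mod in (
        ("Fig. 2 student EXPxEFF", STUDENT, "EFF", "EXP"),
        ("Fig. 3 student SEVxBAR", STUDENT, "BAR", "SEV"),
        ("Fig. 4 employee EXPxBEN", EMPLOYEE, "BEN", "EXP"),
        ("Fig. 5 employee SEVxCUE", EMPLOYEE, "CUE", "SEV"),
    ):
        r = probe(coefs, focal, mod)
        print(f"{label}: slope at low {mod} = {r['low']:+.3f}, "
              f"at high {mod} = {r['high']:+.3f} -> {r['pattern']}")
```

Running the script reproduces the patterns described in the text: the self-efficacy slope for students drops from 0.743 at low experience to 0.275 at high experience (Fig. 2), the barriers slope for students flips from positive at low severity to negative at high severity (Fig. 3), the benefits slope for employees falls to roughly zero at high experience (Fig. 4), and the cues slope for employees reverses sign with severity (Fig. 5). The derivative in `simple_slope` also makes explicit why a non-significant main effect combined with a significant product term can still yield two crossing lines: the main effect is only the slope at the moderator's mean.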
Differences between subgroups
It is difficult to explain the differences between the results from the two subgroups. This study did not set out to explore such differences. We will attempt to suggest reasons for these differences, but these are pure speculation on the part of the authors. They could be used as motivation for future research in this area. What we presented here on the group differences is exploratory and forms a first step toward investigating the impact of demographics on people’s security behavior. A thorough investigation into the group differences needs to be done in future work.
By comparing the significant determinants of email security behavior between the two subgroups, we found that self-efficacy impacts both students and employees’ email security behavior while perceived benefits only impact the employees and prior experience only impacts the students.
These differences may be related to the lack of experience and maturity seen in students when compared to the “adults” that make up the employee group. Students might simply focus more on themselves than on the big-picture concepts associated with the university perspective since their concern is to get an education and earn their degree. Their focus is, logically, on their efforts to learn and enjoy life as a college student. They have not gained the wisdom that experience in the professional world provides and therefore are not really expected to see how their actions might impact the larger institution. In fact, a survey such as this one might be the first time they have considered such things in any depth.
It could be possible that employees see the prevention of a security breach as having a bigger impact (benefit—BEN) on their lives due to the fact that being the victim of a phishing scam could impact their ability to earn income and live the life they have become accustomed to. While it is unlikely that falling victim to such a scam would cause them to lose their jobs, it is easy to think that employees might see harm to their reputation in the workplace resulting from such a situation. They could then easily conclude that such a situation could harm their ability to progress in their career at the institution or, at a minimum, delay career progress while they rebuild their reputation.
Students likely do not see a long-term personal impact of falling victim to such a scam. Younger generations tend to see themselves as invulnerable to many things. They might not put that much weight in avoiding such problems given that the biggest impact they might see is that they would have to use school computers to do schoolwork while they get their personal computer “disinfected.”
Students (“the younger generation”) might not have the wisdom gained from earning an income and supporting oneself to see the immediate impact successful phishing attacks might have on themselves. This might explain why prior experience is a significant determinant of email security behavior for them and not for employees. Maybe they need to “see it, to believe it”—seeing triggers to more vigilant behavior in reports and stories of phishing attacks.
While these statements are pure speculation on the part of the authors of this paper, they support the idea that investigation into the development of a cybersecurity culture is an ongoing need as stated in [42]. Understanding the roles and behaviors of different stakeholders in that culture could surely benefit those trying to build one.
Based on adjusted R2 values, the HBM-based research model used in this study explains much more of the variance in behavior for students (0.496) than for faculty/staff (0.223). Gratian et al. [43] surveyed 369 students, faculty, and staff at a large public university about their cybersecurity behavior intentions. Their results highlighted individual differences in security behavior intention and suggested that security decisions depend on the environment. This supports the idea that further investigation into the security behaviors of different categories of stakeholders, and how they fit into the overall university environment, is needed.
Comparison of our results to other HBM-phishing studies
Table 8 summarizes the results of recent studies investigating email security (phishing) behaviors alongside our subgroup results. As is typical of information security behavior research, self-efficacy dominates the findings of these papers, and our study confirms that pattern. The only other factor that shows some consistency as a significant determinant of email security behaviors is the perceived benefits of proper, vigilant email security behavior.
Comparison of HBM Phishing study results. Self-efficacy and benefits significant in multiple studies.
. | Ng et al. [10] | Schymik and Du [9] | Ehizibue [19]^a | Our employee subgroup | Our student subgroup |
---|---|---|---|---|---|
Security focus | Phishing | Phishing | Phishing | Phishing | Phishing |
BEN—benefits | X | X | X | | |
BAR—barriers to practice | X | | | | |
SEF—Self-efficacy | X | X | X | X | X |
VUL—Vulnerability | X | | | | |
CUE—Cues to action | X | | | | |
EXP—Experience | X | | | | |
SEV—Severity | X | | | | |
Significant interactions | SEV xBEN xCUE xGEN xSEF | EXP xBAR xCUE | Knowledge xCUE xIMP | SEV xCUE, EXP xBEN | SEV xBAR, EXP xEFF |
^a Ehizibue also found a new factor, Perceived Importance, to be significant.
X indicates a significant main effect.
Implications for research and practice
This study presents findings of what drives people’s email security behaviors by surveying a large population including students, faculty, and staff at one midwestern public master’s granting university. This research reinforces prior work applying the HBM to preventative information security behaviors by indicating the importance of self-efficacy and perceived benefits as key determinants of preventative behavior when it comes to identifying and avoiding phishing emails and adds to the limited amount of existing research applying the HBM to preventative information security behaviors.
For academics, this study expands upon the prior research [9–11] by using a single survey of a much broader subject population that includes both students and employees, thus improving the validity/applicability of those prior studies. Our findings also showed differences between students and employees in the determinants of their email security behavior. These findings highlight the importance of future work investigating group differences to gain a better understanding of people’s security behavior.
As noted above, this study is the first step down that path: it has identified a difference between the groups. Questions arise as to the real differences between the groups. To be specific, two questions stand out to the authors:
Why are the benefits of email security practices significant predictors for the employees but not the students?
Why is prior experience with attempts at security breaches via email a significant predictor for students but not for employees?
Are the differences driven primarily by the age of the subjects? By the amount of work experience? Is there something beyond age and work experience that separates students from employees at a university? All are valid questions worthy of further investigation.
Our findings also have implications for practitioners in the field of information security. The results from the combined subgroups suggest that self-efficacy, perceived vulnerability, perceived benefits, perceived barriers, and prior experience all have an impact on people’s email behavior. These findings are broadly consistent with prior research [9, 11, 16, 17]. The moderating effects of perceived severity and prior experience were also identified. These findings shed light on the design of information security awareness programs. Such programs should focus on training users on how to practice email security behaviors by emphasizing the vulnerability of the institution to such attacks and the severity of the consequences of successful phishing attacks. This will also help users to better understand the benefits of practicing email security behavior and realize that it is worth the effort to practice email security behaviors even though it requires more time and effort.
More specific recommendations on improving training include going beyond self-efficacy in training programs. Most cybersecurity phishing training the authors have experienced emphasizes the ability to identify phishing scam emails. This is most likely because self-efficacy is well known as a determinant of information security behaviors in the literature (and it was significant in all three of our analyses). But this may be a limitation if the emphasis is placed too heavily, or solely, on rules for identifying potential scams. An overemphasis on self-efficacy in training might help explain why, in a recent QuickPoll conducted by EDUCAUSE [44], only 38% of responding institutions (n = 160) rated their training “Effective” or “Very Effective.” Our finding that the perceived benefits of applying preventive security behavior (BEN) are a significant determinant of that behavior suggests that faculty and staff training should include, or increase, activities that remind trainees of the benefits of taking the training seriously and learning to identify and avoid these scams. One suggestion would be that, instead of relying heavily on the once-per-year, rule-based training offered by many institutions, institutions send out regular reminders that staying vigilant supports the endeavors of all members of the institution by dramatically reducing the likelihood of disruption caused by ransomware or other attacks. Another would be to go beyond such simple reminders and add more formal mindfulness training such as that described in [45].
The first suggestion for dealing with the student subgroup would be to actually train them. According to the EDUCAUSE QuickPoll cited above [44], only about 36% of responding institutions ask students to participate in training (this may rise to as much as 50% of responding institutions if student workers are included). Given that self-efficacy is one of only two significant determinants of our students’ behavior in this study, the same rule-based awareness training should help students detect and avoid attacks. The mindfulness training mentioned above [45] would likely also be beneficial. Student training should also find ways to increase students’ experience with unsafe emails. This might include more active testing of students with dummy emails and phishing sites that remind them of what could have happened had the links they clicked led to real phishing sites. It is possible that barriers to entry in the form of IRB approvals for student training are what prevent institutions from asking students to participate in cybersecurity training. Our findings suggest that a battle with the IRB might be a worthwhile endeavor if it results in better detection and avoidance of cyber threats.
Limitations and future work
This study has several limitations that warrant discussion here. This is survey-based research examining the determinants of adopting email security behaviors. As survey research, it relies on self-reported behavioral information which could lead to self-reporting bias. Direct measurement of individual survey respondent’s email security behavior is difficult to perform and would likely result in biasing the survey responses if done in close temporal proximity to the administration of the survey. And, in the case of students, it would likely be a challenge to get IRB approval.
There may be limitations in our application of the research model, and the questions in some constructs should be explored further. One observation worth noting is that item EXP1 loaded on the VUL factor in the whole and employee data sets (it was dropped from the student data set due to low factor loading). Unlike the other EXP questions, which ask about the frequency or level of impact of unsafe emails (see Table 9 in Appendix A), EXP1 asks how often the respondent receives unsafe emails. Rather than measuring prior experience, this question measures the participant’s perception of how often they receive unsafe email, which may explain why it loaded as a vulnerability question: it leans toward personal risk or susceptibility to a security incident. Researchers should consider this when conducting surveys using this model in the future.
The questions in the prior experience construct need to be studied further to make sure these questions are truly measuring the complete range of prior experience with phishing schemes. The current set of questions focuses on prior experience as a negative and only one of them attempts to measure the impact of a phishing event without a timeframe. Could positive experiences resulting from the training subjects may have received, or other experiences with reacting to the phishing attempts, be measured and have a positive impact on future behavior? Could adding a timeframe and refining the scales contribute to a more accurate measurement of the construct? Those deserve further exploration. The cues to action questions also need to be explored further to determine if other forms of cues to action, such as awareness messages or possibly something related to Social Proof, might have a different effect on email security behaviors than the cues we explored. Refining questions and their scales following standardized processes for scale development [46] and limiting the number of constructs tested in a research model (to keep survey length manageable) might lead to more informative results.
No significant three-way interaction was detected in this study. We added this analysis and a set of hypotheses after we had collected our survey responses, based on a review of our statistical methods indicating that three-way terms should be included when a model has multiple moderators [33]. A possible reason for the null result is that our sample size is not large enough to detect three-way interactions. Heo and Leon [47] conducted simulation studies and concluded that the sample size needed to detect a three-way interaction is 4-fold that needed for a two-way interaction. The non-significant three-way interactions in this study therefore do not indicate that such interactions do not exist; we now believe our sample is simply too small to test for them adequately, and suggest that future research use a larger sample to enable proper analysis of these potential effects.
Specific limitations of the HBM in privacy and security research
Considering the results of this study along with those of others using the HBM as the theoretical basis for their investigations (see Table 1 for a summary of other studies’ results), one might conclude that a different theoretical foundation is needed. Research into the security behaviors of individuals has typically found only two to five of the seven main-effect factors in the model to be significant determinants of subjects’ self-reported behavior. It should also be noted that beyond self-efficacy, there is little consistency in the other one to four significant determinants across the studies done to date (see Table 8 for a comparison of HBM-based phishing study results). While logic and some literature (most recently [20, 21]) suggest that the HBM be used as guidance for research and practice in the area of information security, the investigatory studies appear to suggest that a better model might provide a more robust picture of what drives security behaviors. Such an investigation into improving the model would heed Burton-Jones et al.’s recent call to action on “IS Theorizing” [48]. The HBM would fit into their “Theory as Lens” category [48, Table 3, p. 306]. Further refinement of the model might help improve the HBM as one of a diverse set of lenses used to study preventive IS security behaviors. This study’s findings help validate prior HBM-based results and provide some detailed insight into how a university might improve its email security (phishing) training. The discussion of a better model here simply indicates that, as in most cases, the theoretical model presented here could be improved to provide even deeper insight into the topic.
Conclusion
This study investigated the factors that impact people’s email security behavior. The students, faculty, and staff at a public university were surveyed about their intentions and behaviors when using email. Substantial differences were found in the determinants of security behaviors between the two subgroups in our study. The moderating effects of perceived severity and prior experience were also identified and discussed.
This study makes several contributions to the literature. It validates prior findings that self-efficacy is a significant driver of security behavior. It adds to the limited set of studies applying the HBM to preventative email security behaviors (phishing). It presents suggestions for improving email security training in academic institutions. Finally, it suggests paths for further research on the subject of security behaviors.
Author contributions
Jie Du (Conceptualization [equal], Formal analysis [equal], Methodology [equal], Writing – original draft [equal], Writing – review & editing [equal]), Andrew Kalafut (Conceptualization [equal], Methodology [equal], Writing – review & editing [equal]), and Gregory Schymik (Conceptualization [equal], Methodology [equal], Project administration [lead], Writing – original draft [equal], Writing – review & editing [lead])
Conflict of interest
None declared.
Funding
This research did not receive any specific grant from funding agencies in the public, commercial, or not-for-profit sectors.