Mitigating the Ransomware Threat: A Protection Motivation Theory Approach

  • Jacques OphoffEmail author
  • Mcguigan Lakay
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 973)


Ransomware has emerged as one of the biggest security threats to organizations and individuals alike. As technical solutions are developed the creators of ransomware are also improving the sophistication of such attacks. A combination of technical and behavioral measures is required to deal with this problem. This study investigates computer users’ motivation to adopt security measures against ransomware, using protection motivation theory (PMT) as a theoretical foundation. We conducted empirical research, using a survey methodology, collecting data from 118 respondents. Using partial least squares structural equation modelling our analysis provides support for several factors influencing protection motivation in this context. These include perceived threat severity and perceived threat vulnerability, mediated by fear. Self-efficacy is shown as a significant coping factor. Maladaptive rewards and response costs both have a significant negative influence on protection motivation. The results provide support for the use of fear appeals and PMT to influence protection motivation in the context of ransomware threats.


Ransomware Malware Cybersecurity Protection motivation theory Fear appeal 



This work is based on the research supported wholly/in part by the National Research Foundation of South Africa (Grant Numbers 114838).


  1. 1.
    Whitman, M.E., Mattord, H.J.: Principles of Information Security. Cengage Learning, Boston (2011)Google Scholar
  2. 2.
    Al-rimy, B.A.S., Maarof, M.A., Shaid, S.Z.M.: Ransomware threat success factors, taxonomy, and countermeasures: a survey and research directions. Comput. Secur. 74, 144–166 (2018)CrossRefGoogle Scholar
  3. 3.
    Investigation: WannaCry cyber attack and the NHS - National Audit Office (NAO).
  4. 4.
    Kharraz, A., Robertson, W., Kirda, E.: Protecting against ransomware: a new line of research or restating classic ideas? IEEE Secur. Priv. 16, 103–107 (2018)CrossRefGoogle Scholar
  5. 5.
    Mansfield-Devine, S.: Ransomware: taking businesses hostage. Netw. Secur. 2016, 8–17 (2016)CrossRefGoogle Scholar
  6. 6.
    Nadeau, M.: 11 ransomware trends for 2018. ransomware/11-ways-ransomware-is-evolving.html
  7. 7.
    Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M., Baskerville, R.: Future directions for behavioral information security research. Comput. Secur. 32, 90–101 (2013)CrossRefGoogle Scholar
  8. 8.
    Fimin, M.: Are employees part of the ransomware problem? Comput. Fraud Secur. 2017, 15–17 (2017)CrossRefGoogle Scholar
  9. 9.
    Johnston, A.C., Warkentin, M.: Fear appeals and information security behaviors: an empirical study. MIS Q. 34, 549-A4 (2010)CrossRefGoogle Scholar
  10. 10.
    Boss, S.R., Galletta, D.F., Benjamin Lowry, P., Moody, G.D., Polak, P.: What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Q. 39, 837–864 (2015)CrossRefGoogle Scholar
  11. 11.
    Gallegos-Segovia, P.L., Bravo-Torres, J.F., Larios-Rosillo, V.M., Vintimilla-Tapia, P.E., Yuquilima-Albarado, I.F., Jara-Saltos, J.D.: Social engineering as an attack vector for ransomware. In: 2017 CHILEAN Conference on Electrical, Electronics Engineering, Information and Communication Technologies (CHILECON), pp. 1–6 (2017)Google Scholar
  12. 12.
    Brewer, R.: Ransomware attacks: detection, prevention and cure. Netw. Secur. 2016, 5–9 (2016)CrossRefGoogle Scholar
  13. 13.
    Simmonds, M.: How businesses can navigate the growing tide of ransomware attacks. Comput. Fraud Secur. 2017, 9–12 (2017)CrossRefGoogle Scholar
  14. 14.
    Crossler, R.E., Bélanger, F., Ormond, D.: The quest for complete security: an empirical analysis of users’ multi-layered protection from security threats. Inf. Syst. Front., 1–15 (2017)Google Scholar
  15. 15.
    Rogers, R.W.: A protection motivation theory of fear appeals and attitude change. J. Psychol. 91, 93–114 (1975)CrossRefGoogle Scholar
  16. 16.
    Aurigemma, S., Mattson, T.: Exploring the effect of uncertainty avoidance on taking voluntary protective security actions. Comput. Secur. 73, 219–234 (2018)CrossRefGoogle Scholar
  17. 17.
    Herath, T., Rao, H.R.: Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur. J. Inf. Syst. 18, 106–125 (2009)CrossRefGoogle Scholar
  18. 18.
    Vance, A., Siponen, M., Pahnila, S.: Motivating IS security compliance: insights from habit and protection motivation theory. Inf. Manag. 49, 190–198 (2012)CrossRefGoogle Scholar
  19. 19.
    Rogers, R.W.: Cognitive and physiological processes in fear appeals and attitude change: a revised theory of protection motivation. Soc. Psychophysiol., 153–176 (1983)Google Scholar
  20. 20.
    Witte, K.: Fear control and danger control: a test of the extended parallel process model (EPPM). Commun. Monogr. 61, 113–134 (1994)CrossRefGoogle Scholar
  21. 21.
    Hair Jr., J.F., Hult, G.T.M., Ringle, C.M., Sarstedt, M.: A primer on partial least squares structural equation modeling. SAGE Publications Inc., Los Angeles (2016)zbMATHGoogle Scholar
  22. 22.
    Hair Jr., J.F., Sarstedt, M., Hopkins, L., Kuppelwieser, V.G.: Partial least squares structural equation modeling (PLS-SEM): an emerging tool in business research. Eur. Bus. Rev. 26, 106–121 (2014)CrossRefGoogle Scholar
  23. 23.
    Ringle, C.M., Wende, S., Becker, J.-M.: SmartPLS 3. SmartPLS GmbH (2015)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.University of Cape TownCape TownSouth Africa

Personalised recommendations