The Effects of Awareness Programs on Information Security in Banks: The Roles of Protection Motivation and Monitoring

  • Stefan BauerEmail author
  • Edward W.N. Bernroider
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9190)


Our aim is to understand how information security awareness (ISA) programs affect the intention of employees for compliant information security behavior. We draw on Protection Motivation Theory (PMT) to uncover indirect influences of ISA programs, and seek to identify the extent to which intention translates into actual compliance is contingent on monitoring. Based on partial least squares structural equation modeling analysis of 183 survey responses consisting of German bank employees, we find strong empirical evidence for the importance of ISA programs, protection motivation and monitoring. While ISA programs effectively change how employees cope with and assess security threats, only coping appraisal is an important condition for the positive behavioral effects of such programs to occur. However, ISA programs may cause a false sense of security, as vulnerability perceptions are reduced by consuming ISA programs but not affecting intentions for compliant security behavior. Perceived monitoring strengthens this confirmed intention-behavior link.


Information security awareness programs Protection Motivation Theory Employee security behavior PLS-SEM Moderation effect 


  1. 1.
    Albrechtsen, E., Hovden, J.: The information security digital divide between information security managers and users. Comput. Secur. 28(6), 476–490 (2009)CrossRefGoogle Scholar
  2. 2.
    Baron, R.M., Kenny, D.A.: The moderator-mediator variable distinction in social psychological research: conceptual, strategic, and statistical considerations. J. Pers. Soc. Psychol. 51(6), 1173–1182 (1986)CrossRefGoogle Scholar
  3. 3.
    Bauer, S., Bernroider, E.W.N.: IT operational risk awareness building in banking companies: a preliminary research design highlighting the importance of risk cultures and control systems. In: Janczewski, L. (ed.) Proceedings of the International Conference on Information Resource Management 2013 (Conf-IRM 2013), Natal, pp. 1–4 (2013)Google Scholar
  4. 4.
    Bauer, S., Bernroider, E.W.N.: IT operational risk management practices in austrian banks: preliminary results from exploratory case study. In: Nunes, M.B. (ed.) Proceedings of the International Conference Information Systems 2013, pp. 30–38. IADIS Press, Lissabon (2013)Google Scholar
  5. 5.
    Bauer, S., Bernroider, E.W.N., Chudzikowski, K.: End user information security awareness programs for improving information security in banking organizations: preliminary results from an exploratory study. In: AIS SIGSEC Workshop on Information Security & Privacy (WISP 2013), Milano (2013)Google Scholar
  6. 6.
    Behrend, T.S., Sharek, D.J., Meade, A.W., et al.: The viability of crowdsourcing for survey research. Behav. Res. Methods 43(3), 800–813 (2011)CrossRefGoogle Scholar
  7. 7.
    D’arcy, J., Hovav, A.: Does one size fit all? Examining the differential effects of is security countermeasures. J. Bus. Ethics 89(1), 59–71 (2008)Google Scholar
  8. 8.
    Eminağaoğlu, M., Uçar, E., Eren, Ş.: The positive outcomes of information security awareness training in companies – a case study. Inf. Secur. Tech. Rep. 14(4), 223–229 (2009)CrossRefGoogle Scholar
  9. 9.
    Floyd, D.L., Prentice-Dunn, S., Rogers, R.W.: A meta-analysis of research on protection motivation theory. J. Appl. Soc. Psychol. 30, 407–429 (2000)CrossRefGoogle Scholar
  10. 10.
    Goldstein, J., Chernobai, A., Benaroch, M.: An event study analysis of the economic impact of it operational risk and its subcategories. J. Assoc. Inf. Syst. 12, 606–631 (2011)Google Scholar
  11. 11.
    Hagen, J.M., Albrechtsen, E., Hovden, J.: Implementation and effectiveness of organizational information security measures. Inf. Manag. Comput. Secur. 16, 377–397 (2008)Google Scholar
  12. 12.
    Hair, J.F., Hult, G.T.M., Ringle, C.M., et al.: A Primer on Partial Least Squares Structural Equation Modeling (PLS-SEM). Sage, Thousand Oaks (2013)Google Scholar
  13. 13.
    Hair, J.F., Sarstedt, M., Ringle, C.M., et al.: An assessment of the use of partial least squares structural equation modeling in marketing research. J. Acad. Mark. Sci. 40, 414–433 (2011)CrossRefGoogle Scholar
  14. 14.
    Herath, T., Rao, H.R.: Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decis. Support Syst. 47, 154–165 (2009)CrossRefGoogle Scholar
  15. 15.
    Herath, T., Rao, H.R.: Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur. J. Inf. Syst. 18, 106–125 (2009)CrossRefGoogle Scholar
  16. 16.
    Hu, Q., Dinev, T., Hart, P., et al.: Managing employee compliance with information security policies: the critical role of top management and organizational culture. Decis. Sci. 43, 615–659 (2012)CrossRefGoogle Scholar
  17. 17.
    Ifinedo, P.: Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory. Comput. Secur. 31, 83–95 (2012)CrossRefGoogle Scholar
  18. 18.
    Johnston, A.C., Warkentin, M.: Fear appeals and information security behaviors: an empirical study. MIS Q. 34, 549–566 (2010)Google Scholar
  19. 19.
    Kajzer, M., D’arcy, J., Crowell, C.R., et al.: An exploratory investigation of message-person congruence in information security awareness campaigns. Comput. Secur. 43, 64–76 (2014)CrossRefGoogle Scholar
  20. 20.
    Lebek, B., Uffen, J., Neumann, M., et al.: Information security awareness and behavior: a theory-based literature review. Manag. Res. Rev. 37, 1049–1092 (2014)CrossRefGoogle Scholar
  21. 21.
    Meso, P., Ding, Y., Xu, S.: Applying protection motivation theory to information security training for college students. J. Inf. Priv. Secur. 9, 47–67 (2013)CrossRefGoogle Scholar
  22. 22.
    Milne, S., Orbell, P.S., Orbell, S.: Prediction and intervention in health-related behavior: a meta-analytic review of protection motivation theory. J. Appl. Soc. Psychol. 30, 106–143 (2000)CrossRefGoogle Scholar
  23. 23.
    Orx: ORX report on operational risk loss data. In: Operational Riskdata eXchange Association (2014)Google Scholar
  24. 24.
    Padayachee, K.: Taxonomy of compliant information security behavior. Comput. Secur. 31, 673–680 (2012)CrossRefGoogle Scholar
  25. 25.
    Pahnila, S., Siponen, M., Mahmood, M.A.: Employees’ behavior towards is security policy compliance. In: Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS 2007). IEEE, Hawaii (2007)Google Scholar
  26. 26.
    Puhakainen, P., Siponen, M.: Improving employees’ compliance through information systems security training: an action research study. MIS Q. 34, 757–778 (2010)Google Scholar
  27. 27.
    Ringle, C., Wende, S., Will, A.: SmartPLS 2.0 (beta). In: Hamburg Uo (ed.) (2005)Google Scholar
  28. 28.
    Rogers, R.W.: A protection motivation theory of fear appeals and attitude change. J. Psychol. 91, 93–114 (1975)CrossRefGoogle Scholar
  29. 29.
    Sarstedt, M., Ringle, C.M., Hair, J.F.: PLS-SEM: indeed a silver bullet. J. Mark. Theory Pract. 19, 139–152 (2011)CrossRefGoogle Scholar
  30. 30.
    Siponen, M., Mahmood, M.A., Pahnila, S.: Employees’ adherence to information security policies: an exploratory field study. Inf. Manag. 51, 217–224 (2014)CrossRefGoogle Scholar
  31. 31.
    Siponen, M., Pahnila, S., Mahmood, M.A.: Compliance with information security policies an empirical investigation. IEEE Comput. 43(2), 64–71 (2010)CrossRefGoogle Scholar
  32. 32.
    Sobel, M.E.: Asymptotic confidence intervals for indirect effects in structural equation models. In: Leinhardt, S. (ed.) Sociological Methodology, pp. 290–312. American Sociological Association, Washington DC (1982)Google Scholar
  33. 33.
    Tsohou, A., Karyda, M., Kokolakis, S., et al.: Managing the introduction of information security awareness programmes in organisations. Eur. J. Inf. Syst. 24(1), 38–58 (2013)CrossRefGoogle Scholar
  34. 34.
    Vance, A., Siponen, M., Pahnila, S.: Motivating IS security compliance: insights from habit and protection motivation theory. Inf. Manag. 49, 190–198 (2012)CrossRefGoogle Scholar
  35. 35.
    Workman, M.: A field study of corporate employee monitoring: attitudes, absenteeism, and the moderating influences of procedural justice perceptions. Inf. Organ. 19, 218–232 (2009)CrossRefGoogle Scholar
  36. 36.
    Workman, M., Bommer, W.H., Straub, D.: Security lapses and the omission of information security measures: a threat control model and empirical test. Comput. Hum. Behav. 24, 2799–2816 (2008)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Vienna University of Economics and BusinessViennaAustria

Personalised recommendations