تاثیر آگاهی از تهدید امنیت اطلاعات در رفتارهای محافظتی حریم خصوصی The impact of information security threat awareness on privacy-protective behaviors

1. Introduction Continued integration of technology into everyday life exposes technology users to growing security and privacy risks. According to a survey of Chief Information Officers by PricewaterhouseCoopers, 42.8 million security incidents were detected in 2016, showing a 48% increase over the previous year (PricewaterhouseCoopers, 2017). The economic impact of the security breaches is estimated at nearly half a trillion dollars globally (Ponemon Institute, 2017). Password breaches are one of the most common information security failures. Although there is a considerable body of research on the best practices in secure computing (Fernandez-Aleman, Senor, Lozoya, & Toval, 2013; Yang & Tate, 2012; Zeng, Wang, Deng, Cao, & Khundker, 2012), companies continue to struggle with preventing password breaches. In 2015, the Central Intelligence Agency discovered that 47 government agencies, including the Department of Homeland Security, were compromised, giving the hackers access to over 21 million government employee accounts (Hirschfield Davi, 2015). Equifax, one of the three largest credit agencies, recently reported that it suffered a breach that affected 143 million consumers (McMillan & Knutson, 2017) and Yahoo announced that over three billion user accounts were impacted in the previously reported breach (Andriotis & McMillan, 2017). These events indicate that secure password selection and protection remains a problematic area of practice that merits further research. News of security breaches feeds a parallel trend in modern society because they exacerbate concerns about potential privacy violations. Increased reliance on technology to store and communicate personally identifiable information exposes technology users to ever-growing privacy risks. Yet, researchers have found that, seemingly in contradiction to increasing privacy concerns, people continue to disclose ever-growing volume of personal information online (Barnes, 2006) and this trend shows no signs of slowing down. Recent social media statistics show that Facebook users share over 300 million images through the social network platform every day (Zephoria Digital Marketing, 2017). The growing frequency of security incidents along with the mounting volume of technology-mediated information disclosure raises the question of how to motivate technology users to protect themselves. Interdisciplinary research has established that people have two alternative information processing systems: automatic (fast) and effortful cognitive (slow) (Kahneman, 2011). The cognitive approach to motivating employee compliance with organizational security policies has been a central theme in Information System search (Sommestad, Karlzen,
& Hallberg, 2015). However, little is known about the automatic reactions of technology users to immediate perceived privacy and security threats. We draw on the Information Processing (IP) framework (Beck & Clark, 1997), which emphasizes automatic threat mitigation in response to threatening stimuli and we conduct an experimental study to evaluate the effects of an exposure to information security threats on the strength of passwords and disclosure of personal information. We manipulate the exposure to information security threats by showing the participants different types of news stories. The control group is exposed to general technology-related news, while the treatment group is exposed to computer security breach related stories. For these two conditions, we evaluate the differences in two behavioral variables: the strength of passwords chosen by participants to protect their responses and the degree of refusal to answer personal questions in a self-disclosure survey.