Cybersecurity breaches leading to compromised personal data and violations of privacy are an increasing concern for both organisations and individuals, and despite people becoming more alert to such threats, they are still the “weakest link in the cybersecurity chain”. It is therefore vital to heighten individuals’ cybersecurity awareness and ensure that they are motivated to take appropriate actions against these threats.
Within the information security literature, a popular model used to examine how people cope and make decisions when facing cybersecurity threats is the protection motivation theory (PMT); a core assumption of which is that if a threatening message causes fear in an individual, then the individual will be more motivated to engage in behaviours that reduce the said fear. However, inconsistent findings in prior research regarding the relationships within PMT have prompted a recent study by Ka Chung Ng, Xiaojun Zhang, James Y. L. Thong, and Kar Yan Tam to re-examine the core assumption and underlying mechanisms of PMT in order to gain a better understanding of what motivates individuals to engage in protection behaviours against cybersecurity threats.
Indeed, while fear can motivate someone to engage in protection behaviours, a simultaneous force, namely maladaptive rewards, can inhibit them from taking the recommended action. PMT assumes that individuals will choose the recommended action only if they think that the threat outweighs the maladaptive rewards; however, this is an oversimplification, and more often than not, people will perceive similar levels of security threat and maladaptive rewards at the same time. Instead, the authors argue that a fear appeal likely acts as a trigger of attitudinal ambivalence: “a state in which individuals experience simultaneous positive and negative evaluations toward an attitude object”.
Drawing on the attitudinal ambivalence theory, the authors apply the concept to the information security context and argue that maladaptive rewards (e.g., time, effort, pleasure, etc.) gained by not adopting security protection behaviours in PMT is the most salient factor that can give rise to attitudinal ambivalence when individuals process fear. Based on a field experiment involving 1,383 individuals facing potential cyberattacks on their emails, the authors use polynomial regression and surface response analysis to gain a more holistic and nuanced picture of the effects of PMT antecedents on attitudinal ambivalence.
They find that attitudinal ambivalence is generated when someone’s evaluation of maladaptive rewards is at odds with their evaluations of social norms. In turn, this attitudinal ambivalence, formed during the fear appraisal process, has a direct impact on their protection motivation and coping appraisal process; a process which evaluates the effectiveness, difficulty, and cost of engaging in the recommended protection behaviours.
From the theoretical standpoint, the study makes several important contributions to the cybersecurity literature. First, the authors provide a new and alternative explanation for how PMT operates, empirically validating that the aforementioned inconsistent findings may be because of attitudinal ambivalence. Second, they show that attitudinal ambivalence emerges when a person simultaneously examines the intrapersonal (their thoughts and feelings about cybersecurity threats) and interpersonal (social norms) appraisal processes. Third, the study is among the first to explain individuals’ coping appraisal and protection motivation using the attitudinal ambivalence theory. Fourth, the authors identify maladaptive rewards as an important source of attitudinal ambivalence in the cybersecurity context and pair it with constructs representing the positive evaluation toward protection behaviours against cybersecurity threats.
In terms of the managerial implications, the study provides key insights for organisations regarding the negative consequences of attitudinal ambivalence and how it can significantly affect individuals’ coping appraisal process. Specifically, the authors highlight why organisations need to spend more time and effort designing and deploying appropriate and effective fear appeals that deliver the intended persuasive message to reduce the possibility of triggering attitudinal ambivalence and encourage the adoption of cybersecurity protection behaviours.