Many theories are used to explain and predict human behaviour. Protection Motivation Theory is one of those theories sometimes used by cybersecurity professionals to prepare their programs. Is it a good choice?
Ronald W. Rogers proposed the Protection Motivation Theory (Rogers, 1975) to explain the effect of fear appeal in communications on the audience’s attitude change. Initially, Rogers developed PMT to explain health-related behavioural changes like the impact of fear-appeal on smokers’ behaviour. In 1983, Rogers and Maddux revised the model to include self-efficacy as an influencing factor (Maddux & Rogers, 1983).
PMT suppose an effect of the perceived efficacy of coping response, the perceived self-efficacy to perform the coping response and the probability of the threat on the attitude towards the coping response. We summarised the different variables and their effects in the figure below: Protection Motivation Theory – variables and effects.
PMT is now also used in an information security context by different researchers. As Menard et al. (2017) showed in their literature review on PMT, its application to the information security field gives mixed results.
It was mainly used to explain the impact of threat perception and perceived self-efficacy on changes in security behaviours or attitude in a population (Chou & Sun, 2017; Grimes & Marquardson, 2019; Ismail et al., 2017; Jansen & van Schaik, 2018; Menard et al., 2017; Milne et al., 2009).
If we take the specific case of phishing, these studies did not provide a specific model. Still, they suggest that perceived self-efficacy and threat perception might play a role in the process of detecting phishing emails.
It is an interesting model for health prevention professionals, but probably not for human-centrric cyber security ones.
- Chou, H.-L., & Sun, J. C.-Y. (2017). The moderating roles of gender and social norms on the relationship between protection motivation and risky online behavior among in-service teachers. Computers & Education, 112, 83–96. https://doi.org/10.1016/j.compedu.2017.05.003
- Grimes, M., & Marquardson, J. (2019). Quality matters: Evoking subjective norms and coping appraisals by system design to increase security intentions. Decision Support Systems, 119, 23–34. Scopus. https://doi.org/10.1016/j.dss.2019.02.010
- Ismail, K. A., Singh, M. M., Mustaﬀa, N., Keikhosrokiani, P., & Zulkefli, Z. (2017). Security Strategies for Hindering Watering Hole Cyber Crime Attack. Procedia Computer Science, 124, 656–663. https://doi.org/10.1016/j.procs.2017.12.202
- Jansen, J., & van Schaik, P. (2018). Testing a model of precautionary online behaviour: The case of online banking. Computers in Human Behavior, 87, 371–383. Scopus. https://doi.org/10.1016/j.chb.2018.05.010
- Maddux, J. E., & Rogers, R. W. (1983). Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change. Journal of Experimental Social Psychology, 19(5), 469–479. https://doi.org/10/cbzjj7
- Menard, P., Bott, G. J., & Crossler, R. E. (2017). User Motivations in Protecting Information Security: Protection Motivation Theory Versus Self-Determination Theory. Journal of Management Information Systems, 34(4), 1203–1230. Scopus. https://doi.org/10.1080/07421222.2017.1394083
- Milne, G. R., Labrecque, L. I., & Cromer, C. (2009). Toward an understanding of the online consumer’s risky behavior and protection practices. Journal of Consumer Affairs, 43(3), 449–473. Scopus. https://doi.org/10.1111/j.1745-6606.2009.01148.x
- Rogers, R. W. (1975). A Protection Motivation Theory of Fear Appeals and Attitude Change1. The Journal of Psychology, 91(1), 93–114. https://doi.org/10/cb4jgn