Effect of long-term orientation on voluntary security actions

Salvatore Aurigemma (Computer Information Systems, University of Tulsa, Tulsa, Oklahoma, USA)
Thomas Mattson (Robins School of Business, University of Richmond, Richmond, Virginia, USA)

Information and Computer Security

ISSN: 2056-4961

Publication date: 11 March 2019

Abstract

Purpose

This paper aims to examine the impact an individual’s long-term orientation (a cultural dimension) has on their attitude, behavioral intention and actual voluntary security actions taken in the context of the dangers related to poor account access management.

Design/methodology/approach

The paper relied upon survey data and actual usage information from a culturally diverse sample of 227 individuals who were introduced to the specific security problem and the accepted solution of using a password manager application.

Findings

The paper provides empirical evidence that the effect of positive attitudes increased when individuals were more long-term oriented, but the effect was reversed for average/negative attitudes toward the voluntary security behavior. Furthermore, participants with high long-term orientation and strong positive attitudes toward the security action actually adopted password manager applications 57 per cent more than the average adoption rate across the sample.

Research limitations/implications

Due to the research approach (survey data), security context and sample population, the research results may lack generalizability.

Practical implications

The findings suggest that security awareness messaging and training should account for differences in long-term orientation of the target audience and integrate the distinctly different types of messages that have been shown to improve an individual’s participation in voluntary security actions.

Originality/value

The paper addresses previous research calls for examining possible cultural differences that impact security behaviors and is the only study that has focused on the impact of long-term orientation, specifically on voluntary security actions.

Keywords

Citation

Aurigemma, S. and Mattson, T. (2019), "Effect of long-term orientation on voluntary security actions", Information and Computer Security, Vol. 27 No. 1, pp. 122-142. https://doi.org/10.1108/ICS-07-2018-0086

Publisher

:

Emerald Publishing Limited

Copyright © 2019, Emerald Publishing Limited


1. Introduction

The password remains one of the primary defense mechanisms used to protect our digital data. For a variety of reasons, however, individuals often use poor password management practices such as reusing passwords across multiple websites or using generally weak passwords (CSID, 2012; Ofcom, 2015). Furthermore, cybercriminals specifically target individual passwords to gain access to both personal and corporate information resources, which amplifies the detrimental impact of poor password management practices (Beardsley et al., 2016). In organizations, corporate IT departments often mandate the use of strong passwords and require frequent password modifications on internal systems, but individuals have accounts on many other websites (i.e. banks, personal email accounts and social media accounts) outside the organization’s control. At these other websites, individuals often do not change their relatively weak passwords for extended periods of time (if ever) (Florencio and Herley, 2007; Liu et al., 2018). As a result, many individuals have a single password for multiple websites, which is highly problematic, especially if the password is relatively weak (Choong and Theofanos, 2015; Stobert and Biddle, 2014).

Dedicated password manager applications such as LastPass, Dashlane, KeePass or 1Password exist to help resolve these types of problems. A password manager is “software for storing all your passwords in one location that is protected and accessible with one easy-to-remember master passphrase” (Huth et al., 2013, p. 2). Both the highly reputable SANS Institute and the US Computer Emergency Readiness Team (US-CERT) recommend the use of password manager applications (Huth et al., 2013; Zeltser, 2015). However, the use of password managers inside of organizations is still mostly optional, and individuals’ adopting these solutions outside of the work environment is entirely voluntary, which has resulted in low adoption rates (Humphries, 2015; Liu et al., 2018). In light of this voluntary adoption decision, these low adoption rates may not be surprising because convincing individuals to perform voluntary information security actions can be a daunting challenge, especially when the action requires any amount of time, energy, and thought to implement.

One unique aspect of password manager applications relative to other security software such as anti-malware or data backup applications is the initially high setup costs associated with these applications. Depending on how many (and what types of) devices and websites that individuals have, they may have to invest a significant amount of time configuring the password manager to work correctly (Aurigemma and Mattson, 2018). This endeavor can be challenging, especially for a relatively novice or non-technical individual. Therefore, a password manager is a long-term solution to the problem of poor password management. Furthermore, the on-going use of password managers requires continuous effort to maintain as users join additional or drop out of existing password protected online communities and commercial websites, which is different from the voluntary adoption of anti-spyware or anti-virus controls (i.e. controls that run automatically in the background with minimal configuration required).

Interestingly, individuals socialized in different national cultures have varying virtues oriented toward future rewards, which is referred to as long-term orientation (LTO) (Hofstede, 2001). Certain cultures such as Sierra Leon, Ghana and Nigeria socialize their members to have a more short-term orientation (i.e. past and present are more important than the future) whereas other cultures such as China, Hong Kong and Taiwan socialize their members to have a more long-term orientation (i.e. future is more important than the past or present). Therefore, given the future oriented nature of password manager applications, it would be reasonable to predict that individuals socialized in different national cultures with varying time orientations would have different adoption intentions and actual adoption rates. However, this conjecture has not been theoretically or empirically investigated in the prior behavioral information security literature, specifically related to password manager adoption. Therefore, the following research question is addressed in this paper:

RQ.

What is the effect of long-term orientation on behavioral intentions to adopt voluntary information security controls, specifically password manager applications?

To theoretically and empirically answer this research question, the theory of planned behavior (TPB) was used as the theoretical foundation. The TPB has been used extensively in the behavioral information security literature but without the inclusion of LTO in any of the traditional paths (Bulgurcu et al., 2010; Dinev and Hu, 2007; Hu et al., 2011; Safa et al., 2015; Siponen et al., 2014; Wynn et al., 2012). Therefore, using this theory allowed the determination of the incremental impact that LTO had above and beyond the common factors that have previously been found to impact behavioral intentions to adopt (voluntarily) a variety of information security controls. The TPB also enabled contextualizing the presented LTO hypotheses in relation to previously established relationships.

To empirically test the impact of LTO in the TPB, a culturally diverse sample of 227 individuals participated in a two part survey (i.e. one measuring intentions and one measuring actual adoption). In this sample, LTO did not have a statistically significant main effect on password manager adoption intentions but it did have a qualifying effect on an individual’s attitudes toward adoption. The data show that the effect of positive attitudes on intentions to take voluntary security actions increased when individuals were more long-term oriented (relative to short-term oriented) but the effect was reversed for negative attitudes. The implication of these findings is that a one-size fits all approach to encourage voluntary information security actions (or intentions thereof) may not be the best approach, because individuals from different cultures have varying beliefs and values along many dimensions including (but not limited to) time orientation. Instead of relying upon a single set of culture-blind security messages and training for an “average” employee or individual, attention should be given to provide content in the security messaging that activates the inherent cultural biases of different individuals toward more positive attitudes and implementation of voluntary security actions.

2. Theoretical foundations

The existing research has relied on a number of theories such as psychological capital, general deterrence theory (GDT), the theory of planned behavior (TPB), protection motivation theory (PMT) and rational choice theory to explain the variability in information security-related behaviors (Aurigemma, 2013; Crossler et al., 2013). There are pros and cons associated with each one of these theoretical approaches. Therefore, under a given set of circumstances we can make a valid argument to use each one of them. Furthermore, there is no consensus among behavioral information security researchers as to which theory is the most appropriate to use for a specific situation, sample, and security-related action. For instance, the GDT may be more appropriate for mandatory information security actions whereas the TPB or PMT may be more appropriate for voluntary security actions. In this paper, the TPB is used because it is a parsimonious theory where the core paths are typically statistically significant with an average to above average amount of explained variance in a variety of information security contexts (Aurigemma and Mattson, 2017; Bulgurcu et al., 2010; Dinev and Hu, 2007; Guo et al., 2011; Ifinedo, 2014; Siponen et al., 2014).

2.1 The theory of planned behavior

The TPB assumes that individuals act rationally whereby their choices and behaviors are governed (in large part) by their behavioral intentions (Ajzen, 1991). The TPB specifically theorizes that individual actions are determined by attitudes (positive or negative state of mind), subjective norms (social pressures from relevant others), and self-efficacy (a sense of behavioral control) (Ajzen, 1991). Individuals with more positive attitudes, greater subjective norms, and higher self-efficacy toward the behavior will have a higher likelihood of performing the action. The TPB has been extensively and successfully used to explain a variety of information security behaviors and actions (Bulgurcu et al., 2010; Dinev and Hu, 2007; Guo et al., 2011; Hu et al., 2011; Ifinedo, 2014; Karahanna et al., 1999; Peace et al., 2003; Siponen et al., 2014; Wynn et al., 2012; Zhang et al., 2009).

The TPB certainly has limitations, which critics have extensively documented in the literature. For instance, critics have argued that the TPB ignores affective, cognitive, and other biases that impact human behaviors, which means that individuals are not inherently rational in their decision-making (McEachan et al., 2011). This critique attacks the core assumption (rational decision-making) of the TPB. However, Ajzen (2011) argues that many of these confounding factors are included in the definition and measurement of the primary TPB constructs. Furthermore, the TPB does not dictate that individual beliefs are completely free of irrational premises but instead argues that attitudes toward a goal-directed behavior, subjective norms, and a sense of behavioral control follow consistently from those beliefs (Ajzen, 2011; Geraerts et al., 2008).

In the TPB, a sense of behavioral control denotes a belief that individuals have the capability to perform a required action in the face of reasonable obstacles and/or facilitating conditions (Ajzen, 2002). Information security researchers typically use the self-efficacy construct to proxy for an individual’s sense of behavioral control (Bulgurcu et al., 2010). Self-efficacy represents individuals’ beliefs that they are capable of performing a specific behavior, which means higher self-efficacy results in greater effort to persist in the face of obstacles (Bandura, 1997). In some instantiations of the TPB, this sense of behavioral control is broken down into two antecedents with their own distinctive definitions and measures:

  1. self-efficacy; and

  2. perceived controllability (i.e. beliefs about the extent to which performing the behavior is up to the individual to carry out) (Taylor and Todd, 1995).

Many scholars have pointed out that there are similarities between perceived controllability and self-efficacy (Ajzen, 2002; Bulgurcu et al., 2010). These similarities have led some researchers to use them interchangeably in the behavioral information security literature (Bulgurcu et al., 2010; Herath and Rao, 2009; Ifinedo, 2012) and in other disciplines (Fishbein and Cappella, 2006; Fishbein and Yzer, 2003; Yi and Hwang, 2003). In this paper, the argument is presented that whether it is necessary and appropriate to decompose this construct depends on the type of voluntary information security action that is being investigated. For example, individuals’ self-efficacy about not reusing passwords across multiple websites may be very high because they feel very capable of following guidelines to generate strong, unique passwords for each website in their own work setting or personal computing environment. Yet, these same individuals may exhibit weak control-related beliefs if they are required to ensure that subordinates or family members (for example) not reuse passwords across multiple websites, because they obviously are not directly involved in coworker or family members’ password creation.

In the context of this study, the voluntary adoption of a password manager is an individual decision whereby control-related beliefs are not applicable. There are minimal (if any) control-related obstacles associated with this voluntary adoption, because we are not investigating managers who are responsible for convincing their direct reports (subordinates) to adopt (voluntarily) a password manager. Our context is a self-driven choice, which is effectively captured using the self-efficacy construct.

The attitude construct has arguably received the most attention from behavioral information security researchers. Antecedents for attitudes have been primarily developed using general deterrence theory (D’Arcy et al., 2009; Herath and Rao, 2009), protection motivation theory (Herath and Rao, 2009; Johnston and Warkentin, 2010; Ng et al., 2009; Safa et al., 2015; Workman et al., 2008; Wynn et al., 2012), and rational choice theory (Bulgurcu et al., 2010; Workman et al., 2008). Attitudes have received all of this attention in the literature because having a positive attitude toward an information security action is consistently one of the most important factors in motivating individuals to adopt voluntary information security controls. Changing individuals’ attitudes toward the security behavior is an important first place to start to motivate more secure behaviors. Therefore, the focus is on the attitude path in the TPB for this study and how culture may shape individuals’ attitudes toward a voluntary security action. How individuals are socialized in specific cultures influences their attitudes because different cultures develop different thought patterns, values, and culturally defined norms toward certain types of behaviors (Christie et al., 2003; Schein, 2010; Triandis, 1994).

2.2 Culture

Culture is an abstract construct that often means different things to different scholars. While a complete review of all of the previous definitions of culture is well beyond the scope of this paper, it is necessary to have a base understanding of what is meant by culture to fully understand the logical connection among the different constructs proposed in the study. Culture may be delimited at (among others) the group, community, occupation, and national levels (Hofstede, 2001; Triandis, 2000; Trice, 1993). In this paper, the theoretical interest is in national culture differences and uses the following classic definition of national culture:

Culture consists of patterns, explicit and implicit, of and for behavior acquired and transmitted by symbols, constituting the distinctive achievement of human groups, including their embodiments in artifacts; the essential core of culture consists of traditional (i.e., historically derived and selected) ideas and especially their attached values; culture systems may, on the one hand, be considered as products of action, on the other hand as conditioning elements of further action (Kroeber and Kluckhohn, 1952, p. 181).

The key aspect of this definition of culture as it pertains to this study is patterns of and for behaviors and the notion that individuals from different cultural groups exhibit different patterns of thought and behaviors. By this definition, culture plays an important role in determining how groups of people are socialized to behave and think both individually and collectively (O’Reilly et al., 1991; Qiu et al., 2013). Individuals in different parts of the world are socialized via social, political, economic, and educational means to process information differently and, as such, to make sense of the world differently. These cross-cultural differences shape individuals’ attitudes toward all types of actions (Christie et al., 2003). Cultural differences are evident in many different dimensions, which are also highly debated in the prior literature.

At the national level, information systems research has most commonly used Hofstede’s dimensions of national culture (power distance, uncertainty avoidance, individualism-collectivism, masculinity-femininity, long-term orientation and indulgence) to measure and theorize about national culture (Kappos and Rivard, 2008; Leidner and Kayworth, 2006). Hofstede (2001) defines each dimensions as follows:

  • Power distance refers to the extent to which a culture accepts status inequalities.

  • Uncertainty avoidance refers to a culture’s acceptance of ambiguous or uncertain situations.

  • Individualism-collectivism is the degree of interdependence a society maintains among its members.

  • Masculinity-femininity refers to a cultures competitiveness such as wanting to be the best (masculinity) or caring for others (femininity).

  • Long-term orientation refers to how a culture balances its past with the challenges of the present or future.

  • Indulgence refers to the extent to which a culture tries to control their impulses.

These dimensions are certainly not the only distinctions between national cultures but these do represent scientifically measured differences that can form a basis for cross-cultural comparisons.

While prior information systems research has explored the potential impact of national culture on IT adoption and implementation for many years (Cardon and Marshall, 2008; Veiga et al., 2001), the behavioral information security literature has just started to investigate the role that national cultural differences play in security-related actions (Aurigemma and Mattson, 2018; Chen and Zahedi, 2016; Dinev et al., 2009; Dols and Silvius, 2010; Hovav, 2017; Hovav and D’Arcy, 2012; Karjalainen et al., 2013; Lowry et al., 2014). For instance, Hovav and D’Arcy (2012) explored the effect of national culture on employee information system misuse and found that there were significant differences in security intentions and behavioral antecedents between US and South Korean participants across a set of the same misuse scenarios. More directly germane to this study, Dinev et al. (2009) explored the impact of Hofstede’s cultural dimensions as potential model moderators for the TPB toward taking a voluntary recommended security action (use of anti-malware software) among a large group of US and South Korean college students. They found that cultural factors moderated the strength of the relationships in their behavioral model in the context of protective information technologies. These studies, and others, have begun to critically examine and question the universality of human behaviors arguing that individuals from different national cultures can be expected to exhibit different security-related behaviors (Aurigemma and Mattson, 2018; Menard et al., 2018). Therefore, there is a need to further evaluate the effect of national culture on information security behaviors to best educate and inform security stakeholders (Karjalainen et al., 2013).

3. Research model

The LTO cultural dimension was developed specifically to address cross-cultural differences in decision-making (Hofstede, 2001), which makes it a logical extension to the decision oriented TPB. The core idea behind this cultural dimension is that groups of people are socialized to have differing desires in terms of sacrificing time, money and effort today for potential future success (Cannon et al., 2010). Cultures that have a longer term orientation value persistence more than immediate results, while cultures that have a shorter term orientation value immediate results and relatively instant gratification (Hofstede, 2001). Previous literature has demonstrated that longer term orientation is positively correlated with being innovative and proactive and negatively correlated with risk taking (Cannon et al., 2010; Vitell et al., 2015; Vitell et al., 1993).

This cultural dimension relates to password managers because of the relatively high setup time and ongoing maintenance time associated with the continued use of password manager applications. That is, password manager adopters invest a significant amount of time in the present to spend less time in the future to fix and deal with password-related issues. Furthermore, the use of a password manager is a long-term solution to the password management problem. Adopters are choosing to make a short-term investment for a potential future award (not being the subject of an information security breach), which can be argued depends partially on individuals’ LTO. Therefore, the following main effect is hypothesized:

H1.

Individuals with a long-term relative to a short-term orientation will have a greater intention to adopt a voluntary information security control, specifically password managers.

In the behavioral information security literature that uses the TPB, the attitude path has consistently been demonstrated to be a strong predictor of behavioral intentions (Bulgurcu et al., 2010; Workman et al., 2008). An attitude toward a particular behavior is an individual’s overall positive or negative evaluation of the desirability of implementing a behavior (Ajzen, 2001). The desirability of implementing a behavior has also been found to be impacted by cultural norms and values (Lovelock and Yip, 1996; Triandis, 1994). Therefore, it is expected that LTO (a cultural value) will moderate or qualify the impact of attitudes toward adopting voluntary information security actions.

For those individuals with a high (positive) attitude toward adopting a password manager application, it is proffered here that the relationship will be stronger for those with long-term orientation because the long-term orientation will further reinforce the positive attitude toward investing the time and energy to adopt the password manager. Contrarily, for those individuals with a low (negative) attitude toward adopting password manager applications, the prediction is that the effect of long-term orientation will have minimal effect because the effect of attitudes is much stronger than that of LTO construct. In essence, the argument presented in this paper is that an individual’s time orientation will not be able to mitigate the effect of the low (negative) attitude toward adopting the voluntary information security control. Therefore, the following qualifying relationship is hypothesized:

H2.

An individual’s LTO will moderate the effect of attitudes on intentions to adopt a voluntary information security control, specifically password managers.

Figure 1 visually displays both hypotheses.

4. Research design and method

To empirically test the potential impact of an individual’s LTO on taking a voluntary information security action (adopting a password manager) in the context of the TPB, a sequential two-part study of the voluntary adoption (or non-adoption) of a password manager application (LastPass) was conducted. The LastPass password manager application was used because it is a free[1] and well-respected password management application that uses industry-accepted encryption techniques to protect users’ account credentials. All of the data in LastPass are secured with AES-256 bit encryption, salted SHA-256 hashing and PBKDF2 key stretching whereby even LastPass employees cannot view a user’s login credentials. Part 1 of the study consisted of presenting all of the subjects with a generic video message about password managers (what they are, what problem they solve, and why they are important) followed by a survey that captured self-reported perceptions of the core TPB constructs including each subject’s self-reported behavioral intention to adopt (voluntarily) the LastPass password manager. At this stage of the study, Hofstede’s LTO dimension of national culture for each one of our survey participants was also measured. The content and video format of the message was developed and refined through a series of three pilot studies conducted with 16 management information systems (MIS) students in an introductory information security course. The participants in the pilot studies were a mix of 50 per cent American and 50 per cent international students of which only three had prior working knowledge of password managers.

The survey was designed and administered using best practices related to question order (pp. 157-165) and instruction wording (pp. 65-105) by Dillman et al. (2014). Additionally, to remedy potential common method bias procedurally via the instrument, a proximal separation between the measures of the independent and dependent variables was introduced along with using both positive and negative line items on the survey instrument (Podsakoff et al., 2012).

Part 2, which occurred one week after the completion of Part 1, of the study captured the actual security behavior of the participant (i.e. did they or did they not adopt the password manager). After the participants completed Part 1 of our study, they were specifically told that the researchers would be following up with them in one week. To alleviate the potential problems associated with a self-reported actual use measure (i.e. social desirability bias resulting in the subjects not being truthful), several questions were asked that could be answered only by using the “Security Challenge” tool built in LastPass. If the subjects did not actually adopt the tool, then the participants would not be able to answer these questions. These items included the relative strength of their master password, total security score for all their accounts, and total number of accounts in their password manager application after initial use.

4.1 Participants

The study sample consisted of 227 undergraduate business students from a private university in the Midwest portion of the USA with a sizable international population. In return for participation, the subjects were given a small amount of extra credit in their course (between 1 and 2 per cent of their overall course grade depending on the instructor). Our sample was 62 per cent North American, 22 per cent Asian, 10 per cent European and 6 per cent Middle Eastern. This sample provided adequate variance along the LTO cultural dimension (and the core TPB constructs) to empirically test the proposed relationships. Additionally, the sampling frame used technology extensively in their daily lives had great familiarity with a variety of online applications (such as social networking sites and school-related information systems), and known to be somewhat carefree with their online privacy and security (Drennan et al., 2006). Furthermore, while the sample had low adoption rates of password manager applications as reported in the first survey, their overall IT use patterns and large number of password protected online accounts indicated that they would benefit from the voluntarily use of password managers.

4.2 Constructs and measures

For the survey instrument, measures (items) for the constructs from adapted from pre-validated (reflective) scales taken from previous TPB security and national culture research. Table I displays the specific items, citations, and additional details. All items measured reflectively using 7-point Likert scales ranging from (1) strongly disagree to (7) strongly agree (or opposite when the question used reverse scaling).

There is considerable debate in the literature in terms of how to measure national culture (Kirkman et al., 2006; McCoy et al., 2005; Sivakumar and Nakata, 2001). Some scholars argue that culture, particularly Hofstede’s dimensions, should be measured at the individual level of analysis (Brockner, 2005; Srite and Karahanna, 2006), whereas other scholars are adamantly opposed to measuring culture at the individual level (Bochner and Hesketh, 1994; Hofstede, 2001; Palich et al., 1995). Much of the contention rests on the definition of Hofstede’s dimensions. For instance, if LTO is defined as a property of the culture (i.e. China is a long-term orientation culture), then measuring LTO at the individual level may be misleading. However, if LTO is defined as an individual’s perception of the virtues of balancing the past, present, and future, then measuring LTO at the individual level is justified. Srite and Karahanna (2006) argue that it is valid to measure the Hofstede dimensions at the individual level because individuals interact with many different cultures from all around the world throughout their lives, which may change their individual perceptions related to the Hofstede dimensions in relation to the Hofstede scores from their national culture of origin. Measuring at the individual level also avoids the ecological fallacy of deducing individual-level characteristics based on the characteristics of the group (or one of the several groups) to which an individual belongs. Therefore, the decision was made to follow Srite and Karahanna (2006) and many others and measure the Hofstede dimensions at the individual level[2].

4.3 Data analysis technique

Covariance-based structural equation modeling (CBSEM) was used to evaluate the theorized relationships and overall model fit. CBSEM is considered an appropriate analysis method when testing theoretically derived relationships between latent constructs (Raykov and Marcoulides, 2006), which is the case for the proposed research model. Prior to conducting CBSEM analyses, the data was successfully screened for issues that may jeopardize the results, such as outliers, multicollinearity and non-normality (Byrne, 2001; Kline, 2016).

To test for potential common method variance, the unmeasured latent method factor approach discussed by Podsakoff et al. (2012) was evaluated. In the data, adding this first-order method factor whose only measures were the indicators of the theoretical constructs of interest that shared a common method did not reveal any major issues. However, this approach has been demonstrated to have some weaknesses because it assumes that the method factor does not interact with the trait factors (Richardson et al., 2009). Therefore, as an additional test, the approach of Gefen et al. (2011) used by Moody et al. (2018) was used to test whether the theoretical models fit the data better than models with a single latent factor. In this approach, the single latent factor served as a proxy variable for any common method variance that might be present in our data (Gefen et al., 2011). Across both of these post hoc statistical tests, there was no evidence of common method variance in the data.

5. Results

CBSEM analysis consists of two parts:

  1. a confirmatory factor analysis (CFA) stage; and

  2. the structural model analysis (also known as path analysis) stage (Heck, 1998).

5.1 Confirmatory factor analysis and instrument validity

The CFA stage assesses the quality and validity of the construct measures. Analysis was performed on the entire set of measurement items for all latent constructs simultaneously with each observed variable restricted to load on its a priori factor. Table II displays the measurement item loadings on their respective constructs. All factor loadings were in the range of 0.634-0.983. While the recommended threshold for item loadings is 0.7, individual item loadings between 0.40 and 0.70 are acceptable for inclusion as long as composite reliabilities are above 0.70 (which they were for all of the constructs) (Chin, 1998). Average variance extracted (AVE) was also examined to ensure individual item reliability and convergent validity. All of the AVE values were greater than the minimum recommended threshold of 0.50, which further indicates that the items satisfied the convergent validity requirements.

To assess the discriminant validity of the latent constructs in our research model, AVE, maximum shared squared variance (MSV) and average shared squared variance (ASV) metrics were examined (Table II). MSV and ASV were both less than the AVE, which is evidence of discriminant validity because the construct items load more on their respective latent variables than on other constructs (Hair et al., 2010). Based upon the criteria set forth in Jarvis et al. (2003) and Petter et al. (2007), all of the construct measures met the requirements to be considered reflective indicators of their respective latent constructs. Finally, the model fit for the CFA analysis (which includes all latent constructs) was satisfactory (χ2/df = 1.492; CFI = 0.982; SRMR = 0.0485).

5.2 Structural model analysis

Following establishment of the measurement model in the CFA stage, the data was fit to the proposed research model (see Figure 1). Model fit was assessed using multiple criteria (Heck, 1998; Kline, 2016; Raykov and Marcoulides, 2006). To further account for the potential impact of even mild deviations from perfectly normal data distributions on the χ2 calculations, Bollen and Stine (1992) bootstrapping was conducted to calculate model fit p-values, which were all above the 0.05 threshold. However, scholars caution against relying upon χ2 measurements alone for model fit determination (Kline, 2016). As such, one goodness-of-fit and one badness-of-fit metric was used to further assess overall model fit.

Comparative fit index (CFI) was used as the goodness-of-fit metric and the standardized root mean square residual (SRMR) as the badness-of-fit metric. The CFI measures model fit relative to a null model and a non-centrality index. The CFI value for the full TPB CBSEM model was above the 0.95 recommended threshold (Hu and Bentler, 1999). The SRMR badness-of-fit metric compares the residuals (unexplained variance) to what would be reasonably expected from a well-fitting model. In the applied research model (the full model displayed in Figure 1), the SRMR was below the common threshold of 0.08, which indicates good model fit (Hu and Bentler, 1999).

Table III displays the model fit results and the path coefficients for the three models that were used to empirically evaluate the hypotheses. Model 1 was the TPB only model, which was used to show the effectiveness of the base model. Model 1 showed that all of the core TPB constructs were statistically significant predictors of behavioral intent to adopt LastPass in our sample. Model 2 contained the core TPB constructs along with LTO as a direct antecedent to behavioral intent. In this model, all of the core TPB constructs remained statistically significant, but the main effect of the LTO construct was not statistically significant. Therefore, the direct effect proposed in H1 was not supported in these data.

Model 3 showed an interesting qualifying relationship between attitudes and LTO. Model 3 was the full model with both a direct effect of LTO into behavioral intent and the interaction effect of attitude and LTO. Testing this interaction effect required mean-centering both attitude scores and LTO values across the sample to reduce the variance inflation factors associated with testing this interaction effect. Model fit for Model 3 was satisfactory (χ2/df = 1.474, CFI = 0.982, and SRMR = 0.0500). This model explained roughly 52.5 per cent of the total variance (SMC = 0.525) of the participant’s intent to adopt LastPass. Table III shows a modest increase in SMC across models. This increase was primarily attributable to the addition of the main effect of LTO (Model 2) and the attitude by LTO interaction effect (Model 3). While the core LTO dimension of national culture was not a direct significant contributor to LastPass adoption intentions, the effect of attitude toward using a password manager application was qualified by an individual’s LTO. The structural path associated with the interaction effect of LTO and attitude was positive and significant (β = 0.137, p < 0.01).

To assist in interpreting this qualifying effect, the predicted intention to adopt a password manager as a function of both individuals’ attitudes toward adopting and individuals’ LTO is plotted (see Figure 2 for the moderating effect of the mean centered variables). For those individuals who had a higher attitude (above average line in Figure 2), the effect of an individual’s LTO was positive (i.e. going from short-term to long-term increased behavioral intentions to adopt password managers). Contrarily, for those individuals who had an average or below average attitude (below average line in Figure 2), the effect of long-term orientation was negative (i.e. going from short-term to long-term reduced behavioral intentions to adopt password managers). The differential effect of LTO was greater for those individuals who were more long-term oriented relative to more short-term oriented. Therefore, Model 3 supports the H2 qualifying hypothesis.

5.3 Descriptive analysis of actual adoption

A post-hoc descriptive analysis of actual adoption rates of LastPass was conducted, which provided additional support for the impact of LTO on behavioral intent and actual use of password managers by study participants. Table IV displays the actual adoption rates for the sample broken down by both attitudes and LTO. Participants with above average LTO values and above average attitudes yielded the highest behavioral intent scores and the highest actual password manager adoption rates. The high long-term orientation and high attitude participants adopted password managers at an overall rate of 24.2 per cent, which is 57 per cent more than the average adoption rate for the whole sample (35 out of 227 or 15.4 per cent). As predicted by the TPB, participants with stronger positive attitudes (high attitude row in Table IV) yielded greater intentions and actual behaviors relative to participants with weaker negative attitudes (low attitude row in Table IV). A chi-square test between LTO (low and high) and attitude (low and high) showed a statistically significant difference (Pearson Chi-square = 7.956, p = 0.005).

5.4 Effect of the other Hofstede dimensions

In this paper, theoretical interest lies in Hofstede’s LTO dimension of national culture as it pertains to voluntary information security controls such as password managers that require a sacrifice between short-term time investments with potential long-term benefits. Of the six Hofstede dimensions of national culture, the LTO dimension is the one that is most applicable to the research context presented in this study. However, all of the Hofstede dimensions were measured using pre-validated scales in the survey instrument. Due to the fact that the data was captured, the main and qualifying effect of the other Hofstede dimensions (uncertainty avoidance, power distance, individualism-collectivism, masculinity-femininity, and indulgence) were also tested (in an exploratory manner) on attitudes and behavioral intentions to adopt (voluntarily) the LastPass password manager.

None of the attitude by other Hofstede dimensions’ interaction effects were statistically significant and none of the main effects were statistically significant. Therefore, in this study, the only Hofstede dimension that had a statistically significant impact on intentions (via the interaction effect of attitudes) to adopt a voluntary information security control was LTO. For a different voluntary information security control, however, different cultural dimensions may be more relevant (Lowry et al., 2014). For example, for a socially interactive threat such as tailgating it would be reasonable to predict that power distance would have a direct, indirect, or qualifying impact on behavioral intentions, because there is a status dynamic associated with the tailgating threat and control (Aurigemma and Mattson, 2017).

6. Discussion and conclusion

The prior behavioral information security literature has discovered many important factors such as fear, self-efficacy, attitudes, habits and norms that influence an individual’s propensity to adopt voluntary information security controls (Anderson and Agarwal, 2010; Boss et al., 2015; Johnston and Warkentin, 2010). In general, many of the papers in this stream of literature make the implicit or explicit assumption that their theorized relationships will be broadly generalizable (Johnston and Warkentin, 2010; Siponen and Tsohou, 2018). That is, much of the prior literature speculates or assumes that their reported findings will be robust to individuals across different cultures, genders, socio-economic backgrounds and educational levels.

However, individuals socialized in different cultures have varying values, beliefs and thought patterns across multiple cultural dimensions (Hofstede, 2001; Triandis, 2000), which may positively or negatively influence their propensity to adopt voluntary information security controls (Aurigemma and Mattson, 2018; Chen and Zahedi, 2016; Menard et al., 2018). One cultural dimension that is particularly relevant to the voluntary adoption of information security controls (particularly those requiring relatively high up-front setup costs) is LTO (Hofstede, 2001; Spears et al., 2001).

In this study, LTO did not have a direct impact on behavioral intent or the actual adoption rates of LastPass. However, the data analysis did reveal a qualifying effect of LTO on attitudes toward intention to adopt (voluntarily) password managers. The effect of positive attitudes increased when individuals were more long-term oriented but the effect was reversed for average and negative attitudes. This would suggest that having a shorter term orientation can suppress some of the negative impact that negative attitudes have toward adopting a password manager application. In terms of actual adoption, individuals with high LTO and strong positive attitudes adopted password manager applications 57 per cent more than the average adoption rate across our sample. The implication of this finding is that a one-size-fits-all approach to encourage voluntary information security actions (or intentions thereof) may not be the best approach, because individuals from different cultures have varying beliefs and values along many dimensions including (but not limited to) time orientation. As such, security awareness and training messages should account for individuals with both short- and long-term orientation. Those with short-term orientation should be more moved by messages that espouse the immediate positive impact of using a password manager (with possible instant gratification helping to overcome neutral or poor attitudes toward the behavior). In contrast, security messages that impart sustained improvements and benefits of better account management through the use of tools such as password managers should provide greater impact to those with long-term orientations.

One of the goals of this paper was to discover behavioral antecedents to encourage individuals to use better password management strategies through the implementation of password manager applications. However, password manager applications are not the only solution to poor password management. Federated systems such as Google or Facebook where a user logs into one system and is granted access to multiple other systems also aims to solve the problems that individuals have regarding password management. We believe that it is not realistic to have a single federated system that manages access across all platforms and to all banks, social sites, email accounts, and others, but the popularity of platform oriented websites such as Google, Facebook and Yahoo may make federated systems part of the solution. Interestingly, the initially high setup costs in terms of time and effort associated with adopting password managers are much less for many federated systems, which may impact the effect of LTO. Therefore, an interesting future study would be to test the findings of this study model using a federated system. It would not be surprising if the results are different because each solution requires a different set of short-term costs and long-term benefits.

Like all research, this study has limitations. First, the behavioral information security literature has decomposed the attitude construct into a multi-dimensional construct. Antecedents for attitudes include (among others) the core elements of rational choice theory and general deterrence theory (Bulgurcu et al., 2010; D’Arcy et al., 2009; Herath and Rao, 2009; Workman et al., 2008). We did not test the effects of LTO “downstream” and our model only included the higher order attitude construct. Decomposing attitudes might reveal additional insights into the effects of LTO and might be an interesting area for future research. Second, LTO effects were only investigated the in connection with the TPB. As previously mentioned, there is no consensus among behavioral information security researchers as to which theoretical approach is best and under which conditions. Therefore, future research can investigate the effect of LTO (and other cultural dimensions) in other models such as the PMT, GDT or psychological capital. Third, although there was significant variance of the LTO construct for the survey participants to test the proposed research model, the sample did not include any participants from the most short-term oriented cultures. It is possible that the main effect of LTO will be significant if we had subjects from Ghana or Nigeria, for example. Therefore, future research might focus on the shortest of the short-term oriented cultures to further empirically test our theorized relationships.

The main practical contribution of this study, as with most other research associated with cultural dimensions and human behaviors, is that it is important to know the composition and behavioral orientations of the people involved. In the university where the data for this study was collected, for example, basic security awareness training and documentation is designed in a one-size-fits-all paradigm where the same message is expected to engender positive behavioral change for all information system users regardless of age, gender, education level, IT experience, or national culture. As succinctly argued by Karjalainen et al. (2013, p. 1), “while information security behaviors are learned, different paradigms of learning are effective in different cultures; i.e. different cultures require different IS security interventions.”. Particularly in organizations or social settings where there is a diverse cultural background of people that are relied upon to take sound and effective security actions, ignoring the effect of cultural dimensions such as LTO, and possibly other cultural characteristics, can have a deleterious impact on the overall organizational information security posture.

Figures

Research model for voluntary adoption of information security controls

Figure 1.

Research model for voluntary adoption of information security controls

Qualifying effect of long-term orientation

Figure 2.

Qualifying effect of long-term orientation

Construct definitions and measurement items

Construct Definition and Item Source(s) Survey Question/Measurement Item Item Factor Load Mean SD
Behavioral Intent Self-reported intention to perform a security-related behavior.
Items adapted from Ajzen (1991), Bulgurcu et al. (2010)
I intend to use a password manager in the next week BINT1 0.927 4.11 1.538
I predict I will use a password manager in the next week BINT2 0.983 4.05 1.536
I plan to use a password manager in the next week BINT3 0.908 4.16 1.524
Subjective Norms The perceived social pressure to engage or not to engage in a security-related behavior.
Items adapted from Taylor and Todd (1995), Herath and Rao (2009)
My peers think I should use a password manager application to help protect my online account passwords SNORM1 0.869 3.88 1.439
Those senior to me (parents, professors, bosses, etc.) think I should use a password manager application to help protect my online account passwords SNORM2 0.676 4.29 1.561
Those subordinate/junior to me think I should use a password manager application to help protect my online account passwords SNORM3 0.869 3.88 1.408
Self-efficacy One’s perceived ability to successfully complete a security-related behavior.
Items adapted from Bandura (1991), Herath and Rao (2009)
Password manager software is easy to use SE1 0.809 5.29 1.091
Password manager software is convenient to use SE2 0.837 5.13 1.185
I am able to use password software without much effort SE3 0.799 5.10 1.197
Attitude The self-reported degree to which performance of a security behavior is positively or negatively valued.
Items adapted from Ajzen (1991), Herath and Rao (2009)
Password manager software is easy to use ATT1 0.773 5.06 1.141
Password manager software is convenient to use ATT2 0.0964 5.28 1.064
I am able to use password software without much effort ATT3 0.872 5.33 1.057
Long-term Orientation The self-reported degree to which one prefers long-term values and traditions vs quick gratification and short-term needs.
Items adapted from Hofstede et al. (2010), Yoo et al. (2011)
I plan for the long term LTO1 0.634 5.36 1.179
I work hard for success in the future LTO2 0.867 6.00 1.075
Persistence is important to me LTO3 0.739 5.84 1.037

Confirmatory factor analysis results

Construct CR AVE MSV ASV SNORM BINT LTO ATT SEFF
SNORM 0.829 0.621 0.365 0.140 0.788        
BINT 0.958 0.883 0.365 0.201 0.604 0.940      
LTO 0.794 0.567 0.057 0.030 −0.121 0.036 0.753    
ATT 0.905 0.762 0.237 0.144 0.343 0.487 0.239 0.873  
SEFF 0.856 0.664 0.203 0.119 0.249 0.450 0.219 0.406 0.815
Notes:

CR = composite reliability; AVE = average variance extracted; MSV = maximum shared squared variance; ASV = shared squared variance; BINT = behavioral intent; SEFF = self-efficacy; ATT = Attitude; LTO = long-term orientation

Structural model analysis results

SEM Model Fit Results Model 1 Model 2 Model 3
χ2/df 1.661 1.427 1.474
χ2 79.705 111.317 198.67
df 48 78 88
Comparative Fit Index (CFI) 0.984 0.985 0.982
Standardized Root Mean Residual (SRMR) 0.048 0.0489 0.05
Squared Multiple Correlation (SMC) 0.506 0.514 0.525
SEM Structural Path Results      
SNORM → BINT 0.471*** 0.465*** 0.458***
SEFF → BINT 0.238*** 0.249*** 0.247***
ATT → BINT 0.229*** 0.241*** 0.237***
LTO → BINT   NS NS
LTO x ATT Interaction → BINT     0.137**
Notes:

**p < 0.01,

***p < 0.001; BINT = behavioral intent; SEFF = self-efficacy; ATT = Attitude, LTO = long-term orientation, NS = not significant

Actual use by long-term orientation vs attitude

Metric Low LTO High LTO Attitude
# of Participants 68 55 Low ATT
Mean BINT 3.78 3.25
% Actual Behavior 11.80% 2%
# of Participants 38 66 High ATT
Mean BINT 4.47 4.96
% Actual Behavior 18.40% 24.20%
Notes:

BINT = behavioral intent; ATT = Attitude; LTO = long-term orientation, Actual Behavior means adopted use of a password manager as a result of participating in this study

Notes

1.

LastPass is actually a freemium product. The primary free features (at the time of our study) included: access on all devices, one-to-one sharing, save and fill passwords, password generators, and multifactor authentication. In addition to these free features, the primary premium (pay) features (at the time of this study) included: one-to-many sharing, advanced multifactor options, emergency access, and priority technical support. In this study, the freemium nature of the LastPass password manager was not mentioned by the participants as a reason why they decided to adopt or not to adopt the password manager.

2.

Individual level values were also compared with Hofstede’s reported country scores (where available). In the sample, none of the individual level values were significantly different from Hofstede’s published values.

References

Ajzen, I. (1991), “The theory of planned behavior”, Organizational Behavior and Human Decision Processes, Vol. 50 No. 2, pp. 179-211.

Ajzen, I. (2001), “Nature and operation of attitudes”, Annual Review of Psychology, Vol. 52 No. 1, pp. 27-58.

Ajzen, I. (2002), “Perceived behavioral control, self-efficacy, locus of control, and the theory of planned behavior”, Journal of Applied Social Psychology, Vol. 32 No. 4, pp. 665-683.

Ajzen, I. (2011), “The theory of planned behaviour: reactions and reflections”, Psychology & health, Vol. 26 No. 9, pp. 1113-1127.

Anderson, C.L. and Agarwal, R. (2010), “Practicing safe computing: a multimedia empirical examination of home computer user security behavioral intentions”, MIS Quarterly, Vol. 34 No. 3, pp. 613-643.

Aurigemma, S. (2013), “A composite framework for behavioral compliance with information security policies”, Journal of Organizational and End User Computing, Vol. 25 No. 3, pp. 32-51.

Aurigemma, S. and Mattson, T. (2017), “Privilege of procedure: evaluating the effect of employee status on intent to comply with socially interactive information security threats and controls”, Computers and Security, Vol. 66 No. 1, pp. 218-234.

Aurigemma, S. and Mattson, T. (2018), “Exploring the effect of uncertainty avoidance on taking voluntary protective security actions”, Computers and Security, Vol. 73, pp. 219-234.

Bandura, A. (1991), “Social cognitive theory of self-regulation”, Organizational Behavior and Human Decision Processes, Vol. 50 No. 2, pp. 248-287.

Bandura, A. (1997), Self-Efficacy: The Exercise of Control, W. H. Freeman and Company, New York, NY.

Beardsley, T. Hodgman, R. Hart, J. and Geiger, H. (2016), “The attacker’s dictionary: auditing criminal credential attacks”, available at: https://community.rapid7.com/community/infosec/blog/2016/03/01/the-attackers-dictionary

Bochner, S. and Hesketh, B. (1994), “Power distance, individualism/collectivism, and job-related attitudes in a culturally diverse work group”, Journal of Cross-Cultural Psychology, Vol. 25 No. 2, pp. 233-257.

Bollen, K.A. and Stine, R.A. (1992), “Bootstrapping goodness-of-Fit measures in structural equation models”, Sociological Methods and Research, Vol. 21 No. 2, pp. 205-229.

Boss, S.R., Galletta, D.F., Lowry, P.B., Moody, G.D. and Polak, P. (2015), “What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors”, MIS Quarterly, Vol. 39 No. 4, pp. 837-864.

Brockner, J. (2005), “Unpacking country effects: on the need to operationalize the psychological determinants of Cross-National differences”, in Staw, B. M. and Sutton, R. L. (Eds.), Research in Organizational Behavior, JAI Press, Greenwich, CT, pp. 335-369.

Bulgurcu, B., Cavusoglu, H. and Benbasat, I. (2010), “Information security compliance: an empirical study of rationality-based beliefs and information security awareness”, MIS Quarterly, Vol. 34 No. 3, pp. 523-548.

Byrne, B.M. (2001), “Structural equation modeling with AMOS, EQS, and LISREL: comparative approaches to testing for the factorial validity of a measuring instrument”, International Journal of Testing, Vol. 1 No. 1, pp. 55-86.

Cannon, J.P., Doney, P.M., Mullen, M.R. and Petersen, K.J. (2010), “Building long-term orientation in buyer-supplier relationships: the moderating role of culture”, Journal of Operations Management, Vol. 28 No. 6, pp. 506-521.

Cardon, P.W. and Marshall, B.A. (2008), “National culture and technology acceptance: the impact of uncertainty avoidance”, Issues in Information Systems, Vol. 9 No. 2, pp. 103-110.

Chen, Y. and Zahedi, F.M. (2016), “Individual’s internet security perceptions and behaviors: polycontextual contrasts between the United States and China”, MIS Quarterly, Vol. 40 No. 1, pp. 205-222.

Chin, W.W. (1998), “Commentary: issues and opinion on structural equation modeling”, MIS Quarterly, Vol. 22 No. 1, pp. 7-16.

Choong, Y.-Y. and Theofanos, M. (2015), “What 4,500+ people can tell you–employees’ attitudes toward organizational password policy do matter”, Human Aspects of Information Security, Privacy, and Trust, Springer, pp. 299-310.

Christie, M.J., Kwon, I.-W.G., Stoeberl, P.A. and Baumhart, R. (2003), “A cross-cultural comparison of ethical attitudes of business managers: India, Korea and the united Staes”, Journal of Business Ethics, Vol. 46 No. 3, pp. 263-287.

Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R. (2013), “Future directions for behavioral information security research”, Computers and Security, Vol. 32, pp. 90-101.

CSID (2012), “Consumer survey: password habits - a study of password habits among American consumers”, available at: www.csid.com/wp-content/uploads/2012/09/CS_PasswordSurvey_FullReport_FINAL.pdf

D’Arcy, J., Hovav, A. and Galletta, D. (2009), “User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach”, Information Systems Research, Vol. 20 No. 1, pp. 79-98.

Dillman, D.A., Smyth, J.D. and Christian, L.M. (2014), Internet, Phone, Mail, and Mixed-Mode Surveys: The Tailored Design Method, John Wiley and Sons, Hoboken, NJ.

Dinev, T. and Hu, Q. (2007), “The centrality of awareness in the formation of user behavioral intention toward protective information technologies”, Journal of the Association for Information Systems, Vol. 8 No. 7, pp. 386.

Dinev, T., Goo, J., Hu, Q. and Nam, K. (2009), “User behaviour towards protective information technologies: the role of national cultural differences”, Information Systems Journal, Vol. 19 No. 4, pp. 391-412.

Dols, T. and Silvius, A. (2010), “Exploring the influence of national cultures on Non-Compliance behavior”, Communications of the IIMA, Vol. 10 No. 3.

Drennan, J., Sullivan, G.M. and Previte, J. (2006), “Privacy, risk perception, and expert online behavior: an exploratory study ”, Journal of Organizational and End User Computing, Vol. 18 No. 1, pp. 1-22.

Fishbein, M. and Cappella, J.N. (2006), “The role of theory in developing effective health communications”, Journal of Communication, Vol. 56 No. suppl_1, pp. S1-S17.

Fishbein, M. and Yzer, M.C. (2003), “Using theory to design effective health behavior interventions”, Communication Theory, Vol. 13 No. 2, pp. 164-183.

Florencio, D. and Herley, C. (2007), A large-scale study of web password habits, Paper presented at the Proceedings of the 16th international conference on World Wide Web.

Gefen, D., Straub, D.W. and Rigdon, E.E. (2011), “An update and extension to SEM guidelines for admnistrative and social science research”, MIS Quarterly, Vol. 35 No. 2, pp. 3-14.

Geraerts, E., Bernstein, D.M., Merckelbach, H., Linders, C., Raymaekers, L. and Loftus, E.F. (2008), “Lasting false beliefs and their behavioral consequences”, Psychological Science, Vol. 19 No. 8, pp. 749-753.

Guo, K.H., Yuan, Y., Archer, N.P. and Connelly, C.E. (2011), “Understanding nonmalicious security violations in the workplace: a composite behavior model”, Journal of Management Information Systems, Vol. 28 No. 2, pp. 203-236.

Hair, J.F., Black, W.C., Babin, B.J. and Anderson, R.E. (2010), Multivariate Data Analysis: A Global Perspective. Upper Saddle, Pearson, River, NJ.

Heck, R.H. (1998), “Factor analysis: exploratory and confirmatory approaches”, in Marcoulides, G. (Ed.), Modern Methods for Business Research, Erlbaum, Mahwah, NJ, pp. 177-215.

Herath, T. and Rao, H.R. (2009), “Encouraging information security behaviors in organizations: role of penalties, Pressures and perceived effectiveness”, Decision Support Systems, Vol. 47 No. 2, pp. 154-165.

Herath, T. and Rao, H.R. (2009), “Protection motivation and deterrence: a framework for security policy compliance in organisations”, European Journal of Information Systems, Vol. 18 No. 2, pp. 106-125.

Hofstede, G. (2001), Culture’s Consequences: Comparing Values, Behaviors, Institutions, and Organizations Across Nations, Sage, Thousand Oaks, CA.

Hofstede, G., Hofstede, G.J. and Minkov, M. (2010), Cultures and Organizations: Software of the Mind. Revised and Expanded, McGraw-Hill, New York, NY.

Hovav, A. (2017), “How espoused culture influences misuse intention: a Micro-Institutional theory perspective”, Paper presented at the Proceedings of the 50th HI International Conference on System Sciences.

Hovav, A. and D’Arcy, J. (2012), “Applying an extended model of deterrence across cultures: an investigation of information systems misuse in the US and South Korea”, Information and Management, Vol. 49 No. 2, pp. 99-110.

Hu, L. and Bentler, P.M. (1999), “Cutoff criteria for fit indexes in covariance structure analysis: conventional criteria versus new alternatives”, Structural Equation Modeling, Vol. 6 No. 1, pp. 1-55.

Hu, Q., Xu, Z., Dinev, T. and Ling, H. (2011), “Does deterrence work in reducing information security policy abuse by employees? ”, Communications of the ACM, Vol. 54 No. 6, pp. 54-60.

Humphries, D. (2015), “Best practices for workplace passwords”, available at: www.softwareadvice.com/security/industryview/password-workplace-report-2015/

Huth, A. Orlando, M. and Pesante, L. (2013), “Password security, protection, and management”, available at: www.us-cert.gov/security-publications/password-security-protection-and-management

Ifinedo, P. (2012), “Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory”, Computers and Security, Vol. 31 No. 1, pp. 83-95.

Ifinedo, P. (2014), “Information systems security policy compliance: an empirical study of the effects of socialisation, influence, and cognition”, Information and Management, Vol. 51 No. 1, pp. 69-79.

Jarvis, C.B., Mackenzie, S.B. and Podsakoff, P.M. (2003), “A critical review of construct indicators and measurement model misspecification in marketing and consumer research”, Journal of Consumer Research, Vol. 30 No. 2, pp. 199-218.

Johnston, A.C. and Warkentin, M. (2010), “Fear appeals and information security behaviors: an empirical study”, MIS Quarterly, Vol. 34 No. 3, pp. 549-566.

Kappos, A. and Rivard, S. (2008), “A Three-Perspective model of culture, information systems, and their development and use”, MIS Quarterly, Vol. 32 No. 3, pp. 601-634.

Karahanna, E., Straub, D.W. and Chervany, N.L. (1999), “Information technology adoption across time: a cross-sectional comparison of pre-adoption and post-adoption beliefs”, MIS Quarterly, Vol. 23 No. 2, pp. 183-213.

Karjalainen, M. Siponen, M.T. Puhakainen, P. and Sarker, S. (2013), “One size does not fit all: different cultures require different information systems security interventions”, Paper presented at the PACIS.

Kirkman, B.L., Lowe, K.B. and Gibson, C.B. (2006), “A quarter century of ‘Culture’s consequences’: a review of empirical research”, Journal of International Business Studies, Vol. 37 No. 3, pp. 285-320.

Kline, R.B. (2016), Principles and Practice of Structural Equation Modeling: Fourth Edition, Guilford Press, New York, NY.

Kroeber, A.L. and Kluckhohn, C. (1952), Culture: A Critical Review of Concepts and Definitions, The Museum, Cambridge, Mass.

Leidner, D.E. and Kayworth, T. (2006), “A review of culture in information systems research: toward a theory of information technology culture conflict”, MIS Quarterly, Vol. 30 No. 2, pp. 357-399.

Liu, Y.-T., Chen, H.-B., Zang, B.-Y. and Liang, Z. (2018), “SplitPass: a mutually distrusting Two-Party password manager”, Journal of Computer Science and Technology, Vol. 33 No. 1, pp. 98-115.

Lovelock, C.H. and Yip, G.S. (1996), “Developing global strategies for service businesses”, California Management Review, Vol. 38 No. 2, pp. 64-86.

Lowry, P.B., Posey, C., Roberts, T.L. and Bennett, R.J. (2014), “Is your banker leaking your personal information? The roles of ethics and Individual-Level cultural characteristics in predicting organizational computer abuse”, Journal of Business Ethics, Vol. 121 No. 3, pp. 385-401.

McCoy, S., Galletta, D.F. and King, W.R. (2005), “Integrating national culture into IS research: the need for current individual level measures”, Communications of the Association for Information Systems, Vol. 15

McEachan, R.R.C., Conner, M., Taylor, N.J. and Lawton, R.J. (2011), “Prospective prediction of health-related behaviours with the theory of planned behaviour: a Meta-analysis”, Health Psychology Review, Vol. 5 No. 2, pp. 97-144.

Menard, P., Warkentin, M. and Lowry, P.B. (2018), “The impact of collectivism and psychological ownership on protection motivation: a cross-cultural examination”, Computers and Security, Vol. 75, pp. 147-166.

Moody, G.D., Siponen, M. and Pahnila, S. (2018), “Toward a unified model of security policy compliance”, MIS Quarterly, Vol. 42 No. 10, pp. 1-20.

Ng, B.-Y., Kankanhalli, A. and Xu, Y.C. (2009), “Studying users’ computer security behavior: a health belief perspective”, Decision Support Systems, Vol. 46 No. 4, pp. 815-825.

Ofcom (2015), “Adults’ media use and attitudes (Report 2015)”, available at: http://stakeholders.ofcom.org.uk/binaries/research/media-literacy/media-lit-10years/2015_Adults_media_use_and_attitudes_report.pdf

O’Reilly, C.A., III, Chatman, J. and Caldwell, D.F. (1991), “People and organizational culture: a profile comparison approach to assessing Person-Organization fit”, Academy of Management Journal, Vol. 34 No. 3, pp. 487-516.

Palich, L.E., Horn, P.W. and Griffeth, R.W. (1995), “Managing in the international context: testing cultural generality of sources of commitment to multinational enterprises”, Journal of Management, Vol. 21 No. 4, pp. 671-690.

Peace, A.G., Galletta, D.F. and Thong, J.Y. (2003), “Software piracy in the workplace: a model and empirical test”, Journal of Management Information Systems, Vol. 20 No. 1, pp. 153-178.

Petter, S., Straub, D. and Rai, A. (2007), “Specifying formative constructs in information systems research”, MIS Quarterly, Vol. 31 No. 4, pp. 623-656.

Podsakoff, P.M., MacKenzie, S.B. and Podsakoff, N.P. (2012), “Sources of method bias in social science research and recommendations on how to control it”, Annual Review of Psychology, Vol. 63 No. 1, pp. 539-569.

Qiu, L., Lin, H. and Leung, A. K-y. (2013), “Cultural differences and switching of in-Group sharing behavior between an American (Facebook) and a Chinese (Renren) Social networking site”, Journal of Cross-Cultural Psychology, Vol. 44 No. 1, pp. 106-121.

Raykov, T. and Marcoulides, G.A. (2006), A First Course in Structural Equation Modeling, Lawrence Erlbaum, Mahwah, New York, NY.

Richardson, H.A., Simmering, M.J. and Sturman, M.C. (2009), “A tale of three perspectives: examining post hoc statistical techniques for detection and correction of common method variance”, Organizational Research Methods, Vol. 12 No. 4, pp. 762-800.

Safa, N.S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N.A. and Herawan, T. (2015), “Information security conscious care behaviour formation in organizations”, Computers and Security, Vol. 53, pp. 65-78.

Schein, E.H. (2010), Organizational Culture and Leadership, Jossey-Bass, San Francisco.

Siponen, M. and Tsohou, A. (2018), “Demystifying the influential IS legends of positivism”, Journal of the Association for Information Systems, Vol. 19 No. 7, pp. 600-617, doi: 10.17705/1jais.00503.

Siponen, M., Mahmood, M. and Pahnila, S. (2014), “Employees’ adherence to information security policies: an exploratory field study”, Information and Management, Vol. 51 No. 2, pp. 217-224.

Sivakumar, K. and Nakata, C. (2001), “The stampede toward Hofstede’s framework: avoiding the sample design pit in Cross-Cultural research”, Journal of International Business Studies, Vol. 32 No. 3, pp. 555-574.

Spears, N., Xiaohua, L. and Mowen, J.C. (2001), “Time orientation in the United States, China, and Mexico: measurement and insights for promotional strategy”, Journal of International Consumer Marketing, Vol. 13 No. 1, pp. 57-75.

Srite, M. and Karahanna, E. (2006), “The role of espoused national cultural values in technology acceptance”, MIS Quarterly, Vol. 30 No. 3, pp. 679-704.

Stobert, E. and Biddle, R. (2014), The Password Life Cycle: User Behaviour in Managing Passwords, Paper presented at the Symposium On Usable Privacy and Security (SOUPS 2014).

Taylor, S. and Todd, P.A. (1995), “Understanding information technology usage: a test of competing models”, Information Systems Research, Vol. 6 No. 2, pp. 144-176.

Triandis, H.C. (1994), Culture and Social Behavior, McGraw-Hill, New York, NY.

Triandis, H.C. (2000), “Culture and conflict”, International Journal of Psychology, Vol. 35 No. 2, pp. 145-152.

Trice, H.M. (1993), Occupational Subcultures in the Workplace, ILR Press, Ithaca, New York, NY.

Veiga, J.F., Floyd, S. and Dechant, K. (2001), “Towards modelling the effects of national culture on IT implementation and acceptance”, Journal of Information Technology, Vol. 16 No. 3, pp. 145-158.

Vitell, S.J., King, R.A., Howie, K., Toti, J.-F., Albert, L., Hidalgo, E.R. and Yacout, O. (2015), “Spirituality, moral identity, and consumer ethics: a multi-cultural study”, Journal of Business Ethics, Vol. 139 No. 1, pp. 147-160.

Vitell, S.J., Nwachukwu, S.L. and Barnes, J.H. (1993), “The effects of culture on ethical Decision-Making: an application of Hoftsede’s typology”, Journal of Business Ethics, Vol. 12 No. 10, pp. 753-760.

Workman, M., Bommer, W.H. and Straub, D. (2008), “Security lapses and the omission of information security measures: a threat control model and empirical test”, Computers in Human Behavior, Vol. 24 No. 6, pp. 2799-2816.

Wynn, D., Williams, C., Karahanna, E. and Madupalli, R. (2012), Preventive Adoption of Information Security Behaviors, Paper presented at the Thirty Third International Conference on Information Systems, Orlando, FL December 16-19.

Yi, M.Y. and Hwang, Y. (2003), “Predicting the use of web-based information systems: self-efficacy, enjoyment, learning goal orientation, and the technology acceptance model”, International Journal of Human-Computer Studies, Vol. 59 No. 4, pp. 431-449.

Yoo, B., Donthu, N. and Lenartowicz, T. (2011), “Measuring Hofstede’s five dimensions of cultural values at the individual level: development and validation of CVSCALE”, Journal of International Consumer Marketing, Vol. 23 Nos 3/4, pp. 193-210.

Zeltser, L. (2015), “Password managers”, available at: https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201310_en.pdf

Zhang, J., Reithel, B.J. and Li, H. (2009), “Impact of perceived technical protection on security behaviors”, Information Management and Computer Security, Vol. 17 No. 4, pp. 330-340.

Corresponding author

Salvatore Aurigemma can be contacted at: sal@utulsa.edu