Effects of conflicting non-compliant current habit on the adoption of new information security policy (ISP): Using a phishing email perspective
Abstract
The dissertation shows that when a new information security policy (ISP) is implemented that conflicts with a current habit, users who encounter the contextual cues that trigger the habit behave according to the habit and fail to comply with the new policy. The dissertation also shows that when the contextual cues that trigger the current habit cannot be changed, Implementation Intention can be an effective intervention technique: it changes the current non-compliant habit and creates a new habit that leads to ISP compliance.

In the first study, a risky login habit is induced in the participants of the treatment group. After the habit is induced, both the habit-induced group and the habit non-induced group receive training about the risk of the login behavior and about how to protect their login credentials from phishing attacks. After the training session, both groups complete a survey that measures their intention to comply with the instructions received during the lab session to protect their login credentials and avoid falling victim to phishing attacks. Three weeks after the training session, participants from both groups receive a phishing email that tests whether they are complying with the instructions received during the lab session. Results show that in the presence of the cues that trigger the risky login habit, the habit-induced group acts habitually and logs in through the phishing login prompt, even after receiving the training and forming an intention to comply with the instructions received during the training session. The habit non-induced group acts according to its intention and does not log in through the phishing login prompt.

In the second study, participants from both groups develop the same login habit and receive the training on how to protect their login credentials. In addition, participants from the treatment group receive an implementation intention intervention that links the situational cues that trigger the current habit with the new ISP-compliant response. Participants from both groups later receive a phishing email that tests the effectiveness of the intervention. Results show that implementation intention changes the non-compliant habit and creates a new habit that leads to ISP compliance.