Little is known about the context sensitivity of users' online security perceptions and behaviors to national and individual attributes, and there is inadequate research about the spectrum of users' behaviors in dealing with online security threats. In addressing this gap, this paper draws on two complementary theoretical bases: (1) the contextualization of the protection motivation theory (PMT) to online security behavior and (2) a polycontextual lens for the cross-national comparison of users' security behaviors in the United States and China. The conceptualized model is tested based on 718 survey observations collected from the United States and China. The results support our model and show the divergence between the United States, an exemplar of modern Western society, and China, an exemplar of traditional Eastern society, in forming threat perceptions and in seeking help and avoidance as coping behaviors. Our results also uncovered the significant moderating impacts of espoused culture on the way perceptions of security threats and coping appraisals influence security behaviors. Our findings underline the importance of context-sensitive theory building in security research and provide insights into the motivators and moderators of individuals' online security behaviors in the two nations.
Phishing websites continue to successfully exploit user vulnerabilities in household and enterprise settings. Existing anti-phishing tools lack the accuracy and generalizability needed to protect Internet users and organizations from the myriad of attacks encountered daily. Consequently, users often disregard these tools' warnings. In this study, using a design science approach, we propose a novel method for detecting phishing websites. By adopting a genre theoretic perspective, the proposed genre tree kernel method utilizes fraud cues that are associated with differences in purpose between legitimate and phishing websites, manifested through genre composition and design structure, resulting in enhanced anti-phishing capabilities. To evaluate the genre tree kernel method, a series of experiments were conducted on a testbed encompassing thousands of legitimate and phishing websites. The results revealed that the proposed method provided significantly better detection capabilities than state-of-the-art anti-phishing methods. An additional experiment demonstrated the effectiveness of the genre tree kernel technique in user settings; users utilizing the method were able to better identify and avoid phishing websites, and were consequently less likely to transact with them. Given the extensive monetary and social ramifications associated with phishing, the results have important implications for future anti-phishing strategies. More broadly, the results underscore the importance of considering intention/purpose as a critical dimension for automated credibility assessment: focusing not only on the ÒwhatÓ but rather on operationalizing the ÒwhyÓ into salient detection cues. > >
Companies' information security efforts are often threatened by employee negligence and insider breach. To deal with these insider issues, this study draws on the compliance theory and the general deterrence theory to propose a research model in which the relations among coercive control, which has been advocated by scholars and widely practiced by companies; remunerative control, which is generally missing in both research and practice; and certainty of control are studied. A Web-based field experiment involving real-world employees in their natural settings was used to empirically test the model. While lending further support to the general deterrence theory, our findings highlight that reward enforcement, a remunerative control mechanism in the information systems security context, could be an alternative for organizations where sanctions do not successfully prevent violation. The significant interactions between punishment and reward found in the study further indicate a need for a more comprehensive enforcement system that should include a reward enforcement scheme through which the organizational moral standards and values are established or reemphasized. The findings of this study can potentially be used to guide the design of more effective security enforcement systems that encompass remunerative control mechanisms.