Mitigating the security intention-behavior gap: The moderating role of required effort on the intention-behavior relationship

Jeffrey L. Jenkins, Alexandra Durcikova, Jay F. Nunamaker

Research output: Contribution to journalArticlepeer-review

Abstract

Although users often express strong positive intentions to follow security policies, these positive intentions fail to consistently translate to behavior. In a security setting, the inconsistency between intentions and behavior—termed the intention-behavior gap—is particularly troublesome, as a single failure to enact positive security intentions may make a system vulnerable. We address a need in security compliance literature to better understand the intention-behavior gap by explaining how an omnipresent competing intention—the user’s desire to minimize required effort—negatively moderates the relationship between positive intentions and actual security behavior. Moreover, we posit that this moderating effect is not accounted for in extant theories used to explain behavioral information security, introducing an opportunity to broadly impact information security research to more consistently predict behavior. In three experiments, we found that high levels of required effort negatively moderated users’ intentions to follow security policies. Controlling for this moderating effect substantially increased the explained variance in security policy compliance. The results suggest that security researchers should be cognizant of the existence of competing intentions, such as the desire to minimize required effort, which may moderate the security intention-behavior relationship. Otherwise, such competing intentions may cause unexpected inconsistencies between users’ intentions to behave securely and their actual security behavior.

Original languageEnglish (US)
Pages (from-to)246-272
Number of pages27
JournalJournal of the Association for Information Systems
Volume22
Issue number1
DOIs
StatePublished - 2021

Keywords

  • Competing Intentions
  • Effort
  • Information Disclosure
  • Intention-Behavior Gap
  • Passwords
  • Security

ASJC Scopus subject areas

  • Information Systems
  • Computer Science Applications

Fingerprint Dive into the research topics of 'Mitigating the security intention-behavior gap: The moderating role of required effort on the intention-behavior relationship'. Together they form a unique fingerprint.

Cite this