Article

The Role of Decision-Making Styles in Shaping Cybersecurity Compliance Behavior

Faculty of Business Administration, Gebze Technical University, Kocaeli 41400, Turkey
*
Author to whom correspondence should be addressed.
Appl. Sci. 2023, 13(15), 8731; https://doi.org/10.3390/app13158731
Submission received: 3 June 2023 / Revised: 11 July 2023 / Accepted: 19 July 2023 / Published: 28 July 2023

Abstract

The growing number of attacks on crucial cyber networks is one of humanity’s most significant security threats. Combining technological solutions with the convenient cybersecurity behavior of the human factor is necessary to reduce the effects of these attacks. In this study, the impact of individual decision-making styles on cybersecurity compliance behavior was examined. A conceptual framework was developed based on the protective motivation theory, and it was tested with a data set representing the survey results of 668 employees and students with work experience. Regression analyses were performed to evaluate the impacts of individuals’ decision-making styles on cybersecurity compliance behaviors. Results showed that the decision-making styles of individuals affected their cybersecurity compliance behaviors, and these effects showed significant differences according to their decision-making styles. The study also confirmed that security awareness was another important indicator of cybersecurity compliance behavior. Our research provided new insight into the effects of individual decision-making styles on cybersecurity compliance behavior.

1. Introduction

While cybersecurity expenditures continue to take a larger share of organizations’ budgets yearly, cyberattacks remain a challenge for organizations. Despite the increasingly large cybersecurity expenditures, the human factor remains the most critical source of data leaks [1]. Although technological solutions help reduce cyber incidents caused by human factors, it is impossible to prevent them entirely.
Many studies have been conducted to explain individuals’ cybersecurity compliance behaviors, based on different theories, such as rational choice theory (e.g., [2,3]), theory of planned behavior (e.g., [4,5]), general deterrence theory (e.g., [6,7]), neutralization theory (e.g., [8,9]), and protection motivation theory (e.g., [10,11,12,13]).
However, most of these studies have been carried out by focusing on perceived factors, such as perceived cost [14], perceived effectiveness [15], and perceived susceptibility [16], or external factors, such as subjective norms [4,15,17,18,19], social influence [20], and rewards [21]. Despite the importance given to perceived and external factors [22], the internal factors of individuals, such as decision-making styles, have not attracted the necessary attention [23,24,25]. This study examines individuals’ decision-making styles’ impacts on cybersecurity compliance behaviors. For this purpose, we determined our main research question: “To what extent do employees with different decision-making styles differ in their cybersecurity compliance behavior?”.
In light of the abovementioned gap, we proposed a conceptual model based on the protection motivation theory (PMT) [26,27] and empirically tested it. This study extended current research by examining the role of decision-making styles identified through the General Decision-Making Style Inventory (GDMS) within the framework of the PMT approach. Study findings also contributed to literature by presenting new evidence in explaining individuals’ cybersecurity compliance behaviors. This study analyzed individuals’ actual cybersecurity protective behaviors rather than behavioral intentions. By doing this, we aimed to shed light on how cybersecurity could be improved by offering more realistic, practical applications based on individual decision-making.

2. Theoretical Background

Researchers working on decision-making behavior suggest that individuals show stereotypical reactions in similar situations due to their habits [28,29,30]. These stereotypical reactions individuals exhibit in their decision-making processes are called decision-making styles [29,30,31]. The term “decision-making style” refers to the routines that people follow while making decisions [28] and an individual’s unique way of understanding and reacting to activities requiring decision-making [32]. After an analysis of earlier research on decision-making styles, Scott and Bruce [29] identified it as a habitual, automatic reaction style used by a person in decision-making situations, and it is more of a habit-based tendency than a personality attribute.
Rowe and Mason [31] defined a decision-making style as a cognitive procedure that depicts how a person handles a challenge. This implies that each person uses different methods of perceiving and analyzing information and, therefore, will make different decisions. Rowe and Boulgarides [33] argued that decision behavior could be predicted if one knew how they made decisions. Prediction of human decision-making behavior would enable the prediction of cybersecurity behavior and all other fields of application.
The General Decision-Making Style Inventory (GDMS), developed by Scott and Bruce [29], was used in this study to measure individuals’ decision-making styles. In GDMS, five different decision-making styles are measured. Sufficient samples were not obtained from the two decision-making styles (spontaneous and avoidant) in this study. Nevertheless, the remaining rational, intuitive, and dependent decision-making styles, for which sufficient samples were obtained, were from Harren’s [32] decision-making styles typology. The most well-known, logically valid, and least-redundant taxonomic categorization of decision-making styles is Harren’s [32] division of decision-making into dependent, intuitive, and rational styles [34,35,36]. Specific characteristics and inclinations emerge for different decision-making styles. Rational style is characterized by consciously and rationally making decisions; intuitive style is represented by deciding in accordance with emotions and a sense of fulfillment; dependent style is described as deciding depending on what others think and expect of you [29,32].
After determining the decision-making styles of individuals, cybersecurity compliance behaviors were explained theoretically. Many theories have been used in literature to elucidate individuals’ security compliance behaviors. In this study, the protection motivation theory (PMT) was used to investigate individuals’ cybersecurity compliance behaviors. The protection motivation theory describes why people are driven to act when they are warned about danger or risky conduct [13,26,27]. In other words, the theory’s fundamental premise is that people are driven to defend themselves when confronted with potentially dangerous situations [37]. PMT comprises two appraisal processes to understand how individuals motivate themselves in risky situations: coping appraisal and threat appraisal. Coping appraisal describes how people evaluate their capacity to cope with and prevent possible loss or harm from a danger [38,39] and comprises self-efficacy, response efficacy, and perceived barriers. The threat appraisal explains how individuals perceive threats and includes perceived severity and vulnerability factors.
Cyber-attacks pose a potentially dangerous situation in the digital world [1]. In many different usage areas, such as the home computers [17], smartphones [40], wireless networks [38], and smart cities [41], there is an increasing potential danger of cyberattacks. In the event of these attacks, many negative situations may be encountered, such as the disclosure of personal data, the interruption of access to systems, and financial loss [40]. These potentially dangerous situations in cyber issues comply with the context of PMT [37]. Therefore, in order to find an answer to the question of how employees with different decision-making styles differ in their cyber security compliance behaviors in the face of cyberattacks, a conceptual model and subsequent hypotheses were developed within the framework of PMT.

3. Hypothesis Development

To examine the impacts of individuals’ decision-making styles on cybersecurity compliance behaviors, subsequent hypotheses were developed within the framework of the conceptual model.

3.1. Perceived Severity and Cybersecurity Compliance Behavior

The essential assumption of PMT is to motivate and protect individuals when they feel threatened by risky events [37]. PMT structure helps to understand the behaviors that individuals will develop to protect the information assets of their organizations when faced with cybersecurity risks. Perceived severity, one of PMT’s threat appraisal factors, refers to an individual’s judgment that a security threat will cause severe harm and cause serious inconvenience [19]. Individuals who perceive a threat to their organization’s information system assets are more likely to engage in cybersecurity compliance behavior [3,42]. Vance et al. [11] found that perceived severity influenced the security intentions of employees in an organizational context. Hooper and Blunt [43] also showed that the perceived severity strongly affected the IT employee’s intention to implement information security. It is estimated that employees who perceive severe consequences due to non-compliance tend to exhibit cybersecurity compliance behaviors.
H1. The cybersecurity compliance behaviors of employees are positively influenced by their perceived severity.

3.2. Perceived Vulnerability and Cybersecurity Compliance Behavior

Perceived vulnerability is defined as the degree to which individuals perceive the potential threat of a cyberattack and feel that they lack the necessary methods and tools to prevent or mitigate such a threat [11]. An employee will be more inclined to undertake defensive actions if they believe their organization’s information system is very vulnerable [39]. Studies demonstrated that business leaders’ desires to implement security measures in their businesses can be influenced by their perception of their firms’ vulnerability [44], information privacy concerns in social networking sites [45], employees’ self-reported cybersecurity behaviors [46], and employees’ cybersecurity compliance behaviors [13]. This study postulates that employees tend to exhibit cybersecurity compliance behaviors if they perceive the organization’s information infrastructure to be highly vulnerable.
H2. The cybersecurity compliance behaviors of employees are positively influenced by their perceived vulnerability.

3.3. Self-Efficacy and Cybersecurity Compliance Behavior

Self-efficacy is one of PMT’s coping appraisal factors. It refers to an individual’s judgment of their skills, knowledge, or competency to practice protective behavior to reduce the risks that may arise from possible cyberattacks [3,11]. Self-efficacy of individuals has been linked to both general and password security compliance behaviors [25]. This is in line with other research showing a positive correlation between different information security behaviors. Thus, employees who believe they can perform protective behaviors against cyber threats tend to exhibit cybersecurity compliance behaviors.
H3. The cybersecurity compliance behaviors of employees are positively influenced by their self-efficacy.

3.4. Response Efficacy and Cybersecurity Compliance Behavior

Response efficacy refers to the belief that a proposed counter-behavior (response) in the event of a threat will effectively reduce the threat level [39]. In cybersecurity, this means that an employee’s faith that the guidelines and standards set within their organization’s information system security policies would effectively prevent the threat. Hence, we suggest that employees who believe that their organization’s proposed response is effective at averting cyber threats are likely to perform cybersecurity compliance behaviors.
H4. The cybersecurity compliance behaviors of employees are positively influenced by their response efficacy.

3.5. Perceived Barriers and Cybersecurity Compliance Behavior

Individuals’ perceptions of the response cost are referred to as perceived barriers, meaning unpleasant or inconvenient cybersecurity protection behaviors [47]. Employees’ beliefs that a response proposed by their organization will eliminate the threat do not always mean that they will take that action. Even if they know that this proposed response will avert the threat, they may find this response unpleasant or inconvenient. This attitude is called perceived barriers and can prevent cybersecurity compliance behavior. Indeed, previous studies have proven that perceived barriers are negatively associated with cybersecurity-related behaviors [11,13,19,46]. As a result, we expect employees’ perceived barriers to be negatively related to cybersecurity compliance behavior.
H5. The cybersecurity compliance behavior of employees is negatively influenced by their perceived barriers.

3.6. Security Awareness and Cybersecurity Compliance Behavior

Security awareness refers to individuals knowing about cybersecurity issues and the consequences of cyber incidents [3]. The link between cybersecurity behavior and security awareness has been revealed in various studies in different contexts, such as an individual’s password change frequency and propensity to use strong passwords [48] and the perspective of users with regard to conforming to an organization’s IS policy [3]. Donalds and Osei-Bryson [25] also provided empirical evidence for the effects of security awareness on both password compliance and overall general compliance behavior. In their recent research, Alanazi et al. [49] reported that young adults’ perceived awareness of cyber threats strongly influenced cybersecurity behaviors. In line with past studies, we argue that employees with security awareness tend to demonstrate cybersecurity compliance behaviors.
H6. The cybersecurity compliance behavior of employees is positively influenced by their security awareness.
Figure 1 shows the conceptual model.

4. Methods

4.1. Measures

The survey methodology was used in this study. The questionnaire was designed using multi-item scales from published literature. Respondents were asked to answer cybersecurity construct (i.e., self-efficacy, perceived vulnerability, perceived severity, response efficacy, perceived barriers, and security awareness) questions by considering their cybersecurity behaviors and decision-making style (GDMS) questions by considering their approaches in the individual decision-making process.
Cybersecurity compliance behavior was the dependent variable in this study, and it was measured through a four-item scale adapted from Donalds and Osei-Bryson [25], Anwar et al. [46], and Ng et al. [47]. The four-item scale used to evaluate the perceived severity was derived from Li et al. [13], Ifinedo [39], Mohamed and Ahmad [45], Ng et al. [47], and Woon et al. [38]. The four-item scale used to assess perceived vulnerability was taken from Li et al. [13], Ifinedo [39], and Woon et al. [38]. Four items were adapted from Donalds and Osei-Bryson [25], Li et al. [13], Anwar et al. [46], and Rhee et al. [50] to measure self-efficacy. Response efficacy was measured through a four-item scale adapted from Li et al. [13], Mohamed and Ahmad [45], and Lee et al. [51]. Perceived barriers were measured through a four-item scale adapted from Li et al. [13], Anwar et al. [46], Ng et al. [47], and Woon et al. [38]. We adopted a three-item scale for security awareness from Donalds and Osei-Bryson [25] and Bulgurcu et al. [3]. Individual decision-making style was measured through the scales of Scott and Bruce’s [29] twenty-five-item General Decision-Making Style Inventory (GDMS). Five different decision-making styles were measured using GDMS, which included five items for each style. On a five-point scale ranging from strongly disagree (1) to strongly agree (5), respondents indicated their preference. The average of the statements showed how individuals felt about each decision-making style and, therefore, which decision-making style they had. Scales are presented in Appendix A.

4.2. Data Collection and Sample

The study’s participants were public and private sector employees and students with work experience. The online survey method was adopted to collect data.
Ethical considerations were taken into account. The aims of the study were provided to all participants before the survey. The right to withdraw from the study during data collection was given to participants. Participants were informed that being a part of the research was completely voluntary and that their replies would be kept anonymous and confidential. The local research ethics committee approved the research.
The instrument was tested through two pilot studies, with 31 and 35 respondents. After the pilot studies, refinements were made to the questionnaire, and the final version was created. After excluding the replies of those who finished the survey in an insufficient amount of time, 668 responses remained, yielding a 67% response rate. For subsequent data analysis, the remaining responses constituted an adequate sample size [52,53]. When respondents were asked whether there was an information security policy in their workplace, 57.1% responded “yes”, 10.8% responded “no”, and 31.9% answered that they did not know anything about their workplace’s information security policy.

5. Analysis and Findings

Principal component analysis with varimax rotation was performed to verify the factor loadings of the variables. In this way, the components for the independent and dependent variables were determined. The analysis classified 27 items into seven components. Furthermore, all variables’ Cronbach’s alpha values varied from 0.77 to 0.91. A reliability coefficient above 0.70 was favored [54]. Thus, the Cronbach’s alpha values for all variable measurements in this study indicated reliable scales.
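Added example (not the authors' code): scoring the GDMS by averaging the five items of each style, as Section 4.1 describes, and checking a scale's reliability with Cronbach's alpha against the 0.70 threshold used above. The item order (blocks of five per style), the tie rule and all response data are assumptions constructed for illustration.

```python
from statistics import mean, variance

# Style names come from the paper; the order of the item blocks is an assumption.
STYLES = ("rational", "intuitive", "dependent", "avoidant", "spontaneous")
ITEMS_PER_STYLE = 5
RELIABILITY_THRESHOLD = 0.70  # threshold favored in the paper [54]


def _check_likert(values):
    """Reject anything that is not an integer on the 1..5 scale."""
    for v in values:
        if not isinstance(v, int) or not 1 <= v <= 5:
            raise ValueError(f"not a 1-5 Likert answer: {v!r}")


def style_scores(answers):
    """Mean score per decision-making style for one respondent (25 answers)."""
    if len(answers) != len(STYLES) * ITEMS_PER_STYLE:
        raise ValueError("GDMS needs 25 answers")
    _check_likert(answers)
    return {
        style: mean(answers[i * ITEMS_PER_STYLE:(i + 1) * ITEMS_PER_STYLE])
        for i, style in enumerate(STYLES)
    }


def dominant_style(answers):
    """Style with the highest mean; None on a tie (assumed rule, not from the paper)."""
    scores = style_scores(answers)
    top = max(scores.values())
    winners = [s for s, v in scores.items() if v == top]
    return winners[0] if len(winners) == 1 else None


def cronbach_alpha(rows):
    """Cronbach's alpha for one scale; rows = one list of item scores per respondent."""
    if len(rows) < 2:
        raise ValueError("need at least two respondents")
    k = len(rows[0])
    if k < 2 or any(len(r) != k for r in rows):
        raise ValueError("every respondent must answer the same k >= 2 items")
    for r in rows:
        _check_likert(r)
    item_vars = [variance(col) for col in zip(*rows)]   # variance of each item
    total_var = variance([sum(r) for r in rows])        # variance of the sum score
    if total_var == 0:
        raise ValueError("no variance in total scores; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


# Constructed respondent: answers in assumed block order
# rational, intuitive, dependent, avoidant, spontaneous.
SAMPLE_RESPONDENT = (
    [5, 4, 5, 4, 5] + [3, 3, 2, 3, 3] + [2, 2, 3, 2, 2]
    + [1, 2, 1, 2, 1] + [2, 1, 2, 2, 1]
)

# Constructed answers of five respondents to a three-item security awareness scale.
AWARENESS_ROWS = [
    [5, 4, 5],
    [4, 4, 4],
    [2, 3, 2],
    [1, 2, 1],
    [3, 3, 4],
]

if __name__ == "__main__":
    print("style scores:", style_scores(SAMPLE_RESPONDENT))
    print("dominant style:", dominant_style(SAMPLE_RESPONDENT))
    alpha = cronbach_alpha(AWARENESS_ROWS)
    print(f"alpha = {alpha:.3f}, reliable = {alpha > RELIABILITY_THRESHOLD}")
```

Grouping respondents by `dominant_style` gives the subgroups on which the per-style regressions in this section are run.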
Descriptive statistics and intercorrelations between the constructs were analyzed. The means, standard deviations, and correlations between the variables are indicated in Table 1. Then, regression analyses were performed to test the hypotheses. The first regression analysis was conducted for the whole group, regardless of the participants’ decision-making styles. Model 1 (Table 2) shows that perceived severity (β = 0.186; p < 0.01), perceived vulnerability (β = 0.096; p < 0.05), self-efficacy (β = 0.133; p < 0.01), response-efficacy (β = 0.106; p < 0.05), and security awareness (β = 0.238; p < 0.01) were positively related to cybersecurity compliance behavior. Nevertheless, there was no support for the relationship between perceived barriers and cybersecurity compliance behavior. Model 1 provided a statistically significant fit to the data (R² = 0.356, F = 60.823, p = 0.000), and 35.6% of the variation in cybersecurity compliance behavior was explained by Model 1. Hence, while H5 was not supported, H1, H2, H3, H4, and H6 were all supported for all participants.
After an overall look at all participants, regression analyses were performed for subgroups of participants regarding individual decision-making styles. In this study, the data set did not yield sufficient samples for two decision-making styles (spontaneous and avoidant styles). However, the remaining decision-making styles were obtained from Harren’s [32] most well-known taxonomic categorization of decision-making styles and included dependent, intuitive, and rational styles. As can be seen in Model 2 (Table 2), perceived severity (β = 0.200; p < 0.01), self-efficacy (β = 0.153; p < 0.01), and security awareness (β = 0.198; p < 0.01) were positively correlated with cybersecurity compliance behaviors. Contrary to Model 1, no support was found for the relationships between perceived vulnerability and response-efficacy variables and cybersecurity compliance behaviors in Model 2. Additionally, in parallel with Model 1, no support was found for the relationship between perceived barriers and cybersecurity compliance behaviors. Model 2 presented a statistically significant fit to the data (R² = 0.303, F = 28.875, p = 0.000) and explained 30.3% of the variance in cybersecurity compliance behaviors. Thus, for individuals with rational decision-making styles, H2, H4, and H5 were not supported, whereas H1, H3, and H6 were supported.
The regression analysis results for individuals with intuitive decision-making styles are reflected in Model 3. It was found that response efficacy (β = 0.231; p < 0.05) and security awareness (β = 0.339; p < 0.01) were positively correlated with cybersecurity compliance behaviors. Model 3 did not support the relationships between perceived vulnerability, perceived severity, self-efficacy, perceived barriers variables, and cybersecurity compliance behavior. A statistically significant fit to the data was observed in Model 3, and 54% of the variation in cybersecurity compliance behavior was explained by Model 3 (Table 2). Consequently, for those with intuitive decision-making styles, H4 and H6 were supported, but H1, H2, H3, and H5 were not.
Model 4 was constructed to perform a regression analysis for individuals with dependent decision-making styles. For this group, security awareness (β = 0.199; p < 0.05) and cybersecurity compliance behavior were positively correlated. No support was found for the relationships between perceived severity, perceived vulnerability, self-efficacy, response-efficacy, perceived barriers variables, and cybersecurity compliance behavior. Model 4 provided a statistically significant fit to the data (R² = 0.397, F = 10.303, p = 0.000) and explained 39.7% of the variance in cybersecurity compliance behavior. As a result, for individuals with dependent decision-making styles, only H6 was supported, whereas H1, H2, H3, H4, and H5 were not.

6. Discussion

Our research provided the evidence for cybersecurity compliance behavior and explained in detail how the various decision-making styles of the employees differed in cybersecurity compliance behaviors. In this respect, the findings might be evaluated from two aspects. The first would be to evaluate the model for the overall group that included all participants, and the second would be to consider the differentiation in current cybersecurity compliance behaviors of subgroups, based on individuals’ decision-making styles. For the general group, it was observed that perceived severity, perceived vulnerability, self-efficacy, response-efficacy, and security awareness affected cybersecurity compliance behavior, while perceived barriers had no impact. The effect of all variables differed from the general group and other subgroups. However, security awareness stood out as an essential explanatory factor in the general group and all subgroups, and perceived barriers did not have a significant explanatory effect.
The effect of perceived severity on employees’ cybersecurity compliance behaviors was tested, and results showed that the severity of cyber threats perceived by employees positively related to their compliance behaviors. Findings were in the same line as the results of Larose et al. [55], Pahnila et al. [42]; Bulgurcu et al. [3]; Vance et al. [11]; Mohamed and Ahmad [45]; Hooper and Blunt [43]; and Wong et al. [10]. From the decision style perspective, it was found that while perceived severity strongly explained the cybersecurity compliance behaviors of employees with rational decision-making styles, it could not explain the behaviors of employees with intuitive and dependent decision-making styles. Contrary to previous studies, Ng et al. [47] concluded that the perceived severity of employees was not a reliable indicator of cybersecurity protection intentions, and people’s unawareness of the potential cyber threats was suggested as the cause of this. Indeed, this proposition was confirmed, since it was observed that employees with intuitive and dependent decision-making styles had less cybersecurity awareness, compared to employees with rational decision-making styles.
We also examined the effects of perceived vulnerability on employees’ cybersecurity compliance behaviors. Findings indicated that perceived vulnerability positively affected employees’ cybersecurity compliance behaviors. This result supported the findings of Ifinedo [39], Anwar et al. [46], and Li et al. [13] and extended Lee et al.’s [51] study by working on employees as a sample. On the other hand, the positive relationship could not be observed when participants were evaluated based on subgroups according to their decision-making styles.
In light of the analysis, it was seen that employees’ self-efficacy was significant in explaining cybersecurity compliance behavior. Findings showed that self-efficacy strongly explained the cybersecurity compliance behaviors of employees with rational decision-making styles. However, it could not elucidate the exact behaviors of employees with intuitive and dependent decision-making styles. Findings indicated that self-efficacy was an important component of employees’ cybersecurity compliance behaviors.
The effects of response efficacy on employees’ cybersecurity compliance behaviors were also tested. Findings demonstrated that employees’ response efficacies were significant in explaining cybersecurity compliance behaviors. When the results were evaluated on the focus of decision-making style, it was seen that the behaviors of employees with an intuitive decision-making style were explained by response efficacy. However, it could not explain the exact behaviors of employees with rational and dependent decision-making styles. This might be because individuals with an intuitive decision-making style have better inclinations to make decisions based on emotions when they need to decide. Hence, they feel more confident in terms of the effects of their reaction.
Analyses results did not support the significant impacts of perceived barriers in explaining cybersecurity compliance behavior. Recalling that perceived barriers showed the unpleasantness or inconvenience of performing cybersecurity protection behavior, it could be interpreted that participants did not find barriers in demonstrating the cybersecurity protection behaviors.
Security awareness was found to affect employees’ cybersecurity compliance behaviors significantly. The results supported the hypothesis that an employee aware of potential cyber incidents and their outcomes will perform cybersecurity compliance behavior. Findings broadened Li et al.’s [13] study by covering a well-grounded scale for security awareness instead of just measuring employees’ awareness about whether there was an information security policy in the organization. Furthermore, this study extended Donalds and Osei-Bryson’s [25] research using a different decision-making style scale, namely the General Decision-Making Style Inventory (GDMS). Results showed that security awareness was the only significant factor in explaining employees’ cybersecurity compliance behaviors for all subgroups. That meant rational, intuitive, and dependent decision-maker employees found security awareness necessary to perform cybersecurity compliance behaviors. However, when the subgroups were ranked according to significance level for security awareness, the order was rational, intuitive, and dependent decision-makers. These findings also provided empirical support for Donalds and Osei-Bryson’s [25] results, asserting that an individual’s dominant decision style significantly impacts their security compliance behavior.

6.1. Theoretical Contributions

This study offered three main contributions to cybersecurity research. First, based on the theoretical assumption of decision style and protection motivation, this paper proposed and validated a research model that emphasized the importance of decision-making style differences in exploring individuals’ cybersecurity compliance behaviors. As far as we know, this was the first study to examine the impacts of individuals’ decision style differences on their actual cybersecurity compliance behaviors in the context of the protection motivation theory. Second, a considerable contribution to literature was made by proposing and validating the research model. Mainly, it was crucial to provide empirical support to a limited number of studies [23,24,25] examining the effects of decision-making styles on cybersecurity compliance behaviors. Third, in this study, individuals’ cybersecurity protective behaviors were analyzed, contrary to what is expected in literature, rather than behavioral intentions. To take more sensible precautions in daily life, it is crucial to focus on the actual behaviors, even if they are self-reported, instead of their assumptions about their future behavior. Additionally, the call of Donalds and Osei-Bryson [25] to explore the potential influence of decision style theory on individuals’ cybersecurity or other security compliance behaviors was also heeded.

6.2. Practical Contributions

Understanding individuals’ current awareness levels and perceptions of cybersecurity issues will make significant contributions to the elimination of problems [5]. In addition, focusing on the effects of employee decision-making styles on cybersecurity compliance behaviors helps organizations take more effective security measures at an individual level. Employees have individual differences, and their decision-making styles might be an essential indicator of how they will behave. Employees might be assigned to jobs by determining the differences in their individual decision-making styles. For example, employees with rational decision-making styles should be directed to more technical jobs, such as firewall/WAF/IPS administration. For these employees, perceived severity, self-efficacy, and security awareness factors are prominent, compared to employees with other decision-making styles.
Similarly, technical employees with intuitive decision-making styles might be placed in positions where they need to take rapid action in the event of a cyber threat, such as the security information and event management (SIEM) system or the computer security incident response team (CSIRT). Since, for the intuitive decision-making style, the response-efficacy factor impacts cybersecurity compliance behavior, employees with an intuitive decision-making style are expected to perform better in preventing the threat. Deploying employees in jobs suitable for them according to their personality traits and decision-making styles will significantly contribute to the provision of organizational cybersecurity.

6.3. Limitations and Future Research

Our research had certain limits, which also offered an idea for future studies. First, this study offered new insight on the connection between individuals’ decision-making styles and cybersecurity compliance behaviors from the protection motivation theory (PMT) perspective. However, future research might test the same relation from different security-related theoretical frameworks, such as the rational choice theory, general deterrence theory, theory of planned behavior, and neutralization theory. Second, the General Decision-Making Style Inventory (GDMS), developed by Scott and Bruce [29], was used to measure and determine individuals’ decision-making styles. Future research can use the same inventory in different models, based on other theoretical frameworks. Third, this study collected data in a specific geographic and cultural context. Future research might collect data from different geographic, cultural, or cross-national contexts to identify deficiencies in the model.

7. Conclusions

Despite the high-cost investments made by public and private sector organizations to ensure their cybersecurity, employees’ noncompliance with information security policies threatens the organizations’ information assets. Employees must comply with the security regulations their institutions have notified them of to ensure cybersecurity. Many models based on different theories have been proposed to explain individuals’ cybersecurity compliance behaviors. However, most of these studies focused on external factors rather than internal factors of individuals. This study aimed to observe the impacts of individuals’ decision-making styles, one of the internal factors, on the factors that affect the employees’ cybersecurity compliance behaviors.
The results showed that our model explained individuals’ cybersecurity compliance behaviors well and that subgroups differed, based on individuals’ decision-making styles. For the general group that included all participants, perceived vulnerability, perceived severity, self-efficacy, response efficacy, and security awareness factors affected employees’ cybersecurity compliance behaviors. However, the effects of the perceived barrier factors were not observed. In detail, our findings indicated that security awareness was significant, both for the overall group and for all subgroups of decision-making styles in explaining cybersecurity compliance behaviors. Meanwhile, the effects of perceived vulnerability, perceived severity, response-efficacy, and self-efficacy factors varied for decision-making styles.

Author Contributions

All authors contributed to the study. Conceptualization, A.D. and H.K.; data collection, A.D. and M.S.G.; data analysis, A.D. and H.K.; writing—original draft, A.D. and H.K.; writing—review and editing, M.S.G. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

The study was conducted in accordance with the Declaration of Helsinki and approved by the Academic Human Research Ethics Committee of Gebze Technical University in Turkey, with protocol code #12-01, on 17 August 2022.

Informed Consent Statement

Informed consent was obtained from all subjects involved in the study.

Data Availability Statement

The data in this study can be provided upon request by sending an e-mail to the corresponding author.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

Survey items in the final data analysis
  • Perceived Severity (adapted from Li et al., 2019 [13]; Ifinedo, 2012 [39]; Mohamed and Ahmad, 2012 [45]; Ng et al., 2009 [47]; Woon et al., 2005 [38])
    PS1—Having my computer infected by a virus as a result of opening a suspicious email attachment is a serious problem for me.
    PS2—At work, having my confidential information accessed by someone without my consent or knowledge is a serious problem for me.
    PS3—Loss of data resulting from hacking is a serious problem for me.
    PS4—Having my online identity stolen through social networking sites would be a serious problem for me.
  • Perceived Vulnerability (adapted from Li et al., 2019 [13]; Ifinedo, 2012 [39]; Woon et al., 2005 [38])
    PV1—I feel that my organization could become vulnerable to security breaches if I do not adhere to its information security policy.
    PV2—I feel that I could fall victim to a malicious attack if I fail to comply with my organization’s information security policy.
    PV3—I believe that my effort to protect my organization’s information will reduce illegal access to it.
    PV4—My organization’s data and resources may be compromised if I do not pay adequate attention to information security policies and guidelines.
  • Self-Efficacy (adapted from Donalds and Osei-Bryson, 2020 [25]; Li et al., 2019 [13]; Anwar et al., 2017 [46]; Rhee et al., 2009 [50])
    SEEF1—I feel confident setting the web browser to different security levels.
    SEEF2—I feel confident using different programs to protect my information and information system.
    SEEF3—I feel confident handling virus-infected files and/or getting rid of malware/spyware.
    SEEF4—I feel confident learning the method to protect my information and information system.
  • Response-Efficacy (adapted from Li et al., 2019 [13]; Mohamed and Ahmad, 2012 [45]; Lee et al., 2008 [51])
    REEF1—Complying with the information security policies in my organization will keep security breaches down.
    REEF2—If I comply with information security policies, the chances of information security breaches occurring will be reduced.
    REEF3—Careful compliance with information security policies helps to avoid security problems.
    REEF4—Using information security technologies is an effective way to protect confidential information.
  • Perceived Barriers (adapted from Li et al., 2019 [13]; Anwar et al., 2017 [46]; Ng et al., 2009 [47]; Woon et al., 2005 [38])
    PB1—It is inconvenient to check the security of an email with attachments.
    PB2—Changing the privacy setting on social media sites is inconvenient.
    PB3—Backing up a computer regularly is inconvenient.
    PB4—Cybersecurity training takes too much time from work.
  • Security Awareness (adapted from Donalds and Osei-Bryson, 2020 [25]; Bulgurcu et al., 2010 [3])
    SEAW1—Overall, I am aware of potential information/cybersecurity threats and their negative consequences.
    SEAW2—I understand the concerns regarding information/cybersecurity threats and the risks they pose in general.
    SEAW3—I have sufficient knowledge about the costs of potential information/cybersecurity threats.
  • Cybersecurity Compliance Behavior (adapted from Donalds and Osei-Bryson, 2020 [25]; Anwar et al., 2017 [46]; Ng et al., 2009 [47])
    CSCB1—I do not open email attachments from people whom I do not know.
    CSCB2—I have never sent sensitive information via email or using social media.
    CSCB3—Concerns about security issues made me visit only websites I know/trust.
    CSCB4—Concerns about security issues made me click on URLs if I know where the URLs will really take me.

References

  1. Verizon, Data Breach Investigations Report. Available online: https://www.verizon.com/business/resources/reports/2022/dbir/2022-data-breach-investigations-report-dbir.pdf (accessed on 2 April 2023).
  2. Han, J.; Kim, Y.J.; Kim, H. An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective. Comput. Secur. 2017, 66, 52–65.
  3. Bulgurcu, B.; Cavusoglu, H.; Benbasat, I. Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Q. 2010, 34, 523–548.
  4. Ifinedo, P. Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Inf. Manag. 2014, 51, 69–79.
  5. Alsmadi, D.; Maqousi, A.; Abuhussein, T. Engaging in cybersecurity proactive behavior: Awareness in COVID-19 age. Kybernetes 2022. ahead-of-print.
  6. Chen, Y.; Ramamurthy, K.; Wen, K.-W. Organizations’ information security policy compliance: Stick or carrot approach? J. Manag. Inf. Syst. 2014, 29, 157–188.
  7. Moody, G.D.; Siponen, M.; Pahnila, S. Toward a unified model of information security policy compliance. MIS Q. 2018, 42, 285–311.
  8. Barlow, J.B.; Warkentin, M.; Ormond, D.; Dennis, A.R. Don’t make excuses! Discouraging neutralization to reduce IT policy violation. Comput. Secur. 2013, 39, 145–159.
  9. Siponen, M.; Vance, A. Guidelines for improving the contextual relevance of field surveys: The case of information security policy violations. Eur. J. Inf. Syst. 2010, 23, 289–305.
  10. Wong, L.W.; Lee, V.H.; Tan, G.W.H.; Ooi, K.B.; Sohal, A. The role of cybersecurity and policy awareness in shifting employee compliance attitudes: Building supply chain capabilities. Int. J. Inf. Manag. 2022, 66, 102520.
  11. Vance, A.; Siponen, M.; Pahnila, S. Motivating IS security compliance: Insights from habit and protection motivation theory. Inf. Manag. 2012, 49, 190–198.
  12. Safa, N.S.; Sookhak, M.; Von Solms, R.; Furnell, S.; Ghani, N.A.; Herawan, T. Information security conscious care behaviour formation in organizations. Comput. Secur. 2015, 53, 65–78.
  13. Li, L.; He, W.; Xu, L.; Ash, I.; Anwar, M.; Yuan, X. Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. Int. J. Inf. Manag. 2019, 45, 13–24.
  14. Boss, S.R.; Galletta, D.F.; Lowry, P.B.; Moody, G.D.; Polak, P. What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Q. 2015, 39, 837–864.
  15. Herath, T.; Rao, H.R. Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decis. Support Syst. 2009, 47, 154–165.
  16. Warkentin, M.; Johnston, A.C.; Shropshire, J.; Barnett, W.D. Continuance of protective security behavior: A longitudinal study. Decis. Support Syst. 2016, 92, 25–35.
  17. Anderson, C.L.; Agarwal, R. Practicing safe computing: A multimethod empirical examination of home computer user security behavioral intentions. MIS Q. 2010, 34, 613–643.
  18. Hadlington, L. Human factors in cybersecurity; examining the link between Internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours. Heliyon 2017, 3, e00346.
  19. Herath, T.; Rao, H.R. Protection motivation and deterrence: A framework for security policy compliance in organisations. Eur. J. Inf. Syst. 2008, 18, 106–125.
  20. Tu, Z.; Turel, O.; Yuan, Y.; Archer, N. Learning to cope with information security risks regarding mobile device loss or theft: An empirical examination. Inf. Manag. 2015, 52, 506–517.
  21. Boss, S.R.; Kirsch, L.J.; Angermeier, I.; Shingler, R.A.; Boss, R.W. If someone is watching, I’ll do what I’m asked: Mandatoriness, control, and information security. Eur. J. Inf. Syst. 2009, 18, 151–164.
  22. Lu, Y. Cybersecurity research: A review of current research topics. J. Ind. Integr. Manag. 2018, 3, 1850014.
  23. Egelman, S.; Peer, E. Scaling the Security wall: Developing a Security Behavior Intentions Scale (SeBIS). In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, Seoul, Republic of Korea, 18–23 April 2015; pp. 2873–2882.
  24. Gratian, M.; Bandi, S.; Cukier, M.; Dykstra, J.; Ginther, A. Correlating human traits and cyber security behavior intentions. Comput. Secur. 2018, 73, 345–358.
  25. Donalds, C.; Osei-Bryson, K.M. Cybersecurity compliance behavior: Exploring the influences of individual decision style and other antecedents. Int. J. Inf. Manag. 2020, 51, 102056.
  26. Rogers, R.W. A protection motivation theory of fear appeals and attitude change. J. Psychol. 1975, 91, 93–114.
  27. Rogers, R.W. Cognitive and Physiological Processes in Fear Appeals and Attitude Change: A Revised Theory of Protection Motivation. In Social Psychophysiology; Cacioppo, J.T., Petty, R.E., Eds.; Guilford: New York, NY, USA, 1983; pp. 153–176.
  28. Driver, M.J. Individual Decision-Making and Creativity. In Organizational Behavior; Kerr, S., Ed.; Grid Publishing: Columbus, OH, USA, 1979; pp. 59–91.
  29. Scott, S.G.; Bruce, R.A. Decision-making style: The development and assessment of a new measure. Educ. Psychol. Meas. 1995, 55, 818–831.
  30. Thunholm, P. Decision-making style: Habit, style or both? Personal. Individ. Differ. 2004, 36, 931–944.
  31. Rowe, A.J.; Mason, R.O. Managing with Style: A Guide to Understanding, Assessing, and Improving Decision Making; Jossey-Bass: San Francisco, CA, USA, 1987.
  32. Harren, V.A. A model of career decision making for college students. J. Vocat. Behav. 1979, 14, 119–133.
  33. Rowe, A.J.; Boulgarides, J.D. Managerial Decision Making: A Guide to Successful Business Decisions; McMillan: New York, NY, USA, 1992.
  34. Phillips, S.D.; Friedlander, M.L.; Pazienza, N.J.; Kost, P.P. A factor analytic investigation of career decision-making styles. J. Vocat. Behav. 1985, 26, 106–115.
  35. Mau, W.C. Cultural differences in career decision-making styles and self-efficacy. J. Vocat. Behav. 2000, 57, 365–378.
  36. Singh, R.; Greenhaus, J.H. The relation between career decision-making strategies and person–job fit: A study of job changers. J. Vocat. Behav. 2004, 64, 198–221.
  37. Youn, S. Teenagers’ perceptions of online privacy and coping behaviors: A risk–benefit appraisal approach. J. Broadcast. Electron. Media 2010, 49, 86–110.
  38. Woon, I.; Tan, G.W.; Low, R. A Protection Motivation Theory Approach to Home Wireless Security. In Proceedings of the ICIS 2005 Proceedings, Caen, France, 12–16 September 2005.
  39. Ifinedo, P. Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Comput. Secur. 2012, 31, 83–95.
  40. Bubukayr, M.A.S.; Almaiah, M.A. Cybersecurity Concerns in Smart-Phones and Applications: A Survey. In Proceedings of the 2021 International Conference on Information Technology (ICIT), Amman, Jordan, 14–15 July 2021; pp. 725–731.
  41. Alamer, M.; Almaiah, M.A. Cybersecurity in Smart City: A Systematic Mapping Study. In Proceedings of the 2021 International Conference on Information Technology (ICIT), Guangzhou, China, 22–25 December 2021; pp. 719–724.
  42. Pahnila, S.; Siponen, M.; Mahmood, A. Employees’ Behavior towards IS Security Policy Compliance. In Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS’07), Hyatt Regency Maui, HI, USA, 4–7 January 2022; p. 156b.
  43. Hooper, V.; Blunt, C. Factors influencing the information security behaviour of IT employees. Behav. Inf. Technol. 2019, 39, 862–874.
  44. Lee, Y.; Larsen, K.R. Threat or coping appraisal: Determinants of SMB executives’ decision to adopt anti-malware software. Eur. J. Inf. Syst. 2009, 18, 177–187.
  45. Mohamed, N.; Ahmad, I.H. Information privacy concerns, antecedents and privacy measure use in social networking sites: Evidence from Malaysia. Comput. Hum. Behav. 2012, 28, 2366–2375.
  46. Anwar, M.; He, W.; Ash, I.; Yuan, X.; Li, L.; Xu, L. Gender difference and employees’ cybersecurity behaviors. Comput. Hum. Behav. 2017, 69, 437–443.
  47. Ng, B.Y.; Kankanhalli, A.; Xu, Y.C. Studying users’ computer security behavior: A health belief perspective. Decis. Support Syst. 2009, 46, 815–825.
  48. Stanton, J.M.; Stam, K.R.; Mastrangelo, P.; Jolton, J. Analysis of end user security behaviors. Comput. Secur. 2005, 24, 124–133.
  49. Alanazi, M.; Freeman, M.; Tootell, H. Exploring the factors that influence the cybersecurity behaviors of young adults. Comput. Hum. Behav. 2022, 136, 107376.
  50. Rhee, H.S.; Kim, C.; Ryu, Y.U. Self-efficacy in information security: Its influence on end users’ information security practice behavior. Comput. Secur. 2009, 28, 816–826.
  51. Lee, D.; Larose, R.; Rifon, N. Keeping our network safe: A model of online protection behaviour. Behav. Inf. Technol. 2008, 27, 445–454.
  52. Hair, J.F.; Black, W.C.; Babin, B.J.; Anderson, R.E.; Tatham, R.L. Multivariate Data Analysis; Pearson Prentice Hall: Hoboken, NJ, USA, 2006.
  53. Westland, J.C. Lower bounds on sample size in structural equation modeling. Electron. Commer. Res. Appl. 2010, 9, 476–487.
  54. DeVellis, R.F. Scale Development: Theory and Applications; Sage Publications, Inc.: Thousand Oaks, CA, USA, 2003; pp. 27–48.
  55. LaRose, R.; Rifon, N.; Liu, S.; Lee, D. Understanding Online Safety Behavior: A Multivariate Model. In Proceedings of the 55th Annual Conference of the International Communication Association, New York, NY, USA, 26–30 May 2005.
Figure 1. Conceptual model.
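Table 1. Correlations of variables.

| No | Var. | Mean | Std. Dev. | Cronbach's alpha | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | PS | 4.56 | 0.72 | 0.91 | | | | | | |
| 2 | PV | 4.28 | 0.80 | 0.89 | 0.713 ** | | | | | |
| 3 | SEEF | 3.31 | 1.04 | 0.90 | 0.262 ** | 0.352 ** | | | | |
| 4 | REEF | 4.23 | 0.76 | 0.87 | 0.655 ** | 0.749 ** | 0.370 ** | | | |
| 5 | PB | 2.79 | 0.99 | 0.77 | −0.016 | 0.040 | 0.117 ** | 0.050 | | |
| 6 | SEAW | 3.83 | 0.88 | 0.81 | 0.420 ** | 0.513 ** | 0.521 ** | 0.582 ** | 0.109 ** | |
| 7 | CSCB | 3.92 | 0.91 | 0.85 | 0.459 ** | 0.479 ** | 0.382 ** | 0.490 ** | 0.078 * | 0.500 ** |

** p < 0.01; * p < 0.05.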
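Table 2. Regression overall.

Dependent variable in all models: CSCB. Model 1: General; Model 2: DMS-Rational; Model 3: DMS-Intuitive; Model 4: DMS-Dependent.

| Var. | Model 1 Beta | Model 1 t | Model 1 Sig. | Model 2 Beta | Model 2 t | Model 2 Sig. | Model 3 Beta | Model 3 t | Model 3 Sig. | Model 4 Beta | Model 4 t | Model 4 Sig. |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| PS | 0.186 | 4.014 | 0.000 ** | 0.200 | 3.720 | 0.000 ** | −0.003 | −0.023 | 0.982 | 0.236 | 1.468 | 0.145 |
| PV | 0.096 | 1.809 | 0.026 * | 0.094 | 1.449 | 0.148 | 0.193 | 1.345 | 0.182 | 0.255 | 1.593 | 0.110 |
| SEEF | 0.133 | 3.588 | 0.000 ** | 0.153 | 3.104 | 0.002 ** | 0.097 | 1.205 | 0.231 | 0.079 | 0.793 | 0.430 |
| REEF | 0.106 | 2.052 | 0.020 * | 0.096 | 1.497 | 0.135 | 0.231 | 1.797 | 0.027 * | −0.046 | −0.293 | 0.770 |
| PB | 0.030 | 0.962 | 0.118 | 0.017 | 0.400 | 0.689 | −0.027 | −0.390 | 0.697 | 0.135 | 1.592 | 0.110 |
| SEAW | 0.238 | 5.635 | 0.000 ** | 0.198 | 3.577 | 0.000 ** | 0.339 | 3.461 | 0.001 ** | 0.199 | 1.713 | 0.045 * |

| | Model 1 (General) | Model 2 (DMS-Rational) | Model 3 (DMS-Intuitive) | Model 4 (DMS-Dependent) |
|---|---|---|---|---|
| R² | 0.356 | 0.303 | 0.540 | 0.397 |
| F | 60.823 | 28.875 | 20.573 | 10.303 |
| Sig. | 0.000 | 0.000 | 0.000 | 0.000 |

** p < 0.01; * p < 0.05.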
MDPI and ACS Style

Duzenci, A.; Kitapci, H.; Gok, M.S. The Role of Decision-Making Styles in Shaping Cybersecurity Compliance Behavior. Appl. Sci. 2023, 13, 8731. https://doi.org/10.3390/app13158731
