
Computers in Human Behavior 26 (2010) 1739–1747


It won’t happen to me: Promoting secure behaviour among internet users


Nicola Davinson *, Elizabeth Sillence
PaCTLab, School of Psychology and Sports Science, Northumbria University, Newcastle upon Tyne NE1 8ST, UK

Article info

Article history: Available online 31 July 2010

Keywords: Security; Risk perception; Risk information; Training; Phishing; Internet

Abstract

Fraudulent activity on the Internet, in particular the practice known as ‘Phishing’, is on the increase. Although a number of technology focussed counter measures have been explored user behaviour remains fundamental to increased online security. Encouraging users to engage in secure online behaviour is difficult with a number of different barriers to change. Guided by a model adapted from health psychology this paper reports on a study designed to encourage secure behaviour online. The study aimed to investigate the effects of education via a training program and the effects of risk level manipulation on subsequent self-reported behaviour online. The training program ‘Anti-Phishing Phil’ informed users of the common types of phishing threats and how to identify them whilst the risk level manipulation randomly allocated participants to either high risk or low risk of becoming a victim of online fraud. Sixty-four participants took part in the study, which comprised of 9 males and 55 females with an age range of 18–43 years. Participants were randomly allocated to one of four experimental groups. High threat information and/or the provision of phishing education were expected to increase self-reports of secure behaviour. Secure behaviour was measured at three stages, a baseline measure stage, an intention measure stage, and a 7-day follow-up measure stage. The results showed that offering a seemingly tailored risk message increased users’ intentions to act in a secure manner online regardless of whether the risk message indicated they were at high or low risk of fraud. There was no effect of the training programme on secure behaviour in general. The findings are discussed in relation to the model of behaviour change, information provision and the transferability of training.

© 2010 Elsevier Ltd. All rights reserved.

* Corresponding author. Tel.: +44 191 227 3716; fax: +44 191 227 3190. E-mail address: nicola.davinson@northumbria.ac.uk (N. Davinson).

doi:10.1016/j.chb.2010.06.023

1. Introduction

The number of people using the Internet is constantly increasing; with a US survey conducted in 2006 indicating 73% of their respondents use the Internet, whereas the same survey carried out in 2005 reported 66% were Internet users. Additionally, statistics reported by Internet World Stats (August 2008) indicate the number of Internet users worldwide has increased 305.5% since 2000, now representing 21.9% of the population worldwide. The number of people using the Internet to perform financial transactions has similarly increased. It is estimated that 2012 will see one billion users completing online purchases (IDC, June 2008).

The Internet offers a number of benefits to consumers, such as 24 h accessibility (Berthon, Pitt, & Watson, 1996), improved interactivity (Maignan & Lukas, 1997), and convenience (Jarvenpaa & Todd, 1997; Wolhandler, 1999). Accessibility and functionality improvements such as these have made it quicker and easier for users to purchase goods and services online and to manage their bank accounts via the Internet. However, these advancements also make unethical use of the Internet easier and more widespread (Namlu & Odabasi, 2007), for example by providing further opportunity for academic dishonesty among students (Akbulut et al., 2008), and providing additional channels for aggressive or threatening behaviour, more recently known as “cybervictimisation” (Akbulut, Sahin, & Eristi, 2010). More specifically in a financial domain, the practice known as ‘Phishing’ is on the increase. Myers (2007, p. 1) describes phishing as “a form of social engineering in which an attacker, also known as a ‘phisher’, attempts to fraudulently retrieve legitimate users’ confidential or sensitive credentials by mimicking electronic communications from a trustworthy or public organisation in an automated fashion.” In December 2009, there were 46,190 unique phishing sites detected (Anti-Phishing Working Group, APWG) and in recent years phishing methods have become much more prevalent and sophisticated (Milletary, 2005; Moore & Clayton, 2007; Myers, 2007). Typically victims receive an email disguised as an authentic organisation which asks them to re-confirm their details by following a link. The link directs them to a spoof website that often looks exactly the same or at the very least uses the same images and logos as the genuine site. The proprietor of the spoofed website then harvests the information given by the victim, typically bank details, and uses it fraudulently. The costs of phishing are not simply the direct losses associated with the crime, but also the indirect and opportunity costs that are incurred (Myers,

2007). These include the costs associated with devalued brand and the loss of actual and potential online customers.

From a technology perspective there are a number of countermeasures to phishing available (Emigh, 2007). These include email filtering and email authentication which would prevent the user from actually receiving the phishing attack in the first instance. There are also a number of other technological security systems that can be put in place, such as the introduction of phishing toolbars and indicators that make it easier for the user to identify a fraudulent site. Typically, these kinds of security measures are only concerned with the technological side of the system and fail to consider the user. Users, however, could be seen to be the ‘weakest link in the security chain’ (Schneier, 2000) suggesting the need for a greater emphasis on user awareness and education in terms of online security.

This paper reports on a study which examines whether users can be encouraged to protect themselves through a combination of increased awareness and training enabling them to adopt a more secure style of interaction when conducting financial transactions online. Before presenting the study itself it is worth reviewing the literature surrounding user awareness and behaviour in this domain as well as introducing a potentially useful model for guiding our thinking about behavioural change.

1.1. User concerns and behaviour

It is apparent that consumers have concerns about the security and privacy of the data they may provide to websites (Briones, 1998; Culnan, 1999). Internet users report being concerned about the collection and use of the personal information they supply when shopping online (Rohm & Milne, 1998; Sheehan & Hoy, 2000). Such concerns have previously been thought to be only a minor barrier to the adoption of online shopping (Jarvenpaa & Todd, 1996–1997); however, more recently it is thought that such concerns play a major role in consumers’ willingness to purchase goods online (Culnan, 1999; Metzger, 2004). Previous research, for example, has indicated that the primary reason young consumers choose not to conduct financial transactions online is due to concerns about the privacy of their credit card information (McQuivey & Ham, 2000). Similarly, Fram and Grady (1997) report a study relating to security aspects of online purchasing and state when a consumer has concerns about credit card fraud they will only commit to purchases with a low level of risk. Furthermore, risk perception does not only affect online purchases, but has also been found to affect adoption of Internet banking (Tan & Teo, 2000).

However, this apparent concern among Internet users is often not noticeable in their online actions when completing financial transactions. Studies have indicated that users are willing to trade-off their privacy concerns in return for benefits such as convenience (Chellappa & Sin, 2005; Spiekermann, Grossklags, & Berendt, 2002). Therefore, it has been suggested that there is a dichotomy between attitudes and behaviour in this domain. Spiekermann et al. (2002) found that participants who had been classified as privacy advocates were still willing to trade their personal information to obtain a small benefit. This dichotomy is by no means a new phenomenon and has been present and detected in other domains, such as attitudes and behaviour towards racial prejudice and classroom cheating (Corey, 1937; LaPiere, 1934), indeed there is a wealth of literature which considers the cause and effect nature of attitudes and behaviour (Ajzen, 1985; Festinger, 1957).

If users are willing to trade-off their privacy attitudes in order to receive benefits it is likely that they will also behave against their privacy judgements in order to avoid costs, for example, having their online accounts suspended. Many online fraudsters prey on user insecurities and use the threat of account closure or suspension as a way to con them into supplying their username and password information or even their bank details. As noted previously this type of phishing attack is often difficult for users to detect rendering credibility evaluation difficult.

1.2. Credibility evaluation

We know that users consider a number of factors when assessing the credibility of a website and that these factors differ from expert evaluations (Stanford, Tauber, Fogg, & Marable, 2002). Large scale surveys by Fogg et al. (2001, 2003) suggest that credibility is primarily driven by an attractive and professional design, or is influenced by the presence or absence of visual anchors or prominent features such as a photograph or trust seal (Riegelsberger, Sasse, & McCarthy, 2003). Others suggest that credibility evaluations are based upon judgments of the institution, degree of personalisation, communication integrity or like-mindedness (Bhattacherjee, 2002; Briggs, de Angeli, & Simpson, 2004; Egger, 2000; Sillence, Briggs, Harris, & Fishwick, 2007). Developmental or staged models of credibility (or a related construct trust) help reconcile these different emphases. Staged models (e.g. Sillence, Briggs, Harris, & Fishwick, 2006) also allow us to distinguish between relatively hasty and more considered processing strategies for evaluating credibility online. Their model suggests that users first of all carry out a rapid screening of the sites based upon a heuristic analysis. During this stage they base their credibility decisions upon predominantly visual features, e.g. colour, logos, and a familiar layout. Given sufficient time and resources, e.g. knowledge and motivation, the user will then engage in a more systematic analysis of the website’s content. These resources are, however, often absent and Dhamija, Tygar, and Hearst (2006) noted that people often lack the specific knowledge to spot the visual deception present in a phishing scam. To complicate matters Emigh (2007) notes that organisations, such as American Express and Capital One, include one or more of the common errors that users are warned to look out for, e.g. do not click on email links, check for the padlock icon and check for a valid SSL session before entering data. It seems likely that faced with a vast array of information in the form of web search results or spam emails, the average user will fall back on heuristic credibility evaluation processes.

2. Modifying user behaviour

Thus we have seen that credibility evaluation is not straightforward. Users are often faced with time pressures or insufficient knowledge or motivation to carry out anything other than a heuristic analysis of online material. This is just one of the barriers facing users that researchers need to consider when trying to decide how to encourage users to behave more securely online. Users may not always weigh up the costs and benefits associated with good security practices accurately, for example believing financial institutions to be solely responsible for preventing fraud (Davinson & Sillence, in preparation). How then can we increase user motivation to engage in secure behaviour online? Whilst there is relatively little literature regarding behavioural change in financial settings; a useful starting point is the health psychology literature which provides a number of behaviour based models. The Health Belief Model (HBM) (Becker & Rosenstock, 1987; Rosenstock, 1966) predicts that behaviour is due to a number of user perceptions concerning threat, costs and benefits and control. Table 1 displays the elements of the HBM and then how they could potentially be adapted for a financial context.

Practicing secure behaviour is expected to be affected by perception of a threat being present and whether enacting a secure behaviour will actually reduce the threat. Perception of a threat

is likely to be affected by susceptibility, severity, and motivation, and evaluation of secure behaviour is likely to be affected by costs, benefits, and control. Once a threat is perceived and secure behaviour is chosen the user must also know when to conduct it. There is little evidence to indicate a predetermined sequence of events that must occur to successfully promote secure behaviour, or which factors need to be satisfied before others come into play; however, it is logical to suggest a sequence in the order presented from left to right in Fig. 1.

Table 1
Health belief model and potential financial considerations.

Concept                   Financial context
Perceived susceptibility  What are the chances of becoming a victim of fraud?
Perceived severity        How serious fraud and its consequences are?
Perceived costs           What are the costs involved in carrying out the secure behaviour?
Perceived benefits        What are the benefits of carrying out secure behaviour?
Cues to action            When to conduct secure behaviour?
Health motivation         Am I concerned that technology use can affect my finances?
Perceived control         Can I prevent fraud by behaving securely?

Fig. 1. Hierarchy of factors contributing towards secure behaviour.

Reasonable order of events

Firstly, if users are not informed about technology breaches and risk when completing financial transactions they will not perceive susceptibility to be high. Similarly, if users do not consider the consequences of fraud to impact their lives or their finances they will not perceive severity of fraud to be high. If susceptibility to the threat and severity of the consequences are not perceived the user will not be concerned about protecting their finances and ultimately will not be motivated to behave securely when conducting financial transactions. However, even if users are sufficiently motivated, feel susceptible, and perceive severe consequences it does not necessarily change their behaviour. Practices are also governed by perceived control, perceived costs and benefits, and finally cues to action. The user must perceive they can control the occurrence of fraud, for instance checking for the relevant security symbols, such as the lock symbol, when making purchases to ensure details are being entered into a secure site will help to prevent fraud occurring. These symbols, however, can also be spoofed by phishers therefore rendering the action redundant. Furthermore, the user must also decide if the potential benefits outweigh the costs, for instance checking for the lock symbol requires minimal effort and could potentially prevent fraudulent use of their information. Nevertheless, if all three of the factors are satisfied the user must then know when to carry out the correct preventative practices otherwise secure behaviour may not be adequately achieved. The current focus for this research is on identifying and examining the factors in relation to promoting secure behaviour rather than specifying the precise sequence of the events.

2.1. Promoting secure behaviour

It appears logical that the effect of some factors is engaged before others, for example it is unlikely that a user will need to overcome perceived costs if they are not motivated to act in the first place. Also, some factors such as motivation are less tangible and less directly observable and appear to be a product of other factors (perceived susceptibility and severity). Therefore, perceived susceptibility will be focussed upon initially, as it is reasonable to assume this factor will increase concerns and motivation to act, which must be satisfied before a change in behaviour is even considered.

2.1.1. Increasing users’ motivation via perceived susceptibility

One way of increasing motivation is to raise the level of user knowledge in the domain. Providing users with more information about the threat of online fraud could increase their perceptions of susceptibility. Studies have investigated the effective use of threat appeals for health communication (Leventhal, 1970; Rogers, 1975) and have attempted to utilize threat in changing health beliefs (Kirscht & Haefner, 1973; Radelfinger, 1965). For example, Becker, Maiman, Kirscht, Haefner, and Drachman (1977) indicate that the use of fear-arousal did have an effect on recorded weight loss, with the high fear intervention being the most consistent in the long-term. The low fear intervention also recorded more weight loss than the control group but appears to be less effective than the high fear group. It is also noted that the experimental treatments were most effective for those who had the lowest beliefs about threat initially.

Whilst research throughout the 60s and 70s into the value of using threat appeals is somewhat inconclusive (McGuire, 1968) there is some suggestion that the evidence favours the use of threat when making health recommendations (Leventhal, 1973). It is also noted that the threat itself is not necessarily the direct link to behaviour change but that the fear produced from such threats is something that people wish to resolve, and hence indirectly threat should affect behaviour (e.g. Janis, 1974). Leventhal (1973) points out that the use of threat is particularly useful when provided alongside methods of coping with the threat, especially among those with low levels of concern.

It is also important to consider coping strategies when users are presented with threat information. Rippetoe and Rogers (1987) investigated the impact of threat (defined as severity plus vulnerability), response efficacy and self-efficacy on two adaptive coping responses and five maladaptive coping responses. Findings indicate that a high level of threat encourages the individual to act regardless of whether the response was adaptive or maladaptive. In addition, the coping strategy chosen by participants was dependent upon which coping appraisal information they had been given. Specifically, the effective coping information (high response efficacy and high self-efficacy) led to greater use of the adaptive rather than maladaptive strategies when compared to the ineffective coping information. Therefore, caution must be taken when high threat is present in the absence of effective coping strategies as it appears participants are likely to choose a maladaptive strategy in response to high threat if an adaptive strategy is not known or available.

Thus, once motivated via increased susceptibility the user also needs to be aware of an effective coping strategy to prevent the occurrence of fraud. In the Internet security and phishing domain this typically entails having the knowledge and means to be able to spot phishing websites and avoid using them. Previously there



has been a reliance on technology to aid the user in identifying phishing sites, for example through the use of toolbars (e.g. www.spoofstick.com). Some researchers, however, are exploring ways of training users to reduce their risk of suffering phishing attacks. A group at Carnegie Mellon University have manipulated user education and training noting the success of embedded training materials in which users are “learning by doing” in relation to phishing attacks (Kumaraguru et al., 2007). Users that receive training after they have fallen for a phishing scam are more likely to retain and transfer their knowledge than those who simply received the training materials via email. In a similar vein, Sheng et al. (2007) successfully demonstrated the usefulness of interactive learning experiences in increasing users’ ability to spot phishing sites. They developed an interactive training program ‘Anti-Phishing Phil’ to help users identify and prevent phishing attacks. In this game the user plays throughout four rounds and is given tutorials between each round as the attacks become increasingly difficult to spot. Sheng et al. (2007) found that playing the interactive game did result in greater identification of phishing sites among users compared with users who viewed current online tutorials or a paper based version of the interactive game. Behavioural studies using role play scenarios have also noted the importance of education in helping people to avoid phishing attacks (Downs, Holbrook, & Cranor, 2007).

Therefore, the current study proposes to raise levels of user motivation through an increase in perceived susceptibility. This will be achieved by providing information about the methods and consequences of phishing and online fraud alongside a tailored risk warning score. The information given to participants will contain both reassuring and threatening elements as the aim is to increase feelings of threat but also to reassure the user that they can do something to prevent the threat. It is expected that those in the high risk warning group will report more secure behaviour intentions and more secure behaviour at a 1-week follow-up. A further aim of the study is to provide users with an effective coping strategy to ensure the increase to perceived susceptibility is most effective in motivating adaptive responses and changes in behaviour. It is expected that educating users by means of the interactive game ‘Anti-Phishing Phil’ will provide users with an effective coping strategy and will also result in more secure behaviour reports, specifically at the follow-up stage. Therefore, this study hypothesises users will report a greater perception of susceptibility and will report more secure behaviour when given a high risk warning score and/or are provided with training to overcome the threat.

3. Method

The study consisted of four main stages (Fig. 2). Firstly, participants were presented with an online questionnaire to determine a baseline score of their online behaviour which was retained for comparison purposes with post-manipulation and 1-week follow-up. Upon completion of the questionnaire a risk score was randomly generated together with appropriate risk information to inform the participants whether they were at high risk or low risk of becoming a victim of online fraud. This score was randomly generated to indicate ‘high’ or ‘low’ risk and did not reflect how they had responded to the questionnaire; however, the participants were led to believe the score was based on their questionnaire responses. Secondly, participants were then asked to complete a questionnaire to measure their intentions to behave securely over the next 7 days. Thirdly, participants in the training group were then asked to complete the Anti-Phishing Phil education program. Finally, all participants were emailed 1 week later to measure their secure behaviour in the 7 days since they had completed the study.

Fig. 2. Methodology sequence of procedure.

3.1. Participants

Sixty-four participants completed the study in full which comprised of 9 males and 55 females (total average age 21.97 years) with an age range of 18–43 years. It is noted that the sample is predominantly female which may be somewhat of a drawback, however, the proportion of males/females recruited does reflect the Psychology student population from which they were sought. Participants were randomly allocated using a random number generator to one of four experimental groups.

• Group 1: Low threat/no training consisted of 2 males and 14 females (average age 21.2 years). One participant was a previous victim of online fraud.
• Group 2: Low threat/training consisted of 1 male and 15 females (average age 21.98 years). One participant was a previous victim of online fraud.
• Group 3: High threat/no training consisted of 3 males and 13 females (average age 22.13 years). One participant was a previous victim of online fraud.
• Group 4: High threat/training consisted of 3 males and 13 females (average age 22.63 years). Two participants were previously victims of online fraud.

It is noted that 8% of participants (n = 5) reported previously being victims of online fraud and 42% (n = 27) of participants reported knowing someone who had previously been a victim of online fraud.

Participants were asked a number of demographic questions relating to their Internet use, including length of use of the Internet, shopping online and banking online. The majority of participants have used the Internet for over 3 years, have been shopping online for longer than 12 months, and banking online for less than 12 months. Most participants use the Internet for more than 5 h/week, with 50% indicating they used the Internet in excess of 10 h/week. Similarly most participants had made at least one purchase online in the past month, with 35% indicating they had made more than five purchases online in the same period. Finally, there was a very similar number of people who reported using Internet banking monthly (34%), weekly (34%) or not at all (28%).

3.1.1. Randomisation

ANOVA analysis indicates no significant differences between the groups for their baseline score of behaviour. Furthermore, χ² analyses for independence were conducted on the demographic



data per group to ensure random allocation had occurred. There were no significant relationships between any of the demographic variables and the groups except for experience of online banking (χ²(6) = 13.145, p = 0.041). The high threat score/training given group appear to have more experience of banking online than the other groups with 10% reporting more than 3 years of experience compared to 3% and less reported in the other groups.

Participants were recruited from the population of staff and students at Northumbria University with the stipulation that they had previous experience of using the Internet for purchases and/or banking. The study was advertised via the Division of Psychology notice board and participants were also sought through canvassing of students during seminars. Incentives were provided in the form of payment and course credit. Ethical approval was sought and granted from the Psychology and Sport Science School Ethics Committee at Northumbria University.

3.2. Design

The study had an experimental design, with two between participants independent variables: participants were randomly assigned to one of four groups (1) low risk warning score/no training (n = 16); (2) low risk warning score/training given (n = 16); (3) high risk warning score/no training (n = 16); (4) high risk warning score/training given (n = 16). The experiment had a prospective component, with a follow-up after 1 week.

3.3. Materials

3.3.1. Baseline measure

Measures were taken of age, sex, Internet use, experience of carrying out online financial transactions and experience of fraud. Baseline or current behaviour was measured using an 11 item scale (α = 0.829), e.g. “I only use websites with the secure padlock icon when shopping online” and “I only use reputable companies when shopping online” and utilised a seven-point Likert scale (1 = Always – 7 = Never). Susceptibility was measured using two items (α = 0.734) and utilised a seven-point Likert scale (1 = Strongly disagree – 7 = Strongly agree). All measures were taken via an online questionnaire delivered by Survey Monkey.

3.3.2. Intention measure

A further paper-based questionnaire was administered consisting of the same behaviour items and the same susceptibility items that were used for the baseline measure but framed to reflect intention over the next 7 days. For example: In the next 7 days I intend to “only use websites with the secure padlock icon when shopping online” and responses were recorded on a seven-point Likert scale (1 = More often – 7 = Less often).

3.3.3. One-week follow-up measure

After 1 week participants received a brief follow-up questionnaire, by email. Included were the same behaviour and susceptibility items but framed to reflect the previous 7 days. For example: In the past week, I have “only used reputable companies when shopping online” and responses were recorded on a seven-point Likert scale (1 = More often – 7 = Less often).

3.3.4. Risk warning score presentation

Following completion of the baseline measure participants were told that their ‘risk warning score’ was being calculated. This was then presented to the participants. Participants in the low risk warning score groups were presented with a “20% at RISK” fact sheet, whereas participants in the high risk warning score groups were presented with an “80% at RISK” fact sheet. Each group in fact received exactly the same information which was a combination of details retrieved from getsafeonline.org and the APACS website. The only information which differed per group included a preceding paragraph which is presented below:

“Well done! You have a low percentage risk of becoming a victim of fraud due to the way you use the Internet. You appear to be acting safely while using the Internet however do not become complacent as threats are evolving all the time.”

“Warning! You have a very high percentage risk of becoming a victim of fraud due to the way you use the Internet.”

3.3.5. Training program

Participants in the training group were asked to complete a training program ‘Anti-Phishing Phil’ (Fig. 4) which was developed by, and used with permission of the CUPS lab (CMU Usable Privacy and Security) at Carnegie Mellon University, USA. The program is a fun and interactive game that trains the user to be more able to defend themselves against phishing attacks. The program consists of four rounds with tutorial information before each round. Each round requires the participant to identify the credibility of URLs by determining whether they are genuine or not, with the tutorial information providing information on the appropriate cues to look out for when assessing the credibility of web addresses. Participants were asked to complete all four rounds and were given as much time as they required, typically taking 15–20 min.

3.4. Procedure

Participants were tested individually and upon arriving at the laboratory they were told the study involved an evaluation of risk when conducting financial transactions online. After completing the baseline measures, participants were asked to wait for their online risk warning score to be calculated. They were asked to read the information provided to them regarding their score before completing the second paper-based questionnaire. The training groups were then directed to the Anti-Phishing Phil training program and asked to spend as much time as they required completing all four rounds. Instructions on how to play the training game were presented as a part of the training program. Participants were sent the follow-up measures by email approximately 7 days later at which point they were fully debriefed.

4. Results

4.1. Effects of risk warning score and training

The sum of the behaviour items at each stage of the study was calculated with a lower score indicating more security-conscious and responsible behaviour. Data was analysed using a 2 × 2 × 3 (Risk warning score × Training × Stage) mixed design ANOVA, with Stage as the only within factor. There was a significant main effect of stage of questionnaire completion (F(2,120) = 43.837, p < 0.001) and pairwise comparisons indicate significant differences (p < 0.001 and p = 0.003) between all three stages (Fig. 3). Therefore, it appears once given the risk warning score, regardless of whether it indicated high or low risk, participants’ intentions were to behave more securely than they had indicated at baseline. In contrast at the follow-up stage, regardless of risk warning score or training, their reported behaviour was significantly less secure than they had intended to be. However, it was still significantly more secure compared to the initial baseline measure.

There was no main effect of risk warning score or training at any of the three stages, suggesting that users only need to be given information at a generic level and do not need to have their level of risk to be increased in order to behave more securely.

Fig. 3. Reported secure behaviour at each of the three stages, with a lower score indicating more secure behaviour reported.

4.2. Susceptibility perceptions
The perceived susceptibility items included perceived susceptibility to the individual and perceived susceptibility to someone else and there were significant differences between the two items.

With regard to themselves there was a significant effect of stage of completion (F(1,18) = 10.068, p < 0.001). Pairwise comparisons indicate only one significant difference (p < 0.001) between the baseline measure and the intention measure (Table 2). Therefore, it appears that following the risk warning score, regardless of whether it indicated high or low risk, perceived susceptibility to the occurrence of online fraud increased.

With regard to fraud occurring to another person there was also a significant effect of stage (F(1,118) = 4.641, p = 0.011) with pairwise comparisons indicating a significant difference between the baseline measure and the intention measure (Table 3). Again it appears that following the score information, regardless of whether it included a high or low risk, the perceived likelihood of fraud occurring to another person increases significantly. Paired samples t-tests also indicated that at each stage participants consistently perceived there to be more risk to others than to themselves.

Table 2
Mean score pertaining to likelihood of becoming a victim of fraud, with a higher score indicating a greater likelihood.

                                              Baseline measure   Intention measure   Follow-up measure
Mean perceived susceptibility to self-score   3.560              4.233               3.900

Table 3
Mean score pertaining to the likelihood of someone else becoming a victim of online fraud, with a higher score indicating a greater likelihood.

                                                Baseline measure   Intentions measure   Follow-up measure
Mean perceived susceptibility to others score   4.441              4.888                4.858

Fig. 4. Screenshot taken from round 2 of the Anti-Phishing Phil training program.

5. Discussion and conclusions

The aim of this study was to encourage users to behave more securely when using the Internet to complete financial transactions through a combination of increased perception of susceptibility and identifying a coping strategy. It was expected that a greater perception of susceptibility would motivate the user to think more carefully about whom they gave their personal details to, and in what circumstances they would disclose information, when they use the Internet. Similarly, it was expected that providing education through an interactive training programme would provide the user with an effective coping strategy, and that in turn this would help the user to understand how they can combat phishing
attacks that rely on disclosure of personal information. Whilst users did report behaving more securely, the data present a more complex picture concerning perceived susceptibility and training. The findings are discussed below in terms of both the practical and theoretical implications.

Following the presentation of the risk warning score users reported that they intended to behave more securely (compared to the baseline behaviour) and reported an increased likelihood of becoming a victim of fraud (compared to the baseline measure). Similarly, the follow-up stage indicated an increase in secure behaviour compared to baseline measures, which was regardless of both risk and training level. This shows that the risk information was successful to some extent in raising perceived susceptibility to motivate the user into behaving in a more secure way. Therefore, it suggests that giving risk information to Internet users will encourage them to behave more securely when they complete financial transactions online. The fact that the two different risk warning scores failed to differentiate the participants’ susceptibility feelings may indicate that the materials used were underpowered to some extent. From an ethical standpoint developing materials which would instil a greater sense of susceptibility is difficult. The follow-up aspect to the study meant that participants would be left, potentially anxious, for 7 days before being debriefed.

Therefore, it was necessary to ensure that the information was both reassuring and threatening, so that the user was not unduly anxious. This may have resulted in the two risk warning messages being too similar.

The training programme utilised in the study to provide an effective coping strategy has previously been shown to increase the ability of users to detect phishing websites (Sheng et al., 2007). It was hoped that the training would raise participants’ knowledge at a specific and general level. Both with regard to the actual websites featured in the programme and to the broader principles of behaving securely online. Training programmes in phishing studies have shown positive ‘near’ (Whitten & Bjork, 1977) transfer results, i.e., a transfer of knowledge when the training and testing materials were very similar (Kumaraguru et al., 2007). In this study, the training appears not to have had a broad effect beyond the very specific points it trained on. The current study was concerned with promoting secure behaviour in a real world setting. The training programme used was perhaps too specific for the range of Internet experiences tested out by the participants. It may be that more thought needs to be given to developing a broader security education training programme.

5.1. Raising awareness of susceptibility

The fact that secure behaviour increased at both the intention stage and at the 7-day follow-up regardless of information type or training is of particular interest. It may be that simply providing the risk warning information raised awareness of the risks sufficiently to encourage intention and behavioural change. The fact that it is either ‘highly likely to happen’ or ‘quite unlikely to happen’ may almost be a side issue. For some people simply being reminded that the risk exists may be enough to promote intention and behaviour change. The findings relating to intentions to behave may appear unsurprising given the warning information which was presented immediately prior to the measure being taken. However, participants were presented with different levels of warning and a meta-analysis of fear appeals suggests strong fear appeals are more persuasive than low or weak fear appeals (Witte & Allen, 2000). Therefore, it would be expected that those in the high threat condition would feel more compelled to change their behaviour than those in the low threat condition. The fact that all participants reported intentions to behave more securely, regardless of the condition, indicates the finding is more complicated than first thought. A study by LaRose, Rifon, and Enbody (2008) may provide an alternative explanation for this finding. They found that moderate levels of threat susceptibility were least related to safe behaviours, such as updating security patches and scanning for spyware, and those with high or low threat susceptibility were more likely to behave in a secure manner. Thus, we can be somewhat confident that the findings relating to intentions were not only due to the ‘prompt’ provided by the warning information, although the effect of such a prompt cannot be ruled out entirely.

This result, however, also conflicts with previous research that suggests interventions that simply inform people they are susceptible to health risks are often not sufficient to change their behaviour (Leventhal et al., 1997). In fact there is an education tool in the health domain which has been criticised because it simply relies on perceptions of risk to change behaviour. The Health Risk Appraisal (HRA) relies on risk perception alone to be effective in changing behaviour and does not provide sufficient information regarding how to make the changes they suggest. Kreuter and Strecher (1996) attempted to enhance the HRA technique by including the assessment of relevant psychological factors, such as costs and benefits, and facilitating self-change via individualised feedback. Their findings suggest a positive effect of individually tailored messages to the HRA tool in promoting change in three of the seven health related areas under investigation. When tailored messages were not received the HRA was not effective in any of the areas. This may also help to explain why the current study elicited a change in behaviour via raised awareness of susceptibility as users were led to believe that they were receiving a tailored risk warning based on their current behaviour. There is evidence to suggest tailored messages are more likely to receive attention and be recalled (Campbell et al., 1994) and previous research indicates a positive effect of tailoring health information particularly in the areas of smoking, diet and mammography attendance (Campbell et al., 1994; Skinner, Strecher, & Hospers, 1994; Strecher et al., 1994).

It is also worth considering the possible role of the self-prophecy effect (Sprott, Spangenberg, & Fisher, 2003) on the findings reported here. This suggests simply asking users whether they intend to undertake a particular behaviour is enough to increase the probability that they will do so. This effect has been shown across a number of domains, such as voting behaviour (Greenwald, Carnot, Beach, & Young, 1987). It also indicates that simply making the user aware and providing the opportunity to think about secure behaviour can be successful in changing their subsequent behaviour. Furthermore, providing users with education and indicating effective coping strategies for them to undertake is certainly not harmful to this effect, and it is unlikely that users will sustain secure behaviour over a longer period if they are unaware of the consequences or coping strategies available.

There are a number of practical applications for the findings of this study, firstly in the contribution to future interventions aimed at increasing secure behaviour when using technology to complete financial transactions. For example, the findings of this study indicate that fear appeals can be used effectively in this domain which is strengthened by personalisation of the message. Secondly, there are wider implications for providers of e-commerce and e-banking domains to understand consumer issues surrounding fraudulent attacks. For example, effectively educating the user to identify appropriate cues which indicate credibility will not only help to decrease successful fraudulent attacks but will also increase user satisfaction and uptake of services online if they are confident in their abilities to use the services safely.

In theoretical terms, this study has provided some support for the use of the adapted health belief model as a way of predicting secure behaviour in a financial context.
Raising awareness of susceptibility does appear to increase secure behaviour. A useful next step would be to investigate susceptibility alongside severity. Although Downs et al. (2007) found that severity per se did not seem to encourage secure behaviour it may be that combinations of the two factors can prove effective in promoting change. The findings also reflect the intention-behaviour gap common in much of the social and health behaviour literature (e.g. Sheeran, 2002). Intentions to behave securely were significantly higher than the actual behaviour reported 7 days later.

5.2. Limitations and future considerations

There are a number of limitations with the present study which warrant further attention. The conclusion that the training program did not affect secure behaviour can only be applied to the generalised measure of behaviour that was adopted for the study. The findings relating to the training program may have been different if the measure was developed to specifically focus on the phishing elements that the users were trained in. However, as one purpose of the study was to promote secure behaviour in a real world setting, participants were always likely to be exposed to a greater, and more varied range of security issues than those faced in the training sessions.

A further limitation refers to use of self-report data, as it is noted that all data collected was reliant upon self-reports which were requested retrospectively and are commonly prone to errors (Turner & Martin, 1984). Such errors could include demand characteristics, whereby the participant responds in the way they think they should, rather than as a true reflection of their actual behaviour, i.e., participants in this study reporting that they behaved securely because they know that they should. However, a number of related studies suggest that users, despite knowing what they should be doing, often report acting ‘inappropriately’. Over two-thirds of ATM users reported that they would continue to use ATMs as they normally would despite their knowledge of the fraud risks (NCR, 2006). A qualitative study examining ATM and Internet use found that users reported being indifferent towards the threat of fraud and disregarded this information in their behavioural practices (Davinson & Sillence, in preparation). The substantial literature on the negligent use of passwords (Bishop & Klein, 1995; Morris & Thompson, 1979) and privacy policies (Jensen, Potts, & Jensen, 2005; TRUSTe, 2006) also points to the fact that users do not always report acting securely despite their awareness of appropriate practices.

It is also worth noting that the use of self-reports is a common behaviour change paradigm that is used extensively to measure baseline, intentions and follow-up behaviour across a number of domains, such as healthy eating (Epton & Harris, 2008), smoking cessation (Hammond, Fong, McDonald, Cameron, & Brown, 2003) and exercise taken (Bock, Marcus, Pinto, & Forsyth, 2001). Therefore, despite the limitations associated with self-report data the methodology follows an established paradigm that tackles an area in which it is otherwise very difficult to obtain concrete evidence of behaviour change.

It is noted that the study failed to measure Internet usage behaviour in the week preceding the follow-up measure. Therefore, it is not known what kinds of emails and websites, legitimate or otherwise, participants were encountering. However, the demographic information collected does indicate 35% of participants made five or more purchases online in the previous month, and 56% had made between one and five purchases, therefore it is reasonable to assume they would have made an online purchase in the week recorded by the follow-up measure. Even if participants did not make any purchases during the follow-up period it is likely that they would have browsed the Internet (95% reported using the Internet for five or more hours per week) thus providing them with plenty of opportunity to practice the secure behaviour which they reported.

Finally, it is apparent that the follow-up behaviour reported is less secure than the reported intention behaviour, which raises questions regarding the longevity of such an intervention. Future research would benefit from an extended follow-up period that can assess just how long the message lasts. An extended follow-up could also serve to provide more depth to the current findings, perhaps via the use of diaries to record amount of Internet use and websites visited/purchased from during the follow-up period.

5.3. Conclusions

Using an adapted health behaviour model, the present study explored manipulating susceptibility and control as a way of promoting secure behaviour in Internet users. Findings indicate a positive change in both intentions to behave and actual behaviour 7 days later following presentation of susceptibility information which was tailored to the user’s behaviour. The improvement was observed regardless of whether the participant was told they were at high risk or low risk. There was no difference in reported behaviour between those given training to highlight a coping strategy and those not given training, raising the issue of near and far transfer in phishing training programmes. Using the adapted health belief model provides a wider perspective on the nature of behavioural change in relation to online financial security. It appears that Internet users who complete financial transactions online can be encouraged to behave more securely in terms of how and when they disclose their personal information.

Acknowledgment

The authors would like to thank CUPS lab at Carnegie Mellon University for supporting their use of the Anti-Phishing Phil training program.

References

Ajzen, I. (1985). From intentions to actions: A theory of planned behavior. In J. Kuhland & J. Beckman (Eds.), Action-control: From cognitions to behaviour (pp. 11–39). Heidelberg: Springer.
Akbulut Sahin & Eristi (2010). Development of a scale to investigate cybervictimization among online social utility members. Contemporary Educational Technology, 1(1), 46–59.
Akbulut, Y., Sendag, S., Birinci, G., Kilicer, K., Sahin, M. C., & Odabasi, H. F. (2008). Exploring the types and reasons of Internet-triggered academic dishonesty among Turkish undergraduate students: Development of Internet-triggered Academic Dishonesty Scale (ITADS). Computers and Education, 51(1), 463–473.
Anti-Phishing Working Group. (2007). Phishing activity trends report, December 2007. <http://www.apwg.org/reports/apwg_report_dec_2007.pdf>.
Becker, M. H., Maiman, L. A., Kirscht, J. P., Haefner, D. P., & Drachman, R. H. (1977). The health belief model and prediction of dietary compliance: A field experiment. Journal of Health and Social Behavior, 18(4), 348–366.
Becker, M. H., & Rosenstock, I. M. (1987). Comparing social learning theory and the health belief model. In W. B. Ward (Ed.), Advances in health education and promotion (pp. 245–249). Greenwich, CT: JAI Press.
Berthon, P. L., Pitt, L. F., & Watson, R. T. (1996). Marketing communication and the world wide web. Business Horizons, 39, 43–54.
Bhattacherjee, A. (2002). Individual trust in online firms: Scale development and initial test. Journal of Management Information Systems, 19(1), 211–241.
Bishop, M., & Klein, D. (1995). Improving system security via proactive password checking. Computers and Security, 14(3), 233–249.
Bock, B. C., Marcus, B. H., Pinto, B. M., & Forsyth, L. H. (2001). Maintenance of physical activity following an individualized motivationally tailored intervention. Annals of Behavioral Medicine, 23, 79–87.
Briggs, P., de Angeli, A., & Simpson, B. (2004). Personalisation and trust: A reciprocal relationship? In M. C. Karat, J. Blom, & J. Karat (Eds.), Designing personalized user experiences for ecommerce. Kluwer.
Briones, M. G. (1998). Internet innovations—and privacy issues—remain marketing’s biggest story. Marketing News, 32(7), 1–16.
Campbell, M. K., DeVellis, B. M., Strecher, V. J., Ammerman, A. S., DeVillis, R. F., & Sandler, R. S. (1994). The impact of message tailoring on dietary behavior change for disease prevention in primary care settings. American Journal of Public Health, 84, 783–787.
Chellappa, R. K., & Sin, R. (2005). Personalization versus privacy: An empirical examination of the online consumer’s dilemma. Information Technology and Management, 6(2-3), 181–202.
Corey, S. M. (1937). Professional attitudes and actual behavior. Journal of Educational Psychology, 28(1), 271–280.
Culnan, M. J. (1999). Georgetown Internet privacy policy study: Privacy online in 1999: A report to the Federal Trade Commission. Washington, DC: Georgetown University.
Davinson, N., & Sillence, E. (in preparation). Understanding user perceptions of fraud in technology mediated financial transactions.
Dhamija, R., Tygar, J. D., & Hearst, M. (2006). Why phishing works. In Proceedings of the CHI 2005 conference of human factors in computing systems. New York: ACM Press.
Downs, J. S., Holbrook, M., & Cranor, L. F. (2007). Behavioral response to phishing risk. In APWG ecrime researchers summit, Pittsburgh, PA, USA, October 4–5, 2007.
Egger, F. N. (2000). “Trust Me, I’m an Online Vendor”: Towards a model of trust for e-commerce system design. In Proceedings of the CHI 2000. ACM Press.
Emigh, A. (2007). Phishing attacks: Information flow and chokepoints. In M. Jakobsson & S. Myers (Eds.), Phishing and countermeasures. New Jersey: John Wiley and Sons.
Epton, T., & Harris, P. R. (2008). Self-affirmation promotes health behavior change. Health Psychology, 27(6), 746–752.
Festinger, L. (1957). A theory of cognitive dissonance. Evanston, IL: Row Peterson.
Fogg, B. J., Marshall, J., Laraki, O., Osipovich, A., Varma, C., Fang, N., et al. (2001). What makes web sites credible? A report on a large quantitative study. In Proceedings of the ACM CHI 2001 conference human factors in computing systems. New York: ACM Press.
Fogg, B. J., Soohoo, C., Danielson, D. R., Marable, L., Stanford, J., & Tauber, E. R. (2003). How do users evaluate the credibility of web sites? A study with over 2500 participants. In Proceedings of the ACM CHI 2003 conference human factors in computing systems. New York: ACM Press.
Fram, E. H., & Grady, D. B. (1997). Internet shoppers: is there a surfer gender gap? Direct Marketing, 59(9), 46–50.
Greenwald, A. G., Carnot, C. G., Beach, R., & Young, B. (1987). Increasing voting behaviour by asking people if they expect to vote. Journal of Applied Psychology, 72(2), 315–318.
Hammond, D., Fong, G. T., McDonald, P. W., Cameron, R., & Brown, K. S. (2003). Impact of the graphic Canadian warning labels on adult smoking behaviour. Tobacco Control, 12, 391–395.
IDC. (June 2008). IDC finds more of the world’s population connecting to the Internet in new ways and embracing web 2.0 activities. Press release. <http://www.idc.com/getdoc.jsp?containerId=prUS21303808> (retrieved on 10.09.2008).
Internet World Stats. (August 2008). <http://www.Internetworldstats.com/stats.htm> (retrieved on 10.09.2008).
Janis, I. (1974). Vigilance and decision making in personal crises. In G. Coelho, D. Hamburg, & R. J. Adams (Eds.), Coping and adaptation. New York: Basic Books.
Jarvenpaa, S. L., & Todd, P. A. (1996–1997). Consumer reactions to electronic shopping on the world wide web. International Journal of Electronic Commerce, 1(winter), 59–88.
Jarvenpaa, S. L., & Todd, P. A. (1997). Is there a future for retailing on the Internet? In R. A. Peterson (Ed.), Electronic marketing and the consumer. Thousand Oaks, CA: Sage Publications.
Jensen, C., Potts, C., & Jensen, C. (2005). Privacy practices of Internet users: Self-reports versus observed behavior. International Journal of Human-Computer Studies, 63, 203–227.
Kirscht, J. P., & Haefner, D. P. (1973). Effects of repeated threatening health communications. International Journal of Health Education, 16, 268–277.
Kreuter, M. W., & Strecher, V. J. (1996). Do tailored behavior change messages enhance the effectiveness of health risk appraisal? Results from a randomized trial. Health Education Research, 11(1), 97–105.
Kumaraguru, P., Rhee, Y., Sheng, S., Hasan, S., Acquisti, A., Cranor, L. F., et al. (2007). Getting users to pay attention to anti-phishing education: Evaluation of retention and transfer. In APWG ecrime researchers summit, Pittsburgh, PA, USA, October 4–5, 2007.
LaPiere, R. (1934). Attitudes versus actions. Social Forces, 13, 230–237.
LaRose, R., Rifon, N., & Enbody, R. (2008). Promoting personal responsibility for Internet safety. Communications of the ACM, 51(3).
Leventhal, H. (1970). Findings and theory in the study of fear communications. In L. Berkowitz (Ed.), Advances in experimental social psychology (Vol. 5). New York: Academic Press.
Leventhal, H. (1973). Changing attitudes and habits to reduce risk factors in chronic disease. American Journal of Cardiology, 31, 571–581.
Leventhal, H., Benjamini, Y., Brownlee, S., Diefenbach, M., Leventhal, E. A., & Patrick-Miller, L. (1997). Illness representations: Theoretical foundations. In K. J. Petrie & J. A. Weinman (Eds.), Perceptions of health and illness. Amsterdam: Harwood.
Maignan, I., & Lukas, B. A. (1997). The nature and social uses of the Internet: A qualitative investigation. Journal of Consumer Affairs, 31(2), 346–371.
McGuire, W. (1968). The nature of attitudes and attitude change. In G. Lindzey & E. Aronson (Eds.). The handbook of social psychology (Vol. 3). Reading, MA: Addison-Wesley.
McQuivey, J., & Ham, C. (2000). Why some young consumers don’t shop online. Forrester research brief, June 2, 2000.
Metzger, M. J. (2004). Privacy, trust, and disclosure: Exploring barriers to electronic commerce. Journal of Computer-Mediated Communication, 9(4).
Milletary, J. (2005). Technical trends in phishing attacks. CERT Coordination Center, Carnegie Mellon University. <http://www.cert.org/archive/pdf/Phishing_trends.pdf>.
Moore, T., & Clayton, R. (2007). An empirical analysis of the current state of phishing attack and defence. In Proceedings of the 2007 workshop on the economics of information security (WEIS2007).
Morris, R., & Thompson, K. (1979). Password security: A case history. Communications of the ACM, 22(11).
Myers, S. (2007). Introduction to phishing. In M. Jakobsson & S. Myers (Eds.), Phishing and countermeasures. New Jersey: John Wiley and Sons.
Namlu, A. G., & Odabasi, F. (2007). Unethical computer using behavior scale: A study of reliability and validity on Turkish university students. Computers and Education, 48, 205–215.
NCR (2006). ID theft and ATM fraud, NCR Webinar Series. Available from http://www.hacfe.gr/events/Papers/NCR-ATM_Fraud_WP06.pdf.
Radelfinger, S. (1965). Some effects of fear-arousing communications on preventive health behaviour. Health Education Monographs, 19, 2–5.
Riegelsberger, J., Sasse, M. A., & McCarthy, J. (2003). Shiny happy people building trust? Photos on e-commerce websites and consumer trust. In Proceedings of the CHI 2003. ACM Press.
Rippetoe, P. A., & Rogers, R. W. (1987). Effects of components of a protection motivation theory on adaptive and maladaptive coping with a health threat. Journal of Personality and Social Psychology, 52, 596–604.
Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change. Journal of Psychology, 91, 93–114.
Rohm, A., & Milne, G. R. (1998). Emerging marketing and policy issues in electronic commerce: Attitudes and beliefs of Internet users. In A. Andreasen, A. Simonson, & N. C. Smith (Eds.), Marketing and public policy proceedings (Vol. 8). Chicago: American Marketing Association.
Rosenstock, I. M. (1966). Why people use health services. Millbank Memorial Fund Quarterly, 44, 94–124.
Schneier, B. (2000). Secrets and lies. New York, NY: John Wiley and Sons.
Sheehan, K. B., & Hoy, M. G. (2000). Dimensions of privacy concern among online consumers. Journal of Public Policy and Marketing, 19(spring), 62–73.
Sheeran, P. (2002). Intention-behavior relations: A conceptual and empirical review. In W. Stroebe & M. Hewstone (Eds.), European review of social psychology (Vol. 12). Chichester, UK: Wiley.
Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., Cranor, L. F., Hong, J., et al. (2007). Anti-Phishing Phil: The design and evaluation of a game that teaches people not to fall for phish. In Proceedings of the third symposium on usable privacy and security, Pittsburgh, PA, July 18–20.
Sillence, E., Briggs, P., Harris, P., & Fishwick, L. (2006). A framework for understanding trust factors in web based health advice. International Journal of Human–Computer Studies, 64, 697–713.
Sillence, E., Briggs, P., Harris, P., & Fishwick, L. (2007). Going online for health advice: Changes in usage and trust practices over the last five years. Interacting with Computers, 19, 397–406.
Skinner, C. S., Strecher, V. J., & Hospers, H. (1994). Physician recommendations for mammography: do tailored messages make a difference? American Journal of Public Health, 84, 43–49.
Spiekermann, S., Grossklags, J., & Berendt, B. (2002). Eprivacy in 2nd generation e-commerce: Privacy preferences versus actual behavior. In Proceedings of the third ACM conference on electronic commerce – EC’01 (pp. 38–47).
Sprott, D. E., Spangenberg, E. R., & Fisher, R. (2003). The importance of normative beliefs to the self-prophecy effect. Journal of Applied Psychology, 88(3), 423–431.
Stanford, J., Tauber, E., Fogg, B. J., & Marable, L. (2002). Experts vs. online consumers: A comparative credibility study of health and finance web sites. Consumer web watch research report. <http://www.consumerwebwatch.org/news/report3_crediilityresearch/slicedbread_abstract.htm> (retrieved on August 2003).
Strecher, V. J., Kreuter, M. W., Den Boer, D. J., Kobrin, S. C., Hosper, H. J., & Skinner, C. S. (1994). The effects of computer-tailored smoking cessation messages in family practice settings. Journal of Family Practice, 39, 262–270.
Tan, M., & Teo, T. S. H. (2000). Factors influencing the adoption of Internet banking. Journal of Associative Information Systems, 1(5).
TRUSTe (2006). Consumers have a false sense of security about online privacy – Actions inconsistent with attitudes. Conducted by TNS, December 2006. Available from http://www.truste.org/about/press_release/12_06_06.php.
Turner, C., & Martin, E. (1984). Surveying subjective phenomena. New York: Russell Sage Foundation.
Whitten, W. B., & Bjork, R. A. (1977). Learning from tests: Effects of spacing. Journal of Verbal Learning and Verbal Behaviour, 16(4), 465–478.
Witte, K., & Allen, M. (2000). A meta-analysis of fear appeals: Implications for effective public health campaigns. Health Education and Behavior, 27(5), 591–615.
Wolhandler, H. C. (1999). Real numbers behind ‘net profits’. ActivMedia research. <http://www.activmediaresearch.com/real_numbers_1999.html>.
