Journal of the Association for Information Systems

Volume 23 Issue 1 Article 6

2022

A Test of Protection Motivation Theory in the Information Security

Literature: A Meta-Analytic Structural Equation Modeling
Approach
Jian Mou
Pusan National University, jian.mou@pusan.ac.kr

Jason F. Cohen
University of the Witwatersrand, jason.cohen@wits.ac.za

Anol Bhattacherjee
University of South Florida, abhatt@usf.edu

Jongki Kim
Pusan National University, jkkim1@pusan.ac.kr

Follow this and additional works at: https://aisel.aisnet.org/jais

Recommended Citation
Mou, Jian; Cohen, Jason F.; Bhattacherjee, Anol; and Kim, Jongki (2022) "A Test of Protection Motivation
Theory in the Information Security Literature: A Meta-Analytic Structural Equation Modeling Approach,"
Journal of the Association for Information Systems, 23(1), 196-236.
DOI: 10.17705/1jais.00723
Available at: https://aisel.aisnet.org/jais/vol23/iss1/6

This material is brought to you by the AIS Journals at AIS Electronic Library (AISeL). It has been accepted for
inclusion in Journal of the Association for Information Systems by an authorized administrator of AIS Electronic
Library (AISeL). For more information, please contact elibrary@aisnet.org.
 Journal of the Association for Information Systems (2022) 23(1), 196-236
doi: 10.17705/1jais.00723

RESEARCH ARTICLE

ISSN 1536-9323

A Test of Protection Motivation Theory in the Information

Security Literature: A Meta-Analytic Structural Equation
Modeling Approach

Jian Mou1, Jason Cohen2, Anol Bhattacherjee3, Jongki Kim4

1
Pusan National University, Republic of Korea, jian.mou@pusan.ac.kr
2
University of the Witwatersrand, South Africa, jason.cohen@wits.ac.za
3
University of South Florida, USA, abhatt@usf.edu
4
Pusan National University, Republic of Korea, jkkim1@pusan.ac.kr

Abstract

Information security is one of the important domains of information systems research today, with
protection motivation theory (PMT) one of its most influential theoretical lenses. However, empirical
findings based on PMT are often inconsistent and inconclusive. To reconcile these inconsistent
findings, we conducted a meta-analysis to investigate the relationships among PMT constructs while
also considering additional contextual constructs that are not specified in PMT. Ninety-two published
studies were meta-analyzed and estimated using structural equation modeling. Our results provide
support for three of the five predictors of security motivation intention, as postulated by PMT, mixed
support for perceived vulnerability, and no support for response cost. We found that coping appraisal
variables of response efficacy and self-efficacy have the largest average effects on security behavior.
In addition, cultural attributes of collectivism and individualism moderated some of the pairwise
correlations, PMT-theoretic relationships were generally stronger in personal contexts than in
workplace contexts, and the intention-behavior relationship was strongest in workplace and
compliance settings. Our results contribute to the information security literature by providing
guidance for future PMT-related research and by demonstrating how meta-analysis and structural
equation modeling can be combined to test theories in information systems research.

Keywords: Information Security, Cybersecurity, Protection Motivation Theory, Meta-Analysis

Jason Bennett Thatcher was the accepting senior editor. This research article was submitted on March 12, 2020 and
underwent three revisions.
1 Introduction
Information security is one of the most important
issues facing individuals and firms today (Herath &
Rao, 2009; Shaw et al., 2009). During 2013-2017, the
US Federal Bureau of Investigation’s Internet Crime
Complaint Center (IC3) received 1.4 million
cybersecurity complaints, claiming cumulative losses
of $5.52 billion (FBI, 2017). The vast majority of these
crimes are targeted at individual users, such as
personal data breaches, phishing, identity theft, credit
card fraud, extortion, impersonation, malware,
ransomware, and crimes against children. In response
to such threats, information security research has
examined why users do or do not take sufficient
safeguards to protect themselves from security threats,
and how to motivate users to institute such safeguards
(e.g., Liang & Xue, 2010; Johnston & Warkentin,
2010; Siponen et al., 2014; Tu et al., 2015; Chen &
Zahedi, 2016; Burns et al., 2017). To this end,
researchers have employed different theoretical

196

frameworks to understand information security
behavior, such as deterrence theory (Gibbs, 1968),
extended parallel process model (Witte, 1992), and
technology threat avoidance theory (Liang & Xue,
2010). One of the more popular theoretical influences
in this literature is protection motivation theory (PMT)
(Rogers, 1975). PMT’s main premise is that our
behaviors in response to a perceived threat are a
function of our appraisals of that threat (perceptions of
threat vulnerability and threat severity) and appraisals
of coping mechanisms available to us to deal with that
threat (perceptions of response efficacy, self-efficacy,
and response cost).
However, many inconsistent patterns of relationships
are observed in PMT-based empirical studies (see also
Schuetz et al., 2020). For example, while Ifinedo
(2012) reported that vulnerability perceptions motivate
employees’ information systems security policy
compliance behavior, Zahedi et al. (2015) found that
such perceptions do not influence users’ use of fake-
website detection tools. Similarly, Siponen et al.
(2014) observed that perceived severity significantly
influences employees’ intention to comply with
information security policies, but Lee et al. (2008)
found that this construct had a nonsignificant effect on
USA college students’ online protection behavior.
There is also debate about whether PMT can
adequately explain general information security
behaviors, such as employees’ security policy
compliance (Crossler & Belanger, 2014), in contrast to
specific behaviors such as installing a password
manager (Menard et al., 2017), suggesting the
possibility of moderating effects not theorized in PMT
such as personal versus organizational context
(Schuetz et al., 2020) and culture (Chen & Zahedi,
2016). It is possible that some of the previously
reported inconsistent effects may have been caused by
inadequate sample sizes, leading to low statistical
power to detect small effects. Therefore, we conducted
a meta-analysis of 92 studies in the information
security literature that employed PMT as a theoretical
lens. A meta-analysis also allows us to examine the
moderating influence of macrolevel variables on users’
information security behaviors, such as culture,
contexts (e.g., workplace versus personal use), and
types of behaviors (e.g., general versus specific).
Our work differs from prior meta-analyses of PMT in
the information security literature (Sommestad et al.,
2015) and more general meta-analyses of information
security compliance (Cram et al., 2019) in several
ways. First, Cram et al. (2019) examined information
security policy compliance in workplace settings only,
while our research examines the full spectrum of
information security behaviors from workplace to
personal or home contexts. Moreover, Cram et al.
A Test of PMT in the Information Security Literature
(2019) examined factors drawn from several theories
and did not consider the full nomological network of
PMT, while we focus specifically on PMT and
consider the full nomological network of PMT in the
information security context. Sommestad et al. (2015)
examined the application of PMT within the
information security literature but did not extend from
protection motivation to actual behavior, which we do.
Meta-analyses of PMT in the psychology literature
focus primarily on health behavior (Tannenbaum et al.,
2015; Floyd et al., 2000; Milne et al., 2000), our study
focuses on information security rather than health
contexts.
Second, unlike Sommestad et al. (2015) and Cram et
al. (2019), we employ meta-analytic SEM modeling
(MASEM), a stepwise combination of meta-analysis
and structural equation modeling procedures that
allows us to test theories using the combined data of
prior studies. MASEM is intended specifically for
theory testing, while traditional meta-analysis aims to
synthesize and summarize prior research. Further, we
consider a wider range than prior research like
Sommestad et al. (2015), examining seven moderators.
Finally, we differ from past efforts in terms of the
corpus of primary studies included in our analysis.
Cram et al. (2019) included only PMT studies focused
on information policy compliance and not the entire
information security literature, while Sommestad et al.
(2015) used a sample of only 30 PMT articles
published in or prior to 2014. The number of PMT
studies has tripled since 2014, providing a more
comprehensive set of studies for our research, which
increased the statistical power of our meta-analysis.
Specifically, this study addresses the following
research questions:
RQ1: To what extent does PMT explain information
security behaviors?
RQ2: What moderators influence PMT-theoretic
relationships in the information security
context and how?
The rest of this paper is organized as follows. In the
next section, we review the prior literature on PMT
and explore the potential moderating role of
contextual and cultural variables in information
security behavior. The third section introduces the
meta-analytic SEM methodology that was used in this
study. The fourth section presents the results of our
meta-analysis and meta-analytic structural model.
The fifth section discusses the study’s findings and
the implications of these findings for research. The
paper ends with a discussion of the contributions and
limitations of this research.
197
Journal of the Association for Information Systems
2 Theoretical Background
2.1 Protection Motivation Theory
Protection motivation theory (PMT) was developed by
Rogers (1975) to explain how people engage in
protective behaviors to cope with threats in their
environment. Originally informed by expectancy-value
theory, PMT suggests that two cognitive processes
guide our protection motivation response to a threat:
threat appraisal and coping appraisal.
When confronted with a threat, we first appraise the
threat by evaluating its seriousness (perceived severity)
and our susceptibility to the threat (perceived
vulnerability). Our threat appraisal is high if a threat’s
perceived severity and our perceived vulnerability to that
threat are both high. These threat appraisal factors can be
manipulated by external “fear appeal” messaging, which
is intended to generate a “fear arousal” that may
sensitize users to a threat’s severity and vulnerability.
Following threat appraisal, we explore different ways to
respond to that threat by evaluating the different
available coping strategies (protective actions) at our
disposal. In this coping appraisal process, we consider
the perceived effectiveness of these protective actions in
mitigating the threat at hand (response efficacy), our
perceived ability to take those actions (self-efficacy),
and the perceived extrinsic or intrinsic personal costs of
performing those actions (response cost). The outcome
of these threat and coping appraisal processes is
protection motivation, which is typically
operationalized as an individual’s behavioral intention
to engage in the recommended protective behavior
and/or subsequent protection behavior.
In the information security context, PMT can be
explained using the example of malware threat (Tsai et
al., 2016). When faced with a malware threat, we first
assess whether our computers are likely to be infected by
malware (perceived vulnerability) and, if so, whether the
malware is harmful enough to cause our system to fail
(perceived severity). We then appraise how useful virus
control software would be at detecting and removing
malware (response efficacy), whether we have the
knowledge to take necessary measures to install and use
such software (self-efficacy), and the effort required to
use protective software (response cost). The threat and
coping appraisals jointly predict whether we intend to use
protective software to protect ourselves from malware.
Some researchers have extended PMT to include the
construct of “fear” as a partial mediator between threat
appraisal and subsequent behavior (Posey et al., 2011).
Fear is an emotional response to the perceived security
threat and manifests as feelings of anxiety and worry over
the potential for exposure and loss (Aurigemma &
Mattson, 2018; Moody et al., 2018). In contrast to
perceived severity and vulnerability, which are both
cognitions, fear captures the emotive dimension of threat.
198
Drawing on related research in cognitive psychology
(e.g., Ajzen 1991), it can be argued that different
cognitions regarding a targeted behavior lead to
summative emotions about that behavior, which then
influence user intentions about that behavior. Leventhal’s
(1970) parallel response model also stressed the
importance of distinguishing emotional from cognitive
responses. Although Rogers (1983) downplayed the role
of fear as an emotional response in favor of the cognitive
PMT processes, some PMT researchers such as Boss et
al. (2015) highlight the importance of the mediating role
of fear in PMT’s nomological net. Its omission may
explain the observed inconsistencies regarding the effects
of perceived severity and vulnerability in PMT (Cram et
al., 2019). Figure 1 depicts the constructs and
relationships in the PMT model.
2.2 Protection Motivation Theory in the
Information Security Literature
Some of the earliest applications of PMT to information
security included Siponen et al.’s (2007) study of
employee compliance with workplace information
security policies. These early efforts found threat and
coping appraisal variables to be mostly significant.
Since then, PMT has been applied to a wide range of
information security behaviors and contexts, such as
user response to malware threats (Tsai et al. 2016), use
of antivirus software (Lee et al., 2008), password
protection (Vedadi & Warkentin, 2020), and college
students’ protective online behaviors, such as erasing
cookies, blocking pop-ups, and updating browser
security (Boehmer et al., 2015). In organizational
settings, PMT has been applied to study employee
information security policy compliance (e.g., Vance et
al., 2012; Burns et al., 2017), adherence to “bring your
own device” (BYOD) security (Ameen et al., 2020), and
anti-malware adoption by small business executives
(Lee & Larsen, 2009), among other examples.
Despite this growing PMT literature base, there are
differences in the manner in which PMT is modeled and
operationalized across studies. Some studies included
only a few threat appraisal (Comesongsri, 2010) or
coping appraisal variables (Jansen et al., 2016; Lee &
Larsen, 2009) in their models. Other studies (e.g., Posey
et al., 2015) dropped PMT constructs from their model
because of high collinearity between threat vulnerability
and threat severity and between response efficacy and
self-efficacy. However, most studies do not include fear
appeals, and the studies that do vary widely in their
operationalization of appeals (Boss et al., 2015).
Examples include studies examining extended exposure
by participants to fear appeals (Boss et al., 2015), rich
media-based messaging using video (e.g., Aurigemma
& Mattson, 2018; Schuetz et al., 2020), text-based fear
appeals that include descriptions of sanctions (Johnston
et al., 2015), and simple descriptive definitions and
examples (e.g., Martens et al., 2019).

Figure 1. Protection Motivation Model for IS Research
While some studies lend strong support to PMT—for
example, in the context of malware avoidance (Dang-
Pham & Pittayachawan, 2015)—others lend only
minimal to no support, concluding that PMT threat and
coping appraisal variables offer limited explanations of
information security behaviors such as the use of
password managers (Menard et al., 2017). Some
studies have found that while threat appraisal is a
significant predictor of protection behavior, coping
appraisal is less relevant (Verkijika, 2018),
contradicting the theory (Lazarus, 1991). Others have
found the coping appraisal process to be significant
and threat appraisal to be not significant (Blythe &
Coventry, 2018; Heidt et al., 2019). Still others have
found both appraisals to be significant but conclude
that coping appraisals have more explanatory
significance (Yoon et al., 20012; Li et al., 2019).
Some studies have found no support for threat
appraisal variables (e.g., Hanus & Wu, 2016), while
others report mixed results. For example, Burns et al.
(2017) found perceived severity to be an important
predictor of employees’ information security actions,
whereas Lee et al. (2008) did not find this effect to be
significant in a study on virus protection behavior
among students. Some studies have concluded that,
among the threat appraisal constructs, severity is more
important than vulnerability (Meso et al., 2013), while
others have found vulnerability to be more salient (Li
et al., 2019). In terms of coping appraisal, response
efficacy has been identified as the most important
coping factor by some (Zahedi et al., 2015), while
A Test of PMT in the Information Security Literature
others have found self-efficacy to be more important
(Vance et al., 2012; Warkentin et al., 2016). Response
cost tends to be significant across contexts in some
studies (Boss et al., 2015) but not significant elsewhere
(e.g., Menard et al., 2017).
Some studies have integrated selected PMT factors
with those from the theory of planned behavior (TPB)
(e.g., Safa et al., 2015), elaboration likelihood model
(e.g., Komatsu et al., 2013), technology acceptance
model (e.g., Hung et al. 2019), cognitive evaluation
theory, and the theory of reasoned action (TRA) (e.g.,
Siponen et al., 2014). The findings of these studies are
largely inconclusive as to the role of PMT relative to
the other theories. For example, Menard et al. (2017)
combined PMT with motivation theory but found
stronger effects for motivation theoretic constructs
determined that only response efficacy from PMT was
significant. Hooper and Blunt (2019) combined PMT,
deterrence theory, and TRA to study IT employee
security behavior and found some PMT variables such
as severity of impact and self-efficacy to be significant,
while others were not. Rajab and Eydgahi (2019)
combined PMT with general deterrence theory, TPB,
and organizational theory, and concluded that only the
PMT constructs for threat appraisal and coping
appraisal were significant while those drawn from
other theories were not. Given these varied findings, it
is unclear to what extent PMT can sufficiently explain
information security behaviors (cf. Johnston &
Warkentin 2010).
199
Journal of the Association for Information Systems
Taken together, the above inconsistencies raise several
questions about the overall utility of PMT as a referent
theory of information security, the conditions under
which PMT-based explanations for information
security behaviors are likely to hold, and the relative
effects of threat and coping appraisal variables. A
meta-analytic investigation of the population of PMT
studies provides us with an opportunity to examine
these inconsistencies. We believe that it may be
possible to reconcile such inconsistencies by exploring
the moderating role of constructs that are not specified
by PMT yet potentially relevant to the information
security setting. We explore these moderators in the
next section.
2.3 Role of Moderators in PMT
Research
Extending the works of Floyd et al. (2000), Milne et al.
(2000), Tannenbaum et al. (2015), Cram et al. (2019),
and Sommestad et al. (2015), we conceptualize three
classes of potential moderators that may influence
PMT-theoretic effects: context-related, behavior-
related, and methodological. Context-related
moderators include the cultural context (e.g.,
uncertainty avoidance and individualism versus
collectivism) and security context (workplace or home
setting of the study). Behavior-related moderators
reflect the generality or specificity of the security
behavior and whether it is a compliance or a volitional
behavior. Methodological moderators relate to a
study’s methodological considerations, such as the
subject sample chosen for the study (e.g., students or
nonstudents) and the presence or absence of
experimental manipulation in the research design.
Security context: Information security studies have
examined protection behaviors in both personal and
workplace contexts. Anderson and Agarwal (2010)
state that “within an organizational setting, security
plans typically include initiatives to train employees in
the appropriate use of technology and outline the
required policies and procedures to be followed so as
to mitigate risks in areas of vulnerability.”
Organizational security policies are often mandatory,
and if employees are aware that their firm is
monitoring their compliance behaviors, they are more
likely to comply with corporate security policies
(Herath & Rao, 2009). Moreover, one’s lack of
awareness of security threats or security violations
may have a repercussive effect on the organization as
a whole—for example, if it threatens the stability of the
corporate network (Culnan et al., 2008). Hence,
organizational norms often create social pressure on
employees to practice computer security behaviors,
even if they personally consider it unnecessary (Yoon
& Kim, 2013).
200
In home or personal settings, on the other hand,
information security practices are voluntary and often
ignored (Chen & Zahedi, 2016; Palmer, 2020). While
home users may have heightened threat perceptions
because the data is personal to them, the implications
of not taking necessary safeguards are largely personal
and unlikely to affect others. Some workplace users,
who are required to use proper security protocols at
work, may find it unnecessary to institute similar
protocols at home. Furthermore, some home users may
not even be aware of security threats or the tools and
resources that can protect them from such threats,
particularly if they have not gone through any security
training. Hence, many internet users lack even a single
core protective tool against security threats in home or
personal settings (Chen & Zahedi, 2016). Reports
indicate that during the COVID-19 pandemic, over
half (52%) of work-from-home employees working on
their own devices are not following the same security
practices that they follow at their workplaces while
working on company-issued devices, such as sharing
confidential files using unencrypted emails (Palmer,
2020). The reasons for such behavior include not being
monitored by corporate IT, finding workarounds to
work more efficiently (suggesting that corporate
security policies are viewed as a barrier to
productivity), and the distractions of everyday life such
as childcare, roommates, or not having an office-type
setup (Palmer, 2020). Hence, the relationship between
threats and coping appraisals and security protection
motivation is likely to be different, and presumably
weaker, for home users than for workplace users.
Cultural context: Culture is defined in the field of
anthropology as “the collective programming of the
mind which distinguishes the members of one human
group from another” (Hofstede, 1980). Based on an
extensive study of 117,000 IBM employees across 50
countries from 1967 to 1973, Hofstede (1991)
classified national culture along five dimensions:
power distance, individualism, uncertainty avoidance,
masculinity, and long-term orientation. The role of
cultural factors has been examined in information
systems research, in contexts such as individual
acceptance of information technologies (Straub et al.,
1997) and e-commerce transactions (Cry, 2008;
Hwang & Lee, 2012). Ciganek et al. (2004) suggest
that social norms and values that affect individual
behaviors and beliefs are influenced by national
culture, while Doney et al. (1998) observe that in
collectivistic cultures, people tend to treat out-group
members with suspicion and avoid transactions with
them. In the information security context, Cram et al.
(2019) have suggested that culture may also play an
important role. In this context, Chen and Zahedi (2016)
compared PMT in the US versus China and found that,
while coping appraisal factors were more significant
for protective behaviors in China, threat appraisal was
more significant for the US sample.

Among the dimensions of culture, individualism and
uncertainty avoidance have particular relevance to
information security behavior (Crossler et al., 2014).
Collectivism (opposite of individualism) refers to the
“degree to which people in a society are integrated into
groups” (Hofsteade, 1991). Collectivist societies tend
to tightly integrate extended families and business
partners into in-groups that are laced with loyalty and
that support each other through conflicts and chaos.
Stronger loyalty in collectivistic cultures and greater
concern for protecting group assets are likely to
promote greater compliance with information security
policies (Crossler et al., 2014). Individualists, on the
other hand, may have higher appraisals of their
personal self-efficacy to cope with threats and
therefore hold a negative view of organizational
information security policies (Crossler et al., 2014).
Menard et al. (2018) suggested that collectivism may
impact PMT constructs through its effects on
psychological ownership. In collectivist cultures,
people are less likely to accept personal responsibility
or seek individual benefits, which may result in more
limited perceptions of threat severity, susceptibility,
and response efficacy, but increased perception of
response cost. However, it remains unclear whether
PMT provides a better explanation of security
behaviors in individualist versus collectivist settings.
Uncertainty avoidance is defined as “a society's
tolerance for ambiguity” or the extent to which people
embrace or avoid unexpected events or deviation from
the status quo. Societies with high degrees of
uncertainty avoidance typically have stiff codes of
behavior and societal norms designed to reduce
ambiguity, while those with lower uncertainty
avoidance are more accepting of differences of
thoughts or opinions, tend to impose fewer regulations,
and are more tolerant of ambiguity. Individuals from
high uncertainty avoidance cultures have a greater
propensity to shun uncertainty and are thus less likely
to fall prey to information security threats. As Crossler
et al. (2014) suggest, risk tolerance is lower among
users from high uncertainty avoidance cultures, who
would prefer safeguards from the unknown and be
more motivated to engage in protective behaviors.
Aurigemma and Mattson (2018) similarly argued that
high perceived threat severity would activate
uncertainty avoidance, which would influence threat
appraisals and their consequent effects on security
behavior. Because of these reasons, we consider the
collectivism and uncertainty avoidance dimensions of
culture as appropriate moderators in our meta-analysis
of PMT.
General versus specific behaviors: Past studies have
explored a wide range of information security
behaviors, from simple and specific behaviors like
installing anti-virus software to more general
protection responses involving a combination of
A Test of PMT in the Information Security Literature
technical and nontechnical behaviors. Specific
behaviors include the use of specific software tools or
actions in response to specific types of threats, such as
installing antivirus software (Lee et al., 2008),
password protection managers (Vedadi & Warkentin,
2020), anti-spyware software (Gurung et al., 2009;
Crossler et al., 2014), anti-malware software (Lee &
Larsen, 2009), or data backups in response to
ransomware threats (Ophoff & Lakay, 2018). Among
other examples, Tsai et al. (2016) examined
employees’ general security intentions—for example,
increasing browser security level, changing passwords
frequently, running protective software regularly, and
removing spyware, among other actions. Workman et
al. (2008) considered a general set of employee
security behaviors like password changes, security
patch updates, and use of backups. Vance et al. (2012)
studied employees’ propensity to share passwords,
failing to log off, installing home software on a work
laptop, and copying highly sensitive information
without encryption. Boehmer et al. (2015) studied the
intentions of students to update their antivirus
software, scan their computers, install anti-spyware,
update patches, and erase cookies as part of general
online safety behaviors. However, general information
security behaviors may also include a combination of
detection, prevention, and mitigation-related
behaviors, such as watching for unusual computer
responses such as freezing or slowing down, keeping
software up to date, not opening email attachments,
and doing regular backups (Li et al., 2019; Simonet &
Teufel, 2019), and general compliance with workplace
security policies.
It is unclear whether PMT is more suited for predicting
specific behaviors or more general behaviors. It may
be argued that PMT has less predictive ability in more
general settings where threat appraisal, coping
appraisal, and behavior may be confounded across a
broad range of security threats. For example, a person
may install and run anti-malware software but may not
be comfortable with updating security patches.
Sommestad et al. (2015) found that studies of general
behaviors have marginally lower mean correlations
and about 10% lower explained variance, on average,
than studies of more specific behaviors. Similarly, in
the health behavior context, Floyd et al. (2000) found
that coping appraisals may be more relevant to
predicting specific health behaviors such as medication
adherence. These studies suggest that some of the
heterogeneity in PMT effect sizes may be due to
differences in the specific information security
behavior examined.
Voluntary versus compliance behavior: PMT studies
in workplace contexts, typically consider one of two
behaviors: mandatory adherence to corporate information
security policy, and voluntary response to information
security threats. Organizational compliance may be
201
Journal of the Association for Information Systems
driven by subjective or social norms (Ifinedo, 2012),
shared beliefs in the importance of information security
(Furnell & Thomson, 2009), the appropriateness and
acceptability of compliance acts (Moody et al., 2018), or
fear of punishment or severity of sanctions (Johnston et
al., 2015), rather than threat appraisal processes. Yet
distinctions between compliance and volitional protective
actions are not always clear in the operationalization of
behavior in PMT studies. For example, Siponen et al.
(2014) operationalized compliance as employee
intentions to comply with information security policies in
conjunction with voluntary behaviors like recommending
compliance and helping others comply. In view of these
inconsistencies, it is useful to examine whether policy
compliance and volitional behaviors have differential
effects on information security behaviors.
Study sample: Many studies (32% in our meta-
analysis sample) have used convenience samples of
students, with the typical justification that university
students are exposed to frequent malicious threats and
are responsible for protecting their own systems and
information (Warkentin et al., 2016). While student
populations may be appropriate for studying certain
security behaviors, findings drawn from student
samples may not be generalizable to the population at
large (Boss et al., 2015). Students may be more apt to
take risks or may not be fully aware of potential
security threats or their consequences (Crossler et al.,
2014). Moreover, some students may be more
computer literate and therefore have higher self-
efficacy perceptions or may have less sensitive
information to protect. Therefore, the use of student
samples may lead to a pattern of PMT relationships
that are systematically different from the broader
population. Hence, student samples versus nonstudent
samples is a useful moderator for our meta-analysis.
Manipulation of fear appeals: Prior PMT studies
have generally followed one of two research designs:
(1) simple questionnaire-based correlational designs
with no experimental manipulation or information
about threats or protective behaviors, and (2)
experimental studies that provide general or targeted
information about a threat and/or coping response,
typically in an effort to encourage a protection
motivation behavior in the treatment group.
Experimental manipulations typically take the form of
fear appeal messages. Some PMT researchers have
argued that without fear appeal messaging, studies may
not create the desired motivation or response because
of incomplete threat and/or coping appraisals
(Workman et al., 2009). Johnston and Warkentin
(2010) outlined the required elements of a fear appeal;
it should allow participants to make inferences about
threat severity, their personal susceptibility to the
threat, the efficacy of a recommended response, and
their ability to perform the recommended response.
Studies have shown that concrete fear appeals that
202
describe threats, their consequences, and how to
defend against them are high in psychological
proximity and tend to have more consistent PMT-
theoretic relationships. Participants’ frequency of
exposure to fear appeals has also been found to be
important in motivating security protection behaviors
(Boss et al., 2015). Others have suggested that
messages that appeal to intrinsic motivations (Menard
et al., 2017) or threats of sanctions in the workplace
(Johnston et al., 2015) can complement traditional fear
appeal messaging. The presence or absence of fear
appeals may therefore account for variability in PMT
effect sizes. To account for this variance, we include
threat and/or response appeal messaging (versus
simple correlation designs without fear appeals) as a
moderator in our meta-analysis.
3 Research Method
3.1 Meta-Analysis
Meta-analysis, defined as “the statistical analysis of a
large collection of analysis resulting from individual
studies for the purposes of integrating the findings”
(Glass, 1976, p. 3), is a method of statistical synthesis
that allows us to view the “whole picture” in a research
context by aggregating and analyzing the quantitative
results of multiple empirical studies. Empirical studies,
using primary data from experiments or surveys, are
often limited in sample sizes because of cost and
practicality considerations. Small sample sizes make it
difficult to detect small effect sizes and moderating
effects because of low statistical power. Although
large-scale sensor-based observational data have seen
increased use in recent research, such data are often
difficult to acquire, observations are often restricted to
behaviors that can be tracked unobtrusively and do not
lend themselves well to psychometric evaluation of
threat or coping appraisals. Meta-analyses help address
this problem by aggregating data from many (often
hundreds) of primary studies to boost statistical power
to detect small effects as well as discover new and
unanticipated effects.
Meta-analysis has its own strengths and weaknesses,
as documented in prior studies (e.g., Wolf, 1986). The
distinct advantage of this approach is its ability to
measure small effect sizes that might have been missed
in the underlying studies because of small sample sizes
or low statistical power. It also allows the examination
of artifactual variance, caused by nonrandom samples,
unreliable measurements, use of different
measurement instruments, measurement range
restrictions (e.g., of a 5-point or 7-point Likert scale),
and so forth, that may give rise to illusory patterns in
the data. However, meta-analytic inferences are
sensitive to researchers’ sample of selected studies, it
excludes qualitative studies that do not report effect
sizes, and choice of control variables to consider (e.g.,

how many controls, which ones, coded how, etc.)
require judgment calls on the researcher’s part.
Furthermore, since research published in journals
tends to be biased in favor of significant findings and
nonsignificant findings are rarely reported (He & King,
2008), this “publication bias” may be manifested in
meta-analyses of published papers. To counter this
bias, it is often recommended to include conference
proceedings and dissertations that may report
nonsignificant findings often omitted in journal
publications. One may also contend that combining
studies with different variable definitions, different
measurement techniques (e.g., perceived versus actual
measures), and numerous methodological errors, may
render meta-analytic findings questionable.
Several instances of meta-analyses are available in the
information security literature (e.g., Cram et al., 2019;
Trang & Brendel, 2019). While the objective of most
of these prior studies is to aggregate and synthesize
previously reported effects, in this study, our goal is to
use meta-analysis to test theory (PMT). For this
purpose, we combine meta-analysis with structural
equation modeling (SEM). In this MASEM approach,
meta-analysis procedures are first used to combine
quantitative evidence from prior studies to estimate
weighted mean and true-score correlations between the
variables of interest (Hunter & Schmidt, 2004). The
matrix of corrected (true-score) correlations derived
from the meta-analysis is then used as an input to SEM
analysis to test a hypothesized pattern of relationships
derived from theory (Viswesvaran & Ones, 1995).
MASEM is ideally suited for testing theories by
aggregating results across many prior empirical studies
and has been applied in meta-analytic investigations of
the unified theory of acceptance and use of technology
(Dwivedi et al., 2019), the technology acceptance
model (Schepers & Wezels, 2007; Gerow et al., 2013),
the turnover behavior of IT professionals (Joseph et al.,
2007), organizational knowledge flows (Montazemi et
al., 2012), and IT value research (Mandrella et al.,
2020), among other topics.
3.2 Study Selection
Studies included in our meta-analysis were sourced
from EBSCOhost, JSTOR, and ABI-Inform databases
using abstract search of keywords “protection
motivation” and “information system” or “information
security,” while restricting our search to full-text
articles in the English language. This process led to
259 articles from EBSCOhost, 112 from ABI-Inform,
and nine from JSTOR over the 1996-2020 time frame.
We manually screened the articles to exclude
duplicates, qualitative articles, opinions, literature
reviews, and studies that did not report at least one
correlation, beta coefficient, or effect size. This
process resulted in 83 articles, including 66 peer-
reviewed journals, 13 PhD dissertations, and 3
A Test of PMT in the Information Security Literature
conference papers. We reviewed the reference lists of
the shortlisted articles to locate a few additional
empirical articles on information security. To
overcome publication bias, we also included additional
working papers from Google Scholar and conference
papers from the Association of Information Systems
(AIS) conference journals to result in an overall sample
size of 92 articles for meta-analysis. Our search
process is illustrated in Figure 2.
The 92 articles in our final sample (see Table B1 in the
Appendix) represented 112 samples (some articles
reported multiple samples/studies); over 58% of these
articles (54 articles) were published within the last five
years (2016 to 2020). Sixteen samples were from
countries with a collectivist culture, 92 samples were
from countries with an individualist culture, and three
samples included respondents from both collectivist
and individualist cultures. Eighty samples were from
low uncertainty-avoidance cultures, 29 were from high
uncertainty-avoidance cultures, and three were from
mixed cultures, as identified through a manual reading
of each study. Fifty-three samples were from the
workplace context and 59 were from a
personal/individual context. Thirty-three samples
employed student respondents and the rest used
nonstudent or mixed populations. After manually
coding the security behavior in each sample as general
or specific, we found that 66 were general behaviors
and the remaining were specific behaviors. Thirty-nine
samples manipulated fear with a fear appeal
intervention, while 73 did not use fear appeals.
For each study in our sample, we identified the relevant
PMT constructs and compared the conceptual and
operational definitions of each construct read with its
measurement items to verify whether the measurement
items faithfully represented the construct of interest
(see Table 1). For each construct pair, one author of
this study recorded relevant effect sizes from all
studies, which were then double-checked by a research
assistant. Correlations that were not reported in the
source study were calculated from effect sizes
reported, such as beta coefficients (e.g., Ayyagari et
al., 2019). For studies with missing correlations or
effect sizes, we contacted the authors for correlation
matrices or raw data.
The following data were recorded for each sample in
the included studies: (1) study’s year of publication, (2)
sample size, (3) the type of information security context
under examination, (4) bivariate correlations between
constructs of interest, (5) standard deviation of each
variable, and (6) reliabilities of each PMT construct
using the reported Cronbach’s alpha coefficient or,
when not available, the composite reliability. Based on
the reported reliabilities, an average reliability score was
calculated for each construct for subsequent analysis,
reported in the next section.
203
Journal of the Association for Information Systems

EBSCOhost JSTOR ABI/Inform Global

Automated Database Search:

Search criteria: “Protection motivation” (all text) AND (“information security” or “information systems”) (abstract),
Full Text, English

259 Articles (Years 1996:2020) 112 Articles (Years 2002:2020)

245 academic journals, 4 trade 9 Articles (Years 2009-2017) 76 academic journals, 31 dissertations,
publications, 4 e-books, 2 magazines, 1 9 academic journals 2 trade publications, 1magazines, 1
report proceedings

Consolidation and Manual Screening:

Screening criterion: Drop qualitative articles, opinions, literature reviews; articles that did not report at least one correlation between PMT
construct pairs; eliminate duplicate papers from the same study

83 Articles (Years 2006:2020)

66 academic journals, 13 dissertations, 3 proceedings

Manual Screening: Add articles and working papers from Google Scholar [6 articles] and conference papers from AIS eLibrary that were not
previously included [3 articles]

92 Articles
112 samples

Figure 2. Study Search and Selection

For moderator analysis, we coded each study as
workplace versus personal setting, compliance versus
voluntary behavior, general versus specific behavior,
student versus nonstudent sample, and presence versus
absence of experimental manipulation. Protection
motivation was coded as a compliance behavior if the
study context suggested employee adherence to
corporate information security policy or procedure
(e.g., Vance et al., 2012; Herath & Rao, 2009).
Corporate security policies often include sanctions for
violations such as admonishment or censure, and thus,
in addition to offering protection, compliance
behaviors avoid sanctions. However, not all studies in
workplace settings were policy compliance-related.
For example, some studies examined anti-spyware,
password change, and other security behaviors without
reference to provisions of a security policy but rather
only as recommended actions. Such behaviors were
coded as discretionary or volitional (e.g., Johnston &
Warkentin, 2010). We coded studies as collectivist
versus individualist and high- versus low uncertainty-
avoidance culture, based on whether the country where
the study was conducted scored below or above the
midpoint of Hofstede’s individualist and uncertainty
avoidance scales (https://www.hofstede-insights.com/
country-comparison/).
Lastly, common method variance (CMV) is a common
problem in any study that uses a single instrument for
data collection. We coded the potential for CMV by
identifying those studies that employed single
instrument, cross-sectional surveys versus those that
employed experimental or longitudinal designs. We
found a preponderance of single-instrument, cross-
sectional PMT studies (106 of 112 samples) with the
potential for CMV. However, meta-analysis results are
robust to CMV because aggregating results across
multiple study designs has the effect of nullifying biases
in each study, including systematic error caused by
CMV (Craighead et al., 2011).
3.3 Descriptive Analysis and
Correlations
As recommended by Hunter and Schmidt (2004), we
used random-effects models to estimate pairwise
correlations (r) between our constructs of interest for
each of the 112 samples in our meta-analysis. Results
from this analysis are reported in Table 2. For each
correlation between PMT construct pairs, we report the
total number of studies, the total number of observed
correlations, the range of correlations, cumulative and
average sample size, and the range of sample size.
Because some studies reported data from more than
one sample, the number of pairwise correlations
available for analysis was greater than the number of
studies for some construct pairs.

204
 A Test of PMT in the Information Security Literature

Table 1. Operational Definitions of Constructs

Constructs Operational definition
Perceived vulnerability High if user beliefs reflect a high degree of
(PVU) vulnerability to a particular security threat
Perceived severity High if user beliefs reflect high
(PSE) significance or magnitude of potential
harm caused by a security threat
Fear (FR) High if user emotions reflect a high degree
of worry about a security threat
Self-efficacy (SEF) High if user beliefs reflect high ability to
take protective actions to avoid a security
threat
Response efficacy High if user beliefs reflect effective
(REF) protection from security threats from a
recommended protective measure
Response cost (REC) High if user beliefs reflect high perceived
extrinsic or intrinsic personal costs of
performing the protective actions
Protection motivation High if user beliefs reflect high intentions
(PM) to use a software or adopt a security
compliance behavior
Protection behavior Self-reported or observed protection
(ACB) behavior
Sample items
When it comes to the likelihood of Internet security
attacks, I believe that my risks of getting Internet
security attacks are (very low/very high) (Chen &
Zahedi, 2016)
When it comes to the severity of internet security
attacks, I believe that the consequences of security
attacks for me is (not serious at all/very serious)
(Chen & Zahedi, 2016)
The thought of being deceived by a spear-phishing
attack terrifies me (strongly disagree/strongly agree)
(Schuetz et al., 2020)
I believe that my knowledge for taking preventive
actions is (not adequate at all/very adequate) (Chen
& Zahedi, 2016)
I believe that the success rate of protective actions is
(very low/very high) (Chen & Zahedi, 2016)
Updating antivirus software requires significant
financial cost (Hanus & Wu, 2016)
I intend to protect my organization from its
information security threats (Burns et al., 2017)
I use information security protections:
Never ... always (Workman et al., 2009)

Table 2. Descriptive Statistics

Construct Number Number of Cumulative Average Range of sample sizes Pair-wise correlations
pair of studies correlations sample size sample size Lower Upper Lower Upper Average
PSE-PVU 73 89 30,479 342 70 1200 -0.668 0.989 0.284
PSE-REF 70 86 28,812 335 70 1200 -0.391 0.982 0.253
PSE-REC 41 54 16,938 314 70 1200 -0.526 0.579 -0.064
PSE-SEF 70 86 30,064 350 70 1200 -0.120 0.981 0.186
PSE-FR 10 15 3,663 244 84 522 0.130 0.666 0.401
PSE-PM 66 83 27,574 332 70 1200 -0.251 0.903 0.264
PSE-ACB 19 23 7,800 339 95 1121 0.038 0.670 0.234
PVU-REF 68 84 28,087 334 70 1200 -0.485 0.986 0.095
PVU-REC 39 52 17,467 336 70 1593 -0.404 0.563 0.080
PVU-SEF 72 89 31,465 358 70 1593 -0.44 0.987 0.038
PVU-FR 9 14 3,141 224 84 480 0.282 0.680 0.447
PVU-PM 66 83 28,601 345 70 1593 -0.433 0.902 0.139
PVU-ACB 22 26 9,749 375 95 1593 -0.190 0.580 0.136
REF-REC 41 54 17,100 317 70 1200 -0.655 0.566 -0.160
REF-SEF 72 88 31,304 356 70 1622 -0.200 0.979 0.391
REF-FR 12 17 4,378 256 84 522 -0.250 0.532 0.081
REF-PM 69 87 31,029 357 70 1622 -0.290 0.896 0.367
REF-ACB 18 22 7,142 325 95 917 -0.060 0.610 0.309
REC-SEF 40 53 18,157 343 70 1593 -0.746 0.593 -0.215
REC-FR 8 11 2,958 269 84 522 -0.370 0.320 0.008
REC-PM 41 53 17,979 339 70 1593 -0.580 0.537 -0.173
REC-ACB 8 10 3,922 392 95 1593 -0.340 0.038 -0.168
SEF-FR 12 17 4,378 258 84 522 -0.18 0.442 0.041
SEF-PM 66 83 31,189 376 70 1622 -0.239 0.888 0.398
SEF-ACB 22 26 10,360 399 95 1593 0.090 0.650 0.347
FR-PM 10 14 3,334 238 84 522 -0.190 0.590 0.266
FR-ACB 5 7 1,838 263 95 480 -0.052 0.432 0.162
PM-ACB 13 16 7,857 491 95 1622 0.137 0.848 0.458
Note: PVU = Perceived vulnerability, PSE = Perceived severity, FR = Fear, SEF = Self-efficacy, REF = Response efficacy, REC = Response
cost, PM = Protection motivation, ACB = Actual behavior

205
Journal of the Association for Information Systems
The number of available pair-wise correlations in our
dataset ranged from seven (for fear and actual
behavior) to 89 (for perceived severity and perceived
vulnerability). Cumulative sample sizes for pooled
pairwise correlations ranged from 1,838 (for fear and
actual behavior) to 31,465 (perceived vulnerability and
self-efficacy). Average sample sizes between construct
pairs ranged between 224 and 491, although the
smallest sample in our analysis had 70 observations
and the largest sample had 1,622 observations. Across
all studies, the smallest average pairwise correlation
for PMT relationships was 0.008 (for response cost and
fear) and the largest average correlation was 0.447 (for
perceived vulnerability and fear). These average
sample sizes and correlation coefficients may be
considered as benchmarks for future empirical
research on information security.
To account for samples of different sizes and potential
sampling errors in small samples, we computed sample
size-adjusted correlations (r+) for each pair of PMT
constructs by weighting observed correlations from
each sample by the number of observations in that
sample, using the formula:
k between self-efficacy and response efficacy (rc =
 N ir i
r +
= i =1
k
N i =1
i
where Ni is the size of the ith sample, and ri is the
observed correlation value between each pair of
constructs in that sample. We also corrected for
measurement error in samples with low construct
reliabilities by computing reliability-adjusted
correlation (rc), also called true-score correlation
(Hunter and Schmidt, 2004), using the formula:
𝑟𝑥𝑦
𝑟𝑐 = ,
√𝑟𝑥𝑥 √𝑟𝑦𝑦
where rxy is the average observed correlation between
constructs x and y across all studies, rxx is the average
of the reported reliability estimates for construct x, and
ryy is the average of the reported reliability estimates
for construct y.
Sample size and reliability-adjusted correlations (r+
and rc), along with their variance, standard deviation of
rc, and 95% confidence interval of r+ are listed in Table
3. With the exception of correlations between
perceived vulnerability and self-efficacy, response cost
and fear, self-efficacy and fear, and response efficacy
and fear, all other pairwise correlations in our meta-
analysis were significant.
Finally, a fail-safe N-test was used to test the
robustness of the findings by estimating the number of
nonsignificant results or nonpublished studies that
would be required to reduce an obtained mean effect
size to a trivial level (Rosenthal, 1979). For this test,
206
we transformed pairwise correlations (r) to Cohen’s d
value, and then used Orwin’s (1983) formula to
estimate fail-safe N-values. As a rule of thumb, the
fail-safe N-value should exceed 5k+10 (where k is the
number of observed correlations). The results of this
analysis are also reported in Table 3. We found that all
pairwise correlations for the core PMT variables
passed the fail-safe N-test, with the exception of
perceived vulnerability and protection motivation.
We observed low and nonsignificant correlations
between perceived vulnerability and self-efficacy,
perceived vulnerability and response efficacy,
perceived severity and response cost, self-efficacy and
fear, response efficacy and fear, and response cost and
fear, confirming that PMT’s threat and coping
appraisal processes are largely independent of each
other. Although correlations between perceived
vulnerability and fear (rc = 0.509) and between
perceived severity and fear (rc = 0.451) were strong and
significant, we observed more moderate correlations
between protection motivation and fear (rc = 0.295),
perceived vulnerability (rc = 0.158), and perceived
severity (rc = 0.297). However, stronger correlations
0.449), response efficacy and protection motivation (rc
= 0.414), and self-efficacy and protection motivation
(rc = 0.448) suggested that coping appraisal has a
stronger influence on security protection intention, on
average, than threat appraisal. This observed
dominance of coping appraisal (self-efficacy and
response efficacy) over threat appraisal in information
security intentions is one of the key contributions of
our meta-analysis to the PMT literature. Finally, we
found that protection motivations translate well to
actual behavior (rc = 0.513)
3.4 Analysis of Moderator Effects
To detect the presence of moderating effects, we
employed two alternative criteria. First, we computed
95% credibility intervals for each construct pair, which
are reported in Table 3. Sufficiently large credibility
intervals suggest the presence of moderators, which
was the case with most correlations in our study.
Second, following Hedges and Olkin (1985), we
conducted a homogeneity test to determine whether
there were any significant differences in residuals
(errors) in the underlying correlations. Large
differences in residuals (i.e., some samples with high
residuals and others with residuals approaching zero)
are often symptomatic of the presence of moderating
effects. For this homogeneity test, we computed the
Fisher Z-transformation using the formula:
loge 1+ r i 
1  
Zr =
2  1− r i 
i
 A Test of PMT in the Information Security Literature

Table 3: Sample Size and Reliability Adjusted Correlations

Construct r+ rc Var(r+) Var(rc) SD(rc) 95% confidence 95% credibility Fail- Result
pair interval (r+) interval (r+) safe N
Low Lim Up Lim Low Lim Up Lim (0.05)
PSE-PVU 0.292 0.328 0.081 0.104 0.322 0.239 0.345 -0.198 0.782 964 sig
PSE-REF 0.226 0.290 0.057 0.072 0.268 0.180 0.273 -0.191 0.644 814 sig
PSE-REC -0.078 -0.074 0.037 0.046 0.214 -0.126 -0.030 -0.416 0.260 -192 sig
PSE-SEF 0.177 0.213 0.038 0.046 0.214 0.141 0.212 -0.136 0.490 565 sig
PSE-FR 0.396 0.451 0.025 0.027 0.165 0.331 0.462 0.167 0.626 248 sig
PSE-PM 0.248 0.297 0.035 0.041 0.202 0.211 0.285 -0.074 0.571 825 sig
PSE-ACB 0.219 0.266 0.044 0.053 0.229 0.158 0.280 -0.056 0.493 199 sig
PVU-REF 0.070 0.110 0.055 0.070 0.254 0.016 0.124 -0.412 0.552 237 sig
PVU-REC 0.114 0.094 0.037 0.048 0.218 0.060 0.168 -0.258 0.486 115 sig
PVU-SEF 0.004 0.044 0.055 0.069 0.263 -0.043 0.051 -0.425 0.434 47 non-sig
PVU-FR 0.449 0.509 0.014 0.013 0.115 0.392 0.506 0.263 0.635 266 sig
PVU-PM 0.101 0.158 0.011 0.010 0.100 0.055 0.146 -0.304 0.505 385 sig
PVU-ACB 0.132 0.156 0.035 0.043 0.206 0.067 0.196 -0.182 0.445 117 sig
REF-REC -0.219 -0.186 0.063 0.083 0.287 -0.280 -0.158 -0.653 0.214 -403 sig
REF-SEF 0.399 0.449 0.046 0.057 0.239 0.359 0.439 0.036 0.762 1407 sig
REF-FR 0.026 0.091 0.048 0.056 0.237 -0.063 0.116 -0.323 0.375 38 non-sig
REF-PM 0.371 0.414 0.019 0.021 0.145 0.324 0.417 -0.053 0.795 1284 sig
REF-ACB 0.295 0.353 0.036 0.043 0.208 0.234 0.356 0.026 0.564 264 sig
REC-SEF -0.279 -0.249 0.095 0.124 0.352 -0.353 -0.204 -0.812 0.255 -519 sig
REC-FR 0.080 0.010 0.047 0.057 0.239 -0.041 0.201 -0.303 0.464 -7 non-sig
REC-PM -0.199 -0.197 0.075 0.094 0.306 -0.266 -0.132 -0.676 0.277 -424 sig
REC-ACB -0.129 -0.194 0.049 0.062 0.249 -0.215 -0.042 -0.384 0.127 -78 sig
SEF-FR 0.008 0.046 0.032 0.036 0.189 -0.065 0.081 -0.268 0.284 11 non-sig
SEF-PM 0.373 0.448 0.003 0.001 0.032 0.327 0.419 -0.039 0.785 1356 sig
SEF-ACB 0.332 0.395 0.041 0.050 0.224 0.273 0.391 0.043 0.621 358 sig
FR-PM 0.230 0.295 0.046 0.051 0.227 0.099 0.361 -0.247 0.707 141 sig
FR-ACB 0.151 0.181 0.019 0.019 0.138 0.052 0.250 -0.084 0.385 39 sig
PM-ACB 0.471 0.513 0.044 0.052 0.228 0.361 0.582 0.035 0.908 314 sig
Note: Low Lim = Lower limit; Up Lim = Upper limit; PVU = Perceived vulnerability, PSE = Perceived severity, FR = Fear, SEF = Self-efficacy,
REF = Response efficacy, REC = Response cost, PM = Protection motivation, ACB = Actual behavior

correlations. Table A1 in the Appendix reports the Q-

Then homogeneity Q was calculated by using the
values and critical Q-values for all pairwise
formula:
correlations in our study. For each construct pair, the
Q =  (wi )(z r )
k
2 computed Q-value exceeded the critical Q-value,
i =1
suggesting the presence of moderating effects.
,
We compared correlations to explore the moderating
where
effects of workplace versus personal context, culture
 (N − 3) z
k k
(individualism versus collectivism, and uncertainty
 w zr i i ri avoidance), general versus specific behavior, policy
= i =1
= i =1
i

z
 (N − 3)
r k k compliance versus voluntary behavior, student versus
w
i =1
i
i =1
i nonstudent samples, and fear appeals manipulation.
.
The Z-values of workplace versus personal contexts
If Q-values exceed a critical value, moderating effects reported in Table A1 are significant (>1.96) for the
should be suspected (Hedges & Olkin, 1985). The relationships between protection motivation and the
critical value of Q, is the χ2 for a = 0.05 and k-1 degrees PMT constructs of perceived vulnerability, self-
of freedom, where k is the number of observed efficacy, response efficacy, response cost, and fear.

207
Journal of the Association for Information Systems
The Z-value for perceived severity is nonsignificant.
The results show that, along with fear, coping appraisal
factors of response efficacy and self-efficacy are more
important in personal contexts while perceived
vulnerability and response costs are more important to
protection motivation in workplace contexts. Hence, in
workplace settings, employees may be less motivated
to take action if they do not believe that the risk of an
attack is high and that responding will be easy, while
in personal contexts, individuals are more motivated to
respond to fear and take action if they consider their
response to be efficacious.
Likewise, our analysis of the Z-value also shows that
relationships between protection motivation and
perceived severity and response efficacy are
moderated by culture such that they are stronger in
collectivist cultures than in individualistic cultures.
This suggests that, in collectivist cultures, individuals
are more likely to act in response to severe threats,
particularly if they feel that their response would work,
probably motivated by a desire to protect the common
good. We found coping appraisal (self-efficacy,
response efficacy, and response cost) and perceived
vulnerability to be more significant for protection
motivation in low uncertainty-avoidance cultures than
in high uncertainty-avoidance cultures. This would
suggest that individuals in high uncertainty-avoidance
cultures are more likely to take protective measures
without resorting to coping appraisals. Low
uncertainty-avoidance cultures appear to require more
convincing threat and coping appraisals to produce
protection motivation behaviors. Our findings indicate
that PMT relationships are also moderated by whether
the security behavior is general or specific. Protection
motivation was found to be more strongly related to
PMT threat and coping appraisal factors in general
contexts than in specific contexts, although fear was
more salient in specific contexts. We found that, along
with fear, threat appraisal (perceived vulnerability and
severity) was more strongly related to protection
motivation in policy compliance settings than in
volitional settings. While self-efficacy was
demonstrated to be more important for protection
motivation in compliance settings, response efficacy
and response costs were more strongly related to
protection motivation in volitional settings.
Our analysis of Z-values also confirms that research
design has an important influence on PMT research
results. First, studies that used student samples
reported significantly lower correlations between
protection motivation and perceived vulnerability,
response efficacy, and response cost. Only self-
efficacy was higher among student samples. While the
relationship between fear and protection motivation
was stronger in studies that manipulated fear appeals,
response efficacy and self-efficacy had higher
correlations with protection motivation in studies
208
without fear appeals. This is possibly because good
fear appeal messages arouse fear and increase coping
and protection motivation (Johnston & Warkentin,
2010).
We conducted further subgroup moderator analyses to
gain deeper insights into how context and culture
moderate PMT relationships. The results, shown in
Table A2 in the Appendix, suggest that while
perceived vulnerability had the smallest effect sizes
across most subgroups, it appeared to be most relevant
to protection motivation in workplace studies that were
carried out in low uncertainty-avoidance cultures.
Apart from its general relevance in collectivist
cultures, we also found perceived severity to be
important for protection motivation in personal
contexts and in cases of general rather than specific
security behavior. Within individualist cultures, our
results indicate that self-efficacy informs protection
motivation largely in personal contexts, while in
collectivist cultures, the effect of self-efficacy is
stronger in workplace contexts. However, we found that
self-efficacy is more important for protection motivation
in personal contexts when behavior is more specific, and
in workplace contexts when behavior is more general.
Our findings indicate that response efficacy is most
important for protection motivation in collectivist
cultures and personal contexts. Response costs was
found to be a weak predictor of protection motivation
across all subgroups but appears to be more relevant for
actual behavior in workplace settings characterized by
high individualism in low uncertainty-avoidance
cultures and for general protection motivations in
personal and workplace contexts. We found protection
motivation to be more strongly associated with actual
behavior in workplace settings.
3.5 Structural Equation Model Analysis
The final step in our study was to test PMT by
integrating empirical evidence from 92 different
samples in our meta-analysis. For this analysis, we
used as inputs our matrix of reliability-adjusted (true-
score) correlations and harmonic means
(N/(1/a1+1/a2+1/a3+1/a4+.......+1/aN)) of sample
sizes as a conservative estimate of sample size, as
recommended by Viswesvaran and Ones (1995). We
used the maximum likelihood estimation (MLE)
method to fit the model, using AMOS version 23
software. Model fit was examined using χ2, RMSEA,
GFI, NFI, and CFI metrics, and the path coefficients
represented overall effect sizes for our meta-analytic
test of PMT.
We tested three alternative PMT models—Model 1: an
extended PMT that included fear as a full mediator
between threat appraisal and protection motivation;
Model 2: an extended PMT that included fear as a
partial mediator between threat appraisal and
protection motivation (see Boss et al., 2015); and

Model 3: the original PMT model that excluded fear.
For Model 1, the χ2 fit statistic was 151.710, with 21
degrees of freedom (χ2/df = 7.224, p = 0.000),
RMSEA was 0.159, GFI was 0.852, NFI was 0.647,
and CFI was 0.675. For Model 2, χ2/df was 7.933 (p =
0.000), RMSEA was 0.168, GFI was 0.852, NFI was
0.650, and CFI was 0.673. For Model 3, χ2/df was
9.972 (p = 0.000), RMSEA was 0.191, GFI was 0.836,
NFI was 0.517, and CFI was 0.533. Of the three
models, the fully mediated and partially mediated
models (Models 1 and 2) had comparable fit while
Figure 3. Path Coefficients
A Test of PMT in the Information Security Literature
Model 3 (original PMT without fear) had the poorest
fit. An examination of R-squared values also
demonstrated that the fully mediated model explained
protection motivation (R2 = 0.249) the most, followed
marginally by the partially mediated model (R2 =
0.243), while both models explained significantly
more protection motivation than Model 3, which
excluded fear (R2 = 0.193). Path coefficients and the
significances of all models are summarized in Figure
3, and more detailed statistical estimates are provided
in Table 4.
209
Journal of the Association for Information Systems

Table 4. Summary of Results

Model 1: Including fear (full Model 2: Including fear (partial Model 3: Excluding fear
mediation) mediation)
Path Path t-value Supported Path t-value Supported Path t-value Supported
coefficient coefficient coefficient
PSE→FR 0.364 6.146*** Yes 0.364 6.146*** Yes - - -
PVU→FR 0.388 7.887*** Yes 0.388 7.887*** Yes - - -
FR→PM 0.229 4.851*** Yes 0.213 3.811*** Yes - - -
PSE→PM - - - 0.061 1.086 No 0.142 2.656** Yes
PVU→PM - - - -0.012 -0.253 No 0.071 1.597 No
REF→PM 0.262 4.409*** Yes 0.249 4.198*** Yes 0.236 3.872*** Yes
REC→PM -0.081 -1.547 No -0.079 -1.507 No -0.083 -1.543 No
SEF→PM 0.333 6.003*** Yes 0.328 5.908*** Yes 0.322 5.651*** Yes
PM→ACB 0.541 8.777*** Yes 0.541 8.728*** Yes 0.541 8.698*** Yes
Model fit χ2 = 151.710, df = 21, p = 0.000, χ2 = 150.721, df = 19, p = 0.000, χ2 = 149.578, df = 15, p = 0.000,
RMSEA = 0.159 GFI = 0.852, NFI = RMSEA = 0.168 GFI = 0.852, NFI = RMSEA = 0.191 GFI = 0.836, NFI =
0.647, CFI = 0.675 (R2, FR:0.289; 0.650, CFI = 0.673 (R2, FR:0.289; 0.517, CFI = 0.533 (R2, PM:0.193;
PM:0.249; ACB: 0.238) PM:0.243; ACB: 0.236) ACB: 0.235)
Note: ***p < 0.001; **p < 0.01; *p < 0.05. PVU = Perceived vulnerability, PSE = Perceived severity, FR = Fear, SEF = Self-efficacy, REF =
Response efficacy, REC = Response cost, PM = Protection motivation, ACB = Actual behavior

In Model 1 (fully mediated model), excepting response
cost, all other predictors (perceived severity, perceived
vulnerability, response efficacy, self-efficacy, and
fear) had significant effects on protection motivation.
We found similar support in Model 2 (partially
mediated model) for the path from fear to protection
motivation with no support for direct effects of
perceived vulnerability and perceived severity. In
contrast, in Model 3, which excluded fear, the effects
of response cost and perceived vulnerability on
security protection motivation were not significant,
although all other effects were statistically significant.
This comparison suggests that, according to our meta-
analysis, fear indeed positively mediates the
relationships between perceived vulnerability and
protection motivation and between perceived severity
and protection motivation. Hence, although not
suggested by the original PMT, we maintain that
applications of PMT within the information security
context should consider this mediating role of fear. We
could not confirm the hypothesized effect of response
cost on protection motivation in any of the three
models. It may be that the cost of information security
protection is so low (e.g., installing or activating a free
software) that response costs are not generally a
significant factor driving information protection
behaviors, although response costs may still be
relevant in contexts with higher monetary or effort
costs, such as healthcare.
We next conducted subgroup SEM analyses to evaluate
the moderating effects of context and culture. For this
purpose, we reorganized our samples into the culture
subgroups, into workplace- versus individual-context
subgroups, and into general versus specific behavior and
compliance versus volitional behavior settings. We then
estimated the PMT model separately for each subgroup
using correlation data from that group. The results of this
analysis are reported in Tables 5 and 6 (for culture), Table
7 (for context), and Tables 8 and 9 (for security
behaviors).
Models for individualist and high uncertainty-avoidance
cultures demonstrated better goodness-of-fit in terms of
chi-square, RMSEA, GFI, NFI, and CFI metrics than
other cultures (see Tables 5 and 6). Both low- and high-
uncertainty contexts, however, exhibited a similar pattern
of effects on protection motivation. Likewise, the pattern
of effects was the same across collectivist and
individualist cultures. However, we observed few notable
differences. Self-efficacy had the strongest effect in
individualist cultures while response efficacy had the
strongest effect in collectivist cultures. In addition,
response cost had a significant effect on intention in
collectivist cultures but not in individualist cultures. It
appears that collectivism versus individualism is a more
relevant component of national culture influencing
protection motivation behaviors, compared to uncertainty
avoidance. Consistent with our overall model, perceived
vulnerability had nonsignificant effects on protection
motivation in all culture subgroups.

210
 A Test of PMT in the Information Security Literature

Table 5. Summary of Results: Uncertainty Avoidance Cultures

Low uncertainty avoidance culture High uncertainty avoidance culture
Path Path coefficient t-value Supported Path coefficient t-value Supported
PSE→ PM 0.133 2.612** Yes 0.246 3.543*** Yes
PVU→PM 0.078 1.909 No 0.025 0.392 No
REF→PM 0.246 4.115*** Yes 0.279 4.134*** Yes
REC→PM -0.075 -1.397 No 0.038 0.688 No
SEF→PM 0.329 5.927*** Yes 0.310 4.783*** Yes
Model fit χ2 = 125.340, df = 10, p = 0.000, RMSEA = 0.226 χ2 = 120.089, df = 5, p = 0.000, RMSEA = 0.192 GFI
GFI = 0.834, NFI = 0.423, CFI = 0.429 (R2: = 0.878, NFI = 0.380, CFI = 0.384 (R2: PM:0.151)
PM:0.222)
Note: ***p < 0.001; **p < 0.01; *p < 0.05. PVU = Perceived vulnerability, PSE = Perceived severity, SEF = Self-efficacy, REF = Response
efficacy, REC = Response cost, PM = Protection motivation

Table 6. Summary of Results: Collectivist versus Individualist Cultures

Collectivist culture Individualism culture
Path Path coefficient t-value Supported Path coefficient t-value Supported
PSE→PM 0.100 2.643** Yes 0.136 2.430* Yes
PVU→PM 0.050 1.277 No 0.083 1.878 No
REF→PM 0.300 7.953*** Yes 0.246 3.764*** Yes
REC→PM -0.083 -2.395* Yes -0.076 -1.322 No
SEF→PM 0.198 5.204*** Yes 0.341 5.628*** Yes
Model fit χ2= 211.986, df = 10, p = 0.000, RMSEA = 0.280, χ2= 113.775, df = 10, p = 0.000, RMSEA = 0.208
GFI = 0.776, NFI = 0.399, CFI = 0.402 (R2: GFI = 0.856, NFI = 0.414, CFI = 0.421 (R2:
PM:0.289) PM:0.193)
Note: ***p < 0.001; **p < 0.01; *p < 0.05. PVU = Perceived vulnerability, PSE = Perceived severity, SEF = Self-efficacy, REF = Response
efficacy, REC = Response cost, PM = Protection motivation

Table 7. Summary of Results: Workplace versus Personal Context

Workplace context Personal context
Path Path coefficient t-value Supported Path coefficient t-value Supported
PSE→FR 0.126 2.547* Yes 0.540 8.269*** Yes
PVU→ FR 0.485 8.939*** Yes 0.339 7.688*** Yes
FR→PM 0.205 3.500*** Yes 0.219 5.219*** Yes
REF→PM 0.223 3.583*** Yes 0.323 5.548*** Yes
REC→PM -0.128 -2.273* Yes -0.050 -0.957 No
SEF→PM 0.314 5.175*** Yes 0.327 6.253*** Yes
Model fit χ2 = 146.339, df = 15, p = 0.000, RMSEA = 0.190 χ2 = 128.661, df = 15, p = 0.000, RMSEA = 0.175
GFI = 0.838, NFI = 0.516, CFI = 0.533 (R2, GFI = 0.869, NFI = 0.657, CFI = 0.679 (R2,
FR:0.262; PM:0.190) FR:0.340; PM:0.283)

Note: ***p < 0.001; **p < 0.01; *p < 0.05. PVU = Perceived vulnerability, PSE = Perceived severity, FR = Fear, SEF = Self-efficacy, REF =
Response efficacy, REC = Response cost, PM = Protection motivation

211
Journal of the Association for Information Systems

Table 8. Summary of Results: General Behavior versus Specific Behavior

General behavior Specific behavior
Path Path coefficient t-value Supported Path coefficient t-value Supported
PSE→FR 0.432 7.231*** Yes 0.357 5.764*** Yes
PVU→FR 0.309 6.905*** Yes 0.563 8.797*** Yes
FR→PM 0.146 3.982*** Yes 0.276 4.885*** Yes
REF→PM 0.247 5.440*** Yes 0.267 3.439*** Yes
REC→PM -0.145 -3.459*** Yes 0.022 0.335 No
SEF→PM 0.263 5.974*** Yes 0.408 5.901*** Yes
Model fit χ2 = 157.815, df = 15, p = 0.000, RMSEA = 0.193, χ2 = 130.805, df = 15, p = 0.000, RMSEA = 0.182,
GFI = 0.841, NFI = 0.581, CFI = 0.598 (R2, FR:0.282; GFI = 0.851, NFI = 0.593, CFI = 0.614 (R2, FR:0.321;
PM:0.267) PM:0.232)
Note: ***p < 0.001; **p < 0.01; *p < 0.05. PVU = Perceived vulnerability, PSE = Perceived severity, FR = Fear, SEF = Self-efficacy, REF =
Response efficacy, REC = Response cost, PM = Protection motivation

Table 9. Summary of Results: Policy Compliance versus Volitional Behaviors

Policy compliance behavior Volitional behavior
Path Path coefficient t-value Supported Path coefficient t-value Supported
PSE→ PM 0.148 2.978** Yes 0.132 2.414* Yes
PVU→PM 0.097 1.868 No 0.063 1.505 No
REF→ 0.163 2.982** Yes 0.293 4.572*** Yes
PM
REC→ -0.084 -1.795 No -0.079 -1.403 No
PM
SEF→ PM 0.386 6.616*** Yes 0.286 5.128*** Yes
Model fit χ2 = 123.795, df = 10, p = 0.000, RMSEA = 0.224, χ2 = 140.076, df = 10, p = 0.000, RMSEA = 0.226,
GFI = 0.831, NFI = 0.425, CFI = 0.432 (R2: GFI = 0.835, NFI = 0.378, CFI = 0.381 (R2:
PM:0.231) PM:0.184)
Note: ***p < 0.001; **p < 0.01; *p < 0.05. PVU = Perceived vulnerability, PSE = Perceived severity, SEF = Self-efficacy, REF = Response
efficacy, REC = Response cost, PM = Protection motivation

Table 10 Summary of Results: Manipulation of Fear—Yes versus No

Fear Manipulation No fear manipulations
Path Path coefficient t-value Supported Path coefficient t-value Supported
PSE -> FR 0.399 6.186*** Yes 0.464 6.901*** Yes
PVU -> FR 0.604 8.535*** Yes 0.365 6.901*** Yes
FR -> PM 0.411 5.074*** Yes 0.050 1.585 No
REF -> PM 0.296 2.796** Yes 0.277 5.955*** Yes
REC -> PM -0.119 -1.373 No -0.093 -2.180* Yes
SEF -> PM 0.384 3.878*** Yes 0.301 6.845*** Yes
Model fit χ2 = 108.767, df = 15, p = 0.000, RMSEA = 0.172, χ2 = 201.135, df = 15, p = 0.000, RMSEA = 0.216,
GFI = 0.860, NFI = 0.605, CFI = 0.631 (R2, GFI = 0.819, NFI = 0.520, CFI = 0.532 (R2,
FR:0.345; PM:0.193) FR:0.263; PM:0.251)
Note: ***p < 0.001; **p < 0.01; *p < 0.05. PVU = Perceived vulnerability, PSE = Perceived severity, FR = Fear, SEF = Self-efficacy, REF =
Response efficacy, REC = Response cost, PM = Protection motivation

212

Our subgroup analysis for workplace versus personal
contexts (Table 7) found that fear influences protection
motivation in both workplace and personal contexts.
Response cost was only significant in the workplace
context and all other effects were significant in both
contexts. We found perceived vulnerability to be more
significant for fear in personal contexts. It seems
reasonable that the more susceptible one is to a security
threat in a personal context, the more likely one is to
exhibit high security protection motivation. However, in
a workplace setting, one’s personal perception of
susceptibility may be rendered irrelevant and may be
superseded by organizational policies or standards on
how to combat security threats. In both contexts, we
found that self-efficacy and response efficacy are more
important than response costs in the response appraisal
process, but in workplace settings, response costs,
including effort costs, should be kept sufficiently low to
encourage protection behaviors.
Our results in Table 8 suggest similar patterns of effects
across general versus specific behaviors. We found that
response costs were significant for predicting protection
motivation for more general behaviors but not for
specific behaviors. Response costs may not be separable
from specific security protection behaviors and may be
difficult to estimate upfront, which may make the cost-
benefit evaluation outcome more uncertain for specific
behaviors, in contrast to general behaviors. Our findings
were similar across policy compliance and volitional
behavior settings (Table 9). This was unexpected
because we initially anticipated that threat appraisal
processes would be more salient in volitional settings,
while compliance might respond more strongly to social
norms or fear of sanctions, among other factors.
Although PMT assumes volitional behavior, protection
motivation in compliance settings nonetheless relies, in
part, on similar threat and coping appraisals. However,
for individuals in compliance settings, coping largely
concerns one’s self-efficacy.
Lastly, as shown in Table 10, we found that fear
influenced protection motivation most strongly in
studies that used fear appeal manipulations. Appeals are
persuasive messages intended to arouse a fear response
by emphasizing the harm that will be caused by threats
and the failure to adopt recommended protective
measures (Tannenbaum et al., 2015). Appeals in
information security do appear to motivate the intended
fear arousal and consequent protection motivation.
4 Discussion and Theoretical
Implications
The goal of this meta-analysis was to address two
questions: (1) To what extent does PMT explain
information security behaviors? (2) What moderators
influence PMT-theoretic relationships in the
A Test of PMT in the Information Security Literature
information security context and how? This
investigation was important because PMT is a
dominant theoretical lens in the information security
literature; however, the relationships among PMT
variables have been observed to be inconsistent. Our
meta-analytic study overcomes the limitations of past
empirical efforts by conducting a more extended meta-
analysis of the PMT literature than attempted before by
considering a broad range of potential moderators and
by employing MASEM techniques to reconcile past
findings in information security. We provide an
updated and more extensive analysis of PMT than
Sommestad et al. (2015) and adopt a clear focus on
PMT, in contrast to the general body of information
security research as in Cram et al. (2019). In particular,
our substantially larger sample helped us detect small
effects that may have been missed in prior empirical
analysis.
4.1 Relevance of PMT for Information
Security Research
Our analysis of 112 samples sourced from 92 studies
provides consistent support for three of the five
predictors of security motivation intention proposed by
PMT (perceived severity of security threat, response
efficacy of response to threat, and self-efficacy of
managing that response), and inconsistent support for
two predictors (perceived vulnerability from security
threats and response cost for security protection). In
addition, we observed support for fear mediating the
effects of perceived severity and perceived
vulnerability on security protection intention, which
has been infrequently discussed in the information
security literature, and found that response appraisal
variables have a stronger overall effect on protection
motivation, compared to threat appraisal, which
contradicts some prior empirical studies in this
literature. Our results thus differ from the general
conclusions of prior PMT meta-analyses (Floyd et al.,
2000; Milne et al., 2000), which have found all PMT
components to be useful in predicting protection
motivation. However, our results do confirm their
conclusions that the coping appraisal components of
the model tend to have stronger associations than the
threat appraisal variables. We also differ from the
general conclusions of Sommestad et al. (2015) that
PMT holds empirically in all cases and explains
security behavior even better in some cases. Our larger
sample suggests that not all PMT components are
relevant to information security behaviors. Our results
in this regard are more closely aligned to those of Cram
et al. (2019), who suggested that the full PMT
nomology may not be essential to the study of
information security.
In addressing our research questions, we make a
number of theoretical contributions. Regarding
213
Journal of the Association for Information Systems
whether PMT is a relevant theory for information
security research, we confirm that PMT does explain
information security behavior. However, there are a
number of caveats to this general conclusion.
Importantly, the decision of individuals to take
protective action is not a direct function of perceived
vulnerability and perceived severity but is rather
mediated by the emotional response of “fear.”
Importantly, this finding provides us with an
opportunity to clarify and correct the causality in the
PMT literature among threat cognitions, emotions, and
protection motivation intentions and to emphasize the
need for a more consistent approach to modeling the
threat appraisal process. The clear separation of the
cognitive (threat appraisal) and emotional (fear)
dimensions of threat helped us elaborate the causal
paths by which threat cognitions influence protection
motivation in information security. Based on our
results, we recommend that PMT should model fear as
mediating the effects of threat cognitions (perceived
vulnerability and severity) on protection motivation (a
behavioral intention). We are thus able to offer some
clarity and boundaries of PMT constructs. Given that
the fear construct has not received adequate attention
in prior empirical studies or meta-analysis of PMT and
that there has not been a consistent approach to
modeling the threat appraisal process in the literature,
this is a significant contribution to the referent theory,
at least regarding its application to information
security contexts.
Furthermore, we observed that perceived vulnerability
has low direct effects on protection motivation, and
this effect seems to be highly context specific (e.g.,
Aurigemma & Mattson, 2020) and mediated by fear.
Rogers (1983) argued that vulnerability is one of the
necessary prerequisites to eliciting protection
motivations and explained that increasing probability
of exposure to a threat increases intentions to adopt
recommended practices, especially if they are
perceived as effective. Our findings however suggest
that perceived vulnerability is important to eliciting
fear but does not directly motivate a protection
behavior. Hence, the probability of a threat may not
necessarily trigger information security behaviors until
users are fearful of that threat.
There may be a number of additional reasons for this
finding. First, as suggested by Johnston et al. (2015),
PMT logic may break down in contexts where threats
confront information assets as opposed to humans, since
we tend to assign less personal relevance to information
assets like emails than to, say, personal health or money.
Perceived vulnerability as a component of PMT may
thus be more important for motivating protection against
diseases and threats to bodily injury than to nonpersonal
threats. Unless there is a reason for personal fear,
vulnerability becomes less relevant in a threat appraisal.
214
Second, it is also known that human beings make very
poor judgments of risk. Kahneman and Tversky
(1979) have shown, through a series of behavioral
economics experiments, that we tend to overestimate
potential gains (e.g., our chances of winning a lottery)
and underestimate risks (e.g., our chance of
contracting a disease); thus, we would rather spend a
dollar buying a lottery ticket than buying insurance.
In the information security context, we may
irrationally assume that even though we see the
effects of malware or phishing attacks, we are
somehow immune to those threats. If we indeed
systematically underestimate our risks or perceived
vulnerability, it is no surprise that vulnerability may
not play a direct role in motivating our protection
behavior. Hence, although perceived vulnerability is
a logical predictor of our threat perception, cognitive
biases in our risk assessment may render this
construct less effective, and we should perhaps
examine other salient drivers of threat perceptions.
Third, unlike health behaviors, security behaviors are
often carried out in settings where the vulnerability
calculus is performed by others. In such contexts,
vulnerability assessments may not form part of a
cognitive appraisal process. Vulnerability may only
be important for certain behaviors, such as continued
performance of information security behaviors rather
than for initial engagements where response
appraisals seem to take on greater relevance
(Warkentin et al., 2016).
Fourth, we found that response appraisal has
substantially greater influence on protection motivation,
compared to threat appraisal and fear, as evidenced by
the higher average effects of response efficacy and self-
efficacy on protection motivation. The relationship
between response efficacy and protection motivation
was one of the more robust PMT relationships in our
meta-analysis (very large fail-safe N) and was relatively
consistent across information security contexts. This
observation should be of interest to PMT researchers
and practitioners because it suggests that, given limited
resources, it may be more worthwhile to invest in
“response appeals” to motivate desired security
behaviors than in fear appeals. Future research could, for
example, compare response appeals against fear appeals
against “no appeals,” comparing alternative
customizations of response messages to information
security threats, and so forth. We believe that this could
be an exciting area for future PMT research, which has
not been fully explored in the literature.
Fifth, although response cost has been emphasized as
an important factor in PMT (Boss et al., 2015), we
found response cost to be nonsignificant in our very
large sample of information security studies. While we
should write off response cost as “irrelevant” for
information security studies, it is important to

recognize that the costs of installing and maintaining
protective software such as virus scanners and
malware detectors are so low that they may not have
particular relevance in shaping one’s security
protection intentions. The monetary costs for
individuals are also often zero in organizational
settings, where organizations bear the responsibility
for installing security software and hiring security
personnel. Many other forms of security protection
involve more effort costs than financial costs, such as
changing (and remembering) passwords every six
months, using stronger passwords or two-factor
authentication, performing routine backups, and
continuous monitoring of computer slowdowns. It is
possible that response cost, if framed as effort cost,
may still play a significant role in shaping protection
motivation intentions. Response cost may still be an
important predictor of intention in non-information
security contexts such as health (Milne et al., 2000).
Finally, we extended the dependent variable in our
study from security protection intention to actual
behavior. Given that the goal of information security
research is to influence people’s behavior rather than
their intentions, and that prior studies (e.g., Sommestad
et al., 2015) have often ignored this crucial link, it was
important for us to investigate whether security
intentions indeed do translate into corresponding
security behaviors. Although our meta-analysis found
intention to be a reasonably strong predictor of
behavior, we also saw a gap between intention and
behavior, particularly when the behavior was largely
volitional and where resources and sanctions were less
likely to be present in reinforcing motivations. We
summarize our contributions to PMT in Table 11.
4.2 Moderators of PMT-Theoretic
Constructs in Information Security
Research
Regarding the conditions under which PMT best
applies to information security studies and whether the
PMT nomology changes across contexts, we found the
pattern of PMT relationships to be fairly consistent,
with a few exceptions. Specifically, our meta-analysis
revealed that culture and context do influence PMT-
informed relationships in information security studies.
We provide specific associations in the PMT
nomological network where the effects of these
moderators are most pronounced. For example, our
findings indicate that response efficacy is more salient
than self-efficacy in collectivist cultures and less
salient in individualist cultures.
Comparing security motivations in workplace versus
personal contexts, we conclude that PMT-theoretic
relationships are generally stronger in personal as
opposed to workplace contexts. This does not
A Test of PMT in the Information Security Literature
necessarily imply that PMT is not relevant to
workplace contexts; it may be that organizational
security threats may lack personal relevance (Johnston
et al., 2015) and that organizational employees may
consider their personal security behaviors to be
redundant if they expect their organization to take the
necessary steps to safeguard corporate networks and
databases—for example, deploying firewalls, virtual
private networks, and up-to-date spam filters and virus
scanning software to minimize potential security
threats. More work is needed to explore the relative
efficacy of fear appeal messaging in workplace
contexts.
Finally, our analysis shows that the strength of the link
between intention and behavior is smallest in
workplace and compliance settings. However, because
of sample size limitations, we could not explore
whether the bridge between intention and actual
behavior is weaker in more technically complex
information security contexts, as suggested elsewhere
(Cram et al., 2019).
5 Limitations
Our study is not without limitations. First, meta-
analytic studies, by their very nature, can only include
studies that report correlations and sample sizes.
Reported correlations may also be range restricted.
Hence, we could not include qualitative studies or
other quantitative studies featuring reported statistics
that could not be converted into correlation estimates.
However, our analysis of fail-safe N suggests that our
findings relate to the core PMT relationships are robust
and are unlikely to have changed based on potentially
excluded papers.
Second, although our study identified a number of
moderators salient to information security (e.g.,
culture, security context, etc.), there may be
additional moderators pertinent to information
security that were not examined in this study or that
could not be considered because of limited samples.
For example, our study does not distinguish between
different types of security threats, such as malware,
phishing, denial of service attacks, and SQL injection
attacks, because of sample size limitations. It is
possible our threat appraisal and coping appraisal
patterns may vary according to specific types of
threat, which may correspondingly have differential
effects on our security intentions or behavior. As the
body of literature in this domain grows, future
researchers may be able to consider threat differences
in their analyses and estimate their effects on security
protection motivations. Lastly, by aggregating
findings from across studies, meta-analytic work
necessarily ignores information about the specific
contexts of the original studies, and findings are
examined only in the aggregate.
215
Journal of the Association for Information Systems
Table 11. Summary of Contributions
PMT nomology What was previously known
Threat appraisal Threat appraisals motivate protection
(perceived motivation. People respond to threats that
vulnerability and are more serious and if they are personally
perceived severity) vulnerable to those threats.
Fear The role of fear as an emotional response
to threats has been downplayed relative to
cognitive appraisals in PMT. Fear has been
infrequently examined by PMT
information security researchers, and
included in only one-fifth of the articles in
our meta-analysis, and often conflated with
the cognitive (threat appraisal) process.
Response appraisal The three coping appraisal variables
(Self-efficacy, influence protection motivation, stronger
response-efficacy and than threat appraisal variables. Self-
response cost) efficacy and response cost are the
important factors, while response efficacy
tends to have inconsistent effects.
6 Future Research
We expect the findings of this meta-analysis to help
future researchers expand on PMT as they seek to
improve the conceptualization of the mechanisms
through which threat appraisal and coping appraisal
factors influence security behavior intentions and
develop a more comprehensive and nuanced
understanding of information security behaviors. By
aggregating evidence from prior studies, our results
also provide a benchmark against which future studies
can compare their effects.
In terms of potential research directions that future
PMT-based information security research may take,
first, from the perspective of research design, too few
PMT studies manipulate fear appeal and too many
studies are based on simple correlational designs that
employ single instruments, with an overreliance on
convenience sampling of students. Our analysis
suggests that studies that omit fear appeals
underestimate certain PMT-theoretic relationships. We
encourage future research to consider incorporating
fear appeals, longitudinal designs, and objective
behavioral measures to not only strengthen their
research designs but also to minimize the concerns of
common method variance that have plagued much
information security research. Furthermore, future
research should also explore the relative efficacy of
different fear appeals and source credibility effects in
216
What we found
Threat severity is a consistent predictor of protection
motivation in information security but is of low
overall effect size and is less salient than certain
coping appraisal factors. Threat vulnerability is less
salient to information security protection motivation.
Threat appraisals are also of especially limited
applicability in compliance settings (a boundary
condition to the theory), and is mediated by fear as
an emotional response.
Fear mediates the effects of threat appraisal factors
on protection motivation. Fear is however a weaker
predictor of protection motivation than coping
appraisals.
Response efficacy is the most significant predictor of
information security protection motivation. Self-
efficacy is a significant predictor but is generally less
salient than response efficacy, and has higher
salience in personal contexts and individualist
cultures. Response cost has non-significant effects,
but this effect could be higher for effort costs.
fear appeals messaging, such as those from IT or
business managers in a workplace context.
Second, we urge future researchers to consider the
potential role of response appeals, given that response
appraisal was found to have stronger effects on
security intention than threat appraisal. While it is
important to sensitize users to potential information
security threats, we find that such sensitization tends to
have smaller effects, perhaps because users do not
consider themselves vulnerable to those threats. In
such instances, response appeals may have strong
effects. While some prior studies have combined fear
and response appeals within the same treatment, it may
be useful to disentangle the two appeals using
alternative treatments so that their individual and joint
effects may be clearly estimated.
Third, future research might examine fear as a
predictor of other information security behavioral
responses not being routinely modeled in the PMT-
based information security literature. Moody et al.’s
(2018) attempt to unify the information security
theories supports fear as a predictor of other coping
responses, as suggested by theories such as the
extended parallel process model.
Fourth, because PMT effect sizes differ across cultural
contexts, careful consideration should be given to the
role of culture in future information security. Although
we tend to view culture as a national collective, based,
for example, on Hofstede’s (1991) work on national

culture, we know that people are rarely homogeneous
across entire countries. For instance, we can currently
see diversity in the responses to the current coronavirus
threat in the US population. To capture culture at a
microlevel, it may be worthwhile to measure culture at
an individual level in future PMT studies—for
instance, by measuring individual responses to
uncertainty avoidance or individualism/collectivism
dimensions of culture.
Fifth, future researchers should explore factors that
moderate the intention-behavior relationship in PMT-
based studies. In a recent paper, Jenkins et al. (2021)
validated the required effort of a behavior as a potential
moderator. Cram et al. (2019) suggested that, in
organizational contexts, factors related to the
individual employee’s personal norms and ethics are
highly relevant to their compliance behavior. PMT
does not include factors related to personal disposition
or values, which may provide an opportunity to expand
the bounds of the theory. Future work may wish to
consider how personal values interact with PMT
constructs, particularly in organizational settings. For
example, response costs may be less relevant when
protection motivation is more consistent with an
individual’s personal norms or ethics. We observed
relatively low overall fit in our MASEM models, and
more contextualized models, as suggested here, may
improve the predictive power and fit of PMT-based
models.
Lastly, it has not yet been considered whether PMT
relationships are linear or nonlinear and whether PMT
factors such as severity and vulnerability are
A Test of PMT in the Information Security Literature
substitutive, additive, or multiplicative. Our findings
suggest that perceived vulnerability and severity are
independent determinants of fear, but others argue that
PMT factors may be substitutive (e.g., Sun et al.,
2020). Examining whether these factors are
substitutive, complementary, independent, or
nonlinear may be fruitful extensions of the current
body of PMT research.
7 Conclusion
Our research was motivated by the inconsistent
patterns in prior empirical studies employing PMT in
the information security literature. We employed meta-
analytic SEM modeling to examine 112 samples from
92 published studies. Our results confirmed three of
the five PMT predictors of security motivation
intention and the relevance of fear as a mediator of the
effects of threat appraisals. Overall, our results provide
strong support for response efficacy and self-efficacy
while also challenging some of the commonly held
precepts of PMT, such as the roles of vulnerability and
response costs. The results also contribute new insights
into the influence of culture on PMT nomology, along
with differences between workplace and personal
settings and compliance versus volitional settings.
Acknowledgments
The authors are grateful to the senior editor and
anonymous reviewers for their helpful comments. We
also thank the reviewers and participants at ICIS 2017
for their comments on an early version of this work.
217
Journal of the Association for Information Systems

References *Blythe, J. M., & Coventry, J. (2018). Costly but

effective: Comparing the factors that influence
(*References marked with an asterisk were included in employee antimalware behaviours. Computers
our MASEM analysis) in Human Behavior, 87, 87-97.
*Abraham, S., & Chengalur-Smith, I. (2019). *Boehmer, J., Larose, R., Rifon, N., Alhabash, S., &
Evaluating the effectiveness of learner Cotten, S. (2015). Determinants of online safety
controlled information security training. behaviour: Towards an intervention strategy for
Computers & Security, 87, Article 101586. college students. Behaviour and Information
Technology, 34(10), 1022-1035.
*Adhikari, K., & Panda, R, K. (2018). Users’
information privacy concerns and privacy *Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G.
protection behaviors in social networks. D., & Polak, P. (2015). What do systems users
Journal of Global Marketing, 31(2), 96-110. have to fear? Using fear appeals to engender
threats and fear that motivate protective
Ajzen, I. (1991). The theory of planned behavior.
security behaviors. MIS Quarterly 39(4), 837-
Organizational Behavior and Human Decision
864.
Processes, 50(2), 179-211.
*Burns, A. J., Roberts, T. L., Posey, C., & Lowry, P.
*Ameen, N., Tarhini, A., Shah, M. H., & Madichie, N.
B. (2017). Examining the relationship of
O. (2020). Employees’ behavioural intention to
organizational insiders’ psychological capital
smartphone security: A gender-based, cross-
with information security threat and coping
national study. Computers in Human Behavior,
appraisals. Computers in Human Behavior, 68,
104, Article 106184.
190-209.
Anderson, C. L., & Agarwal, R. (2010). Practicing safe
*Chang, S. H. (2017). The influence of information
computing: A multimethod empirical
security stress on security policy compliance: A
examination of home computer user security
protection motivation theory perspective
behavioral intentions. MIS Quarterly, 34(3),
[Master’s thesis]. National Sun Yat-sen
613-643.
University.
*Aurigemma, S., & Mattson, T. (2020). Generally
*Chen, Y., & Zahedi, F. M. (2016). Individuals’
speaking, context matters: Making the case for
internet security perceptions and behaviors:
a change from universal to particular ISP
Polycontextual contrasts between the United
research. Journal of the Association for
States and China. MIS Quarterly, 40, 205-222.
Information Systems, 20(12), 1700-1742.
*Chenoweth, T., Minch, R., & Gattiker, T. (2009).
*Aurigemma, S., & Mattson, T. (2018). Exploring the
Application of protection motivation theory to
effect of uncertainty avoidance on taking
adoption of protective technologies.
voluntary protective security actions.
Proceedings of the 42nd Hawaii International
Computers & Security, 73, 219-234.
Conference on System Sciences.
*Ayyagari, R., Lim, J., & Hoxha, O. (2019). Why do
*Chiang, C. Y., & Tang, X. (2020). Use public Wi-Fi?
not we use password managers? A study on the
Fear arouse and avoidance behavior. Journal of
intention to use password managers.
Computer Information Systems,
Contemporary Management Research, 15(4),
DOI:10.1080/08874417.2019.1707133.
227-245.
*Chou, H. L., & Chou, C. (2016). An analysis of
*Barlette, Y., Gundolf, K., & Jaouen, A. (2015).
multiple factors relating to teachers'
Toward a better understanding of SMB CEOs'
problematic information security behavior.
information security behavior: Insights from
Computers in Human Behavior, 65, 334-345.
threat or coping appraisal. Journal of
Intelligence Studies in Business, 50(1), 5-17. Ciganek, A. P., Jarupathirun, S., & Zo, H. (2004). The
role of national culture and gender on
* Bélanger, F., Collignon, S., Enget, K., & Negangard,
information elements in e-commerce: A pilot
E. (2017). Determinants of early conformance
study on trust. Proceedings of the Tenth
with information security policies. Information
Americas Conference on Information Systems.
& Management, 54, 887-901.
*Comesongsri, V. (2010). Motivations for the
*Beugre, G. M. (2019). Perceived behaviors and
avoidance of phishing threat [Doctoral
security compliance intention of employees
dissertation). ProQuest Dissertations and
processing big data: A correlational study
Theses database, No. 3421381)
[Doctoral dissertation]. ProQuest Dissertations
and Theses database, No. 27664294.

218

Craighead, C. W., Ketchen, D. J., Dunn, K. S., & Hult,
G. T. M. (2011). Addressing common method
variance: Guidelines for survey research on
information technology, operations, and supply
chain management. IEEE Transactions on
Engineering Management, 58(3), 578-588.
Cram, W. A., D’Arcy, J., & Proudfoot, J. G. (2019).
Seeing the forest and the trees: A meta-analysis
of the antecedents to information security
policy compliance. MIS Quarterly, 43(2), 525-
554.
Crossler, R., & Bélanger, F. (2014). An extended
perspective on individual security behaviors:
Protection motivation theory and a unified
security practices (USP) instrument. Data Base
for Advances in Information Systems, 45(4), 51-
71.
*Crossler, R. E., Long, J. H., Loraas, T. M., & Trinkle,
B. S. (2014). Understanding compliance with
bring your own device policies utilizing
protection motivation theory: Bridging the
intention-behavior gap. Journal of Information
Systems, 28(1), 209-226.
*Crossler, R. E., Andoh-Baidoo, F. K., & Menard, P.
(2019). Espoused cultural values as antecedents
of individuals’ threat and coping appraisal
toward protective information technologies:
Study of U.S. and Ghana. Information &
Management, 56, 754-766.
Cry, D. (2008). Modeling web site design across
culture: Relationships to trust, satisfaction, and
e-loyalty. Journal of Management Information
Systems, 24(4), 47-72.
Culnan, M. J., Foxman, E. R., & Ray, A. W. (2008).
Why IT executives should help employees
secure their home computers. MIS Quarterly
Executive, 7(1), 49-56.
*Dang-Pham, D., & Pittayachawan, S. (2015).
Comparing intention to avoid malware across
contexts in a BYOD-enabled Australian
university: A protection motivation theory
approach. Computers & Security, 48, 281-297.
*Doane, A. N., Boothe, L. G., Pearson, M. R., &
Kelley, M. L. (2016). Risky electronic
communication behaviors and cyberbullying
victimization: An application of protection
motivation theory. Computers in Human
Behavior, 60, 508-513.
Doney, P. M., Cannon, J. P., & Mullen, M. R. (1998).
Understanding the influence of national culture
on the development of trust. Academy of
Management Review, 23(3), 601-620.
A Test of PMT in the Information Security Literature
Dwivedi, Y. K., Rana, N. P., Jeyaraj, A., Clement, M.,
& Williams, M. D. (2019). Re-examining the
unified theory of acceptance and use of
technology (UTAUT): Towards a revised
theoretical model. Information Systems
Frontiers, 21(3), 719-734.
FBI, 2017. (2017). Internet crime report.
https://pdf.ic3.gov/2017_IC3Report.pdf
Floyd, D. L., Prentice-Dunn, S., & Rogers, R. W.
(2000). A meta-analysis of research on
protection motivation theory. Journal of
Applied Social Psychology, 30(2), 407-429.
Furnell, S., & Thomson, K. L. (2009). From culture to
disobedience: Recognising the varying user
acceptance of IT security. Computer Fraud &
Security, 2, 5-10.
Gerow, J. E., Ayyagari, R., Thatcher, J. B., & Roth, P.
L. (2013). Can we have fun@ work? The role
of intrinsic motivation for utilitarian systems.
European Journal of Information Systems,
22(3), 360-380.
Gibbs, J. P. (1968). Crime, punishment, and deterrence.
Southwestern Social Science Quarterly, 48(4),
515-530.
Glass, G. V. (1976). Primary, secondary, and meta-
analysis of research. Educational Researcher,
5(10), 3-8.
*Grimes, M., & Marquardson, J. (2019). Quality
matters: Evoking subjective norms and coping
appraisals by system design to increase security
intentions. Decision Support Systems, 119, 23-
34.
*Gurung, A., Luo, X., & Liao, Q. (2009). Consumer
motivations in taking action against spyware:
An empirical investigation. Information
Management and Computer Security, 17(3),
276-289.
*Hanus, B., & Wu, Y. (2016). Impact of users' security
awareness on desktop security behavior: A
protection motivation theory perspective.
Information Systems Management, 33(1), 2-16.
*Hanus, B., Windsor, J. C., & Wu, Y. (2018).
Definition and multidimensionality of security
awareness: Close encounters of the second
order. Data Base for Advances in Information
Systems, 49, 103-133.
He, J. & King, W. (2008). The role of user participation
in information systems development:
Implications from a meta-analysis. Journal of
Management Information Systems, 25(1), 301-
331.
219
Journal of the Association for Information Systems
Hedges, L., & Olkin, I. (1985). Statistical methods for
meta-analysis. Academic Press, Orlando, FL.
*Herath, T., & Rao, H. R. (2009). Protection
motivation and deterrence: A framework for
security policy compliance in organisations.
European Journal of Information Systems,
18(2), 106-125.
*Heidt, M., & Olt, C. M. (2019). To (psychologically)
own data is to protect data: How psychological
ownership determines protective behavior in a
work and private context. Proceedings of the
14th International Conference on
Wirtschaftsinformatik.
*Herath, T. (2008). Essays on information security
practices in orgnizations [Doctoral
dissertation]. ProQuest Dissertations and
Theses database, No. 3320381)
*Hina, S., Selvam, D. D. D. P., & Lowry, P. B. (2019).
Institutional governance and protection
motivation: Theoretical insights into shaping
employees’ security compliance behavior in
higher education institutions in the developing
world. Computers & Security, 87, Article
101594.
Hofstede, G. (1980). Culture’s consequences. SAGE.
Hofstede, G. (1991). Cultures and organizations:
software of the mind. McGraw-Hill.
*Hooper, V., & Blunt, C. (2019). Factors influencing
the information security behaviour of IT
employees. Behaviour & Information
Technology, 29(8), 862-874.
*Hovav, A., & Putri, F. F. (2016). This is my device!
Why should I follow your rules? Employees’
compliance with BYOD security policy.
Pervasive & Mobile Computing, 32, 35-49.
*Humaidi, N., & Balakrishnan, V. (2015). The
moderating effect of working experience on
health information system security policies
compliance behaviour. Malaysian Journal of
Computer Science, 28(2), 70-92.
Hung, S. Y., Yu, A. P. I., Hung, Y. L., Chen, K., &
Hung, H. T. (2019). Factors influencing
attitudes towards patients’ personal information
protection. Proceedings of the Pacific Asia
Conference on Information Systems.
Hunter, J. E., & Schmidt, F. L. (2004). Methods of
meta-analysis correcting error and bias in
research findings. SAGE.
Hwang, Y., & Lee, K. C. (2012). Investigating the
moderating role of uncertainty avoidance
cultural values on multidimensional online trust.
Information & Management, 49, 171-176.
220
*Ifinedo, P. (2012). Understanding information
systems security policy compliance: An
integration of the theory of planned behavior
and the protection motivation theory.
Computers & Security, 31(1), 83-95.
*Iriqat, Y. M., Ahlan, A. R., & Molok, N. N. (2019).
Information security policy perceived
compliance among staff in Palestine
universities: An empirical pilot study.
Proceedings of the IEEE Jordan International
Joint Conference on Electrical Engineering
and Information Technology (pp. 580-585).
*James, T. L., Wallace, L., Warkentin, M., Kim, B. C.,
& Collignon, S. E. (2017). Exposing others’
information on online social networks (OSNs):
Perceived shared risk, its determinants, and its
influence on OSN privacy control use.
Information & Management, 54, 851-865.
*Jansen, J., & van Schaik, P. (2018). Testing a model
of precautionary online behaviour: The case of
online Banking. Computers in Human Behavior,
87, 371-383.
*Jansen, J., Veenstra, S., Zuurveen, R., & Stol, W.
(2016). Guarding against online threats: Why
entrepreneurs take protective measures.
Behaviour and Information Technology, 35(5),
368-379
*Jansen, J., & van Schaik, P. (2017). Comparing three
models to explain precautionary online
behavioural intentions. Information &
Computer Security, 25(2), 165-180.
Jenkins, J., Durcikova, A., & Nunamaker Jr, J. F.
(2021). Mitigating the Security Intention-
Behavior Gap: The Moderating Role of
Required Effort on the Intention-Behavior
Relationship. Journal of the Association for
Information Systems, 22(1), 246-272.
*Johnston, A. C., & Warkentin, M. (2010). Fear
appeals and information security behaviors: An
empirical study. MIS Quarterly, 34(3), 549-566.
*Johnston, A. C., Warkentin, M., & Siponen, M.
(2015). An enhanced fear appeal rhetorical
framework: Leveraging threats to the human
asset through sanctioning rhetoric. MIS
Quarterly, 39(1), 113-134.
Joseph, D., Ng, K. Y., Koh, C., & Ang, S. (2007).
Turnover of information technology
professionals: A narrative review, meta-
analytic structural equation modeling, and
model development. MIS Quarterly, 31(3),
547-577.

Kahneman, D., & Tversky, A. (1979). Prospect Theory:
An Analysis of Decision under Risk.
Econometrica, 47(2), 263-292.
*Kim, T. S., & Kim, A. (2016). Factors influencing the
intention to adopt identity theft protection
services: severity vs. vulnerability.
Proceedings of Pacific Asia Conference on
Information Systems.
Komatsu, A., Takagi, D., & Takemura, T. (2013).
Human aspects of information security: An
empirical study of intentional versus actual
behavior. Information Management &
Computer Security, 21(1), 5-15.
Lazarus, R. (1991). Cognition and motivation in
emotion. American Psychologist, 46, 352-367.
*Lee, D., Larose, R., & Rifon, N. (2008). Keeping our
network safe: A model of online protection
behavior. Behaviour and Information
Technology, 27(5), 445-454.
*Lee, Y., & Larsen, K. R. (2009). Threat or coping
appraisal: Determinants of SMB executives'
decision to adopt anti-malware software.
European Journal of Information Systems,
18(2), 177-187.
Leventhal, H. (1970). Findings and theory in the study
of fear communications. In L. Berkowitz (Ed.),
Advances in experimental social psychology
(Vol. 5, pp. 119-186). Academic Press.
*Li, L., He, W., Xu, L., Ash, I., Anwar, M., & Yuan,
X. (2019). Investigating the impact of
cybersecurity policy awareness on employees’
cybersecurity behavior. International Journal
of Information Management, 45, 13-24.
*Li, Y., Wang, J., & Rao, H. R. (2017). Adoption of
identity protection service: An integrated
protection motivation–precaution adoption
process model. Proceedings of the Americas
Conference on Information Systems.
Liang, H., & Xue, Y. L. (2010). Understanding
security behaviors in personal computer usage:
A threat avoidance perspective. Journal of the
Association for Information Systems, 11(7),
394-413.
*Lwin, M. O., Li, B., & Ang, R. P. (2012). Stop
bugging me: An examination of adolescents’
protection behavior against online harassment.
Journal of Adolescence, 35(1), 31-41.
Mandrella, M., Trang, S., & Kolbe, L. M. (2020).
Synthesizing and integrating research on IT-
based value co-creation: A meta-analysis.
Journal of the Association for Information
Systems, 21(2), 388-427.
A Test of PMT in the Information Security Literature
*Marett, K., Mcnab, A. L., Harris, R., Marett, K., &
Harris, R. (2011). Social networking websites
and posting personal information: an evaluation
of protection motivation theory. AIS
Transactions on Human-Computer Interaction,
3, 170-188.
*Martens, M., Wolf, R. D., & Marez, L. D. (2019).
Investigating and comparing the predictors of
the intention towards taking security measures
against malware, scams and cybercrime in
general. Computers in Human Behavior, 92,
139-150.
*Matt, C., & Peckelsen, P. (2016). Sweet idleness, but
why? How cognitive factors and personality
traits affect privacy-protective behavior.
Proceedings of the Hawaii International
Conference on System Sciences.
*Menard, P., Bott, G. J., & Crossler, R. E. (2017). User
motivations in protecting information security:
Protection motivation theory versus self-
determination theory. Journal of Management
Information Systems, 34(4), 1203-1230.
*Menard, P., Warkentin, M., & Lowry, P. B. (2018).
The impact of collectivism and psychological
ownership on protection motivation: A cross-
cultural examination. Computers & Security, 75,
147-166.
Meso, P., Ding, Y., & Xu, S. (2013). Applying
protection motivation theory to information
security training for college students. Journal of
Information Privacy and Security, 9(1), 47-67.
*Mills, A.M., & Sahi, N. (2019). An empirical study
of home user intentions towards computer
security. Proceedings of the 52nd Hawaii
International Conference on System Sciences,
4834-4840.
Milne, S., Sheeran, P., & Orbell, S. (2000). Prediction
and intervention in health-related behavior: A
meta-analytic review of protection motivation
theory. Journal of Applied Social Psychology,
30(1), 106-143.
*Mohamed, N., & Ahmad, I. H. (2012). Information
privacy concerns, antecedents and privacy
measure use in social networking sites:
Evidence from malaysia. Computers in Human
Behavior, 28(6), 2366-2375.
Montazemi, A. R., Pittaway, J. J., Saremi, H. Q., &
Wei, Y. (2012). Factors of stickiness in
transfers of know-how between MNC units.
Journal of Strategic Information Systems, 21(1),
31-57.
*Moody, G. D., Siponen, M., & Pahnila, S. (2018).
Toward a unified model of information security
221
Journal of the Association for Information Systems
policy compliance. MIS Quarterly, 42(1), 285-
311.
*Mousavi, R., Chen, R., Kim D. J., & Chen, K. (2020).
Effectiveness of privacy assurance mechanisms
in users’ privacy protection on social
networking sites from the perspective of
protection motivation theory. Decision Support
Systems, 135, Article 113323.
*Mousavizadeh, M., & Kim, D. (2015). A study of the
effect of privacy assurance mechanisms on self-
disclosure in social networking sites from the
view of protection motivation theory.
Proceedings of the Americas Conference on
Information Systems.
*Mwagwabi, F., McGill, T., & Dixon, M. (2018).
Short-term and Long-term effects of fear
appeals in improving compliance with
password guidelines. Communications of the
Association for Information Systems, 42, 147-
182.
*Ngugi, B., & Kamis, A. (2013). Modeling the impact
of biometric security on millennials' protection
motivation. Journal of Organizational and End
User Computing, 25(4), 27-49.
*Olt, C. M., & Wagner, A. (2020). Having two
conflicting goals in mind: The tension between
is security and privacy when avoiding threats.
Proceedings of the Hawaii International
Conference on System Sciences.
*Ophoff, J., & Lakay, M. (2018). Mitigating the
ransomware threat: a protection motivation
theory approach. Proceedings of the
International Information Security Conference
(pp. 163-175).
Orwin, R. G. (1983). A fail-safe n for effect size in
meta-analysis. Journal of Educational Statistics,
8(2), 157-159.
*Pahnila, S., Karjalainen, M., & Siponen, M. (2013).
Information security behavior: Towards
multistage models. Proceedings of Pacific Asia
Conference on Information Systems.
Palmer, D. (2020). Cybersecurity: Half of employees
admit they are cutting corners when working
from home. ZDNet. https://www.zdnet.com/
article/cybersecurity-half-of-employees-admit-
they-are-cutting-corners-when-working-from-
home/
Posey, C., Roberts, T., & Lowry, P. B. (2015). The
impact of organizational commitment on
insiders’ motivation to protect organizational
information assets. Journal of Management
Information Systems, 32(4), 179-214
222
*Posey, C., Roberts, T., Lowry, P. B., Courtney, J., &
Bennett, B. (2011). Motivating the insider to
protect organizational information assets:
Evidence from protection motivation theory
and rival explanations. Proceedings of the
Dewald Roode Workshop on Information
Systems Security (pp. 22-23).
*Rajab, M., & Eydgahi, A. (2019). Evaluating the
explanatory power of theoretical frameworks
on intention to comply with information
security policies in higher education.
Computers & Security, 80, 211-223.
Rogers, R. W. (1975). A protection motivation theory
of fear appeals and attitude change. Journal of
Psychology, 91, 93-114.
Rogers, R. W. (1983). Cognitive and physiological
processes in fear appeals and attitude change: A
revised theory of protection motivation. In J. T.
Cacioppo & R. E. Petty, (Eds.), Social
psychophysiology: A source book (pp. 153-176).
Guilford Press.
Rosenthal, R. (1979). The “file drawer” problem and
tolerance for null results. Psychological
Bulletin, 86, 638-641.
*Safa, N. S., Sookhak, M., Solms, R. V., Furnell, S.,
Ghani, N. A., & Herawan, T. (2015).
Information security conscious care behaviour
formation in organizations. Computers &
Security, 53, 65-78.
Schepers, J., & Wetzels, M. (2007). A meta-analysis of
the technology acceptance model: Investigating
subjective norm and moderation effects.
Information & Management, 44(1), 90-103.
Schuetz, S. W., Lowry, P. B., Pienta, D. A., & Thatcher,
J. B. (2020). The effectiveness of abstract
versus concrete fear appeals in information
security. Journal of Management Information
Systems, 37(3), 723-757.
Shaw, R., Chen, C. C., Harris, A. L., & Huang, H. J.
(2009). The impact of information richness on
information security awareness training
effectiveness. Computers and Education, 52(1),
92-100.
*Simonet, J., & Teufel, S. (2019). The influence of
organizational, social and personal factors on
cybersecurity awareness and behavior of home
computer users. In G. Dhillon, F. Karlsson, K.
Hedström, A. Zúquete (Eds.), ICT systems
security and privacy protection: SEC 2019 (vol.
562, pp. 194-208). Springer.
*Siponen, M., Pahnila, S., & Mahmood, A. (2007).
Employees’ adherence to information security
policies: An empirical study. IFIP International

Federation for Information Processing, 232,
133-144.
*Siponen, M., Mahmood, M. A., & Pahnila, S. (2014).
Employees’ adherence to information security
policies: An exploratory field study.
Information & Management, 51(2), 217-224.
*Sonnenschein, R., Loske, A., & Buxmann, P. (2016).
Gender differences in mobile users’ it security
appraisals and protective actions: findings from
a mixed-method study. Proceedings of
International Conference on Information
Systems.
*Sommestad, T., Karlzén, H., & Hallberg, J. (2015).
The sufficiency of the theory of planned
behavior for explaining information security
policy compliance. Information & Computer
Security, 23(2), 200-217.
Sommestad, T., Karlzén, H., & Hallberg, J. (2015). A
meta-analysis of studies on protection
motivation theory and information security
behaviour. International Journal of
Information Security and Privacy, 9(1), 26-46.
Straub, D., Keil, M., & Brenner, W. (1997). Testing
the technology acceptance model across
cultures: A three country study. Information &
Management, 33(1), 1-11.
Sun, Y., Wang, N., & Shen, X. L. (2020). Toward a
configurational protection motivation theory.
Proceedings of the Hawaii International
Conference on System Sciences.
*Taneja, A., Vitrano, J., & Gengo, N. J. (2014).
Rationality-based beliefs affecting individual’s
attitude and intention to use privacy controls on
Facebook: An empirical investigation.
Computers in Human Behavior, 38, 159-173.
Tannenbaum, M. B., Hepler, J., Zimmerman, R. S.,
Saul, L., Jacobs, S., Wilson, K., & Albarracín,
D. (2015). Appealing to fear: A meta-analysis
of fear appeal effectiveness and theories.
Psychological Bulletin, 141(6), 1178.
*Thompson, N., McGill, T. J. & Wang, X. (2017).
Security begins at home”: Determinants of
home computer and mobile device security
behavior. Computers & Security 70, 376-391.
Trang, S., & Brendel, B. (2019). A meta-analysis of
deterrence theory in information security policy
compliance research. Information Systems
Frontiers, 21(6), 1265-1284.
*Tsai, H. Y. S., Jiang, M., Alhabash, S., Larose, R.,
Rifon, N. J., & Cotten, S. R. (2016).
Understanding online safety behaviors: A
protection motivation theory perspective.
Computers & Security, 59, 138-150.
A Test of PMT in the Information Security Literature
*Tu, C. Z., Adkins, J., & Zhao, G. Y. (2018).
Complying with BYOD security policies: A
moderation model. Proceedings of the Midwest
Association for Information Systems
Conference.
*Tu, Z., Turel, O., Yuan, Y., & Archer, N. (2015).
Learning to cope with information security
risks regarding mobile device loss or theft: An
empirical examination. Information &
Management, 52(4), 506-517.
*Tu, Z., Yuan, Y., & Archer, N. (2014). Understanding
user behaviour in coping with security threats
of mobile device loss and theft. International
Journal of Mobile Communications, 12(6), 603.
*Vance, A., Siponen, M., Pahnila, S., Vance, A.,
Siponen, M., & Pahnila, S. (2012). Motivating
is security compliance: Insights from habit and
protection motivation theory. Information &
Management, 49(3-4), 190-198.
*Vedadi, A., & Warkentin, M. (2020). Can secure
behaviors be contagious? A two-stage
investigation of the influence of herd behavior
on security decisions. Journal of the
Association for Information Systems, 21(2),
428-459.
*Verkijika, F. S. (2018). Understanding smartphone
security behaviors: An extension of the
protection motivation theory with anticipated
regret. Computers & Security, 77, 860-870.
Viswesvaran, C., & Ones, D. S. (1995). Theory testing:
combining psychometric meta-analysis and
structural equations modelling. Personnel
Psychology, 48, 865-885.
*Wang, J., Yazdanmehr, A., Li, Y,. & Rao, H. R.
(2017). Opting for identity theft protection
services: The role of anticipated distress.
Proceedings of the International Conference on
Information Systems.
*Warkentin, M., Johnston, A. C., Shropshire, J., &
Bennett, W. (2016). Continuance of protective
security behavior: A longitudinal study.
Decision Support Systems, 92, 25-35.
Witte, K. (1992). Putting the fear back into fear appeals:
the extended parallel process model.
Communications Monographs, 59(4), 329-349.
Wolf, F. M. (1986). Meta-analysis: Quantitative
methods for research synthesis. SAGE.
*Workman, M., Bommer, W. H., & Straub, D. (2008).
Security lapses and the omission of information
security measures: A threat control model and
empirical test. Computers in Human Behavior,
24(6), 2799-2816.
223
Journal of the Association for Information Systems
*Workman, M., Bommer, W. H., & Straub, D. (2009).
The amplification effects of procedural justice
on a threat control model of information
systems security behaviours. Behaviour and
Information Technology, 28(6), 563-575.
*Wottrich, V. M., Reijmersdal, E. A. V., & Smit, E. G.
(2019). App users unwittingly in the spotlight:
A model of privacy protection in mobile apps.
Journal of Consumer Affairs, 53(3), 1056-1083.
*Yang, C. G., & Lee, H. J. (2016). A study on the
antecedents of healthcare information
protection intention. Information Systems
Frontiers, 18(2), 253-263.
*Yoon, C., Hwang, J. W., & Kim, R. (2012). Exploring
factors that influence students’ behaviors in
information security. Journal of Information
Systems Education, 23(4), 407-416.
224
*Yoon, C., & Kim, H. (2013). Understanding
computer security behavioral intention in the
workplace: An empirical study of Korean firms.
Information Technology and People, 26(4),
425-456.
*Youn, S. (2009). Determinants of online privacy
concern and its influence on privacy protection
behaviors among young adolescents. Journal of
Consumer Affairs, 43(3), 389-418.
*Zahedi, F. M., Abbasi, A., & Chen, Y. (2015). Fake-
website detection tools: Identifying elements
that promote individuals’ use and enhance their
performance. Journal of the Association for
Information Systems, 16(6), 448-484.
* Zhang, L., & McDowell, W. C. (2009). Am I really
at risk? Determinants of online users' intentions
to use strong passwords. Journal of Internet
Commerce, 8(3), 180-197.
 A Test of PMT in the Information Security Literature

Appendix A
Table A1. Moderator Analysis
Construct Q-value Critical Personal Workplace Z-value Student Non- Z-value Collectivist Individualist Z-value Low High Z-value
pair value context context student uncertainty uncertainty
avoidance avoidance
PSE-PVU 4051 110.9 0.261 0.309 -4.478 0.234 0.352 -9.310 0.399 0.262 8.804 0.286 0.269 1.473
(18141) (12338) (6771) (22150) (3759) (24673) (18725) (9707)
PSE-REF 2630 107.5 0.227 0.280 -4.734 0.227 0.274 -3.560 0.401 0.225 10.656 0.242 0.264 -1.862
(16921) (11891) (6672) (20582) (3367) (24519) (18347) (9539)
PSE-REC 632 71.0 -0.015 -0.106 5.910 -0.010 -0.080 3.407 -0.168 -0.048 -3.605 -0.067 -0.016 -3.045
(9400) (7538) (2864) (13381) (937) (15075) (10694) (5318)
PSE-SEF 1936 107.5 0.162 0.212 -4.402 0.192 0.193 -0.075 0.282 0.165 6.898 0.183 0.174 0.737
(18032) (12032) (6876) (21630) (3591) (24426) (18478) (9539)
PSE-FR 115 23.7 0.466 0.271 6.549 0.363 0.427 -2.295 - 0.386 - 0.401 - -
(2379) (1284) (1829) (1834) (3425) (3663)
PSE-PM 1247 104.1 0.273 0.253 1.707 0.276 0.289 -1.051 0.369 0.252 5.974 0.261 0.269 -0.063
(17793) (9781) (7986) (18030) (2327) (24321) (17721) (8927)
PSE-ACB 224 33.9 0.179 0.307 -6.012 0.187 0.255 -2.687 0.346 0.205 5.241 0.215 0.297 -3.209
(4035) (3765) (1853) (5947) (1524) (5155) (4831) (1848)
PVU-REF 3199 105.3 0.093 0.097 -0.332 0.081 0.115 2.359 0.162 0.081 4.331 0.096 0.077 1.506
(16738) (11349) (6150) (20379) (3137) (24024) (17622) (9539)
PVU-REC 732 68.7 0.114 0.048 4.303 0.136 0.060 3.444 0.135 0.082 1.393 0.086 0.080 0.383
(10471) (6996) (2342) (14432) (707) (15834) (9630) (6911)
PVU-SEF 3015 109.8 -0.005 0.090 -8.167 0.012 0.062 -3.606 0.148 0.021 7.372 0.065 -0.030 7.927
(19745) (11720) (6657) (23462) (3803) (25827) (18498) (11132)
PVU-FR 141 22.4 0.438 0.463 -0. 863 0.455 0.442 0.449 - 0.439 - 0.447 - -
(1857) (1284) (1307) (1834) (2903) (3141)
PVU-PM 1722 104.1 0.113 0.176 -5.090 0.101 0.161 -4.518 0.182 0.140 1.897 0.164 0.081 6.808
(19362) (9239) (7623) (19420) (2097) (25578) (17155) (10520)
PVU-ACB 313 37.7 0.099 0.186 -4.311 0.147 0.131 0.650 0.213 0.120 3.562 0.163 0.091 3.329
(5772) (3977) (1997) (7752) (1736) (6892) (5187) (3441)
REF-REC 1043 71.0 -0.114 -0.199 5.660 -0.057 -0.180 6.367 -0.138 -0.152 0.424 -0.181 -0.052 -7.823
(9562) (7538) (3240) (13167) (937) (15237) (10856) (5318)
REF-SEF 30 109.8 0.405 0.376 3.010 0.383 0.395 -1.032 0.368 0.390 -1.391 0.413 0.325 8.699
(17332) (13972) (6958) (22788) (3288) (27090) (18300) (12078)
REF-FR 166 26.3 0.138 -0.057 5.897 0.033 0.114 -2.694 - 0.083 - 0.081 - -
(3094) (1284) (2205) (2173) (4140) (4378)
REF-PM 2358 108.7 0.421 0.308 11.359 0.344 0.396 -4.560 0.491 0.355 7.725 0.389 0.310 7.616
(17926) (13103) (7780) (21691) (2310) (27793) (18412) (11691)
REF-ACB 197 32.7 0.268(291 0.358 -4.147 0.252 0.335 -3.365 0.365 0.296 2.335 0.341 0.239 4.588
4) (4228) (1853) (5289) (1070) (6072) (4377) (2765)

225
Journal of the Association for Information Systems

REC-SEF 1754 69.8 -0.233 -0.197 -2.475 -0.172 -0.218 2.456 -0.075 -0.211 3.614 -0.232 -0.129 -6.856
(11155) (7002) (3240) (14224) (707) (16524) (10320) (6911)
REC-FR 130 18.3 -0.012 0.033 -1.212 0.005 0.012 -0.190 - 0.009 - 0.009 - -
(1674) (1284) (1556) (1402) (2958) (2958)
REC-PM 1287 69.8 -0.147 -0.199 3.428 -0.135 -0.223 5.033 -0.186 -0.162 -0.735 -0.188 -0.061 -8.066
(11694) (6285) (3978) (13308) (937) (16116) (11016) (6037)
REC-ACB 74 16.9 -0.107 -0.309 5.895 -0.165 -0.168 0.060 - -0.172 - -0.172 -0.06 -3.295
(2859) (1063) (443) (3479) (3720) (3720) (1795)
SEF-FR 107 26.3 0.092 -0.081 5.220 0.014 0.060 -1.523 - 0.038 - 0.041 - -
(3094) (1284) (2205) (2173) (4140) (4378)
SEF-PM 2261 104 0.429 0.361 6.913 0.443 0.406 3.422 0.399 0.395 0.105 0.433 0.312 12.113
(19327) (11862) (7802) (21829) (2080) (28183) (17372) (12891)
SEF-ACB 332 37.7 0.316 0.388 -4.149 0.304 0.365 -2.757 0.375 0.344 1.336 0.405 0.238 8.968
(5772) (4588) (1997) (8363) (1736) (7503) (4881) (4358)
FR-PM 254 22.4 0.317 0.174 4.281 0.278 0.257 0.838 - 0.266 - 0.266 - -
(2050) (1284) (1738) (1596) (3334) (3334)
FR-ACB 36 12.6 0.211 0.039 (757) 3.690 0.331 0.094 5.106 - 0.157 - 0.162 - -
(1081) (649) (1189) (1600) (1838)
PM-ACB 951 25.0 0.342 0.575 -12.911 0.349 0.484 -4.013 - 0.458 - 0.436 0.480 -2.216
(3073) (4784) (657) (7200) (7655) (2201) (5656)

Table A1. Moderator Analysis (Continued)

Construct Q- Critical General Specific Z-value Policy Volitional Z-value Fear No Z-value
pair value value compliance manipulation manipulation
PSE-PVU 4051 110.9 0.335 0.212 11.189 0.363 (6539) 0.255 8.568 0.183 (8828) 0.338 -13.203
(19374) (11105) (23940) (21651)
PSE-REF 2630 107.5 0.215 0.315 -8.491 0.254 (6092) 0.253 0.074 0.239 (9153) 0.261 -1.854
(19728) (9084) (22720) (19659)
PSE-REC 632 71.0 -0.049 -0.082 2.070 -0.018 (2957) -0.081 3.120 -0.115 (4575) -0.034 -4.680
(10837) (6101) (13981) (11841)
PSE-SEF 1936 107.5 0.171 0.207 -3.101 0.220 (6233) 0.173 3.436 0.178 (9136) 0.191 -1.073
(19341) (10723) (23831) (20928)
PSE-FR 236 25.0 0.444 0.364 4.361 0.601 (194) 0.371 3.710 0.378 (1920) 0.436 -4.072
(2284) (1379) (3469) (1743)
PSE-PM 1247 104.1 0.289 0.236 4.645 0.301 (5026) 0.251 3.470 0.253 (8665) 0.271 -1.479
(16341) (11233) (22548) (18085)
PSE-ACB 224 33.9 0.253 0.166 3.432 0.322 (3202) 0.166 7.223 0.363 (398) 0.215 3.136
(5929) (1871) (4598) (7402)
PVU-REF 3199 105.3 0.099 0.089 0.789 0.196 (5550) 0.059 9.307 0.104 (8631) 0.090 1.016
(19003) (9020) (22537) (19456)
PVU-REC 732 68.7 0.073 0.088 -0.951 0.094 (2415) 0.075 0.873 0.047 (4575) 0.099 -3.038
(11366) (6101) (15052) (12892)

226
 A Test of PMT in the Information Security Literature

PVU-SEF 3015 109.8 0.047 0.035 1.016 0.143 (5921) 0.009 9.364 -0.0002 (8614) 0.063 -5.011
(20795) (10882) (25756) (23063)
PVU-FR 551 23.7 0.435 0.456 1.724 0.388 (194) 0.456 -1.705 0.455 (1398) 0.435 -1.766
(1762) (1379) (2947) (1743)
PVU-PM 1722 104.1 0.153 0.130 1.943 0.227 (4484) 0.114 7.163 0.154 (8665) 0.135 1.504
(17209) (11392) (24117) (19634)
PVU-ACB 313 37.7 0.179 -0.046 8.820 0.172 (3202) 0.114 2.745 0.186 (398) 0.129 1.138
(7878) (1871) (6547) (9351)
REF-REC 1043 71.0 -0.149 -0.172 1.487 -0.029 (2957) -0.210 9.104 -0.207 (4361) -0.131 -4.418
(10837) (6263) (14143) (11841)
REF-SEF 30 109.8 0.388 0.396 -0.772 0.335 (6312) 0.411 -6.272 0.353 (9315) 0.412 -5.593
(21660) (9644) (24992) (21989)
REF-FR 180 27.6 0.025 0.130 -2.957 0.490 (194) 0.026 6.777 0.100 (1398) 0.054 0.886
(2623) (1755) (4184) (2082)
REF-PM 2358 108.7 0.396 0.334 6.131 0.332 (6487) 0.381 -4.002 0.280 (8468) 0.421 -12.530
(19114) (11915) (24542) (21088)
REF-ACB 197 32.7 0.304 0.333 -0.835 0.314 (3665) 0.304 0.467 0.278 (398) 0.314 -0.762
(6392) (750) (3477) (6744)
REC-SEF 1754 69.8 -0.178 -0.260 5.520 -0.055 (2421) -0.267 10.007 -0.346 (4361) -0.135 -12.845
(11894) (6263) (15736) (12898)
REC-FR 130 18.3 0.160 -0.078 6.497 - 0.009 - -0.052 (1303) 0.284 -7.516
(1397) (1561) (2958) (757)
REC-PM 1287 69.8 -0.211 -0.126 (6593) -5.656 -0.105 (2957) -0.199 4.785 -0.206 (4157) -0.152 -3.123
(11386) (15022) (12742)
REC-ACB 74 16.9 -0.201 -0.090 -2.226 -0.137 (500) -0.181 0.941 - -0.174 -
(3487) (435) (3422) (3827)
SEF-FR 107 27.6 -0.028 0.102 -4.260 0.373 (194) -0.003 5.352 0.062 (2296) 0.011 1.833
(2623) (1755) (4184) (2082)
SEF-PM 2261 104 0.402 0.389 1.309 0.423 (5246) 0.389 2.689 0.322 (8451) 0.441 -10.895
(19866) (11323) (25943) (21840)
SEF-ACB 332 37.7 0.347 0.346 0.044 0.354 (3813) 0.342 0.670 0.318 (398) 0.350 -0.702
(8489) (1871) (6547) (9962)
FR-PM 254 23.7 0.160 0.309 -4.575 0.449 (194) 0.236 3.289 0.322 (1398) 0.062 6.220
(1397) (1937) (3140) (856)
FR-ACB 36 12.6 0.186 0.101 1.136 0.101 (194) 0.186 -1.136 - 0.173 -
(1644) (194) (1644) (1743)
PM-ACB 951 25.0 0.500 0.279 5.716 0.526 (2599) 0.405 6.460 0.184 (235) 0.498 -5.410
(7348) (509) (5258) (7622)
Note: Values within parentheses represent cumulative sample size. Additional Q tests, after accounting for moderators, suggest that our moderators do not fully account for all heterogeneity in reported
correlations, and therefore additional moderators, not considered in our study, may yet prove useful. PVU = Perceived vulnerability, PSE = Perceived severity, FR = Fear, SEF = Self-efficacy, REF = Response
efficacy, REC = Response cost, PM = Protection motivation, ACB = Actual behavior.

227
Journal of the Association for Information Systems

Table A2. Subgroup Moderator Analysis

Moderator Subgroup PSE-FR PSE-PM PSE-ACB PVU-FR PVU-PM PVU-ACB REF-PM REF-ACB REC-PM REC-ACB SEF-PM SEF-ACB FR-PM PM-ACB
moderator
Workplace 0.271 0.231 0.254 0.463 0.184 0.188 0.276 0.336 -0.183 -0.309 0.346 0.405 0.174 0.575
Individualist context (1284) (7922) (2987) (1284) (7610) (2987) (11093) (3904) (5111) (1063) (10082) (3598) (1284) (4784)
Personal 0.449 0.267 0.162 0.424 0.110 0.071 0.421 0.256 -0.143 -0.103 0.433 0.300 0.317 0.216 (843)
context (2141) (16399) (2168) (1619) (17968) (3905) (16700) (2168) (11005) (2657) (18101) (3905) (2050)
Z-value -5.816 -2.805 3.409 1.298 5.532 4.899 -13.515 3.274 -2.427 -5.947 -8.262 5.195 -4.281 11.641
Collectivist Workplace 0.379 0.517 - 0.173 0.180 0.498 - -0.205 - 0.432 0.342 ( - -
context (1420) (778) (1190) (990) (1571) (735) (1341) 900)
Personal 0.352 0.231 - 0.194 0.247 0.470 - - - 0.315 0.408 - -
context (907) (746) (907) (746) (739) (739) (746)
Z-value 0.732 6.563 - -0.492 -1.446 0.819 - - - 2.969 -1.549 - -
Uncertainty Workplace 0.271 0.246 0.292 0.463 0.221 0.253 0.347 0.451 -0.188 -0.309 0.398 0.451 0.174 0.614
avoidance context (1284) (5842) (2259) (1284) (5300) (2471) (6232) (1805) (4954) (1063) (5384) (2165) (1284) (1063)
(low)
Personal 0.466 0.272 0.169 0.438 0.127 0.105 0.422 0.287 -0.189 -0.126 0.458 0.380 0.317 0.330
context (2379) (11879) (2572) (1857) (11855) (2716) (12180) (2572) (6062) (1064) (11988) (2716) (2050) (1138)
Z-value -6.549 -1.744 4.509 0.863 5.870 5.508 -5.655 6.205 0.054 -4.439 -4.480 2.979 -4.281 8.721
Uncertainty Workplace - 0.262 0.329 - 0.103 0.069 0.234 0.264 -0.157 - 0.282 0.313 - 0.551
avoidance context (3500) (1506) (3500) (1506) (6432) (2423) (892) (6039) (2423) (3721)
(high)
Personal - 0.277 0.235 - 0.081 0.120 0.425 0.175 -0.020 -0.06 0.336 0.113 - 0.363
context (5427) (342) (7020) (1935) (5259) (342) (5145) (1795) (6852) (1935) (1935)
Z-value - -0.746 1.700 - 1.072 -1.497 -11.581 1.614 -3.808 - -3.383 6.896 - 8.539
Personal General 0.497 0.305 0.186 0.491 0.125 0.172 0.436 0.236 -0.221 -0.120 0.399 0.301 0.440 0.380
context behavior (1527) (10067) (2164) (1005) (11477) (3901) (10150) (2164) (7291) (2424) (11750) (3901) (640) (2564)
Specific 0.436 0.248 0.166 0.395 0.103 -0.046 0.409 0.333 (750) -0.087 -0.090 0.455 0.346 0.282 0.279 (509)
behavior (852) (7726) (1871) (852) (7885) (1871) (7776) (4171) (435) (7577) (1871) (1410)
Z-value 1.822 4.081 0.653 2.565 1.524 7.809 2.181 -2.490 -7.080 -1.728 -4.650 -1.787 3.819 2.332
Workplace General 0.314 (757) 0.275 0.307 0.322 (757) 0.180 0.186 0.367 0.358 -0.203 -0.309 0.405 0.388 -0.121 0.575
context behavior (6274) (3765) (5732) (3977) (8964) (4228) (4095) (1063) (8116) (4588) (757) (4784)
Specific 0.243 (527) 0.212 - 0.557 (527) 0.186 - 0.209 - -0.192 - 0.277 - 0.370 -
behavior (3507) (3507) (4139) (2190) (3746) (527)
Z-value 1.354 3.177 - -5.180 -0.289 - 9.194 - -0.432 - 7.348 - -8.968 -

228
 A Test of PMT in the Information Security Literature

Appendix B
Table B1. Studies Used in Meta-Analysis

Journal / Conference

Information security

Sample: Student (S),

Protection behavior

Potential for CMV

Fear manipulation
Response efficacy
Coping appraisal
Non-Student (N),

Compliance (C) /

Threat appraisal
Workplace (W) /

Fear modeled
Volitional (V)
General (G) /
Personal (P)

Self-efficacy
Sample Size
Mixed (M)

Specific (S)
Population
Pub. type

variables

variables
Country
Study

Year

topic
Siponen et al. 2007 IFIP BC Compliance with Finland Employees N 917 W G C Y Y Y Y N N Actual Y
information security
policies
Workman et al. 2008 Computers in J Information security USA Employees N 588 W G V Y Y Y Y N N Actual Y
Human Behavior passwords, patches,
backups
Lee et al. 2008 Behaviour & J Virus protection USA Students S 273 P S V Y Y Y Y N N Intention Y
Information behaviour
Technology
Herath 2008 Dissertation D Employee security USA Employees N 312 W G C Y Y Y Y N N Intention Y
compliance
Youn 2009 The Journal of J Online privacy USA Students S 144 P G V Y Y N Y N N Actual Y
Consumer Affairs protection
Lee & Larsen 2009 European Journal J Anti-malware USA Employees N 239 W S V Y Y Y Y N N Actual Y
of Information software
Systems
Chenoweth et al. 2009 HICSS C Anti-spyware USA Users N 204 P S V Y Y Y Y N N Intention Y
software
Zhang & 2009 Journal of J Online password USA Students S 182 P S V Y Y Y Y Y Y Intention Y
McDowell Internet protection
Commerce
Herath & Rao 2009 European Journal J Compliance with USA Employees N 312 W G C Y Y Y Y N N Intention Y
of Information security policies
Systems
Workman et al. 2009 Behaviour & J Protection from USA Employees N 163 W G C Y Y N Y N y Actual Y
Information security violations
Technology
Gurung et al. 2009 Information J Use of anti-spyware USA Students S 232 P S V Y Y Y Y N N Actual Y
Management & tools
Computer
Security

229
Journal of the Association for Information Systems

Johnston & 2010 MIS Quarterly J Anti-spyware USA Users N 275 W S V Y Y Y Y N Y Intention Y
Warkentin software
Comesongsri 2010 Dissertation D Phishing protections USA MBA student S 376 P S V N Y Y Y N Y Intention Y
Marett et al. 2011 Transactions on J Social network USA Students S 522 P G V Y Y Y Y Y Y Intention Y
Human-Computer security threat
Interaction
Posey et al. 2011 Workshop C Account and login USA Employees N 380 W G V Y Y Y Y Y N Actual Y
protection
Vance et al. 2012 Information & J IS security Finland Employees N 210 W G C Y Y Y Y N N Intention Y
Management compliance
Lwin et al. 2012 Journal of J protection behavior Singapore Students S 537 P G V Y Y Y Y N N Intention Y
Adolescence against online
harassment
Mohamed & 2012 Computers in J Information privacy Malaysia Students S 340 P G V Y Y Y Y N N Actual Y
Ahmad Human Behavior concerns
Ifinedo 2012 Computers & J IS security policy Canada Employees N 124 W G C Y Y Y Y N N Intention Y
Security compliance
Yoon et al. 2012 Journal of J Information security South Korea Students S 202 P G V Y Y Y Y N N Actual Y
Information practices
Systems
Education
Pahnila et al 2013 PACIS C Information security Finland Employees N 340 W G C Y Y Y Y N N Actual Y
policy compliance
Pahnila et al 2013 PACIS C Information security Finland Employees N 173 W G C Y Y Y Y N N Actual Y
policy compliance
Ngugi & Kamis 2013 Journal of J Biometric security USA Students S 159 P S V Y Y Y Y N N Intention Y
Organizational for system access
and End User
Computing
Yoon & Kim 2013 Information J Protection from South Korea Employees N 162 W G V Y Y Y Y N N Intention Y
Technology & security violations
People
Tu et al. 2014 International J Mobile device Canada Users N 339 P G V Y Y Y Y N N Intention Y
Journal of Mobile protection
Communications
Siponen et al. 2014 Information & J Adherence to Finland Employees N 669 W G C Y Y Y Y N N Actual Y
Management information security
policy
Crossler et al. 2014 Journal of J Compliance with USA Students S 250 W G C Y Y Y Y N Y Actual Y
Information BYOD policies
Systems
Taneja et al. 2014 Computers in J Privacy controls on USA Students S 249 P G V Y Y Y N N N Intention Y
Human Behavior Facebook

230
 A Test of PMT in the Information Security Literature

Boss et al. 2015 MIS Quarterly J Data backups USA MBA student S 104 P S V Y Y Y Y Y Y Actual N
Boss et al. 2015 MIS Quarterly J Anti-malware USA Students S 327 P S V Y Y Y Y Y Y Actual Y
software
Humaidi & 2015 Malaysian J IS Security policies Malaysia Users N 454 W G C Y Y N Y N N Actual Y
Balakrishnan Journal of compliance
Computer
Science
Tu et al. 2015 Information & J Mobile device Canada Users N 339 P G V Y Y Y Y N N Intention Y
Management information security
threat
Safa et al. 2015 Computers & J Information security Malaysia Worker N 212 W G V Y Y Y Y Y N Actual Y
Security conscious care
behavior
Zahedi et al. 2015 Journal of the J Fake-website USA Students and M 437 P S V Y Y Y Y N Y Actual Y
Association for detection tools staff
Information
Systems
Zahedi et al. 2015 Journal of the J Fake-website USA Students and M 428 P S V Y Y Y Y N Y Actual Y
Association for detection tools staff
Information
Systems
Johnston et al. 2015 MIS Quarterly J Recommended Finland Worker N 559 W S V Y Y Y Y N Y Intention Y
password protective
strategies
Boehmer et al. 2015 Behaviour & J Online safety USA Students S 565 P S V Y Y Y Y N Y Intention Y
Information behaviour
Technology
Boehmer et al. 2015 Behaviour & J Online safety USA Students S 565 P S V Y Y Y Y N Y Intention Y
Information behaviour
Technology
Boehmer et al. 2015 Behaviour & J Online safety USA Students S 565 P S V Y Y Y Y N Y Intention Y
Information behaviour
Technology
Mousavizadeh & 2015 ICIS C Self-disclosure USA Students S 256 P G V Y Y N Y N N Intention Y
Kim behavior
Barlette et al. 2015 Journal of J Information security French CEO N 177 W G C Y Y Y Y N N Intention Y
Intelligence actions
Studies in
Business
Dang-Pham & 2015 Computers & J Perform malware Australia Students S 252 P S V Y Y Y Y N N Intention Y
Pittayachawan Security avoidance at home
Dang-Pham & 2015 Computers & J Perform malware Australia Students S 252 P S V Y Y Y Y N N Intention Y
Pittayachawan Security avoidance in BYOD
context

231
Journal of the Association for Information Systems

Sommestad et al. 2015 Information and J Adherence to Sweden Employees N 306 W G C Y Y Y Y N N Actual Y
Computer information security
Security policy
Hanus & Wu 2016 Information J Desktop security USA Students S 241 P S V Y Y Y Y N N Actual Y
Systems awareness
Management
Jansen et al. 2016 Behaviour & J Business computer Netherlands Entrepreneurs N 1622 W G V N Y Y Y N N Actual Y
Information protective measures
Technology
Warkentin et al. 2016 Decision Support J Security alert USA Students S 253 P S V Y Y Y Y N Y Actual Y
Systems software
Chou & Chou 2016 Computers in J Information security Taiwan Teacher N 505 W G V Y Y Y Y N N Intention Y
Human Behavior behavior
Hovav & Putri 2016 Pervasive and J Compliance with Indonesia Employees N 230 W G C Y Y Y N Y N Intention Y
Mobile organizational
Computing BYOD security
Chen & Zahedi 2016 MIS Quarterly J Internet security USA Students S 480 P G V Y Y Y Y Y N Actual Y
protective actions
Chen & Zahedi 2016 MIS Quarterly J Internet security China Consumers N 238 P G V Y Y Y Y Y N Actual Y
protective actions
Yang & Lee 2016 Information J Healthcare South Korea Users N 222 W G V Y Y Y Y N N Intention Y
Systems Frontiers information
protection
Tsai et al. 2016 Computers & J Online safety USA Worker N 988 P G V Y Y Y Y N N Intention Y
Security behaviors
Sonnenschein et 2016 ICIS C Smartphone IT Germany Users N 177 P G V Y Y Y Y N Y Intention Y
al. security threats
Kim & Kim 2016 PACIS C Identity theft South Korea Students S 168 P S V Y N N N N N Intention Y
protection services
Doane e al. 2016 Computers in J Safe electronic USA Students S 577 P G V Y Y Y Y N N Intention Y
Human Behavior communication
behaviors
Matt & Peckelsen 2016 HICSS C Smartphone privacy- Germany Students S 140 P G V Y Y Y Y N Y Actual N
protective behavior
Burns et al. 2017 Computers in J Organisational USA Employees N 377 W G V Y Y Y Y Y N Actual Y
Human Behavior information security
Thompson et al 2017 Computers & J Home computer USA Users N 322 P G V Y Y Y Y N N Actual Y
Security security behavior
Thompson et al 2017 Computers & J Mobile device user USA Users N 307 P G V Y Y Y Y N N Actual Y
Security
James et al 2017 Information & J Privacy controls on USA, Korean Consumers N 1121 P S V Y Y N Y N N Actual Y
Management Facebook

232
 A Test of PMT in the Information Security Literature

Bélanger et al 2017 Information & J Information security USA Users N 535 W S C Y Y N Y N N Actual Y
Management policies conformance
Li et al 2017 AMCIS C Identity protection USA Consumers N 616 P G V Y Y Y Y N N Intention Y
service
Jansen & Schaik 2017 Information & J Online security Netherlands Users N 1200 P G V Y Y Y Y N N Intention Y
Computer behaviour
Security
Wang et al. 2017 ICIS C Identity theft USA Users N 636 P G V Y Y Y Y N N Intention Y
protection services
Menard et al. 2017 Journal of J Password USA Users N 545 P S V Y Y Y Y N Y Intention Y
Management management
Information software home users
Systems
Chang 2017 Dissertation D Information security Taiwan Employees N 324 W G C Y Y Y Y N N Actual Y
policies compliance
Aurigemma & 2018 Computers & J Information security USA Students S 227 P S V Y Y Y Y Y Y Actual N
Mattson Security protective actions
Tu et al. 2018 MWAIS C BYOD security USA Employees N 122 W G C Y Y N Y N N Intention Y
policy compliance
Hanus et al. 2018 The Data Base J Information security USA Employees N 172 W G C Y Y Y Y N Y Intention Y
for Advances in policy compliance
Information
Systems
Jansen & Schaik 2018 Computers in J Precautionary online Netherlands Users N 1200 P G V Y Y Y Y N N Intention Y
Human Behavior behaviour
Menard et al. 2018 Computers & J Behavioral intent to USA+China Users N 439 W S V Y Y Y Y N Y Intention Y
Security not protect
information
Moody et al. 2018 MIS Quarterly J Information security Finland Users N 274 W S C Y Y Y Y Y Y Intention Y
policy violations
Moody et al. 2018 MIS Quarterly J Information security Finland Working N 393 W S C Y Y Y Y Y Y Intention Y
policy violations professionals
Adhikari & 2018 Journal of Global J Information privacy India Students S 306 P G V Y Y Y Y N N Actual Y
Panda Marketing protection
Blythe & 2018 Computers in J Anti-malware UK Employees N 526 W S V Y Y Y Y N N Intention Y
Coventry Human Behavior software
Mwagwabi et al 2018 CAIS J Compliance with USA Users N 99 P S C Y Y Y Y Y N Actual N
password guidelines
Mwagwabi et al 2018 CAIS J Compliance with USA Users N 95 P S C Y Y Y Y Y Y Actual N
password guidelines
Ophoff & Lakay 2018 ISSA C Ransomware threat South Africa Users N 118 P G V Y Y Y Y Y Y Intention Y
Verkijika 2018 Computers & J Smartphone security South Africa Users N 428 P G V Y Y Y Y N N Actual Y
Security behaviors

233
Journal of the Association for Information Systems

Beugre 2019 Dissertation D Security compliance USA Employees N 169 W G C Y Y Y Y N N Intention Y

intention
Crossler et al. 2019 Information & J Antispyware USA+Ghana Students S 487 P S V Y Y Y Y N N Intention Y
Management software
Grimes & 2019 Decision Support J Password security USA Students S 169 P S V Y Y Y Y N Y Intention Y
Marquardson Systems measures
Hooper & Blunt 2019 Behaviour & J IT employees New Zealand Employees N 70 W G V Y Y Y Y N N Intention Y
Information information security
Technology behavior
Li et al 2019 International J Cybersecurity USA Employees N 579 W G C Y Y Y Y N N Actual Y
Journal of protection behavior
Information
Management
Rajab & Eydgahi 2019 Computers & J Information security USA Employees N 206 W G C Y Y Y Y N N Intention Y
Security policies compliance
Abraham & 2019 Computers & J Webpages security USA Students S 197 P S V Y Y N Y N Y Intention Y
Chengalur-Smith Security
Heidt et al 2019 Conference C Password security Germany Employees N 209 W S V Y Y Y Y N Y Intention Y
Heidt et al 2019 Conference C Password security Germany Users N 209 P S V Y Y Y Y N Y Intention Y
Hina et al 2019 Computers & J Informaton security Malaysia Employees N 301 W G C Y Y Y Y N N Intention Y
Security policy compliance
Martens et al 2019 Computers in J Cyber-security Belgium Users N 1181 P G V Y Y Y Y N Y Intention Y
Human Behavior protection
Mills & Sahi 2019 HICSS C Home computer New Zealand Users N 72 P G V Y Y Y Y N N Intention Y
security behavior
Simonet & Teufel 2019 IFIP C Cybersecurity Switzerland Employees N 456 W G V Y Y Y Y N N Actual Y
behavior
Wottrich et al 2019 The Journal of J Privacy protection in Netherlands Users N 1593 P G V Y Y N Y N N Actual Y
Consumer Affairs mobile apps
Ayyagari et al 2019 Contemporary J Use of a password USA Students S 120 P S V Y N N N N Y Intention Y
Management manager
Research
Iriqat et al 2019 Conference C Information security Malaysia Employees N 151 W G C Y Y Y Y N N Intention Y
policy compliance
Shuetz et al 2020 JMIS J Information security USA Users N 84 W S V Y Y Y Y Y Y Intention Y
spear-phishing
attacks
Shuetz et al 2020 JMIS J Information security USA Employees N 179 W S V Y Y Y Y Y Y Intention Y
spear-phishing
attacks
Shuetz et al 2020 JMIS J Information security USA Users N 264 W S V Y Y Y Y Y Y Intention N
spear-phishing
attacks

234
 A Test of PMT in the Information Security Literature

Ameen et al 2020 Computers in J Smartphone security USA Employees N 602 W G C Y Y Y Y N N Intention Y

Human Behavior
Ameen et al 2020 Computers in J Smartphone security UAE Employees N 554 W G C Y Y Y Y N N Intention Y
Human Behavior
Aurigemma & 2020 JAIS J Information security USA Employees N 254 W G C Y Y Y Y N N Intention Y
Mattson policy compliance
Aurigemma & 2020 JAIS J Information security USA Employees N 254 W S V Y Y Y Y N N Intention Y
Mattson phishing
Aurigemma & 2020 JAIS J Information security USA Employees N 254 W S V Y Y Y Y N N Intention Y
Mattson removable flash
media
Aurigemma & 2020 JAIS J Information security USA Employees N 254 W S V Y Y Y Y N N Intention Y
Mattson tailgating
Aurigemma & 2020 JAIS J Information security USA Students and M 231 W G C Y Y Y Y N Y Intention Y
Mattson policy compliance staff
Aurigemma & 2020 JAIS J information security USA Students and M 231 W S V Y Y Y Y N Y Intention Y
Mattson workstation locking staff
Aurigemma & 2020 JAIS J information security USA Students and M 231 W S V Y Y Y Y N Y Intention Y
Mattson password sharing staff
Chiang & Tang 2020 Journal of J Public Wi-Fi USA Students S 169 P G V Y Y Y Y Y N Actual Y
Computer avoidance behavior
Information
Systems
Mousavi et al 2020 DSS J Information privacy USA students S 315 P S V Y Y Y Y N N Intention Y
protection
Olt & Wagner 2020 HICSS C Online backup Germany Users N 446 P S V Y Y Y Y N Y Intention Y
service for
smartphone
Vedadi & 2020 JAIS J Password protection USA Users N 214 P S V Y N Y N N Y Intention Y
Warkentin
Note: J = journal, C = conference, BC = book chapter, Y = yes, N = no

235
Journal of the Association for Information Systems

About the Authors

Jian Mou is an associate professor in the School of Business, Pusan National University, South Korea. He was
previously an assistant professor at Xidian University, China, and adjunct professor at the Business School of
Sungkyunkwan University, South Korea. In addition, he engaged in research as a visiting scholar at the University of
Illinois-Chicago, USA, and was awarded postdoctoral fellowships at Sungkyunkwan University, South Korea, and the
University of Ottawa, Canada. His research interests include electronic commerce, human-computer interaction, trust,
and risk issues in electronic services, and the dynamic nature of systems use. His research has appeared in journals
such as Information and Management, International Journal of Information Management, Information Processing and
Management, Computers in Human Behavior, Information Technology and People, Journal of Retailing and
Consumer Services, Electronic Commerce Research and Applications, Internet Research, Industrial Management &
Data Systems, Electronic Commerce Research, Behaviour and Information Technology, International Journal of
Human-Computer Interaction, and Information Development.
Jason Cohen is an associate professor of information systems at the University of the Witwatersrand, Johannesburg
where he also serves as the deputy dean in the Faculty of Commerce, Law and Management. He received his PhD in
2004 on the topic of IS strategy and planning. His research focuses on IT adoption, management of information systems
in organizations, and electronic commerce. His work has been presented at conferences such as ICIS, ECIS, PACIS,
and AMCIS and published in journals such as Information & Management, International Journal of Information
Management, International Journal of Medical Informatics, Internet Research, Electronic Commerce Research and
Applications, and Expert Systems with Applications, among others. Dr. Cohen is the corresponding author on this
paper.
Anol Bhattacherjee is a professor of business analytics and information systems and the Exide Professor of Business
Ethics at the University of South Florida. In a research career spanning 20 years, Anol has published over 70 refereed
journal papers, including in MIS Quarterly, Information Systems Research, Journal of the Association for Information
Systems, and Journal of Management Information Systems. Anol’s research focuses on dysfunctional consequences of
social media, healthcare informatics, and algorithm bias. He served on the editorial board of MIS Quarterly for four
years and served as a senior editor at Journal of the Association for Information Systems. He holds PhD and MBA
degrees from the University of Houston, and MS and BS degrees from Indian Institute of Technology, Kharagpur,
India.
Jongki Kim is a full professor in the School of Business at Pusan National University, Korea. He currently serves as
the president of the Korea Internet e-Commerce Association. He received his PhD in management information systems
from Mississippi State University. His research interests are in the areas of IT security and privacy, digital technology
innovation, and meta-analytic structural equation modeling. He has published more than 100 articles in refereed
journals, including Journal of Information Systems, Journal of Digital Convergence, Entrue Journal of Information
Technology, Asia Pacific Journal of Information Systems, and Journal of Retailing and Consumer Services.

Copyright © 2022 by the Association for Information Systems. Permission to make digital or hard copies of all or part
of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for
profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for
components of this work owned by others than the Association for Information Systems must be honored. Abstracting
with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior
specific permission and/or fee. Request permission to publish from: AIS Administrative Office, P.O. Box 2712 Atlanta,
GA, 30301-2712 Attn: Reprints, or via email from publications@aisnet.org.

236