ADDIS ABABA UNIVERSITY

COLLEGE OF NATURAL AND COMPUTATIONAL SCIENCE

SCHOOL OF INFORMATION SCIENCE

InSS 672 – Information Systems Security Management Article Review

Title: A Test of Protection Motivation Theory in the Information Security Literature: A

Meta-Analytic Structural Equation Modeling Approach

Name ID No

By Seid Hussen GSR/2364/16

To Dr. Lemma Lessa. (Assistant Professor of Information Systems)

Due date: Monday, April 29, 2024

Addis Ababa, Ethiopia

Title: A Test of Protection Motivation Theory in the Information Security Literature: A
Meta-Analytic Structural Equation Modeling Approach

Introduction:

The paper addresses the significance of information security in today's digital landscape and
examines the application of Protection Motivation Theory (PMT) as a theoretical framework
for understanding security behaviors. Information security is a critical concern for
individuals and organizations, given the increasing prevalence of cyber threats. PMT
proposes that individuals' response to perceived threats is influenced by their appraisal of
the threat and their assessment of coping mechanisms. However, empirical studies based on
PMT have yielded inconsistent and inconclusive findings.

Summary:

The paper presents a study that aims to investigate the relationships between different factors
in the Protection Motivation Theory (PMT) in the context of information security. PMT is a
theory that looks at how people's behaviors in response to perceived threats are influenced
by how they evaluate the threat and their ability to cope with it.

The researchers analyzed 92 published studies using a statistical technique called structural
equation modeling.

The results support 3 out of the 5 factors proposed by PMT as predictors of people's
intention to take security measures. However, there was mixed support for one factor
(perceived vulnerability) and no support for another (response cost).

The study found that the factors related to people's ability to cope, such as believing the
security measures are effective and having confidence in their own ability, had the strongest
effects on people's security behaviors.

The researchers also observed that cultural factors like collectivism and individualism
influenced some of the relationships in the PMT framework. They noted the relationships
were generally stronger in personal contexts compared to work contexts, and the intention-
behavior link was strongest in work and compliance settings.

The article concludes by contributing to the information security research by providing

guidance for future PMT-related studies and demonstrating the combined use of meta-
analysis and structural equation modeling to test theories in information systems research.
Methodology:

The methodology used in this study is a meta-analytic structural equation modeling

(MASEM) approach. The key points about the methodology are:

Meta-analysis: The authors conducted a meta-analysis of 92 published studies in the

information security literature that employed protection motivation theory (PMT) as a
theoretical lens. This allowed them to synthesize the inconsistent findings from prior PMT
studies in information security.

Structural equation modeling (SEM): The authors then used meta-analytic SEM to test the
nomological network of PMT constructs and their relationships, going beyond just
synthesizing prior findings to actually testing the theory.

Moderator analysis: The authors examined several potential moderators of the PMT
relationships, including cultural factors (individualism/collectivism), security context
(personal vs. workplace), type of security behavior (general vs. specific, compliance vs.
volitional), and methodological factors (student vs. non-student samples, presence vs.
absence of experimental manipulation).

Stepwise MASEM approach: The authors followed a stepwise MASEM approach, first
conducting a meta-analysis to estimate the pooled correlation matrix, then using that as
input to estimate the structural model using SEM.

Key Findings:

The study found support for three of the five predictors of security motivation intention
proposed by PMT - threat severity, response efficacy, and self-efficacy. However, the
relationship between perceived vulnerability and security behavior showed mixed support
across the analyzed studies. Interestingly, the study did not find support for the influence of
response cost on security behavior.

Delving deeper into the PMT constructs, the researchers observed that the coping appraisal
variables of response efficacy and self-efficacy had the most substantial average effects on
security behavior. This suggests that an individual's beliefs about the effectiveness of security
measures and their own ability to implement those measures are particularly important in
driving security-related actions.
The study also examined the moderating effects of cultural attributes on the PMT
relationships. The cultural dimensions of collectivism and individualism were found to
moderate some of the pairwise correlations between the PMT constructs. This highlights the
importance of considering cultural context when applying PMT in information security
research.

Furthermore, the findings revealed that the PMT-theoretic relationships were generally
stronger in personal contexts compared to workplace contexts. This suggests that the factors
influencing security behaviors may differ depending on the environment in which those
behaviors take place.

Lastly, the study found that the relationship between intention and actual security behavior
was strongest in workplace and compliance settings. This underscores the importance of
understanding the specific context in which information security behaviors occur and how
that may shape the intention-behavior link.

Conclusion:

The study aims to resolve inconsistent findings in prior PMT research on information
security behaviors and provide guidance for future research in this area by demonstrating
how meta-analysis and SEM can be combined to test theories.