IT Security in the Age of Digitalization – Toward an Understanding of Risk Perceptions and Protective Behaviors of Private Individuals and Managers in Organizations

Nowadays, information technology (IT) has become an integral part of our everyday life. In both the private and business context, we extensively use different IT systems for data production, data organization, data analysis, and communication with others. Due to the extensive usage of IT, the amount of digitalized personal and organizational information is rapidly and incessantly rising — making both private individuals and organizations attractive targets for attackers. The necessity to effectively protect sensitive data from IT security incidents is highly discussed in practice and research, it attracts high media attention, and our society should be actually aware of the importance of IT security in today’s digital world. However, recent reports demonstrate that organizations as well as private individuals — even though they are afraid of the rapid evolution of IT security risks — still often refrain from adopting the necessary IT security safeguards. To better prepare our society for the ongoing risks arising from extensive IT usage, a better understanding of how IT security is perceived by private individuals and managers is required. Motivated by the findings and theoretical underpinnings from previous research, this thesis addresses several research questions with respect to IT security perceptions and behaviors of private individuals and managers in organizations. By conducting four studies — one among private individuals and three among managers in organizations — the thesis not only contributes to the current research but also provides useful recommendations for practice. Suppliers of IT and IT security products as well as managers in customer organizations can especially learn from the findings of the studies. First, research paper A is focused on the private context and analyzes the gender differences in mobile users’ IT security perceptions and protective behaviors. Drawing on Gender Schema Theory and Protection Motivation Theory, a mixed-method study (survey, experiment, and interviews) under laboratory conditions is conducted. The results show that IT security perceptions of females and males are based on different downstream beliefs and indicate that females are more likely to translate their intention to take precautionary actions into actual behavior than males. The studies presented in research papers B, C, and D are conducted within the business context and focus on the IT security perceptions and behaviors of managers in organizations. Research paper B analyzes top managers’ IT security awareness. Since previous research predominantly investigated IT security awareness at the employee level, a comprehensive conceptualization of IT security awareness at the management level is currently missing. To address this research gap, a structured literature review and expert interviews are performed in order to develop and test a comprehensive conceptualization — including both individual and organizational factors — of top managers’ IT security awareness. Within research paper C, managers’ willingness to pay for IT security is in the focus of the investigation. Previous research largely neglected that various IT security safeguards might be differently evaluated by organizations, for example, due to different IT security requirements. By drawing on Kano’s Theory, the study takes into account that — depending on the organization’s individual IT security requirements — the implementation of IT security safeguards can also be associated with disadvantages. Based on interviews and an empirical study among managers, the study reveals that IT security safeguards are differently evaluated and that these different evaluations are associated with different levels of managers’ willingness to pay. Finally, research paper D analyzes managers’ Status Quo-Thinking in risk perception. Based on Prospect Theory, Status Quo Bias research, and an empirical study among managers, the findings indicate that managers’ risk evaluations and decisions to adopt new technologies are highly dependent on their assessments of the systems currently used in the organization. Moreover, the results implicate that the impact of Status Quo-Thinking on managers’ risk assessments and intentions to adopt new technologies is stronger the less experienced a manager is with a new technology, probably resulting in an incorrect risk assessment and inappropriate adoption behavior. Implications for research and practice are discussed in more detail within each research paper and summarized in the final chapter of the thesis.