Use of Persuasive Technology to Change End-Users- IT Security Aware Behaviour: A Pilot Study
Persuasive technology has been applied in marketing,
health, environmental conservation, safety and other domains and is
found to be quite effective in changing people-s attitude and
behaviours. This research extends the application domains of
persuasive technology to information security awareness and uses a
theory-driven approach to evaluate the effectiveness of a web-based
program developed based on the principles of persuasive technology
to improve the information security awareness of end users. The
findings confirm the existence of a very strong effect of the webbased
program in raising users- attitude towards information security
aware behavior. This finding is useful to the IT researchers and
practitioners in developing appropriate and effective education
strategies for improving the information security attitudes for endusers.
[1] Stanton, J. M., Kathryn R.S., Indira G. & Cavinda C., "Examining the
linkage between organizational commitment and information security"-,
in IEEE International Conference on Systems, Man and Cybernetics. pp:
2501-2506, 2003.
[2] Deloitte, ÔÇÿ2005 Global security survey-, Deloitte, available at:
http://www.deloitte.com/dtt/cda/doc/content/2005%20Global%20Securit
y%20Survey%281%29.pdf, 2005
[3] CIO, "CIO research reports", CIO, available at:
http://www2.cio.com/research/surveyreport.cfm?id=93, 2005
[4] Straub D. W., "Effective IS security: an empirical study"-, Information
System Research, Vol.1, No.2, pp:255-277, 1990.
[5] Straub, D. W. and Welke, R. J., "Coping with systems risk: Security
planning models for management decision making", MIS Q, Vol.22, No.
4, pp: 441-469, 1998.
[6] Leach, J., "Improving user security behaviour", Computers and Security.
Vol.22, No.8, pp: 685-692, 2003.
[7] AUSCERT, "2006 Australian Computer Crime and Security Survey",
Available at: www.auscert.org.au, 2006
[8] Ajzen, I., and Fishbein, M. Understanding attitudes and predicting
social behaviour, Englewood Cliffs, NJ: Prentic-Hall, 1980.
[9] Thomson, M. and R. von Solms, 1998, ÔÇÿInformation security awareness:
educating your users effectively-, Information Management and
computer security, Vol.6, No.4, pp: 167-173.
[10] Fogg B.J., Persuasive Technology: using computers to change what we
think and do, Morgan Kaufmann Publishers, CA, 2003
[11] Fogg B.J., ÔÇÿPersuasive Computers: Perspectives and Research
Directions-, CHI98 Conference of ACM (CA: ACM Press, 1998), pp:
225-232.
[12] Fogg B.J. and Clifford Nass, ÔÇÿHow users reciprocate to computers: an
experiment that demonstrates behaviour change-, in Extended Abstracts
of the CHI97 Conference of the ACM/SIGCHI (New York: ACM Press,
1997), pp: 331-332.
[13] Lapolla, N.A. and Salvucci, A., ÔÇÿEvaluation of a Youth Driving
Simulator Program-, available at:
http://apha.confex.com/apha/128am/techprogram/paper_13286.htm,
2000.
[14] Lenert L, Mu├▒oz RF, Stoddard J, Delucchi K, Bansod A, Skoczen S,
Pérez-Stable EJ., ÔÇÿDesign and Pilot Evaluation of an Internet smoking
cessation program-, J AM Med Inform Assoc., 10 (1), pp:16-20, 2003.
[15] Ajzen, I.´╝îÔÇÿThe theory of planned behaviour-, Organizational Behaviour
and Human Decision Processes, 50, 179-211, 1991.
[16] Siponen, M. T., ÔÇÿA conceptual foundation for organizational information
security awareness-, Information Management and Computer Security,
Vol.8, No.1, pp: 31-41, 2000.
[17] IJsselsteijn, W.A., de Kort, Y.A.W., Midden, C., Eggen, B., and van den
Hoven, E., ÔÇÿPersuasive technology for human well-being: setting the
scene-, Persuasive 06 Eindhoven: Springer, 2006
[18] Chau, P., ÔÇÿAn empirical assessment of a modified technology acceptance
model-, Journal of Management Information Systems, Vol.13 No. 2, pp:
185-205, 1996.
[19] Mathieson, K., ÔÇÿPredicting user intentions: comparing the technology
acceptance model with the theory of planned behaviour-, Information
System Research, Vol. 3, No. 2, pp: 173-191, 1991.
[20] Chan, D.K.-S., and Fishbein, M. , 1993, ÔÇÿDeterminants of college
women-s intentions to tell their partners to use condoms-, Journal of
Applied Social Psychology, 23, pp: 1445-1470.
[21] Libbus, K., ÔÇÿWomen-s beliefs concerning condom acquisition and use-,
Public Health Nursing, 12, pp: 341-347, 1995.
[22] Reinecke, J., Schmidt, P., and Ajzen, I., ÔÇÿApplication of the theory of
planned behaviour to adolescents- condom use: A panel study-, Journal
of Applied Social Psychology, 26, pp: 749-772, 1996.
[23] Ajzen, I.,and Madden, T. J., ÔÇÿPrediction of goal-directed behaviour:
Attitudes, intentions, and perceived behavioural control-, Journal of
Experimental Social Psychology, 22, pp: 453-474, 1986.
[24] Prislin, R.,andKovrlija, N., ÔÇÿPredicting behaviour of high and lowselfmonitors:
an application of the theory of planned behaviour-,
Psychological Reports, 70, pp:1131-1138, 1992.
[25] Ajzen, I., and Driver, B. E., ÔÇÿApplication of the theory of planned
behaviour to leisure choice-, Journal of Leisure Research, 24, pp:207-
224, 1992
[26] Godin, G.,Valois, P. and Lepage, L., ÔÇÿThe pattern of influence of
perceived behavioural control upon exercising behaviour: an application
of Ajzen-s theory of planned behaviour-, Journal of Behavioural
Medicine, 16, pp: 81-102, 1993.
[27] Theodorakis, Y., ÔÇÿPlanned behaviour, attitude strength, role identity, and
the prediction of exercise behaviour-, The Sport Psychologist, 8, pp:149-
165, 1994
[28] Valois, P., Turgeon, H., Godin, G., Blondeau, D., and Cote, F.,
ÔÇÿInfluence of a persuasive strategy on nursing students- beliefs and
attitudes toward provision of care to people living with HIV/AIDS-,
Journal of Nursing Education, 40, pp: 354-358, 2001.
[29] Quine, L., Rutter D. R. and Arnold L., ÔÇÿPersuading school-age cyclists to
use safety helmets: effectiveness of an intervention based on the theory
of planned behaviour-, British Journal of Health Psychology, 6, pp: 327-
345, 2001.
[30] Gehringer, E.F. "Choosing Passwords: Security and Human Factors",
International Symposium on Technology and Society, ISTAS-02, pp
369-373, 2002.
[31] Microsoft 2006. "Strong Passwords: How to Create and Use Them."
Retrieved 29 August, 2006 from
http://www.microsoft.com/athome/security/privacy/ password.mspx
[32] Monash University "Unwanted/Unsolicited Email or Spam." Retrieved
25 August, 2006 from http://www.its.monash.edu.au/staff/email/spam/,
2006a
[33] Monash University 2006b. "Beware of Malicious Emails and Web
Pages." Retrieved 25 August, 2006 from
http://www.its.monash.edu.au/staff/security/staff-only/home/emails.html
[34] Zviran, M., and Haga, W.J. "Password Security: An Empirical Study,",
Journal of Management Information Systems, (15:4), pp 161-185, 1999.
[35] Lyman J. "Spam Costs $20 Billion Each Year in Lost Productivity",
Retrieved 3 November, 2006 from
http://www.linuxinsider.com/story/32478.html, 2003.
[36] CERT "Email Bombing and Spamming." Retrieved 6 November, 2006,
from http://www.cert.org/tech_tips/email_bombing_spamming.html,
2002.
[37] O- Reilly, D. "10-step Security." Retrieved 29 August, 2006 from
http://www.pcworld.com/article/id,122500-page,1/article.html, 2005.
[38] University of California. "Email Safety Tips." Retrieved 11 June, 2008
from http://www.security.uci.edu/email/, 2006.
[39] OECD Report "Malicious Software (Malware): A security threat to the
internet economy", Ministerial Background Report, Seoul, Korea, 17-18
June., 2008.
[40] CAIDA "CAIDA Analysis of Code-Red." Retrieved 25 October, 2006,
from http://www.caida.org/analysis/security/code-red/, 2006
[41] CSI 2005. "2005 CSI/FBI Computer Crime and Security Survey."
Retrieved 3 December, 2006 from
http://www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf
[42] Plous S., The Psychology of Judgment and Decision Making, McGraw-
Hill, New York, 1993.
[43] Ajzen, I, ÔÇÿConstructing a TPB Questionnaire: conceptual and
methodological considerations-, available at:
http://people.umass.edu/aizen/pdf/tpb.measurement.pdf, 2002.
[1] Stanton, J. M., Kathryn R.S., Indira G. & Cavinda C., "Examining the
linkage between organizational commitment and information security"-,
in IEEE International Conference on Systems, Man and Cybernetics. pp:
2501-2506, 2003.
[2] Deloitte, ÔÇÿ2005 Global security survey-, Deloitte, available at:
http://www.deloitte.com/dtt/cda/doc/content/2005%20Global%20Securit
y%20Survey%281%29.pdf, 2005
[3] CIO, "CIO research reports", CIO, available at:
http://www2.cio.com/research/surveyreport.cfm?id=93, 2005
[4] Straub D. W., "Effective IS security: an empirical study"-, Information
System Research, Vol.1, No.2, pp:255-277, 1990.
[5] Straub, D. W. and Welke, R. J., "Coping with systems risk: Security
planning models for management decision making", MIS Q, Vol.22, No.
4, pp: 441-469, 1998.
[6] Leach, J., "Improving user security behaviour", Computers and Security.
Vol.22, No.8, pp: 685-692, 2003.
[7] AUSCERT, "2006 Australian Computer Crime and Security Survey",
Available at: www.auscert.org.au, 2006
[8] Ajzen, I., and Fishbein, M. Understanding attitudes and predicting
social behaviour, Englewood Cliffs, NJ: Prentic-Hall, 1980.
[9] Thomson, M. and R. von Solms, 1998, ÔÇÿInformation security awareness:
educating your users effectively-, Information Management and
computer security, Vol.6, No.4, pp: 167-173.
[10] Fogg B.J., Persuasive Technology: using computers to change what we
think and do, Morgan Kaufmann Publishers, CA, 2003
[11] Fogg B.J., ÔÇÿPersuasive Computers: Perspectives and Research
Directions-, CHI98 Conference of ACM (CA: ACM Press, 1998), pp:
225-232.
[12] Fogg B.J. and Clifford Nass, ÔÇÿHow users reciprocate to computers: an
experiment that demonstrates behaviour change-, in Extended Abstracts
of the CHI97 Conference of the ACM/SIGCHI (New York: ACM Press,
1997), pp: 331-332.
[13] Lapolla, N.A. and Salvucci, A., ÔÇÿEvaluation of a Youth Driving
Simulator Program-, available at:
http://apha.confex.com/apha/128am/techprogram/paper_13286.htm,
2000.
[14] Lenert L, Mu├▒oz RF, Stoddard J, Delucchi K, Bansod A, Skoczen S,
Pérez-Stable EJ., ÔÇÿDesign and Pilot Evaluation of an Internet smoking
cessation program-, J AM Med Inform Assoc., 10 (1), pp:16-20, 2003.
[15] Ajzen, I.´╝îÔÇÿThe theory of planned behaviour-, Organizational Behaviour
and Human Decision Processes, 50, 179-211, 1991.
[16] Siponen, M. T., ÔÇÿA conceptual foundation for organizational information
security awareness-, Information Management and Computer Security,
Vol.8, No.1, pp: 31-41, 2000.
[17] IJsselsteijn, W.A., de Kort, Y.A.W., Midden, C., Eggen, B., and van den
Hoven, E., ÔÇÿPersuasive technology for human well-being: setting the
scene-, Persuasive 06 Eindhoven: Springer, 2006
[18] Chau, P., ÔÇÿAn empirical assessment of a modified technology acceptance
model-, Journal of Management Information Systems, Vol.13 No. 2, pp:
185-205, 1996.
[19] Mathieson, K., ÔÇÿPredicting user intentions: comparing the technology
acceptance model with the theory of planned behaviour-, Information
System Research, Vol. 3, No. 2, pp: 173-191, 1991.
[20] Chan, D.K.-S., and Fishbein, M. , 1993, ÔÇÿDeterminants of college
women-s intentions to tell their partners to use condoms-, Journal of
Applied Social Psychology, 23, pp: 1445-1470.
[21] Libbus, K., ÔÇÿWomen-s beliefs concerning condom acquisition and use-,
Public Health Nursing, 12, pp: 341-347, 1995.
[22] Reinecke, J., Schmidt, P., and Ajzen, I., ÔÇÿApplication of the theory of
planned behaviour to adolescents- condom use: A panel study-, Journal
of Applied Social Psychology, 26, pp: 749-772, 1996.
[23] Ajzen, I.,and Madden, T. J., ÔÇÿPrediction of goal-directed behaviour:
Attitudes, intentions, and perceived behavioural control-, Journal of
Experimental Social Psychology, 22, pp: 453-474, 1986.
[24] Prislin, R.,andKovrlija, N., ÔÇÿPredicting behaviour of high and lowselfmonitors:
an application of the theory of planned behaviour-,
Psychological Reports, 70, pp:1131-1138, 1992.
[25] Ajzen, I., and Driver, B. E., ÔÇÿApplication of the theory of planned
behaviour to leisure choice-, Journal of Leisure Research, 24, pp:207-
224, 1992
[26] Godin, G.,Valois, P. and Lepage, L., ÔÇÿThe pattern of influence of
perceived behavioural control upon exercising behaviour: an application
of Ajzen-s theory of planned behaviour-, Journal of Behavioural
Medicine, 16, pp: 81-102, 1993.
[27] Theodorakis, Y., ÔÇÿPlanned behaviour, attitude strength, role identity, and
the prediction of exercise behaviour-, The Sport Psychologist, 8, pp:149-
165, 1994
[28] Valois, P., Turgeon, H., Godin, G., Blondeau, D., and Cote, F.,
ÔÇÿInfluence of a persuasive strategy on nursing students- beliefs and
attitudes toward provision of care to people living with HIV/AIDS-,
Journal of Nursing Education, 40, pp: 354-358, 2001.
[29] Quine, L., Rutter D. R. and Arnold L., ÔÇÿPersuading school-age cyclists to
use safety helmets: effectiveness of an intervention based on the theory
of planned behaviour-, British Journal of Health Psychology, 6, pp: 327-
345, 2001.
[30] Gehringer, E.F. "Choosing Passwords: Security and Human Factors",
International Symposium on Technology and Society, ISTAS-02, pp
369-373, 2002.
[31] Microsoft 2006. "Strong Passwords: How to Create and Use Them."
Retrieved 29 August, 2006 from
http://www.microsoft.com/athome/security/privacy/ password.mspx
[32] Monash University "Unwanted/Unsolicited Email or Spam." Retrieved
25 August, 2006 from http://www.its.monash.edu.au/staff/email/spam/,
2006a
[33] Monash University 2006b. "Beware of Malicious Emails and Web
Pages." Retrieved 25 August, 2006 from
http://www.its.monash.edu.au/staff/security/staff-only/home/emails.html
[34] Zviran, M., and Haga, W.J. "Password Security: An Empirical Study,",
Journal of Management Information Systems, (15:4), pp 161-185, 1999.
[35] Lyman J. "Spam Costs $20 Billion Each Year in Lost Productivity",
Retrieved 3 November, 2006 from
http://www.linuxinsider.com/story/32478.html, 2003.
[36] CERT "Email Bombing and Spamming." Retrieved 6 November, 2006,
from http://www.cert.org/tech_tips/email_bombing_spamming.html,
2002.
[37] O- Reilly, D. "10-step Security." Retrieved 29 August, 2006 from
http://www.pcworld.com/article/id,122500-page,1/article.html, 2005.
[38] University of California. "Email Safety Tips." Retrieved 11 June, 2008
from http://www.security.uci.edu/email/, 2006.
[39] OECD Report "Malicious Software (Malware): A security threat to the
internet economy", Ministerial Background Report, Seoul, Korea, 17-18
June., 2008.
[40] CAIDA "CAIDA Analysis of Code-Red." Retrieved 25 October, 2006,
from http://www.caida.org/analysis/security/code-red/, 2006
[41] CSI 2005. "2005 CSI/FBI Computer Crime and Security Survey."
Retrieved 3 December, 2006 from
http://www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf
[42] Plous S., The Psychology of Judgment and Decision Making, McGraw-
Hill, New York, 1993.
[43] Ajzen, I, ÔÇÿConstructing a TPB Questionnaire: conceptual and
methodological considerations-, available at:
http://people.umass.edu/aizen/pdf/tpb.measurement.pdf, 2002.
@article{"International Journal of Business, Human and Social Sciences:63955", author = "Ai Cheo Yeo and Md. Mahbubur Rahim and Yin Ying Ren", title = "Use of Persuasive Technology to Change End-Users- IT Security Aware Behaviour: A Pilot Study", abstract = "Persuasive technology has been applied in marketing,
health, environmental conservation, safety and other domains and is
found to be quite effective in changing people-s attitude and
behaviours. This research extends the application domains of
persuasive technology to information security awareness and uses a
theory-driven approach to evaluate the effectiveness of a web-based
program developed based on the principles of persuasive technology
to improve the information security awareness of end users. The
findings confirm the existence of a very strong effect of the webbased
program in raising users- attitude towards information security
aware behavior. This finding is useful to the IT researchers and
practitioners in developing appropriate and effective education
strategies for improving the information security attitudes for endusers.", keywords = "Information security, persuasive technology, ITsecurity-aware behaviour, theory of planned behaviour survey.", volume = "2", number = "10", pages = "1186-7", }
