The effects of awareness programs on information security in banks: The roles of protection motivation and monitoring

Abstract

Our aim is to understand how information security awareness (ISA) programs affect the intention of employees for compliant information security behavior. We draw on Protection Motivation Theory (PMT) to uncover indirect influences of ISA programs, and seek to identify the extent to which intention translates into actual compliance is contingent on monitoring. Based on partial least squares structural equation modeling analysis of 183 survey responses consisting of German bank employees, we find strong empirical evidence for the importance of ISA programs, protection motivation and monitoring. While ISA programs effectively change how employees cope with and assess security threats, only coping appraisal is an important condition for the positive behavioral effects of such programs to occur. However, ISA programs may cause a false sense of security, as vulnerability perceptions are reduced by consuming ISA programs but not affecting intentions for compliant security behavior. Perceived monitoring strengthens this confirmed intention-behavior link.