隨著資訊科技的日益月異與普及化，使得資訊安全議題逐漸受到重視。目前在資訊安全方面的研究主要著重在組織背景下探討員工的資訊安全行為，但是不同於員工在組織內的工作環境，一般電腦使用者並沒有受到組織在資訊安全方面的訓練或政策的規定，所以只能由使用者本身主動去實行資訊安全行為。對於一般電腦使用者來說，在面臨恐懼或危險時，可能會改變他們的態度或行為，而保護動機理論解釋了個人保護自己免於受到潛在威脅影響的動機，因此保護動機理論也被視為是解釋個人從事資訊安全相關保護行為最有利的理論。保護動機理論指出，個人的保護行為可由威脅評估和應對評估來預測，並會受到個人因素及環境因素的影響，但是過去以保護動機為理論基礎的資訊安全行為研究，大多僅從威脅評估和應對評估的角度來探討使用者採取安全措施的行為意圖，並沒有同時考慮到環境因素和個人因素對保護動機過程的影響。因此本研究以一般使用者為研究對象，擴展完整的保護動機理論模型，結合環境因素中的社會影響，以及個人因素中的先前安全經驗和資訊安全意識，探討其對威脅評估和應對評估的影響，進而討論對資訊安全行為意圖的影響效果。本研究對象為具有個人電腦的使用者，以網路問卷的方式來調查。研究結果發現，社會影響會顯著影響個人對威脅的評估，資訊安全意識則會顯著影響個人應對的評估，而先前安全經驗對威脅評估和應對評估都有顯著的影響，另外除了威脅評估中的感知易感性對於資訊安全行為意圖的影響效果不顯著外，應對評估中的回應成本會顯著負向影響資訊安全行為意圖，威脅評估中的感知嚴重性以及應對評估中的自我效能和回應效能皆會顯著正向影響資訊安全行為意圖。本研究認為，使用者先前的安全經驗、資訊安全的意識及社會影響皆可提升威脅評估以及應對評估的程度，進而增加資訊安全行為的意圖。

With the rapid development of information technology, information security issues are more and more important. Currently, behavioral information security research primary focuses on the behaviors of employees in organization. Unlike employees in the work environment, general computer users have no organized security trainings or information security policies to follow, thus the protection of general users’ computers is based on the security behaviors of the users. According to the literature, when discussing the issues that users faced with fear or danger, the protection motivation theory is one of the most powerful theories describing individual intentions to take protective actions to protect themselves from threats. Protection motivation theory predicts personal protective behavior through threat appraisal and coping appraisal influenced by personal factors and environmental factors. However, most previous protection motivation security studies discussed information security behavioral intention from the threat appraisal and coping appraisal, but neglected the effects of environmental factors and personal factors on cognitive process. Therefore, this study considers the whole picture of protection motivation theory to include the social influence of environmental factors as well as previous security experience and information security awareness of personal factors then explores these impacts on threat appraisal and coping appraisal. We also discuss the impacts of threat appraisal and coping appraisal on information security behavioral intentions. Through the survey of online web questionnaires, we found that social influence significantly impacted threat appraisal, information security awareness significantly impacted coping appraisal, and previous security experience significantly impacted threat appraisal and coping appraisal. The perceived severity, self-efficacy and response efficacy had positive effects on information security behavioral intention, and response cost negatively impacted information security behavioral intention. The perceived vulnerability of threat appraisal had no significant impact on information security behavioral intention. This study suggests that the level of threat appraisal and coping appraisal can be raised by increasing user's previous security experience, information security awareness and social influence, and thereby increase the information security behavior intention.

目錄

壹、	緒論(Introduction)	1
一、	研究背景與動機	1
二、	研究目的	6

貳、	文獻探討(Literature review)	7
一、	保護動機理論(Protection motivation theory)	7
(一)	威脅評估(Threat appraisal)	8
(二)	應對評估(Coping appraisal)	10
(三)	保護動機來源	19
二、	資訊安全行為意圖(Information security behavioral intentions)	24

參、	研究假說(Research hypothesis)	36
一、	研究架構	36
二、	研究假說	38
(一)	威脅評估和應對評估與資訊安全行為意圖	38
(二)	社會影響與威脅評估	41
(三)	先前安全經驗與威脅評估和應對評估	42
(四)	資訊安全意識與應對評估	45

肆、	研究方法(Research methods)	47
一、	資料蒐集	47
二、	構念衡量	48
(一)	社會影響	49
(二)	先前安全經驗	49
(三)	資訊安全意識	50
(四)	感知嚴重性	51
(五)	感知易感性	52
(六)	自我效能	52
(七)	回應效能	53
(八)	回應成本	53
(九)	資訊安全行為意圖	54

伍、	資料分析與結果(Data analysis)	56
一、	資料分析方法	56
二、	基本資料描述	56
三、	信度與效度分析	58
四、	結構模型分析	63
五、	資料分析結果	66

陸、	討論與建議(Discussion)	67
一、	研究結果	67
(一)	社會影響對威脅評估假設檢定結果	67
(二)	先前安全經驗對威脅評估與應對評估假設檢定結果	67
(三)	資訊安全意識對應對評估假設檢定結果	68
(四)	威脅評估與應對評估對資訊安全行為意圖假設檢定結果	68
二、	學術上的貢獻	69
三、	管理上的意涵	70
四、	研究限制	72
五、	未來研究建議	72

參考文獻	74
附錄一 研究問卷	84

表目錄

表2- 1 保護動機理論的元素	12
表2- 2 回顧保護動機理論對組織使用者在資訊安全行為領域之研究	13
表2- 3 回顧保護動機理論對一般使用者在資訊安全行為領域之研究	16
表2- 4 組織使用者的資訊安全研究	24
表2- 5 家庭或一般使用者的資訊安全之研究	28

表4- 1 前測信度分析	47
表4- 2 社會影響衡量題項	49
表4- 3 先前安全經驗衡量題項	50
表4- 4 資訊安全意識衡量題項	50
表4- 5 感知嚴重性衡量題項	51
表4- 6 感知易感性衡量題項	52
表4- 7 自我效能衡量題項	52
表4- 8 回應效能衡量題項	53
表4- 9 回應成本衡量題項	54
表4- 10 資訊安全行為意圖衡量題項	54

表5- 1 基本資料統計數據(N=681)	57
表5- 2 信度分析表	58
表5- 3 收斂效度分析表	59
表5- 4 區別效度分析表	62
表5- 5 假說檢定結果	66

圖目錄

圖2- 1 保護動機理論架構圖	8
圖2- 2 保護動機理論模型	8
圖2- 3 經驗學習週期	22

圖3- 1 本研究模型	37

圖5- 1 研究模型之路徑分析	65

1.	Abraham, S., and Chengalur-Smith, I. 2010. "An overview of social engineering malware: Trends, tactics, and implications," Technology in Society (32:3), pp. 183-196.
2.	AIPM 2012. "AIPM project manager reader survey," Australian Institute of Project Management: Australian.
3.	Ajzen, I. 1991. "The theory of planned behavior," Organizational behavior and human decision processes (50:2), pp. 179-211.
4.	Anderson, C. L., and Agarwal, R. 2010. "Practicing safe computing: A multimedia empirical examination of home computer user security behavioral intentions," MIS Quarterly (34:3), pp. 613-643.
5.	Bandura, A. 1977. "Self-efficacy: Toward a unifying theory of behavioral change," Psychological Review (84:2), pp. 191-215.
6.	Bandura, A. 1986. "Social foundations of thought and action," The health psychology reader), pp. 94-106.
7.	Bandura, A. 1998. "Health promotion from the perspective of social cognitive theory," Psychology and Health (13:4), pp. 623-649.
8.	Bandura, A., Adams, N., Hardy, A., and Howells, G. 1980. "Tests of the generality of self-efficacy theory," Cognitive Therapy and Research (4:1), pp. 39-66.
9.	Belanger, F., Hiller, J. S., and Smith, W. J. 2002. "Trustworthiness in electronic commerce: The role of privacy, security, and site attributes," Journal of Strategic Information Systems (11:3-4), pp. 245-270.
10.	Boer, H., and Seydel, E. R. 1996. Protection motivation theory, Open University Press: Buckingham.
11.	Bollen, K. A., and Stine, R. A. 1992. "Bootstrapping goodness-of-fit measures in structural equation models," Sociological Methods & Research (21:2), pp. 205-229.
12.	Bondarouk, T. V. 2006. "Action-oriented group learning in the implementation of information technologies: Results from three case studies," European Journal of Information Systems (15:1), pp. 42-53.
13.	Bulgurcu, B., Cavusoglu, H., and Benbasat, I. 2010. "Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness," MIS Quarterly: Management Information Systems (34:3), pp. 523-548.
14.	Chai, S., Bagchi-Sen, S., Morrell, C., Rao, H. R., and Upadhyaya, S. J. 2009. "Internet and online information privacy: An exploratory study of preteens and early teens," IEEE Transactions on Professional Communication (52:2), pp. 167-182.
15.	Chang, M. 1998. "Predicting unethical behavior: A comparison of the theory of reasoned action and the theory of planned behavior," Journal of Business Ethics (17:16), pp. 1825-1834.
16.	Chen, C. C., Medlin, B. D., and Shaw, R. 2008. "A cross-cultural investigation of situational information security awareness programs," Information Management and Computer Security (16:4), pp. 360-376.
17.	Chen, R., Wang, J., Herath, T., and Rao, H. R. 2011. "An investigation of email processing from a risky decision making perspective," Decision Support Systems (52:1), pp. 73-81.
18.	Chenoweth, T., Minch, R., and Gattiker, T. 2009. "Application of protection motivation theory to adoption of protective technologies," Proceedings of the 42nd Hawaii International Conference on System Sciences, Hawaii, pp. 1-10.
19.	Chin 1998. "The partial least squares approach to structural equation modeling," Modern Methods for Business Research, pp. 295-336.
20.	Cho, H., Lee, J.-S., and Chung, S. 2010. "Optimistic bias about online privacy risks: Testing the moderating effects of perceived controllability and prior experience," Computers in Human Behavior (26:5), pp. 987-995.
21.	Claar, C., and Johnson, J. 2012. "Analyzing home PC security adoption behavior," Journal of Computer Information Systems (52:4), pp. 20-29.
22.	Conklin, W. A. 2006. Computer security behaviors of home PC users: A diffusion of innovation approach, The University of Texas.
23.	D'Arcy, J., and Herath, T. 2011. "A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings," European Journal of Information Systems (20:6), pp. 643-658.
24.	D'Arcy, J., and Hovav, A. 2009. "Does one size fit all? Examining the differential effects of IS security countermeasures," Journal of Business Ethics (89), pp. 59-71.
25.	D'Arcy, J., Hovav, A., and Galletta, D. 2009. "User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach," Information Systems Research (20:1), pp. 79-98.
26.	Davis, C. J., and Hufnagel, E. M. 2007. "Through the eyes of experts: A socio-cognitive perspective on the automation of fingerprint work," MIS Quarterly: Management Information Systems (31:4), pp. 681-703.
27.	Dhillon, G. 2001. "Violation of safeguards by trusted personnel and understanding related information security concerns," Computers and Security (20:2), pp. 165-172.
28.	Dinev, T., Goo, J., Hu, Q., and Nam, K. 2009. "User behaviour towards protective information technologies: The role of national cultural differences," Information Systems Journal (19:4), pp. 391-412.
29.	Dinev, T., and Hu, Q. 2007. "The centrality of awareness in the formation of user behavioral intention toward protective information technologies," Journal of the Association of Information Systems (8:7), pp. 386-408.
30.	Dodge Jr, R. C., Carver, C., and Ferguson, A. J. 2007. "Phishing for user security awareness," Computers & Security (26:1), pp. 73-80.
31.	Donaldson, T., and Dunfee, T. W. 1994. "Toward a unified conception of business ethics: Integrative social contracts theory," The Academy of Management Review (19:2), pp. 252-284.
32.	Dorn, L., and Brown, B. 2003. "Making sense of invulnerability at work—a qualitative study of police drivers," Safety Science (41:10), pp. 837-859.
33.	Ettredge, M. L., and Richardson, V. J. 2003. "Information transfer among internet firms: the case of hacker attacks," Journal of Information Systems (17:2), pp. 71-82.
34.	Fishbein, M., and Ajzen, I. 1975. Belief, attitude, intention and behavior: An introduction to theory and research.
35.	Floyd, D. L., Prentice-Dunn, S., and Rogers, R. W. 2000. "A meta-analysis of research on protection motivation theory," Journal of Applied Social Psychology (30:2), pp. 407-429.
36.	Fornell, C., and Larcker, D. F. 1981. "Evaluating structural equation models with unobservable variables and measurement error," Journal of Marketing Research (18:1), pp. 39-50.
37.	Frank, K. A., Zhao, Y., and Borman, K. 2004. "Social capital and the diffusion of innovations within organizations: The case of computer technology in schools," Sociology of Education (77:2), pp. 148-171.
38.	Fulk, J. 1993. "Social construction of communication technology," Academy of Management Journal (36:5), pp. 921-950.
39.	Furnell, S. M., Bryant, P., and Phippen, A. D. 2007. "Assessing the security perceptions of personal Internet users," Computers and Security (26:5), pp. 410-417.
40.	Gardner, M., and Steinberg, L. 2005. "Peer influence on risk taking, risk preference, and risky decision making in adolescence and adulthood: An experimental study," Developmental psychology (41:4), pp. 625-635.
41.	Goddard, R. D., Hoy, W. K., and Hoy, A. W. 2004. "Collective efficacy beliefs: Theoretical developments, empirical evidence, and future directions," Educational Researcher (33:3), pp. 3-13.
42.	Goodhue, D. L., and Straub, D. W. 1991. "Security concerns of system users: A study of perceptions of the adequacy of security," Information and Management (20:1), pp. 13-27.
43.	Grothmann, T., and Reusswig, F. 2006. "People at risk of flooding: Why some residents take precautionary action while others do not," Natural Hazards (38:1-2), pp. 101-120.
44.	Gurung, A., Luo, X., and Liao, Q. 2009. "Consumer motivations in taking action against spyware: An empirical investigation," Information Management and Computer Security (17:3), pp. 276-289.
45.	Harrington, S., Anderson, C. L., and Agarwal, R. 2006. "Practicing safe computing: Message framing, self-view, and home computer user security behavior intentions," Proceedings of the 27th International Conference on Information Systems, pp. 1543-1561.
46.	Harrington, S. J. 1996. "The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions," MIS Quarterly (20:3), pp. 257-277.
47.	Herath, T., and Rao, H. R. 2009a. "Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness," Decision Support Systems (47:2), pp. 154-165.
48.	Herath, T., and Rao, H. R. 2009b. "Protection motivation and deterrence: A framework for security policy compliance in organisations," European Journal of Information Systems (18:2), pp. 106-125.
49.	Higgins, N. C., St Amand, M. D., and Poole, G. D. 1997. "The controllability of negative life experiences mediates unrealistic optimism," Social Indicators Research (42:3), pp. 299-323.
50.	Hong, S.-J., and Tam, K. Y. 2006. "Understanding the adoption of multipurpose information appliances: The case of mobile data services," Information Systems Research (17:2), pp. 162-179.
51.	Hovav, A., and D'Arcy, J. 2012. "Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the U.S. and South Korea," Information and Management (49:2), pp. 99-110.
52.	Howe, A. E., Ray, I., Roberts, M., Urbanska, M., and Byrne, Z. 2012. "The psychology of security for the home computer user," Proceedings of the 2012 IEEE Symposium on Security and Privacy, pp. 209-223.
53.	Hu, Q., and Dinev, T. 2005. "Is spyware an internet nuisance or public menace?," Communications of the ACM (48:8), pp. 61-66.
54.	Hu, Q., Hart, P., and Cooke, D. 2006. "The role of external influences on organizational information security practices: An institutional perspective," Proceedings of the 39th Annual Hawaii International Conference, pp. 1-10a.
55.	Ifinedo, P. 2012. "Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory," Computers and Security (31:1), pp. 83-95.
56.	IWS 2011. "World internet usage and population statistics," Internet World Stats: America.
57.	Janoff-Bulman, R., and Frieze, I. H. 1983. "A theoretical perspective for understanding reactions to victimization," Journal of Social Issues (39:2), pp. 1-17.
58.	Jefferson, D., Rubin, A. D., Simons, B., and Wagner, D. 2004. "Analyzing internet voting security," Communications of the ACM (47:10), pp. 59-64.
59.	Johnston, A. C., and Warkentin, M. 2010. "Fear appeals and information security behaviors: An empirical study," MIS Quarterly (34:3), pp. 549-566.
60.	Junglas, I. A., Johnson, N. A., and Spitzmuller, C. 2008. "Personality traits and concern for privacy: An empirical study in the context of location-based services," European Journal of Information Systems (17:4), pp. 387-402.
61.	Jutla, D. N., and Bodorik, P. 2005. "Sociotechnical architecture for online privacy," Security & Privacy, IEEE (3:2), pp. 29-39.
62.	Kara, M., and AŞTi, T. 2004. "Effect of education on self-efficacy of Turkish patients with chronic obstructive pulmonary disease," Patient Education and Counseling (55:1), pp. 114-120.
63.	Kaspersky 2012. "Digital consumer's online trends and risks," Kaspersky Corporation.
64.	Kiili, K. 2005. "Digital game-based learning: Towards an experiential gaming model," Internet and Higher Education (8:1), pp. 13-24.
65.	Kolb, A. Y., and Kolb, D. A. 2007. Experiential learning theory: A dynamic, holistic approach to management learning, education and development, Sage Publications: London.
66.	Kritzinger, E., and von Solms, S. H. 2010. "Cyber security for home users: A new way of protection through awareness enforcement," Computers & Security (29:8), pp. 840-847.
67.	Kumar, N., Mohan, K., and Holowczak, R. 2008. "Locking the door but leaving the computer vulnerable: Factors inhibiting home users' adoption of software firewalls," Decision Support Systems (46:1), pp. 254-264.
68.	Kuo, F.-Y., Chu, T.-H., Hsu, M.-H., and Hsieh, H.-S. 2004. "An investigation of effort–accuracy trade-off and the impact of self-efficacy on Web searching behaviors," Decision Support Systems (37:3), pp. 331-342.
69.	Lai, F., Li, D., and Hsieh, C. T. 2012. "Fighting identity theft: The coping perspective," Decision Support Systems (52:2), pp. 353-363.
70.	Lazarus, R. S. 1993. "Coping theory and research: Past, present, and future," Fifty Years of the Research and Theory of RS Lazarus: An Analysis of Historical and Perennial Issues), pp. 366-388.
71.	Lee, D., Larose, R., and Rifon, N. 2008. "Keeping our network safe: A model of online protection behaviour," Behaviour and Information Technology (27:5), pp. 445-454.
72.	Lee, S. M., Lee, S. G., and Yoo, S. 2004. "An integrative model of computer abuse based on social control and general deterrence theories," Information and Management (41:6), pp. 707-718.
73.	Lee, Y. 2011. "Understanding anti-plagiarism software adoption: An extended protection motivation theory perspective," Decision Support Systems (50:2), pp. 361-369.
74.	Lee, Y., and Kozar, K. 2008. "An empirical investigation of anti-spyware software adoption: A multitheoretical perspective," Information and Management (45:2), pp. 109-119.
75.	Lee, Y., and Kozar, K. A. 2005. "Investigating factors affecting the adoption of anti-spyware systems," Communications of the ACM (48:8), pp. 72-77.
76.	Lee, Y., and Larsen, K. R. 2009. "Threat or coping appraisal: Determinants of SMB executives′ decision to adopt anti-malware software," European Journal of Information Systems (18:2), pp. 177-187.
77.	Li, H., Zhang, J., and Sarathy, R. 2010. "Understanding compliance with internet use policy from the perspective of rational choice theory," Decision Support Systems (48:4), pp. 635-645.
78.	Li, Y. 2012. "Theories in online information privacy research: A critical review and an integrated framework," Decision Support Systems (54:1), pp. 471-481.
79.	Li, Y., and Siponen, M. 2011. "A call for research on home users' information security behavior," Proceedings of the 15th Pacific Asia Conference on Information Systems, Brisbane, pp. 1-11.
80.	Liang, H., and Xue, Y. 2010. "Understanding security behaviors in personal computer usage: A threat avoidance perspective," Journal of the Association for Information Systems (11:7), pp. 394-413.
81.	Madsen, D. 1987. "Political self-efficacy tested," The American Political Science Review (81:2), pp. 571-581.
82.	Matwyshyn, A. 2006. "Penetrating the zombie collective: Spam as an international security issue," SCRIPTed (3:4), pp. 370-388.
83.	Milne, S., Sheeran, P., and Orbell, S. 2000. "Prediction and intervention in health-related behavior: A meta-analytic review of protection motivation theory," Journal of Applied Social Psychology (30:1), pp. 106-143.
84.	Mohamed, N., and Ahmad, I. H. 2012. "Information privacy concerns, antecedents and privacy measure use in social networking sites: Evidence from Malaysia," Computers in Human Behavior (28:6), pp. 2366-2375.
85.	Moody, G. 2011. A multi-theoretical perspective on IS security behaviors, University of Oulu.
86.	Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T., and Vance, A. 2009. "What levels of moral reasoning and values explain adherence to information security rules? An empirical study," European Journal of Information Systems (18:2), pp. 126-139.
87.	Neuwirth, K., Dunwoody, S., and Griffin, R. J. 2000. "Protection motivation and risk communication," Risk Analysis (20:5), pp. 721-734.
88.	Ng, B. Y., Kankanhalli, A., and Xu, Y. C. 2009. "Studying users' computer security behavior: A health belief perspective," Decision Support Systems (46), pp. 815-825.
89.	Ng, B. Y., and Rahim, M. A. 2005. "A socio-behavioral study of home computer users' intention to practice security," Proceedings of the 9th Pacific Asia Conference on Information Systems, Bangkok, pp. 234-247.
90.	Nunnally, J. 1978. Assessment of Reliability, McGraw-Hill: New York.
91.	Pahnila, S., Siponen, M., and Mahmood, A. 2007. "Employees' behavior towards IS security policy compliance," Proceedings of the Annual Hawaii International Conference on System Sciences, Island, pp. 156-166.
92.	Parle, M., Maguire, P., and Heaven, C. 1997. "The development of a training model to improve health professionals' skills, self-efficacy and outcome expectancies when communicating with cancer patients," Social Science and Medicine (44:2), pp. 231-240.
93.	Pechmann, C., Zhao, G., Goldberg, M. E., and Reibling, E. T. 2003. "What to convey in antismoking advertisements for adolescents: The use of protection motivation theory to identify effective message themes," Journal of Marketing (67:2), pp. 1-18.
94.	Perry , W. G. 1970. Forms of intellectual and ethical development in the college years: A scheme. jossey-bass higher and adult education series.
95.	Piaget, J. 1975. The equilibrium of cognitive structures: The central problem of intellectual development, Chicago University Press.
96.	Pyszczynski, T., Greenberg, J., and Sheldon, S. 1997. "Why do we need what we need? A terror management perspective on the roots of human social motivation," Psychological Inquiry (8:1), pp. 1-20.
97.	Rhee, H. S., Kim, C., and Ryu, Y. U. 2009. "Self-efficacy in information security: Its influence on end users' information security practice behavior," Computers and Security (28:8), pp. 816-826.
98.	Richardson, B., Sorensen, J., and Soderstrom, E. J. 1987. "Explaining the social and psychological impacts of a nuclear power plant accident," Journal of Applied Social Psychology (17:1), pp. 16-36.
99.	Roe-Berning, S., and Straker, G. 1997. "The association between illusions of invulnerability and exposure to trauma," Journal of Traumatic Stress (10:2), pp. 319-327.
100.	Rogers, E. M. 1995. Diffusion of innovations, Simon and Schuster.
101.	Rogers, R. W. 1975. "A protection motivation theory of fear appeals and attitude change," Journal of Psychology (91:1), pp. 93-114.
102.	Rosenstock, I. M. 1966. "Why people use health services," The Milbank Memorial Fund Quarterly (83:4), pp. 94-127.
103.	Ruiter, R. A. C., Verplanken, B., Kok, G., and Werrij, M. Q. 2003. "The role of coping appraisal in reactions to fear appeals: Do we need threat information?," Journal of Health Psychology (8:4), pp. 465-474.
104.	Ryan, J. J. C. H. 2004. "Information security tools and practices: What works?," IEEE Transactions on Computers (53:8), pp. 1060-1063.
105.	Sasse, M. A., Brostoff, S., and Weirich, D. 2001. "Transforming the ‘weakest link’: A human/computer interaction approach to usable and effective security," BT Technology Journal (19:3), pp. 122-131.
106.	Schmitz, J., and Fulk, J. 1991. "Organizational colleagues, media richness, and electronic mail a test of the social Influence model of technology use," Communication Research (18:4), pp. 487-523.
107.	Shaw, R. S., Chen, C. C., Harris, A. L., and Huang, H. J. 2009. "The impact of information richness on information security awareness training effectiveness," Computers and Education (52:1), pp. 92-100.
108.	Sheeran, P. 2002. "Intention—behavior relations: A conceptual and empirical review," European Review of Social Psychology (12:1), pp. 1-36.
109.	Siponen, M., Pahnila, S., and Mahmood, A. 2006. "Factors influencing protection motivation and IS security policy a compliance," Proceedings of the 2006 Innovations in Information Technology, Dubai, pp. 1-5.
110.	Siponen, M., Pahnila, S., and Mahmood, A. 2007. "Employees’ adherence to information security policies: An empirical study," Proceedings of the IFIP International Federation for Information Processing, Springer US, pp. 133-144.
111.	Siponen, M., and Vance, A. 2010. "Neutralization: New insights into the problem of employee information systems security policy violations," MIS Quarterly (34:3), pp. 487-502.
112.	Siponen, M., Vance, A., and Willison, R. 2012. "New insights into the problem of software piracy: The effects of neutralization, shame, and moral beliefs," Information and Management (49:7-8), pp. 334-341.
113.	Sitkin, S. B., and Weingart, L. R. 1995. "Determinants of risky decision-making behavior: A test of the mediating role of risk perceptions and propensity," The Academy of Management Journal (38:6), pp. 1573-1592.
114.	Son, J. Y. 2011. "Out of fear or desire? Toward a better understanding of employees' motivation to follow IS security policies," Information and Management (48:7), pp. 296-302.
115.	Stafford, T. F., and Urbaczewski, A. 2004. "Spyware: The ghost in the machine," Communications of the Association for Information Systems (14), pp. 291-306.
116.	Stajkovic, A. D., and Luthans, F. 1998. "Self-efficacy and work-related performance: A meta-analysis," Psychological Bulletin (124:2), pp. 240-261.
117.	Stanton, J. M., Stam, K. R., Mastrangelo, P., and Jolton, J. 2005. "Analysis of end user security behaviors," Computers & Security (24:2), pp. 124-133.
118.	Stanton, J. M., Stam, K. R., Mastrangelo, P. R., and Jolton, J. 2004. "Behavioral information security: Two end user survey studies of motivation and security practices," Proceedings of the 10th Americas Conference on Information Systems, New York, pp. 1-7.
119.	Stephen J. Hoch 2002. "Product experience is seductive," Journal of Consumer Research (29:3), pp. 448-454.
120.	Symantec 2012. "Annual symantec internet security threat report peveals 81 percent increase in malicious attacks," Symantec Corporation: Calif.
121.	Tsui, L. 2000. "Effects of campus culture on students' critical thinking," The Review of Higher Education (23:4), pp. 421-441.
122.	Vance, A., Siponen, M., and Pahnila, S. 2012. "Motivating IS security compliance: Insights from habit and protection motivation theory," Information and Management (49:3-4), pp. 190-198.
123.	Venkatesh, V., and Brown, S. A. 2001. "A longitudinal investigation of personal computers in homes: Adoption determinants and emerging challenges," MIS Quarterly (25:1), pp. 71-98.
124.	Venkatesh, V., and Davis, F. D. 2000. "A theoretical extension of the technology acceptance model: Four longitudinal field studies," Management science (46:2), pp. 186-204.
125.	Venkatesh, V., and Morris, M. G. 2000. "Why don't men ever stop to ask for directions? Gender, social influence, and their role in technology acceptance and usage behavior," MIS Quarterly: Management Information Systems (24:1), pp. 115-136.
126.	Venkatesh, V., Morris, M. G., Gordon, B. D., and Davis, F. D. 2003. "User acceptance of information technology: Toward a unified view," MIS Quarterly (27:3), pp. 425-478.
127.	Villeneuve, N., Deibert, R., and Rohozinski, R. 2010. Koobface: Inside a crimeware network, Munk School of Global Affairs.
128.	Vroom, C., and vonSolms, R. 2004. "Towards information security behavioural compliance," Computers & Security (23), pp. 191-198.
129.	Ward, M. R., and Hunsinger, D. S. 2010. "Spyware: What influences college students to use anti-spyware tools?," Journal of Information Systems Applied Research (3:4), pp. 3-13.
130.	Webb, T. L., and Sheeran, P. 2006. "Does changing behavioral intentions engender behavior change? A meta-analysis of the experimental evidence," Psychological Bulletin (132:2), pp. 249-268.
131.	Weirich, D., and Sasse, M. A. 2001. "Pretty good persuasion: a first step towards effective password security in the real world," Proceedings of the 2001 workshop on New security paradigms, pp. 137-143.
132.	Wood, R., and Bandura, A. 1989. "Social cognitive theory of organizational management," The Academy of Management Review (14:3), pp. 361-384.
133.	Woon, I., Tan, G.-W., and Low, R. 2005. "A protection motivation theory approach to home wireless security," Proceedings of the 26th International Conference on Information Systems, Las Vegas, pp. 367-380.
134.	Workman, M., Bommer, W. H., and Straub, D. 2008. "Security lapses and the omission of information security measures: A threat control model and empirical test," Computers in Human Behavior (24:6), pp. 2799-2816.
135.	Youn, S. 2009. "Determinants of online privacy concern and its influence on privacy protection behaviors among young adolescents," Journal of Consumer Affairs (43:3), pp. 389-418.
136.	Zhang, L., and McDowell, W. C. 2009. "Am I really at risk? Determinants of online users' intentions to use strong passwords," Journal of Internet Commerce (8:3-4), pp. 180-197.