Difference between revisions of "Technology Threat Avoidance Theory (TTAT)"

From IS Theory
Jump to: navigation, search
(Concise description of theory)
m (Minor grammar edits)
Line 17: Line 17:
  
 
== Concise description of theory ==
 
== Concise description of theory ==
Technology Threat Avoidance Theory (TTAT) explains why and how individual IT users are engaged in threat avoidance behavior in voluntary setting. Against most studies that have examined IT security at the organizational level, TTAT provides a framework at the individual user level. The theory has been developed by Liang and Xue<ref name=":0"><small>Liang, H., & Xue, Y. (2009, March). Avoidance of Information Technology Threats: A Theoretical Perspective. ''MIS Quarterly, 33''(1), 71-90.</small></ref> by synthesizing the literature from diverse areas including psychology, health care, risk analysis, and information systems. The basic premise of TTAT is that when users perceive that an IT threat exists, they will be motivated to ''actively'' avoid an IT threat by taking a safeguarding measure if they believe that the threat can be avoidable by the safeguarding measure, or they will passively avoid the threat through emotion-focused coping if they perceive the threat not to be avoidable by any safeguarding measure available to them<ref name=":0" />.
+
Technology Threat Avoidance Theory (TTAT) explains why and how individual IT users engage in threat avoidance behaviors. Unlike most studies that have examined IT security at the organizational level, TTAT provides a framework at the individual user level. The theory has been developed by Liang and Xue<ref name=":0"><small>Liang, H., & Xue, Y. (2009, March). Avoidance of Information Technology Threats: A Theoretical Perspective. ''MIS Quarterly, 33''(1), 71-90.</small></ref> by synthesizing the literature from diverse areas including psychology, health care, risk analysis, and information systems. The basic premise of TTAT is that when users perceive that an IT threat exists, they will be motivated to ''actively'' avoid an IT threat by taking a safeguarding measure if they believe that the threat can be avoided by following the safeguarding measure, or they will passively avoid the threat through emotion-focused coping if they perceive the threat not to be avoidable by any safeguarding measure available to them<ref name=":0" />.
  
 
TTAT describes the processes and factors influencing individual users’ IT threat avoidance behavior. Drawing on cybernetic theory<ref><small>Carver, C. S., & Scheier, M. F. (1982). Control Theory: A Useful Conceptual Framework for Personality-Social, Clinical, and Health Psychology. ''Psychological Bulletin, 92''(1), 111-135.</small></ref><ref><small>Edwards, J. (1992). A Cybernetic Theory of Stress, Coping, and Weil-Being in Organizations. ''Academy of Management Review, 17''(2), 238-274.</small></ref>, TTAT posits that IT threat avoidance behavior can be represented by a cybernetic process in which users intend to enlarge the distance between their current security state and the undesired (unsafe) end state. With the help of coping theory<ref><small>Lazarus, R. (1966). ''Psychological Stress and the Coping Process.'' New York: McGraw-Hill.</small></ref><ref><small>Lazarus, R., & Folkman, S. (1984). ''Stress, Coping, and Adaptation.'' New York: Springer-Verlag.</small></ref>, TTAT submits that users experience two cognitive processes, threat appraisal and coping appraisal.  First, users appraise or assess the situation whether the IT threat exists and to what degree it exists. Then they decide what action they will take to avoid it—problem-focused coping and/or emotion-focused coping. TTAT identifies some key factors that explain user perception and motivation in this process. Integrating the literature of risk analysis<ref><small>Baskerville, R. (1991a). "Risk Analysis: An Interpretive Feasibility Tool in Justifying Information Systems Security". ''European Journal of Information Systems, 1''(2), 121-130.</small></ref><ref><small>Baskerville, R. (1991b). "Risk Analysis as a Source of Professional Knowledge". ''Computer & Security, 10''(8), 749-764.</small></ref> and health psychology<ref name=":1"><small>Janz, N. K., & Becker, M. H. (1984). The Health Belief Model: A Decade Later. ''Health Education Quarterly, 11''(1), 1-45.</small></ref><ref><small>Rogers, R. W. (1983). Cognitive and Physiological Process in Fear Appeals and Attitude Change: A Revised Theory of Protection Motivation. In R. Petty, ''Social Psychophysiology: A Source Book'' (pp. 153-176). New York: Guilford Press.</small></ref><ref><small>Weinstein, N. D. (2000). Perceived Probability, Perceived Severity, and Health-Protective Behavior. ''Health Psychology, 19''(1), 65-74.</small></ref>, TTAT suggests that users’ threat perception is determined by the perceived probability of the threat's occurrence and the perceived severity of the threat's negative consequences. Based on prior research on health protective behavior<ref name=":1" /><ref><small>Maddus, J. E., & Rogers, R. W. (1983). Protection Motivation and Self-Efficacy : A Revised Theory of Fear Appeals and Attitude Change. ''Journal of Experimental Social Psychology, 19'', 469-479.</small></ref> and self-efficacy<ref><small>Bandura, A. (1982). Self-Efficacy Mechanism in Human Agency. ''American Psychologist, 37'', 122-147.</small></ref><ref><small>Compeau, D. R., & Higgins, C. A. (1995). Computer Self-Efficacy: Development of A Measure and Initial Test. ''MIS Quarterly, 19''(2), 189-211.</small></ref>, TTAT proposes that users conceive three factors to assess to what extent the threat can be made avoidable by taking a safeguarding measure—the effectiveness of the safeguarding measure, the costs of the measure, and users' self-efficacy of applying the measure.
 
TTAT describes the processes and factors influencing individual users’ IT threat avoidance behavior. Drawing on cybernetic theory<ref><small>Carver, C. S., & Scheier, M. F. (1982). Control Theory: A Useful Conceptual Framework for Personality-Social, Clinical, and Health Psychology. ''Psychological Bulletin, 92''(1), 111-135.</small></ref><ref><small>Edwards, J. (1992). A Cybernetic Theory of Stress, Coping, and Weil-Being in Organizations. ''Academy of Management Review, 17''(2), 238-274.</small></ref>, TTAT posits that IT threat avoidance behavior can be represented by a cybernetic process in which users intend to enlarge the distance between their current security state and the undesired (unsafe) end state. With the help of coping theory<ref><small>Lazarus, R. (1966). ''Psychological Stress and the Coping Process.'' New York: McGraw-Hill.</small></ref><ref><small>Lazarus, R., & Folkman, S. (1984). ''Stress, Coping, and Adaptation.'' New York: Springer-Verlag.</small></ref>, TTAT submits that users experience two cognitive processes, threat appraisal and coping appraisal.  First, users appraise or assess the situation whether the IT threat exists and to what degree it exists. Then they decide what action they will take to avoid it—problem-focused coping and/or emotion-focused coping. TTAT identifies some key factors that explain user perception and motivation in this process. Integrating the literature of risk analysis<ref><small>Baskerville, R. (1991a). "Risk Analysis: An Interpretive Feasibility Tool in Justifying Information Systems Security". ''European Journal of Information Systems, 1''(2), 121-130.</small></ref><ref><small>Baskerville, R. (1991b). "Risk Analysis as a Source of Professional Knowledge". ''Computer & Security, 10''(8), 749-764.</small></ref> and health psychology<ref name=":1"><small>Janz, N. K., & Becker, M. H. (1984). The Health Belief Model: A Decade Later. ''Health Education Quarterly, 11''(1), 1-45.</small></ref><ref><small>Rogers, R. W. (1983). Cognitive and Physiological Process in Fear Appeals and Attitude Change: A Revised Theory of Protection Motivation. In R. Petty, ''Social Psychophysiology: A Source Book'' (pp. 153-176). New York: Guilford Press.</small></ref><ref><small>Weinstein, N. D. (2000). Perceived Probability, Perceived Severity, and Health-Protective Behavior. ''Health Psychology, 19''(1), 65-74.</small></ref>, TTAT suggests that users’ threat perception is determined by the perceived probability of the threat's occurrence and the perceived severity of the threat's negative consequences. Based on prior research on health protective behavior<ref name=":1" /><ref><small>Maddus, J. E., & Rogers, R. W. (1983). Protection Motivation and Self-Efficacy : A Revised Theory of Fear Appeals and Attitude Change. ''Journal of Experimental Social Psychology, 19'', 469-479.</small></ref> and self-efficacy<ref><small>Bandura, A. (1982). Self-Efficacy Mechanism in Human Agency. ''American Psychologist, 37'', 122-147.</small></ref><ref><small>Compeau, D. R., & Higgins, C. A. (1995). Computer Self-Efficacy: Development of A Measure and Initial Test. ''MIS Quarterly, 19''(2), 189-211.</small></ref>, TTAT proposes that users conceive three factors to assess to what extent the threat can be made avoidable by taking a safeguarding measure—the effectiveness of the safeguarding measure, the costs of the measure, and users' self-efficacy of applying the measure.

Revision as of 15:20, 23 February 2017

Acronym

  • TTAT

Alternate name(s)

Main dependent construct(s)/factor(s)

Avoidance behavior

Emotion-focused coping

Main independent construct(s)/factor(s)

Risk tolerance, Social influence

Users’ perceived susceptibility and severity of malicious IT

A safeguarding measure's effectiveness, costs, and users' self-efficacy toward it

Concise description of theory

Technology Threat Avoidance Theory (TTAT) explains why and how individual IT users engage in threat avoidance behaviors. Unlike most studies that have examined IT security at the organizational level, TTAT provides a framework at the individual user level. The theory has been developed by Liang and Xue[1] by synthesizing the literature from diverse areas including psychology, health care, risk analysis, and information systems. The basic premise of TTAT is that when users perceive that an IT threat exists, they will be motivated to actively avoid an IT threat by taking a safeguarding measure if they believe that the threat can be avoided by following the safeguarding measure, or they will passively avoid the threat through emotion-focused coping if they perceive the threat not to be avoidable by any safeguarding measure available to them[1].

TTAT describes the processes and factors influencing individual users’ IT threat avoidance behavior. Drawing on cybernetic theory[2][3], TTAT posits that IT threat avoidance behavior can be represented by a cybernetic process in which users intend to enlarge the distance between their current security state and the undesired (unsafe) end state. With the help of coping theory[4][5], TTAT submits that users experience two cognitive processes, threat appraisal and coping appraisal.  First, users appraise or assess the situation whether the IT threat exists and to what degree it exists. Then they decide what action they will take to avoid it—problem-focused coping and/or emotion-focused coping. TTAT identifies some key factors that explain user perception and motivation in this process. Integrating the literature of risk analysis[6][7] and health psychology[8][9][10], TTAT suggests that users’ threat perception is determined by the perceived probability of the threat's occurrence and the perceived severity of the threat's negative consequences. Based on prior research on health protective behavior[8][11] and self-efficacy[12][13], TTAT proposes that users conceive three factors to assess to what extent the threat can be made avoidable by taking a safeguarding measure—the effectiveness of the safeguarding measure, the costs of the measure, and users' self-efficacy of applying the measure.

References:

Bandura, A. (1982). Self-Efficacy Mechanism in Human Agency. American Psychologist, 37, 122-147.

Baskerville, R. (1991a). "Risk Analysis: An Interpretive Feasibility Tool in Justifying Information Systems Security". European Journal of Information Systems, 1(2), 121-130.

Baskerville, R. (1991b). "Risk Analysis as a Source of Professional Knowledge". Computer & Security, 10(8), 749-764.

Carver, C. S., & Scheier, M. F. (1982). Control Theory: A Useful Conceptual Framework for Personality-Social, Clinical, and Health Psychology. Psychological Bulletin, 92(1), 111-135.

Compeau, D. R., & Higgins, C. A. (1995). Computer Self-Efficacy: Development of A Measure and Initial Test. MIS Quarterly, 19(2), 189-211.

Edwards, J. (1992). A Cybernetic Theory of Stress, Coping, and Weil-Being in Organizations. Academy of Management Review, 17(2), 238-274.

Janz, N. K., & Becker, M. H. (1984). The Health Belief Model: A Decade Later. Health Education Quarterly, 11(1), 1-45.

Lazarus, R. (1966). Psychological Stress and the Coping Process. New York: McGraw-Hill.

Lazarus, R., & Folkman, S. (1984). Stress, Coping, and Adaptation. New York: Springer-Verlag.

Liang, H., & Xue, Y. (2009, March). Avoidance of Information Technology Threats: A Theoretical Perspective. MIS Quarterly, 33(1), 71-90.

Maddus, J. E., & Rogers, R. W. (1983). Protection Motivation and Self-Efficacy : A Revised Theory of Fear Appeals and Attitude Change. Journal of Experimental Social Psychology, 19, 469-479.

Rogers, R. W. (1983). Cognitive and Physiological Process in Fear Appeals and Attitude Change: A Revised Theory of Protection Motivation. In R. Petty, Social Psychophysiology: A Source Book (pp. 153-176). New York: Guilford Press.

Weinstein, N. D. (2000). Perceived Probability, Perceived Severity, and Health-Protective Behavior. Health Psychology, 19(1), 65-74.

Diagram/schematic of theory

Originating author(s)

  • Liang and Xue (2009)

Seminal articles

Liang, H., & Xue, Y. (2009, March). Avoidance of Information Technology Threats: A Theoretical Perspective. MIS Quarterly, 33(1), 71-90.

Originating area

Level of analysis

  • Individual

Links to WWW sites describing theory

Links from this theory to other theories

IS articles that use the theory

Arachchilage, N. A., & Love, S. (2014, September). Security awareness of computer users: A phishing threat avoidance perspective. Computers in Human Behavior, 38, 304-312.

Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J., & Rao, H. R. (2014, January). Security services as coping mechanisms: an investigation into user intention to adopt an email authentication service. Information Systems Journal, 24(1), 61-84

Lai, F., Li, D., & Hsieh, C.-T. (2012, January). Fighting Identity Theft: The Coping Perspective. Decision Support Systems, 52(2), 353-363.

Liang, H., & Xue, Y. (2010, July). Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective. Journal of the Association for Information Systems, 11(7), 394-413.

Contributor(s)

  • Anupriya Khan

Date last updated

  • 1.0 1.1 Liang, H., & Xue, Y. (2009, March). Avoidance of Information Technology Threats: A Theoretical Perspective. MIS Quarterly, 33(1), 71-90.
  • Carver, C. S., & Scheier, M. F. (1982). Control Theory: A Useful Conceptual Framework for Personality-Social, Clinical, and Health Psychology. Psychological Bulletin, 92(1), 111-135.
  • Edwards, J. (1992). A Cybernetic Theory of Stress, Coping, and Weil-Being in Organizations. Academy of Management Review, 17(2), 238-274.
  • Lazarus, R. (1966). Psychological Stress and the Coping Process. New York: McGraw-Hill.
  • Lazarus, R., & Folkman, S. (1984). Stress, Coping, and Adaptation. New York: Springer-Verlag.
  • Baskerville, R. (1991a). "Risk Analysis: An Interpretive Feasibility Tool in Justifying Information Systems Security". European Journal of Information Systems, 1(2), 121-130.
  • Baskerville, R. (1991b). "Risk Analysis as a Source of Professional Knowledge". Computer & Security, 10(8), 749-764.
  • 8.0 8.1 Janz, N. K., & Becker, M. H. (1984). The Health Belief Model: A Decade Later. Health Education Quarterly, 11(1), 1-45.
  • Rogers, R. W. (1983). Cognitive and Physiological Process in Fear Appeals and Attitude Change: A Revised Theory of Protection Motivation. In R. Petty, Social Psychophysiology: A Source Book (pp. 153-176). New York: Guilford Press.
  • Weinstein, N. D. (2000). Perceived Probability, Perceived Severity, and Health-Protective Behavior. Health Psychology, 19(1), 65-74.
  • Maddus, J. E., & Rogers, R. W. (1983). Protection Motivation and Self-Efficacy : A Revised Theory of Fear Appeals and Attitude Change. Journal of Experimental Social Psychology, 19, 469-479.
  • Bandura, A. (1982). Self-Efficacy Mechanism in Human Agency. American Psychologist, 37, 122-147.
  • Compeau, D. R., & Higgins, C. A. (1995). Computer Self-Efficacy: Development of A Measure and Initial Test. MIS Quarterly, 19(2), 189-211.