Through a prime lens: a review of the extension of protection motivation theory to study user information security behaviours within organisations

Abstract

Information security breaches have become more prevalent and severe for organisations, with users often being labelled as both the cause of such breaches and, lately, the first line of defence against such breaches. The dual role of users in information security has led to the study of user information security behaviour, especially in understanding the factors that influence users' motivation to behave in a manner that enhances or exposes organisational information security. Behavioural Information Security, a field dedicated to the study of user information security behaviour, has emerged and grown to provide a sturdy foundation for scholarly advancements in the field; however, the literature has remained contradictory and divergent. Although reviews have been conducted to address the disjointed literature, this review employs Protection Motivation Theory as a primary theory to synthesise the literature, examining how it has been extended in specific contexts. In doing so, it highlights how the theory is integrated with others to understand user behaviour in organisational information security, using a common base. This paper reviews existing literature using the PRISMA framework, identifying and analysing prominent academic research papers in Behavioural Information Security. Eight dimensions that share commonalities with the Protection Motivation Theory in Behavioural Information Security were highlighted. These eight dimensions are examined, gaps identified, and a roadmap for future research is provided.