Compliance with security guidelines in teenagers
The conflicting role of peer influence and personal norms
What drives teenagers to comply with computer password guidelines? Using an extended form of protection motivation theory (PMT) (Rogers, 1983), we found that even if teenage computer users believe they are susceptible to being hacked, or that being hacked would be detrimental, it has no bearing on their password choices. Other motives outside of PMT also drive teenage security behaviour. Personal norms fully mediate the relationship between the perceived severity of threat and compliance intentions such that perceived severity is not sufficient to encourage compliance. Teenagers must actually feel obligated to comply. While personal norms may encourage compliance, concerns about feeling embarrassed or ashamed if their social media accounts are hacked into actually encourages compliance. On the other hand, peer influence, such as the fear of being teased about someone hacking into their account, discourages compliance. Our study contributes to understanding early security practices and highlights potential differences between adult and teenage behaviours to consider in future studies. For example, our findings suggest that password security guidelines alone will not suffice to ensure teenage compliance; they may need enforced password rules at the authentication level to eliminate any opportunity to violate password rules. Our study will benefit children and parents as well as organizations that have changed work practices to enable employees to work from home, but which places children in danger of clicking on malicious links on their parents’ computers. To our knowledge, this is the first password security study that applies PMT to examine computer-based security behaviours in teenagers.
Ablon, L., Libicki, M. C., & Golay, A. (2014). Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar. RAND Corporation.
ACMA. (2011). Young Australians’ experience of social media: Qualitative research report. Retrieved from https://www.acma.gov.au/-/media/mediacomms/Report/pdf/Like-post-share-Young-Australians-experiences-of-social-media-Qualitative-research-report.pdf?la=en
ACMA. (2013). Young Australians’ experience of social media: Quantitative research report. Retrieved from https://www.acma.gov.au/-/media/mediacomms/Report/pdf/Like-post-share-Young-Australians-experience-of-social-media-Quantitative-research-report.pdf?la=en
ACMA. (2016). Aussie teens and kids online. Retrieved from https://www.acma.gov.au/theACMA/engage-blogs/engage-blogs/Research-snapshots/Aussie-teens-and-kids-online
Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179–211.
Albert, D., Chein, J., & Steinberg, L. (2013). The teenage brain: Peer influences on adolescent decision making. Current directions in psychological science, 22(2) 114–120. BBC. (2012). Hackers spread malware via children's gaming websites. BBC Technology News. Retrieved from https://www.bbc.com/news/technology-16576542
Benitez, J., Henseler, J., Castillo, A., & Schuberth, F. (2020). How to perform and report an impactful analysis using partial least squares: Guidelines for confirmatory and explanatory IS research. Information & Management, 57(2), 103–168.
Boss, S., Galletta, D., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quarterly (MISQ), 39(4), 837–864).
Braue, D. (2020). Cyber attackers target children at home. Australian Computer Society, ICT News. Retrieved from https://ia.acs.org.au/article/2020/cyber-attackers-target-children-at-home.html
Brown, B. B. (2004). Adolescents’ relationships with peers. Handbook of adolescent psychology, 2. 363–394.
Buckingham, D., Banaji, S., Carr, D., Cranmer, S., & Willett, R. (2005). The media literacy of children and young people: A review of the research literature. pp. 1–76. London: London Knowledge Lab.
Burnett, S., Bird, G., Moll, J., Frith, C., & Blakemore, S.-J. (2009). Development during adolescence of the neural processing of social emotion. Journal of cognitive neuroscience, 21(9), 1736–1750.
Carrión, G. C., Nitzl, C., & Roldán, J. L. (2017). Mediation analyses in partial least squares structural equation modeling: Guidelines and empirical examples. In Partial least squares path modeling. (pp. 173–195). Springer, Cham.
Compeau, D. R., & Higgins, C. A. (1995). Computer self-efficacy: Development of a measure and initial test. MIS Quarterly, 19(2), 189–211.
Corron, L. (2018). Social Cyber Threats Facing Children and Teens in 2018. Retrieved from https://staysafeonline.org/blog/social-cyber-threats-facing-children-teens-2018/
Crossler, R. E., Andoh-Baidoo, F. K., & Menard, P. (2019). Espoused cultural values as antecedents of individuals’ threat and coping appraisal toward protective information technologies: Study of US and Ghana. Information & Management, 56(5), 754–766.
Cybersafe.org. (2016). Children's Internet Usage Study. Center for Cyber Safety and Education. Retrieved from https://www.iamcybersafe.org/s/parent-research
De Groot, J. I. M. (2010). Morality and Nuclear Energy: Perceptions of Risks and Benefits, Personal Norms, and Willingness to Take Action Related to Nuclear Energy Morality and Nuclear Energy. Risk analysis, 30(9), 1363–1373. doi:10.1111/j.1539-6924.2010.01419.x
De Groot, J. I. M., & Steg, L. (2009). Morality and prosocial behavior: The role of awareness, responsibility, and norms in the norm activation model. The Journal of social psychology, 149(4), 425–449.
DQ-Institute. (2018). Outsmart the Cyber-Pandemic: Empower Every Child with Digital Intelligence by 2020. Retrieved from https://www.dqinstitute.org/wp-content/uploads/2018/08/2018-DQ-Impact-Report.pdf
Elek, E., Miller-Day, M., & Hecht, M. L. (2006). Influences of personal, injunctive, and descriptive norms on early adolescent substance use. Journal of Drug Issues, 36(1), 147–172.
Fishbein, M., & Ajzen, I. (2010). Prediction and change of behavior: The reasoned action approach. New York: Psychology Press.
Floyd, D., Prentice-Dunn, S., & Rogers, R. (2000). A meta-analysis of research on protection motivation theory. Journal of applied social psychology, 30(2), 407–429.
Gardner, M., & Steinberg, L. (2005). Peer influence on risk taking, risk preference, and risky decision making in adolescence and adulthood: an experimental study. Developmental psychology, 41(4), 625.
Grasmick, H. G., & Bursik Jr, R. J. (1990). Conscience, significant others, and rational choice: Extending the deterrence model. Law and society review, 837–861.
Hair, J. F., Hult, G. T. M., Ringle, C., & Sarstedt, M. (2016). A primer on partial least squares structural equation modeling (PLS-SEM). Sage Publications.
Hair, J. F., Risher, J. J., Sarstedt, M., & Ringle, C. M. (2019). When to use and how to report the results of PLS-SEM. European Business Review, 31(1), 2-24. doi:10.1108/EBR-11-2018-0203
Henseler, J., Ringle, C. M., & Sarstedt, M. (2015). A new criterion for assessing discriminant validity in variance-based structural equation modeling. Journal of the academy of marketing science, 43(1), 115–135.
Henseler, J., & Sarstedt, M. (2013). Goodness-of-fit indices for partial least squares path modeling. Computational Statistics, 28(2), 565–580.
Jenkins, J. L., Grimes, M., Proudfoot, J. G., & Lowry, P. B. (2014). Improving password cyber security through inexpensive and minimally invasive means: Detecting and deterring password reuse through keystroke-dynamics monitoring and just-in-time fear appeals. Information Technology for Development, 20(2), 196–213.
Johnston, A. C., Warkentin, M., & Siponen, M. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS quarterly, 39(1), 113-134.
Kock, N. (2015). Common method bias in PLS-SEM: A full collinearity assessment approach. International Journal of e-Collaboration (IJEC), 11(4), 1–10.
Lee, Y., & Larsen, K. R. (2009). Threat or coping appraisal: Determinants of SMB executives decision to adopt anti-malware software. European Journal of Information Systems, 18(2), 177–187.
Li, L., He, W., Xu, L., Ash, I., Anwar, M., & Yuan, X. (2019). Investigating the impact of cyber security policy awareness on employees’ cyber security behavior. International Journal of Information Management, 45, 13–24. doi:https://doi.org/10.1016/j.ijinfomgt.2018.10.017
Livingstone, S., Mascheroni, G., & Staksrud, E. (2017). European research on children’s internet use: Assessing the past and anticipating the future. New media & society, 20(3), 1103–1122. doi:10.1177/1461444816685930
Lowry, P. B., & Gaskin, J. (2014). Partial least squares (PLS) structural equation modeling (SEM) for building and testing behavioral causal theory: When to choose it and how to use it. IEEE transactions on professional communication, 57(2), 123–146.
Lwin, M. O., Li, B., & Ang, R. P. (2012). Stop bugging me: An examination of adolescents’ protection behavior against online harassment. Journal of Adolescence, 35(1), 31–41. doi:https://doi.org/10.1016/j.adolescence.2011.06.007
Maddux, J. E., & Rogers, R. W. (1983). Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change. Journal of Experimental Social Psychology, 19(5), 469–479.
Maor, E. (2020). Recycling Credentials in Four Easy Steps. Retrieved from https://intsights.com/blog/recycling-credentials-in-four-easy-steps
Menard, P. (2018). The impact of collectivism and psychological ownership on protection motivation: A cross-cultural examination. Computers & Security, 75, 147–166. doi:10.1016/j.cose.2018.01.020
Menard, P., Bott, G. J., & Crossler, R. E. (2017). User motivations in protecting information security: Protection motivation theory versus self-determination theory. Journal of Management Information Systems, 34(4), 1203–1230.
Milne, S., Orbell, S., & Sheeran, P. (2000). Prediction and intervention in health-related behavior: A meta-analytic review of protection motivation theory. Journal of applied social psychology, 30(1), 106–143.
Milne, S., Orbell, S., & Sheeran, P. (2002). Combining motivational and volitional interventions to promote exercise participation: Protection motivation theory and implementation intentions. British Journal of Health Psychology, 7(2), 163–184.
Mwagwabi, F., McGill, T. J., & Dixon, M. (2018). Short-term and Long-term Effects of Fear Appeals in Improving Compliance with Password Guidelines. CAIS, 42, 7.
Ofcom. (2018). Children and parents: Media use and attitudes. Retrieved from https://www.ofcom.org.uk/__data/assets/pdf_file/0024/134907/Children-and-Parents-Media-Use-and-Attitudes-2018.pdf
Onwezen, M. C., Antonides, G., & Bartels, J. (2013). The Norm Activation Model: An exploration of the functions of anticipated pride and guilt in pro-environmental behaviour. Journal of Economic Psychology, 39, 141–153.
Posey, C., Roberts, T. L., & Lowry, P. B. (2015). The impact of organizational commitment on insiders’ motivation to protect organizational information assets. Journal of Management Information Systems, 32(4), 179–214.
Prentice-Dunn, S., & Rogers, R. (1986). Protection motivation theory and preventive health: Beyond the health belief model. Health Education Research, 1(3), 153–161.
Ringle, C., Wende, S., & Becker, J.-M. (2015). SmartPLS 3. SmartPLS GmbH, Boenningstedt. Journal of Service Science and Management, 10(3).
Rogers, R. (1975). A protection motivation theory of fear appeals and attitude change. Journal of Psychology, 91(1), 93–114.
Rogers, R. (1983). Cognitive and physiological processes in fear appeals and attitude change: A revised theory of protection motivation. In J. T. Cacioppo & R. E. Petty (Eds.), Social Psychophysiology (pp. 153–176). New York: Guilford Press.
Ryan, R. M., & Deci, E. L. (2000). Intrinsic and extrinsic motivations: Classic definitions and new directions. Contemporary educational psychology, 25(1), 54–67.
Schwartz, S. H. (1977). Normative influences on altruism. In Advances in experimental social psychology (Vol. 10, pp. 221–279). Academic Press.
Sheldon, K. M., Osin, E. N., Gordeeva, T. O., Suchkov, D. D., & Sychev, O. A. (2017). Evaluating the dimensionality of self-determination theory’s relative autonomy continuum. Personality and Social Psychology Bulletin, 43(9), 1215–1238.
Soh, P. C. H., Chew, K. W., Koay, K. Y., & Ang, P. H. (2018). Parents vs peers’ influence on teenagers’ Internet addiction and risky online activities. Telematics and Informatics, 35(1), 225–236.
Somerville, L. H., Jones, R. M., Ruberry, E. J., & Dyke, J. P. (2013). The Medial Prefrontal Cortex and the Emergence of Self-Conscious Emotion in Adolescence. Psychological science, 24(8), 1554–1562. doi:10.1177/0956797613475633
Steinberg, L. (2008). A Social Neuroscience Perspective on Adolescent Risk-Taking. Developmental review: DR, 28(1), 78–106. doi:10.1016/j.dr.2007.08.002
Tayouri, D. (2015). The human factor in the social media security—combining education and technology to reduce social engineering risks and damages. Procedia Manufacturing, 3(1), 1096–1100.
Thompson, N., McGill, T. J., & Wang, X. (2017). “Security begins at home”: Determinants of home computer and mobile device security behavior. Computers & Security, 70, 376–391.
Tsirtsis, A., Tsapatsoulis, N., Stamatelatos, M., Papadamou, K., & Sirivianos, M. (2016). Cyber security risks for minors: a taxonomy and a software architecture. Paper presented at the 2016 11th International Workshop on Semantic and Social Media Adaptation and Personalization (SMAP).
Weinstein, N. (1984). Why it won’t happen to me: Perceptions of risk factors and susceptibility. Health Psychology, 3(5), 431–457.
Youn, S. (2009). Determinants of online privacy concern and its influence on privacy protection behaviors among young adolescents. Journal of Consumer affairs, 43(3), 389–418.
Zhang, L., & McDowell, W. C. (2009). Am I really at risk? Determinants of online users' intentions to use strong passwords. Journal of Internet Commerce, 8(3), 180–197.
Zhao, X., Lynch Jr, J. G., & Chen, Q. (2010). Reconsidering Baron and Kenny: Myths and truths about mediation analysis. Journal of consumer research, 37(2), 197–206.
AJIS publishes open-access articles distributed under the terms of a Creative Commons Non-Commercial and Attribution License which permits non-commercial use, distribution, and reproduction in any medium, provided the original author and AJIS are credited. All other rights including granting permissions beyond those in the above license remain the property of the author(s).