10095_Impact of framing and priming on users’ behavior in cybersecurity

Scholars’ Mine
Scholars’ Mine
Masters Theses
Student Theses and Dissertations
Spring 2017
Impact of framing and priming on users’ behavior in cybersecurity
Impact of framing and priming on users’ behavior in cybersecurity
Kavya Sharma
Follow this and additional works at: https://scholarsmine.mst.edu/masters_theses
Part of the Technology and Innovation Commons
Department:
Department:
Recommended Citation
Recommended Citation
Sharma, Kavya, “Impact of framing and priming on users’ behavior in cybersecurity” (2017). Masters
Theses. 7660.
https://scholarsmine.mst.edu/masters_theses/7660
This thesis is brought to you by Scholars’ Mine, a service of the Missouri S&T Library and Learning Resources. This
work is protected by U. S. Copyright Law. Unauthorized use including reproduction for redistribution requires the
permission of the copyright holder. For more information, please contact scholarsmine@mst.edu.

IMPACT OF FRAMING AND PRIMING ON USERS’
BEHAVIOR IN CYBERSECURITY

by
KAVYA SHARMA
A THESIS

Presented to the Faculty of the Graduate School of the
MISSOURI UNIVERSITY OF SCIENCE AND TECHNOLOGY
In Partial Fulfillment of the Requirements for the Degree

MASTER OF SCIENCE IN INFORMATION SCIENCE & TECHNOLOGY
2017
Approved by

Dr. Fiona Fui-Hoon Nah
Dr. Keng Siau
Dr. Richard Hall

 2017
Kavya Sharma
All Rights Reserved

iii
ABSTRACT

This research examines the impact of framing and priming on users’ behavior
(i.e., action) in a cybersecurity setting. It also examines perceptual outcomes (i.e.,
confidence, perceived severity, perceived susceptibility, trust, and fear) associated with
the users’ cybersecurity action. The research draws on prospect theory in the behavioral
economics literature and instance-based learning theory in the education literature to
generate the hypotheses for the research. A between-subject experimental design
(N=129) was used. The results suggest that priming users to cybersecurity risks reduces
their risk-taking behavior associated with cybersecurity whereas negative framing of
messages associated with cybersecurity has no significant effect on users’ behavior. The
results also suggest that users who had taken a risk adverse cybersecurity action exhibited
greater confidence associated with their action, perceived greater severity associated with
cybersecurity risks, perceived lower susceptibility of their computer to cybersecurity
risks, and perceived lower trust in the download link they had encountered in the
experiment. This research suggests that priming is an effective way to reduce
cybersecurity risks faced by users.
Keywords: Cybersecurity, Framing, Priming, Users’ Behavior, Confidence,
Perceived Severity, Perceived Susceptibility, Trust, and Fear

iv
ACKNOWLEDGMENTS

I would like to express my gratitude to my advisor, Dr. Fiona Fui-Hoon Nah, for
the endless support, guidance, and encouragement. Her patience and knowledge has been
exceptional. She helped me from the start till the end of this research and provided me
with all the knowledge required to complete my research as well as assisted me with data
analysis. It has been a great learning experience under her supervision. Also, it has been a
gratifying experience to become one of her co-authors for a paper published in the
Lecture Notes in Computer Science.
I would like to express my gratitude to the rest of my thesis committee members,
Dr. Keng Siau and Dr. Richard Hall, for their support and feedback that assisted me to
further improve and enhance this research. I would like to thank Dr. Wei Jiang for his
help in having his students participate as pilot subjects for the study. I would also like to
thank Dr. Chevy Fang, Mr. Nick Oswald and Ms. Carla Bates for allowing me to recruit
subjects for the experiment in their classes.
I would like to thank my fellow research student, Samuel Smith, for providing his
insights on how to proceed with simulation of the system and helping me with conducting
the experimental study. I would also like to express my gratitude to all the Laboratory of
Information Technology and Evaluation (LITE) students for helping me in setting up the
lab sessions for conducting the experimental study.
Finally, I would like to thank my husband, my family and all my friends for
having faith in me and encouraging me throughout my master’s degree program.

v
TABLE OF CONTENTS

ABSTRACT
……………………………………………………………………………………………………….. iii
ACKNOWLEDGMENTS ……………………………………………………………………………………. iv
LIST OF ILLUSTRATIONS
………………………………………………………………………………. viii
LIST OF TABLES
………………………………………………………………………………………………. ix
SECTION
1. INTRODUCTION ……………………………………………………………………………………….1
2. LITERATURE REVIEW ……………………………………………………………………………..3
2.1. USERS’ BEHAVIOR IN CYBERSECURITY …………………………………………3
2.2. LITERATURE REVIEW ON MESSAGE FRAMING ……………………………..4
2.3. LITERATURE REVIEW ON PRIMING
…………………………………………………5
3. THEORETICAL FOUNDATION AND HYPOTHESES …………………………………8
3.1. PROSPECT THEORY…………………………………………………………………………..8
3.2. INSTANCE-BASED LEARNING THEORY
…………………………………………10
4. RESEARCH METHODOLOGY …………………………………………………………………12
4.1. EXPERIMENTAL DESIGN ………………………………………………………………..12
4.2. RESEARCH PROCEDURES
……………………………………………………………….12
4.3. MEASUREMENT ………………………………………………………………………………14
4.3.1. Confidence With Action ……………………………………………………………..14
4.3.2. Perceived Severity ……………………………………………………………………..15
4.3.3. Perceived Susceptibility
………………………………………………………………15
4.3.4. Trust
…………………………………………………………………………………………16
4.3.5. Fear ………………………………………………………………………………………….16

vi
4.3.6. Framing Manipulation Check ………………………………………………………17
4.3.7. Priming Manipulation Check
……………………………………………………….17
4.3.8. Subject Background Questionnaire ………………………………………………18
4.4. PILOT TESTS ……………………………………………………………………………………18
5. DATA ANALYSIS ……………………………………………………………………………………19
5.1. MANIPULATION CHECK ANALYSIS……………………………………………….21
5.2. MEASUREMENT VALIDATION ……………………………………………………….21
5.3. BINARY LOGISTIC REGRESSION ANALYSIS………………………………….24
5.3.1. Framing
…………………………………………………………………………………….25
5.3.2. Priming …………………………………………………………………………………….25
5.4. MULTIVARIATE ANALYSIS OF VARIANCE
……………………………………26
5.4.1. Confidence With Action ……………………………………………………………..28
5.4.2. Perceived Severity ……………………………………………………………………..29
5.4.3. Perceived Susceptibility
………………………………………………………………29
5.4.4. Trust
…………………………………………………………………………………………29
5.4.5. Fear ………………………………………………………………………………………….30
6. DISCUSSIONS………………………………………………………………………………………….31
7. LIMITATIONS AND FUTURE RESEARCH ………………………………………………32
8. CONCLUSIONS ……………………………………………………………………………………….33
APPENDICES
A. SCENARIO DETAILS
………………………………………………………………………………34
B. EXPERIMENTAL CONDITIONS FOR 3X2 FACTORIAL DESIGN
…………….36
C. SUBJECT BACKGROUND QUESTIONNAIRE …………………………………………43

vii
D. CYBERSECURITY AWARENESS QUESTIONNAIRE
………………………………45
E. SUMMARY OF LITERATURE REVIEW
…………………………………………………..47
BIBLIOGRAPHY
………………………………………………………………………………………………..52
VITA ………………………………………………………………………………………………………………….56

viii
LIST OF ILLUSTRATIONS

Figure 3.1. Research Model …………………………………………………………………………………..11

ix
LIST OF TABLES

Table 4.1. Measurement Scale for Confidence With Action ………………………………………14
Table 4.2. Measurement Scale for Perceived Severity ………………………………………………15
Table 4.3. Measurement Scale for Perceived Susceptibility
……………………………………….16
Table 4.4. Measurement Scale for Trust
………………………………………………………………….16
Table 4.5. Measurement Scale for Fear …………………………………………………………………..17
Table 4.6. Measurement Scale for Framing Manipulation Check ……………………………….17
Table 4.7. Measurement Scale for Priming Manipulation Check
………………………………..18
Table 5.1. Summary of Demographic Details of Subjects
………………………………………….20
Table 5.2. Results of Factor Analysis ……………………………………………………………………..22
Table 5.3. Results of Factor Analysis (without item THSV4)
…………………………………….23
Table 5.4. Results of Cronbach’s alpha coefficient …………………………………………………..24
Table 5.5. Results of Binary Logistic Regression……………………………………………………..25
Table 5.6. Multivariate ANOVA Results ………………………………………………………………..27
Table 5.7. Descriptive Statistics……………………………………………………………………………..28
Table 5.8. Results of t-test …………………………………………………………………………………….28
Table 5.9. Results of Hypothesis Testing ………………………………………………………………..30

1. INTRODUCTION

Information technology corporations are greatly reliant on the usage of
information systems for managing, communicating and storing data. In order to keep data
secured in computer systems, it is necessary to protect the privacy, reliability and asset
accessibility of these systems. However, there has been an increasing number of security
related issues due to the rise in organizational dependency on computer systems
(Kankanhalli, Teo, Tan, & Wei, 2003). In a CSI/FBI survey, majority of the respondents
indicated that their organization faced information systems related security issues
(Gordon, Loeb, Lucyshyn, & Richardson, 2006). Thus, it is crucial for organizations to
defend themselves from cybersecurity risks. USA Department of Homeland Security
refers to cybersecurity in “National Strategy to Secure Cyberspace” as sustaining the
effective working of the organization that maintains critical data (DHS, 2003).
According to a report by IBM, more than 95% of the security occurrences in IBM
were attributed to ‘human errors’ (IBM Corporation, 2014). An exceedingly propelled
security framework comprising of firewalls might not be efficient at ensuring an
organization’s cyberspace security due to unintentional users’ security behavior (Whitten
& Tygar, 1999). Users play a vital role in identification and prevention of cybersecurity
threats (Stanton, Mastrangelo, Stam, & Jolton, 2004). For instance, they must choose
whether to install anti-virus software on their computer to shield it from viruses,
download documents from anonymous sources, or provide personal credit card
information for online transactions. Such choices include actions that could bring about
different negative outcomes (e.g., loss of information, lower PC performance or damage

2
to a PC’s hard drive). Therefore, there has been a shift toward studying user behavior in
cybersecurity.
According to a cyber behavior decision model proposed by Aytes and Connolly
(2004), people settle on a decision to either take part in protected or perilous cyber
behavior. Aytes and Conolly’s (2004) decision model states that users’ cyber behavior is
driven by views of the value of protected and risky practices and the outcomes of each.
The model shows how the knowledge of prior cybersecurity related issues, one’s relevant
views on cybersecurity, and one’s hazard attitudes can impact cybersecurity decision-
making (Aytes & Connolly, 2004).
An imperative aspect of user behavior in cybersecurity is how users access and
retort to goal-framed security messages that are intended to convince users to either
impede or enhance their information security stance (Hong, 2012). The way in which the
data exhibited to a user is framed has intermittently been recognized as a prime factor
that affects user behavior. Users’ security behavior plays a significant role in attaining
cybersecurity (McNeese, et al., 2012).
In this research, a laboratory experiment was conducted to assess the impact of
message framing and priming on users’ behavior in cybersecurity. Specifically, we are
interested in studying whether negatively framed security messages and the presence of
priming lead users to take risk adverse actions.
This thesis is organized as follows. First, the literature review is presented which
is followed by the theoretical foundation and the hypotheses. Next, the research
methodology is described, after which the findings are presented and discussed. Finally,
the limitations and directions for future research are also highlighted.

3
2. LITERATURE REVIEW

USERS’ BEHAVIOR IN CYBERSECURITY
There exist various techniques for addressing cybersecurity, such as the technical
framework for implementing security procedures and additional socio-technical methods
of cybersecurity. In this literature review, we will focus on empirical studies that are
related to factors affecting user behavior in information systems security. Users are the
weakest target towards cybersecurity related threats (Siponen, 2000) and many
researchers have studied the reasons for users’ security responses and conduct (Lebek,
Uffen, Breitner, Neumann, & Hohler, 2013).
A study that uses Protection Motivation Theory (PMT) has indicated that self-
efficacy can predict secure behavior of customers (LaRose, Rifon, & Enbody, 2008).
Based on the survey study by Woon et al. (2005), the perceived outcomes that influence
end-users’ cybersecurity actions are perceived severity, response cost, perceived
susceptibility and self-efficacy (Woon, Tan, & Low, 2005). Pahnila et al. (2007) used
various other features such as rewards, habits, sanctions, and information quality in order
to study their effects on user behavior in cybersecurity (Pahnila, Siponen, & Mahmood,
2007).
The efficacy of coping response affects behavioral intents of the end-user in a
positive manner for implementing suggested compliance behavior (Maddux & Rogers,
1983). Researchers studied the effect of fear appeal on security behavior of users under a
high-risk environment for reducing the security threats using suggested instructions.
Although having a fear appeal helps in persuading the user security behavior to follow
the suggested instructions for risk mitigation, its effect is not consistent among all users.

4
Further, the effect of fear appeal on user security behavior depends on self-efficacy,
gravity of the risk, and social impact (Johnston & Warkentin, 2010).
Several studies in information systems security suggest that though the prior
knowledge of risks and suitable reactions is required to improve user security-related
behavior, it is not enough (Lee & Kozar, 2005; Stanton, Stam, Mastrangelo, & Jolton,
2005; Sasse, Brostoff, & Weirich, 2001). It is essential to find the drivers of user
behavior in cybersecurity in various situations and the ways to mitigate cybersecurity
risks taken by users. Organizational cybersecurity continues to be adversely influenced
by user security behavior. Hence, we have a long way to go in studying and analyzing the
user factors leading to unfavorable security behavior in cybersecurity.

LITERATURE REVIEW ON MESSAGE FRAMING
Various researchers have utilized prospect theory to evaluate the impact of
positively vs. negatively framed messages on users’ behavior (Aaker & Lee, 2001; Shiv,
Edell, & Payne, 2004). Prospect theory explains the procedure of decision-making that
comprises a framing and an assessment stage. Even though positively vs. negatively
framed messages may communicate the same information, the way a message is framed
can impact the decision making process and outcomes of an individual (Tversky &
Kahneman, 1986). Amidst the assessment stage, users assess choices by partly taking into
account their individual values and outcomes in terms of whether a choice is seen to be
an advantage or a disadvantage. The concept of loss aversion in prospect theory
illustrates that users are more likely to react more to losses as compared to gains.
Messages that accentuate the adverse results of an option are seen as possible damages to

5
which users are likely to maintain a greater distance as compared to the messages that
underline the constructive results (Tversky & Kahneman, 1984).
Message framing includes underlining either the constructive facets of choosing
an option, or the adverse facets of not choosing the option (Aaker & Lee, 2001).
Protection Motivation Theory (PMT) has, to a great extent, been connected to health and
natural settings to figure out which promotional messages adequately spur a man to make
a move when confronted with a risk (for instance anti-smoking messages in the wellbeing
context (Pechmann, Zhao, Goldberg, & Reibling, 2003) and water preservation messages
in the eco-friendly context (Obermiller, 1995)).
The impact of message framing has been researched from both the financial and
socio psychological standpoints in a diversity of decision-making perspectives, such as
funds and societal predicaments (Brewer & Kramer, 1986). Researchers have studied the
impact of message framing on various reliant variables covering intents (Block & Keller,
1995), idealness of messages, perceived prominence (Aaker & Lee, 2001) and threat
awareness (Lee & Aaker, 2004). Users’ behavioral intentions in cybersecurity can be
further swayed by the usage of suitable messaging (LaRose, Rifon, & Enbody, 2008).

LITERATURE REVIEW ON PRIMING
If security threats are known to the individual in advance, then prior beliefs are
formed by the individual regarding the severity of the security threats (Johnston &
Warkentin, 2010; Workman, Bommer, & Straub, 2008; LaRose, Rifon, & Enbody, 2008).
At the point when individuals get away from an approaching catastrophe by coincidence,
they have encountered a “near miss.” A near miss is an event where a risky or lethal
effect could have happened, but it didn’t happen (Dillon & Tinsley, 2008). According to

6
Tinsley et al. (2012), near miss is of two types, resilient near miss (that did not happen)
and vulnerable near miss (debacle that almost occurred).
According to the disaster literature, user behavior is influenced by near miss or hit
events. When individuals assess the danger of some unsafe occasions to be low, they are
probably not going to take part in mitigation events. Moreover, any potential harm from
previous debacles has been reported to considerably impact user perceptions of future
hazards and to persuade more defensive conduct (Dillon, Tinsley, & Cronin, 2011).
Having information of an experience of a hit encounter, including harmful effects in the
past, would upsurge feelings of helplessness, and would lead the individuals to opt for a
safer option.
When encountering an imminent risk, individuals ought to evaluate the risk,
which is in fact an element of the likelihood of the incident happening and the damage
that results from the incident if that happens (Kaplan & Garrick, 1981). Such evaluations
utilize the current data, but individuals also incorporate any prior knowledge or
information about the incident into their assessment of the hazard (Fishbein & Ajzen,
2010). This concept is explained in the subjective expected utility (SEU) model. Despite
the fact that the SEU model gives a solid foundation for portraying how individuals
choose to react to hazards, previous research has demonstrated that the model
components can differ on the basis of the attributes of the condition (i.e., the same
individual can opt for the safer option in one situation or can choose the risky option in
another situation) (Fox & Tversky, 1995).
According to Krizan and Windschitl (2007), during a risky event, individuals
must evaluate the data in light of what they know about that risky event based on their

7
prior knowledge. The sequence of proceedings while evaluating a situation is as follows:
after experiencing a threat, individuals recall related information from memory about that
threat; a precise assessment of the danger of the threat is made by utilizing the SEU
model; and after assessing the threat, individuals unequivocally pick what conduct to take
(Kahneman & Miller, 1986).

8
3. THEORETICAL FOUNDATION AND HYPOTHESES
The goal of this research is to study the impact of framing and priming on users’
behavior in cybersecurity. To generate the hypotheses for this research, prospect theory,
instance-based learning theory, and reinforcement theory are used to explain framing and
priming in cybersecurity context. The research model is presented in Figure 3.1.

3.1. PROSPECT THEORY
Prospect theory explains one’s choices under states of threat (Tversky &
Kahneman, 1986). Choices depend on acumen, and acumen relates to evaluation about
the exterior conditions of the world. Choices are made specifically tough under states of
instability, where it is hard to anticipate the results with certainty or precision. Making
choices can be hard when decisions endorse conflicting standards and objectives. The
fundamental way to comprehend any rational decision-making condition is to consider
the kind of data or information that the user possesses or has access to in order to form
the basis of the decision. In the cybersecurity context, both the data and the manner in
which the data is framed may influence their judgments and decisions (Tversky &
Kahneman, 1984). The process of decision-making by utilizing quantified risks as a
metric can be divided into two steps (McDermott, 1991). First, the security risk is
assessed by evaluating system susceptibilities and available hazards. Second, the way in
which information is presented or framed can influence decision-making (McDermott,
1991).
Prospect theory addresses how decisions are confined and assessed. The key
concepts of prospect theory are split into two phases. First, users make decisions by

9
assessing the risks based on the reference points rather than on final consequences. The
impact of this subjective assessment is known as framing, which is the way a prospect is
subjectively estimated as either a loss or a gain. This phase involves the organization and
reformulation of all the possible options in order to simplify the resulting evaluation and
decision (Tversky & Kahneman, 1984). After framing all the possible alternatives, the
user assesses each of the alternatives that are perceived as either gains or losses and
selects the one with the highest value. Second, judgments are loss-aversive, which means
that damages are perceived comparatively stronger than gains (Verendel, 2009).
Framing effect in the prospect theory describes that individuals respond to a
specific decision differently by relying upon how it is displayed such as a positive or a
negative message (Plous, 1993). Individuals have a tendency to keep away from threats
when a positive message is displayed and identify threats when a negative message is
displayed (Tversky & Kahneman, 1984). Prospect theory indicates that a damage is
perceived to be more substantial than a benefit of the same quantity, i.e., a definite
benefit is preferred to a potential benefit and a potential damage is favored over a sure
damage (Tversky & Kahneman, 1986). Loss aversion in prospect theory explains that
users are more likely to react to losses as compared to gains. Coping evaluation indicates
the users’ ability to manage and handle any security threat. Efficacy is the users’
anticipation that threats can be subdued by following recommendations. Risk appraisal
evaluates the vulnerability of the threat and analyzes how critical the threat is (Rogers,
1975). Messages that highlight the adverse consequences of an option are seen as
possible damages to which users are likely to react more as compared to the messages

10
that underlines the profitable results (Tversky & Kahneman, 1984). Based on the prospect
theory, we propose that:
H1: Negatively framed security messages will lead users to take a more risk
adverse cybersecurity action as compared to positively framed security messages and no
security messages.

3.2. INSTANCE-BASED LEARNING THEORY
IBLT (Instance-Based Learning Theory) is a theory of decision making from
instance-based knowledge. The IBLT model illustrates how individuals make choices or
decisions based on their knowledge of similar instances. IBLT suggests that in dynamic
decision-making circumstances, individuals learn by accumulation, identification, and
refinement of occurrences. “IBLT proposes that every decision situation is represented as
an instance that is stored in the memory. Each instance in the memory is composed of
three parts: situation (S) (the knowledge of attributes that describe an event), a Decision
(D) (the action taken in a situation) and utility (U) (a measure of the expected result of a
decision that is to be made for an event)” (Kanaparthi, Reddy, & Dutt, 2013, p. 331).
According to the IBLT model, two cognitive factors that impact users’ discovery
of cyber threats are recency and inertia; recency is how user choices rely on similar
encounters, and inertia is how users’ present verdicts repeat the last made choices. The
IBLT’s procedure begins with the acknowledgment stage in scanning for choices to
characterize a series of incidents as a cyber threat. Amid acknowledgment, an experience
or knowledge with the most astounding activation and nearest resemblance with the
system incident is recovered from memory and is utilized to make this characterization.
Next, in the judgment stage, the recovered knowledge or information is utilized to assess

11
whether the present incident that is being assessed is seen as a risk or not. A decision is
made among the choices based upon inertia or the recency procedure recommended by
the model (Gonzalez & Dutt, 2011).
When users are primed with a cybersecurity instance containing information
about the outcome of a decision related to that particular situation, the instance gets
stored in the users’ memory. While experiencing a similar situation, the recognition
process takes place and the stored cybersecurity instance gets retrieved from the memory
and users make their decision based on the best course of action. Based on the IBLT, we
hypothesize that:
H2: Priming users on cybersecurity risks reduces their risk-taking behavior
associated with their cybersecurity action.

H1

H2

Figure 3.1 Research Model

Framing
User Behavior
Priming

12
4. RESEARCH METHODOLOGY
4.1. EXPERIMENTAL DESIGN

We conducted an experimental study and a questionnaire survey study for
evaluating the hypotheses, H1 and H2. We recruited undergraduate and graduate subjects
from Missouri University of Science & Technology to participate in the experimental and
questionnaire survey study. The sample subject size of the experiment was 129. The
subjects were provided with a cybersecurity online scenario in order to evaluate their
behavior. A between-subject 3 × 2 factorial design was used for evaluating hypotheses
H1 and H2. The experimental study had 3 levels for framing (i.e., positive framing,
negative framing, and no framing) and 2 levels for priming (i.e., with and without
priming). No framing and no priming served as the control conditions.

4.2. RESEARCH PROCEDURES

This research study was conducted in Missouri S & T computer labs. The research
procedures are as follows: The cybersecurity scenario involved security threats related to
downloading of a media player from a site for online training purposes (Appendix A).
The experiment is a 3×2 factorial design with priming and framing as the two
independent variables. Appendix B provides the screenshots of all the six experimental
conditions. Subjects were randomly assigned to one of the six conditions, and their
operationalizations are explained next.
The positively framed security messages emphasizes the advantages of executing
security safeguards, for example, dependability, consistency and mental peace for both
people and associations. The negatively framed security messages emphasizes the results

13
of not taking security safety measures, accordingly focusing on the seriousness and
likelihood of dangers. Priming was operationalized by providing a user story about a
similar security scenario containing the consequences of a known cybersecurity threat.
The subjects were asked to opt for either a safe (not to download) option or a
risky (to download) option, which was used to evaluate the users’ behavior in dealing
with cybersecurity incidents. After completing the cybersecurity online scenario posted to
them where subjects made a decision to download or not to download the media player,
subjects completed a questionnaire survey based on the 7-point Likert scale (1 = strongly
disagree to 7 = strongly agree). In summary, each subject was provided with positively
framed security messages or negatively framed security messages or no security message
as well as with or without a user story depicting a prior cybersecurity related incident.
The scenarios presented to the subjects were completely simulated by a software
application, and hence, there was no real risk involved in the study. The survey
comprised of questions that helped in measuring perceptual outcomes associated with the
users’ action (i.e., confidence with action, perceived severity, perceived susceptibility,
trust, and fear). We also performed a secondary analysis for assessing the effect of action
on perceptual outcomes.
Subjects were provided with a consent form prior to the beginning of the study.
The consent form clearly indicated that their participation in the research study is
voluntary. It also stated that they might choose not to participate and to withdraw their
consent to participate at any time. The consent form indicated that they will not be
penalized in any way should they decide not to participate or to withdraw from the study.

14
Subjects’ decisions to download or not to download the media player were captured in
order to evaluate the decision or action taken towards the security incident.

4.3. MEASUREMENT

The post-study questionnaire was used to assess the perceptual outcomes
associated with user actions, i.e., confidence with action, perceived severity, perceived
susceptibility, trust, and fear. It was also used to assess framing and priming manipulation
checks, cybersecurity awareness, and background and demographic information of the
subjects.
4.3.1. Confidence With Action. The confidence with action scale was used to
assess the confidence associated with the subjects’ action in downloading the software
(see Table 4.1 for the items). The measurement items for confidence with action were
developed by the researcher. The 7-point Likert scale (strongly disagree = 1 to strongly
agree = 7) was used.

Table 4.1. Measurement Scale for Confidence With Action

Measurement Items

Confidence
With Action
(CONF1) I am confident about the action I took.
(CONF2) I would choose the same action again.
(CONF3) I believe I had taken the right action.
(CONF4) I am confident about my action.

15
4.3.2. Perceived Severity. The perceived severity scale was used to assess the
severity perceived by the subjects in downloading the software (see Table 4.2 for the
items). The measurement items for perceived severity were adopted from Johnston and
Warkentin (2010). The 7-point Likert scale (strongly disagree = 1 to strongly agree = 7)
was used.

Table 4.2. Measurement Scale for Perceived Severity

4.3.3. Perceived Susceptibility. The perceived susceptibility scale was used to
assess the susceptibility of the subjects’ action in downloading the software (see Table
4.3 for the items). The measurement items for perceived susceptibility were adopted from
Johnston and Warkentin (2010). The 7-point Likert scale (strongly disagree = 1 to
strongly agree = 7) was used.

Measurement Items

Perceived
Severity
(THSV1) If malware would infect my computer, it would
be severe.
(THSV2) If malware would infect my computer, it would
be serious.
(THSV3) If malware would infect my computer, it would be
significant.
(THSV4) Having my identity stolen is a serious
problem for me.