Predictors of the intention in taking security measures against malware and scams

The Internet made possible online transactions and other interactions. Unfortunately, its importance also fosters a growing wave of cybercrime that impacts citizens, businesses and governments.

Humans are often considered the weakest link. Indeed, if individuals do not use security measures properly or are negligent in using basic security strategies then cybersecurity measures become useless. Rather than blaming individuals, we should focus on their motivation to protect themselves.

Using the protection motivation theory (PMT), Marjin Marten and his colleagues from Ghent University, Belgium, investigate and discuss the variables that influence the intention to take security measures. They analyzed and compared what they called “technical” cybercrimes (malware) and “social” cybercrimes (scams). As scams rely on human error, they can be perceived as a “social” cybercrime. Malware needs more technical knowledge to deploy and delete, they can be perceived as a more “technical” cybercrime.

The PMT offered a framework to explain people’s behaviour to protect oneself against risks in a healthcare context. Recently, the PMT has been used to gain better insight into the intention to perform protective behavior in the context of cybercrime. It has been argued that the PMT helps to develop communication strategies to motivate people to take protective measures against the risks of cybercrime.

PMT can be divided into three consecutive processes:

1) The processing of sources of information such as environmental information (verbal persuasion and observational learning) and intrapersonal information (personality and prior experience);

(2) the cognitive mediating process (threat appraisal which is the cognitive process by which an individual evaluates a certain threat and the risk it entails) and coping appraisal which is the cognitive process in which an individual evaluates the various protection methods, and;

(3) the intention to implement certain protection methods.

The results of this study suggest that the perception of the opinion of people around someone (subjective norm) is a stronger predictor for the intention toward protective behaviour than attitudes. Furthermore, the results indicated that the attitude toward protective behaviour is constructed differently for malware than for scams with the differences mainly situated in the transition of sources of information to the cognitive mediating process.

The results also showed that the more someone is aware of malware, the more he or she perceives malware as severe. This could be explained due to the technical complexity of protection methods against malware, which needs more specialized knowledge to grasp. The authors argued that people who know malware and possess technical knowledge can more accurately estimate the severity of malware. On the contrary, the more someone is aware of scams, the less he or she feels vulnerable. A possible explanation could be that when people are aware of obvious scams, they could feel like experts and subsequently overestimate their skills and underestimate the likelihood of becoming victimized.

By comparing the PMT model for scams with the PMT model for malware, the study suggests that a differentiated approach is needed in prevention and awareness campaigns. It would be essential to target a specific cybercrime and focus on the predictors that are relevant in encouraging protective behaviour for that particular cybercrime.


Cite: Martens, M., De Wolf, R. and De Marez, L. (2019). Investigating and comparing the predictors of the intention towards taking security measures against malware, scams and cybercrime in general. Computer in Human Behavior, 92, 139-150.