
PC VIRUS ATTACKS IN SMALL FIRMS: EFFECTS OF RISK PERCEPTIONS AND INFORMATION TECHNOLOGY COMPETENCE ON PREVENTIVE BEHAVIORS

MARCO G. MARIANI SALVATORE ZAPPALÀ

UNIVERSITY OF BOLOGNA

While Information Technology (IT) is undeniably useful in improving organizational efficiency, it is also vulnerable: a virus attack can interrupt the work of many employees. Human behaviors, practices and errors are possible causes of a computer virus attack and the consequent infections. Even if preventive behavior is studied in health psychology and other fields, the prevention of personal computer (PC) virus attacks is a fairly new area of research. In this study it is hypothesized that both risk perception of actions that might cause a virus attack and IT self-rated competencies influence the implementation of behaviors aiming to prevent virus attacks. It is also hypothesized that risk perception is related to IT competencies. Employees (N = 134) working in four organizations participated in the study by completing a questionnaire. Structural equation modeling was used to test the model. Results show that risk perception does not have a significant effect on preventive behaviors; in contrast, IT competencies influence the actual preventive behaviors and are related to the perception of risk of virus attacks.

Key words: PC virus attacks; Risk perception; Information security; Preventive behavior.

Correspondence concerning this article should be addressed to Marco G. Mariani, Dipartimento di Psicologia, Università di Bologna, Piazza Aldo Moro 90, 47521 Cesena (FC), Italy. Email: [email protected]

TPM Vol. 21, No. 1, March 2014 – 51-65 – doi:10.4473/TPM21.1.4 – © 2014 Cises

“... An infected USB stick was plugged into a PC and the virus quickly infected large swathes of the Company network. The network had to be shut down, infected PCs were rebuilt, and 200 devices had to be replaced. Some services took weeks to re-instate, leaving the Company with a bill of €591,000 ...” (Mary, 2009). Direct evidence of this type can be found on many online forums. In fact, organizational processes are now so dependent on Information Technology (IT) and the organizational intranet that a virus that produces a crash in many computers may have devastating consequences. This is particularly the case in small firms that often do not have guidelines on what to do in case of a virus attack. Network Associates has indeed observed that small European firms are particularly vulnerable to viruses, spam and hackers. A virus attack can knock out the computers of a company for days and costs, on average, €5,000 to clean them up. Specialists have estimated that computer crimes cost small European firms about €22 billion a year in cleaning up and recovery (Kramarenko, 2004).

A security survey (Coles, 2002), based on a sample of 641 organizations, showed that 61% of companies had suffered one or more virus incidents in the previous year, sustaining an average cost of $162,000 (€117,000). The “10th Computer Virus Prevalence Survey,” conducted by ICSA Labs (2005) in public organizations with more than 500 PCs, showed that in 2004, virus encounters increased by nearly 50% in comparison to 2003, with a rate of 400 encounters per 1,000 machines per month. The number of virus disasters was up 12% from the previous year. The same survey also reported that almost all examined organizations used firewalls and anti-virus software and 80% of them used anti-spyware tools. More recently, the “13th Computer Crime & Security Survey,” conducted by the Computer Security Institute (2008) in US organizations,¹ showed that virus incidents were more frequent than expected and were reported by 49% of the respondent organizations. A survey conducted by the Computer Security Institute in 2010² substantially confirmed this data, showing that 46 percent of respondents had suffered at least one crime attack in the previous year.

These incidents are very expensive for organizations because they waste valuable work time and are responsible for the loss of important data. Nevertheless, a recent Eurostat survey (Giannakouris & Smihily, 2010) reported that only 22% of small European enterprises had a formally defined ICT security policy.

Previous studies (e.g., Bissett & Shipton, 2000) showed that human behaviors, practices and errors are involved in computer infection. These results suggest that three important issues are to be considered when discussing virus attacks in small firms: the first one concerns employees’ beliefs about probabilities and consequences of a virus attack and, more precisely, the risk perception of the losses that could occur in these negative events. The second issue is related to employees’ ability to cope with the virus attack, and more precisely to their self-perception of being competent with Information Technology. The third issue concerns the daily behavior of employees in relation to the use of the IT, and what may prevent or facilitate the virus attack. Thus, taking these ideas into account, the present study aims to answer the following research questions:

1. Are virus attacks perceived as a risky event?
2. What are the actions with the highest perceived risks of causing a virus attack?
3. Are computer preventive behaviors influenced by employees’ perceived self-competence in computer usage and employees’ risk perception of the actions that can cause a virus attack?

In the following sections we describe some psychological aspects related to PC virus attacks in organizations, namely risk perception, preventive behavior and IT self-rated competencies. Then we report the empirical results of this study by focusing on the role that the above-mentioned variables have on the prevention of PC virus attacks.

CONCEPTUAL BACKGROUND

Technological Risk Perception

Two perspectives are commonly used to evaluate risks: an “objective” one, based on statistical estimates, and a “subjective” one, based on judgments resulting from previous personal experience or individual reasoning. Subjective risk perception is defined as a function of the probability that an undesired event may occur and the extent of the negative consequences associated with the undesired event (Sjöberg, 1999).

Many aspects of technological risk perception have been examined in the last 30 years. Starr (1969), one of the first researchers in the field, carried out a historical analysis to comprehend the acceptance level of different technological risks. He concluded that the voluntary acceptance of the risk was one of the main factors in the acceptance of technological risks.


Some years later, Fischhoff, Slovic, Lichtenstein, Read, and Combs (1978) developed a model to measure individual perception of risk and the aspects associated with specific risk situations (i.e., controllable versus uncontrollable, immediate versus delayed). Slovic (1987) used factorial analysis and defined risks as characterized by two main dimensions: new versus old risks and dreaded versus not dreaded risks. This is also called the “psychometric paradigm,” named after the psychometric methods used to evaluate risk perception.

In the early 1980s, Douglas and Wildavsky (1982) developed the cultural theory. Individuals are classified on the basis of their most important values and the authors claimed that such values predicted personal disposition in the assessment of technological risks. The crossing of two criteria, group (the level of solidarity among members of the society) and grid (the level of externally-imposed and formalized regulation of the actions of individuals) defined the four values which drive risk perception: egalitarian, individualistic, hierarchical, and fatalistic values. For example, egalitarians advocate the precautionary principle and cling to traditional ways of life that are proven to be sustainable, rather than risking trying new technologies. However, other scholars have disagreed with the risk perception hypothesis of the cultural theory (Sjöberg, 1998).

Other investigated dimensions of risk are: the consequences of perceived risk (Sjöberg, 1999), the demands for risk mitigation (Sjöberg, 1999), the importance of the media and the social amplification of risk (Slovic, 1993) and the personal level of hazard (Löfstedt & Frewer, 1998). More recently, the perception of risks involved in the use of IT and, in particular, Internet applications, began to be investigated and continues to date. Sjöberg and Fromm (2001) studied the risks related to IT in a representative sample of the Swedish population. Results showed that “getting viruses” and “criminal activities facilitated by the Internet” were among the highest IT-related risks. Kuttschreuter and Gutteling (2004) observed that perception of risk changed when the feared event was approaching. The millennium bug, also known as the Y2K problem, was used to examine changes in risk perception: such perception decreased when information on the Y2K problem became more available. Instead, Coles and Hodgkinson (2008) investigated the causes of being infected by viruses. They observed that personal and/or organizational negligence (e.g., inadvertent disclosure of personal data, poor software, data entry error) were among the most cited causes.

IT Self-Competence

Self-competence is defined as the evaluation of one’s ability to successfully bring about desired outcomes (Bosson & Swann, 1999). Self-competence is considered as a psychological component of competence (Ford, 1985) and is also related to expectancies of one’s own performance: individuals who perceive themselves as competent expect to reach a high level of performance.

Tafarodi and Swann (1995) considered self-competence and self-liking (one’s feelings of being loved, likable, and socially worthy) as two components of self-esteem (Mannarini, 2010). Self-competence is a sense of one’s capability and derives from the multiple experiences of successful intentional goal pursuit (Tafarodi & Swann, 2001). Self-competence is also related to specific situations or specific tasks or settings. The sense of self-competence may thus change in accordance with the effects of the task (i.e., a well performed task may increase self-competence), hence it is influenced by past performances, but may also be modified by actual experiences and future expectancies.


Mar, DeYoung, Higgins, and Peterson (2006) found that self-competence was positively correlated with some personality traits (extroversion, emotional stability and conscientiousness), ability (IQ) and academic achievement (grade point average). They concluded that the association with these traits was consistent with the conceptualization of self-competence as a self-evaluation based on successful goals pursuit. As personal computers, or the Internet, are often used to pursue an activity and reach a goal, previous studies showed that competencies and self-competence are also related to the use of computers and the Internet (Sabella, Poynton, & Isaacs, 2010). Recent research (Mariani, Curcuruto, & Gaetani, 2013) found that IT self-competence has a direct influence on PC self-efficacy, and an indirect one through the mediation of the intention to use IT devices.

Preventive Behavior

Behaviors aimed at preventing some type of negative consequence, by anticipating negative events and protecting oneself, have been extensively studied in many fields, such as health and safety psychology. Nonetheless, behaviors aiming to prevent PC virus attacks are a fairly new area of research and to date few studies have been conducted on this issue. Below we describe the three theoretical models most used to explain preventive health behavior.

The Precaution Adoption Process Model, proposed by Weinstein (1988) in the health field, describes the sequence of beliefs that individuals have to develop to enact the preventive behavior that reduces the threat of negative consequences for one’s health. In the first step, individuals have to realize that a specific risk exists; in the second one, they have to realize that the risk is significant and can affect them and/or other people; in the third, they have to realize that they are vulnerable to the risk. If these necessary steps are met, then behaviors or behavioral changes will depend on the perceived severity of the consequences for one’s health. Efficacy and costs of the preventive behaviors are also considered by individuals.

A second widely used approach is the Health Belief Model (Van der Pligt, 1996). The model, primarily concerned with decisions about the utility of specific actions, distinguishes four factors that are assumed to determine the adoption of preventive actions. Preventive actions are more likely to take place when the perceived severity of damage, susceptibility, and perceived benefits are high, while the costs of behavioral changes are low. The Health Belief Model assumes that individuals will adopt a health-related behavior if they realize that a negative health condition can be avoided, if they expect that a recommended action will avoid a negative health condition and believe that they can successfully implement the recommended health action.

The third approach, also developed in health psychology, is the Information/Motivation/Behavioral Skills (IMB) model of AIDS preventive behavior (Fisher & Fisher, 2000). The IMB model suggests that preventive behavior requires acknowledging the healthy/unhealthy implications of behavior, enhancing motivation for behavior change, and possessing the requisite skills needed to enact behavioral changes. A recent study tested the IMB model in South Africa and the USA, and showed that IMB constructs are correlated to risk perception and risk reduction behavior (Kalichman et al., 2006).

In another empirical study, Guàrdia-Olmos and colleagues (2010) observed that implementing responsible preventive behaviors is easier for individuals with a specific set of psychological characteristics. These psychological characteristics, or the psychological profile, consist of higher emotional stability, confidence/self-assurance, cognitive control, social adjustment, tolerance, social intelligence and social desirability. In contrast, individuals with the non-preventive profile showed higher mean scores in anxiety. These results suggest that psychological characteristics influence preventive behaviors and also that these characteristics tend to group together, forming a complex psychological profile.

AIMS AND HYPOTHESES

On the basis of the previously reviewed literature, the aims of the present study are: to describe employees’ risk perception of actions that can cause an IT virus attack, and the perceived severity of the consequences of the attacks; to observe behaviors implemented by workers to prevent virus attacks; to test a model in which preventive virus attack behavior is predicted by risk perception and IT self-rated competencies.

Perception of risk plays an important role in adapting to the environment and in avoiding or changing dangerous or potentially dangerous situations. In line with what Weinstein (1988) found, it is argued that individuals who adopt preventive actions against PC virus attacks have perceived such attacks as risky ones. Perception of risks in PC use should stimulate employees to behave in a way that may anticipate the negative event and defend the system from virus attacks.

H1. Risk perception of actions that can cause a virus attack influences virus attack preventive behaviors.

Moreover, only individuals with the necessary resources, such as the competencies on how to use a PC or antivirus software, can adopt preventive actions against PC virus attacks. Skills and knowledge on the use of technology and on how to counter a technological threat are requisite resources for preventive behaviors against PC virus attacks.

H2. IT self-competencies influence virus attack preventive behaviors.

Finally, other studies showed that individuals who believe themselves to be less able and less competent when facing unknown or uncertain situations tend to perceive those situations as more risky in comparison to people with a higher level of those beliefs (Bandura, 1997). So we expect a negative correlation between self-competencies on managing PC virus attacks and risk perception of actions that can cause a virus attack.

H3. Perception of risk is negatively correlated with IT self-competencies.

Previous studies, following the reflective model (Coltman, Devinney, Midgley, & Venaik, 2008), considered risk perception (i.e., Rodgers, 1999), self-competence (i.e., Tafarodi & Swann, 1995) and preventive behaviors (i.e., Guàrdia-Olmos et al., 2010) as underlying latent constructs; this study adopts a reflective model approach.

RESEARCH METHODOLOGY

Participants

One hundred thirty-four employees were involved in this study: they were salespersons, administrative officials and technical employees, working in four small firms in different sectors (manufacturing, construction, retail trade, and welfare-related activities). Of the respondents, 62% were male, 53% completed secondary education, and mean age was 36.7 years (SD = 10.6; range 20-59). All participants had been using PCs in the workplace for an average of 7.5 years, and used PCs for about 5.6 hours each day (SD = 2.2; range 1-10). The most frequently used software applications were e-mail and word processors. Knowledge of the definition of a PC virus was very high (91% of the respondents selected the correct virus definition among four items), and such information derived mostly from social sources (47% had information about PC viruses from work colleagues and 43% from friends). Almost half of the participants had previous experience of a virus attack: 41% had had a virus infection in the previous two years, and 13% of them had suffered some damage. The four firms employing the participants did not provide employees with any guidelines on how to prevent or manage a PC virus attack. A structured anonymous questionnaire was used to collect data. Participants completed the questionnaire individually in the workplace; all questionnaires were filled in and collected in one week to control external events that may affect participant responses.

Measures

The questionnaire included three scales (the number of items, range, mean, standard deviation and Cronbach’s alpha for each scale are reported in Table 1). The first scale, risk perception, concerns the risks of activities that might result in a virus attack. Because a scale was not available in literature, we decided to construct it. Firstly, after examining the literature (i.e., ICSA, 2005), a list of nine PC virus hazards (items) was created. Content validity of the items was analyzed by three experts who excluded one item. A 5-point response format (decidedly low to decidedly high) was used in the questionnaire. The unidimensionality of the scale was checked by using principal components analysis; the three items with the highest loadings were selected for further analyses. Items, introduced by the sentence “Considering the likelihood and severity of the consequences of a virus attack,” were: “How risky is receiving an e-mail?” “How risky is downloading software from the Internet?” and “How risky is copying files from a pen drive?”

TABLE 1
Scales included in the questionnaire

| Scales | Items | Scale range | M | SD | Alpha |
|---|---|---|---|---|---|
| Risk perception (e.g., How risky is receiving an e-mail?) | 3 | 1-5 | 3.73 | 1.15 | .71 |
| Self-competence (e.g., What is your level of competence when using a computer?) | 3 | 1-5 | 2.98 | 0.92 | .86 |
| Preventive behaviors (e.g., How often do you check that your antivirus is active?) | 4 | 1-5 | 3.42 | 1.08 | .62 |

The second scale concerns IT self-competence. The same procedure and the same three experts were used to check unidimensionality of this scale. The scale consists of three questions (“What is your level of competence when using a computer?” “What is your level of competence when using the Internet?” and “What is your level of competence when defending a computer from a virus attack?”). A 5-point (very low to very high) response format was used.

The third scale measures preventive behaviors. The content validity was analyzed by the three judges who accepted four items (“How often do you check antivirus updates?” “How often do you back-up your data to prevent damage from possible virus attacks?” “How often do you check that your antivirus is active?” and “How often do you open e-mails from unknown people?”). A 5-point scale was used anchored by never and always. Scales and item intercorrelations are reported in the Appendix.

Finally, the questionnaire included two open questions (the number of weekly hours of computer use; the number of virus attacks and losses, caused by virus attacks on individual work, in the last 24 months) and four multiple choice questions (definition of PC virus; sources of knowledge about PC viruses; perception of consequences and severities resulting from a virus infection of PCs; actions taken by participants to manage and solve a PC virus attack).

Data Analyses

Statistical analyses followed these steps: 1) calculation of the descriptive statistics of the variables, 2) the normality test of the variables used in the model and examination of the common method effect, 3) the use of a structural equation model to test the theoretical model, 4) the moderation analysis based on the third-phase results. The descriptive statistics are reported in Table 1. The structural equation model consisted of two sub-models: the first specified how the observed variables were related to the latent variables (measurement model). This sub-model included three distinct measures: one on risk perception, one on IT self-competence, and the last one on IT preventive behavior. The second sub-model specified how the latent variables were related to each other (the structural model). Obviously the test of the general model included a test of the divergent and convergent validity of the scales.

As mentioned above, a reflective model was used in this research because we chose to adopt a psychological approach. Also, we considered the latent constructs as existing regardless of the measures used, and as causing variance in their reflective indicators (Cenfetelli & Bassellier, 2009).

Before analyzing the hypothesized model, normality assumptions were tested in the second step of the statistical analysis process: multivariate normality was not supported (Mardia’s Skewness p-value = .000; Mardia’s Kurtosis p-value = .000). The study used a one-wave self-report design; thus we examined if common method variance could bias our analyses. Harman’s single-factor test (Podsakoff, MacKenzie, Lee, & Podsakoff, 2003) by confirmatory factor analysis (CFA) was performed to test the hypothesis that a single factor can account for all of the variance in our data.

Given that the normality of variables was not supported, we used the Maximum Likelihood Method (ML) of MPLUS 5.0 to test the hypotheses, in the third step of statistical analysis. The ML estimates a mean-adjusted chi-square test that is robust to non-normality. The ML chi-square test is also referred to as the Satorra-Bentler chi-square (Muthén & Muthén, 2007). Moreover, as indicated by the literature (Hu & Bentler, 1999), the following threshold values were adopted for the indices used to define the goodness of fit of the models: CFI ≥ .95, RMSEA ≤ .06, SRMR ≤ .08. To measure reliability, we used the H index proposed by Hancock and Mueller (2001) because, as pointed out by the authors, this index is particularly appropriate when structural equation models are used. The H index³ is based on the factor loadings that emerge from confirmatory factor analysis. It has variability from 0 to 1 and can be evaluated like other reliability indices such as alpha. Cronbach’s alphas (Table 1) are reported to make comparisons with other studies.

RESULTS

Table 2 shows that the two actions with the highest perceived risk of causing a virus attack were: “Downloading software from the Internet” and “Receiving an e-mail.” The lowest risk actions were “Using search engine” and “Online shopping.” In between there were all the other actions which can potentially cause a virus infection. This result is similar to what was observed in ICSA research (2005): in that case too, the two actions implying the most frequent risk for workplace computers were “Receiving e-mails” and “Internet downloads”.

TABLE 2
Risk perception of actions that can cause a virus attack (N = 134)

| | M | SD |
|---|---|---|
| A = Downloading software from the Internet | 3.96 | 1.05 |
| B = Receiving an e-mail | 3.88 | 1.12 |
| C = Downloading documents from the Internet | 3.72 | 1.24 |
| D = Browsing new sites | 3.64 | 1.34 |
| E = Copying files from a pen drive | 3.40 | 1.27 |
| F = Online gaming | 3.32 | 1.23 |
| G = Online shopping | 2.60 | 1.28 |
| H = Using search engine | 2.20 | 1.23 |

Note. On the 5-point scale, the higher the score the greater the perception of risk.

Predicting the severity of consequences is a significant aspect of risk perception: results showed that the worst expected consequence was that a virus deletes some PC data. Other serious consequences were that a virus modifies PC data or that a virus obliges the employee to re-install some software (Table 3). When a PC virus attack occurred, 47% of participants tried to use antivirus software (22% of participants tried to delete the virus by using an antivirus), 42% contacted technical support and 18% called colleagues for help.⁴

The correlation between the scale of perceived risk, that some actions might cause a virus attack, and hours of computer use did not show a significant association. Moreover, risk perception was neither related to the number of previous virus attacks experienced, nor to the loss of data from their PCs in the previous 24 months. Additionally, the aggregate measure of preventive behavior did not correlate, respectively, with the hours of computer use, the number of virus attacks and the impact of losses suffered. However, the scale of IT self-competence was related to the hours of computer use (r = .32, p < .001), but not to the number of previous virus attacks (r = .09, p = .290) and the impact of losses incurred (r = .11, p = .201).


TABLE 3
Perceived severity of virus attack consequences (N = 134)

| | M | SD |
|---|---|---|
| Some data is deleted | 4.17 | 0.94 |
| Some data is modified | 3.83 | 1.11 |
| It is necessary to install software again | 3.80 | 1.12 |
| Hackers attack the PC | 3.36 | 1.34 |
| Data is e-mailed to another PC within the firm | 3.09 | 1.28 |
| Data is e-mailed to a PC outside of the firm | 3.06 | 1.25 |

Note. On the 5-point scale, the higher the score the greater the perceived consequences of the virus attack.

Before testing our model and considering the one-wave self-report design of the study, the common-method variance bias was analyzed. Harman’s single-factor test showed inadequate fit indexes for the one-factor model, CFI = .66, RMSEA = .19. So the hypothesis that the common method variance could explain a substantial amount of covariance among variables was rejected.

Having rejected the common method bias, we tested the hypothesized model. Results showed a good fit, Satorra-Bentler χ² = 49.84, df = 32, p = .02; CFI = .95, RMSEA = .06, SRMR = .05. It is important to note that the model did not hypothesize correlations between item-errors.

In relation to the measurement model, all loadings were significant (p < .01), which demonstrates convergent validity (Anderson & Gerbing, 1988). The H indexes showed excellent reliability for risk perception (.91) and for self-competence (.92), and good reliability for preventive behaviors (.79). This latter evidence compensates for the low Cronbach alpha of the preventive behaviors scale (Table 1).

Results showed that IT self-competence predicted preventive behavior (standardized regression coefficient = .44, p < .001) and was negatively correlated with the perception of risk of a virus attack (r = –.20, p = .021). The perception of risk of activities that might result in a virus attack did not predict preventive behavior at a significance level of .05 (standardized regression coefficient = –.16, p = .064) (Figure 1). Thus, the H2 and H3 hypotheses were confirmed, but not the H1 hypothesis. However, the model did not explain a high level of variance of the preventive behavior construct (R² = .20).⁵

DISCUSSION, IMPLICATIONS, AND LIMITATIONS

“Downloading software from the Internet” and “Receiving an e-mail” were, for the participants, the two activities with the highest risks of producing a virus infection. These perceptions are in line with the results of ICSA (2005) research and these findings are not obvious because research by Fischhoff et al. (1978) showed that risk perception is rarely similar to objective risk.

This result may be related to the characteristics of our sample, which consisted of small company employees that do not manage large amounts of confidential data, like those working in personal, judicial, health or financial fields, or to the items that addressed the consequences of virus attacks on employees’ individual work.


FIGURE 1

Structural equation model, completely standardized solution.

The risk perception of activities that might result in a virus attack did not influence preventive behavior; hypothesis H1 was not supported. Computer self-competence, instead, positively predicted behaviors aimed at preventing computer virus attacks, thus confirming hypothesis H2.

In health psychology, risk perception is a predictor, although modest, of self-protective and preventive health behavior, as when smoking cigarettes or drinking alcohol are examined (Van der Pligt, 1996). Similarly, risk perception is important when frequent and dreadful hazards, like earthquakes, flooding or tsunamis, are considered (Slovic, 1987). Our results show, instead, that working on a PC and being infected by a virus (like other common, everyday activities) are not influenced by risk perception. One explanation may be that probabilities and consequences of negative events can be underestimated. Employees, working on a PC for many hours a day and receiving and sending dozens of emails, could perceive the risk of being infected as less relevant for them.

Our results also show that risk perception of activities that might result in a virus attack does not influence preventive behaviors. This unexpected result may have different explanations. First of all, a low level of preventive behaviors may be observed if employees underestimate the risks deriving from some of their computer activities. It is also possible that the risk perception of an IT virus attack exceeds employees’ capacity to control and manage it; it is difficult to prevent something for which there is limited knowledge and competencies. Finally, the low level of the technological resources of the company might decrease preventive behaviors; in other words, if, for instance, the antivirus software is not updated (for financial or any other reason), then it might be useless to implement preventive behaviors if there are other pitfalls in the computer system. IT self-rated competencies concern not only the perception of possessing suitable skills (that allow the implementation of preventive behaviors reported by our participants, i.e., frequently running a backup of data and checking antivirus updates) but also knowledge of the efficacy of these preventive actions. From this perspective, self-competence may be a motivational factor because it induces employees to anticipate events and/or take actions.

Risk perception of computer virus attacks was negatively related to IT self-competence, thus confirming hypothesis H3, and also previous research which showed that IT self-competence was negatively correlated to risk perception when making online purchases (e.g., Zappalà & Gray, 2006).

In conclusion, being competent and having an adequate level of knowledge and skills in IT is required to manage computer virus attacks and implement preventive behaviors. Risk perception of activities that might result in a virus attack can instead stimulate individuals to learn and improve skills on how to defend PCs from viruses.

The main limitations of this study concern different aspects. The classic risk perception measurement approach (Finucane, Alhakami, Slovic, & Johnson, 2000), which studies both judgments of probability and severity of consequences, was not adopted in the model because it needs a double version of items. The items that were used in the model invited participants to answer questions about PC activities, jointly considering perceived likelihood and severity of consequences. This mixed approach could have placed more importance on one of the two risk perception components.

At the content level, psychological scales have different focuses: risk perception of computer activities and preventive behavior on virus-attack. This might be one of the reasons why risk perception is not correlated with preventive behavior. Ordinarily, when the danger is big, individuals tend to protect themselves, even if this hazard effect is not always factual: other reasons for not protecting oneself might include shielding intentions (for example protections are uncomfortable, cost too much, and so forth).

Limitations at the method level concern the limited number of items in the scales, even if the measures showed good convergent validity and good reliability. However, the alpha of the preventive behavior scale has to be taken into account, even if it was higher than in other studies on health preventive behavior in which Cronbach’s alpha was between .50 and .60 (see Claassen, Henneman, Kindt, Marteau, & Timmermans, 2010). Future research needs scales with better psychometric quality. Another limitation is the small number of firms, only four, participating in this research, which reduces variability of hazards, defences and type of data to be protected by the organizations. In addition, items mapping consequences of virus attacks were focused on the first direct impacts of the attack: damage to employees’ PCs and loss of information. The study did not include indirect impacts of the attacks, such as legal, financial or organizational consequences. Moreover, we did not analyze the optimistic bias of participants which could have influenced risk perception of individuals (Campbell, Greenauer, Macaluso, & End, 2007; Cho, Lee, & Chung, 2010). The number of participants was not high, although it was suitable: indeed Ding, Velicer, and Harlow (1995) note that 100-150 participants are sufficient to conduct a structural equation model analysis.

The explained variance of preventive behavior was not so high, suggesting that other variables may influence preventive behavior. Some models that could play a role in explaining preventive behavior are the Technology Acceptance Model (TAM; Davis, 1989) and the Trust in Information System Technology model (TIST; Lippert, 2002). TAM suggests that perceived usefulness and perceived ease of use of an information technology influence the intention to use that IT in the workplaces. Future research could study the perception of the usefulness of using antivirus technology and the effort to implement preventive behaviors.

Moreover, the concept of trust could help to understand the safe use of technology. The TIST model describes how users develop expectations of predictability and reliability of an IT system, and how these expectations positively influence users’ trust in the future performances of technology. Future research could study the expectations of reliability and predictability of an IT system designed to defend PCs from virus attacks. Finally, we think that there should be a more in-depth examination of the role of risk in this phenomenon, particularly in the light of the individual differences in risk-taking (Vecchione & Barbaranelli, 2005).

Implications of this study mostly concern the importance of training (Davinson & Sillence, 2010) and education provided by companies to employees. Training, for instance, should include a description of the actions or behaviors that cause infection and spreading of viruses, and improve competencies on PC, Internet and antivirus usage. Strategies to cope with infection and to delete the PC viruses should also be improved (Kehoe et al., 2009). Support and help (Battistelli & Mariani, 2011) from experienced colleagues could also develop employees’ IT-competence and thus prevent computer hazards. Moreover, specific guidelines on how to prevent and solve virus attacks should be developed by the company and shared with employees. In addition to employees, the technological side should also be considered: antivirus software should have a higher level of usability.

In conclusion, this research shows that creating a climate of fear through spreading a high risk perception of virus attacks among personnel is not the most important thing; improving PC competencies of employees could be more effective.

NOTES

1. Survey results were based on the responses of 522 computer security officers in US corporations, government agencies, financial institutions, medical institutions and universities.

2. Analytical participants were 351 information security and information technology professionals in United States corporations; the survey was carried out in the period from July 2009 to June 2010.

3. $$H = \frac{1}{1 + \dfrac{1}{\sum_{i=1}^{k} \dfrac{l_i^2}{1 - l_i^2}}}$$

$l_i^2$ is computed as the squared standardized loading; $k$ is the number of measured variables associated with a given latent factor.

4. The sum of percentages is over 100 because it was possible to report more than one action at the same time.

5. This result suggests the possibility that IT self-competence could moderate the relationship between risk perception and preventive behaviors. For this reason a moderator analysis was performed (Dawson, 2014). Using hierarchical multiple regression, we entered the risk perception centered variable and IT self-competence variables in Block 1, and then entered the multiplicative term in Block 2: the interaction was not significant (ΔR² = .00, F = .09). This result showed that there was no relation between risk perception and preventive behaviors even if a moderator effect of IT self-competence was considered.

REFERENCES

Anderson, J. C., & Gerbing, D. W. (1988). Structural equation modeling in practice: A review and recommended two-step approach. Psychological Bulletin, 103, 411-423. doi:10.1037/0033-2909.103.3.411

Bandura, A. (1997). Self-efficacy: The exercise of control. New York, NY: H. Freeman.

Battistelli, A., & Mariani, M. (2011). Supporto organizzativo: validazione della versione italiana della Survey of Perceived Organizational Support (versione a 8 item) [Organizational support: Validation of the Italian version of the Survey of Perceived Organizational Support (8 items)]. Giornale Italiano di Psicologia, 38(1), 189-210. doi:10.1421/34845

Bissett, A., & Shipton, G. (2000). Some human dimensions of computer virus creation and infection. International Journal of Human-Computer Studies, 52, 899-913. doi:10.1006/ijhc.1999.0361

Bosson, J. K., & Swann, W. B. (1999). Self-liking, self-competence, and the quest for self-verification. Personality and Social Psychology Bulletin, 25, 1230-1241. doi:10.1177/0146167299258005

Campbell, J., Greenauer, N., Macaluso, K., & End, C. (2007). Unrealistic optimism in Internet events. Computers in Human Behavior, 23(3), 1273-1284. doi:10.1016/j.chb.2004.12.005

Cenfetelli, R. T., & Bassellier, G. (2009). Interpretation of formative measurement in information systems research. MIS Quarterly, 33, 689-707.

Cho, H., Lee, J., & Chung, S. (2010). Optimistic bias about online privacy risks: Testing the moderating effects of perceived controllability and prior experience. Computers in Human Behavior, 26(5), 987-995. doi:10.1016/j.chb.2010.02.012

Claassen, L., Henneman, L., Kindt, I., Marteau, T. M., & Timmermans, D. M. (2010). Perceived risk and representations of cardiovascular disease and preventive behaviour in people diagnosed with familial hypercholesterolemia: A cross-sectional questionnaire study. Journal of Health Psychology, 15(1), 33-43. doi:10.1177/1359105309345170

Coles, R. (2002). Global information security survey 2002. London: KPMG.

Coles, R., & Hodgkinson, G. P. (2008). A psychometric study of information technology risks in the workplace. Risk Analysis, 28, 81-93. doi:10.1111/j.1539-6924.2007.00963.x

Coltman, T., Devinney, T. M., Midgley, D. F., & Venaik, S. (2008). Formative versus reflective measurement models: Two applications of formative measurement. Journal of Business Research, 61(12), 1250-1262. doi:10.1016/j.jbusres.2008.01.013

Computer Security Institute (2008). Computer crime & security survey. Retrieved February 12, 2011, from http://www.gocsi.com/sites/default/files/uploads/CSIsurvey2008.pdf.

Computer Security Institute (2010). Computer crime & security survey. Retrieved February 12, 2011, from http://www.gocsi.com/survey.

Davinson, N., & Sillence, E. (2010). It won’t happen to me: Promoting secure behaviour among Internet users. Computers in Human Behavior, 26(6), 1739-1747. doi:10.1016/j.chb.2010.06.023

Davis, F. D. (1989). Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quarterly, 13(3), 319-341.

Dawson, J. F. (2014). Moderation in management research: What, why, when, and how. Journal of Business and Psychology, 29, 1-19. doi:10.1007/s10869-013-9308-7.

Ding, L., Velicer, W. F., & Harlow, L. L. (1995). Effects of estimation methods, number of indicators per factor, and improper solutions on structural equation modeling fit indices. Structural Equation Modeling, 2, 119-143. doi:10.1080/10705519509540000

Douglas, M., & Wildavsky, A. (1982). Risk and culture. Berkeley, CA: University of California Press.

Finucane, M., Alhakami, A., Slovic, P., & Johnson, S. M. (2000). The affect heuristic in judgments of risks and benefits. Journal of Behavioral Decision Making, 13, 1-17. doi:10.1002/(SICI)1099-771(200001/03)13

Fischhoff, B., Slovic, P., Lichtenstein, S., Read, S., & Combs, B. (1978). How safe is safe enough? A psychometric study of attitudes towards technological risks and benefits. Policy Sciences, 9, 127-152.

Fisher, J. D., & Fisher, W. A. (2000). Theoretical approaches to individual-level change in HIV risk behaviour. In J. L. Peterson & R. J. DiClemente (Eds.), Handbook of HIV prevention (pp. 3-55). New York, NY: Kluwer Academic/Plenum.

Ford, M. E. (1985). The concept of competence: Themes and variations. In H. A. Marlowe, Jr., & R. B. Weinberg (Eds.), Competence development (pp. 3-49). Springfield, IL: C.C. Thomas.

Giannakouris, K., & Smihily, M. (2010). ICT security in enterprises. Retrieved February 12, 2011, from http://epp.eurostat.ec.europa.eu/cache/ITY_OFFPUB/KS-SF-11-007/EN/KS-SF-11-007-EN.PDF.

Guàrdia-Olmos, J., Peró-Cebollero, M., Horta-Faja, E., Jarne-Esparcia, A., Gordóvil-Merino, A., & Bénitez-Borrego, S. (2010). Psychological profile of subjects facilitating responsible preventive behavior. Quality & Quantity: International Journal of Methodology, 44(3), 499-507. doi:10.1007/s11135-008-9207-6

Hancock, G. R., & Mueller, R. O. (2001). Rethinking construct reliability within latent variable systems. In R. Cudeck, S. du Toit, & D. Sörbom (Eds.), Structural Equation Modeling: Present and Future − Festschrift in honor of Karl Jöreskog (pp. 195-216). Lincolnwood, IL: Scientific Software International.

Hu, L., & Bentler, P. (1999). Cutoff criteria for fit indexes in covariance structure analysis: Conventional criteria versus new alternatives. Structural Equation Modeling, 6, 1-55. doi:10.1080/10705519909540118

ICSA Labs (2005). Computer virus prevalence survey. Retrieved December 12, 2007, from http://www.cybertrust.com/intelligence/white_papers.html

Kalichman, S. C., Simbayi, L. C., Cain, D., Jooste, S., Skinner, D., & Cherry, C. (2006). Generalizing a model of health behaviour change and AIDS stigma for use with sexually transmitted infection clinic patients in Cape Town, South Africa. AIDS-Care, 18, 178-182. doi:10.1080/09540120500456292

Kehoe, E., Bednall, T. C., Yin, L., Olsen, K. N., Pitts, C., Henry, J. D., & Bailey, P. E. (2009). Training adult novices to use computers: Effects of different types of illustrations. Computers in Human Behavior, 25(2), 275-283. doi:10.1016/j.chb.2008.12.005

Kramarenko, D. (2004). The price of security. Retrieved April 25, 2011, from http://www.crime-research.org/news/05.04.2004/172/.

Kuttschreuter, M., & Gutteling, J. M. (2004). Time will tell: Changes in risk perception and the processing of risk information about the Y2K-risk. Computers in Human Behavior, 20, 801-821. doi:10.1016/j.chb.2003.11.004

Lippert, S. K. (2002). Contributing to a unified model of technology trust: Understanding trust in information systems technology. Academy of Business and Information Technology Meeting, 2(4), 343-364.

Löfstedt, R. L., & Frewer, L. (1998). Introduction. In R. L. Löfstedt & L. Frewer (Eds.), Risk and modern society (pp. 3-30). London: Earthscan.

Mannarini, S. (2010). Assessing the Rosenberg Self-Esteem Scale dimensionality and items functioning in relation to self-efficacy and attachment styles. TPM – Testing, Psychometrics, Methodology in Applied Psychology, 17(4), 229-242.

Mar, R. A., DeYoung, C. G., Higgins, D. M., & Peterson, J. B. (2006). Self-liking and self-competence separate self-evaluation from self-deception: Associations with personality, ability, and achievement. Journal of Personality, 74, 1047-1078. doi:10.1111/j.1467-6494.2006.00402.x

Mariani, M. G., Curcuruto, M., & Gaetani, I. (2013). Training opportunities, technology acceptance and job satisfaction: A study of Italian organizations. Journal of Workplace Learning, 7, 455-475. doi:10.1108/JWL-12-2011-0071

Mary (2009). Virus attack [electronic mailing list message]. Retrieved January 12, 2009, from http://community.norton.com/

Muthén, L. K., & Muthén, B. O. (2007). Mplus user’s guide. Los Angeles: Muthén and Muthén.

Podsakoff, P. M., MacKenzie, S. B., Lee, J. L., & Podsakoff, N. P. (2003). Common method biases in behavioral research: A critical view of the literature and recommended remedies. Journal of Applied Psychology, 88, 879-903. doi:10.1037/0021-9010.88.5.879

Rodgers, W. (1999). The influences of conflicting information on novices and loan officers’ actions. Journal of Economic Psychology, 20(2), 123-145. doi:10.1016/S0167-4870(99)00002-1

Sabella, R. A., Poynton, T. A., & Isaacs, M. L. (2010). School counselors perceived importance of counseling technology competencies. Computers in Human Behavior, 26(4), 609-617. doi:10.1016/j.chb.2009.12.014

Sjöberg, L. (1998). Explaining risk perception: An empirical evaluation of cultural theory. In R. L. Löfstedt & L. Frewer (Eds.), Risk and modern society (pp. 115-133). London: Earthscan.

Sjöberg, L. (1999). Risk perception in Western Europe. Ambio, 28, 543-549.

Sjöberg, L., & Fromm, J. (2001). Information technology risks as seen by the public. Risk Analysis, 23, 427-441. doi:10.1111/0272-4332.213123

Slovic, P. (1987). Perception of risk. Science, 236, 280-285. doi:10.1126/science.3563507

Slovic, P. (1993). Perceived risk, trust and democracy. Risk Analysis, 13, 675-682. doi:10.1111/j.1539-6924.1993.tb01329.x

Starr, C. (1969). Social benefit versus technological risk. Science, 165, 1232-1238. doi:10.1126/science.165.3899.1232

Tafarodi, R. W., & Swann, W. B., Jr. (1995). Self-liking and self-competence as dimensions of global self-esteem: Initial validation of a measure. Journal of Personality Assessment, 65, 322-342. doi:10.1207/s15327752jpa6502_8

Tafarodi, R. W., & Swann, W. B. (2001). Two-dimensional self-esteem: Theory and measurement. Personality and Individual Differences, 31(5), 653-673. doi:10.1016/S0191-8869(00)00169-0

Van der Pligt, J. (1996). Risk perception and self-protective behaviour. European Psychologist, 1, 34-43. doi:10.1027/1016-9040.1.1.34

Vecchione, M., & Barbaranelli, C. (2005). Propensione al rischio e investimenti: Un contributo psicometrico alla validazione Italiana della Declared risk-taking scale e della Investment risk-taking scale [Risk taking and investment behavior: An Italian version of Declared risk-taking scale and Investment risk-taking scale]. TPM − Testing, Psychometrics, Methodology in Applied Psychology, 12(3), 183-202.

Weinstein, N. D. (1988). The precaution adoption process. Health Psychology, 7, 355-386. doi:10.1037/0278-6133.7.4.355

Zappalà, S., & Gray, C. (2006). Impact of e-commerce on consumers and small firms. London: Ashgate.


APPENDIX

Scale Items and Intercorrelations

The following items were selected; a 5-point scale was used.

Risk perception
Considering the likelihood and severity of the consequences of a virus attack:
R1) How risky is receiving an e-mail?
R2) How risky is downloading software from the Internet?
R3) How risky is copying files from a pen drive?

IT self-competence
SC1) What is your level of competence when using a computer?
SC2) What is your level of competence when using the Internet?
SC3) What is your level of competence when defending a computer from a virus attack?

Preventive behaviors
PB1) How often do you check antivirus updates?
PB2) How often do you back-up your data to prevent damage from possible virus attacks?
PB3) How often do you check that your antivirus is active?
PB4) How often do you open e-mails from unknown people?

Intercorrelations among the items of the three scales

          R1     R2     R3    SC1    SC2    SC3    PB1    PB2    PB3    PB4
R1      1.00
R2       .56   1.00
R3       .49    .31   1.00
SC1     –.23   –.21    .01   1.00
SC2     –.18   –.24   –.01    .84   1.00
SC3     –.21   –.07    .01    .60    .59   1.00
PB1     –.02   –.03   –.13    .14    .01    .10   1.00
PB2     –.14   –.07   –.13    .38    .31    .39    .36   1.00
PB3      .07    .23    .22    .13    .10    .09    .29    .29   1.00
PB4      .09    .13    .08   –.20   –.12   –.12   –.23   –.43   –.20   1.00
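As an added illustration (not part of the original article), the Python below computes standardized Cronbach's alpha for each scale from the item intercorrelations in this appendix, and coefficient H as defined in Note 3. Treating PB4 as reverse-keyed is an assumption based on its negative correlations with PB1 to PB3, and the loadings passed to `coefficient_h` are constructed, because the extracted figure does not map loadings to items.

```python
# Item intercorrelations copied from the appendix table (lower triangle).
ITEMS = ["R1", "R2", "R3", "SC1", "SC2", "SC3", "PB1", "PB2", "PB3", "PB4"]
LOWER = [
    [1.00],
    [.56, 1.00],
    [.49, .31, 1.00],
    [-.23, -.21, .01, 1.00],
    [-.18, -.24, -.01, .84, 1.00],
    [-.21, -.07, .01, .60, .59, 1.00],
    [-.02, -.03, -.13, .14, .01, .10, 1.00],
    [-.14, -.07, -.13, .38, .31, .39, .36, 1.00],
    [.07, .23, .22, .13, .10, .09, .29, .29, 1.00],
    [.09, .13, .08, -.20, -.12, -.12, -.23, -.43, -.20, 1.00],
]


def corr(a, b):
    """Correlation between two items, looked up in the lower triangle."""
    i, j = ITEMS.index(a), ITEMS.index(b)
    return LOWER[max(i, j)][min(i, j)]


def standardized_alpha(items, reversed_items=()):
    """Standardized alpha: k * r_bar / (1 + (k - 1) * r_bar).

    Reverse-keying an item flips the sign of its correlation with every
    item that is not itself reversed.
    """
    k = len(items)
    if k < 2:
        raise ValueError("a scale needs at least two items")
    rs = []
    for x in range(k):
        for y in range(x + 1, k):
            r = corr(items[x], items[y])
            if (items[x] in reversed_items) != (items[y] in reversed_items):
                r = -r
            rs.append(r)
    r_bar = sum(rs) / len(rs)
    return k * r_bar / (1 + (k - 1) * r_bar)


def coefficient_h(loadings):
    """Coefficient H from Note 3, given standardized loadings."""
    total = 0.0
    for l in loadings:
        l2 = l * l
        if l2 >= 1:
            raise ValueError("standardized loading must satisfy |l| < 1")
        total += l2 / (1 - l2)
    if total == 0:
        return 0.0
    return 1 / (1 + 1 / total)


if __name__ == "__main__":
    scales = {
        "Risk perception": (["R1", "R2", "R3"], set()),
        "IT self-competence": (["SC1", "SC2", "SC3"], set()),
        # Assumption: PB4 (opening e-mails from unknown people) is reverse-keyed.
        "Preventive behaviors": (["PB1", "PB2", "PB3", "PB4"], {"PB4"}),
    }
    for name, (items, rev) in scales.items():
        print(f"{name}: alpha = {standardized_alpha(items, rev):.2f}")
    # Constructed loadings, only to exercise the Note 3 formula.
    print(f"H for loadings .9/.8/.7 = {coefficient_h([.9, .8, .7]):.3f}")
```

Standardized alpha is derived from correlations only, so it can differ from a raw-score alpha computed on item variances.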