Measuring the Human Factor in Information Security and Privacy
Marc J. Dupuis
University of Washington
marcjd@uw.edu
Robert E. Crossler
Mississippi State University
rob.crossler@msstate.edu
Barbara Endicott-Popovsky
University of Washington
endicott@uw.edu
Abstract
In this paper, we describe the development and validation of three survey instruments designed to measure the human factor in information security and privacy. These instruments are intended to measure the extent to which people engage in the responses necessary to mitigate three different information security and privacy threats: computer performance compromise, personal information compromise, and loss of data and files. This paper makes a significant contribution by providing validated survey instruments that can be used by other researchers in the future. The instruments may be used in combination with various theoretical approaches, such as Protection Motivation Theory. Likewise, researchers may opt to use one, two, or all three survey instruments, depending on the particular needs of the research question(s) being addressed. Response pattern statistics are also provided along with suggestions for how the instruments may be used.
1. Introduction
Understanding the information security and privacy behavior of home users is a complex task that requires careful planning and a thoughtful approach. One could simply develop a list of best practices related to information security and privacy behaviors and assume that those who engage in more of these practices have superior information security and privacy behavior compared to those who do not. However, this approach ultimately does not take into account the context of the behavior. This may not be critical in all research that examines the information security and privacy behaviors of home users [1], but in the current research it is considered important given the different motivations that may come into play in response to varying threats. Therefore, the approach employed here examines three significant information security and privacy threats to home users and the responses necessary to mitigate these threats.
The use of threat-response pairs is an effective way to account for varying contexts, and the approach employed here is similar to the one used by Crossler and Bélanger [2] in their examination of the responses necessary to protect one from the threat of losing data and files. This involves first identifying a threat and then determining the response(s) necessary to mitigate the threat. For example, one of the responses necessary to mitigate the threat of losing one’s data and files may be keeping current backups of data.
Following the general guidelines from Churchill [3] and Straub [4], three new survey instruments were developed to assess the responses necessary to protect individuals from three different information security and privacy threats: loss of data and files, personal information compromise, and computer performance compromise. These three threats were chosen based on their potential to negatively impact the three primary areas of concern for information security and privacy: confidentiality, integrity, and availability [5]–[9].
The development of these three new survey instruments included an extensive literature review, convening an expert panel review, pre-testing the resulting instruments, pilot testing the revised instruments, and finally administration of the main study with slight revisions made from the pilot study. The remainder of this article discusses an important distinction between behavioral intention and self-reported behavior, describes the process employed, outcomes, and associated statistical analyses, followed by some recommended uses of these new instruments. We start with a discussion on using self-reported behavior rather than behavioral intentions.
2. Behavioral Intention vs. Self-Reports of Behavior
This study used information on an individual’s reported behavior rather than behavioral intentions. Although most of the theories that have been used to understand behavior within the information systems domain include a behavioral intention construct that acts as the main determinant of behavior (Ajzen, 1985; Fishbein & Ajzen, 1975; Rogers, 1975; Triandis, 1977), it may not be the most appropriate way to
2016 49th Hawaii International Conference on System Sciences
1530-1605/16 $31.00 © 2016 IEEE
DOI 10.1109/HICSS.2016.459
3675