Factors to Motivate Protection against Cyber Attacks across Organizations 

Introduction

 Security is a growing issue for all organizations with I.T. facilities (Dixit et al.,

2022). Businesses that belong to different industries and organizations have experienced an

increased frequency of cyber-attacks (Li et al., 2022; Vrhovec & Mihelič, 2021; Siponen et al.,

2014; Vance et al., 2012). However, since the covid 19 pandemic, there has been a steep increase

in social engineering attacks (Siddiqi et al., 2022) (Hijji & Alam, 2021). Social engineering

attacks target the psychology of the user, unlike other network attacks. The reasons behind this

problem are a lack of employee awareness and employee compliance failures with information

security policies and procedures (Sulaiman et al., 2022; Li et al., 2022; Haag et al., 2021; Yeng

et al., 2021; Siponen et al., 2014). Therefore it is significant to improve employees' awareness

and motivate employees to enhance their cybersecurity compliance behavior. This quantitative

regression study aims to measure employee awareness and employees' cybersecurity protection

actions. 

Search Strategy

Google Scholar, IEEE, ACM journals, Sage publications, and the University of

Cumberlands library will be used to gather the literature. Keywords used were "cyber attacks

across organizations" and "cyber attacks and protection motivation theory." First, review articles

were studied to find gaps in the existing research articles and then narrowed down to the specific

problem of increasing cyber-attacks. Sometimes a snowballing approach is also used to find

relevant articles. The article types that are included are peer-reviewed published papers from

journals. In addition to that, there are also some conference papers that are included.
 Factors to Motivate Protection against Cyber Attacks across Organizations  

Theoretical Framework

Several decades ago, Protection Motivation Theory was initially used in the research of

the health domain to create a model of disease prevention and health promotion (Floyd et al.,

2000). A meta-analysis that was done at that time on two decades of research revealed threat

severity, threat vulnerability, response efficacy, and self-efficacy resulted in adaptive behaviors.

It also indicated that a decrease in maladaptive response rewards and adaptive response costs

facilitated adaptive behaviors or intentions. Irrespective of intentions or behaviors, the measures

hold true

The author postulated three components of fear appeal (Rogers, 1975). They are the

magnitude of noxiousness of the depicted event, probability of occurrence of that event, and

efficacy of protective response. The above-mentioned communication variables trigger the

cognitive process that can change attitudes. The below diagram explains the constructs and was

adopted from Rogers in 1975 (Rogers, 1975)

 Factors to Motivate Protection against Cyber Attacks across Organizations  

In 1983 the model was revisited by the authors (Maddux & Rogers, 1983). It was further

studied to understand the effect of fear appeals on persuasion behavior by combining protection

motivation theory with self-efficacy theory. It was found that the probability of threat occurrence

and effectiveness of coping response has a positive influence on adopting preventive health

behavior. It was also found that self-efficacy as a fourth component supports the protection

motivation theory. It can influence the intentions due to its direct influence and its interactions

with the other two variables of PMT. The interaction effect can be interpreted as two new

decision-making strategies that people use when confronted with fear which is a preventive

strategy and a hyper-defensive strategy. Finally, the resultant model combining self-efficacy

theory and protection motivation theory resulted in a general model for attitude change.

In another meta-analytic review, it was found that threat and coping appraisal

components are useful in predicting health behaviors (Milne et al., 2000). However, they could

only be concurrent behaviors but not future behaviors. It was also found that the coping appraisal

component has greater predictability than the threat appraisal component. The below diagram is

adapted from (Milne et al., 2000)

 Factors to Motivate Protection against Cyber Attacks across Organizations  

Protection Motivation Theory begins with the person receiving the information and

evaluating it to take protective action (Crossler & Bélanger, 2014). One of the external sources

from which this information is received can be prior experience based on which a user performs

an action. The cognitive mediation process that comprises threat and coping appraisal processes

has two coping modes. One is adaptive coping, which talks about protecting oneself and also

protecting others. Another one is maladaptive coping, which is about not protecting oneself and

others.

PMT propounds that threat appraisal is one determinant to specify whether a person

adopts coping behavior or not (Crossler & Bélanger, 2014). Thus the below model combines the

PMT proposed by Rogers and Floyd.

The below diagram was adopted from (Crossler & Bélanger, 2014)
 Factors to Motivate Protection against Cyber Attacks across Organizations  

Over decades the studies that are based on PMT ignored the full nomology of PMT and

considered only the core constructs of PMT (Boss et al., 2015). A fear appeal based on which

PMT is formed is ignored. Information security studies that used PMT did not model or measure

fear, and in addition to that, most of the predictions were based on the intentions rather than the

actual behavior.

The below figure is from Boss et al. (2015).

 Factors to Motivate Protection against Cyber Attacks across Organizations  

Managers are concerned about motivating their employees to engage in secure behaviors.

Previous studies have used PMT to better understand users' performance toward secure behavior.

However, the adaption of PMT yielded inconsistent results. Below model adapted from (Menard

et al., 2017) integrated PMT and Self Determination Theory (SDT) to explain users' motivation

to comply with security policies. Motivation is a measurable construct of SDT, and through this

study, it was shown that motivation to engage in secure behaviors could be achieved through

intrinsic motivation rather than fear. Secure messages have been constructed that appeal to

intrinsic motivation rather than fear. While users exhibiting security measures might trigger a

threat, the primary focus of using fear may not be an effective way of eliciting motivational

behaviors. However, this model tested only the behavioral intentions but not the actual behavior.
 Factors to Motivate Protection against Cyber Attacks across Organizations  

Another study investigated the impact of employee cybersecurity policy awareness on

employees' cybersecurity behavior rather than on their intentions (Li et al., 2019). The

investigated results proved that employees' awareness of cyber security policies made them

exhibit security behaviors. In addition to that, the study also indicated that organizational,

informational security policy environment positively influences their threat and coping appraisal

processes that further lead to cybersecurity behavior.

Below model adopted by (Li et al., 2019)

This study is an extension of the previous study and is the basis for the current study,

where it considers the effect of antecedents and mediating factors that contribute to the security

behaviors in addition to the core constructs of the PMT. The below diagram is adopted from (Li

et al., 2022) and is the current model of the study. It includes five core constructs of PMT that

can influence protection behavior.

Perceived Severity
 Factors to Motivate Protection against Cyber Attacks across Organizations  

It is when a user perceives a danger of a cyber attack, for example, the danger of getting

their system infected by opening a suspicious email attachment.

Perceived Vulnerability

It explains a user's perception of a malicious attack, for example, vulnerability to a

phishing email.

Perceived Response Efficacy

It deals with a user carrying an expected preventive behavior in response to a threat or a

vulnerability

Perceived Self Efficacy

It explains how well an employee or a user is confident in his abilities to perform the

prescribed procedures successfully.

Response Costs

It explains how well an employee can be compliant with security policies that help the

organization keep security breaches down. These five factors are the core constructs of PMT.

It also proved that coping factors are reliable predictors in predicting motivational

behavior. In addition to that, several practical implications are provided with respect to gender,

organization type, and also generation. For example, government organizations took good

measures in motivating sec security behavior than other businesses, etc. There is also a

significant difference in generations exhibiting security behaviors. Based on these, cybersecurity

training can be enhanced. Below diagram is adapted from (Li et al., 2022)
 Factors to Motivate Protection against Cyber Attacks across Organizations  

PMT model is rooted in literature and states that its constructs which are threat appeal

and coping appeal, can influence the motivational behavior of individuals. Disciplines like

psychology, information technology, health care, etc. validated the PMT model.28 publications

based on PMT and information security were reviewed, and it was found that some core

constructs were missing among 19 studies. Also, most of the studies did not consider the actual

behavior, but they only tested the intentions. Feal appeal messages have also been found to have

an impact on protection behavior. Overall this calls for an extended PMT model to reflect the

unique behavior in an information security setting.

The extended PMT model has organization effort as an antecedent to promote cognitive

processes, which are threat and coping appeals, and they further promote employee protection

behavior. Employee awareness is also considered another antecedent that can result from the

organizational effort. Employee awareness can promote positive cognitive behavior, which will

motivate protection behavior. In addition to that, demographic factors are also considered in this

model
 Factors to Motivate Protection against Cyber Attacks across Organizations  

Literature Review

Social Engineering Attack

Although cybersecurity strategies are enhancing, cybercriminals are mutating

cyberattacks (Siddiqi et al., 2022). They exploit human factors to bypass technical measures, as it

is easy to compromise a human than to find a vulnerability in the security system. Social

engineering attacks are onerous to detect as they do not follow a specific pattern. There are many

kinds of cyber attacks that are based on social engineering attacks. For example, phishing

attacks, dumpster diving, scareware, waterhole, reverse social engineering, and deepfake.

Phishing

In this kind of attack, the attackers use deceitful communication to steal information

(Choudhary et al., 2022). Depending on the type of communication, they are further classified.

Email phishing is where the attacker uses email to send malicious links. Smishing is another

subtype where SMS is used to send phishing attacks and is often targeted at individuals. Vishing

is also another subcategory where phishing happens through voice via phone calls. Pharming is

another kind that does not need any communication mechanism. In this kind of attack, the victim

is misdirected as the attacker modifies DNS entries.

Extortion

In this kind of attack, the attacker morphs images of victims onto images and videos

using deep learning techniques like DeepFake, and the attacker exhorts money from the victims

(Choudhary et al., 2022).

Malware
 Factors to Motivate Protection against Cyber Attacks across Organizations  

This kind of attack is carried through malicious code called malware (Choudhary et al.,

2022). Malware is deployed through phishing attacks. Ransomware, spyware, adware, and

spyware are some of the types of malware. Social media platforms are often targeted to send

links through images or videos (Etuh et al., 2021).

Spam

An unwanted email is time-consuming for the reader and is also a source of Java applets

that can execute automatically upon reading the message (Saravanan & Bama, 2019). A few

examples of fifth-generation cyber attacks are AdvisorsBot, Fireball, Trickbot, etc.

Organizations under Cyber Attacks

Many organizations have experienced a sharp increase in cyber attacks following covid

19 pandemic (Verma & Shri, 2022). Below are some examples of organizations that were

victims of cyber attacks. There are case studies that can be further expanded.

Various organizations and industries have been exploited by cybercriminals during the

pandemic (Hijji & Alam, 2021). They are hospitals, public and private sectors, government

institutions, banking, and finance. Among these, the top targets are healthcare companies and

hospitals, as they have weak security controls set up.

Banking Sector

Online banking through computers and mobile apps helps in faster bank transactions to

customers from anywhere (Ashok, 2021). However, cybercriminals are applying different kinds

of social engineering attacks to steal funds.

Health Organizations
 Factors to Motivate Protection against Cyber Attacks across Organizations  

Cyber threats against organizations have put not only patients' privacy at risk but also

their safety, and only very few studies have considered cyber threats against health care (Bhuyan

et al., 2020). Four major players in cybersecurity threats in health care are cyber attackers, cyber

defenders, developers, and end-users. In addition to that, there are four major types of cyber

threats against health care.

Impact of Cyber Attacks

There is an exponential increase in economic impact due to the rising number of attacks

(Hijji & Alam, 2021). Accenture's annual security report shows a 67% increase in security

breaches, and companies spent $110 billion worldwide for protection against cyber attacks.

University of California San Fransico Schoo of Medicine paid $1.14 million dollars to remove

ransomware. Russian malware that targeted Ukraine systems encrypted crucial data making it

useless. The damage cost is estimated to be 10 million. One of the predictions is that Global

Cybersecurity Market will total $152 billion USD by 2025 due to the growing number of cyber-

attacks.

In 2018 FBI received around 100 complaints regarding phishing attacks targeted at health

care, education, air travel, etc., that resulted in a net loss of 100 million dollars (Alabdan, 2020).

In 2010, the total number of complaints was 1,470,306, which increased to 5,737,265 in 2021,

where the growth rate spiked to 290.21% (Md Haris Uddin Sharif & Mehmood Ali Mohammed,

2022).
 Factors to Motivate Protection against Cyber Attacks across Organizations  

Examing Cyber Attacks through PMT Lens

Although several studies have used theories such as PMT, Theory of Planned Behaviour,

Self Dettterance theory, etc., to understand user behavior in cyber security construct, PMT has

been a widely accepted theory(Lee et al., 2022).

Research Questions

1. Does employee awareness significantly impacts protection motivation behavior?

2. Is there a distinction between male and female protection motivation behavior against

cyber attacks?

3. Do generations (elderly versus younger) show any difference in protection motivation

behavior

Perceived Threat

Although there has been research related to identifying factors that contribute to

employee compliance with cybersecurity behavior, there are some limitations. A study was

conducted to understand the factors that contributed to compliance in teenagers. The results

indicated that teenagers are mostly influenced by personal norms, such as being guilty or being

embarrassed if their accounts are hacked will make them more compliant with security behaviors

(Mwagwabi & Jiow, 2021). However, the survey given to the teens was lengthy and tedious, and

research was only conducted in Singapore. Cultural differences might arise and might impact the

results when the survey gets conducted in other countries. One of the studies found that

perceived threat is directly related to cybersecurity behavior (Mat et al., 2021). This leads to the

hypothesis

Hypothesis 1: Perceived severity has a significant impact on cybersecurity behavior.

 Factors to Motivate Protection against Cyber Attacks across Organizations  

Organization Effort

Being non-compliant with security policy is one of the issues with employees (Hai Goh

& Ping Teoh, 2021). Failure to comply can be because of the attitude, or it can be an

organizational factor. Employees may feel that policy is too stringent and hinders daily work,

which is unfair to comply with, and they might fail to comply. The results were, however,

theoretical and did not proven through statistics. It is proved in another study that measures

related to awareness improved users' privacy protection behavior (Gabel et al., n.d.)

Li et al. (2021) expounded some of the factors that can motivate employees to enhance

their protection behavior are cybersecurity culture and awareness programs that organizations

can develop (Lie et al., 2021). In addition to using advanced technologies for protection against

cyberattacks, organizations should also invest in the culture. The author provided only theoretical

insights; however, there are no statistics proving the theory. This leads to the hypothesis

Hypothesis 2: Organization effort has a significant impact on employee awareness.

Self Efficacy

Kalhoro et al. (2021) conducted an extensive review of published literature from 2010 to

20202 and identified several factors that can impact software engineers to exhibit cyber hygiene

behavior. Self-efficacy is found to be one of the positive factors, which then leads to the

hypothesis that

Hypothesis 3: Self-efficacy significantly impacts security protection behavior (Kalhoro et

al., 2021).
 Factors to Motivate Protection against Cyber Attacks across Organizations  

Five main factors were identified by Hull et al. (2021) that can motivate employees to

take protection against cyber attacks. Knowledge, motivation, confidence, propensity to take

risks, and self-typed characteristics. Among all the five, knowledge was highly determinant.

However, the limitation of this research is participants recruited from CrowdFlower may not

represent the general population.

A Mix of PMT Constructs

A study conducted to identify the factors that motivated users to protect their privacy was

done under the lens of protection motivation theory (Boerman et al., 2021). Perceived threat is

found to be high and motivated users to adopt secure behavior. There is a mix of coping

appraisal variables; self-efficacy was low in users for protecting their privacy online. Perceived

severity and response efficacy effects privacy protection behavior.

Hypothesis 4: Stronger response efficacy impacts protection motivation behavior

Micro, small and medium enterprises are at risk of cyber threats, especially those

enterprises that are new to cybersecurity (Bisma et al., 2021). A quantitative study on those

enterprises indicates that perceived severity and self-efficacy have a significant impact on

protection behavior intention.

Hypothesis 5: Perceived Severity can significantly impact protection motivation behavior

Organization Culture

The author determines through him that organizational resiliency depends on the

perception of employees' awareness, cybersecurity policy, and culture(Andronache, 2021).

 Factors to Motivate Protection against Cyber Attacks across Organizations  

Security awareness can be increased through the lens of cultural concepts. They both are good

factors to integrate as they both depend on expanding knowledge and enforcing good practices.

An employee's knowledge of cybersecurity can be improvised through leadership and

mediated by organizational culture (Onumo et al., 2021). In addition to knowledge, employees'

cognitive belief system can also influence their intentions to comply with security policies. It is

identified that security tools can be used to moderate employees' cognitive belief systems. It can

further extemporize their compliance behavior. The limitation of this study is the low sample

size.

In another study, the author explains that organizational culture and team culture

increases employees' cognitive abilities to deal with the threat and coping appraisals, which in

turn impacts their behavioral intentions to comply with information security policies (Sharma &

Aparicio, 2022). However, the survey respondents were self-selected as the survey was posted on

Mturk for financial benefit. In addition to involvement, consistency, adaptability, and mission,

there are other subcultures that are not considered under organizational culture.

PMT Extensions

A study was conducted to assess the awareness of cyber attacks in Palestinian learners.

Results indicated that internet users were careless against security measures, knowledge, and

practice. They did not even try to attend an awareness course to improvise their knowledge.

Among those users, some of them with knowledge of cyber-attacks acted in a more professional

way. The survey was conducted only among educational institutions (Salem et al., 2021).

A study extended PMT by considering organization effort and employee awareness as

antecedents to threat appraisal and coping appraisal (Li et al., 2022). The findings proved that
 Factors to Motivate Protection against Cyber Attacks across Organizations  

organizational effort increases employee awareness which further increases threat and coping

appraisals. The threat and coping appraisals of PMT are then found to significantly impact the

protection behavior of the employees.

In a similar study, instead of employee awareness and organization effort as antecedents,

the author considered SETA programs as antecedents of threat and countermeasure awareness

and which are further mediated by threat and coping appraisal and finally lead to protection

behavior (Hassandoust & Techatassanasoontorn, 2020).

In another study, the author extended PMT by considering perceived knowledge and

internet trust as antecedents and proved that users who tend to believe that they have knowledge

about cybercrime are more inclined to take protective measures (De Kimpe et al., 2022).

However, when the actual knowledge of respondents was considered, the results might vary.

Factors beyond psychological were not considered; for example, experience or technology

features were not considered.

Similarly, in another study that extended, PMT procedural countermeasure awareness

was considered an antecedent that led employees to take protection motivation behavior.

However problem with this research was the survey conducted in Malayasia was taken during

the movement control order (Humaidi & Abdallah Alghazo, 2022). One of the latest

technologies used in providing awareness is A.I. (Ansari, 2022). It was proven through the

survey results that A.I. based security training programs significantly impact employees' risk

scores. On a similar note, another author too mentioned that game-based approaches could

enhance the security awareness of the employees (Alqahtani & Kavakli-Thorne, 2020).
 Factors to Motivate Protection against Cyber Attacks across Organizations  

A qualitative study conducted in the healthcare domain revealed three key security

barriers (Coventry et al., 2020). The first one is security perceived as a barrier; the second is poor

awareness of consequences, and the third is lack of policies and reinforcement of secure

behavior.

Psychological Contract Breach

A study that used TPB found that Psychological contract breach (PCB) negatively

impacts information security policy compliance (Lee et al., 2022). PCB is said to generate

negative beliefs against the organization, thus making employees non-compliant.

Fear

The core constructs of PMT are threat and coping appraisal processes that can give rise

to attitude ambivalence (Ng et al., 2021). The attitude ambivalence negatively influences

protection behavior. By designing effective fear appeals, attitude ambivalence can be mitigated.

Fear appeals are dropped from other research as their effect is there temporary (Fischer-Preßler

et al., 2022). Fear appeals only work when they are combined with strong efficacy messages.

However, in a study, an author mentioned that the full nomology of PMT is not used in most of

the studies. Especially fear appeals are not considered (Boss et al., 2015)

At the same time, it is interesting to note that fear of cyber attacks dampens the

relationship between self-efficacy and protection motivation (Vrhovec & Mihelič, 2021). In the

presence of fear, self-efficacy cannot influence protection motivation behavior. Measures that

tend to raise protection motivation should tend to increase individual perceived vulnerability and

efficacy of self-protective measures by stressing the consequences of cyberattacks against the

 Factors to Motivate Protection against Cyber Attacks across Organizations  

organization. However, the survey was conducted in an academic environment where the

workforce is highly educated.

Compliant/Non-Compliant Behavior

In another study, it was evident that security system anxiety and non-compliant peer

behavior negatively impact employees' compliance behavior toward security policies (Alzahrani,

2021). Security system anxiety might be the result of the employee's unwillingness to report

security incidents. One of the reasons is fear of punishment. It is also determined that security

education and security visibility positively impact compliant behavior. However, the study was

carried out among students and not in an actual organizational setting. Another study mentioned

that in addition to security-related stress, value conflicts and neutralization are also additional

factors that contribute to the non-compliant behavior of employees(Ali et al., 2021).

It has been identified that internal factors significantly motivate compliance behavior

more than external factors (Alassaf & Alkhalifah, 2021). Internal factors include trust,

information security awareness, organizational citizenship behavior, and demographics. Another

study on internal factors that motivate employees to comply to with security policies mentioned

that psychological ownership, perceived control, and self-efficacy increase employees' intent to

protect organizational data (Raddatz et al., 2019). In another study, the author too identified

some internal and external factors that motivated employees to exhibit compliance behavior (Ali

et al., 2021). They are culture, management behaviors, deterrence techniques, and information

security awareness.

The author came up with a completely different finding for employees' non-compliant

behavior (Jalali et al., 2020). An experiment-based approach combined with a survey-based

 Factors to Motivate Protection against Cyber Attacks across Organizations  

approach revealed that hospitals should effectively manage employees' workload so that they are

more compliant with security policies and refrain from clicking any phishing emails.

Another reason for non-compliance is a lack of understanding of information security

policies and procedures (Verkijika). In addition to that, carelessness and indifference are also

identified. Organizational culture is considered to be one of the factors that can make employees

compliant with information security policies (Ejigu et al., n.d.)

BYOD

BYOD devices are also one of the top security risks experienced by companies (Ameen

et al., 2020). However, a study on this security policy compliance revealed that there is a lack of

awareness among employees regarding smartphone security policies, and there is also a gender

gap in complying with security policies. Females in the USA have difficulty complying with

their organization's BYOD security recommendations. However, the age group of participants is

18-35 and considered only in USA and UAE.

Nudges

Nudges are proven to be another excellent tool for increasing motivational behavior

(Prange et al., 2022). The author conducted an experiment to investigate the motivating behavior

in the selection of smart home configurations and concluded that nudges fostered secure

behavior among the users. However, another study mentioned that there is little known about

how the content of warning messages changes the attitude, belief, and motivation that further

leads to secure behavior. Inspired by PMT constructs, the author conducted an online experiment

with a coping message and threat appeal, mentioning users to practice safety measures and the

consequences of not following that. Results indicated that the coping message alone and also
 Factors to Motivate Protection against Cyber Attacks across Organizations  

when combined with a threat has a significant impact on security behavior. However, the threat

appeal alone did not have any significant impact.

Other Factors

Although behavior changes are observed after awareness programs, they have not lasted

long-term (Seddon, 2022). Therefore repeated exposure to awareness programs is needed to

sustain the behavioral changes. Fear appeals are used for password compliance, but since it is

also short-term, they may not be suitable as a method of increasing cybersecurity awareness.

The below diagram is adapted from Motivating security compliance through habit (Vance et al.,

2012).
 Factors to Motivate Protection against Cyber Attacks across Organizations  

Gender and Generations

Studies have shown that older women are more susceptible to phishing attacks (Alabdan,

2020)

Gaps

Moderating and meditating variables have received less attention in research studies that

used behavioral and organizational theories (Alassaf & Alkhalifah, 2021). Also, the population

in health care was also not considered frequently in these studies, and the majority of cyber

attacks took place in health care. External factors include the SETA program, corporate social

responsibility, supportive organization culture, and compliance audit. Another study also

mentioned that study of cyber security threats against health care was not much considered

(Bhuyan et al., 2020)

In order to mitigate the security compliance problem, several gaps have to be addressed,

which are identified by reviewing theories and other relevant theories. The gaps are around the

geographical context of the studies, the role of gender in complying with CIS, roles of

responsibility, and theory integration (Sulaiman et al., 2022).

In another study, the author mentions that there is a gap related to information security

models study as most of them were able to predict the security intentions but not the actual

behaviors (Lee et al., 2022). Future research should consider response appeals which are self-

efficacy, response efficacy, and response cost (Mou et al., 2022)

 Factors to Motivate Protection against Cyber Attacks across Organizations  

Testing Review

Motivating protection behavior against cyber attacks has been considered across the

population that belongs to educational institutions, health care, finance, the government sector,

etc.

Student's Contribution

Some of the gaps have been identified in the literature, which will be addressed in the

current study. One is moderating and mediating variables were addressed less in the previous

studies and will be considered in this study. The second healthcare population was considered

less in past studies. Therefore healthcare population will be included in the current study. Third,

there is a need to consider external factors such as organizational effort or culture rather than

considering only the core constructs of PMT. Fourth, response appeals are considered in this

research as there is a need to consider more research in response appeals. Lastly, PMT

relationships are not considered linear or non-linear, which will be addressed in the current

study.

Conclusion

Increasing cyber-attacks are a threat to organizations and further to nations. Since the

pandemic, there is also a steep increase in social engineering attacks. This paper discusses cyber

attacks that target employees on a work computer. The problem of social engineering attacks

targeted at employees is observed through the lens of protection motivation theory. Based on the

extended PMT model, hypotheses were formed that helped to address the gaps found in the

literature. Addressing these gaps will further contribute to the body of the literature on employee

motivation.
 Factors to Motivate Protection against Cyber Attacks across Organizations  

References

Alabdan, R. (2020). Phishing Attacks Survey: Types, Vectors, and Technical Approaches.

Future Internet, 12(10), 168. https://doi.org/10.3390/fi12100168

Alassaf, M., & Alkhalifah, A. (2021). Exploring the Influence of Direct and Indirect Factors on

Information Security Policy Compliance: A Systematic Literature Review. IEEE Access, 9,

162687–162705. https://doi.org/10.1109/ACCESS.2021.3132574

Ali, R. F., Dominic, P. D. D., Ali, S. E. A., Rehman, M., & Sohail, A. (2021). Information

Security Behavior and Information Security Policy Compliance: A Systematic Literature

Review for Identifying the Transformation Process from Noncompliance to Compliance.

Applied Sciences, 11(8), 3383. https://doi.org/10.3390/app11083383

Alqahtani, H., & Kavakli-Thorne, M. (2020). Design and Evaluation of an Augmented Reality

Game for Cybersecurity Awareness (CybAR). Information, 11(2), 121.

https://doi.org/10.3390/info11020121

Alzahrani, L. (2021). Factors Impacting Users’ Compliance with Information Security Policies:

An Empirical Study. International Journal of Advanced Computer Science and

Applications, 12. https://doi.org/10.14569/IJACSA.2021.0121049

Ameen, N., Tarhini, A., Hussain Shah, M., & Madichie, N. O. (2020). Employees’ behavioural

intention to smartphone security: A gender-based, cross-national study. Computers in

Human Behavior, 104, 106184. https://doi.org/10.1016/j.chb.2019.106184

Andronache, A. (2021). Increasing Security Awarenesss Through Lenses of Cybersecurity

Culture. 15.
 Factors to Motivate Protection against Cyber Attacks across Organizations  

Ansari, M. (2022). A Quantitative Study of Risk Scores and the Effectiveness of AI-Based

Cybersecurity Awareness Training Programs. International Journal of Smart Sensor and

Adhoc Network., 1–8. https://doi.org/10.47893/IJSSAN.2022.1212

Bhuyan, S. S., Kabir, U. Y., Escareno, J. M., Ector, K., Palakodeti, S., Wyant, D., Kumar, S.,

Levy, M., Kedia, S., Dasgupta, D., & Dobalian, A. (2020). Transforming Healthcare

Cybersecurity from Reactive to Proactive: Current Status and Future Recommendations.

Journal of Medical Systems, 44(5), 98. https://doi.org/10.1007/s10916-019-1507-y

Bisma, R., Winarto, S. R., & Puspita, Y. C. (2021). Investigating Cyber Security Factors

Influencing The Perception Behavioral Intention of Small and Medium Enterprise. 2021

Fourth International Conference on Vocational Education and Electrical Engineering

(ICVEE), 1–7. https://doi.org/10.1109/ICVEE54186.2021.9649719

Boerman, S. C., Kruikemeier, S., & Zuiderveen Borgesius, F. J. (2021). Exploring Motivations

for Online Privacy Protection Behavior: Insights From Panel Data. Communication

Research, 48(7), 953–977. https://doi.org/10.1177/0093650218800915

Boss, S. R., Galletta, D. F., University of Pittsburgh, Lowry, P. B., City University of Hong

Kong, Moody, G. D., University of Nevada, Las Vegas, Polak, P., & Florida International

University. (2015). What Do Systems Users Have to Fear? Using Fear Appeals to

Engender Threats and Fear that Motivate Protective Security Behaviors. MIS Quarterly,

39(4), 837–864. https://doi.org/10.25300/MISQ/2015/39.4.5

Choudhary, A., Choudhary, G., Pareek, K., Kunndra, C., Luthra, J., & Dragon, N. (2022).

Emerging Cyber Security Challenges after COVID Pandemic: A Survey. Journal of

Internet Services and Information Security, 12(2), 21–50.

https://doi.org/10.22667/JISIS.2022.05.31.021
 Factors to Motivate Protection against Cyber Attacks across Organizations  

Coventry, L., Branley-Bell, D., Sillence, E., Magalini, S., Mari, P., Magkanaraki, A., &

Anastasopoulou, K. (2020). Cyber-Risk in Healthcare: Exploring Facilitators and Barriers

to Secure Behaviour. In A. Moallem (Ed.), HCI for Cybersecurity, Privacy and Trust

(Vol. 12210, pp. 105–122). Springer International Publishing.

https://doi.org/10.1007/978-3-030-50309-3_8

Crossler, R., & Bélanger, F. (2014). An Extended Perspective on Individual Security Behaviors:

Protection Motivation Theory and a Unified Security Practices (USP) Instrument. ACM

SIGMIS Database: The DATABASE for Advances in Information Systems, 45(4), 51–71.

https://doi.org/10.1145/2691517.2691521

De Kimpe, L., Walrave, M., Verdegem, P., & Ponnet, K. (2022). What we think we know about

cybersecurity: An investigation of the relationship between perceived knowledge, internet

trust, and protection motivation in a cybercrime context. Behaviour & Information

Technology, 41(8), 1796–1808. https://doi.org/10.1080/0144929X.2021.1905066

Ejigu, K., Siponen, M., & Muluneh, T. (n.d.). Influence of Organizational Culture on Employees

Information Security Policy Compliance in Ethiopian Companies. 11.

Etuh, E., S. Bakpo, F., & A.H, E. (2021). Social Media Network Attacks and their Preventive

Mechanisms: A Review. Computing Advances & Trends, 59–74.

https://doi.org/10.5121/csit.2021.112405

Fischer-Preßler, D., Bonaretti, D., & Fischbach, K. (2022). A Protection-Motivation Perspective

to Explain Intention to Use and Continue to Use Mobile Warning Systems. Business &

Information Systems Engineering, 64(2), 167–182. https://doi.org/10.1007/s12599-021-

00704-0
 Factors to Motivate Protection against Cyber Attacks across Organizations  

Floyd, D. L., Prentice-Dunn, S., & Rogers, R. W. (2000). A Meta-Analysis of Research on

Protection Motivation Theory. Journal of Applied Social Psychology, 30(2), 407–429.

https://doi.org/10.1111/j.1559-1816.2000.tb02323.x

Gabel, M., Foege, J. N., & Nã, S. (n.d.). Privacy Awareness under Scrutiny: Field Experimental

Evidence on Health Data Protection in Underserved Communities. 18.

Hai Goh, C., & Ping Teoh, A. (2021). Determining Bring Your Own Device (Byod) Security

Policy Compliance Among Malaysian Teleworkers: Perceived Cybersecurity Governance

as Moderator. 2021 IEEE 5th International Conference on Information Technology,

Information Systems and Electrical Engineering (ICITISEE), 305–310.

https://doi.org/10.1109/ICITISEE53823.2021.9655895

Hassandoust, F., & Techatassanasoontorn, A. A. (2020). Understanding users’ information

security awareness and intentions. In Cyber Influence and Cognitive Threats (pp. 129–

143). Elsevier. https://doi.org/10.1016/B978-0-12-819204-7.00007-5

Hijji, M., & Alam, G. (2021). A Multivocal Literature Review on Growing Social Engineering

Based Cyber-Attacks/Threats During the COVID-19 Pandemic: Challenges and

Prospective Solutions. IEEE Access, 9, 7152–7169.

https://doi.org/10.1109/ACCESS.2020.3048839

Humaidi, N., & Abdallah Alghazo, S. H. (2022). Procedural Information Security

Countermeasure Awareness and Cybersecurity Protection Motivation in Enhancing

Employee’s Cybersecurity Protective Behaviour. 2022 10th International Symposium on

Digital Forensics and Security (ISDFS), 1–10.

https://doi.org/10.1109/ISDFS55398.2022.9800834
 Factors to Motivate Protection against Cyber Attacks across Organizations  

Jalali, M. S., Bruckes, M., Westmattelmann, D., & Schewe, G. (2020). Why Employees (Still)

Click on Phishing Links: An Investigation in Hospitals. Journal of Medical Internet

Research, 22(1), e16775. https://doi.org/10.2196/16775

Kalhoro, S., Rehman, M., Ponnusamy, V., & Shaikh, F. B. (2021). Extracting Key Factors of

Cyber Hygiene Behaviour Among Software Engineers: A Systematic Literature Review.

IEEE Access, 9, 99339–99363. https://doi.org/10.1109/ACCESS.2021.3097144

Lee, D., Michaelides, N., & Lallie, H. (2022). The Impact of an Employee’s Psychological

Contract Breach on Compliance with Information Security Policies: Intrinsic and

Extrinsic Motivation [Preprint]. In Review. https://doi.org/10.21203/rs.3.rs-1447260/v1

Li, L., He, W., Xu, L., Ash, I., Anwar, M., & Yuan, X. (2019). Investigating the impact of

cybersecurity policy awareness on employees’ cybersecurity behavior. International

Journal of Information Management, 45, 13–24.

https://doi.org/10.1016/j.ijinfomgt.2018.10.017

Li, L., Xu, L., & He, W. (2022). The effects of antecedents and mediating factors on

cybersecurity protection behavior. Computers in Human Behavior Reports, 5, 100165.

https://doi.org/10.1016/j.chbr.2021.100165

Lie, L. B., Utomo, P., & Winarno, P. M. (2021). Investigating the Impact of Cybersecurity

Culture on Employees’ Cybersecurity Protection Behaviours: A Conceptual Paper.

Conference Series, 3(2), 295–305. https://doi.org/10.34306/conferenceseries.v3i2.598

Maddux, J. E., & Rogers, R. W. (1983). Protection motivation and self-efficacy: A revised

theory of fear appeals and attitude change. Journal of Experimental Social Psychology,

19(5), 469–479. https://doi.org/10.1016/0022-1031(83)90023-9

 Factors to Motivate Protection against Cyber Attacks across Organizations  

Mat, N. K. N., Sulaiman, Y., Perumal, S., & Ghazi, W. (2021). The Predictors of Cybersecurity

Behavior in E-Hailing Services: The Mediating Role of Perceived Threat. 27, 15.

Md Haris Uddin Sharif & Mehmood Ali Mohammed. (2022). A literature review of financial

losses statistics for cyber security and future trend. World Journal of Advanced Research

and Reviews, 15(1), 138–156. https://doi.org/10.30574/wjarr.2022.15.1.0573

Menard, P., Bott, G. J., & Crossler, R. E. (2017). User Motivations in Protecting Information

Security: Protection Motivation Theory Versus Self-Determination Theory. Journal of

Management Information Systems, 34(4), 1203–1230.

https://doi.org/10.1080/07421222.2017.1394083

Milne, S., Sheeran, P., & Orbell, S. (2000). Prediction and Intervention in Health-Related

Behavior: A Meta-Analytic Review of Protection Motivation Theory. Journal of Applied

Social Psychology, 30(1), 106–143. https://doi.org/10.1111/j.1559-1816.2000.tb02308.x

Mou, J., Pusan National University, Republic of Korea, Cohen, J., University of the

Witwatersrand, South Africa, Bhattacherjee, A., University of South Florida, USA, Kim,

J., & Pusan National University, Republic of Korea. (2022). A Test of Protection

Motivation Theory in the Information Security Literature: A Meta-Analytic Structural

Equation Modeling Approach in Search Advertising. Journal of the Association for

Information Systems, 23(1), 196–236. https://doi.org/10.17705/1jais.00723

Mwagwabi, F., & Jiow, J. H. (2021). Compliance with security guidelines in teenagers:

Australasian Journal of Information Systems, 25. https://doi.org/10.3127/ajis.v25i0.2953

Ng, K. C., Zhang, X., Thong, J. Y. L., & Tam, K. Y. (2021). Protecting Against Threats to

Information Security: An Attitudinal Ambivalence Perspective. Journal of Management

Information Systems, 38(3), 732–764. https://doi.org/10.1080/07421222.2021.1962601

 Factors to Motivate Protection against Cyber Attacks across Organizations  

Onumo, A., Ullah-Awan, I., & Cullen, A. (2021). Assessing the Moderating Effect of Security

Technologies on Employees Compliance with Cybersecurity Control Procedures. ACM

Transactions on Management Information Systems, 12(2), 1–29.

https://doi.org/10.1145/3424282

Prange, S., Thiem, N., Fröhlich, M., & Alt, F. (2022). “Secure settings are quick and easy!” –

Motivating End-Users to Choose Secure Smart Home Configurations. Proceedings of the

2022 International Conference on Advanced Visual Interfaces, 1–9.

https://doi.org/10.1145/3531073.3531089

Raddatz, N., Coyne, J., & Trinkle, B. (2019). Internal Motivators for the Protection of

Organizational Data. Journal of Information Systems, 34. https://doi.org/10.2308/isys-18-

067

Rogers, R. W. (1975). A Protection Motivation Theory of Fear Appeals and Attitude Change1.

The Journal of Psychology, 91(1), 93–114.

https://doi.org/10.1080/00223980.1975.9915803

Salem, Y., Moreb, M., & Rabayah, K. S. (2021). Evaluation of Information Security Awareness

among Palestinian Learners. 2021 International Conference on Information Technology

(ICIT), 21–26. https://doi.org/10.1109/ICIT52682.2021.9491639

Saravanan, A., & Bama, S. S. (2019). A Review on Cyber Security and the Fifth Generation

Cyberattacks. Oriental Journal of Computer Science and Technology, 12(2), 50–56.

https://doi.org/10.13005/ojcst12.02.04

Seddon, J. (2022). The application of psychological behaviour change strategies to

cybersecurity awareness training. https://doi.org/10.13140/RG.2.2.30850.20161

 Factors to Motivate Protection against Cyber Attacks across Organizations  

Sharma, S., & Aparicio, E. (2022). Organizational and team culture as antecedents of protection

motivation among IT employees. Computers & Security, 120, 102774.

https://doi.org/10.1016/j.cose.2022.102774

Siddiqi, M. A., Pak, W., & Siddiqi, M. A. (2022). A Study on the Psychology of Social

Engineering-Based Cyberattacks and Existing Countermeasures. Applied Sciences,

12(12), 6042. https://doi.org/10.3390/app12126042

Sulaiman, N. S., Fauzi, M. A., Wider, W., Rajadurai, J., Hussain, S., & Harun, S. A. (2022).

Cyber–Information Security Compliance and Violation Behaviour in Organisations: A

Systematic Review. Social Sciences, 11(9), 386. https://doi.org/10.3390/socsci11090386

Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: Insights from

Habit and Protection Motivation Theory. Information & Management, 49(3–4), 190–198.

https://doi.org/10.1016/j.im.2012.04.002

Verma, A., & Shri, C. (2022). Cyber Security: A Review of Cyber Crimes, Security Challenges

and Measures to Control. Vision: The Journal of Business Perspective,

097226292210747. https://doi.org/10.1177/09722629221074760

Vrhovec, S., & Mihelič, A. (2021). Redefining threat appraisals of organizational insiders and

exploring the moderating role of fear in cyberattack protection motivation. Computers &

Security, 106, 102309. https://doi.org/10.1016/j.cose.2021.102309