WHAT INFLUENCES INFORMATION SECURITY BEHAVIOR? A STUDY WITH BRAZILIAN USERS

The popularization of software to mitigate Information Security threats can produce an exaggerated notion about its full effectiveness in the elimination of any threat. This situation can result reckless users behavior, increasing vulnerability. Based on behavioral theories, a theoretical model and hypotheses were developed to understand the extent to which human perception of threat, control and disgruntlement can induce responsible behavior. A self-administered questionnaire was created and validated. The data were collected in Brazil


INTRODUCTION
The popularization of software intended to mitigate threats to Information Security has given users a sensation that software and hardware are enough to reduce Information Security breaches and suppress threats.This mistaken sensation may have originated from obtaining partial information on the subject or from the lack of adequate awareness (Liang and Xue, 2009) and also negligence, apathy, mischief, and resistance (Safa, Von Solms and Furnell, 2015), This is a human factor that might increase vulnerabilities provided it could influence Information Systems (IS) users to behave recklessly (Liginlal, Sim and Khansa, 2009).Human aspects of information security remain a critical and challenging component of a safe and secure information environment However, this misconception alone does not explain breaches in Information Security caused by human factors.Another important insight is the efforts perceived as necessary to achieve the responsible behavior, which added to aspects such as indifference to the guidelines and human error may also induce vulnerability and breaches.Information Security refers to the protection of organizational assets from loss, undue exposure and damage (Dazazi et al., 2009).This concern has been gaining ground and popularity in recent decades due to IT artifacts that have gradually enabled the generation, processing and ubiquity of unprecedented information and have also fostered the possibility of threats (King and Raja, 2012).This article investigates the impact of user behavior on Information Security vulnerabilities.The study is grounded in user perceptions related to threats, control, and the effort to behave responsibly.Vance, Siponen and Pahnila (2012) conceptualize the vulnerability as the probability of an unwanted incident occurring if no measures are taken to prevent it.Roratto and Dias (2014) define vulnerability as a weakness in the computer system or its surroundings, which can become a security risk.
According to Kjell (2015), the organizations choose optimal defense, which is costly and consists in investing in Information Technology Security to protect their assets.Simultaneously, hackers collect information in various manners, and attempt to gain access to organizations' information security breaches, collected by the organizations themselves.Albrechtsen and Hovden (2009) consider the users to be a liability when they do not possess the necessary skills and knowledge, thereby causing the reckless use of network connections and information or practicing unsafe acts within the organization.User perceptions may be enhanced through Security Education, Training, and Awareness (SETA) programs, which explain potential threats facing the organization and provide methods for users to improve information security practices (D'Arcy et al. 2009).
However the perception of threat is not the only thing that encourages responsible behavior provided the threat imminence perception varies from individual to individual.The effort required for responsible behavior and the relative perception of control in addition to the mitigating factors of responsible behavior that result from the context experienced by the individual are also based on individual perception.When threats are not perceived as eminent, the efforts to follow rules and best practices in Information Security may be considered unnecessary unproductive and merely a regulatory formality (Herath and Rao 2009a).In this circumstance the procedures that provide Information Security may be unsuccessful or circumvented depending on the individual perception about the balance of control/punishment and benefits.Furthermore, the disgruntlement of a user with organizations or people who set standards may produce actions that circumvent security either as a means of demonstrating their discontent (Willisom and Warkentin 2013) or simply through low motivation to comply with them (Kelloway et al. 2010).
Da Veiga and Eloff (2010) argue that the Information Security approach in an organization should be focused on employee behavior, provided that success or failure on protecting information depends on what employees do or don't do.So the way users behave may stem from perceptions about perceived threats, controls and punishments and about perceived effort as well as environmental factors such as work overload, fatigue (Kraemer and Carayon, 2007) and disgruntlement (Willison and Warkentin, 2013;Kelloway et al., 2010).These factors may contribute to behaviors that generate vulnerability and breaches, compromising all the Information Security principles and turning information into useless pieces of data due to their loss of reliability.
Based on the concepts addressed, this article aims to identify the influence of the user's perception of the threat, control, effort and disgruntlement in safe behavior regarding Information Security.
This introduction shows the subject, research problem and goal.The theoretical basis is presented in Section 2, followed by the research model and hypotheses (Section 3).The methodological aspects are presented in Section 4, followed by the results (Section 5) and the discussion of the findings (Section 6).

THEORETICAL BACKGROUND
According to Liang and Xue (2010) the perceived threat is defined by the degree in which an individual perceives a malicious IT attack as dangerous or harmful.IT users develop threat perception, monitoring their computing environment and detecting potential dangers.Based on health psychology and risk analysis, the authors suggest that the perception of threat is formed by perceived susceptibility and perceived severity.
Perceived susceptibility is defined by Liang and Xue (2010) as the subjective probability of an individual that a malicious IT attack (malware) will adversely affect it.On the other hand, the perceived severity is defined as the degree to which an individual perceives that adverse effects caused by malware will be severe.According to the authors, previous studies on health protection behavior have provided a theoretical and empirical foundation on careful behavior among patients, influenced by perceptions related to the threat, which can be adapted to Information Security.The authors argue that the perceived likelihood and the negative consequences of the severity of a disease may result in the perception of a health threat, which motivates people to take measures to protect their health.
The threat assessment may cover the perceived severity of a violation (Herath and Rao (2009a) or the perceived likelihood of a security breach (2009b).The severity is the level of potential impact the threat and damage may cause, i.e., the severity of a security breach and the possibility of an adverse event caused by such (Vance, Siponen and Pahnila, 2012).Herath and Rao (2009b) found that the perception of the severity of the breach does not impact on the compliance of regulations or security policies.In contrast, Workman, Bommer and Straub (2008) found that the perceived severity was significant for compliance, as well as the likelihood of a security breach.Johnston and Warkentin (2010) found indications that perceptions regarding the severity of a threat negatively influence the perceptions regarding the response effectiveness and also regarding the perceptions of the self-efficacy related to the threat.
Several authors have studied the perception of susceptibility.Ng, Kankanhalli and Xu (2009) have demonstrated that perceived susceptibility affects users' behavior regarding emails.According to the authors, when users are aware of the likelihood of threats (perceived susceptibility) and of the effectiveness of security controls (perceived benefits), they may make a conscious decision to behave appropriately.However, perceived severity was not decisive in influencing the users' safe behavior.The research of Johnston and Warkentin (2010) was not able to demonstrate that perceived susceptibility of threats negatively influences the perceived efficacy of response, or that the perceived susceptibility of threats negatively influences the perception of selfefficacy.However, they demonstrated that perceived severity of the threat negatively influences perceived efficacy of response and the perceptions of self-efficacy.
According to Herath and Rao (2009a), gaps are security breaches.Moreover employee negligence and non-compliance with the rules often causes damage to organizations.However the behavior of the users can help to reduce these gaps by following better practices, such as protecting data with suitable passwords or logging off when leaving the computer that is being used.Workman, Bommer and Straub (2008) show that perceived vulnerability and severity have an effect on users Information Security behavior.Herath and Rao (2009b) suggest that perceptions regarding the severity of the breaches, the effectiveness of the response and self-efficacy are likely to have a positive effect on attitudes towards security policies, whilst the cost of response negatively influences favorable attitudes.They also suggest that social influence has a significant impact on intentions to comply with Information Security policies.The availability of resources is a significant factor in the increase of self-efficacy, which in turn is important to predict the intention to comply with Information Security policies.Moreover, organizational commitment plays a dual role, having a direct impact on intentions, as well as on promoting the belief that the actions of employees have a global effect on the Information Security of an organization.
Despite the difference between the results, the consensus among researchers is that users assess the susceptibility and the severity of negative consequences in order to determine the threat they are facing.
Apart from the use of technologies that aim to guarantee the organizational Information Security these technologies are not enough to avoid gaps because Information Security cannot be defined or understood as a pure technical problem (Kearney and Kruger, 2016).Based on that, studies about the Information Security users' behavior are obtaining more attention (Herath e Rao 2009b).

MODEL AND HYPOTHESES
The model (Figure 1) was developed based on the theoretical background exposed previously.
According to Ng, Kankanhalli and Xu (2009), the risks and damages perception in Information Security and its possibility of occurrence depend on the measurement capacity of individuals.

Figure 1 -Theoretical model and hypotheses
It covers the perception of susceptibility to the threat and the severity of the threat, because when individuals perceive a greater susceptibility to security incidents, they are likely to exhibit a higher level of safe behavior.Based on these concepts, the following hypothesis was formulated: H1: The perceived susceptibility of the threat to Information Security positively influences safe behavior regarding Information Security.
Workman, Bommer and Straub (2008) found that the perceived severity was significant for compliance with Information Security Policy guidelines and for the likelihood of a security breach.For Liang and Xue (2009), the perceived severity is defined as the degree to which an individual perceives that negative consequences caused by malware will be severe.According to Ng, Kankanhalli and Xu (2009), when users are aware of the susceptibility and severity of the threats, they can make informed decisions to exercise adequate preventive behavior.Bearing these concepts in mind, the following hypothesis was formulated: H2: The perceived severity of the threat to Information Security positively influences safe behavior regarding Information Security.Herath and Rao (2009b), in their research on the effects of deterrence, found that the certainty of detection has a positive impact on the intentions to comply with the Security Policy guidelines.When employees perceive a high probability of being discovered violating the guidelines, they will be more likely to follow them.This concept produced the following hypothesis:

H3: The perception of the certainty of detection of not following the guidelines on Information Security positively influences safe behavior regarding Information Security.
Sanctions are defined as punishments, material or otherwise, incurred by an employee for failure to comply with information security policies (Bulgurcu, Cavusoglu and Benbasat, 2010).Examples of sanctions include demotions, loss of reputation, reprimands, financial or non-financial penalties, and unfavorable evaluations.The perception of these sanctions regarding non-compliance with the rules influences the user to behave responsibly, in accordance with the certainty of detection of noncompliance with the security standards, the severity and the swiftness of punishment (Herath andRao, 2009a and2009b).From the combination of these concepts the following hypothesis was formulated: H4: The perception of the Punishment Severity for not following the guidelines regarding Information Security positively influences safe behavior in terms of Information Security.
According to Liang and Xue, 2009, the safeguard effort refers to physical and cognitive efforts -such as time, money, inconvenience and understanding -necessary for the safeguarding action.These efforts tend to create behavioral barriers and reduce the motivation for Safe Behavior regarding Information Security, due to the cost-benefit analysis.The authors cite the example of people's behavior regarding their health, when comparing the costs and benefits of a particular healthy behavior before deciding to practice it.If the costs are considered high when compared to the benefits, people are not likely to adopt the behavior recommended by health professionals.Thus, the user's motivation to avoid any Information Security threat may be mitigated by the potential cost to safeguard (Liang and Xue, 2010).According to these concepts the following hypothesis was developed:

H5: The perception of effort to safeguard when following the Information Security guidelines negatively influences safe behavior related to Information Security.
There is the possibility of breaches occurring due to lack of motivation to follow the safety guidelines (Kelloway et al., 2010), disgruntlement with the organization or colleagues (Willison and Warkentin, 2013;Spector et al, 2006), or as a form of protest resulting from an unsatisfactory situation (Spector et al., 2006).According to this possibility the following hypothesis was formulated:

H6: Satisfaction with colleagues, superiors or organization positively influences Safe Behavior regarding Information Security.
The control variable presented on the theoretical model indicates that the data analysis will be performed on the sample of respondents who received verbal or written guidance on Information Security from the organization for which they worked at the data collection time.This selection allows us to obtain the perceptions of respondents who already have some insight into the threats such as the level of control and monitoring and the punishment for not following the guidelines received.It also allows the comparison of the results with the group of respondents who did not receive the same kind of guidance.

METHODOLOGY
The research used an exploratory approach by conducting a survey through a self-administered questionnaire for quantitative cross-sectional data collection.
The population of this survey was composed of Information Systems users in an organizational environment from organizations of any size, industry or field of activity.However, the respondents had to have received in writing or oral Information Security guidance, by the organization they worked for by the time they completed the questionnaire.The sampling process was not probabilistic for convenience (HAIR et al., 2005).
The survey instrument was developed from consolidated instruments on the subject, as shown in the Appendix.The instrument used a Likert type scale ranging across five categories, from 1 (strongly disagree) to 5 (strongly agree), based on the instruments used in the three original surveys used as a reference for the theoretical model.
During pre-tests, a set of previous validations was conducted in order to have a suitable measuring instrument.This is the recommendation of Malhotra (2009) when the instrument is formed by others previously used in other researches.
The first part of the instrument validation was carried out by face and content validation and involved a group of professors in MIS.As a result, some questions were amended in terms of their content and order.The most significant change was the alteration of the construct of Disgruntlement, originated in Willison and Warkentin (2013), which were reversed: after this step of validation it went on to validate the disgruntlement from the perspective of the lack of contentment.
The validation of the instrument was performed by applying the instrument to a sample of 229 Brazilian IT users (non-probability sample for convenience).After the exclusion of incomplete questionnaires, 216 valid respondents remained.However, after applying the filter keeping only those respondents who received some guidance on Information Security, 135 respondents remained valid in the pre-test sample.
After the adaptation of the questionnaire, data collection was conducted through a printed form and simultaneously through an electronic survey in order to increase the amount of respondents.A number of 171 valid questionnaires were obtained (completely filled in and without errors).Among them, 112 received some Information Security guidance and with work experience from 1 to 30 years.This sample was used in the final data analysis.When considering 112 respondents and 15 questions in the final data analysis, the rate of respondents per question was 7.46, which is higher than the rate of five recommended by Malhotra (2009).As indicated by Hair et al. (2011) the T-Test was conducted to ascertain whether there were differences between the responses of the samples collected on paper compared to the responses obtained from the online survey, which did not occur.
All the analyses were performed using the SPSS Statistics version 20 software.

RESULTS
In order to validate the reliability of the survey instrument in the pre-test phase, Cronbach's alpha was used.At this stage of validation, a multivariate analysis was also performed in order to verify the structure of the factors that make up the scales.In order to do this, a principal component analysis with varimax rotation was used, following the recommendations of Hair et al. (2009).
The research sample (final collection) consisted of 112 respondents.Figure 2 shows respondents education profile.

Figure 3 -Respondents' Gender and Work Experience
The normality of the collected data was verified with the Descriptive Univariate Analysis.Verification of normality was performed through the analysis of symmetry and of kurtosis.
The reliability of the scales was assessed by Cronbach's Alpha coefficient.A Cronbach's Alpha of 0.767 was obtained for the set of all 15 mandatory variables, which measured the constructs of the models.Cronbach alphas for each construct are shown in Table 1 The optional questions of the variables obtained a low coefficient of Cronbach's Alpha due to the low number of respondents who answered these questions (N=35).Thus the construct Effort in Safeguarding and respective variables (based on LIANG and XUE 2010) were not used in the survey resulting in the absence of support for the H5 hypothesis.Other statistical indicators were also taken into account in that decision, such as the difference in the T-Test and the lack of convergence for the respective factor in the Convergent Factor Analysis, shown in Table 2

Table 2 -Convergent Factor Analysis
In order to increase the consistency and the potential to generalize the results,, a Convergent Factor Analysis was conducted.The dependent factor in the theoretical model (BEH) was obtained from three dependent variables (BEH1, BEH2 and BEH3).The five independent factors that were obtained by Factor Analysis from the independent variables explained 79.371% of the variance.
During the Factor Analysis, the Kaiser-Meyer-Olkin index (KMO) was verified.The index obtained was 0.677 for the independent constructs and 0.646 for the dependent constructs, and the sphericity test indicates that the result is valid (p<0.001).In the Convergent Factor Analysis, the commonalities showed satisfactory results.The commonalities were extracted by the Principal Component Analysis method, with no variable indicating a rate below 0.5.

The multicollinearity was verified by calculating values of tolerance and the Variance Inflation Factor (VIF).
In the analysis of the scatter plots, there was symmetrical dispersion of data values, indicating that there was homoscedasticity.Linearity was assessed by inspection of the bivariate scatter plots.All dimensions of the model studied showed linear relationships with no curvilinear relationships emerging (quadratic or cubic).
In order to confirm the relationship between the constructs from the factors of the Factor Analysis, a Multiple Linear Regression Analysis was conducted between the independent factors and the dependent factor and was used to predict the Safe Behavior from the Susceptibility to the Threat, Severity of the Threat, Certainty of Detection, Punishment Severity and Disgruntlement.
The squared correlation coefficient obtained by the final theoretical research model (R2) was 0.413, indicating that the constructs (factors) measured by the final model explained 41.3% of the Safe Behavior of the respondent users of this survey.
The research by Herath and Rao (2009a), which was used as the source for the questions regarding the constructs of the Certainty of Detection and Punishment Severity, reached a very close R2 (0.42).For Hair et al. (2011), a correlation coefficient that is in the value range of ±0.41 to ±0.7 has a force of moderate association.
The standardized Beta regression coefficients are presented, indicating the impact of the association between the dependent and the independent variable, and reflect the importance of the independent variable on the dependent (HAIR et al., 2011).The summary of the supported or unsupported associations that support the hypotheses set out in the final research model, which is shown in Figure 4.The Variance Inflation Factor obtained was 1.0 indicating that there is no multicollinearity (HAIR et al., 2011).

Figure 4 -Linear regression of the final model
The dashed line indicates the unsupported hypothesis and the solid lines indicate the supported hypothesis, in which the association rate between the independent variable and the dependent variable provides support to the hypothesis.The asterisks indicate statistical significance.
The results show that perceptions of Susceptibility to the Threat, Severity of the Threat and Satisfaction are determinants of Safe Behavior when it comes to care about malware in emails, providing support to hypotheses H1, H2, H6 and partially to hypothesis H3.They also show that the main effects of the perceived Punishment Severity are not significant, without providing support to the H4 hypothesis in this research.
Regarding the H5 hypothesis according to Herath and Rao (2009a) Information Security causes a greater number of procedures and tasks to be performed.As a result, a greater potential effort to carry out the additional actions may be mistakenly perceived as an unintentional hindrance, which may compromise the users' actions for the sake of safe behavior.It was not possible to determine the perception of Effort in Safeguard in this study (based on the questions of Liang and Xue, 2009) because they are optional and are based on obtaining antispyware.In the opinion of the majority of respondents (72%), antispyware software was already installed and did not need be obtained, making it impossible to measure and consequently support the H5 hypothesis.
Yet, the correlations of Certainty of Detection and Punishment Severity (hypotheses H3 and H4) with the Safe Behavior are smaller than in the research arising from these constructs (HERATH and RAO 2009a).This may indicate that the respondents did not consider, in the context of this research, the Certainty of Detection and especially the Punishment Severity as strong inducing factors to Safe Behavior.However there may be contingency effects, i.e., the effect of these factors in isolation may not be effective in indicating the practice of Safe Behavior, but the combination of these factors can lead to Information Security Safe Behavior.In other words, the Punishment Severity did not appear to be significant in its own right, but may operate alongside other factors in order to predict Information Security Safe in future researches.On the other hand, the low perception of the Certainty of Detection is consistent with the low perception of the Punishment Severity, because the users who do not believe that will be discovered, contrary to the Information Security guidelines, might consider that they will not be punished.
The H6 hypothesis on disgruntlement with the organization, colleagues and superiors, which after survey instrument face and content validation evaluates satisfaction, had a significant effect with an important role in influencing Safe Behavior.This was the most significant factor in predicting the Safe Behavior in the context of this research.
The results also indicate that the Information Security guidance of users is significant in determining the Safe Behavior.During the linear regression it became apparent that guidance is an important control variable influencing the correlation coefficient.When conducting the linear regression of the model factors with all 171 respondents and disregarding the Information Security guidance filter, the correlations obtained lower values (R2: 0.242).This may indicate that organizational efforts, such as awareness programs, are significant in triggering Safe Behavior.However, this does not exclude other forms of stimuli for this behavior, such as individual experience or other forms of external communications to the organization, which are not measured by this research.
Thus, the results demonstrate the importance of Information Security periodic guidance, focusing particularly on the security of the organization's information assets.The disclosure of deterrence measures, with emphasis on the monitoring carried out by the organization, and examples of rebukes for inadequate behavior should also be considered in the context of this awareness (SIPONEN and VANCE 2010).
The awareness programs should train users on the objectives and security controls (technical, physical or normative), enabling users to understand the benefits of the controls and how to reduce the risk of security threats.According to Ng, Kankanhalli and Xu (2009), when users are aware of the susceptibility to and the severity of the threats, they can make informed decisions to exercise adequate preventive behavior.Thus, awareness guidelines need to be developed to highlight the Severity of the Threat and the Susceptibility of the Threat and should focus on educating users about the possibility of and the damage caused by threats.This can enable the user to understand the need for security, their role and their responsibility in protecting organizational data and other information assets.

FINAL REMARKS
This research revealed factors influencing the Safe Behavior regarding e-mail by applying a theoretical model that combined three surveys from Information Security field.The result was a new instrument, which used large, solid and repeated validation methods, hereinafter enabling the use in new application contexts and likewise in new explanatory or descriptive research.
Academically, this study contributes to understand a user's Computer Safe Behavior in an organizational context and made it possible to combine concepts from several behavioral theories.In particular, the construct of satisfaction is new to the field of Information Security and even more unusual in quantitative research in this area.Another contribution of this study is to research Brazilian users.In this country, studies on users' behavior are still far behind compared to foreign researches.Brazilian studies on Information Security are mainly focused on technical aspects, making it important to identify the local context peculiarities.As an example, Brazilian users do not show consistent privacy concerns (Britto-da-Silva, Luciano e Magnagnagno, 2015), which goes against international studies tendencies and arises concerns how far Brazilian users are from behavioral Information Security issues.
The study undertaken provides a range of managerial implications applicable to organizations that provide Information Security training and guidance.Nevertheless it addresses some more comprehensive points, which should be considered by organizations in search of greater security.The role of the lack of guidance in Information Security is highlighted and accordingly a warning is released about the risk of a lack of guidance.It also covers implications for professionals who prepare Information Security guidelines or awareness programs.In particular, the importance of Perceived Severity and Perceived Susceptibility should be highlighted in the formulation of the content of Information Security awareness guidelines within organizations.Users' disgruntlement with the organization, colleagues or superiors is a factor to be considered in the awareness programs.
According to Bulgurcu, Cavusoglu and Benbasat (2010), the strengthening of Information Security depends on employees complying with the Information Security guidelines -rules and regulations, which should be formulated according to the organizational needs (Albuquerque Junior & Santos, 2015).For Puhakainen and Siponen (2010), employees who do not comply with the Information Security policy guidelines are a serious risk to their companies.The serious consequences of breaches and vulnerabilities in Information Security and their implications for the employees and for the organization should be emphasized in the security guidelines, permitting employees to understand the gravity and serving as a driving force to practice Safe Behavior.According to Ng, Kankanhalli and Xu (2009), the security guidelines provided to employees can be even more effective when the possibility and severity of the damage to the organization information assets are explained.By emphasizing the gravity of security incidents, employees will be motivated to practice appropriate guideline behavior, provided they are not disgruntled with the organization, superiors or colleagues (WILLISON and WARKENTIN 2013).
The results show that employee behavior plays an important role in avoiding vulnerabilities and breaches in Information Security and this requires more research to study the factors that influence the decision of the individual to practice Information Security Safe Behavior.
In this study, only the practice of Information Security regarding emails was measured, which limits the generalization of the results to other practices, such as lack of software updates, access to suspicious hyperlinks, password loans or the use of weak passwords, among others.Future studies on other security practices can help uncover the common causal relationships that can strengthen a Safe Behavior or cause breaches and vulnerabilities in Information Security.It would also be useful to compare the results of those respondents who did not have previous malware incidents with those who already have.

Figure 2 -
Figure 2 -Respondents Gender and Education Profiles
* Rotation converged in 5 iterations; Extraction Method: Principal Components Analysis; Rotation Method: Varimax with Kaiser Normalization