Eyes wide open: The role of situational information security awareness for security-related behaviour

Most contemporary studies on information security focus on largely static phenomena in examining security-related behaviours. We take a more dynamic, situational and interactionist approach that proposes that security-related behaviours result from an interaction between the person and the perception of a threatening situation. We derive and define situational information security awareness based on situation awareness literature, and examine how individual-level (innate traits, experience) and system-level factors (design variations, warning signal) influence awareness, and how it influences subsequent threat and coping appraisals, and ultimately security-related behaviours in a multi-method phishing experiment including eye tracking and survey components with 107 employees. The results underscore the importance of situational information security awareness and show that past experience with phishing and a security warning increase awareness, while phishing emails' contextual relevance and misplaced salience decrease awareness. Situational information security awareness, in turn, increases perceived threat and perceived coping efficacy and, ultimately, actual behavioural responses to phishing attacks.

Automated summary

The study suggests that security-related behaviors are influenced by interactions between individuals and their perceptions of threatening situations. Past experience with phishing and security warnings increase awareness, while contextual relevance and misplaced salience of phishing emails decrease awareness.