To Report or Not to Report? Exploring Protection Motivation Theory to Understand Decision-Making of Cybersecurity Researchers Who Discover Vulnerabilities
Andy Green, Dejarvis Oliver, and Amy Woszczynski
Coles Research Symposium on Homeland Security, Special Issue, SIFALL23-06, October 2023
OVERVIEW
Protection Motivation Theory (PMT) has been applied to the information security context to understand why and how people make decisions when faced with a risky situation. While PMT has been studied in the personal and work contexts, using fear appeals and positive rewards to encourage employees to adopt pro-security behaviors, no studies to date have reviewed the decision-making process for the cybersecurity researcher who discovers a vulnerability and is faced with the choice to report to the organization or not. Using Qualtrics, we surveyed 196 US-based respondents who reported at least one vulnerability in the last 24 months. We found that beliefs related to response- and self-efficacy had significant influence on protection motivation intentions, while response costs, threat appraisals, threat severity, and fear did not. We recommend forming clear, well-publicized vulnerability disclosure policies to encourage robust reporting processes and support growing relationships between cybersecurity researchers and organizations.