Asia pacific journal of information systems

The Korea Society of Management Information Systems (한국경영정보학회)
권호 표지
DOI QR코드

DOI QR Code

Affective Response to Feelings of Password Fatigue by Password Change Requirements

  • Received : 2023.01.11
  • Accepted : 2023.05.24
  • Published : 2023.09.30
Download PDF
⟨ Previous Next ⟩

Abstract

While prior work has conducted individuals' password security behavior, there is a relatively neglect to examine individuals' affect and feelings of password fatigue in password change context. Therefore, this study explicated individuals' affective response to the feelings of password fatigue by drawing on several theoretical lens. Survey data collected from 267 users were used to test the model using partial least square analysis. This study found that feelings of password fatigue positively affected the negative password fatigue-induced affect, and also both the feelings of password fatigue and the negative password fatigue-induced affect were negatively related to attitude toward changing passwords, which in turn, leads to the intention to change passwords. Furthermore, this study found that shadow work recognition negatively moderated the relationship between attitude and behavioral intention. This study could offer a new theoretical perspective to understand an individual's security behavior and provide empirical evidences for practitioners in charge of IT security in organizations.

Keywords

Acknowledgement

This work was supported by the Ministry of Education of the Republic of Korea and the National Research Foundation of Korea (NRF-2021S1A3A2A02089809).

References

  1. Ackerman, P. L, and Kanfer, R. (2009). Test length and cognitive fatigue: An empirical examination of effects on performance and test-taker reactions. Journal of Experimental Psychology: Applied, 15(2), 163-181. https://doi.org/10.1037/a0015719
  2. Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179-211. https://doi.org/10.1016/0749-5978(91)90020-T
  3. Ajzen, I., and Fishbein, M. (2000). Attitudes and the attitude-behavior relation: Reasoned and automatic processes. European Review of Social Psychology, 11(1), 1-33. https://doi.org/10.1080/14792779943000116
  4. Bagozzi, R. P. (1982). A field investigation of causal relations among cognitions, affect, intentions, and behavior. Journal of Marketing Research, 19(4), 562-584. https://doi.org/10.1177/002224378201900415
  5. Bethoux, F. (2006). Fatigue and multiple sclerosis. Annales de Readaptation et de Medecine Physique, 49(6), 355-360. https://doi.org/10.1016/j.annrmp.2006.04.022
  6. Brockner, J., and Higgins, E. T. (2001). Regulatory focus theory: Implications for the study of emotions at work. Organizational Behavior and Human Decision Processes, 86(1), 35-66. https://doi.org/10.1006/obhd.2001.2972
  7. Bryman, A. (2016). Social Research Methods. Oxford University Press.
  8. Bulgurcu, B., Cavusoglu, H., and Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-548. https://doi.org/10.2307/25750690
  9. Callegaro, M., Murakami, M. H., Tepman, Z., and Henderson, V. (2015). Yes-no answers versus check-all in sself-administered modes: A systematic review and analyses. International Journal of Market Research, 57(2), 203-224. https://doi.org/10.2501/IJMR-2015-014a
  10. Cameron, C. (1973). A theory of fatigue. Ergonomics, 16(5), 633-648. https://doi.org/10.1080/00140137308924554
  11. Chin, W. W. (1998). The Partial Least Squares Approach to Structural Equation Modeling. Mahwah, NJ:Lawrence Erlbaum.
  12. Cram, W. A., Proudfoot, J. G., and D'Arcy, J. (2021). When enough is enough: investigating the antecedents and consequences of information security fatigue. Information Systems Journal, 31(4), 521-549. https://doi.org/10.1111/isj.12319
  13. D'Arcy, J., and Lowry, P. B. (2019). Cognitive affective drivers of employees' daily compliance with information security policies: A multilevel, longitudinal study. Information Systems Journal, 29(1), 43-69. https://doi.org/10.1111/isj.12173
  14. D'Arcy, J., and The, P. L. (2019). Predicting employee information security policy compliance on a daily basis: the interplay of security-related stress, emotions, and neutralization. Information & Management, 56(7), 103-151. https://doi.org/10.1016/j.im.2019.02.006
  15. Derbaix, C. M. (1995). The impact of affective reactions on attitudes toward the advertisement and the brand: A step toward ecological validity. Journal of Marketing Research, 32(4), 470-479. https://doi.org/10. 1177/002224379503200409 https://doi.org/10.1177/002224379503200409
  16. Efron, B., and Tibshirani, R. (1993). An Introduction to The Bootstrap. New York: Chapman Hall.
  17. Feldman, B. L., and Russel, J. A. (1998). Independence and bipolarity in the structure of current affect. Journal of Personality and Social Psychology, 74(4), 967-984. https://doi.org/10.1037/0022-3514.74.4.967
  18. Forgas, J. P. (2008). Affect and cognition. Perspectives on Psychological Science, 3(2), 94-101. https://doi.org/10.1080/026999307 01437931
  19. Forgas, J. P. (1995). Mood and judgment: The affect infusion model (AIM). Psychological Bulletin, 117(1), 39-66. https://doi.org/10.1037/0033-2909.117.1.39
  20. Forgas, J. P., and George, J. M. (2001). Affective influences on judgments and behavior in organizations: An information processing perspective. Organizational Behavior and Human Decision Processes, 86(1), 3-34. https://doi.org/10.1006/obhd.2001.2971
  21. Fornell, C., and Larcker, D. F. (1981). Evaluating structural equation models with unobservable variables and measurement error. Journal of Marketing Research, 18(1), 39-50. https://doi.org/10.1177/002224378101800104
  22. Furnell, S., Khern-am-nuai, W., Esmael, R., Yang, W., and Li, N. (2018). Enhancing security behaviour by supporting the user. Computers & Security, 75(June), 1-9. https://doi.org/10.1016/j.cose.2018.01.016
  23. Furnell, S., and Thomson, K. L. (2009). Recognising and addressing 'security fatigue'. Computer Fraud & Security, 11(Novermber), 7-11. https://doi.org/10.1016/S1361-3723 (09)70139-3
  24. Greene, K. K, and Choong, Y. Y. (2017). Must I, can I? I don't understand your ambiguous password rules. Information & Computer Security, 25(1), 80-99. https://doi.org/10.1108/ICS-06-2016-0043
  25. Gulenko, I. (2014). Improving passwords: influence of emotions on security behaviour. Information Management & Computer Security, 22(2), 167-178. https://doi.org/10. 1108/IMCS-09-2013-0068 https://doi.org/10.1108/IMCS-09-2013-0068
  26. Hair, J. F., Anderson, R. E., Tatham R. L., and Black, W. C. (1998). Multivariate Data Analysis (5th ed.). Upper Saddle River, NJ: Prentice-Hall.
  27. Hair, J. F., Hollingsworth, C. L., Randolph, A. B., and Chong, A. Y. L. (2012). An assessment of the use of partial least squares structural equation modeling in marketing research. Journal of the Academy of Marketing Science, 40(3), 414-433. https://doi.org/10.1007/s11747-011-0261-6
  28. Hair, J. F., Sarstedt, M., Ringle, C. M., and Mena, J. A. (2012). An assessment of the use of partial least squares structural equation modeling in marketing research. Journal of the Academy of Marketing Science, 40(3), 414-433. https://doi.org/10.1007/s11747-011-0261-6
  29. Hartwig, K., and Reuter, C. (2022). Nudging users towards better security decisions in password creation using whitebox-based multidimensional visualisations. Behaviour & Information Technology, 41(7), 1357-1380. https://doi.org/10.1080/0144929X.2021.1876167
  30. Henseler, J., Ringle, C. M., and Sarstedt, M. (2015). A new criterion for assessing discriminant validity in variance-based structural equation modeling. Journal of the Academy of Marketing Science, 43(1), 115-135. https://doi.org/10.1007/s11747-014-0403-8
  31. Huber, F., Herrmann, A., Frederik, M., Vogel, J., and Vollhardt, K. (2008). Kausalmodellierung Mit Partial Least Squares: Eine Anwendungsorientierte Einfuhrung. Springer-Verlag.
  32. Ilies, R., Scott, B. A., and Judge, T. A. (2006). The interactive effects of personal traits and experienced states on intraindividual patterns of citizenship behavior. Academy of Management Journal, 49(3), 561-575. https://doi.org/10.5465/amj.2006.21794672
  33. Inzlicht, M., Schmeichel, B. J., and Macrae, C. N. (2014). Why self-control seems (but may not be) limited. Trends in Cognitive Sciences, 18(3), 127-133. https://doi.org/10.1016/j.tics.2013.12.009
  34. Illich, I. (1981). Shadow Work. Salem, New Hampshire and London: Marion Boyars.
  35. Judge, T. A., Scott, B. A., and Ilies, R. (2006). Hostility, job attitudes, and workplace deviance: Test of a multilevel model. Journal of Applied Psychology, 91(1), 126-138. https://doi.org/10.1037/0021-9010.91.1.126
  36. Kaleta, J. P, Lee, J. S., and Yoo, S. (2019). Nudging with construal level theory to improve online password use and intended password choice: A security-usability tradeoff perspective. Information Technology & People, 32(4), 993-1020. https://doi. org/10.1108/ITP-01-2018-0001
  37. Keith, M., Shao, B., and Steinbart, P. (2009). A behavioral analysis of passphrase design and effectiveness. Journal of the Association for Information Systems, 10(2), 63-89. https://doi.org/10.17705/1jais.00184
  38. Khern-am-nuai, W., Hashim, M. J., Pinsonneault, A., Yang, W., and Li, N. (2022). Augmenting password strength meter design using the elaboration likelihood model: evidence from randomized experiments. Information Systems Research, Articles in Advance, 1-21.
  39. Kim, J., and Kang, D. (2008). A study on the factors affecting the information systems security effectiveness of password. Asia Pacific Journal of Information Systems, 18(4), 1-26.
  40. Kluger, B. M, Krupp, L. B., and Enoka, R. M. (2013). Fatigue and fatigability in neurologic illnesses: Proposal for a unified taxonomy. Neurology, 80(4), 409-416. https://doi.org/10.1212/WNL.0b013e31827f07be
  41. Kock, N. (2015). Common method bias in pls-sem: a full collinearity assessment approach. International Journal of e-Collaboration, 11(4), 1-10. https://doi.org/10.4018/ijec.2015100101
  42. Lambert, C. (2015). Shadow Work: The Unpaid, Unseen Jobs That Fill Your Day. Catapult.
  43. Lee, Y., and Kozar, K. A. (2005). Investigating factors affecting the adoption of anti-spyware systems. Communications of the ACM, 48(8), 72-77. https://doi.org/10.1145/1076211.1076243
  44. Li, Y., Zhang, N., and Siponen, M. (2019). Keeping secure to the end: a long-term perspective to understand employees' consequence-delayed information security violation. Behaviour & Information Technology, 38(5), 435-453. https://doi.org/10.1080/0144929X.2018.1539519
  45. Lowry, P. B., Twyman, N. W., Pickard, M., and Jenkins, J. L. (2014). Proposing the affect-trust infusion model (ATIM) to explain and predict the influence of high and low affect infusion on web vendor trust. Information & Management, 51(5), 579-594. https://doi.org/10.1016/j.im.2014.03.005
  46. Martin, J., Knopoff, K., and Beckman, C. (1998). An alternative to bureaucratic impersonality and emotional labor: bounded emotionality at the body shop. Administrative Science Quarterly, 43(2), 429-469. https://doi.org/10.2307/2393858
  47. Merdenyan, B., and Petrie, H. (2022). Two studies of the perceptions of risk, benefits and likelihood of undertaking password management behaviours. Behaviour & Information Technology, Article in Advance.
  48. Mittal, V., and Ross W. T. (1998). The impact of positive and negative affect and issue framing on issue interpretation and risk taking. Organizational Behavior and Human Decision Processes, 76(3), 298-324. https://doi.org/10.1006/obhd.1998.2808
  49. Oreg, S., Bartunek, J. M., Lee, G., and Do, B. (2018). An affect-based model of recipients' responses to organizational change events. Academy of Management Review, 43(1), 65-86. https://doi.org/10.5465/amr.2014.0335
  50. Oreg, S., Vakola, M., and Armenakis, A. (2011). Change recipients' reactions to organizational change: A 60-year review of quantitative studies. The Journal of Applied Behavioral Science, 47(4), 461-524. https://doi.org/10.1177/0021886310396550
  51. Park, J., and Oh, C. G. (2016). Cognitive bias and information security research: Research trends and opportunities. Asia Pacific Journal of Information Systems, 26(2), 290-298. https://doi.org/10.14329/apjis.2016.26.2.290
  52. Renaud, K., Zimmermann, V., Schurmann, T., and Bohm, C. (2021). Exploring cybersecurity-related emotions and finding that they are challenging to measure. Humanities and Social Sciences Communications, 8(1), 1-17. https://doi.org/10.1057/s41599-021-00746-5
  53. Schaubroeck, J., and Jones, J. R. (2000). Antecedents of workplace emotional labor dimensions and moderators of their effects on physical symptoms. Journal of Organizational Behavior: The International Journal of Industrial, Occupational and Organizational Psychology and Behavior, 21(2), 163-183. https://doi.org/10.1002/(SICI)1099-1379 (200003)21:2<163::AID-JOB37>3.0.CO;2-L
  54. Seo, M. G., Barrett, L. F., and Bartunek, J. M. (2004). The role of affective experience in work motivation. Academy of Management Review, 29(3), 423-439. https://doi.org/10.2307/20159052
  55. Shen, J., Barbera, J., and Shapiro, C. M. (2006). Distinguishing sleepiness and fatigue: Focus on definition and measurement. Sleep Medicine Reviews, 10(1), 63-76. https://doi.org/10.1016/j.smrv.2005.05.004
  56. Slovic, P., Finucane, M. L., Peters, E., and MacGregor, D. G. (2004). Risk as analysis and risk as feelings: Some thoughts about affect, reason, risk, and rationality. Risk Analysis, 24(2), pp. 311-322. https://doi.org/10.1111/j.0272-4332.2004.00433.x
  57. Stanton, B., Theofanos, M. F., Prettyman, S. S., and Furman, S. (2016). Security fatigue. IT Professional, 18(5), 26-32. https://doi.org/10.1109/MITP.2016.84
  58. Stobert, E., and Biddle, R. (2014). The password life cycle: User behaviour in managing passwords. In Paper presented at the 10th symposium on usable privacy and security (SOUPS 2014).
  59. Tam, L., Glassman, M., and Vandenwauver, M. (2010). The psychology of password management: A tradeoff between security and convenience. Behaviour & Information Technology, 29(3), 233-244. https://doi.org/10.1080/01449290903121386
  60. Urbach, N., and Ahlemann, F. (2010). Structural equation modeling in information systems research using partial least squares. Journal of Information Technology Theory and Application, 11(2), 5-40.
  61. Venkatesh, V., Morris, M. G., Davis, G. B., and Davis, F. D. (2003). User acceptance of information technology: Toward a unified view. MIS Quarterly, 27(3), 425-478. https://doi.org/10.2307/30036540
  62. Wei, M., Golla, M., and Ur, B. (2018). The password doesn't fall far: How service influences password choice. Who Are You, 87, 108-112.
  63. Weiss, H. M., Nicholas, J., and Daus, C. (1993). Affective and Cognitive Influences on Job Satisfaction. San Francisco, CA: Society of Industrial and Organizational Psychology.
  64. Weiss, H. M., and Cropanzano, R. (1996). Affective events theory: A theoretical discussion of the structure, causes and consequences of affective experiences at Work. In B. M. Staw, & L. L. Cummings (Eds.), Research in Organizational Behavior: an Annual Series of Analytical Essays and Critical Reviews (pp. 1-74). Greenwich, CT: JAI Press.
  65. Weiss, H. M., Nicholas, J. P., and Daus, C. S. (1999). An examination of the joint effects of affective experiences and job beliefs on job satisfaction and variations in affective experiences over time. Organizational Behavior and Human Decision Processes, 78(1), 1-24. https://doi.org/10.1006/obhd.1999.2824
  66. Wetzels, M., Odekerken-Schroder, G., and van Oppen, C. (2009). Using PLS path modeling for assessing hierarchical construct models: Guidelines and empirical illustration. MIS Quarterly, 33(1), 177-195. https://doi.org/10.2307/20650284
  67. Woods, N., and Siponen, M., (2019). Improving password memorability, while not inconveniencing the user. International Journal of Human-Computer Studies, 128(6), 61-71. https://doi.org/10.1016/j.ijhcs.2019.02.003
  68. Yildirim, M, and Mackie, I. (2019). Encouraging users to improve password security and memorability. International Journal of Information Security, 18(6), 741-759. https://doi.org/10.1007/s10207-019-00429-y
  69. Zhang, P. (2013). The affective response model: a theoretical framework of affective concepts and their relationships in the ICT context. MIS Quarterly, 37(1), 247-274. https://doi.org/10.25300/MISQ/2013/37.1.11
  70. Zimmermann, V., and Gerber, N. (2020), The password is dead, long live the password: A laboratory study on user perceptions of authentication schemes. International Journal of Human-Computer Studies, 133(January), 26-44. https://doi.org/10.1016/j.ijhcs.2019.08.006
  71. Zviran, M., and Haga, W. J. (1999). Password security: An empirical study. Journal of Management Information Systems, 15(4), 161-185. https://doi.org/10.1080/07421222.1999.11518226