https://orcid.org/0009-0000-1189-7835
Abstract
Delay discounting is a behavioral process, which explains certain peculiarities of human decision-making when choices and their consequences are separated from each other in time. The concept has been used in psychology and behavioral economics to explain how individuals make suboptimal choices with undesirable individual and societal consequences. Existing research shows that individuals can be characterized by several discounting parameters (k) across contexts, capturing the rate at which future gains and losses decrease in value as seen from the present. This present paper investigates how the concept of delay discounting can be utilized to better understand human choices regarding the implementation of information security controls in organizational settings. The study relies on a validated psychometric instrument (MCQ-21) to collect gold-standard k parameters with monetary outcomes. Furthermore, two novel variants are developed to estimate individuals’ k parameters with outcomes specific to the information security context. Within the framework of a nonexperimental correlational research design, an online survey was distributed among the employees (|$n = 135$|) of three Norwegian organizations. Contrary to expectations, none of the k parameters provided predictive power as predictors of real-world behavior in organizational settings. Nevertheless, the same behaviors were predicted by an attitude-based measure with an accuracy (adjusted |$R^2=0.22$|), which is observed generally in the literature of behavior prediction using attitudes as predictors. This paper contributes the first results on assessing the effectiveness of delay discounting parameters for behavior prediction within the context of information security.
Introduction
The increasing sophistication of cyber threats poses significant challenges for organizations, which must safeguard their information assets against evolving risks. While technological measures are often prioritized in security strategies, human behavior remains the most vulnerable element. Research shows that employees can unintentionally or intentionally compromise organizational security [1–4]. Despite secure technical components, organizational vulnerability persists if users do not comply with policies. Security-related human decision-making is influenced by multiple factors, including attitudes, personality traits, and cognitive biases [5]. Delay discounting (DD), which describes the preference for smaller immediate rewards over large delayed rewards, is particularly relevant in this context as it impacts everyday decision-making [6,7]. Despite awareness of the risk, employees often delay implementing security measures or fail to comply with established protocols. This tendency persists even when they recognize that compliance reduces security risks [1–4]. Understanding how DD affects security-related decisions can provide insights into why employees struggle with compliance and how to design more effective interventions. This research paper investigates the extent to which discounting influences decision-making in information security (IS). The study aims to contribute to the growing body of knowledge by focusing on cognitive mechanisms affecting security practices.
DD captures how people make trade-offs between immediate and delayed benefits and/or costs. People—in general—tend to favor smaller instant rewards over larger delayed ones [6,7]. Delayed rewards are discounted by a factor that increases with the length of the delay [8–10]. The DD parameter denoted by k, quantifies the rate at which future rewards or losses are discounted when viewed from the present [10]. A higher value of k indicates higher impulsivity (i.e. higher degree of present bias). Empirical investigations have demonstrated that the choices of real-world decision-makers are best approximated by a hyperbolic function [6,11], shown in the following equation:
where V is the discounted present value of a delayed reward, A is the objective amount of the reward, k is an individual’s DD parameter, and D is the amount of delay until the receipt of the reward/loss. Unit of delay may be minutes, hours, days, months, or years, but it is important to note that the unit of delay impacts its value. If delays are expressed in days rather than months, k should be adjusted accordingly.
Figure 1 illustrates preference reversal [i.e. change of preference from a larger delayed reward (LDR) to a smaller immediate reward (SIR) with the passage of time]. The vertical axis specifies perceived utility (i.e. discounted present value of delayed rewards). The horizontal axis specifies calendar time when the subject is asked to state his perceived utility of SIR and LDR as a function of time, defining the subject’s utility functions.
The concept of hyperbolic DD: The vertical axis represents the discounted present value (perceived utility) of delayed rewards, the horizontal axis represents calendar time when the subject is asked to state his perceived utility of SIR and LDR as a function of time. Adapted from [12].
Notation is as follows:
|$V_{\rm SIR}(t), V_{\rm LDR}(t)$|: perceived utility of SIR and LDR, respectively at time t.
|$t_{\rm SIR}, t_{\rm LDR}$| : time when subject is to receive SIR and LDR, respectively. These times are constant, and told to the subject ahead.
|$t_A$|: time when the experiment starts.
|$t_B$|: time when preference reversal occurs.
The relative preference of SIR versus LDR is determined by checking the sign of |$V_{\rm LDR}(t) - V_{\rm SIR}(t)$|, when |$t_A \le t \le t_{\rm SIR}$|. Note that it is not meaningful to rank the preferences after |$t_{\rm SIR}$|, as this would be a time when SIR has already been given to the subject; thus, there is no longer a choice situation. We see that preference reversal occurs at time |$t_B$|. The relationship between the preference reversal graph and the hyperbolic discounting function above can then be expressed as follows:
|$V_{\rm LDR}(t) = A_{\rm LDR} / (1 + k * (t_{\rm LDR} - t)),$|
|$V_{\rm SIR}(t) =A_{\rm SIR} / (1 + k {\times} (t_{\rm SIR} - t)).$|
Problem statement and research questions
This study aims to address two main assumptions about individuals and IS: (i) they delay implementing security measures and (ii) they do not fully comply, even when aware that compliance reduces risk [13].
While DD has been successfully used in a variety of fields for explaining individual differences in choices [14], the concept has also generated mixed and often contradictory findings [15]. A review of the DD construct and its measures revealed that DD is highly context-dependent, meaning that people use different discounting parameters depending on the outcomes under consideration (e.g. money, health, etc.) [16]. Similarly, a systematic review of the literature found evidence for both state-like and trait-like characteristics of DD [15]. The key finding was that people use different discounting functions across different contexts or domains. Nevertheless, the concept has some degree of stability across contexts: People who discount at a high rate in one context tend to discount at a high rate in other contexts as well. These pieces of evidence necessitate the adaptation of existing instruments and the development of new ones to enable the accurate estimation of DD parameters within the context of IS for behavior prediction. Furthermore, instruments are lacking for the measurement of DD parameters in terms of losses within the context of IS, which represents a significant obstacle to the prediction of individuals’ choices in real-world settings. Based on these considerations, the following research questions (RQs) were formulated:
Research questions
RQ1: To what extent can individuals’ discounting parameter k derived from a validated instrument predict self-reported IS-related behaviors in real-world organizational settings?
RQ2: To what extent can two novel psychometric instruments operationalizing discounting parameter ks adapted to an IS context increase the original instrument’s predictive power?
RQ3: To what extent can individuals’ IS attitudes derived from a validated instrument predict self-reported IS-related behaviors in real-world organizational settings?
RQ4: What is the maximum accuracy for predicting self-reported IS-related behaviors in organizational settings using a combination of predictor variables based on demographics, DD and attitudes?
This paper is structured as follows: The “Related work” section presents existing results about DD in the context of IS. The “Methods” section presents the sample and instruments for data collection. The “Results” section presents the results of the analyses. The “Discussion” section discusses results in the context of existing knowledge, including limitations and future work. The “Conclusion” section provides conclusions of the study and supplementary materials are provided in a separate document.
Related work
Acquisti [17] highlights DD as a potential factor influencing rational decision-making when individuals make privacy-related choices. Even well-informed individuals often neglect security measures when present needs outweigh future concerns, leading to a disconnect between security attitudes and behaviors. In another study, Acquisti and Grossklags [18] investigate information disclosure during online purchases. They examine the role of discounting and its interplay with privacy concerns. Through experiments involving varied rewards, personal information requests, and requester reliability, they uncover that participants discount their personal information’s value. This prompts greater information sharing for smaller rewards, an effect amplified among those less privacy concerned. Notably, privacy concerns can override discounting, as participants aware of privacy risks resist sharing despite higher rewards.
Grossklags and Barradale [19] emphasize the economic evaluation underlying privacy decisions, where investing in security now prevents future breaches. Their work explores the impatience of individuals across different socioeconomic backgrounds, illuminating the gap between security attitudes and actions. Mishra and Lalumière [20] delve into the connection between DD, risk-related behaviors, and traits. They unveil context-dependent variations in individuals’ risk acceptance, suggesting varied DD rates. Uncertainty plays a pivotal role: People favor immediate rewards under uncertain future conditions and future rewards under uncertain present conditions. Individual differences further modulate rates of DD.
Frik et al. [21] mention the challenge of timing when implementing security controls. People delay costs and expedite benefits, impacting security decisions. Their study reveals preferences for delayed system updates, reflecting convenience concerns. Vaniea and Rashidi [22] find individuals disabling automatic updates due to inconvenient timing. Rajivan et al. [23] demonstrate, through behavioral economics experiments, that experiencing cyber attacks leads to underestimation of future risks, influencing suboptimal updating decisions. Despite the best approach being immediate updating, most participants delay or skip updates.
Evaluation of instruments for operationalizing and measuring DD can be found in research papers reviewing the existing literature [15,16].
Methods
This section provides an overview of the methodology, sample, selection, and development of the instruments utilized in the online survey for data collection and details of data preparation and analysis procedures.
This study employed correlational and regression analyses to explore relationships between DD scores and security behaviors. A stepwise regression analysis was conducted to determine the relative predictive power of DD and attitudes toward security behaviors. The analysis approach was determined a priori to align with our exploratory sequential mixed-methods design. A mixed-method design implies that the RQs require both quantitative and qualitative data [24–26].
Sample and procedure
For the purpose of the study, an online survey was developed and hosted on university servers, which provided secure access to the survey for potential participants in possession of the link. The survey was completely anonymous and started with a description of the study’s purpose, followed by a mandatory informed consent form before start. The survey link was distributed to contact persons at three small- and medium-sized enterprises (SMEs) both from public and private sectors in Norway. The contact persons forwarded the invitation within their organizations reaching approximately 400 employees using non-probabilistic convenience sampling technique. The survey was available in Norwegian and English, the Norwegian translation was completed by one of the authors and the final version was refined following the feedback of a native speaker IS professional. The survey encouraged the participants to answer honestly and as if they were in a situation where the choice had to be taken as a measure toward bias.
A total of 135 participants (77 male—57.0%, 56 female—41.5%, and 2 respondents with unspecified gender—1.5%) completed the survey resulting in an approximate response rate of 33.25%. Most participants completed the Norwegian (92.6%) version of the survey, while 7.4% of subjects completed it in English. All demographic data collected from respondents are provided in Table 1. The survey was open for participants for a total of 15 days and the average completion time of the survey was 34.2 min (median:11.4 min). Removal of outliers on completion time did not have a significant impact on the results; therefore, all 135 participants who completed the entire survey were retained in the final dataset.
Descriptive statistics of sample demographics.
| n | % | n | % | ||
|---|---|---|---|---|---|
| Language | Occupation | ||||
| Norwegian | 125 | 92.6 | Purchasing and logistics | 8 | 5.9 |
| English | 10 | 7.4 | Finance | 1 | 0.7 |
| 135 | 100.0 | IT and IS | 72 | 53.3 | |
| HR | 1 | 0.7 | |||
| Age | Sustainability | 0 | 0.0 | ||
| 18–29 | 28 | 20.7 | Marketing | 3 | 2.2 |
| 30–39 | 19 | 14.1 | Communication | 2 | 1.5 |
| 40–49 | 35 | 25.9 | Production | 2 | 1.5 |
| 50–59 | 40 | 29.6 | General administrator and support | 7 | 5.2 |
| >60 | 12 | 8.9 | Healthcare | 26 | 19.3 |
| Prefer not to say | 1 | 0.7 | Other | 10 | 7.4 |
| 135 | 100.0 | Prefer not to say | 3 | 2.2 | |
| 135 | 100.0 | ||||
| Gender | Role | ||||
| Male | 77 | 57.0 | Manager | 38 | 28.1 |
| Female | 56 | 41.5 | No managerial responsibilities | 94 | 69.6 |
| Prefer not to say | 2 | 1.5 | Prefer not to say | 3 | 2.2 |
| 135 | 100.0 | 135 | 100.0 | ||
| n | % | n | % | ||
|---|---|---|---|---|---|
| Language | Occupation | ||||
| Norwegian | 125 | 92.6 | Purchasing and logistics | 8 | 5.9 |
| English | 10 | 7.4 | Finance | 1 | 0.7 |
| 135 | 100.0 | IT and IS | 72 | 53.3 | |
| HR | 1 | 0.7 | |||
| Age | Sustainability | 0 | 0.0 | ||
| 18–29 | 28 | 20.7 | Marketing | 3 | 2.2 |
| 30–39 | 19 | 14.1 | Communication | 2 | 1.5 |
| 40–49 | 35 | 25.9 | Production | 2 | 1.5 |
| 50–59 | 40 | 29.6 | General administrator and support | 7 | 5.2 |
| >60 | 12 | 8.9 | Healthcare | 26 | 19.3 |
| Prefer not to say | 1 | 0.7 | Other | 10 | 7.4 |
| 135 | 100.0 | Prefer not to say | 3 | 2.2 | |
| 135 | 100.0 | ||||
| Gender | Role | ||||
| Male | 77 | 57.0 | Manager | 38 | 28.1 |
| Female | 56 | 41.5 | No managerial responsibilities | 94 | 69.6 |
| Prefer not to say | 2 | 1.5 | Prefer not to say | 3 | 2.2 |
| 135 | 100.0 | 135 | 100.0 | ||
Descriptive statistics of sample demographics.
| n | % | n | % | ||
|---|---|---|---|---|---|
| Language | Occupation | ||||
| Norwegian | 125 | 92.6 | Purchasing and logistics | 8 | 5.9 |
| English | 10 | 7.4 | Finance | 1 | 0.7 |
| 135 | 100.0 | IT and IS | 72 | 53.3 | |
| HR | 1 | 0.7 | |||
| Age | Sustainability | 0 | 0.0 | ||
| 18–29 | 28 | 20.7 | Marketing | 3 | 2.2 |
| 30–39 | 19 | 14.1 | Communication | 2 | 1.5 |
| 40–49 | 35 | 25.9 | Production | 2 | 1.5 |
| 50–59 | 40 | 29.6 | General administrator and support | 7 | 5.2 |
| >60 | 12 | 8.9 | Healthcare | 26 | 19.3 |
| Prefer not to say | 1 | 0.7 | Other | 10 | 7.4 |
| 135 | 100.0 | Prefer not to say | 3 | 2.2 | |
| 135 | 100.0 | ||||
| Gender | Role | ||||
| Male | 77 | 57.0 | Manager | 38 | 28.1 |
| Female | 56 | 41.5 | No managerial responsibilities | 94 | 69.6 |
| Prefer not to say | 2 | 1.5 | Prefer not to say | 3 | 2.2 |
| 135 | 100.0 | 135 | 100.0 | ||
| n | % | n | % | ||
|---|---|---|---|---|---|
| Language | Occupation | ||||
| Norwegian | 125 | 92.6 | Purchasing and logistics | 8 | 5.9 |
| English | 10 | 7.4 | Finance | 1 | 0.7 |
| 135 | 100.0 | IT and IS | 72 | 53.3 | |
| HR | 1 | 0.7 | |||
| Age | Sustainability | 0 | 0.0 | ||
| 18–29 | 28 | 20.7 | Marketing | 3 | 2.2 |
| 30–39 | 19 | 14.1 | Communication | 2 | 1.5 |
| 40–49 | 35 | 25.9 | Production | 2 | 1.5 |
| 50–59 | 40 | 29.6 | General administrator and support | 7 | 5.2 |
| >60 | 12 | 8.9 | Healthcare | 26 | 19.3 |
| Prefer not to say | 1 | 0.7 | Other | 10 | 7.4 |
| 135 | 100.0 | Prefer not to say | 3 | 2.2 | |
| 135 | 100.0 | ||||
| Gender | Role | ||||
| Male | 77 | 57.0 | Manager | 38 | 28.1 |
| Female | 56 | 41.5 | No managerial responsibilities | 94 | 69.6 |
| Prefer not to say | 2 | 1.5 | Prefer not to say | 3 | 2.2 |
| 135 | 100.0 | 135 | 100.0 | ||
Instruments in the online survey were presented in the following blocks in a fixed order: demographic questions, MCQ-21 (original instrument) [11], IS control-related behaviors, DISCQ-L (new instrument), SA-6, and DISCQ-G (new instrument). Items within blocks were also presented in a fixed order. The English variant of the whole survey (including all instruments) is provided as supplementary material. All analyses were conducted using RStudio (Build 421).
Measures
DD with monetary outcomes (MCQ-21)
A slightly modified version of the Monetary Choice Questionnaire (MCQ-21) was utilized to collect responses from participants to calculate their discounting parameter k [11]. The MCQ-21 presents 21 binary choice tasks (trials) to assess preference between SIR and LDR in terms of monetary outcomes. MCQ is one of the most commonly used discounting scales in clinical and research settings [10]. In each choice task, respondents have to make a choice between an SIR and an LDR across three levels of LDR reward size: 7 small ($30–$35), 7 medium ($55–$65), and 7 large ($70–$85). For each pair of alternatives, the value of the k parameter can be calculated for which the discounted value of the LDR is equal to the SIR by rearranging equation (1) so that k is on the left side of the equation |$k = \frac{\frac{A}{V}-1}{D}$|. Thus, for each trial, the SIR amount corresponding to an indifference point is calculated by the predefined k values, which were established for each trial in the original MCQ and remain fixed when using the original instrument. MCQ uses days as units of delay between SIRs and LDRs (range: 10–75 days). The final parameter estimation is based on the 20 bounded ranges of discounting parameter values as explained in [11] and in [10]. A Microsoft Excel-based scoring tool was used to calculate the value of each respondent’s discounting parameter k from the raw binary choices assuming a hyperbolic discounting function [10]. The scoring tool provides several metrics at the subject level and for the sample: consistency metrics, overall k and geomean k (determined by taking the geometric mean of the small, medium, and large k values). Both metrics are available in nontransformed and logarithmic-transformed forms. Since the k values tend to be skewed, the analyses rely on the log-transformed form of the geomean scores for each respondent. Log-transformation turns raw k values from the range 0.0007 to 0.13116 to the range |$-3.15$| to |$-0.88$|, as no k values measured by the instrument is > or = 1. A deviation from the original MCQ-21 was that monetary amounts, which were presented in the Norwegian krone (NOK) currency instead of USD by converting all of the original USD amounts to NOK based on the actual currency conversation rates (1 USD |$=$| 10.58 NOK [27]) before survey distribution. Thus, the original first item of the MCQ “Would you prefer 30 dollars (SIR) tonight or 85 dollars (LDR) in 14 days (delay)?” resulted in “Would you prefer 317 NOK tonight, or 899 NOK in 14 days ?” in the English version of the survey (see item 1 in the supplementary materials).
DD in the context of IS (DISCQ-L and DISCQ-G)
The Discounting within IS Choice Questionnaire-Loss variant (DISCQ-L) and the Discounting within IS Choice Questionnaire-Gain variant (DISCQ-G) were utilized for collecting the necessary data to quantify discounting parameter k in an IS context. Both questionnaires were based on the original MCQ-21 due to a lack of scales operationalizing the DD concept in the context of IS. To maintain desirable properties (i.e. construct validity, process for parameter estimation, efficiency) of the original MCQ-21 and its automated scoring tool, both variants rely on the same number of trials and same discounting parameter ks in each trial. The questionnaire instructions, framing of choice trials, delays, and reward/loss amounts were adjusted based on considerations relevant for the IS context. During the adaptation of both versions, an iterative approach was followed, where the relevant literature, experts, and end-users were consulted in order to reach an optimal format for the instruments. The aim of the adaptation procedure was to identify the most suitable format (including framing, dimensions along which trade-offs occur, units of measurement) for both variants, which fulfill key criteria such as objectively quantifiable and unambiguous dimensions and units of measurement, universal applicability to all kinds of IS controls, applicability to a broad range of stakeholders, considering existing results about user perceptions that facilitate/inhibit adoption of IS-controls for end-users, minimal number of external conditions that the outcomes depend on (i.e. least dependencies other than the end-user’s choice in the present), and real-world relevance (units provided on a dimension for each item have a matching realistic scenario in the real world, e.g. time to implement 2fa can be measured in 5–15 min of time sacrificed). Options were framed as gains/losses from a reference point, which was defined in the questionnaire’s instructions as follows: “Cybersecurity is a dynamic field, where the external environment changes constantly due to new threats and vulnerabilities”. For DISCQ-L, instructions continue as follows: “This means that there are several security controls that are implemented to keep security at a desired level. However, some security controls require a loss of productivity or workflow since they are to be done during work”. For DISCQ-G, instructions continue as follows: “This means that in order to maintain your desired/previous level of cybersecurity over time, you need to actively execute some actions on the systems you interact with”.
For the DISCQ-L variant, a relevant and unambiguously quantifiable dimension underlying most decisions was determined to be time (i.e. time sacrificed by end-users when implementing/using IS controls) [28,29]. Minutes (of user effort) were selected as the most appropriate unit of time, as this unit made it possible to express a wide range of loss amounts corresponding to controls with varying levels of required user effort. Following the logic of the original MCQ-21, three ranges of larger delayed losses (LDLs) were defined: small (1–10 min), medium (11–59 min), and large (60–200 min). Thus, each category reflects varying levels of effort required for implementing/using control measures (e.g. small loss: entering a PIN, medium loss: installing software updates, and large loss: education, learning about security controls). Within each category, seven values were selected as LDL amounts, which were used to calculate the associated smaller immediate loss (SIL) amounts using the original amount of delays (in days) and the original discounting parameter value ks for each trial. Although using time as a measure of losses differ from more direct approaches, such as losses due to security incidents, a time-based metric offered a standardized way to reflect effort and personal investment that is both universal and relatable. Direct measures of loss from security incidents can vary significantly in scale and are influenced by unpredictable factors (e.g., the likelihood and severity of attacks), potentially leading to inconsistency and ambiguity in responses. A time-based scale seemed to effectively represent user effort related to security measures. All choice trials used the following format: “Would you prefer to spend 21 minutes (SIL) on implementing a security control immediately or spend 60 minutes (LDL) on implementing a security control after 14 days (delay)?”. As the outcomes of decisions in the IS domain are highly uncertain and depend on a wide range of factors beyond the user’s control (e.g. probability of attacks, motivation, skill of attackers, etc.), it is challenging to develop an instrument, which can accommodate all the complexities involved in real-world decisions and outcomes. Therefore, the aim was to construct a basic instrument where trade-offs are in the same one dimension (a bit of time sacrificed now vs. more time sacrificed later) without the introduction of other dimensions (e.g. sacrifice of some user time + loss of certain data with some probability at an uncertain point in the future) that would make the results more ambiguous and more difficult to interpret. DISCQ-L is available in the supplementary material.
Since finding a true gain-frame within IS—which is strongly associated with (potential) losses—is challenging, for the DISCQ-G variant, the “protection from a number of potentially successful cyber attacks” was selected as an appropriate (i.e. quantifiable, easy to understand with real-world relevance) dimension quantifying the amount of rewards. Lack of reliable data sources presented a challenge when defining the range of potential LDR amounts representing realistic values. Therefore, three categories (small: 2–10 attacks, medium: 50–150 attacks, large: 500–1000 attacks) were created to cover a wide range of possibilities suitable for decision-makers in various sectors and roles [30–33]. Amounts of delay were expressed in minutes using each unique LDL amount from DISCQ-L, since they captured realistic estimates about the time needed to implement/use a control measure; thus, they are equivalent to the objective amount of delay between maintaining the current level of protection by not doing anything versus implementing a control and gaining increased protection. Finally, for each choice trial, the associated SIR amounts were precalculated using the delay amounts (in minutes) and the original k values. For example, item 9 of DISCQ-G (where the amount of delay equals the amount of LDL from item 1 of DISCQ-L) reads as follows: “Would you prefer protection from 42 potentially successful cyber attacks (SIR) immediately, or protection from 50 potentially successful cyber attacks (LDR) after 60 minutes (delay)?”. DISCQ-G is available in the supplementary material.
Raw data were entered from all variants into the original automated scoring tool [10], and the log-transformed geomean scores were used for each respondent in all analyses to enable an unbiased comparison between variants.
IS attitudes (SA-6)
General attitudes about IS were collected by a self-report measure of end-user security attitudes (SA-6) [34]. SA-6 is a validated six-item instrument to quantify end-user IS attitudes, which can be completed in a short time and has demonstrated desirable psychometric properties (i.e. convergent, discriminant, and predictive validity, generating sufficient response variance) in the validation study. The six items of SA-6 explore various aspects of IS-related attitudes and respondents are asked to rate their degree of agreement/disagreement with six statements using a 5-point response format (1 = strongly disagree and 5 = strongly agree). A total score for attitudes is derived by taking the average of the six item-level scores, where higher scores represent more favorable attitudes toward IS [35]. In the present analysis, the sum of item-level raw scores was used (range: 6–30). The inclusion of SA-6 was motivated by the need to establish a baseline for assessing the predictive performance of the other instruments. Finally, the inclusion of SA-6 was important when considering established findings from several meta-analyses related to the importance of the attitude concept: Attitudes are the most important antecedents of behavioral intentions, which are the direct antecedents of behavior in the Theory of Reasoned Action and Theory of Planned Behavior (TPB). TPB represents a state-of-the-art theoretical model for behavior prediction utilized across many domains, and attitudes are deemed the most useful predictors of real-world behavior [36,37]. SA-6 is available in the supplementary material.
IS control-related behaviors
In order to assess the extent to which the previously discussed constructs can predict real-world behavior, various data collection possibilities were considered in terms of validity and availability. While stated preferences (preferences reported by people) may deviate from revealed preferences (i.e. choices in the real world) [18], collecting evidence of revealed preferences would have required intrusive data collection methods (providing access to organizational systems) and a high degree of commitment and effort from subjects, which would have negatively impacted response rates. Therefore, the study relies on the elicitation of stated preferences.
It was decided to develop a custom set of questions instead of using existing survey material to measure IS behavior. To maintain respondent engagement and gather reliable data without overburdening participants, the decision to tailor the survey was made. The set of questions was designed to elicit responses about past actions and planned future behaviors from subjects. Five well-known IS controls mechanisms were identified (i.e. two-factor authentication, screen lock, password manager, automatic updates, and verifying the sender’s email address when receiving an e-mail) and a 6-point response format was designed, which fulfills requirements for generating data at the ratio level (i.e. values represent an underlying continuum, values are ordered, and equal distance between values and 0 represents a true absence of the variable) [38]. Respondents were asked to rate all five IS control mechanisms following the question: “Which of the following options best describe your past actions or future plans regarding the implementation of [control] ? The response format for the options was as— follows: 0—“I have not implemented the control. I am not planning to ever implement it”. 1—“I have not implemented the control. I am planning to implement it later than this year”. 2—“I have not implemented the control. I am planning to implement it this year”. 3—“I have implemented the control less than a year ago”. 4—“I have implemented the control between 1 year and 2 years ago”. 5—“I have implemented the control more than 2 years ago”. Control was replaced by the name of the specific control mechanisms in each case. Higher scores capture longer times spent with improved protection against potential cyber attacks, lower scores represent the varying levels of behavioral intentions, while 0 captures total lack of intention.
Since most of the control-related behavior items exhibited ceiling effects, the raw scores were summed, generating an overall behavior score metric with the range 0–25. The overall behavior scores were used in subsequent analyses. The set of questions operationalizing past experiences / intentions related to IS control-related behaviors is available in the supplementary material.
Ethics considerations
This study followed ethical guidelines to ensure participant privacy and the protection of sensitive information. The questionnaire was administered anonymously using Nettskjema, a secure online platform that supports participant anonymity. Ethics approval was not required as no sensitive personal data were collected, but voluntary participation and the right to withdraw at any point were clearly communicated to participants.
Results
This section provides a detailed description of the analyses performed to investigate the quality of the dataset to support comparisons between studies before reporting the results related to each RQ.
Descriptive statistics
Overview of descriptive statistics for the k discounting parameters derived from MCQ-21, DISCQ-L, and DISCQ-G, total score from SA-6, and overall behavior score from the IS control-related questions are shown in Table 2. The range of values for the three discounting parameter k variants (i.e. k_MCQ-21, k_DISQ-L, and k_DISQ-G) is identical since the novel variants are based on the original instrument’s internal logic and scoring mechanism to estimate k parameters.
Summary of descriptive statistics.
| Variable | Min | Max | Median | Mean | SD |
|---|---|---|---|---|---|
| k_MCQ-21 | |$-$|3.15 | |$-$|0.88 | |$-$|2.06 | |$-$|2.14 | 0.69 |
| k_DISQ-L | |$-$|3.15 | |$-$|0.88 | |$-$|0.88 | |$-$|1.16 | 0.53 |
| k_DISQ-G | |$-$|3.15 | |$-$|0.88 | |$-$|1.92 | |$-$|1.93 | 0.83 |
| Total SA-6 score | 6.00 | 30.00 | 22.00 | 21.53 | 4.67 |
| Overall behavior score | 0.00 | 25.00 | 20.00 | 19.74 | 4.76 |
| Variable | Min | Max | Median | Mean | SD |
|---|---|---|---|---|---|
| k_MCQ-21 | |$-$|3.15 | |$-$|0.88 | |$-$|2.06 | |$-$|2.14 | 0.69 |
| k_DISQ-L | |$-$|3.15 | |$-$|0.88 | |$-$|0.88 | |$-$|1.16 | 0.53 |
| k_DISQ-G | |$-$|3.15 | |$-$|0.88 | |$-$|1.92 | |$-$|1.93 | 0.83 |
| Total SA-6 score | 6.00 | 30.00 | 22.00 | 21.53 | 4.67 |
| Overall behavior score | 0.00 | 25.00 | 20.00 | 19.74 | 4.76 |
k_MCQ-21, k_DISQ-L, and k_DISQ-G: geomean of log-transformed k parameters from MCQ-21, DISCQ-L, and DISCQ-G, respectively, and SA-6: Security Attitudes questionnaire.
Summary of descriptive statistics.
| Variable | Min | Max | Median | Mean | SD |
|---|---|---|---|---|---|
| k_MCQ-21 | |$-$|3.15 | |$-$|0.88 | |$-$|2.06 | |$-$|2.14 | 0.69 |
| k_DISQ-L | |$-$|3.15 | |$-$|0.88 | |$-$|0.88 | |$-$|1.16 | 0.53 |
| k_DISQ-G | |$-$|3.15 | |$-$|0.88 | |$-$|1.92 | |$-$|1.93 | 0.83 |
| Total SA-6 score | 6.00 | 30.00 | 22.00 | 21.53 | 4.67 |
| Overall behavior score | 0.00 | 25.00 | 20.00 | 19.74 | 4.76 |
| Variable | Min | Max | Median | Mean | SD |
|---|---|---|---|---|---|
| k_MCQ-21 | |$-$|3.15 | |$-$|0.88 | |$-$|2.06 | |$-$|2.14 | 0.69 |
| k_DISQ-L | |$-$|3.15 | |$-$|0.88 | |$-$|0.88 | |$-$|1.16 | 0.53 |
| k_DISQ-G | |$-$|3.15 | |$-$|0.88 | |$-$|1.92 | |$-$|1.93 | 0.83 |
| Total SA-6 score | 6.00 | 30.00 | 22.00 | 21.53 | 4.67 |
| Overall behavior score | 0.00 | 25.00 | 20.00 | 19.74 | 4.76 |
k_MCQ-21, k_DISQ-L, and k_DISQ-G: geomean of log-transformed k parameters from MCQ-21, DISCQ-L, and DISCQ-G, respectively, and SA-6: Security Attitudes questionnaire.
The item-level and overall distribution of scores for the MCQ-21, DISCQ-L, and DISCQ-G are shown in Fig. 2.
Distribution of k parameter values from three instruments.
The lowest DD mean scores were generated by MCQ-21, showing that in terms of monetary outcomes, the sample exhibited a great degree of self-control and respondents rarely selected SIRs over LDRs. Losses in terms of productivity from DISCQ-L generated the highest mean k score signifying that in case of losses, people prefer smaller losses sooner than greater losses later. In this study, the DISQ-L scale measures the tendency to DD with respect to losses. A higher score on the DISQ-L scale indicates a greater preference for immediate smaller losses over LDLs, suggesting higher impulsivity or a stronger present bias. Conversely, a lower score reflects a greater willingness to delay losses, indicating more self-control and a lower degree of impulsivity.
The data suggest that the general assumption “that underlies most of the models is that realization of a desirable outcome is preferred sooner to later, whereas realization of an undesirable outcome is preferred later to sooner [39]” does not hold in this context.
The vast majority of respondents preferred an SIL to an LDL. For DISCQ-G, the sample showed greater variance, but the mean k score indicates that respondents were more likely to select an SIR instead of an LDR (higher impulsivity), when the questions are related to IS security controls compared to monetary outcomes.
The distribution of SA-6 scores (item level and total) is presented in Fig. 3. SA-6 demonstrated a high internal consistency as measured by Cronbach’s alpha coefficient (|$\alpha = .86$|), similar to the value (|$\alpha = .84$|) reported in the questionnaire’s validation study [34]. The overall mean score in the present sample calculated according to the original instructions (M = 3.58) falls within the range of reference scores (3.57–3.99) obtained in a U.S. sample [35].
Distribution of SA-6 item scores and overall SA-6 score.
The distribution of IS control-related behavior scores (item level and total) is presented in Fig. 4. Most IS control-related questions produced ceiling effects signifying that most of the respondents have already implemented the relevant control measures a long time ago. Screen locks on office equipment were implemented by nearly all respondents more than 2 years ago, whereas verifying a sender’s e-mail address and the use of a password manager generated higher variances. Combining the item-level scores into an overall behavior metric resulted in greater variance, but a negative skew was still remaining.
Distribution of control-related behavior scores for each item and overall behavior score.
Estimation results
The existence of group differences across demographic nominal/ordinal variables and the rest of the variables were investigated with the Kruskal–Wallis rank correlation test. It is a rank-based nonparametric test to assess whether there are statistically significant differences between two or more groups of an independent variable on a continuous or ordinal dependent variable.
In terms of the three variants of the log-transformed geomean k scores, no significant differences were detected across the various levels of the demographic variables (i.e. language of survey, age, gender, occupation, or role).
With respect to total SA-6 scores, the following differences were identified: Males (M = 22.5, SD = 4.60) had a significantly higher SA-6 total score than females (M = 20.1, SD = 4.49) based on the Kruskal–Wallis test |$\chi ^2$|(2, N = 133) = 11.25, P |$\lt $|.05. Another difference was detected |$\chi ^2$|(10, N = 108) = 33.50, P |$\lt $|.001, such that employees in IT and IS (M = 23.1, SD = 4.33) had significantly higher SA-6 scores compared to employees in healthcare (M = 19.5, SD = 4.47) and employees in other functions (M = 18.3, SD = 3.59) as well.
A similar pattern was identified regarding overall behavior scores: There was a significant difference |$\chi ^2$|(2, N = 133) = 9.38, P |$\lt $|.05 between males (M = 20.9, SD = 3.96) and females (M = 18.2, SD = 5.25). Furthermore, significant differences |$\chi ^2$|(10, N = 108) = 29.52, P |$\lt $|.05 were found between IT and IS workers (M = 21.5, SD = 3.80), employees in healthcare (M = 17.1, SD = 6.34) and employees in other functions (M = 16.1, SD = 3.14).
All variables were tested with the Shapiro–Wilk normality test and in all cases the variables were significantly different from a normal distribution; therefore, Table 3 provides all the zero-order correlations among items and total scores using Spearman’s |$\rho$|, which is a nonparametric measure of association between variables.
Correlations (Spearman’s |$\rho$|) between instruments and items.
| Overall behavior score | SA-6 total score | k_MCQ-21 | k_DISQ-L | k_DISQ-G | |
|---|---|---|---|---|---|
| 2FA | .65*** | .35*** | .01 | .10 | .13 |
| SL | .16 | |$-$|.01 | −.25** | |$-$|.06 | |$-$|.14 |
| PM | .70*** | .32*** | .09 | .09 | .05 |
| AU | .53*** | .18* | |$-$|.03 | .07 | .09 |
| VE | .77*** | .40*** | .02 | .11 | .10 |
| SA-6_item 1 | .43*** | .79*** | .03 | .25** | .00 |
| SA-6_item 2 | .36*** | .71*** | .07 | .27** | .06 |
| SA-6_item 3 | .32*** | .70*** | .07 | .22* | .21* |
| SA-6_item 4 | .35*** | .84*** | .08 | .12 | .02 |
| SA-6_item 5 | .20* | .62*** | .06 | .27** | .12 |
| SA-6_item 6 | .46*** | .78*** | .04 | .14 | .12 |
| SA-6 total score | .48*** | ||||
| k_MCQ-21 | .04 | .05 | |||
| k_DISQ-L | .13 | .29** | |$-$|.05 | ||
| k_DISQ-G | .09 | .08 | .38*** | .08 |
| Overall behavior score | SA-6 total score | k_MCQ-21 | k_DISQ-L | k_DISQ-G | |
|---|---|---|---|---|---|
| 2FA | .65*** | .35*** | .01 | .10 | .13 |
| SL | .16 | |$-$|.01 | −.25** | |$-$|.06 | |$-$|.14 |
| PM | .70*** | .32*** | .09 | .09 | .05 |
| AU | .53*** | .18* | |$-$|.03 | .07 | .09 |
| VE | .77*** | .40*** | .02 | .11 | .10 |
| SA-6_item 1 | .43*** | .79*** | .03 | .25** | .00 |
| SA-6_item 2 | .36*** | .71*** | .07 | .27** | .06 |
| SA-6_item 3 | .32*** | .70*** | .07 | .22* | .21* |
| SA-6_item 4 | .35*** | .84*** | .08 | .12 | .02 |
| SA-6_item 5 | .20* | .62*** | .06 | .27** | .12 |
| SA-6_item 6 | .46*** | .78*** | .04 | .14 | .12 |
| SA-6 total score | .48*** | ||||
| k_MCQ-21 | .04 | .05 | |||
| k_DISQ-L | .13 | .29** | |$-$|.05 | ||
| k_DISQ-G | .09 | .08 | .38*** | .08 |
2FA: two-factor authentication, SL: screen lock, PM: password manager, AU: automatic updates, VE: verifying e-mail sender, SA-6: Security Attitudes questionnaire, k_MCQ-21, k_DISQ-L, and k_DISQ-G: geomean of log-transformed k parameters from MCQ-21, DISCQ-L, and DISCQ-G, respectively.
*P |$\lt $|.05, **P |$\lt $|.01, ***P |$\lt $|.001.
Correlations (Spearman’s |$\rho$|) between instruments and items.
| Overall behavior score | SA-6 total score | k_MCQ-21 | k_DISQ-L | k_DISQ-G | |
|---|---|---|---|---|---|
| 2FA | .65*** | .35*** | .01 | .10 | .13 |
| SL | .16 | |$-$|.01 | −.25** | |$-$|.06 | |$-$|.14 |
| PM | .70*** | .32*** | .09 | .09 | .05 |
| AU | .53*** | .18* | |$-$|.03 | .07 | .09 |
| VE | .77*** | .40*** | .02 | .11 | .10 |
| SA-6_item 1 | .43*** | .79*** | .03 | .25** | .00 |
| SA-6_item 2 | .36*** | .71*** | .07 | .27** | .06 |
| SA-6_item 3 | .32*** | .70*** | .07 | .22* | .21* |
| SA-6_item 4 | .35*** | .84*** | .08 | .12 | .02 |
| SA-6_item 5 | .20* | .62*** | .06 | .27** | .12 |
| SA-6_item 6 | .46*** | .78*** | .04 | .14 | .12 |
| SA-6 total score | .48*** | ||||
| k_MCQ-21 | .04 | .05 | |||
| k_DISQ-L | .13 | .29** | |$-$|.05 | ||
| k_DISQ-G | .09 | .08 | .38*** | .08 |
| Overall behavior score | SA-6 total score | k_MCQ-21 | k_DISQ-L | k_DISQ-G | |
|---|---|---|---|---|---|
| 2FA | .65*** | .35*** | .01 | .10 | .13 |
| SL | .16 | |$-$|.01 | −.25** | |$-$|.06 | |$-$|.14 |
| PM | .70*** | .32*** | .09 | .09 | .05 |
| AU | .53*** | .18* | |$-$|.03 | .07 | .09 |
| VE | .77*** | .40*** | .02 | .11 | .10 |
| SA-6_item 1 | .43*** | .79*** | .03 | .25** | .00 |
| SA-6_item 2 | .36*** | .71*** | .07 | .27** | .06 |
| SA-6_item 3 | .32*** | .70*** | .07 | .22* | .21* |
| SA-6_item 4 | .35*** | .84*** | .08 | .12 | .02 |
| SA-6_item 5 | .20* | .62*** | .06 | .27** | .12 |
| SA-6_item 6 | .46*** | .78*** | .04 | .14 | .12 |
| SA-6 total score | .48*** | ||||
| k_MCQ-21 | .04 | .05 | |||
| k_DISQ-L | .13 | .29** | |$-$|.05 | ||
| k_DISQ-G | .09 | .08 | .38*** | .08 |
2FA: two-factor authentication, SL: screen lock, PM: password manager, AU: automatic updates, VE: verifying e-mail sender, SA-6: Security Attitudes questionnaire, k_MCQ-21, k_DISQ-L, and k_DISQ-G: geomean of log-transformed k parameters from MCQ-21, DISCQ-L, and DISCQ-G, respectively.
*P |$\lt $|.05, **P |$\lt $|.01, ***P |$\lt $|.001.
The K scores derived from the original MCQ-21 showed a positive correlation with the k scores from DISCQ-G (.38, P|$\lt $|.01). A weak negative correlation (−.25, P |$\lt $|.01) was detected between the MCQ-21-derived k scores and the implementation of screen locks. Only the k scores derived from DISCQ-L showed correlation with SA-6 total scores (.29, P |$\lt $|.01), indicating that out of the three k variants, losses may be closest to capturing similar behavioral tendencies as the attitude-based measure. None of the correlations between the k variants and overall behavior scores were significant, whereas the correlation between overall behavior score and SA-6 total score is among the highest (.48, P |$\lt $|.001).
Hypotheses testing
To answer each of the RQs, a total of five linear regression models were constructed (four simple linear regression models and one multiple linear regression model). For each model, overall behavior score was entered as the dependent variable to assess the extent to which each independent variable is capable of predicting real-world behaviors individually and in combination. Thus, the first model used the discounting k parameters derived from the original MCQ-21 instrument as a single predictor variable (RQ 1). The second and third models used the discounting k parameters derived from the DISCQ-L and DISCQ-G instruments adapted to an IS context as single predictor variables, respectively (RQ 2). The fourth model used SA-6 overall score as a single predictor, as attitudes provide the gold standard for prediction of behavioral intentions and actual behavior, establishing a baseline for comparison (RQ 3). The fifth model combined all independent variables derived from the instruments with demographic variables to assess the maximum predictive accuracy achievable using the available predictors (RQ 4). The final model was constructed using a stepwise backward method for variable selection. The initial model contained all independent variables and in each step, a predictor, which did not significantly reduce the Akaike information criterion (AIC—a measure of prediction error) metric got removed [40]. The final model, which reached the minimal overall prediction error (i.e. lowest AIC score), contained a total of three predictors (i.e. two levels of the role demographic variable and SA-6 overall score). Details of the five regression models are presented in Table 4, including the coefficients, error terms, and the overall model performance metrics.
Summary of five regression models for predicting overall behavior scores.
| DV: behavior score | Regression | Residuals | Overall model performance | |||||||
|---|---|---|---|---|---|---|---|---|---|---|
| IVs | |$\beta$| | S.E. |$\beta$| | t | df | S.E. | df | F | |$R^2$| | Adjusted |$R^2$| | |
| Model 1 | constant | 20.22 | 1.35 | 15.02*** | 1 | 4.77 | 133 | 0.14 | 0.00 | −0.01 |
| k_MCQ-21 | 0.22 | 0.60 | 0.37 | |||||||
| Model 2 | constant | 20.56 | 0.99 | 20.84*** | 1 | 4.76 | 133 | 0.84 | 0.01 | −0.00 |
| k_DISQ-L | 0.71 | 0.77 | 0.92 | |||||||
| Model 3 | constant | 20.71 | 1.04 | 19.98*** | 1 | 4.76 | 133 | 1.04 | 0.01 | 0.00 |
| k_DISQ-G | 0.51 | 0.49 | 1.02 | |||||||
| Model 4 | constant | 9.45 | 1.72 | 5.50*** | 1 | 4.22 | 133 | 37.63*** | 0.22 | 0.22 |
| SA-6 | 0.48 | 0.08 | 6.13*** | |||||||
| Model 5 | constant | 3.19 | 2.89 | 1.10 | 3 | 4.13 | 131 | 15.49*** | 0.26 | 0.25 |
| role 1 | 6.21 | 2.48 | 2.51* | |||||||
| role 2 | 6.55 | 2.42 | 2.70** | |||||||
| SA-6 | 0.48 | 0.08 | 6.22*** | |||||||
| DV: behavior score | Regression | Residuals | Overall model performance | |||||||
|---|---|---|---|---|---|---|---|---|---|---|
| IVs | |$\beta$| | S.E. |$\beta$| | t | df | S.E. | df | F | |$R^2$| | Adjusted |$R^2$| | |
| Model 1 | constant | 20.22 | 1.35 | 15.02*** | 1 | 4.77 | 133 | 0.14 | 0.00 | −0.01 |
| k_MCQ-21 | 0.22 | 0.60 | 0.37 | |||||||
| Model 2 | constant | 20.56 | 0.99 | 20.84*** | 1 | 4.76 | 133 | 0.84 | 0.01 | −0.00 |
| k_DISQ-L | 0.71 | 0.77 | 0.92 | |||||||
| Model 3 | constant | 20.71 | 1.04 | 19.98*** | 1 | 4.76 | 133 | 1.04 | 0.01 | 0.00 |
| k_DISQ-G | 0.51 | 0.49 | 1.02 | |||||||
| Model 4 | constant | 9.45 | 1.72 | 5.50*** | 1 | 4.22 | 133 | 37.63*** | 0.22 | 0.22 |
| SA-6 | 0.48 | 0.08 | 6.13*** | |||||||
| Model 5 | constant | 3.19 | 2.89 | 1.10 | 3 | 4.13 | 131 | 15.49*** | 0.26 | 0.25 |
| role 1 | 6.21 | 2.48 | 2.51* | |||||||
| role 2 | 6.55 | 2.42 | 2.70** | |||||||
| SA-6 | 0.48 | 0.08 | 6.22*** | |||||||
DV: dependent variable, IVs: independent variables, S.E.: standard error, k_MCQ-21, k_DISQ-L, and k_DISQ-G: geomean of log-transformed k parameters from MCQ-21, DISCQ-L, and DISCQ-G, respectively, SA-6: total score from Security Attitudes questionnaire.
*P |$\lt $|.05, **P |$\lt $|.01, ***P |$\lt $|.001.
Summary of five regression models for predicting overall behavior scores.
| DV: behavior score | Regression | Residuals | Overall model performance | |||||||
|---|---|---|---|---|---|---|---|---|---|---|
| IVs | |$\beta$| | S.E. |$\beta$| | t | df | S.E. | df | F | |$R^2$| | Adjusted |$R^2$| | |
| Model 1 | constant | 20.22 | 1.35 | 15.02*** | 1 | 4.77 | 133 | 0.14 | 0.00 | −0.01 |
| k_MCQ-21 | 0.22 | 0.60 | 0.37 | |||||||
| Model 2 | constant | 20.56 | 0.99 | 20.84*** | 1 | 4.76 | 133 | 0.84 | 0.01 | −0.00 |
| k_DISQ-L | 0.71 | 0.77 | 0.92 | |||||||
| Model 3 | constant | 20.71 | 1.04 | 19.98*** | 1 | 4.76 | 133 | 1.04 | 0.01 | 0.00 |
| k_DISQ-G | 0.51 | 0.49 | 1.02 | |||||||
| Model 4 | constant | 9.45 | 1.72 | 5.50*** | 1 | 4.22 | 133 | 37.63*** | 0.22 | 0.22 |
| SA-6 | 0.48 | 0.08 | 6.13*** | |||||||
| Model 5 | constant | 3.19 | 2.89 | 1.10 | 3 | 4.13 | 131 | 15.49*** | 0.26 | 0.25 |
| role 1 | 6.21 | 2.48 | 2.51* | |||||||
| role 2 | 6.55 | 2.42 | 2.70** | |||||||
| SA-6 | 0.48 | 0.08 | 6.22*** | |||||||
| DV: behavior score | Regression | Residuals | Overall model performance | |||||||
|---|---|---|---|---|---|---|---|---|---|---|
| IVs | |$\beta$| | S.E. |$\beta$| | t | df | S.E. | df | F | |$R^2$| | Adjusted |$R^2$| | |
| Model 1 | constant | 20.22 | 1.35 | 15.02*** | 1 | 4.77 | 133 | 0.14 | 0.00 | −0.01 |
| k_MCQ-21 | 0.22 | 0.60 | 0.37 | |||||||
| Model 2 | constant | 20.56 | 0.99 | 20.84*** | 1 | 4.76 | 133 | 0.84 | 0.01 | −0.00 |
| k_DISQ-L | 0.71 | 0.77 | 0.92 | |||||||
| Model 3 | constant | 20.71 | 1.04 | 19.98*** | 1 | 4.76 | 133 | 1.04 | 0.01 | 0.00 |
| k_DISQ-G | 0.51 | 0.49 | 1.02 | |||||||
| Model 4 | constant | 9.45 | 1.72 | 5.50*** | 1 | 4.22 | 133 | 37.63*** | 0.22 | 0.22 |
| SA-6 | 0.48 | 0.08 | 6.13*** | |||||||
| Model 5 | constant | 3.19 | 2.89 | 1.10 | 3 | 4.13 | 131 | 15.49*** | 0.26 | 0.25 |
| role 1 | 6.21 | 2.48 | 2.51* | |||||||
| role 2 | 6.55 | 2.42 | 2.70** | |||||||
| SA-6 | 0.48 | 0.08 | 6.22*** | |||||||
DV: dependent variable, IVs: independent variables, S.E.: standard error, k_MCQ-21, k_DISQ-L, and k_DISQ-G: geomean of log-transformed k parameters from MCQ-21, DISCQ-L, and DISCQ-G, respectively, SA-6: total score from Security Attitudes questionnaire.
*P |$\lt $|.05, **P |$\lt $|.01, ***P |$\lt $|.001.
None of the simple linear regression models containing the k parameters as sole predictors performed better than an intercept-only model. Thus, the individual contribution of the DD k values for the prediction of real-world IS control-related behaviors in the present sample was zero. The same behaviors were predicted by security-related attitudes (i.e. overall SA-6 score) significantly better, reaching an overall of 0.22 in terms of the adjusted |$R^2$| metric. Adjusted |$R^2$| is a more appropriate metric for model fit than |$R^2$| as it penalizes a model with more predictors, whereas |$R^2$| automatically increases by the inclusion of more predictor variables [41]. The final combined predictive model achieved an adjusted |$R^2$| score of 0.25, which represents a small significant improvement compared to the fourth model by the inclusion of the role variable. Specifically, respondents with/without managerial responsibilities are significantly different from the reference group (prefer not to say). The independent variables collectively account for 25% of the variance in the dependent variable without any significant contribution from any of the DD k parameters.
Discussion
This study expands existing research on decision-making biases in IS by focusing specifically on DD. Other biases, such as those related to privacy risk perception and procrastination in security updates [18,21], illustrate how cognitive biases broadly impact IS behaviors. By exploring the effects of DD on end-users’ IS control-related behaviors in real-world organizational settings, this research contributes to the existing body of knowledge. The study leveraged the validated MCQ-21 to derive standard discounting factors for each participant and adapted it to create new instruments that address the context-dependence of DD. This approach ensures that IS-specific trade-offs are objectively captured, extending the analysis beyond gains to include losses. Such an expansion is crucial, as traditional instruments such as MCQ-21 do not quantify the present value of potential losses. The inclusion of SA-6 as a baseline for predictive performance aligns with the understanding that attitudes are strong predictors of behavior [36,37]. Collecting self-reported behavioral data related to basic IS controls provides further insights into how DD, alongside attitudes, influences real-world security compliance. This research aligns with findings from prior work, reinforcing that DD is part of a broader pattern of cognitive biases that must be considered when designing interventions to improve security behavior.
Results show that employees of three Norwegian SMEs have a great degree of patience demonstrated by overall low discounting scores as measured by the MCQ-21. The implementation of five fundamental IS controls were investigated based on expert advice and recommended best practices. The results show that the sample had a high average overall behavior score, signifying that almost all of the participants implemented most of the controls a long time ago in their organizations. The overall low average discounting score and high overall behavior scores are consistent with expectations based on the theory of DD: People with low discounting scores tend to make more optimal choices [16,42].
Analyses of MCQ-21 and the two novel adapted versions (i.e. DISCQ-L and DISCQ-G) indicate differences in discounting rates among the three versions suggesting the degree of convergent validity (the extent to which instruments measure the same concept) and discriminant validity (the extent to which instrument measures different concepts) [43]. Specifically, the results from DISCQ-L reveal that individuals tend to favor SILs over LDLs. Respondents showed a preference for minimizing the time lost due to the implementation of IS controls. These findings contradict the assumptions that people typically prefer an undesirable outcome later to sooner [39], and that people delay implementing security controls [21–23], when IS controls are framed as potential losses. This perspective is supported by research indicating that decisions often deviate from standard loss aversion models, where losses do not always loom larger than gains and are contextually dependent [44]. The findings suggest that the traditional view of preferring delayed losses may not hold in all contexts. Spearman’s correlation analyses revealed an insignificant negative correlation between MCQ-21 and DISCQ-L suggesting that there was no meaningful linear relationship between these two instruments. DISCQ-G showed a positive correlation with MCQ-21 (.38, P |$\lt $|.01), which could indicate the trait-like characteristic of the DD concept (i.e. people who discount at a high rate in one context, discount at a high rate also in other contexts) [15]. Additionally, with respect to attitudes, DISCQ-L showed a weak positive correlation (.29, P|$\lt $|.01) with SA-6, indicating that the DD with respect to losses (in terms of time and productivity) is more strongly associated with behaviors and attitudes than the prospect of gains (in terms of security). Thus, it may be meaningful to focus on losses (of time and productivity) due to the implementation of IS controls when trying to motivate behaviors with desirable outcomes.
While the data offer insights into decision-making dynamics, direct comparisons between gains and losses must be approached cautiously due to differences in the scales and contexts of these outcomes, such as gains being measured in cyber attacks defended and losses being measured in time. Additionally, the concept of loss aversion suggest that losses tend to have a stronger psychological impact than gains of an equivalent magnitude [45,46], which could potentially bias the estimation of k. While this principle is widely accepted, recent studies indicate that this impact varies by context, with cases where gains can have a similar or even greater impact, challenging its universality [46,47]. In this study, direct comparisons between gains and losses are limited by differences in scale and context, complicating interpretations. Evidence shows that loss aversion is not consistent across all scenarios, but influenced by situational variables, framing, and other attributes. The nuance is critical for IS decision-making, where the perceived value of gains versus losses may fluctuate, and general assumptions of loss aversion may not hold.
Regarding the RQs, results are as follows: The analyses related to RQ 1 and RQ 2 indicate that none of the DD parameters derived from the three instruments (MCQ-21, DISCQ-L, and DISCQ-G) turned out to be useful predictors of self-reported IS-related real-world behavior in the present sample. This is demonstrated by the fact that none of the simple linear regression models using discounting parameter k performed better than an intercept-only model.
However, with respect to RQ 3, the attitude-based measure (SA-6) was found to be a significantly better predictor (0.22 in terms of adjusted |$R^2$|) of self-reported IS-related real-world behavior compared to discounting parameters.
Finally, with respect to RQ 4, the combination of all independent variables resulted in a predictive model in which the attitude-based measure (SA-6) and two fixed values of one demographic variable in combination improved the overall predictive accuracy from 0.22 to 0.25 according to the adjusted |$R^2$| metric. It is important to acknowledge that feature selection without adequate testing for overfitting can introduce risks and potentially yield spurious results. Such scenarios may necessitate further validation.
As some of the results contradict expectations based on existing results (i.e. lack of association of discounting parameters and real-world behaviors), while some of the results fulfill expectations (i.e. attitudes are strongly associated with with real-world behaviors), it is important to investigate limitations of the present study and to provide suggestions for further work.
Limitations
This study focuses exclusively on hyperbolic discounting, represented by the k parameter, to model DD in IS decision-making. However, research suggests that decision makers tend to exhibit a distinct present bias, captured by an additional parameter |$\beta$| in quasi-hyperbolic discounting models [48]. The exclusion of |$\beta$| implies that the analysis may underestimate the extent of present bias. While the results provide insights using the k parameter, it may miss nuances of immediate bias.
A main limitation of the present study is related to data quality. Due to the highly skewed control-related behavior scores, a follow-up questionnaire was sent to the three contact persons at the organizations to gain a better understanding of the existing IS policies and regulations. Response was received months after the initial data collection from two organizations. Based on the responses, it became evident that most of the IS controls were set up as default settings for all employees in the organizations. Two controls were exceptions to this (i.e. password manager and verifying the sender’s e-mail address), which generated the highest variances among control-related behaviors. These pieces of information explain the highly skewed IS control variables and may explain the DD concept’s lack of predictive power. Given the number of correlations tested, it is important to interpret individual findings with caution. When multiple independent tests are conducted, the probability of at least one false positive result increases significantly. In addition, it should be noted that a significant proportion of respondents (53.3%) belonged to the IT and IS professions. Consequently, caution is warranted when generalizing the findings of this study to the broader population of employees within SMEs due to the potential selection bias inherent in the sampled population. A potential limitation of this study is the small number who selected “prefer not to say” for managerial responsibilities. This subgroup may affect the interpretability of the role variables in Model 5, presented in Table 4. This variable could be simplified into a binary format to enhance statistical reliability.
It is worth noting that the concept of DD has generated a variety of research results, often with mixed or contradicting findings. Several instruments have been developed to derive discounting factors, which often make comparisons between studies problematic [16]. It is important to have standardized, collectively established criteria for the evaluation of instruments operationalizing the constructs. This study used MCQ-21, which is regarded a state-of-the-art instrument developed for research purposes in a clinical setting. However, as the instruments developed and presented in this study relied on MCQ-21, they could have inherited some of the weaknesses of the original instrument. Respondent groups in a study providing external validity of MCQ-21 were substance abusers and healthy controls [49]. The requirements in terms of sensitivity and specificity for an instrument, which aims to distinguish between people with substance abuse disorders and healthy controls may be different from the sensitivity and specificity requirements of an instrument, which aims to distinguish between high and low discounters in an IS context from the healthy general population. Thus, the novel instruments presented in this paper may require further improvements in terms of their sensitivity and specificity.
Future work
To overcome the limitations of the present study and to better assess the effectiveness of the DD construct in predicting real-world IS control-related behaviors, various possibilities may be considered.
A replication study in a private context using the instruments presented here could provide evidence whether DD has more relevance when people have more freedom to act according to their own preferences. Thus, it would be important to investigate whether DD has stronger association with real-world behavior in settings where organization-wide default settings related to IS controls are lacking. However, such a study also needs to consider various default settings and policies existing at service providers, which people interact with frequently. The decision to create custom items for behaviors was driven by the need to maintain a manageable survey length to prevent respondent fatigue. Future work should consider the use of a validated instrument to measure IS behaviors.
Future research should consider incorporating the |$\beta$| parameter from quasi-hyperbolic discounting models to capture present bias. Including |$\beta$| would allow to distinguish between the immediate preference for rewards or DD with respect to losses and the overall tendency to discount future outcomes as captured by k. Additionally, future research should aim to address the limitations associated with comparing gains and losses by developing methods that better control for differences in scale and context. The findings of this study highlight that gains and losses are measured on different scales, complicating direct comparisons. Integrating parameters that capture present bias and loss aversion more comprehensively could provide deeper insights into how individuals prioritize immediate versus delayed outcomes, enhancing the predictive accuracy of IS behavior models.
Research shows that there are scenarios where gains can have a similar or greater psychological effect than losses, challenging the universality of loss aversion. This perspective suggests that while loss aversion should be considered, it should not bias the interpretation of results toward a singular psychological viewpoint. Instead, a balanced approach that acknowledges variability across different contexts can provide more nuanced insights into IS decision-making.
A probabilistic sampling method needs to be implemented to generate representative samples in order to improve the generalizability of the findings to all SMEs and other organizations.
Future research should consider running a combined regression model with both SA and k-DISQ-L as predictors to determine if SA maintains its significance when k-DISQ-L is included. This could strengthen the conclusion that SA is a more robust predictor of behavior.
The use of nonreactive (i.e. not relying on self-reports and direct interaction with participants) observational measures represents a crucial task for future studies. Such measures could rely on logs at the organizations or on private devices but would require a careful assessment of privacy implications and its impact on respondents’ willingness to provide access to such data.
The subjects in this particular context and with the given survey frames might be better characterized by other discounting models. While this research paper explores the hyperbolic discounting function, another suggestion for future work involves a comparative analysis of other discounting models.
Finally, due to the highly dynamic nature of the IS field (i.e. evolving threats, novel vulnerabilities, new controls, etc.), it is highly unlikely that the same controls (which were investigated in the present study) will be regarded as best practice in a few years. To achieve reliable predictions about adaptive human behavior in a dynamic environment, it is crucial to identify invariant features of the entire system. At the conceptual level of constructs, attitudes, and DD may represent potential invariant constructs depending on their level of cross-cultural applicability. When invariant constructs are identified at the conceptual level, the task of accurately assessing the local parameters associated with the constructs (i.e. at the level of individuals or organizations) still remains. Therefore, further studies are needed to (i) discover other invariant constructs at the conceptual level and (ii) develop instruments that can reliably assess parameters of the constructs.
Conclusion
The main purpose of this paper was to explore how the construct of DD can be utilized to predict end-users’ IS control-related behavior in organizational settings. The DD concept has been used successfully to explain individual differences related to temporal trade-off decisions with various outcomes (e.g. monetary health, addiction, exercise, etc.), but there are also inconsistencies and mixed findings in the literature. Furthermore, there is a scarcity of investigations related to the links between DD and real-world IS control-related decisions. Therefore, this study provided a general overview about the concept of DD, its use in various contexts, and existing results about its use in explaining IS-related behaviors.
The study measured individual’s discounting factors by a validated psychometric instrument and developed two novel variants to capture context-specific details relevant in the field of IS. The predictive performance of the three instruments was assessed against an attitude-based measure, which represents the most useful construct for behavior prediction based on the literature.
Several findings are in line with expectations based on existing literature, such as attitudes being the best performing predictors of behaviors; low average discounting scores detected in the sample concurrently with high levels of compliance with IS security best practices—signifying that the results are not self-contradictory as people who have low DD k parameters tend to make more optimal choices, in general; thus, they might make more optimal IS-related decisions as well, compared to high discounters. However, some important results challenge prevailing views about DD, such as lack of detectable predictive power. DD seems to be a useful explanatory variable, but its predictive power in organizational contexts (where default IS settings are enforced) is negligible. The results suggest that employees highly value their time, particularly concerning potential losses in workflow or productivity at work, as evidenced by their predominant preference for the SIL options. DD with respect to losses (i.e. avoiding spending more time later in implementing a security control, but not in terms of losses due to potential data breaches) appears to be a more compelling motivator than the pursuit of gain (in terms of improved security).
Acknowledgments
The authors thank the anonymous reviewers for their valuable suggestions.
Author contribution
Marte Marjorie Søgnen (Conceptualization, Formal analysis, Investigation, Methodology, Resources, Supervision, Visualization, Writing–original draft, Writing–review & editing), Adam Szekeres (Conceptualization, Formal analysis, Investigation, Methodology, Resources, Supervision, Validation, Visualization, Writing–original draft, Writing–review & editing), Einar Arthur Snekkenes (Funding acquisition, Supervision, Validation)
Conflict of interest
None declared.
Funding
This work was partially supported by the Health Democratization project, funded by the Research Council of Norway, IKTPLUSS program, grant number 288856.
