[en] What drives employees to ensure security when handling information assets in organizations? There is growing interest from the security behavior community in how autonomous motivators shape employees’ security-related behaviors. To reconcile the scattered viewpoints on autonomous motivation and synthesize findings from studies utilizing various theoretical frameworks, we systematically reviewed relevant publications. We present a preregistered literature review that investigated (a) what forms of autonomous motivation have been examined in organizational security contexts, (b) which behaviors/behavioral intentions are related to autonomous motivators, and (c) how autonomous motivation affects employees’ security behaviors. Based on an initial set of 432 papers, filtered down to 45 studies, we identified 17 unique autonomous motivators and three types of related security behaviors. This review not only develops a refined taxonomy of autonomous motivation related to security behaviors but also charts a path forward for future research on autonomous motivation in human-centered security.
Research center :
Education, Culture, Cognition & Society (ECCS) > Institute of Cognitive Science and Assessment (COSA)
Disciplines :
Computer science
Author, co-author :
CHEN, Xiaowei ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS) > Cognitive Science and Assessment
Schöni, Lorin; ETH Zürich > Department of Humanities, Social and Political Sciences
Distler, Verena ✱; Aalto University > Computer Science
Zimmermann, Verena ✱; ETH Zürich > Department of Humanities, Social and Political Sciences
✱ These authors have contributed equally to this work.
External co-authors :
yes
Language :
English
Title :
Beyond Deterrence: A Systematic Review of the Role of Autonomous Motivation in Organizational Security Behavior Studies
Publication date :
26 April 2025
Event name :
2025 CHI Conference on Human Factors in Computing Systems
Event organizer :
Association of Computing Machinery
Event place :
Yokohama, Japan
Event date :
from 26 April to 1 May 2025
Audience :
International
Main work title :
Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems
Publisher :
Association of Computing Machinery, New York, United States
Pages :
1-28
Peer reviewed :
Peer reviewed
Focus Area :
Computational Sciences Security, Reliability and Trust Educational Sciences
Development Goals :
8. Decent work and economic growth 9. Industry, innovation and infrastructure
Author 1 acknowledges the financial support of the Institute for Advanced Studies at the University of Luxembourg through a Young Academic Grant (2021). The Doctoral School in Humanities and Social Sciences at the University of Luxembourg supported the project with the Research Support Grants for 2024 and 2025.
Anne Adams and Martina Angela Sasse. 1999. Users are not the enemy. Commun. ACM 42, 12 (1999), 40-46.
Icek Ajzen. 1991. The theory of planned behavior. Organizational behavior and human decision processes 50, 2 (1991), 179-211.
Icek Ajzen. 2020. The theory of planned behavior: Frequently asked questions. Human behavior and emerging technologies 2, 4 (2020), 314-324.
Saad Alahmari, Karen Renaud, and Inah Omoronyia. 2023. Moving beyond cyber security awareness and training to engendering security knowledge sharing. Information Systems and e-Business Management 21, 1 (2023), 123-158.
Yasser Alhelaly, Gurpreet Dhillon, and Tiago Oliveira. 2023. When expectation fails and motivation prevails: the mediating role of awareness in bridging the expectancy-capability gap in mobile identity protection. Computers & Security 134 (2023), 103470.
Rao Faizan Ali, PDD Dominic, Syed Emad Azhar Ali, Mobashar Rehman, and Abid Sohail. 2021. Information security behavior and information security policy compliance: A systematic literature review for identifying the transformation process from noncompliance to compliance. Applied Sciences 11, 8 (2021), 3383.
Rawan A Alsharida, Bander Ali Saleh Al-rimy, Mostafa Al-Emran, and Anazida Zainal. 2023. A systematic review of multi perspectives on human cybersecurity behavior. Technology in society 73 (2023), 102258.
Florian Alt, Mariam Hassib, and Verena Distler. 2023. Human-centered Behavioral and Physiological Security. In New Security Paradigms Workshop. ACM, Segovia Spain, 48-61. doi:10.1145/3633500.3633504
Steven Alter. 2014. Theory of Workarounds. Communications of the Association for Information Systems 34, 1 (2014), 55. http://aisel.aisnet.org/cais/vol34/iss1/55
Ahmed Alzahrani and Christopher Johnson. 2019. AHP-based Security decision making: How intention and intrinsic motivation affect policy compliance. International Journal of Advanced Computer Science and Applications 10, 6 (2019), 1-8.
Ahmed Alzahrani, Chris Johnson, and Saad Altamimi. 2018. Information security policy compliance: Investigating the role of intrinsic motivation towards policy compliance in the organisation. In 2018 4th international conference on information management (ICIM). IEEE, New York, NY, USA, 125-132.
Salim Awudu and Sotirios Terzis. 2023. Investigating Staff Information Security Policy Compliance in Electronic Identity Systems: The Ghanaian National Identity System. In International Conference for International Association for Development of the Information Society (IADIS): Proceedings of International Conferences e-society and Mobile Learning. ERIC, USA, 68-75.
Albert Bandura and Dale H Schunk. 1981. Cultivating competence, self-efficacy, and intrinsic interest through proximal self-motivation. Journal of personality and social psychology 41, 3 (1981), 586.
Adam Beautement, Ingolf Becker, Simon Parkin, Kat Krol, and M. Angela Sasse. 2016. Productive security: a scalable methodology for analysing employee security behaviours. In Proceedings of the Twelfth USENIX Conference on Usable Privacy and Security (Denver, CO, USA) (SOUPS '16). USENIX Association, USA, 253-270.
Adam Beautement, M. Angela Sasse, and Mike Wonham. 2008. The compliance budget: managing security behaviour in organisations. In Proceedings of the 2008 New Security Paradigms Workshop (Lake Tahoe, California, USA) (NSPW '08). Association for Computing Machinery, New York, NY, USA, 47-58. doi:10. 1145/1595676.1595684
Ingolf Becker, Simon Parkin, and M Angela Sasse. 2017. Finding security champions in blends of organisational culture. In Proceedings of the 2nd European Workshop on Usable Security, Vol. 11. Internet Society, Paris, France, 124.
Daniel Bennett and Elisa Mekler. January 2024. Beyond Intrinsic Motivation: The Role of Autonomous Motivation in User Experience. ACM Transactions on Computer-Human Interaction 1, 1 (January 2024), 1-44.
Benjamin Maximilian Berens, Florian Schaub, Mattia Mossano, and Melanie Volkamer. 2024. Better Together: The Interplay Between a Phishing Awareness Video and a Link-centric Phishing Support Tool. In Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems (Honolulu, HI, USA) (CHI '24). Association for Computing Machinery, New York, NY, USA, Article 826, 60 pages. doi:10.1145/3613904.3642843
John F. Binning. 2016. Construct. https://www.britannica.com/science/construct. Encyclopedia Britannica.
John M Blythe and Lynne Coventry. 2018. Costly but effective: Comparing the factors that influence employee anti-malware behaviours. Computers in Human Behavior 87 (2018), 87-97.
John M Blythe, Lynne Coventry, and Linda Little. 2015. Unpacking security policy compliance: The motivators and barriers of employees' security behaviors. In Eleventh Symposium On Usable Privacy and Security ({SOUPS} 2015). Usenix, Berkeley, CA, USA, 103-122.
Nele Borgert, Luisa Jansen, Imke Bose, Jennifer Friedauer, M Angela Sasse, and Malte Elson. 2024. Self-Efficacy and Security Behavior: Results from a Systematic Review of Research Methods. In Proceedings of the CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery, Honolulu, USA, 1-32.
Sharon S Brehm and Jack W Brehm. 2013. Psychological reactance: A theory of freedom and control. Academic Press, New York, USA.
Burcu Bulgurcu, Hasan Cavusoglu, and Izak Benbasat. 2010. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS quarterly 34, 3 (2010), 523-548.
Pavlo Burda, Luca Allodi, and Nicola Zannone. 2020. Don't forget the human: a crowdsourced approach to automate response and containment against spear phishing attacks. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, New York, NY, USA, 471-476.
Pavlo Burda, Luca Allodi, and Nicola Zannone. 2024. Cognition in social engineering empirical research: a systematic literature review. ACM Transactions on Computer-Human Interaction 31, 2 (2024), 1-55.
AJ Burns, Tom L Roberts, Clay Posey, Paul Benjamin Lowry, and Bryan Fuller. 2023. Going beyond deterrence: A middle-range theory of motives and controls for insider computer abuse. Information Systems Research 34, 1 (2023), 342-362.
Hao Chen and Wenli Li. 2019. Understanding commitment and apathy in is security extra-role behavior from a person-organization fit perspective. Behaviour & Information Technology 38, 5 (2019), 454-468.
Xiaowei Chen, Sophie Doublet, and Verena Distler. 2024. Making Motivation Theories Accessible: Introducing Motivation Cards to Map Motivators for Security and Privacy Education. In S&PEI Workshop of the Twentieth Symposium on Usable Privacy and Security (SOUPS 2024).
Xiaowei Chen, Sophie Doublet, Anastasia Sergeeva, Gabriele Lenzini, Vincent Koenig, and Verena Distler. 2024. What Motivates and Discourages Employees in Phishing Interventions: An Exploration of Expectancy-Value Theory. In Twentieth Symposium on Usable Privacy and Security (SOUPS 2024). Usenix, Berkely, CA, USA, 487-506.
Xiaowei Chen, Margault Sacre, Gabriele Lenzini, Samuel Greiff, Verena Distler, and Anastasia Sergeeva. 2024. The Effects of Group Discussion and Roleplaying Training on Self-efficacy, Support-seeking, and Reporting Phishing Emails: Evidence from a Mixed-design Experiment. In Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems (Honolulu, HI, USA) (CHI '24). Association for Computing Machinery, New York, NY, USA, Article 829, 21 pages. doi:10.1145/3613904.3641943
Xiaowei Chen, Verena Zimmermann, Lorin Schoni, and Verena Distler. 2024. Systematic literature review on autonomous motivation in organizational cybersecurity behaviors. https://osf.io/jxtk9.
W Alec Cram, John D'arcy, and Jeffrey G Proudfoot. 2019. Seeing the forest and the trees: a meta-analysis of the antecedents to information security policy compliance. MIS quarterly 43, 2 (2019), 525-554.
Russell Cropanzano and Marie S Mitchell. 2005. Social exchange theory: An interdisciplinary review. Journal of management 31, 6 (2005), 874-900.
Robert E Crossler, Allen C Johnston, Paul Benjamin Lowry, Qing Hu, Merrill Warkentin, and Richard Baskerville. 2013. Future directions for behavioral information security research. computers & security 32 (2013), 90-101.
Joseph Da Silva and Rikke Bjerg Jensen. 2022. " Cyber security is a dark art": The CISO as Soothsayer. Proceedings of the ACM on Human-Computer Interaction 6, CSCW2 (2022), 1-31.
John D'Arcy, Anat Hovav, and Dennis Galletta. 2009. User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information systems research 20, 1 (2009), 79-98.
Joshua Davis, Deepti Agrawal, and Xiang Guo. 2023. Enhancing users' security engagement through cultivating commitment: the role of psychological needs fulfilment. European Journal of Information Systems 32, 2 (2023), 195-206.
Joshua M Davis, Deepti Agrawal, and Obi Ogbanufe. 2025. Shaping extra-role security behaviors through employee-agent relations: A dual-channel motivational perspective. International Journal of Information Management 80 (2025), 102833.
Edward L Deci and Richard M Ryan. 2008. Facilitating optimal motivation and psychological well-being across life's domains. Canadian psychology/Psychologie canadienne 49, 1 (2008), 14.
Edward L Deci and Richard M Ryan. 2008. Self-determination theory: A macrotheory of human motivation, development, and health. Canadian psychology/ Psychologie canadienne 49, 3 (2008), 182.
Edward L Deci and Richard M Ryan. 2014. The importance of universal psychological needs for understanding motivation in the workplace. The Oxford handbook of work engagement, motivation, and self-determination theory 13 (2014), 13-32.
Gurpreet Dhillon, Yurita Yakimini Abdul Talib, and Winnie Ng Picoto. 2020. The mediating role of psychological empowerment in information security compliance intentions. Journal of the Association for Information Systems 21, 1 (2020), 5.
Antonio Diaz Andrade, Monideepa Tarafdar, RobertMDavison, Andrew Hardin, Angsana A Techatassanasoontorn, Paul Benjamin Lowry, Sutirtha Chatterjee, and Gerhard Schwabe. 2023. The importance of theory at the Information Systems Journal. Information Systems Journal 33 (2023), 693-702.
Verena Distler. 2023. The Influence of Context on Response to Spear-Phishing Attacks: an In-Situ Deception Study. In Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems. ACM, Hamburg Germany, 1-18. doi:10. 1145/3544548.3581170
P Drogkaris and A Bourka. 2019. Cybersecurity culture guidelines: Behavioural aspects of cybersecurity. European Union Agency for Network and Information Security (ENISA) (2019).
Jacquelynne S Eccles and Allan Wigfield. 1995. In the mind of the actor: The structure of adolescents' achievement task values and expectancy-related beliefs. Personality and social psychology bulletin 21, 3 (1995), 215-225.
Jacquelynne S Eccles and Allan Wigfield. 2020. From expectancy-value theory to situated expectancy-value theory: A developmental, social cognitive, and sociocultural perspective on motivation. Contemporary educational psychology 61 (2020), 101859.
Cori Faklaris, Laura A Dabbish, and Jason I Hong. 2019. A self-report measure of end-user security attitudes (SA-6). In Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019). USENIX, Santa Clara, USA, 61-77.
Muriel Frank and Clara Ament. 2021. How motivation shapes the sharing of information security incident experience. In Proceedings of the 54th Hawaii International Conference on System Sciences. ScholarSpace, Hawaii, USA, 4528- 4537.
Muriel Frank and Vanessa Kohn. 2023. Understanding extra-role security behaviors: An integration of self-determination theory and construal level theory. Computers & Security 132 (2023), 103386.
Anjuli Franz, Verena Zimmermann, Gregor Albrecht, Katrin Hartwig, Christian Reuter, Alexander Benlian, and Joachim Vogt. 2021. SoK: still plenty of phish in the sea-A taxonomy of user-oriented phishing interventions and avenues for future research. In Proceedings of the Seventeenth USENIX Conference on Usable Privacy and Security (SOUPS'21). USENIX Association, USA, Article 18, 19 pages.
Trevor Gabriel and Steven Furnell. 2011. Selecting security champions. Computer Fraud & Security 2011, 8 (2011), 8-12.
Yotamu Gangire, Adele Da Veiga, and Marlien Herselman. 2021. Assessing information security behaviour: A self-determination theory perspective. Information & Computer Security 29, 4 (2021), 625-646.
Cornelia Gerdenitsch, DanielaWurhofer, and Manfred Tscheligi. 2023. Working conditions and cybersecurity: Time pressure, autonomy and threat appraisal shaping employees' security behavior. Cyberpsychology: Journal of Psychosocial Research on Cyberspace 17, 4 (2023), 19.
Zhiwei Guan, Shirley Lee, Elisabeth Cuddihy, and Judith Ramey. 2006. The validity of the stimulated retrospective think-aloud method as measured by eye tracking. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montreal, Quebec, Canada) (CHI '06). Association for Computing Machinery, New York, NY, USA, 1253-1262. doi:10.1145/1124772.1124961
Ken H Guo, Yufei Yuan, Norman P Archer, and Catherine E Connelly. 2011. Understanding nonmalicious security violations in the workplace: A composite behavior model. Journal of management information systems 28, 2 (2011), 203- 236.
Marco Gutfleisch, Markus Schops, Stefan Albert Horstmann, Daniel Wichmann, and M. Angela Sasse. 2023. Security Champions Without Support: Results from a Case Study with OWASP SAMM in a Large-Scale E-Commerce Enterprise. In Proceedings of the 2023 European Symposium on Usable Security (Copenhagen, Denmark) (EuroUSEC '23). Association for Computing Machinery, New York, NY, USA, 260-276. doi:10.1145/3617072.3617115
Steffi Haag, Mikko Siponen, and Fufan Liu. 2021. Protection motivation theory in information systems security research: A review of the past and a road map for the future. ACM SIGMIS Database: the DATABASE for Advances in Information Systems 52, 2 (2021), 25-67.
JR Hackman. 1976. Motivation through the design work: Test of the theory. Organizational Behavior and Human Performance 16 (1976), 250-279.
Neal R Haddaway, Matthew J Page, Chris C Pritchard, and Luke A McGuinness. 2022. PRISMA2020: An R package and Shiny app for producing PRISMA 2020- compliant flow diagrams, with interactivity for optimised digital transparency and Open Synthesis. Campbell systematic reviews 18, 2 (2022), e1230.
Felix Haeussinger and Johann Kranz. 2013. Information security awareness: Its antecedents and mediating effects on security compliant behavior. In Thirty Fourth International Conference on Information Systems. Citeseer, Milan, 1-16.
Julie M Haney and Wayne G Lutters. 2019. Motivating cybersecurity advocates: Implications for recruitment and retention. In Proceedings of the 2019 on Computers and People Research Conference. Association for Computing Machinery, New York, NY, USA, 109-117.
Tejaswini Herath and H Raghav Rao. 2009. Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision support systems 47, 2 (2009), 154-165.
Cormac Herley. 2009. So long, and no thanks for the externalities: the rational rejection of security advice by users. In Proceedings of the 2009Workshop on New Security ParadigmsWorkshop (Oxford, United Kingdom) (NSPW'09). Association for Computing Machinery, New York, NY, USA, 133-144. doi:10.1145/1719030. 1719050
Jonas Hielscher, Annette Kluge, Uta Menges, and M Angela Sasse. 2021. "taking out the trash": Why security behavior change requires intentional forgetting. In Proceedings of the 2021 New Security Paradigms Workshop. Association for Computing Machinery, Virtual Event, USA, 108-122.
Jonas Hielscher, Uta Menges, Simon Parkin, Annette Kluge, and M. Angela Sasse. 2023. "Employees who don't accept the time security takes are not aware enough": the CISO view of human-centred security. In Proceedings of the 32nd USENIX Conference on Security Symposium (Anaheim, CA, USA) (SEC '23). USENIX Association, USA, Article 130, 18 pages.
Jonas Hielscher and Simon Parkin. 2024. " What Keeps People Secure is That They Met The Security Team": Deconstructing Drivers And Goals of Organizational Security Awareness. In 33nd USENIX Security Symposium (USENIX Security 23). USENIX, Philadephia, USA, 3295-3312.
Jonas Hielscher, Markus Schops, Uta Menges, Marco Gutfleisch, Mirko Helbling, and M. Angela Sasse. 2023. Lacking the tools and support to fix friction: results from an interview study with security managers. In Proceedings of the Nineteenth USENIX Conference on Usable Privacy and Security (Anaheim, CA, USA) (SOUPS '23). USENIX Association, USA, Article 8, 20 pages.
Duncan Hodges and Oliver Buckley. 2017. Its not all about the money: Selfefficacy and motivation in defensive and offensive cyber security professionals. In Human Aspects of Information Security, Privacy and Trust: 5th International Conference, HAS 2017, Held as Part of HCI International 2017, Vancouver, BC, Canada, July 9-14, 2017, Proceedings 5. Springer, Berlin/Heidelberg, Germany, 494-506.
Yuxiang Hong and Mengyi Xu. 2021. Autonomous motivation and information security policy compliance: role of job satisfaction, responsibility, and deterrence. Journal of Organizational and End User Computing (JOEUC) 33, 6 (2021), 1-17.
Princely Ifinedo. 2014. Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management 51, 1 (2014), 69-79.
Sitwala Imenda. 2014. Is there a conceptual difference between theoretical and conceptual frameworks? Journal of social sciences 38, 2 (2014), 185-195.
Philip G. Inglesant and M. Angela Sasse. 2010. The true cost of unusable password policies: password use in the wild. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Atlanta, Georgia, USA) (CHI '10). Association for Computing Machinery, New York, NY, USA, 383-392. doi:10.1145/1753326.1753384
Lennart Jaeger and Andreas Eckhardt. 2021. Eyes wide open: The role of situational information security awareness for security-related behaviour. Information Systems Journal 31, 3 (2021), 429-472.
Soohyun Jeon and Anat Hovav. 2015. Empowerment or control: Reconsidering employee security policy compliance in terms of authorization. In 2015 48th Hawaii International Conference on System Sciences. IEEE, New York, NY, USA, 3473-3482.
Soohyun Jeon, Anat Hovav, Jinyoung Han, and Steven Alter. 2018. Rethinking the prevailing security paradigm: can user empowerment with traceability reduce the rate of security policy circumvention? ACM SIGMIS Database: the DATABASE for Advances in Information Systems 49, 3 (2018), 54-77.
Soohyun Jeon, Insoo Son, and Jinyoung Han. 2020. Exploring the role of intrinsic motivation in ISSP compliance: enterprise digital rights management system case. Information Technology & People 34, 2 (2020), 599-616.
Soohyun Jeon, Insoo Son, and Jinyoung Han. 2023. Understanding employee's emotional reactions to ISSP compliance: focus on frustration from security requirements. Behaviour & Information Technology 42, 13 (2023), 2093-2110.
Heidi Julien, Jen JL Pecoskie, and Kathleen Reed. 2011. Trends in information behavior research, 1999-2008: A content analysis. Library & Information Science Research 33, 1 (2011), 19-24.
Kristian Kannelonning and Sokratis K Katsikas. 2023. A systematic literature review of how cybersecurity-related behavior has been assessed. Information & Computer Security 31, 4 (2023), 463-477.
Herbert C Kelman. 1958. Compliance, identification, and internalization three processes of attitude change. Journal of conflict resolution 2, 1 (1958), 51-60.
Johann Kranz and Felix Haeussinger. 2014. Why deterrence is not enough: The role of endogenous motivations on employees' information security behavior. In Thirty Fifth International Conference on Information Systems. Association for Information Systems, Atlanta, GA, USA, 1-14.
Kuang-Ming Kuo, Paul C Talley, and Chi-Hsien Huang. 2020. A meta-analysis of the deterrence theory in security-compliant and security-risk behaviors. Computers & Security 96 (2020), 101928.
Dominika Kwasnicka, Stephan U Dombrowski, Martin White, and Falko Sniehotta. 2016. Theoretical explanations for maintenance of behaviour change: a systematic review of behaviour theories. Health psychology review 10, 3 (2016), 277-296.
Richard S Lazarus. 1991. Cognition and motivation in emotion. American psychologist 46, 4 (1991), 352.
Benedikt Lebek, Jorg Uffen, Michael H Breitner, Markus Neumann, and Bernd Hohler. 2013. Employees' information security awareness and behavior: A literature review. In 2013 46th Hawaii International Conference on System Sciences. IEEE, Hawaii, USA, 2978-2987.
Benedikt Lebek, Jorg Uffen, Markus Neumann, Bernd Hohler, and Michael H. Breitner. 2014. Information security awareness and behavior: a theory-based literature review. Management Research Review 37, 12 (2014), 1049-1092.
Daeun Lee, Harjinder Singh Lallie, and Nadine Michaelides. 2023. The impact of an employee's psychological contract breach on compliance with information security policies: intrinsic and extrinsic motivation. Cognition, Technology & Work 25, 2 (2023), 273-289.
Han Li, Rathindra Sarathy, Jie Zhang, and Xin Luo. 2014. Exploring the effects of organizational justice, personal ethics and sanction on internet use policy compliance. Information Systems Journal 24, 6 (2014), 479-502.
Rachid Ait Maalem Lahcen, Bruce Caulkins, Ram Mohapatra, and Manish Kumar. 2020. Review and insight on the behavioral aspects of cybersecurity. Cybersecurity 3 (2020), 1-18.
Philip Menard, Gregory J Bott, and Robert E Crossler. 2017. User motivations in protecting information security: Protection motivation theory versus selfdetermination theory. Journal of Management Information Systems 34, 4 (2017), 1203-1230.
Uta Menges, Jonas Hielscher, Laura Kocksch, Annette Kluge, and M. Angela Sasse. 2023. Caring Not Scaring - An Evaluation of aWorkshop to Train Apprentices as Security Champions. In Proceedings of the 2023 European Symposium on Usable Security (Copenhagen, Denmark) (EuroUSEC '23). Association for Computing Machinery, New York, NY, USA, 237-252. doi:10.1145/3617072.3617099
John P Meyer, Natalie J Allen, and Catherine A Smith. 1993. Commitment to organizations and occupations: Extension and test of a three-component conceptualization. Journal of applied psychology 78, 4 (1993), 538.
Marianne Miserandino. 1996. Children who do well in school: Individual differences in perceived competence and autonomy in above-average children. Journal of educational psychology 88, 2 (1996), 203.
David Moher, Alessandro Liberati, Jennifer Tetzlaff, Douglas G Altman, Prisma Group, et al. 2010. Preferred reporting items for systematic reviews and metaanalyses: the PRISMA statement. International journal of surgery 8, 5 (2010), 336-341.
Gregory D Moody, Mikko Siponen, and Seppo Pahnila. 2018. Toward a unified model of information security policy compliance. MIS quarterly 42, 1 (2018), 285-A22.
Frederick P Morgeson and Stephen E Humphrey. 2006. The Work Design Questionnaire (WDQ): developing and validating a comprehensive measure for assessing job design and the nature of work. Journal of applied psychology 91, 6 (2006), 1321.
Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, and Matthew Smith. 2020. On Conducting Security Developer Studies with CS Students: Examining a Password-Storage Study with CS Students, Freelancers, and Company Developers. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (Honolulu, HI, USA) (CHI '20). Association for Computing Machinery, New York, NY, USA, 1-13. doi:10.1145/3313831.3376791
Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, Emanuel von Zezschwitz, and Matthew Smith. 2019. "If you want, I can store the encrypted password": A Password-Storage Field Study with Freelance Developers. In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems (Glasgow, Scotland Uk) (CHI '19). Association for Computing Machinery, New York, NY, USA, 1-12. doi:10.1145/3290605.3300370
Jeanne Nakamura, Mihaly Csikszentmihalyi, et al. 2009. Flow theory and research. Handbook of positive psychology 195 (2009), 206.
Jakub Stepan Novak, Jan Masner, Petr Benda, Pavel Simek, and Vojtech Merunka. 2024. Eye Tracking, Usability, and User Experience: A Systematic Review. International Journal of Human-Computer Interaction 40, 17 (Sept. 2024), 4484- 4500. doi:10.1080/10447318.2023.2221600
Obi Ogbanufe and Ling Ge. 2023. A comparative evaluation of behavioral security motives: Protection, intrinsic, and identity motivations. Computers & Security 128 (2023), 103136.
Obi Ogbanufe, Russell Torres, and Katia Guerra. 2023. BYOA and Security: Examining Perspective-Taking and Self-Determination. Journal of Computer Information Systems 2023 (2023), 1-17.
Keshnee Padayachee. 2012. Taxonomy of compliant information security behavior. Computers & Security 31, 5 (2012), 673-680.
Minjung Park and Sangmi Chai. 2018. Internalization of information security policy and information security practice: A comparison with compliance. In 51st Hawaii International Conference on System Sciences. University of Hawai'i, Hawai'i, USA, 4723-4731.
Douglas D Perkins and Marc A Zimmerman. 1995. Empowerment theory, research, and application. American journal of community psychology 23 (1995), 569-579.
Clay Posey, Tom Roberts, Paul Benjamin Lowry, Becky Bennett, and James Courtney. 2010. Insiders' Protection of Organizational Information Assets: A Multidimensional Scaling Study of Protection-Motivated Behaviors. In Roode Workshop on IS Security Research. SSRN, Boston, MA, USA, 233-277.
Clay Posey, Tom Roberts, Paul Benjamin Lowry, James Courtney, and Becky Bennett. 2011. Motivating the insider to protect organizational information assets: Evidence from protection motivation theory and rival explanations. In The Dewald Roode workshop in information systems security. SSRN, Kennesaw, GA, 1-51.
Clay Posey, Tom L Roberts, and Paul Benjamin Lowry. 2015. The impact of organizational commitment on insiders' motivation to protect organizational information assets. Journal of Management Information Systems 32, 4 (2015), 179-214.
Clay Posey, Tom L Roberts, Paul Benjamin Lowry, Rebecca J Bennett, and James F Courtney. 2013. Insiders' protection of organizational information assets: Development of a systematics-based taxonomy and theory of diversity for protection-motivated behaviors. Mis Quarterly 37, 4 (2013), 1189-1210.
Travis C Pratt, Francis T Cullen, Kristie R Blevins, Leah E Daigle, and Tamara D Madensen. 2006. The empirical status of deterrence theory: A meta-analysis. In Taking stock: The status of criminological theory. Transaction Publishers, New Jersey, USA, 367-395.
Johnmarshall Reeve, Edward L Deci, and Richard M Ryan. 2004. Selfdetermination theory: a dialectical framework for understanding sociocultural influences on student. Big theories revisited 4 (2004), 31.
Ronald W Rogers. 1975. A protection motivation theory of fear appeals and attitude change1. The journal of psychology 91, 1 (1975), 93-114.
Benjamin D Rosenberg and Jason T Siegel. 2018. A 50-year review of psychological reactance theory: Do not read this article. Motivation Science 4, 4 (2018), 281.
Richard M Ryan. 2017. Self-determination theory: Basic psychological needs in motivation, development, and wellness. Guilford Press, New York, USA.
Richard M Ryan and Edward L Deci. 2000. Intrinsic and extrinsic motivations: Classic definitions and new directions. Contemporary educational psychology 25, 1 (2000), 54-67.
Richard M Ryan and Edward L Deci. 2020. Intrinsic and extrinsic motivation from a self-determination theory perspective: Definitions, theory, practices, and future directions. Contemporary educational psychology 61 (2020), 101860.
Richard M Ryan, Edward L Deci, et al. 2002. Overview of self-determination theory: An organismic dialectical perspective. Handbook of self-determination research 2, 3-33 (2002), 36.
Nader Sohrabi Safa and Rossouw Von Solms. 2016. An information security knowledge sharing model in organizations. Computers in Human Behavior 57 (2016), 442-451.
M. Angela Sasse, Jonas Hielscher, Jennifer Friedauer, and Annalina Buckmann. 2023. Rebooting IT Security Awareness - How Organisations Can Encourage and Sustain Secure Behaviours. In Computer Security. ESORICS 2022 International Workshops: CyberICPS 2022, SECPRE 2022, SPOSE 2022, CPS4CIP 2022, CDT&SECOMANE 2022, EIS 2022, and SecAssure 2022, Copenhagen, Denmark, September 26-30, 2022, Revised Selected Papers (Copenhagen, Denmark). Springer- Verlag, Berlin, Heidelberg, 248-265. doi:10.1007/978-3-031-25460-4_14
Yukiko Sawaya, Mahmood Sharif, Nicolas Christin, Ayumu Kubota, Akihiro Nakarai, and Akira Yamada. 2017. Self-confidence trumps knowledge: A crosscultural study of security behavior. In Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery, Denver, USA, 2202-2214.
Lorin Schoni, Victor Carles, Martin Strohmeier, Peter Mayer, and Verena Zimmermann. 2024. You Know What?-Evaluation of a Personalised Phishing Training Based on Users' Phishing Knowledge and Detection Skills. In The 2024 European Symposium on Usable Security. Association for Computing Machinery, Karlstad, Sweden, 1-14.
Michiel Schotten, Wim JN Meester, Susanne Steiginga, Cameron A Ross, et al. 2017. A brief history of Scopus: Theworld's largest abstract and citation database of scientific literature. In Research analytics. Auerbach Publications, Boca Raton, FL, USA, 31-58.
Dale H Schunk and Maria K DiBenedetto. 2020. Motivation and social cognitive theory. Contemporary educational psychology 60 (2020), 101832.
Scott E Seibert, Gang Wang, and Stephen H Courtright. 2011. Antecedents and consequences of psychological and team empowerment in organizations: a meta-analytic review. Journal of applied psychology 96, 5 (2011), 981.
Ahmad Bakhtiyari Shahri, Zuraini Ismail, and Shahram Mohanna. 2016. The impact of the security competency on "self-efficacy in information security" for effective health information security in Iran. Journal of medical systems 40 (2016), 1-9.
Susan P Shapiro. 2005. Agency theory. Annu. Rev. Sociol. 31, 1 (2005), 263-284.
Alireza Shojaifar, Samuel A Fricker, and Martin Gwerder. 2020. Automating the communication of cybersecurity knowledge: Multi-case study. In Information Security Education. Information Security in Action. WISE 2020. IFIP Advances in Information and Communication Technology. Springer, Cham, Switzerland, 110-124.
Mario Silic and Paul Benjamin Lowry. 2020. Using design-science based gamification to improve organizational security training and compliance. Journal of management information systems 37, 1 (2020), 129-161.
Gavin R Slemp, Mark A Lee, and LaraH Mossman. 2021. Interventions to support autonomy, competence, and relatedness needs in organizations: A systematic review with recommendations for research and practice. Journal of Occupational and Organizational Psychology 94, 2 (2021), 427-457.
Teodor Sommestad, Henrik Karlzen, and Jonas Hallberg. 2019. The theory of planned behavior and information security policy compliance. Journal of Computer Information Systems 59:4 (2019), 344-353.
Jai-Yeol Son. 2011. Out of fear or desire? Toward a better understanding of employees' motivation to follow IS security policies. Information & Management 48, 7 (2011), 296-302.
Paul E Spector. 1982. Behavior in organizations as a function of employee's locus of control. Psychological bulletin 91, 3 (1982), 482.
Gretchen M Spreitzer. 1995. Psychological empowerment in the workplace: Dimensions, measurement, and validation. Academy of management Journal 38, 5 (1995), 1442-1465.
Jeffrey M Stanton, Kathryn R Stam, Paul Mastrangelo, and Jeffrey Jolton. 2005. Analysis of end user security behaviors. Computers & security 24, 2 (2005), 124-133.
Dan N Stone, Edward L Deci, and Richard M Ryan. 2009. Beyond talk: Creating autonomous motivation through self-determination theory. Journal of general management 34, 3 (2009), 75-91.
Noor Suhani Sulaiman, Muhammad Ashraf Fauzi, Walton Wider, Jegatheesan Rajadurai, Suhaidah Hussain, and Siti Aminah Harun. 2022. Cyber-information security compliance and violation behaviour in organisations: A systematic review. Social Sciences 11, 9 (2022), 386.
Robert I Sutton and Barry M Staw. 1995. What theory is not. Administrative science quarterly 40:3 (1995), 371-384.
Maja Tadic Vujcic, Wido GM Oerlemans, and Arnold B Bakker. 2017. How challenging was your work today? The role of autonomous work motivation. European Journal of Work and Organizational Psychology 26, 1 (2017), 81-93.
Mohammad Tahaei, Alisa Frik, and Kami Vaniea. 2021. Privacy champions in software teams: Understanding their motivations, strategies, and challenges. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems. 1-15.
Yurita Abdul Talib and Gurpreet Dhillon. 2015. Employee ISP compliance intentions: an empirical test of empowerment. In Thirty Sixth International Conference of Information Systems,. Association for Information Systems, Fort Worth, USA, 1-19.
Gurvirender PS Tejay and Zareef A Mohammed. 2023. Cultivating security culture for information security success: A mixed-methods study based on anthropological perspective. Information & Management 60, 3 (2023), 103751.
Kenneth W Thomas and Betty A Velthouse. 1990. Cognitive elements of empowerment: An "interpretive" model of intrinsic task motivation. Academy of management review 15, 4 (1990), 666-681.
April Tyack and Elisa D. Mekler. 2020. Self-Determination Theory in HCI Games Research: Current Uses and Open Questions. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (Honolulu, HI, USA) (CHI '20). Association for Computing Machinery, New York, NY, USA, 1-22. doi:10.1145/3313831.3376723
Daniel Udo-Akang. 2012. Theoretical constructs, concepts, and applications. American International Journal of Contemporary Research 2, 9 (2012), 89-97.
O Van den Akker, GJY Peters, C Bakker, R Carlsson, NA Coles, KS Corker, G Feldman, DT Mellor, D Moreau, T Nordstrom, et al. 2020. Generalized systematic review registration form.
Ali Vedadi, Merrill Warkentin, Detmar W Straub, and Jordan Shropshire. 2024. Fostering information security compliance as organizational citizenship behavior. Information & Management 61, 5 (2024), 103968.
Antje C. Venjakob and Claudia R. Mello-Thoms. 2015. Review of prospects and challenges of eye tracking in volumetric imaging. Journal of Medical Imaging 3, 1 (Sept. 2015), 011002. doi:10.1117/1.JMI.3.1.011002 Publisher: SPIE.
Alexandra von Preuschen, Monika C Schuhmacher, and Verena Zimmermann. 2024. Beyond fear and frustration-towards a holistic understanding of emotions in cybersecurity. In Twentieth Symposium on Usable Privacy and Security (SOUPS 2024). USENIX Association, Philadephia, USA, 623-642.
Maximilian von Welck, Manuel Trenz, Tina Blegind Jensen, and Daniel Veit. 2017. Empowerment and BYOx: Towards Improved IS Security Compliance. In 38th International Conference on Information Systems: Transforming Society with Digital Innovation, ICIS 2017: Transforming Society with Digital Innovation. Association for Information Systems, Atlanta, GA, USA, 1-11.
Joan IJWagner, Greta Cummings, Donna L Smith, Joanne Olson, Lynn Anderson, and Sharon Warren. 2010. The relationship between structural empowerment and psychological empowerment for nurses: a systematic review. Journal of nursing management 18, 4 (2010), 448-462.
Rene Walendy, Markus Weber, Jingjie Li, Steffen Becker, Carina Wiesen, Malte Elson, Younghyun Kim, Kassem Fawaz, Nikol Rummel, and Christof Paar. 2024. I see an IC: A Mixed-Methods Approach to Study Human Problem-Solving Processes in Hardware Reverse Engineering. In Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems (Honolulu, HI, USA) (CHI '24). Association for Computing Machinery, New York, NY, USA, Article 831, 20 pages. doi:10.1145/3613904.3642837
Jeffrey DWall, Prashant Palvia, and Paul Benjamin Lowry. 2013. Control-related motivations and information security policy compliance: The role of autonomy and efficacy. Journal of Information Privacy and Security 9, 4 (2013), 52-79.
Zikai AlexWen, Zhiqiu Lin, Rowena Chen, and Erik Andersen. 2019. What. hack: engaging anti-phishing training through a role-playing phishing simulation game. In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery, Glasgow, Scotland, Uk, 1-12.
Alma Whitten and J. D. Tygar. 1999. Why Johnny can't encrypt: a usability evaluation of PGP 5.0. In Proceedings of the 8th Conference on USENIX Security Symposium - Volume 8 (Washington, D.C.) (SSYM'99). USENIX Association, USA, 14.
Allan Wigfield and Jacquelynne S Eccles. 2000. Expectancy-value theory of achievement motivation. Contemporary educational psychology 25, 1 (2000), 68-81.
Robert Willison and Merrill Warkentin. 2013. Beyond deterrence: An expanded view of employee computer abuse. MIS quarterly 37, 1 (2013), 1-20.
Michael Workman, William H. Bommer, and Detmar Straub. 2008. Security lapses and the omission of information security measures: A threat control model and empirical test. Comput. Hum. Behav. 24, 6 (Sept. 2008), 2799-2816. doi:10.1016/j.chb.2008.04.005
Ning Yang, Tripti Singh, and Allen Johnston. 2020. A Replication Study of User Motivation in Protecting Information Security using Protection Motivation Theory and Self Determination Theory. AIS Transactions on Replication Research 6, 1 (2020), 10.
Verena Zimmermann, Lorin Schoni, Thierry Schaltegger, Benjamin Ambuehl, Melanie Knieps, and Nico Ebert. 2024. Human-Centered Cybersecurity Revisited: From Enemies to Partners. Commun. ACM 67, 11 (Oct. 2024), 72-81. doi:10. 1145/3665665
Yixin Zou, Khue Le, Peter Mayer, Alessandro Acquisti, Adam J Aviv, and Florian Schaub. April, 2024. Encouraging Users to Change Breached Passwords Using the Protection Motivation Theory. ACM Transactions on Computer-Human Interaction 1, 1 (April, 2024), 1-45.
Mary Ellen Zurko and Richard T. Simon. 1996. User-centered security. In Proceedings of the 1996 Workshop on New Security Paradigms (Lake Arrowhead, California, USA) (NSPW '96). Association for Computing Machinery, New York, NY, USA, 27-33. doi:10.1145/304851.304859
