The quest for complete security: An empirical analysis of users’ multi-layered protection from security threats

Individuals can perform many different behaviors to protect themselves from computer security threats. Research, however, generally explores computer security behaviors in isolation, typically looking at one behavior per study, such as usage of malware or strong passwords. However, defense in depth requires that multiple behaviors be performed concurrently for one’s computer to be protected. Addressing this gap in prior research, this study measures 279 individuals’ computer security behaviors and analyzes them with multi-dimensional scaling. We examined three security threats: security related performance degradation, identify theft, and data loss. The results present a mapping of security behaviors performed together with other behaviors on two dimensions for each of these threats. Using expert reviews of the resulting dimensions, the study proposes that response efficacy and response cost help explain why people perform certain behaviors together. These findings can help explain inconsistent results in prior information security research because they focused on one behavior only whereas people perform various security behaviors together in an effort to mitigate specific security threats. The study informs research and practice by identifying security threat-response pairs via expert interviews, surveying individuals on how they perform multiple security behaviors concurrently to mitigate security threats, identifying why certain behaviors are performed together, and using these findings to identify reasons why IS security research has confounding results based on specific individual threat-response pairs used in prior studies.