Abstract
This study presents an empirical investigation of factors affecting small- and medium-sized business (SMB) executives’ decision to adopt anti-malware software for their organizations. A research model was developed by adopting and expanding the protection motivation theory from health psychology, which has successfully been used to investigate the effect of threat and coping appraisal on protective actions. A questionnaire-based field survey with 239 U.S. SMB executives was conducted, and the data were analyzed using partial least squares (PLS). This study demonstrates that threat and coping appraisal successfully predict SMB executives’ anti-malware software adoption intention, leading to SMB adoption. In addition, considerable variance in adoption intention and actual SMB adoption is addressed by social influence from key stakeholders and situation-specific variables, such as IT budget and vendor support. Further, the generalizability of the model was tested using industry type and IS expertise. The adoption intention of IS experts and IT intensive industries was mainly affected by threat appraisal and social influence, while that of non-IS experts and non-IT intensive industries was significantly influenced by coping appraisal and IT budget. Vendor support was a key facilitator of the anti-malware adoption for IS experts and IT intensive industry groups, while IT budget was for non-IS expert and non-IT intensive industry groups. Key implications for theory and practice are discussed.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Addis M (2003) Basic skills and small business competitiveness: some conceptual considerations. Education+Training 43 (3), 152–161.
Bandura A (1977) Self efficacy: toward a unifying theory of behavioral change. Psychological Review 84, 191–215.
Bandura A, Freeman WH and Lightsey R (1999) Self-efficacy: the exercise of control. Journal of Cognitive Psychotherapy 13 (2), 158–166.
Beccaria C (1963) On Crime and Punishments. Bobbs Merril, Indianapolis, IN.
Beck L and Ajzen I (1991) Predicting dishonest actions using the theory of planned behavior. Journal of Research in Personality 25, 285–301.
Bruschi D, Martignoni L and Monga M (2007) Code normalization for self-mutating malware. IEEE Security & Privacy 5 (2), 46–54.
Chau PYK and Tam KY (1997) Factors affecting the adoption of open systems: an exploratory study. MIS Quarterly 21 (1), 1–24.
Chenoweth T, Minch R and Tabor S (2007) Expanding views of technology acceptance: seeking factors explaining security control adoption. AMCIS 2007 Proceedings 321–328.
Chin WW (1998) The Partial Least Squares Approach to Structural Equation Modeling. Lawrence Erlbaum Associates Mahwah, NJ.
Cody E, Sharman R, Rao RH and Upadhyaya S (2008) Security in grid computing: a review and synthesis. Decision Support Systems 44 (4), 749–764.
Delone WH and Mclean ER (2003) The Delone and Mclean model of information systems success: a ten-year update. Journal of Management Information Systems 19, 9–30.
Etsebeth V (2007) Malware: the new legal risk. The Electronic Library 25 (5), 534–542.
Forman C (2005) The corporate digital divide: determinants of internet adoption. Management Science 51 (4), 641–654.
Fornell C and Larcker DF (1981) Evaluating structural equations models with unobservable variables and measurement error. Journal of Marketing Research 18 (1), 39–50.
Fry RB and Prentice-Dunn S (2005) Effects of coping information and value affirmation on responses to a perceived health threat. Health Communication 17, 133–147.
Grimes RA (2001) Malicious Mobile Code: Virus Protection for Windows. O’Reilly & Associates, Inc., Sebastopol, CA.
Grothmann T and Reusswig F (2006) People at risk of flooding: why some residents take precautionary action while others do not. Natural Hazards 38, 101–120.
Helmes AW (2002) Application of the protection motivation theory to genetic testing for breast cancer risk. Preventive Medicine 35, 453–462.
Ho R (2000) Predicting intention for protective health behaviour: a test of the protection versus the ordered protection motivation model. Australian Journal of Psychology 52 (2), 110–118.
Hu Q and Dinev T (2005) Is spyware an internet nuisance or public menace? Communications of the ACM 48 (8), 61–66.
Iacovou CL, Benbasat I and Dexter AS (1995) Electronic data interchange and small organizations: adoption and impact of technology. MIS Quarterly 19 (4), 465–485.
Kambil A, Kalis A, Koufaris M and Lucas HC (2000) Influences on the corporate adoption of web technology. Communications of the ACM 43 (11), 264–271.
Lee Y and Kozar KA (2005) Investigating factors affecting the adoption of anti-spyware systems. Communications of the ACM 48 (3), 72–78.
Lee J and Lee Y (2002) A holistic model of computer abuse. Information Management & Computer Security 10 (2), 57–63.
Lee D and Larose R (2004) Keeping our network safe: a model of online safety behavior. Proceedings of the Association for Education in Journalism and Mass Communication, Toronto, Canada.
Lent RW, Hoffman MA, Hill CE, Treistman D, Mount M and Singley D (2006) Client-specific counselor self-efficacy in novice counselors: relation to perceptions of session quality. Journal of Counseling Psychology 53, 453–463.
Malhotra NK, Kim SS and Patil A (2006) Common method variance in IS research: a comparison of alternative approaches and a reanalysis of past research. Management Science 52 (12), 1865–1883.
Marakas GM, Johnson RD and Clay PF (2007) The evolving nature of the computer self-efficacy construct: an empirical investigation of measurement construction, validity, reliability, and stability over time. Journal of the Association for Information Systems 8 (1), 16–46.
Mcclendon BT and Prentice-Dunn S (2001) Reducing skin cancer risk: an intervention based on protection motivation theory. Journal of Health Psychology 6, 321–328.
Mcmath BF and Prentice-Dunn S (2005) Protection motivation theory and skin cancer risk: the role of individual differences in responses to persuasive appeals. Journal of Applied Social Psychology 35, 621–635.
Milne S, Sheeran P and Orbell S (2000) Prediction and intervention in health-related behavior: a meta-analytic of protection motivation theory. Journal of Applied Social Psychology 30 (1), 106–143.
Orlikowski WJ (1992) The duality of technology: rethinking the concept of technology in organizations. Organization Science 3 (3), 398–427.
Pechmann C, Zhao G, Goldberg ME and Reibling ET (2003) What to convey in antismoking advertisements for adolescents: the use of protection motivation theory to identify effective message theme. Journal of Marketing 67 (April), 1–18.
Petter S, Straub DW and Raj A (2007) Specifying formative constructs in IS research. MIS Quarterly 31 (4), 623–656.
Riemenschneider CK, Harrison DA and Mykytyn PP (2003) Understanding IT adoption decisions in small business: integrating current theories. Information and Management 40 (4), 269–285.
Rogers R (1983) Cognitive and physiological processes in fear-based attitude change: a revised theory of protection motivation. In Social Psychophysiology: A Sourcebook (Cacioppo J and Petty R, Eds), pp 153–176, Guilford Press, New York.
Straub DW (1989) Validating instruments in MIS research. MIS Quarterly 13 (2), 147–169.
Straub DW, Weill P and Schwaig KS (2008) Strategic dependence on the IT resource and outsourcing: a test of the strategic control model. Information Systems Frontier 10, 195–210.
Straub DW and Welke RJ (1998) Coping with systems risk: security planning models for management decision making. MIS Quarterly 22 (4), 441–465.
Thong JYL (1999) An integrated model of information systems adoption in small businesses. Journal of Management Information Systems 15 (4), 187–214.
Venkatesh V, Morris MG, Davis GB and Davis FD (2003) User acceptance of information technology: toward a unified view. MIS Quarterly 27 (3), 425–478.
Willison R and Backhouse J (2006) Opportunities for computer crime: considering systems risk from a criminological perspective. European Journal of Information Systems 15 (4), 403–414.
Wold H (1982) Soft modelling: the basic design and some extensions. In Systems Under Indirect Observation, Part II (Jöreskog, K. and Wold W. Eds), North Holland Press, Amsterdam.
Woon IMY, Tan GW and Low RT (2005) A protection motivation theory approach to home wireless security. In Proceedings of the Twenty-Sixth International Conference on Information Systems (AVISON D, GALLETTA D and DEGROSS J, Eds), Las Vegas, NV, pp 367–380.
Zhao G and Pechmann C (2007) The impact of regulatory focus on adolescents’ response to antismoking advertising campaigns. Journal of Marketing Research XLIV, 671–687.
Acknowledgements
The authors gratefully acknowledge grant support from Webroot Inc.
Author information
Authors and Affiliations
Appendix
Appendix
See Table A1.
Rights and permissions
About this article
Cite this article
Lee, Y., Larsen, K. Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software. Eur J Inf Syst 18, 177–187 (2009). https://doi.org/10.1057/ejis.2009.11
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1057/ejis.2009.11