
computers & security 79 (2018) 68–79

Available online at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/cose

The impact of security awareness on information technology professionals' behavior

Ron Torten a, Carmen Reaiche b, Stephen Boyle c,∗


a Inphi Corporation, 2953 Bunker Hill Lane, Suite 300, Santa Clara, CA 95054, United States
b Entrepreneurship, Commercialisation and Innovation Centre, University of Adelaide, Adelaide, SA 5000, Australia
c Business School, University of South Australia, Adelaide, SA 5000, Australia

Article info

Article history: Received 19 October 2017; Revised 20 August 2018; Accepted 20 August 2018; Available online 30 August 2018.

Keywords: Information Technology Security; IT Professionals; Cybersecurity; Social Engineering; Protective Motivation Theory; Security Behavior; Human Behavior; Security Awareness Programs

Abstract

Protecting digital assets is a growing concern for corporations, as cyberattacks affect business performance and reputation and compromise intellectual property. Information technology (IT) security in general and cyber security, in particular, is a fast-evolving area that requires continuous evaluation and innovation. The objective of cyber-attacks has not changed over time; however, there is a shift in the attack methods through the increased use of social engineering, concentrating on the human elements as the weakest link in the security posture of any system network. This research looks at the relationship between threat awareness and countermeasure awareness and IT professionals' compliance with desktop security behaviors. The model originally put forward by Hanus and Wu (2016) was tested on a population of 400 IT professionals across a broad range of IT roles and company sizes in the United States. The overall findings show that 61.2% of the variability in desktop security behavior can be explained by threat awareness and countermeasure awareness. In addition, the research found a determinant relationship between threat awareness and countermeasure awareness and the five elements of protective motivation theory (PMT), which include perceived severity, perceived vulnerability, self-efficacy, response efficacy, and response cost. Finally, the research shows that all elements of PMT, with the exception of perceived vulnerability, significantly determine desktop security behavior.

© 2018 Elsevier Ltd. All rights reserved.

1. Introduction

Protecting digital assets is a growing concern for corporations as cyberattacks impact reputation and compromise intellectual property. Information technology (IT) security in general and cyber security, in particular, is a fast-evolving area that requires continuous evaluation and innovation (Borrett et al. 2013). Cyber attackers increased their use of social engineering (Mickelberg et al. 2014) in an effort to combat the improvements in security systems that utilize multi-layer firewalls. The objective of cyber attackers has not changed over time as they attempt to install ransomware, violate intellectual property, steal medical records, execute unauthorized banking transactions, or misuse credit cards (Seong-kee and Tae-in 2015). An area of security that has been largely ignored is social engineering, which starts at the human/desktop interface to the network (Crossler 2010). Social engineering concentrates on the human elements, as humans are the weakest link in the security posture of any system network (Boss et al. 2009; Hinde 2001; Kumar et al. 2008). These human elements result in attacks that start at the desktop, as social engineering works to have the user share their username and password


∗ Corresponding author. E-mail address: stephen.boyle@unisa.edu.au (S. Boyle).

https://doi.org/10.1016/j.cose.2018.08.007
0167-4048/© 2018 Elsevier Ltd. All rights reserved.

with the attacker, who can then use them to gain access to the network. Unlike attacks on the human elements, automated attacks create a common signature or method that can be shared among IT professionals and security companies.

IT professionals' credentials, including user name and password, are of great interest to any hacker due to the IT professional's potential broad access to sensitive areas of the network, including root access and network description, which would enable a hacker to roam freely, download data from the network, or simply monitor information of interest. The present study will focus on the effectiveness of awareness in this specific population: IT professionals. Unfortunately, cyber-attacks have been growing at an annual rate of 200%, resulting in $400 billion in annual losses to corporations and individuals in 2015, up from $100 billion in 2013 (Morgan 2016). These rates are critical for businesses as they face an increased reliance on information systems in terms of intellectual property creation and big data analytics to reach competitive advantage. Therefore, it is essential that their information remain secure and that awareness aimed at protection is given to IT professionals (James et al. 2013).

This study extends the work of Hanus and Wu (2016) to a population more valued in the eyes of hackers: IT professionals. While the original research was conducted on university students in a university setting, the current research will examine how IT professionals respond to security awareness in terms of desktop security behavior. The study also contributes to the literature by focusing on an additional behavior influencer, the protection motivation theory (PMT).

2. Literature review

The human behavior literature establishes several theories to predict human response to specific situations, a critical element of the proposed conceptual framework evaluated in this research. These include the theory of Planned Behavior, the theory of Neutralization and the theory of Knowledge, Attitude and Practice (KAP) (Armitage and Conner 2001). These theories can provide useful conceptual frameworks for dealing with the complexities of information security. At the same time, there are some constraints in relation to the time in which behavior responses to security threats can be studied. For instance, the Neutralization Theory (NT) attempts to justify a deviant act or crime. NT provides a rationale to justify actions and neutralize guilt. This was deemed not appropriate for this study as it looks at behavior post action, whereas this research aims to look at ways to modify behavior to protect against misbehavior. The theory of Planned Behavior (PB) aims to uncover the foundations of one's beliefs about their behavior, aiming to trace subjective norms and attitudes (Ajzen 1991). PB theory covers intentions prior to actions, which are driven by the values of the individual. As this relies on understanding individual intentions, morals, values and beliefs, it would be a much larger study requiring qualitative interpretation of the norms and beliefs of the individual. KAP (Knowledge, Attitude and Practice) theory is a useful framework for analyzing the effectiveness of a training process in which new skills, knowledge, and attitudes are developed. The KAP approach has a powerful appeal to test out the effectiveness of the training process itself and measure change in attitudes and behaviors. This approach could extend the current study by analyzing the training process and the motivations of those undertaking the training to learn and adapt their behavior.

This study will focus on an additional behavioral influencer by utilizing the Protection Motivation Theory (PMT), which evolved from the theory of fear appeal (Maddux and Rogers 1983). PMT was first proposed by Rogers to predict people's engagement in health risk prevention (Rogers, 1975). The theory identifies three elements that lead to a fear appeal: the impact of the event, the probability of the event occurring, and the efficacy of the individual in protecting oneself from the event. Fear on its own has a direct impact on an individual's behavior. The experience of fear is a motivation for response, but the level and type of response is affected by all three elements of PMT. PMT was later expanded by Bandura (1977) and Maddux and Rogers (1983). These made two major contributions: first, they demonstrated the existing PMT elements and, as predicted, showed that threat occurrence and coping response have positive effects on the intent to adopt recommendations to prevent unhealthy behavior. Second, they provided evidence that self-efficacy expectancy is an additional key element of PMT. In 1991, Tanner Jr et al. continued the assessment of PMT by reviewing its applicability to marketing material in the medical field. In developing the PMT model further, Tanner Jr et al. (1991) expanded the review of the theory in four ways and assessed additional variables both theoretically and empirically. Additional variables tested included the emotional aspect of fear, something that was mostly ignored in the original theory. The elements of PMT follow an appraisal process; thus individuals apply behaviors that deal with their fear as opposed to behaviors that reduce the threat. The normative and social components of fear were also reviewed, as many social behaviors are influenced not just by an individualistic assessment of a given situation but also by the social context.

The ability to use PMT as a behavior-independent variable was evaluated by Hodgkins and Orbell (1998) through a longitudinal study. The findings showed that previous intentions are a significant predictor of behavior and that adding earlier intentions to the variables of PMT significantly improved its predictive value. The results also indicated that coping appraisal is a significant determinant of protection motivation and that self-efficacy is the only predictor of future intentions. Hodgkins and Orbell (1998) concluded that the PMT variables were not sufficient to define future behavior in a longitudinal context.

2.1. Protection Motivation: information security and security awareness

Early work in the area of protective technology, which may include products that protect against items such as viruses, spyware, unauthorized access, and disruption, revealed that protective technology adoption is different from the adoption of technology in general (Dinev and Hu 2007). Empirical quantitative research conducted by Dinev and Hu (2007) on 339 subjects (50% IT professionals and 50% business students from a large southeastern U.S. university) showed that the

adoption of protective technologies is highly motivated by awareness and fear. The findings revealed that the effect of awareness on individual behavior intention is greater for those with stronger technology knowledge than for those with weaker knowledge. Given that protective technology use is motivated by fear, awareness has a greater impact on adoption than it does in the case of positive technologies (i.e., those that deliver productivity improvements).

As organizations look to achieve compliance with security policies, an element of fear is normally incorporated into awareness communication. Johnston and Warkentin (2010) developed an empirical experimental study to evaluate the relationship between fear and end users' compliance with the security posture, using a model that extended PMT to include social influences. The results indicated that a fear appeal affects user behavior related to compliance with security policies, but the magnitude of the effect is not uniform. The results showed that self-efficacy, response efficacy, and threat severity all affect the level of response, as suggested by PMT. These results are consistent with the findings of Gurung et al. (2009) and Herath and Rao (2009). Johnston and Warkentin (2010) expanded on those findings by stating that social influences also inform the effectiveness of fear in behavior modification. The results are also consistent with those of Siponen (2000), who argued that persuasive messages are positively related to attitudes and motivations.

Given the high frequency of information breaches, which occur once a year on average, compliance with policies must be a high priority for any information security team. Habit toward compliance with information security policies has a significant impact on all the elements of PMT (Vance et al., 2012). Thus, habits not only support compliance with information security but also affect the level of response efficacy and self-efficacy, which in turn will influence employees' intent to comply. The PMT study of Vance et al. (2012) supported the notion that employees who felt inconvenienced by the security policies evaluated the cost of compliance as high and were more likely not to comply with the policies, as predicted by PMT.

Building on the earlier works described above, Hanus and Wu (2016) studied the impact of security awareness on desktop security behavior through the PMT lens. They found that security awareness significantly affects key elements of PMT, including perceived severity, response efficacy, self-efficacy, and response cost. The findings demonstrated that when it comes to home users, similar to corporate and government employees, security awareness can influence the contributing factors of PMT and, in turn, the users' response to security policy and expected behavior. These results bring into question how awareness programs are constructed and delivered.

The review of the PMT literature in general, and as it relates to information security in particular, demonstrates that PMT is central to any IT user's behavior in terms of compliance and actions to protect their information technology assets, while awareness also plays a key role in PMT. While security awareness programs can be designed from a PMT perspective, using the cognitive response to security in the context of perceived severity, perceived vulnerability, self-efficacy, response efficacy, and response cost (Hanus and Wu 2016), the training process could also be evaluated in the context of organizational learning. Awareness programs should foster organizational learning (see for example: Herath and Rao, 2009; James et al., 2013; Sumner, 2009 and Wu et al., 2012). As such, when learning tools, such as cognitive maps, are used in the learning process, the learning will build security awareness as one type of distributed cognition. Thus, with the proper design, the program should include individual expertise, knowledge, and experience and place them in procedural and declarative organizational memory.

Various studies have validated the importance of PMT to information security. For example, Woon et al. (2005) provided a conceptual foundation of PMT for home wireless security. In particular, their research identified key cognitive behaviors distinguishing individuals who secured their wireless access from those who did not. Chenoweth et al. (2009) used PMT to study users' intentions to adopt anti-spyware software, arguing that PMT is a valuable tool for understanding and explaining individuals' patterns of adopting protective technologies. Crossler (2010) also indicated the effectiveness of PMT for understanding individuals' intentions toward technology adoption. Specifically, Crossler's research showed that security self-efficacy and response efficacy positively influenced the backing up of data and the use of technology to support this. Vance et al. (2012) expanded PMT to evaluate employees' failure to comply with IS security procedures, recognizing that IS security compliance strongly reinforced the cognitive processes theorized by PMT. Information security has become a critical element of computing systems due to the expanding use of the Internet as a communication vehicle and the explosion of digital information that it has generated. The literature indicates that security awareness influences user behavior related to defending against information security risks (see for example the various PMT applications to information security and risks: Herath and Rao, 2009; Thomson and Solms, 1998 and Puhakainen and Siponen, 2010). It also suggests that PMT is an effective model that can inform training programs in a way that maximizes their value and effectiveness.

When protecting against attacks, it is important to understand the weakest link in the security infrastructure, as hackers will look to exploit that area (Hinde, 2001). The weakest link is not a stagnant problem, as technologies and processes are put in place to resolve it. Items such as fraudulent certificates, wireless hotspots, and screensavers are some examples of weakest links that have been identified and for which technological solutions have been proposed (Hinde, 2001).

Modern security infrastructure defense postures require an adequate response to phishing, a rapidly growing attack vector that circumvents many of the technology-based security systems and focuses on the human element falling prey to a cyber attacker. The next section will present a review of the literature on phishing and present a broader view of the human element's impact in terms of enabling phishing through risky behaviors.

2.2. Human elements in cyber attack vulnerability

Despite continued developments in technical security measures, the critical risk that is commonly described as the weakest link is the human element (Boss et al. 2009). Human behavior has a multitude of elements that need to be

addressed in the context of information security. The study of Aleem et al. (2013) expanded on the findings of James et al. (2013) and Charbonneau (2011), going beyond the human behavior of corporate citizens trying to protect corporate or personal data and recognizing that corporate citizens with malicious intent could be at the heart of an attack. In such a situation, training for employees may serve more than just the purpose of looking for phishing attacks, as it may also serve the purpose of evaluating behaviors of peers and identifying behaviors that may not be consistent with the best interests of the company (Jansson and von Solms, 2013).

Given the complex nature of cyber warfare and the human element as an enabling gateway to the network (Aleem et al. 2013; James et al. 2013), the defense process needs to be both dynamic and complex. Security against the growing, human-focused attack vectors requires a multi-layered adaptive approach. A layered approach is a technical solution that combines threat assessment and the automated assignment of security techniques. The layered approach starts at the perimeter of the information system, with authentication and authorization, and ends with data encryption (Seong-kee and Tae-in, 2015). In between these layers, steps are taken to evaluate normal data patterns as well as any data movement and connections that violate normal network behaviors. Even upon the successful compromise of a human element, the defense systems may identify abnormal data movements or human behaviors that would automatically suggest a compromise to the security team (Krombholz et al. 2015). For example, when an employee who has never before requested to move files from a secured area of the network suddenly requests a movement, the request may be flagged and quarantined for additional approvals. Reducing the number of attacks, which is the goal of the awareness research proposed, will reduce the number of anomalies in the network and increase the success of such systems in detecting cyber attackers.

Humans are increasingly becoming the primary conduit for IT attacks. According to Lemos (2016), 91% of companies have experienced phishing attacks, and 84% of these companies claimed that these attacks were successful. Phishing attacks focus on the human element and work to gain access to critical resources by acquiring information from the network's weakest link. To better protect the IT environment, it is crucial to understand human nature in terms of what would motivate employees to comply with security guidelines and policies, and then incorporate that learning into security awareness programs.

The most common targets of spear phishing are IT professionals, followed by finance professionals (Greengard, 2016). IT professionals would be a valuable source of information that would help attackers reach critical elements of the network. While every IT user can create risk to the IT infrastructure, IT professionals have the most access to IT assets and, as such, need the most protection. Awareness programs are implemented to improve user behavior, and much research has been conducted, mostly on students, to assess their effectiveness. The current research focuses its evaluation on the effect of awareness programs on IT professionals and evaluates how they impact their behaviors in terms of protecting their desktop and policy compliance.

Fig. 1 – Research framework (Hanus and Wu 2016). Constructs shown: Threat Awareness (TA), Countermeasure Awareness (CA), Perceived Severity (PS), Perceived Vulnerability (PV), Self-Efficacy (SE), Response Efficacy (RE), Response Cost (RC), and Desktop Security Behavior (DSB).



3. Research model and method

The research model and variables in this study (see Fig. 1) are based on Hanus and Wu (2016). This model is considered appropriate to this research as it studied the effect of awareness on desktop behavior using a student population; in doing so, however, the study did not encompass the importance of the IT professional as a key target for hackers seeking to access sensitive areas of the network through cyber-attacks. This is an area considered critical in the IT field and a research gap that this research aims to fill. Social engineering, taking the form of phishing and spear phishing, has been successful in evading the technical solutions for cyber resilience, thus making it more critical that employees in general, and IT professionals in particular, are aware of risks and organizational policies and comply with them (Boss et al. 2009; Kumar et al. 2008). This study, in addition to expanding Hanus and Wu (2016) in terms of population, further broadens the geographic reach as well by including the United States as opposed to a single university.

The model incorporates the relationship of existing perceptions on security threats based on the PMT literature discussed earlier and as adopted by Hanus and Wu (2016). The model conceptualizes the impact on two processes: the evaluation process, i.e. Perceived Severity (PS) and Perceived Vulnerability (PV), and the coping process, i.e. Self-Efficacy (SE), Response Efficacy (RE), and Response Cost (RC), and in turn Desktop Security Behavior (DSB). These formed the dependent variables for this study. The model introduces two main constructs: Threat Awareness (TA) and Countermeasure Awareness (CA). These two constructs are set to identify IT professionals' perceptions of the roots and causes of threats and of the countermeasures that can minimize the risks associated with threats. These two forms of awareness have different impacts when applied within PMT. For instance, when IT professionals are aware of potential desktop security threats, the knowledge of these threats should in turn result in threat avoidance, accurate risk measures, and efficacy in evaluating real responsive measures. Integrating PMT, we can evaluate the degree of impact that TA positively has on the PS and PV constructs at the perception process point, while evaluating the influence of CA on IT professionals at the coping (responsive) process point, i.e. RE, SE and RC. The model provides a concept of how the independent variables, Threat Awareness (TA) and Countermeasure Awareness (CA), affect the dependent variables that are core to the PMT theoretical framework and in turn lead to the recommended security protection via desktop security behaviors (DSB). Rather than behavioral intentions, the research will explore the impact of threat and coping (response) appraisals directly on behavior, as suggested by Hanus and Wu (2016).

Table 1 – Study variables.

Independent variable        Dependent variable
Threat awareness            Perceived severity
Countermeasure awareness    Perceived vulnerability
                            Self-efficacy
                            Response efficacy
                            Response cost
                            Desktop security

This study aims to evaluate three research questions. The relationships between the variables identified in the model and listed in Table 1 are examined to evaluate their consistency with predictions that could be made using the theoretical framework. By reviewing the relationships between the independent variables (threat awareness and countermeasure awareness) and the dependent variables (perceived severity, perceived vulnerability, self-efficacy, response efficacy, response cost, and desktop security behavior), the following research questions are answered:

Research question 1: What relationship does threat awareness of IT professionals have as a potential determinant of perceived severity and perceived vulnerability?
Hypotheses:
H1A: Threat awareness is a direct determinant of IT professionals' perceived severity.
H1B: Threat awareness is a direct determinant of IT professionals' perceived vulnerability.

Research question 2: What relationship does countermeasure awareness of IT professionals have as a potential determinant of self-efficacy, response efficacy, and response cost?
Hypotheses:
H2A: Countermeasure awareness is a direct determinant of IT professionals' self-efficacy.
H2B: Countermeasure awareness is a direct determinant of IT professionals' response efficacy.
H2C: Countermeasure awareness is a direct determinant of IT professionals' response cost.

Research question 3: What relationship do perceived severity, perceived vulnerability, self-efficacy, response efficacy, and response cost of IT professionals have as potential determinants of desktop security behaviors?
Hypotheses:
H3A: Perceived severity of IT professionals is a direct determinant of desktop security behavior.
H3B: Perceived vulnerability of IT professionals is a direct determinant of desktop security behavior.
H3C: Self-efficacy of IT professionals is a direct determinant of desktop security behavior.
H3D: Response efficacy of IT professionals is a direct determinant of desktop security behavior.
H3E: Response cost of IT professionals is a direct determinant of desktop security behavior.

3.1. Instrumentation/Measures

The instrument developed by Hanus and Wu (2016) was used to assess perceived severity, perceived vulnerability,

self-efficacy, response efficacy, response cost, and desktop security behavior (dependent variables), as well as threat awareness and countermeasure awareness (independent variables). The instrument, developed and tested by Hanus and Wu (2016), used a 7-point Likert scale, and it was used in the same way in this study.

3.2. Data collection and analysis

This research was done through online surveys distributed to IT professionals through Qualtrics.com. The sample for this research is composed of 400 IT professionals across a broad range of IT roles and company sizes in the United States. The sample size was selected based on the suggestion of Gay and Airasian (2000), who indicated that for populations greater than 5,000, population size no longer affects the required sample size and a sample of 400 is adequate.

The data analysis techniques included a combination of predictive measures to assess the strength of the relationships between the independent and dependent variables, as well as descriptive statistics to look for any biases that may have affected the results. The relationships between the independent and dependent variables were assessed using the partial least squares (PLS) method. The use of PLS as the method for evaluating relationships between variables in human behavior in the area of information security has been the most common approach in quantitative studies (see for example: Gurung et al. 2009; Kumar et al. 2008; Liang and Xue 2010; Vance et al. 2012, and Hanus and Wu 2016) and therefore was considered appropriate for the context of this research.

3.3. Validity and reliability

As noted above, the instrument used for this study was previously used by Hanus and Wu (2016), enabling a direct comparison of results between the student population that was researched in that study and the IT professionals that were the subject of the current study. Hanus and Wu (2016), following the recommendation of Henseler et al. (2009), confirmed the reliability and validity of the instrument as explained below. Given the complexity of the model, as shown in Fig. 1, the validity and reliability of the survey required two steps. In the first step, the outer model, relating awareness to desktop behaviors, needs to be validated. Then the inner model, relating security awareness to PMT elements and PMT elements to desktop behaviors, needs to be tested. Thus, the PLS evaluation of the validity and reliability of the inner model was only possible after evaluating the validity and reliability of the outer model (Henseler et al. 2009). Both inner and outer models have been tested by Hanus and Wu (2016) for reliability, using Cronbach's alpha as well as composite reliability measures. The reason for using both approaches is that Cronbach's alpha assumes equal reliability of all indicators, whereas in PLS reliability is prioritized by item; there is also concern that Cronbach's alpha underestimates the reliability of latent variables in a PLS model. Therefore, it was best to use both approaches and include composite reliability as suggested by Werts et al. (1974). In either approach, as shown in Table 2, the values were above the recommended target of 0.7 (Henseler et al. 2009).

Table 2 – Reliability measures – Construct correlation and Cronbach's Alpha (Hanus and Wu 2016).

Variable                        CR     Alpha
Threat awareness (TA)           0.91   0.86
Countermeasure awareness (CA)   0.92   0.87
Desktop security (DS)           0.92   0.87
Perceived severity (PS)         0.96   0.96
Perceived vulnerability (PV)    0.96   0.95
Response cost (RC)              0.93   0.91
Response efficacy (RE)          0.96   0.94
Self-efficacy (SE)              0.93   0.89

Fig. 2 – Number of participants by age group (bar chart "Age Distribution"; age groups 21-30, 31-40, 41-50, 51-60 and 61-70; vertical axis 0 to 250).

Fig. 3 – Number of participants by IT discipline (bar chart "Working Disciplines within IT"; vertical axis 0 to 160; discipline labels not recoverable from the extraction).

Approximately 6700 surveys were sent to IT professionals. Of these, approximately 3000 surveys were started and 478 were fully completed; of those, 408 were determined to have been completed correctly.

3.4. Descriptive statistics

In terms of population, the 408 final surveys represented participation of a highly diversified IT professional population, supporting the intent to perform a broad nationwide assessment. With regard to gender, 38% of the participants were female and 62% were male. Given the screening criteria, all participants were older than 21 years of age. As shown in
Fig. 2, a broad distribution of age groups helps generalize the results to all IT professionals over the age of 21.

While the intent was to capture a broad cross-section of industries, the response was highly skewed toward the information technology industry, with 46% of participants. Fig. 3 illustrates the number of IT professionals by IT discipline. While the disciplines were not equally distributed, a good representation exists across several areas of IT. Therefore, the results could be applied to a broad group of IT professionals. With 72% of respondents working in desktop support, networking, storage, or security, the results are clearly applicable to IT professionals with access to sensitive areas of the network, be it desktops or networks, which are critical areas of focus for hackers looking to reach sensitive assets.

3.5. Inferential statistics

PLS was used to calculate the R² and loadings of the research model. Fig. 4 summarizes the results of the PLS model, demonstrating that the model explains 62% of the users' desktop be-

severity, with 41% of the perceived severity explained by threat awareness, there is little loading and no statistically significant relationship between perceived severity and desktop behavior (see Table 3). Thus, threat awareness has little influence on desktop behavior in spite of its strong relationship with perceived severity.

The findings suggest that countermeasure awareness has the strongest statistically significant loading on the self-efficacy, response efficacy, and response cost elements of PMT, and that these elements further have significant effects on desktop security behavior. Therefore, it can be concluded that countermeasure awareness in the surveyed population has a stronger relationship with IT professional behaviors than threat awareness.

Table 3 further demonstrates that the relationships assumed in the research model apply to the researched population of IT professionals across the US. The only relationship that does not show statistical significance is the one between perceived vulnerability and desktop security behavior. These findings indicate that the model, using PMT as a lens for as-

Fig. 4 – PLS results for the research model.

Table 3 – P Value for PLS path model presented in Fig. 6.

Path     CA-RC  CA-RC  CA-SE  PS-DSB  PV-DSB  RC-DSB  RE-DSB  SE-DSB  TA-PS  TS-PV
P Value  0.00∗  0.00∗  0.00∗  0.04∗   0.94    0.00∗   0.00∗   0.00∗   0.00∗  0.00∗

∗ indicates significance less than 0.05.
havior. While there is a strong determinant relationship and sessing user behavior, is mostly consistent with the expected
high path coefficient between threat awareness and perceived assessment of behavior.
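To make concrete why the reliability discussion above reports both Cronbach's alpha and composite reliability, the following is an added example; it is not code from the paper, and the loadings and responses in it are constructed rather than taken from the study's data. It computes both estimates for a single-factor scale from standardized indicator loadings, and it shows a property the text only alludes to: with equal loadings the two estimates coincide, and with unequal loadings alpha is always the lower of the two, which is the underestimation the paragraph mentions.

```python
"""Cronbach's alpha versus composite reliability for a single-factor scale.

Added example, not code from the paper or from Hanus and Wu (2016).
All loadings and responses below are constructed for illustration.
"""
from typing import List, Sequence


def implied_covariance(loadings: Sequence[float]) -> List[List[float]]:
    """Population covariance of standardized indicators under a one-factor
    model x_i = lambda_i * f + e_i with Var(f) = 1 and Var(x_i) = 1.
    Off-diagonal entries are lambda_i * lambda_j; diagonals are 1.
    """
    k = len(loadings)
    cov = [[loadings[i] * loadings[j] for j in range(k)] for i in range(k)]
    for i in range(k):
        cov[i][i] = 1.0
    return cov


def sample_covariance(rows: Sequence[Sequence[float]]) -> List[List[float]]:
    """Unbiased sample covariance of raw item scores (one row per respondent)."""
    n, k = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(k)]
    cov = [[0.0] * k for _ in range(k)]
    for i in range(k):
        for j in range(k):
            cov[i][j] = sum((r[i] - means[i]) * (r[j] - means[j]) for r in rows) / (n - 1)
    return cov


def cronbach_alpha(cov: Sequence[Sequence[float]]) -> float:
    """alpha = k/(k-1) * (1 - sum of item variances / variance of the item sum).

    The variance of the sum is the sum of every entry of the covariance
    matrix. Alpha treats all items as equally reliable (tau-equivalence).
    """
    k = len(cov)
    item_var = sum(cov[i][i] for i in range(k))
    total_var = sum(sum(row) for row in cov)
    return (k / (k - 1)) * (1.0 - item_var / total_var)


def composite_reliability(loadings: Sequence[float]) -> float:
    """CR = (sum lambda)^2 / ((sum lambda)^2 + sum(1 - lambda^2)) for
    standardized loadings; each item is weighted by its own loading."""
    s = sum(loadings)
    error_var = sum(1.0 - lam * lam for lam in loadings)
    return (s * s) / (s * s + error_var)


def compare(loadings: Sequence[float]) -> dict:
    """Both reliability estimates for the covariance implied by the loadings."""
    alpha = cronbach_alpha(implied_covariance(loadings))
    cr = composite_reliability(loadings)
    return {"alpha": alpha, "cr": cr, "alpha_underestimates": alpha < cr - 1e-9}


if __name__ == "__main__":
    # Constructed loadings: three strong indicators and one weak one.
    print(compare([0.9, 0.85, 0.8, 0.4]))   # alpha ~0.819 < CR ~0.839
    # Constructed equal loadings: tau-equivalent items, alpha equals CR.
    print(compare([0.8, 0.8, 0.8, 0.8]))    # both ~0.877
    # Constructed raw Likert responses (4 respondents x 2 items): alpha from data.
    responses = [[1, 2], [2, 3], [3, 4], [4, 5]]
    print(cronbach_alpha(sample_covariance(responses)))  # 1.0
```

The inequality alpha <= CR under a one-factor model follows from the Cauchy-Schwarz bound (sum lambda)^2 <= k * sum lambda^2, with equality only when all loadings are equal; that is why a scale with one weak indicator shows a visibly lower alpha than composite reliability, and why reporting only alpha can make a PLS measurement model look less reliable than it is.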
SmartPLS 3.0 was used to evaluate the path statistics of the model in order to assess the answers to the research questions and test the applicability of the proposed model presented in Fig. 1. The next section uses the results presented in Fig. 4 and Table 3 to test the hypotheses that were generated to answer the research questions.

4. Findings

Research question 1: What relationship does threat awareness of IT professionals have as a potential determinant of perceived severity and perceived vulnerability?

Hypotheses:
H1A: Threat awareness is a direct determinant of IT professionals' perceived severity.
H1B: Threat awareness is a direct determinant of IT professionals' perceived vulnerability.

Table 4 – Summary of Hypotheses 1 testing results.

Path   R2     Loading  Sig
TA-PS  0.416  0.645    *
TA-PV  0.138  0.371    *

* indicates significance less than 0.05.

Table 4 summarizes the statistical analyses using PLS. It indicates that, since the p-value is p < 0.05, there is sufficient evidence to reject the null hypothesis. Therefore, there is a statistically significant relationship between IT professionals' threat awareness and the perceived severity and perceived vulnerability of desktop security.

Research question 2: What relationship does countermeasure awareness of IT professionals have as a potential determinant of self-efficacy, response efficacy, and response cost?

Hypotheses:
H2A: Countermeasure awareness is a direct determinant of IT professionals' self-efficacy.
H2B: Countermeasure awareness is a direct determinant of IT professionals' response efficacy.
H2C: Countermeasure awareness is a direct determinant of IT professionals' response cost.

Table 5 – Summary of Hypotheses 2 testing results.

Path   R2     Loading  Sig
CA-SE  0.317  0.563    *
CA-RE  0.324  0.570    *
CA-RC  0.1    0.316    *

* indicates significance less than 0.05.

Table 5 summarizes the statistical analyses using PLS. It indicates that, since the p-value is p < 0.05, there is sufficient evidence to reject the null hypothesis. Therefore, there is a statistically significant relationship between IT professionals' countermeasure awareness and self-efficacy, response efficacy, and response cost of desktop security.

Research question 3: What relationship does perceived severity, perceived vulnerability, self-efficacy, response efficacy, and response cost of IT professionals have as potential determinants of desktop security behaviors?

Hypotheses:
H3A: Perceived severity of IT professionals is a direct determinant of desktop security behavior.
H3B: Perceived vulnerability of IT professionals is a direct determinant of desktop security behavior.
H3C: Self-efficacy of IT professionals is a direct determinant of desktop security behavior.
H3D: Response efficacy of IT professionals is a direct determinant of desktop security behavior.
H3E: Response cost of IT professionals is a direct determinant of desktop security behavior.

In order to summarize the results for research question 3, the results are presented in two tables. First, the results are summarized as they relate to the variable TA in the research model, followed by the results that relate to TC. Because the PLS model provides an overall R2 for desktop security behavior, these tables include loading and significance, but do not present the R2 value for each PMT parameter.

Table 6 – Summary of Hypotheses 3A and 3B testing results.

Path    Loading  Sig
PS-DSB  −0.006   –
PV-DSB  −0.116   *

* indicates significance less than 0.05.

Table 6 shows that for perceived severity, there is insufficient evidence to reject the null hypothesis since the p-value is greater than 0.05. Therefore, there is no statistically significant relationship between IT professionals' perceived severity and desktop security behavior. In terms of perceived vulnerability, there is a significant but negative relationship with desktop security behavior, given the relatively low loading; at −0.116, the impact is smaller than that of any other PMT factor tested in this study.

Table 7 – Summary of Hypotheses 3C, 3D, and 3E testing results.

Path    Loading  Sig
SE-DSB  0.235    *
RE-DSB  0.425    *
RC-DSB  0.327    *

* indicates significance less than 0.05.

Table 7 summarizes the statistical analyses using PLS. It indicates that, since the p-value is p < 0.05, there is sufficient
evidence to reject the null hypotheses. Because the loading represents the magnitude of the effect, there is evidence to support the hypothesis that response efficacy by IT professionals had the strongest effect on desktop security behavior, followed by response cost and self-efficacy, respectively.

The inferential analysis using SmartPLS shows that all model paths, with the exception of perceived severity, have statistically significant effects on IT professionals' desktop security behavior. These findings suggest that awareness affects IT professionals, as predicted by PMT, with the exclusion of perceived severity. The findings also provide information on the relative importance of threat awareness and countermeasure awareness on behavior, showing that countermeasure awareness has a greater effect.

5. Discussion

The external research model assesses the relationships among threat awareness, countermeasure awareness, and desktop security behaviors. Given the use of PLS, the external model is evaluated as a part of the PLS analysis technique chosen for this study. Given that no prior research exists on IT professionals and desktop security behavior, no direct comparison can be reached between the findings of this study and prior ones; however, given the earlier research by Hanus and Wu (2016), the results across different populations can be compared.

An overall R2 of 0.619 indicates the model explains 61.2% of the variance in desktop security behavior. When comparing this with the findings of Hanus and Wu (2016), which had an R2 of 0.461, it appears that the model is stronger for IT professionals than it is for a student population. In fact, the relationship can be described as strong for the IT professionals and moderate for the student population (Chin 1998; Hair Jr et al. 2016).

The increased explanatory strength of the model when evaluated on IT professionals may be explained by IT professionals' appreciation of the impact of desktop security behavior on their daily life. For a security professional, a breach could lead to significant work in data recovery, removal of malware, or affect intellectual property and productivity in the event that a breach led to data exfiltration. The idea that IT professionals are more affected by awareness than students is consistent with the conclusions by Dinev and Hu (2007), who specifically set out to compare students' and IT professionals' behavior (although that study did not evaluate this difference in the context of desktop security behavior).

The analysis provides support that a determinant relationship exists between threat awareness and perceived severity. The R2 of 0.416 indicates that 41.6% of the variability in perceived severity can be explained by threat awareness. While the earlier research identified a significant relationship between threat awareness and perceived severity, the R2 of 0.03 suggests that the relationship is much stronger in the IT professional population than it is in the student population researched by Hanus and Wu (2016). This difference could be attributed to the broader knowledge that IT professionals have on the impact of security on computer systems; as such, increased awareness leads to a stronger perception of risk.

The analysis also supports that a determinant relationship exists between threat awareness and perceived vulnerability. The R2 of 0.138 indicates that 13.8% of the perceived vulnerability can be attributed to threat awareness. The findings show a weaker relationship between threat awareness and perceived vulnerability, relative to threat awareness and perceived severity. This may indicate that IT professionals have a better understanding of severity than vulnerability and thus can relate to the threat more directly with severity. Hanus and Wu (2016) found no relationship between threat awareness and perceived vulnerability. This may be attributed to the overall weaker determinant relationships found between the variables in the student population; these, in turn, might lead to weak relationships in IT professionals, equating to an insignificant relationship in the student population.

In terms of countermeasure awareness, the findings suggest a positive relationship with coping appraisal, as measured by self-efficacy, response efficacy, and response cost, which provided path coefficients of 0.563, 0.570, and 0.316, respectively, and an R2 of 0.317, 0.324, and 0.1, respectively. These findings are consistent with the findings of Hanus and Wu (2016), but show a stronger, more pronounced effect of countermeasure awareness in the IT professional population relative to that of students. As discussed earlier, the more pronounced effect in a knowledgeable group is consistent with the findings of Dinev and Hu (2007) and LaRose et al. (2008), and may be attributed to the better understanding of the application of countermeasures and the confidence in being able to translate knowledge into action. This finding is also consistent with that of Liang and Xue (2010), who described the user response to technology threat awareness theory and found that individuals will take appropriate action to deal with threats based on their perceptions and motivations. Thus, IT professionals would be able to utilize countermeasure awareness more successfully than non-technical students would.

In terms of the relationship between threat appraisals (as measured by perceived severity and perceived vulnerability) and desktop security behavior, the findings indicate mixed results. The results indicate a significant relationship between perceived severity and desktop security behavior; no significant relationship was found between perceived vulnerability and desktop security behavior. These findings differ from those of Hanus and Wu (2016), who did not find any statistically significant relationship between either factor (threat appraisal or desktop security behavior). Similar to other findings, the student population appears to be less responsive to awareness programs as well as less responsive in terms of action. Perhaps this is due to lower concern about the effects associated with this type of risk.

In terms of coping appraisal and desktop security measures, the findings identified a positive significant relationship across all three measures of coping appraisal; Hanus and Wu (2016), however, did not find a significant relationship with response cost. This finding may be due to students not caring about the cost, or the overall lower relationship across all factors leading the weakest relationship to become insignificant in the case of students.

Overall, the findings suggest that IT professionals are affected more significantly than students by awareness, in
terms of both threat awareness and countermeasure awareness, and that PMT is an effective theory to assess their response to awareness. Furthermore, 61.9% of the desktop behavior of IT professionals can be explained by awareness; this supports the idea that awareness programs are critical to the security posture of any organization, as proposed by Siponen (2000), Wolf et al. (2011), James et al. (2013), and Hanus and Wu (2016). There are important implications to this study, which are discussed below.

6. Implications

As the world continues to increase its reliance on digital data for every aspect of life, IT security continues to grow in importance. Lack of adequate security systems can put corporations and individuals at risk of security breaches that can have devastating implications. Target, for example, lost millions of dollars from one breach, and suffered a significant negative impact on its reputation. As security systems continued to improve in response to known attack signatures, hackers moved their focus to the weakest element of the security infrastructure, the human element. Unlike technology-based solutions, which scan data for patterns that appear or that are known to be malicious, humans vary in their application of security systems, compliance with policies, and response to phishing and spear-phishing attacks. Therefore, it is critically important to understand how humans respond to attempts to improve their compliance and behavior in the face of this growing risk. Such understanding is vital to any organization that may be affected by loss of proprietary information, release of personal identifying information, lack of compliance with regulatory requirements such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Sarbanes-Oxley (SOX), or even access to its computing infrastructure to conduct its business.

Protection motivation theory (PMT) was shown to be an effective lens through which to predict the response of employees, both IT professionals and others, to programs that highlight the risks and responses in terms of their desktop security behaviors. Thus, organizations should invest significant effort in developing and delivering training to all employees. While employee response to such training is important, this study found that IT professionals respond more strongly to training than the general population. This finding is encouraging, as IT professionals may have access to critical elements of the computing infrastructure, including root access to the network, which would be highly valuable to any attacker. This means that when awareness programs are implemented, it is important to include all the IT professionals in the program and not assume that any individual would comply with desktop behavior policy without training. It is also important to understand that awareness training is not as effective on the general population, and therefore should be augmented with other incentives and assessments to reach compliance.

Another key implication of this study relates to the focus areas for awareness. The findings suggest that threat awareness has a weaker relationship with desktop security behavior than countermeasure awareness does. While both show stronger relationships with IT professionals than with the general population, awareness programs should focus much more heavily on countermeasure awareness to affect policy compliance.

This research contributes to the body of knowledge in several respects. First, it is the first study to build upon the work of Hanus and Wu (2016) and explore how IT professionals respond to security awareness in terms of desktop security behavior. Second, it is the first nationwide survey to evaluate the effects of awareness on IT professionals using PMT in a work environment. Third, the research provides primary data that was not previously available, which can be used for future comparative studies. Finally, it is one of very few behavioral studies in information security to go beyond a student body population. The results indicate that awareness training for IT professionals, especially in the area of countermeasure activities, would greatly improve the strength of the weakest link in the security chain, the human element; furthermore, the results indicate that this type of training is effective for IT professionals.

7. Practitioner model

The findings suggest that security compliance training should focus primarily on countermeasure awareness, since threat awareness has only a small impact on desktop security behavior. Fig. 5 provides a simplified version of the research model that is most relevant to practitioners, based on this research finding.

To further simplify the model for practical application, the PMT elements are removed to create a more direct relationship between training and desktop security behaviors. With some modification to the wording, an easily remembered model is presented in Fig. 6, playing on the acronym for the Central Intelligence Agency (CIA), to show that CIA leads to CIS. This simplified model (Fig. 6), "CIA leads to CIS," can help consultants and practitioners remember, teach, and implement effective security programs.

Building upon these findings, an approach to the security training process has been developed. To make the model easy to remember, the proposed model uses the acronym "ACE", as described below and as captured pictorially in Fig. 7:
A: Awareness program implementation
C: Countermeasure focused training
E: Evaluate effectiveness

8. Recommendations for future studies

The research provided insight into the relationship between awareness programs and desktop security behaviors of IT professionals across the US. While this research expanded on the body of knowledge by focusing on IT professionals, future study can further narrow the focus to IT professionals with root access. A security breach at the desktop of a user with root access could present an excellent target for a hacker looking for broad access to the network. In addition, future research can broaden the scope of the population by doing a comparative study across geographic regions, to see whether IT professionals in different regions respond differently to awareness.
Finally, there may be generational differences in the effectiveness of training on IT professionals. In that regard, future studies may focus on doing a comparison study across age groups, to see whether awareness training should be tailored differently based on their findings.

For multinational organizations, having such insight would enhance their ability to assess risks across regions and develop training that would have a greater effect in the targeted regions. As noted in the literature on PMT, it is important to understand the different sources of information that a user may draw upon for risk assessment and action (Hanus and Wu, 2016; Milne et al., 2000). As this study focused on the impact of security awareness training of IT professionals, the source in question was formal training. Future research could include evaluating the effects of different sources of information, including both formal and informal channels.

Fig. 5 – Relationship between awareness and desktop behavior.

Fig. 6 – Practitioner model, CIA leads to CIS.

Fig. 7 – Pictorial.

References

Aleem A, Wakefield A, Button M. Addressing the weakest link: implementing converged security. Secur J 2013;26(4):236–48.
Ajzen I. The theory of planned behaviour. Organ Behav Hum Decis Process 1991;50:179–211.
Armitage CJ, Conner M. Efficacy of the theory of planned behaviour: a meta-analytic review. Br J Soc Psychol 2001;40:471–99.
Bandura A. Self-efficacy: toward a unifying theory of behavioral change. Psychol Rev 1977;84(2):191–215.
Borrett M, Carter R, Wespi A. How is cyber threat evolving and what do organisations need to consider? J Bus Contin Emerg Plan 2013;7(2):163–71.
Boss SR, Kirsch LJ, Angermeier I, Shingler RA, Boss RW. If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security. Eur J Inf Syst 2009;18(2):151–64.
Charbonneau S. The role of user-driven security in data loss prevention. Comput Fraud Secur 2011;2011(11):5–8.
Chenoweth T, Minch R, Gattiker T. Application of protection motivation theory to adoption of protective technologies. In: Proceedings of the IEEE 42nd Hawaii International Conference on System Sciences (HICSS); 2009. p. 1–10.
Chin WW. The partial least squares approach to structural equation modeling. Mod Methods Bus Res 1998;295(2):295–336.
Crossler R. Protection motivation theory: understanding determinants to backing up personal data. In: Proceedings of the IEEE 43rd Hawaii International Conference on System Sciences (HICSS); 2010. p. 1–10.
Dinev T, Hu Q. The centrality of awareness in the formation of user behavioral intention toward protective information technologies. J Assoc Inf Syst 2007;8(7):386–92.
Gay LR, Airasian PW. Educational research: competencies for analysis and application; 2000.
Greengard S. How spear phishing puts businesses on the hook. CIO Insight 2016. Available online: https://www.cioinsight.com/security/slideshows/how-spear-phishing-puts-businesses-on-the-hook.html.
Gurung A, Luo X, Liao Q. Consumer motivations in taking action against spyware: an empirical investigation. Inf Manag Comput Secur 2009;17(3):276–89.
Hair JF Jr, Hult GTM, Ringle C, Sarstedt M. A primer on partial least squares structural equation modeling (PLS-SEM). Sage Publications; 2016.
Hanus B, Wu YA. Impact of users' security awareness on desktop security behavior: a protection motivation theory perspective. Inf Syst Manag 2016;33(1):2–16.
Henseler J, Ringle CM, Sinkovics RR. The use of partial least squares path modeling in international marketing. Adv Int Mark 2009;20(1):277–319.
Herath T, Rao HR. Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur J Inf Syst 2009;18(2):106–25.
Hinde S. The weakest link. Comput Secur 2001;20(4):295–301.
Hodgkins S, Orbell S. Can protection motivation theory predict behaviour? A longitudinal test exploring the role of previous behaviour. Psychol Health 1998;13(2):237–50.
James T, Nottingham Q, Kim BC. Determining the antecedents of digital security practices in the general public dimension. Inf Technol Manag 2013;14(2):69–89.
Jansson K, von Solms R. Phishing for phishing awareness. Behav Inf Technol 2013;32(6):584–93.
Johnston AC, Warkentin M. Fear appeals and information security behaviors: an empirical study. MIS Q 2010;34(3):549–66.
Krombholz K, Hobel H, Huber M, Weippl E. Advanced social engineering attacks. J Inf Secur Appl 2015;22:113–22.
Kumar N, Mohan K, Holowczak R. Locking the door but leaving the computer vulnerable: factors inhibiting home users' adoption of software firewalls. Decis Support Syst 2008;46(1):254–64.
LaRose R, Rifon NJ, Enbody R. Promoting personal responsibility for internet safety. Commun ACM 2008;51(3):71–6.
Lemos R. Phishing attacks continue to sneak past defenses. eWeek 2016. Available online: http://www.eweek.com/security/phishing-attacks-continue-to-sneak-past-defenses.
Liang H, Xue Y. Understanding security behaviors in personal computer usage: a threat avoidance perspective. J Assoc Inf Syst 2010;11(7):394–413.
Maddux JE, Rogers RW. Protection motivation and self-efficacy: a revised theory of fear appeals and attitude change. J Exp Soc Psychol 1983;19(5):469–79.
Mickelberg K, Pollard N, Schive L. US cybercrime: rising risks, reduced readiness. 2014 US State of Cybercrime Survey; 2014. Available online: https://collabra.email/wp-content/uploads/2015/04/2014-us-state-of-cybercrime.pdf.
Milne S, Sheeran P, Orbell S. Prediction and intervention in health-related behavior: a meta-analytic review of protection motivation theory. J Appl Soc Psychol 2000;30(1):106–43.
Morgan S. Cyber crime costs projected to reach $2 trillion by 2019. Forbes; 2016. Retrieved September 22.
Puhakainen P, Siponen M. Improving employees' compliance through information systems security training: an action research study. MIS Q 2010;34(4):757–78.
Rogers RW. A protection motivation theory of fear appeals and attitude change. J Psychol 1975;91(1):93.
Seong-kee L, Tae-in K. Adaptive multi-layer security approach for cyber defense. J Internet Comput Serv 2015;16(5):1–9.
Siponen MT. A conceptual foundation for organizational information security awareness. Inf Manag Comput Secur 2000;8(1):31–41.
Sumner M. Information security threats: a comparative analysis of impact, probability, and preparedness. Inf Syst Manag 2009;26(1):2–12.
Tanner JF Jr, Hunt JB, Eppright DR. The protection motivation model: a normative model of fear appeals. J Mark 1991;55(3):36–45.
Thomson ME, von Solms R. Information security awareness: educating your users effectively. Inf Manag Comput Secur 1998;6(4):167–73.
Vance A, Siponen M, Pahnila S. Motivating IS security compliance: insights from habit and protection motivation theory. Inf Manag 2012;49(3–4):190–8.
Werts CE, Linn RL, Jöreskog KG. Intraclass reliability estimates: testing structural assumptions. Educ Psychol Meas 1974;34(1):25–33.
Wolf M, Haworth D, Pietron L. Measuring an information security awareness program. Rev Bus Inf Syst 2011;15(3):9–21.
Woon I, Tan G, Low R. A protection motivation theory approach to home wireless security. In: Proceedings of the ICIS; 2005.
Wu Y, Guynes CS, Windsor J. Security awareness programs. Rev Bus Inf Syst (Online) 2012;16(4):165.

Dr Ron Torten is Senior Vice President, World Wide Operations and IT at Inphi Corporation in California. He is also a visiting Professor of Business at Tiffin University. He has completed his DBA at Capella University and is currently completing his Doctor of Information Technology Data Assurance and Security at the same institution.

Dr Carmen Reaiche's main expertise is in Systems Thinking and Project Management. Prior to joining The University of Adelaide and since coming to Australia in 1993 she has held a number of senior management positions as well as academic appointments, where she has coordinated various undergraduate and postgraduate courses. In industry she designed and project managed the implementation of information systems and policy processes for businesses such as Mobil, IBM, Centrelink and Business SA.

Professor Stephen Boyle is the Dean: Academic at the University of South Australia Business School. His research spans many areas and includes Economics, Organisational Behaviour, Identity and Culture, Innovation and Strategy. He completed his Ph.D. in Economics at Macquarie University and has been at the University of South Australia since 2001. He is also a visiting Professor at the University of International Business and Economics in Beijing, China.