User information security behaviour in sub-Saharan Africa: A case of Ghana from an extended protection motivation perspective

Abstract

Personal computer users are increasingly becoming the prime targets of cybercriminals. With the standing of the individual user as the “weakest link” in the information security chain, compounded by noncompliance with security protocols, and the assumption that they are solely responsible for their online safety, maintaining the protection of the information security of the individual computer user also known as personal computer security is thus a necessary part of overall information security.

Protection Motivation Theory (PMT) has been extensively applied to explain how users behave regarding information security. Despite the above progress, several opportunities remain for enhancing our grasp of information security behaviour within the personal computing context. First and foremost, a primary gap seems to be the lack of studies concerning PMT, concerning how home computer and mobile device users approach information security behaviour. Whilst the current research acknowledges the contributions of studies that have explored this subject matter through the lens of PMT in various settings, there seems to be a lack of exploration in non-Western contexts where factors such as inadequate infrastructure, unconventional usage patterns, and IT identities prevalent in those regions. In addition, to the above, past PMT studies have also explored factors influencing user information security behaviour in this domain of research, however, the impact of perceived severity in shaping security intention is not yet fully understood. Additionally, the literature underscores the importance of investigating how factors such as security routines impacts security behaviour. In that regard, addressing these gaps in the literature is vital, as implementing security solutions designed in developed nations, without accounting for the local context, may prove to be ineffective.

The present study seeks to explore how individuals in Ghana (a sub-Saharan country) protect their personal computers from information security breach based on the framework of PMT. By utilising a mixed method approach specifically an explanatory sequential mixed method design, 632 individual personal computer users consisting of home computer and mobile device users were investigated using surveys and focus groups. Collated quantitative data was meticulously analysed using Partial Least Squares Structural Equation Modelling (PLS-SEM) whilst NVivo was employed for the qualitative data analysis. The results demonstrate the crucial role of IT-identity in shaping an individual information security behavioural choice through threat and coping mechanisms of PMT, including security habit. Most of the threat and coping components of PMT significantly influence security intention. However, it was evident that there is no significant difference between home computer users and mobile device users regarding the determinants of their security behaviour. The overall sample attitudes towards information security were consistent across device types.

Beyond the substantive findings, this study contributes theoretically to the academic discourse within circles on user information security behaviour research by introducing the concept of IT-identity as a factor that influences the cognitive processes of PMT, including the formation of security habits. It also adds to list of limited number of existing studies that have applied an explanatory sequential mixed-methods approach to this area of research (using a novel dataset) which has traditionally been explored through quantitative methods. Practically, it offers insights for various stakeholders across the sub-Saharan African region such as practitioners in the field and those responsible for designing security controls and training programs by recommending the implementation of a holistic IT-identity-PMT model.