Time Will Tell: The Case for an Idiographic Approach to Behavioral Cybersecurity Research

Open access

Publication History

Received: August 13, 2021
Revised: May 26, 2022; February 10, 2023; July 20, 2023
Accepted: August 1, 2023
Published Online in Issue: March 1, 2024


Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

Many of the theories used in behavioral cybersecurity research have been applied with a nomothetic approach, which is characterized by cross-sectional data (e.g., one-time surveys) that identify patterns across a population of individuals. Although this can provide valuable between-person, point-in-time insights (e.g., employees who use neutralization techniques, such as denying responsibility for cybersecurity policy violations, tend to comply less), it is unable to reveal within-person patterns that account for varying experiences and situations over time. This paper articulates why an idiographic approach, which undertakes a within-person analysis of longitudinal data, can: (1) help validate widely used theories in behavioral cybersecurity research that imply patterns of behavior within a given person over time and (2) provide distinct theoretical insights on behavioral cybersecurity phenomena by accounting for such within-person patterns. To these ends, we apply an idiographic approach to an established theory in behavioral cybersecurity research—neutralization theory—and empirically test a within-person variant of this theory using a four-week experience sampling study. Our results support a more granular application of neutralization theory in the cybersecurity context that considers the behavior of a given person over time. We conclude the paper by highlighting the contexts and theories that provide the most promising opportunities for future behavioral cybersecurity research using an idiographic approach.

Additional Details
Authors: W. Alec Cram, John D'Arcy, and Alexander Benlian
Year: 2024
Volume: 48
Issue: 1
Keywords: Cybersecurity, information security, idiographic, nomothetic, longitudinal, within-person, between-person, compliance, policy
Page Numbers: 95-136
Copyright © 2023 MISQ. All rights reserved.