Impact of Protection Motivation Theory and General Deterrence Theory on the Behavioral Intention to Implement and Misuse Active Cyber Defense

Current cybersecurity measures have become a major concern for commercial organizations in the United States. As the cyber-attack landscape expands and the skills and knowledge of the cyber-attacker become broader, the current measures that are taken and the laws structured around them are making it increasingly difficult for commercial organizations to detect and prevent infiltration of their more sensitive networks and systems, resulting in subsequent data breaches. For this reason, it has become important to investigate active cyber defense towards developing a balance between the ever-evolving skills of the cyber attacker and the growing need for advanced cybersecurity protection mechanisms. Thus, this research aims to study how fear of cyber-attack, the growing costs associated with defense, and the presumed skill of both attacker and defender impact a cybersecurity experts' intention towards implementing active cyber defense. In addition, this study includes surveying how the certainty and severity of punishment impact the potential to misuse such capabilities. To conduct this research, the quantitative methodology was used, incorporating a survey of cybersecurity experts in commercial organizations. Commercial organizations for the purpose of this study consist of all non-government organization within the US, regardless of industry. This produced 92 complete responses. Linear multiple regression analysis was performed to test and analyze the impact of the variables perceived vulnerability, response efficacy, response cost, self-efficacy, and resource availability of protection motivation theory; and the variables, perceived certainty and perceived severity, of general deterrence theory, on a cybersecurity experts' behavioral intention to implement and potentially misuse active cyber defense, respectively. Statistical analysis of this study shows that there is a positive correlation between the independent variables of protection motivation theory identified in this study and a cybersecurity experts' behavioral intention to implement active cyber defense while also showing the positive behavioral intention to potentially misuse active cyber defense tools once they have been implemented. The implications, based on the results, call for increased discussion with regards to the implementation of active cyber defense in commercial organizations. The results seem to suggest the need for implementing monitoring and auditing as well and also provides the argument to include more controls for adequate attribution and accountability. [The dissertation citations contained here are published with the permission of ProQuest LLC. Further reproduction is prohibited without permission. Copies of dissertations may be obtained by Telephone (800) 1-800-521-0600. Web page: http://www.proquest.com/en-US/products/dissertations/individuals.shtml.]