Who Is Smart with Their Smartphones? Determinants of Smartphone Security Behavior

Abstract

Smartphones have recently become a major target for cybercriminals due to large amounts of sensitive data and credentials being stored on the devices. To protect themselves against cyberthreats, users can employ a range of security behaviors. Although research has largely focused on computer security, relatively little is known about personal smartphone security behavior. The goal of our study was to evaluate determinants of smartphone security behavior based on the combination of the Health Belief Model and Protection Motivation Theory. We extended the models by including the construct of general security orientation. We also developed a smartphone security behavior scale that measured various aspects of this behavior. The sample included 331 Czech Android smartphone users aged between 26 and 81 years who were not IT specialists by employment or education. Path analysis showed that individuals who perceived a potential smartphone security threat as more severe, had higher smartphone self-efficacy, and general orientation and interest in digital security, and less personal experience with a digital security incident reported more secure behavior on their smartphones. Perceived susceptibility to security threats and family and friends' previous experience with digital security incidents did not predict smartphone security behavior. General security orientation affected smartphone security behavior also indirectly through perceived severity. These findings have theoretical implications for the models and also emphasize the importance of general digital security awareness as well as smartphone training to increase smartphone security behavior.

Introduction

The use of smartphones is constantly increasing.¹ Nowadays, smartphone users use their devices, among others, to store sensitive data or to use financial services.^2–4 Recently, personal smartphones have also been used to log into work-related systems, where additional sensitive data might be processed. This ubiquitous usage has made smartphones a primary target for cybercriminals.⁵ Thus, it is important to evaluate smartphone security behavior and its determinants to improve the security and protect users and organizations.

A lot of research attention has been devoted to studying IT security on organizational^6–9 and personal^10–12 level. Only recently has the research focused on the determinants of behaving securely specifically on smartphones, and it has provided mixed results.^13–15 To study the determinants of IT security behaviors, behavior-change models have been used. We combine the two most widely used models to explain secure behavior on smartphones: the Protection Motivation Theory (PMT)¹⁶ and the Health Belief Model (HBM).^17,18 PMT proposes that protection motivation is predicted by threat and coping appraisals.¹⁶ Threat appraisal is determined by perceived severity and vulnerability, whereas coping appraisal is determined by self-efficacy, response efficacy, and response cost. Protection motivation then predicts the preventive action. Similarly, HBM proposes that perceived severity, susceptibility, benefits and barriers, cues to action, and self-efficacy (added later) are related to behavior.^17,18 These models have plenty of variations and extensions (e.g., general security orientation^7,19). Although developed separately, most of their versions include overlapping constructs. Both models propose that a protective behavior is influenced by the perceived susceptibility/vulnerability and the perceived severity/seriousness of the problem and its consequences, and self-efficacy to perform the protective behavior. Some versions of the PMT also include previous experience with a security incident,¹³ which corresponds to HBM cues to action. In the PMT, these variables influence intention (i.e., protection motivation), which in turn influences behavior, whereas HBM proposes that these variables influence the likelihood of the preventive action directly. This likelihood is often replaced with self-reported protective behavior (as in Ng et al.⁷), which is also the approach in our study.

Our study focuses on several overlapping constructs from both models, namely perceived severity, susceptibility, self-efficacy, and cues to action. To keep our model parsimonious, we omitted constructs specific for each model—perceived barriers and benefits from the HBM, and response efficacy, cost, and rewards from the PMT. Our aim is to evaluate their effects on smartphone security behavior across age groups, including retired users, who are often lacking among respondents in similar studies. We also extend the previous studies by including general security orientation, which is a construct from the HBM that has been scarcely researched.⁷ In addition, a scale to measure various aspects of secure smartphone behavior as opposed to focusing on a single behavior (e.g., phishing avoidance²⁰) was developed for our study, providing a stronger measure for this construct. The proposed model is shown in Figure 1 and the rationale for each hypothesis is presented hereunder.

FIG. 1.

Tested model including hypothesized relationships and control variables.

Perceived severity

Perceived severity describes the subjective evaluation of the seriousness of a problem and its consequences,¹⁸ that is, a smartphone security threat. It is proposed that individuals who perceive the threat as more serious will behave more securely.^16,18 Several studies supported this relationship,^8,12,21,22 however, others did not,^7,10 or provided inconsistent results.^13,23 For example, Thompson et al.¹³ found that perceived severity only predicted smartphone security behavior but that it did not predict computer security behavior. Interestingly, Das and Khan²³ only supported this relationship for users of Blackberry smartphones but not for Android and iOS smartphones.

Nevertheless, consistent with the theory and the majority of research, we hypothesize that perceived severity positively predicts smartphone security behavior (H1).

Perceived susceptibility

Perceived susceptibility is defined as the subjective evaluation of the risk of contracting the problem,¹⁸ that is, a smartphone security threat. Higher susceptibility should lead to higher intention to behave securely and more secure behavior in the end.^16,18 Although studies in the organizational domain support this relationship,^6–9 there is contradictory evidence related to home computer and smartphone security. Although Thompson et al.¹³ supported the positive relationship between susceptibility and secure behavior intentions for both home computer- and smartphone-related behavior, Das and Khan²³ again found this relationship only for Blackberry users. Moreover, several studies did not find any significant effect.^10–12,22

Despite the lack of clarity about this relationship, consistent with the HBM and the PMT, we hypothesize that perceived susceptibility positively predicts smartphone security behavior (H2).

Self-efficacy

Self-efficacy refers to individuals' beliefs about their competence to successfully perform a behavior,^18,24 that is, efficient smartphone usage. The proposed positive influence of self-efficacy on information security behavior has been supported by studies in both the organizational and personal domains.^{7,10,12–14,20} Although there have been a few studies that did not find the effect,^22,25 it is one of the strongest and most supported predictors, both in the PMT and in the HBM.

Thus, we hypothesize that smartphone self-efficacy positively predicts smartphone security behavior both directly (H3a) and through perceived severity (H3b) and susceptibility (H3c).

General security orientation

General security orientation is based on the construct of general health orientation,²⁶ defined as a habit or general predisposition toward health-seeking behaviors. Although health orientation has been found to predict (preventive) health-related behaviors,^19,27 its variation of general security orientation has not been widely researched. The few studies that examined it show inconsistent findings. For instance, Ng et al.⁷ did not show a direct effect for general security orientation on organizational secure email behavior. In contrast, Al-diabat²⁸ recently concluded that general security orientation predicted college students' information security behavior.

We hypothesize that general security orientation positively predicts smartphone security behavior both directly (H4a) and through perceived severity (H4b) and susceptibility (H4c).

Cues to action

Cues to action proposes that a trigger (a cue) is necessary to engage in a desired behavior.¹⁷ In the case of security-related behavior, cues to action can include experience with a security incident, or awareness training and information.^7,29 Two independent sources of experiences were assessed in our study: users' own (personal) and family/friends' experience with a digital security incident. The role of previous experience has been researched by several studies with mixed results. Tsai et al.¹¹ found that previous experience with safety hazards predicted information security intentions. Thompson et al.¹³ suggested that previous experience with a security breach influenced secure behavior intentions on both computers and smartphones through perceived vulnerability. On the contrary, Mi et al.³⁰ and Schymik and Du¹⁰ did not find any effects of previous experience.

We hypothesize that personal (H5a) and family/friends' previous experience (H5b) with a digital security incident positively predict smartphone security behavior.

In line with the original model, we add demographics and experience with smartphones to control for possible confounding effects.

Materials and Methods

Sample

A total of 502 Czech smartphone (Android OS) users participated in the study. Approximately half of the sample, participants aged 26–54 years, was based on quota sampling according to age, gender, and the municipality size by a professional survey agency. Owing to the difficulty of locating older smartphone users (55+ years), we used convenience sampling for this age group. We advertised our study at the university events for older adults and through various organizations (e.g., leisure groups for seniors). Most of the older participants were found through our 24 trained student interviewers.

Out of the total sample, three participants were excluded due to poor data quality and 31 participants because they reported education or employment in the IT sector, which could have biased the results. The main analysis was carried out on a sample without missing values on any of the examined variables and consisted of 331 participants, aged 26–81 years (M = 48.53, Me = 52, SD = 13.94; 57.4 percent women). The reasons for the relatively large attrition are due to the specifics of the smartphone security scale and related missing values (see Measures and Discussion sections). Out of the final sample, 61.6 percent of the participants had primary and secondary levels of education, 38.4 percent had tertiary education. Regarding their occupation status, 63.4 percent worked full time, 7.6 percent worked part time, 14.8 percent were pensioners, 7.6 percent were on maternity leave, 1.5 percent were unemployed, 2.1 percent were students, and 3.0 percent did not provide responses.

Procedure

Data were collected from May 2019 to January 2020 as part of a large-scale face-to-face user evaluation of smartphone authentication methods. After signing an informed consent form, participants completed a questionnaire about their demographics, smartphone security behavior, and smartphone-related variables (∼10 minutes). Then, the participants went through testing scenarios using different authentication methods. After the tasks, participants evaluated the tested methods and provided additional information about their experience with smartphones, and digital threats (∼20 minutes). The study was approved by the institutional review board.

Measures

Measures are presented in Table 1. Items for perceived severity, susceptibility, smartphone self-efficacy, general security orientation, and smartphone security behavior were mostly derived from previous studies and adapted to fit our study (e.g., rephrased from focusing on computers to smartphones). Furthermore, several items were self-developed to precisely capture the intended constructs. Most constructs were measured by three most relevant items, as suggested by Velicer and Fava.³³ The items went through cognitive and pilot testing to ensure their comprehensibility.

Table 1.

Items Used to Measure Constructs and Descriptive Statistics

Items	Answering scale	Source	Descriptive statistics M (SD); Cronbach's α
Perceived severity
1. A security breach on my smartphone would be a serious problem for me. 2. Loss of data caused by someone hacking into my smartphone would be a serious problem for me. 3. Having my confidential information on my smartphone accessed by a stranger would be a serious problem for me.	1 (I disagree) to 4 (I agree)	Verkijika¹⁴; Thompson et al.¹³; derived from Ifinedo⁶; Woon et al.³¹ Adapted from Verkijika¹⁴; Ifinedo⁶; Thompson et al.¹³; Woon et al.³¹ Adapted from Verkijika¹⁴; Thompson et al.¹³; derived from Ifinedo⁶; Woon et al.³¹	3.33 (0.71); 0.87
Perceived susceptibility
1. It is likely that my smartphone will be attacked online. 2. I feel that my smartphone could be vulnerable to a security threat. 3. If I fail to follow basic smartphone security practices, my smartphone could be attacked online.	1 (I disagree) to 4 (I agree)	Adapted from Thompson et al.¹³; derived from Ifinedo⁶ Verkijika¹⁴; Thompson et al.,¹³ derived from Woon et al.³¹ Adapted from Verkijika¹⁴; Ifinedo⁶; Thompson et al.¹³	3.05 (0.61); 0.72
Smartphone self-efficacy
1. I can make use of all the functions that my smartphone offers. 2. I believe that I can work efficiently with my smartphone. 3. I can secure my smartphone myself.	1 (I disagree) to 4 (I agree)	Self-developed Self-developed Adapted from Thompson et al.¹³	2.62 (0.71); 0.81.
General security orientation
1. I try to prevent security incidents in online environment. 2. I am interested in new information in the field of digital security. 3. Digital security is important to me.	1 (I disagree) to 4 (I agree)	Adapted from Ng et al.⁷ Adapted from Ng et al.⁷ Self-developed, derived from security recommendation overview by Watson and Zheng³²	3.26 (0.54); 0.65
Smartphone security behavior
1. I only install applications from trusted providers on my smartphone. 2. I only connect to public Wi-Fi networks on my smartphone that I think are secure. 3. When communicating with other people on my smartphone, I primarily use applications that encrypt communication. 4. I immediately uninstall applications from my smartphone that I have learned may have security issues. 5. When installing applications on my smartphone, I pay attention to what they require access to (e.g., contacts, photos). 6. When I lend someone my smartphone, I pay close attention to what they do with it. 7. I usually use some security feature to unlock my smartphone after the screen turns off (e.g., gesture or numeric code)	1 (I disagree) to 4 (I agree), 5 (not relevant)	Derived from Watson and Zheng³² Self-developed Derived from Watson and Zheng³² Self-developed Self-developed, derived from security recommendation overview by Watson and Zheng³² Self-developed Self-developed, but excluded from the final scale due to low factor loading (standardized loading of 0.267, R² = 0.071)	3.12 (0.60); 0.76 Robust scale fit statistics: χ² = 15.459, p = 0.079, df = 9, χ²/df = 1.718, CFI = 0.980, TLI = 0.967, SRMR = 0.036, RMSEA = 0.054, CI (0.000–0.098)
Smartphone use (years)
1. How long have you been using smartphone?		Self-developed	6.16 (3.60)
Cues to action
Digital security threats include, for example, a virus infecting a computer, smartphone, or tablet, misusing credentials or identity theft. 1. In the past 5 years, how often has something similar happened to you? 2. In the past 5 years, how often has something similar happened to someone close to you?	1 (never) to 7 (very often), recoded for analysis into 0 (no experience), 1 (at least one experience)	Self-developed	Personal experience 24.2 percentFamily/friends' experience 49.7 percent

The scale scores were computed by averaging the scores for individual items where all answers were valid.

CFI, comparative fit index; RMSEA, root-mean-squared error of approximation; SRMR, standardized root mean of the residual; TLI, Tucker–Lewis index.

Smartphone security behavior scale originally consisted of seven items. One item was excluded due to low factor loading. Confirmatory factor analysis supported the unidimensionality (see statistics in Table 1). Unlike in other scales, the answers also included the “not relevant” option, because the scale relied on specific behaviors that not all users might engage in. For a relatively large number of respondents, at least one such behavior was reported as not relevant. We decided to omit these respondents from the analysis, which caused the aforementioned drop in sample size. We compared these respondents in other examined variables (Table 2) and took this into consideration in the Discussion section.

Table 2.

Bivariate Comparison Between Smartphone Security Behavior Scale Subgroups

	Participants with full answers M (SD) or percent	Participants with some “not relevant” answers M (SD) or percent	Independent samples t-test or χ² test
Gender	58 percent females	63.6 percent females	χ² (1, N = 459) = 1.18, p = 0.28, Cramer's V = 0.051
Age	48.81 (13.97)	56.48 (12.99)	t(457) = −5.46, p < 0.001, Cohen's d = −0.56
Education	62.1 percent primary or secondary	55.1 percent primary or secondary	χ² (1, N = 456) = 1.81, p = 0.18, Cramer's V = 0.063
Smartphone use	6.12 (3.59)	4.77 (3.24)	t(452) = 3.59, p < 0.001, Cohen's d = 0.38
Smartphone self-efficacy	2.62 (0.71)	1.98 (0.71)	t(454) = 8.58, p < 0.001, Cohen's d = 0.091
General security orientation	3.26 (0.54)	3.18 (0.68)	t(456) = 1.27, p = 0.21, Cohen's d = 0.15
Perceived severity	3.33 (0.72)	3.31 (0.80)	t(456) = 0.22, p = 0.83, Cohen's d = 0.02
Perceived susceptibility	3.05 (0.61)	3.00 (0.72)	t(455) = 0.72, p = 0.47, Cohen's d = 0.08
Previous experience with incidents: personal	24.1 percent previous experience	15.5 percent previous experience	χ² (1, N = 452) = 3.72, p = 0.054, Cramer's V = 0.091
Previous experience with incidents: family/friends	49.9 percent previous experience	36.5 percent previous experience	χ² (1, N = 450) = 6.12, p = 0.013, Cramer's V = 0.117

To limit the common method bias, the anonymity and confidentiality of the data and the fact that there are no right or wrong answers were stressed. The predictor and dependent variables were also psychologically separated (in different sections of the questionnaire). Owing to the complexity of a latent common method factor model, this approach could not be used to evaluate common method bias. Nevertheless, we included all scale items in confirmatory factor analysis (Harman's single factor test) that did not support unidimensionality, indicating that common method bias is unlikely (robust fit statistics: χ² = 1,093.642, p < 0.001, df = 135, χ²/df = 8.101, comparative fit index [CFI] = 0.500, Tucker–Lewis index [TLI] = 0.434, standardized root mean of the residual [SRMR] = 0.125, root-mean-squared error of approximation [RMSEA] = 0.155, 95 percent CI [0.138–0.153]).

Results

Analyses were performed using IBM SPSS 25 and RStudio (R version 3.5.2). Path analysis with manifest variables was conducted. The model was estimated using robust maximum likelihood estimator. Residual correlation between perceived severity and susceptibility was 0.149. Because both concepts reflect the threat appraisal and their association is theoretically meaningful,^19,22 we continued with a model where the association was allowed. Pearson correlations of the variables are presented in Table 3. The model is depicted in Figure 2 and Table 4.

FIG. 2.

Tested model with standardized estimates. Black arrows indicate significant relationships, gray arrows indicate nonsignificant relationships (*p < 0.05, **p < 0.01). For control variables, standardized estimates are provided for significant paths only.

Table 3.

Pearson Correlation Coefficients

		1	2	3	4	5	6	7	8	9	10
1	Gender (female = 1)
2	Age	0.005
3	Education	−0.051	0.041
4	Smartphone use	−0.279^**	−0.365^**	0.043
5	Perceived severity	0.141^**	0.076	0.016	−0.038
6	Perceived susceptibility	−0.092^*	0.264^**	0.017	−0.111^*	0.327^**
7	Smartphone self-efficacy	−0.166^**	−0.349^**	−0.077	0.441^**	0.097^*	−0.049
8	General security orientation	−0.032	0.201^**	−0.066	0.04	0.380^**	0.405^**	0.239^**
9	Experience with digital threats: personal	−0.076	−0.106^*	0.027	0.182^**	−0.02	0.043	0.08	−0.032
10	Experience with digital threats: family/friends	−0.120^*	−0.106^*	0.041	0.152^**	0.014	0.038	0.147^**	0.053	0.409^**
11	Smartphone security behavior	0.042	0.079	−0.07	0.007	0.444^**	0.165^**	0.317^**	0.516^**	−0.131^*	−0.003

Significant at the 0.05 level.

Significant at the 0.01 level.

Table 4.

Estimates of Direct Effects

Regression path	Estimate	SE	Sig.	CI	Stand. estimate β
SSB ∼ Perceived severity	0.244	0.044	<0.001	0.157 to 0.330	0.287
SSB ∼ Perceived susceptibility	−0.041	0.045	0.354	−0.129 to 0.046	−0.042
SSB ∼ Smartphone self-efficacy	0.189	0.041	<0.001	0.107 to 0.270	0.219
SSB ∼ General security orientation	0.411	0.065	<0.001	0.284 to 0.539	0.368
SSB ∼ Previous experience: personal	−0.173	0.060	0.004	−0.291 to −0.055	−0.122
SSB ∼ Previous experience: family/friends	0.008	0.055	0.880	−0.100 to 0.117	0.007
Perceived severity ∼ smartphone self-efficacy	0.085	0.061	0.161	−0.034 to 0.204	0.084
Perceived severity ∼ general security orientation	0.493	0.078	<0.001	0.341 to 0.645	0.375
Perceived severity ∼ gender	0.284	0.077	<0.001	0.132 to 0.435	0.197
Perceived severity ∼ age	0.001	0.003	0.835	−0.005 to 0.007	0.012
Perceived severity ∼ education	0.044	0.071	0.532	−0.095 to 0.183	0.030
Perceived severity ∼ smartphone use	−0.009	0.012	0.432	−0.032 to 0.014	−0.046
Perceived susceptibility ∼ smartphone self-efficacy	−0.090	0.047	0.057	−0.182 to 0.003	−0.104
Perceived susceptibility ∼ general security orientation	0.469	0.062	<0.001	0.348 to 0.591	0.418
Perceived susceptibility ∼ gender	−0.163	0.065	0.012	−0.290 to −0.036	−0.132
Perceived susceptibility ∼ age	0.004	0.002	0.103	−0.001 to 0.009	0.089
Perceived susceptibility ∼ education	−0.007	0.059	0.909	−0.122 to 0.109	−0.005
Perceived susceptibility ∼ smartphone use	−0.019	0.009	0.037	−0.038 to −0.001	−0.115
SSB R² = 0.404
Perceived severity R² = 0.194
Perceived susceptibility R² = 0.230

Model fit: robust estimations: χ² = 8.869; df = 8; χ²/df ratio was 1.109; CFI = 0.997; TLI = 0.990; SRMR = 0.019; RMSEA = 0.019, 95 percent CI (0.000–0.070).

SSB, smartphone security behavior.

Perceived severity was positively predicted by general security orientation. Moreover, women perceived the threat to their smartphone security as more severe. Perceived susceptibility was also positively predicted by general security orientation. In this case, women felt less susceptible to a threat. Years of smartphone use also negatively predicted perceived susceptibility. No other effects on perceived severity or susceptibility were significant.

Smartphone security behavior was positively predicted by perceived severity (H1 supported), smartphone self-efficacy (H3a supported), general security orientation (H4a supported), and negatively by previous personal experience with digital incidents (H5a not supported). Smartphone security behavior was not significantly predicted by perceived susceptibility (H2 not supported) nor family/friends' experience with digital incidents (H5b not supported). General security orientation exerted its influence on smartphone security behavior also indirectly through perceived severity (H4b supported). No other indirect effects were significant (H3b, H3c, and H4c not supported).

Discussion

Our study evaluated the determinants of smartphone security behavior based on the combination of the HBM and the PMT, extended with general security orientation, and supported a number of effects. It provides an important addition to research on smartphone security behavior by evaluating a largely understudied determinant—general security orientation as well as by including users across all age groups.

The finding that general security orientation positively predicts perceived severity and susceptibility is a novel addition to previous studies that focused solely on direct effects of general security orientation on behavior.^7,28 Moreover, general security orientation exerted its influence on smartphone security behavior both directly and through perceived severity. Based on our findings, we suggest that general security orientation should be included into theoretical models that aim to explain individuals' secure behavior. This finding has strong practical implications and shows that it is vital to emphasize the importance of security and security awareness, which can in turn lead to more secure behavior.

Perceived severity and susceptibility were further influenced by gender. Regarding perceived severity, women perceived it as higher, which is in line with Tsai et al.¹¹ In contrast, women felt less susceptible to threats, which contrasts with Tsai et al.,¹¹ who found the opposite. These effects of gender were not particularly strong and warrant further research. In addition, perceived susceptibility was negatively predicted by years of smartphone usage. This indicates that even when controlling for smartphone self-efficacy, longer experience with smartphones is related to feeling less susceptible to smartphone security threats.

The finding that individuals who perceive a potential smartphone security threat as more serious exhibit higher levels of smartphone security behavior is in line with a number of previous studies^8,12,22 and supports the inclusion of perceived severity in the model. Interestingly, Das and Khan²³ found the effect only for Blackberry users. It is possible that during the data collection in 2013, the Blackberry users differed from the users of other devices in the amount of stored sensitive information. Blackberry phones have been predominantly used by corporations and governments as they offered high security features.^34,35 Whereas, with the present-day expansion of smartphones, more sensitive data are processed irrespective of the operating system (OS). Thus, users might have become more aware of the possible severity of security threats and this has become an important determinant of their behavior.

Another determinant of smartphone security behavior was smartphone self-efficacy. Previous studies largely supported the notion that more competent users behave more securely.^10,13,14 Our definition of self-efficacy was broader to include general smartphone use, yet our results show that even general perceived competence with the device affects secure behavior.

Another predictor of smartphone security behavior was previous personal experience with digital incidents. However, contrary to our hypothesis, participants with personal experience reported lower smartphone security behavior. This is an intriguing finding that is contrary to theory and previous research on information security.¹¹ Nevertheless, when focusing on smartphone behavior specifically, Mi et al.³⁰ did not find any effect of an experience with a hacker attack. A possible explanation might be in the nature of the incident—how severe it was or how easy/difficult it was to solve. If the incident was perceived as trivial, investing energy into preventive action might be perceived as wasted, thus leading to less secure behavior. Future studies should focus on the nature of the experience in more detail. Unlike personal experience, family/friends' experiences did not exert significant influence on smartphone security behavior. An explanation could be that a family/friends' incident could be perceived as a more distant experience than a personal one, thus, it would not influence smartphone security behavior.

Interestingly, our study did not find perceived susceptibility to be a significant predictor of smartphone security behavior, which is contrary to some studies^8,13 and the theory. However, several previous studies did not detect this relationship either.^10,12,22 It could be the case that smartphone users do not fully realize the risks and vulnerabilities associated with the ubiquitous use of mobile computing. From the theoretical point of view, the role of perceived susceptibility, one of the core mechanisms of protection behavior in other areas, remains an open question in digital security. It is possible that in the digital security domain, users' grasp of security threats is still very vague, unlike in other domains (i.e., health). The susceptibility's role, while theoretically plausible, might have an effect only for some people, who reach at least some level of understanding this domain. Assessing and incorporating such a construct (i.e., the users' knowledge) to the theoretical model might be an important theoretical addition that takes into consideration the specifics of digital security.

Limitations and Future Research

Our study has several limitations. First, the tested model did not include all of the determinants from the HBM and the PMT. However, we included the overlapping constructs and aimed for a simple parsimonious model, which would be theoretically justified, usable in short surveys, and still have sufficient explanatory power.

Second, smartphone security behavior was measured on a new scale. As the smartphone features and functionality are continuously evolving, and items from the scale become obsolete quickly, we opted not to conduct a separate study to pretest the scale. Nevertheless, confirmatory factor analysis supported the unidimensionality and functioning of the scale, and the scale also showed a number of expected relationships with other variables, strengthening our confidence in its validity. However, one specific issue relates to our measurement. The scale included different behaviors and as was already mentioned, some behaviors have proven to be irrelevant to a relatively large portion of the participants. These participants were older, had less experience with smartphones, reported lower smartphone self-efficacy, and were less exposed to others' experiences with digital security incidents. Excluding these participants from the analyses led to lower variability on some variables of interest that could have resulted in slightly underestimated effects. The evaluated model might not appropriately describe participants who have lower smartphone self-efficacy and usage. Future studies should focus on this user segment and consider items that would suit less experienced users.

Another important note is that our sample consisted of Android smartphone users only. User security behavior can differ according to used technology,^23,36 probably as a consequence of how manufacturers present, ensure, and promote security or define privacy.³⁷ From this perspective, using only Android users eliminates this possible systematic bias. Nevertheless, we encourage replication of our study with users of different systems.

Practical implications

Our findings have important practical implications. We found that the most significant determinant of smartphone security behavior is general security orientation. This implies that it is crucial to make security a habit for users, to increase their security awareness, and to underscore the importance of their safety and employing security measures. Awareness about the seriousness of a problem could also improve perceived severity, which emerged as another predictor of smartphone secure behavior. Even if awareness improvement is still one of the current challenges, it seems worth investigating how to improve it. However, it should not be misinterpreted that it is desirable to frighten users with possible consequences. Our study also revealed that family/friends' previous experiences with digital incidents did not affect users' smartphone security behavior. Therefore, showing negative examples of digital threats might have limited effect on users. Although we did not assess whether and how relevant the family/friends' experience was to the participant, we presume that the effect would be apparent in cases wherein users perceive high relevance and similarity. We would thus recommend security preventists to provide threat examples that would reflect the typical usage patterns of the program target population.

Another important predictor in our study was smartphone self-efficacy. This believed competence to successfully perform a behavior shows the importance of skills and knowledge—users need to be able to successfully perform intended actions and have control over their smartphone. An intuitive user interface, where users are informed about actions processed on the device (e.g., by clear notifications), can help them to improve their skills and knowledge and make them feel more confident about their smartphone competences. Smartphone OS vendors should continually focus on usability when developing their products.

Footnotes

Authors' Contributions

All authors contributed to all stages of the research process (i.e., study conception, data collection, data analysis, and article writing).

Acknowledgments

The authors would like to thank their grant co-funded collaborator, AHEAD iTec, for developing the evaluated authentication applications and collaborating on the study.

Author Disclosure Statement

None of the authors have any competing interests, personal financial interests, funding or employment interest, or any other competing interests.

Funding Information

This study was supported by the Technology Agency of the Czech Republic under grant number TL01000207.

References

Silver

Smartphone ownership is growing rapidly around the world, but not always equally. Pew Research Center: Global Attitudes & Trends, February 5, 2019. https://www.pewresearch.org/global/2019/02/05/smartphone-ownership-is-growing-rapidly-around-the-world-but-not-always-equally/ (accessed Aug. 1, 2020).

Letić

Mobile banking statistics: the future of money is in the palm of your hand. DataProt, February 6, 2020. https://dataprot.net/statistics/mobile-banking-statistics/ (accessed Aug. 1, 2020).

Cherowbrier

Share of people using internet banking in Great Britain 2007–2019. Statista, June 11, 2020. https://www.statista.com/statistics/286273/internet-banking-penetration-in-great-britain/ (accessed Aug. 1, 2020).

Baluni

Mobile medical apps: a game changing healthcare innovation. Health Works Collective. https://www.healthworkscollective.com/mobile-medical-apps-a-game-changing-healthcare-innovation/ (accessed Aug. 1, 2020).

Chebyshev

Mobile malware evolution 2019. AO Kaspersky Lab, February 25, 2020. https://securelist.com/mobile-malware-evolution-2019/96280/ (accessed Aug. 1, 2020).

Ifinedo

. Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 2012; 31:83–95.

B-Y

, Kankanhalli

, Xu Y(C). Studying users' computer security behavior: a health belief perspective. Decision Support Systems, 2009; 46:815–825.

Siponen

, Adam Mahmood

, Pahnila

. Employees' adherence to information security policies: an exploratory field study. Information & Management, 2014; 51:217–224.

Workman

, Bommer

, Straub

. Security lapses and the omission of information security measures: a threat control model and empirical test. Computers in Human Behavior, 2008; 24:2799–2816.

10.

Schymik

, Du

. Student intentions and behaviors related to email security: an application of the health belief model. Journal of Information Systems Applied Research, 2018; 11:14–24.

11.

Tsai

, Jiang

, Alhabash

, et al. Understanding online safety behaviors: a protection motivation theory perspective. Computers & Security, 2016; 59:138–150.

12.

Yoon

, Hwang

J-W

, Kim

. Exploring factors that influence students' behaviors in information security. Journal of Information Systems Education, 2012; 23:407–415.

13.

Thompson

, Mcgill

, Wang

. “Security begins at home”: determinants of home computer and mobile device security behavior. Computers & Security, 2017; 70:376–391.

14.

Verkijika

. Understanding smartphone security behaviors: an extension of the protection motivation theory with anticipated regret. Computers & Security, 2018; 77:860–870.

15.

Zhou

, Gou

, Gan

, et al. Risk awareness, self-efficacy, and social support predict secure smartphone usage: a threat control model and empirical test. Frontiers in Psychology, 2020; 11:2799–2816.

16.

Rogers

. (1983) Cognitive and physiological processes in fear appeals and attitude change: A revised theory of protection motivation. In: Cacioppo

, Petty

, eds. Social psychophysiology. New York: Guilford Publications, pp. 153–176.

17.

Rosenstock

. Why people use health services. The Milbank Memorial Fund Quarterly, 1966; 4:94–127.

18.

Rosenstock

, Strecher

, Becker

. Social learning theory and the health belief model. Health Education Quarterly, 1988; 15:175–183.

19.

Yazdanpanah

, Forouzani

, Hojjati

. Willingness of Iranian young adults to eat organic foods: application of the Health Belief Model. Food Quality and Preference, 2015; 41:75–83.

20.

Verkijika

. “If you know what to do, will you take action to avoid mobile phishing attacks”: self-efficacy, anticipated regret, and gender. Computers in Human Behavior, 2019; 101:286–296.

21.

Vance

, Siponen

, Pahnila

. Motivating IS security compliance: insights from Habit and Protection Motivation Theory. Information & Management, 2012; 49:190–198.

22.

Martens

, De Wolf

, De Marez

. Investigating and comparing the predictors of the intention towards taking security measures against malware, scams and cybercrime in general. Computers in Human Behavior, 2019; 92:139–150.

23.

Das

, Khan

. Security behaviors of smartphone users. Information & Computer Security, 2016; 24:116–134.

24.

Schwarzer

. (1992) Self-efficacy in the adoption and maintenance of health behaviors: theoretical approaches and a new model. In Schwarzer

, ed. Self-efficacy: thought control of action. Washington, DC: Hemisphere, pp. 217–242.

25.

Ameen

, Tarhini

, Hussain Shah

, et al. Employees' behavioural intention to smartphone security: a gender-based, cross-national study. Computers in Human Behavior, 2020; 104:106184.

26.

Walker

, Thomas

. Beyond expectancy theory: an integrative motivational model from health care. Academy of Management Review, 1982; 7:187–194.

27.

Jayanti

, Burns

. The antecedents of preventive health care behavior: an empirical study. Journal of the Academy of Marketing Science, 1998; 26:6–15.

28.

Al-Diabat

. Investigating the determinants of college students information security behavior using a validated multiple regression models. International Journal of Computer Science and Information Technology, 2018; 10: 81–96.

29.

Janz

, Becker

. The health belief model: a decade later. Health Education Quarterly, 1984; 11:1–47.

30.

, Gou

, Zhou

, et al. Effects of planning and action control on smartphone security behavior. Computers & Security, 2020; 97:101954.

31.

Woon

, Tan

, Low

. (2005) A protection motivation theory approach to home wireless security. In Proceedings 26th International Conference on Information Systems (ICIS 2005) Association for Information Systems. Las Vegas, Nevada, pp. 367–380.

32.

Watson

, Zheng

. (2017) On the user awareness of mobile security recommendations. In Proceedings of the SouthEast Conference (ACM SE '17). New York: Association for Computing Machinery, pp. 120–127. DOI: 10.1145/3077286.307, 7563.

33.

Velicer

, Fava

. Effects of variable and subject sampling on factor pattern recovery. Psychological Methods, 1998; 3:231–251.

34.

Jurevicius

SWOT analysis of Blackberry. Strategic Management Insight, February 16, 2013. https://strategicmanagementinsight.com/swot-analyses/blackberry-swot-analysis.html (accessed Aug. 1, 2020).

35.

Kang

BlackBerry smartphones still reign in Washington, slow-poke capital. Washington Post, September 25, 2013. https://www.washingtonpost.com/business/technology/blackberrys-hope-lies-in-slow-poke-federal-washington/2013/09/25/61b304ee-2610-11e3-b3e9-d97fb087acd6_story.html (accessed Aug. 1, 2020).

36.

Breitinger

, Tully-Doyle

, Hassenfeldt

. A survey on smartphone user's security choices, awareness and education. Computers & Security, 2020; 88:101647.

37.

Green

, Shilton

. Platform privacies: governance, collaboration, and the different meanings of “privacy” in iOS and Android development. New Media & Society, 2018; 20:1640–1657.