InfoSec Process Action Model (IPAM): Systematically Addressing Individual Security Behavior.

While much of the extant InfoSec research relies on single assessment models that predict intent to act, this article proposes a multi-stage InfoSec Process Action Model (IPAM) that can positively change individual InfoSec behavior. We believe that this model will allow InfoSec researchers to focus more directly on the process that leads to action and develop better interventions that address problematic security behaviors. Building on successful healthcare efforts that resulted in smoking cessation, regular exercise, and a healthier diet, among others, IPAM is a hybrid predictive process approach to behavioral InfoSec improvement. IPAM formulates the motivational antecedents of intent as separate from the volitional drivers of behavior. Singular fear appeals often seen in InfoSec research are replaced by more nuanced treatments appropriately differentiated to support behavioral change as part of a process; phase-appropriate measures of self-efficacy are employed to more precisely assess the likelihood that a participant will act on good intentions; and decisional balance assessment of pro and con perceptions is monitored over time. These notions better align InfoSec research with both leading security practice and successful comparators in healthcare. We believe IPAM can both help InfoSec research models better explain actual behavior and better inform practical security behavior improvement initiatives.