Redefining threat appraisals of organizational insiders and exploring the moderating role of fear in cyberattack protection motivation

Increasingly sophisticated cyberattacks often systematically target organizational insiders. Their motivation for self-protection has therefore an important role in cybersecurity of orga-nizations. Protection motivation studies in information security literature are largely based on the protection motivation theory (PMT) without proper adaptation to the organizational context. Additionally, only few studies consider the role of fear in protection motivation al-though PMT itself is based on fear appeals. This paper aims to revise PMT to better fit the or-ganizational context of organizational insiders. A survey was conducted among academics ( N = 255) at six Slovenian universities to reexamine threat appraisals of organizational insid-ers, and the mediating and moderating roles of fear of cyberattacks in protection motivation. CB-SEM analysis of survey data supports the distinction between appraisals of threats to the individual and to the organization. It also supports differentiatingbetween perceived threats and fear of cyberattacks. Although we did not find support for the mediating role of fear of cyberattacks, perceived threats may mediate the association between perceived severity and vulnerability, and protection motivation. Only perceived vulnerability of the individual and perceived severity of consequences for the organization affect perceived threats. Perceived threats and measure efficacy influence protection motivation. Fear of cyberattacks damp-ens the positive relationship between self-efficacy and protection motivation. Self-efficacy influences protection motivation only when fear of cyberattacks is low. Interventions aim-ing to increase protection motivation need to focus on raising the perceived vulnerability of individuals, emphasizing the consequences for the organization, and increasing the efficacy of self-protective measures. Interventions aiming to improve self-efficacy may be effective only when there is low fear of cyberattacks and can be avoided when high fear of cyberat-tacks is expected. (c) 2021 Elsevier Ltd. All rights reserved.