The Impact of Threatening Cybersecurity Situations on Employees: A Conceptualization of Security Perplexity
Abstract
As the cybersecurity landscape shifts toward increasingly sophisticated, artificial intelligence–enabled, and unpredictable threats, employees are increasingly targeted as the primary entry points for organizational breaches. Modern incidents, such as zero-day exploits and ransomware attacks, often present employees with situations that are technically complex, unexpected, and ambiguous. In response to these developments, we investigate security perplexity, a tense cognitive state experienced by employees in threatening cybersecurity situations that arises from a conflict between perceived pressure to act and a simultaneous state of confusion and uncertainty about how to do so. Using qualitative surveys that provided accounts of 430 perplexing cybersecurity situations confronted by employees, multiple scenario-based surveys, and an online experiment, we conceptualize security perplexity, develop a scale to measure it, and examine its impact on employees’ coping processes. Drawing on coping theory and the extended parallel process model, we conceptualize security perplexity as a multidimensional construct characterized by the cognitive tension between three interdependent yet conflicting dimensions: confusion, response uncertainty, and pressure to act. Our findings suggest that employees who face perplexing situations engage in either adaptive or maladaptive coping behaviors and do so depending on a tipping point determined by their perceptions of the threat and their coping efficacy. This paper contributes to information security research by providing a rigorous conceptualization of security perplexity. This construct represents a novel lens for theorizing about employees’ responses to the increasingly complex and high-stakes environment of cybersecurity threats.
History: Karthik Kannan, Senior Editor; Atanu Lahiri, Associate Editor.
Supplemental Material: The online appendices are available at https://doi.org/10.1287/isre.2023.0626.
1. Introduction
The cybersecurity landscape has undergone a significant shift in recent years. Cybersecurity threats have become more frequent, severe, and sophisticated (Fortinet 2025, World Economic Forum 2025). Evolving phishing attacks, ransomware-as-a-service attacks, and zero-day exploits now pose rapid and unpredictable threats to organizations, increasingly targeting employees as entry points rather than relying solely on technical vulnerabilities (Oz et al. 2022, Mirsky et al. 2023). Attackers frequently leverage artificial intelligence (AI)-enabled tools (e.g., FraudGPT) to accelerate attack execution, scale campaigns, and manipulate employees into disclosing sensitive information (Fortinet 2025). As a result, employees are routinely confronted with threatening cybersecurity situations that require immediate responses to prevent harm to themselves and their organizations. The expansion of remote and hybrid work has exacerbated these challenges, because employees often manage security-critical situations alone (Torres and Crossler 2025).
To improve the understanding of how employees cope with and combat cybersecurity threats, information security (ISec) researchers have extensively examined the factors that shape employees’ protection motivation, including their threat perceptions, self-efficacy, and emotions (Moody et al. 2018, Cram et al. 2019, Greulich et al. 2024). Recent ISec research has also addressed the situational factors that shape how employees interpret and respond to threats (D’Arcy and Teh 2019, Qahri-Saremi and Turel 2023). Emerging threats in particular have increased the cognitive and behavioral demands on employees (Fortinet 2025, World Economic Forum 2025). Cybersecurity incidents are often ambiguous, unexpected, and technically complex, making it difficult for employees to quickly understand what is happening and decide how to respond (He et al. 2022, Kotsias et al. 2023, Lu et al. 2025, Schneier and Vance 2025). For instance, phishers use sophisticated design tactics to distract employees, and complex security warnings may obscure appropriate courses of action (Jaeger and Eckhardt 2021). In such situations, employees may recognize a serious threat while remaining unsure about how to respond effectively (Chen et al. 2021).
We suggest that these conditions can give rise to perplexity among employees (cf. Berlyne 1960, Shokeen et al. 2023). Perplexity is a temporary cognitive state in which individuals struggle to understand a situation and determine how to respond (Berlyne 1960, Dewey 1997). It arises in situations that resist understanding but demand action (Berlyne 1960, Ryan et al. 2001, Shokeen et al. 2023). Such situations are common in cybersecurity environments, in which employees may encounter phishing attacks, colleagues’ engagement in nonsecure behaviors, or sudden system failures. When cybersecurity situations require immediate action, perplexity can disrupt an employee’s intended response and consequently delay action (Shokeen et al. 2023). Because timely responses are critical for mitigating cyberattacks, such delays can have serious consequences.
Recent ISec research has similarly recognized the importance of the situational demands placed on employees coping with cybersecurity threats (D’Arcy and Teh 2019, Bansal et al. 2021, Jaeger and Eckhardt 2021, Qahri-Saremi and Turel 2023, Lu et al. 2025). Although prior research has examined concepts related to perplexity, such as confusion, response efficacy, cognitive load, and pressure (Haney and Lutters 2018, Jeon et al. 2023, Lowry et al. 2023, Wright et al. 2023, Lu et al. 2025), it remains unclear how perplexity manifests in cybersecurity situations or how it shapes employees’ coping responses. As a result, ISec research has not clearly conceptualized perplexity or demonstrated its predictive value (Greulich et al. 2020). To address this gap, our paper asks two questions: (1) How should security perplexity be conceptualized? and (2) How does it impact employees’ coping processes in threatening situations?
We conceptualize security perplexity, develop a scale to measure it, and examine its impact on employees’ coping processes across three research stages. These stages use qualitative and quantitative methods and follow established guidelines for construct development and validation in the information systems literature (Bagozzi 2011, MacKenzie et al. 2011). We embed security perplexity in employees’ coping processes by drawing on coping theory (Lazarus and Folkman 1984, Lazarus 1991) and the extended parallel process model (EPPM; Witte 1992). We argue that security perplexity reflects a tense cognitive state experienced by employees in threatening cybersecurity situations that arises from a conflict between perceived pressure to act and a simultaneous state of confusion and uncertainty about how to do so. This tension between urgency and limited actionable understanding distinguishes security perplexity from related concepts. We show that employees’ threat appraisals increase their security perplexity, which in turn disrupts their coping appraisals and leads to a distinct set of emotions and coping responses in cybersecurity-threat situations.
2. Overview of Research Design
Although ISec research has examined many antecedents of secure behavior (Moody et al. 2018, Cram et al. 2019), the study of security perplexity offers important opportunities for research and practice (Greulich et al. 2020). First, perplexity manifests in situations marked by puzzlement, gaps between existing knowledge and new information, and uncertainty about which countermeasures to enact (Berlyne 1960, Ryan et al. 2001, Shokeen et al. 2023). Given the complexity of the cybersecurity landscape (Schneier and Vance 2025) and the rise of threats that directly target employees (Fortinet 2025, World Economic Forum 2025), employees increasingly encounter cybersecurity situations they do not fully understand but are expected to address.
Second, although perplexity resembles confusion, it has distinct attributes (Dewey 1997, Shokeen et al. 2023). It is therefore important to distinguish security perplexity from related concepts, such as security-related stress (D’Arcy et al. 2014) and situational security awareness (Jaeger and Eckhardt 2021). Research that clarifies such distinctions can help organizations develop approaches to identifying and addressing employees’ perplexity as opposed to simply resolving their confusion.
Third, educational research has shown that perplexity has dual outcomes. On one hand, perplexity can lead to frustration and delay action, thereby disrupting employees’ responses (Shokeen et al. 2023). Consider a financial controller who, as a result of perplexity, fails to report a suspicious email or falls prey to a social-engineering attack (Pienta et al. 2020). In such cases, perplexity can harm the organization by prompting inappropriate actions or delaying necessary ones. On the other hand, as educational research has suggested, perplexity can stimulate reflective thinking and motivate individuals to resolve situations (Dewey 1997, Rodgers 2002). That is, the perplexity a problem creates can strengthen an individual’s interest in understanding and solving it (Shokeen et al. 2023). For instance, a perplexed network administrator facing a novel form of malware may become deeply engaged in diagnosing irregular network traffic. Understanding the dual outcomes of security perplexity can help researchers and practitioners determine how to mitigate its negative effects while strengthening its positive influence on employees’ coping processes.
Understanding when and why security perplexity arises, what distinguishes it, and how employees respond to it can create opportunities for theorizing (Grover and Lyytinen 2015, Greulich et al. 2020) and help scholars understand complex cybersecurity situations (Jaeger and Eckhardt 2021, Schneier and Vance 2025). Given the limited understanding of security perplexity, our study used qualitative and quantitative research methods (Table 1) and followed established guidelines for construct development and validation (Moore and Benbasat 1991, Bagozzi 2011, MacKenzie et al. 2011). We conducted three stages of empirical research: conceptualizing the construct, validating a measurement scale, and examining the construct’s nomological validity.
Table 1. Overview of the Multistage Research Design
| Research stages (section of manuscript) | Objectives | Data collection | Data analyses | Key findings | Corresponding steps in MacKenzie et al. (2011) |
|---|---|---|---|---|---|
| 1. Developing a conceptual definition of the construct (Section 3) | | | | | Step 1 |
| 2. Validating a scale for measuring the construct (Online Appendix B) | | | | | Steps 2–3 |
| | | | | | Steps 4–6 |
| | | | | | Steps 7–8 |
| 3. Identifying the construct’s impact on cybersecurity nomological networks (Section 4) | | | | | Step 8–9 |
Stage 1, which corresponded to Step 1 of MacKenzie et al. (2011), used an inductive qualitative approach to develop a conceptualization of security perplexity. We reviewed related research and dictionary definitions of “perplexity” (Online Appendix A.1) and collected 430 descriptions of perplexing cybersecurity situations from 298 employees across two online panels. Following MacKenzie et al. (2011), we used iterative coding to specify the construct’s conceptual domain as a cognitive state and its conceptual theme as three situation-bound dimensions. We coded the data iteratively using the six phases of thematic analysis (Braun and Clarke 2006) and followed established qualitative-research guidelines (Lincoln and Guba 1985, Patton 2015, Wiesche et al. 2017). We then compared security perplexity with related ISec constructs to identify its unique attributes (Online Appendix A.5). Section 3 presents the resulting definition and conceptualization.
Stage 2, which comprised multiple studies, validated the scale for measuring security perplexity (steps 2–8 of MacKenzie et al. 2011). We developed measurement items by adapting previously developed scales and reexamining the situations identified in Stage 1 and assessed content validity using an item-ranking task and supplementary analyses, including latent semantic analysis and Word2Vec. We then specified the measurement model and refined the scale through a pilot study with 60 US ISec students and a survey of 229 employees. A subsequent survey of 570 employees provided further evidence of reliability and nomological validity, including relationships with coping responses and security-related chronic stress. Taken as a whole, Stage 2 provided an initial assessment of the outcomes of security perplexity and its effects on employees’ intentions and behaviors. Online Appendix B provides detailed information about the scale-validation studies.
Building on coping theory (Lazarus and Folkman 1984, Lazarus 1991) and the EPPM (Witte 1992) to contextualize coping in cybersecurity settings, Stage 3 embedded security perplexity in the coping process. We developed a research model that embeds security perplexity in employees’ cognitive appraisals and emotional responses, which jointly shape coping efforts. We tested this model using an online experiment with 645 information technology (IT) employees, which corresponded to steps 8 and 9 of MacKenzie et al. (2011), and evaluated its robustness with data from a survey of 401 employees. Online Appendix C provides additional methodological details, and Section 4 presents the research model, methods, and findings.
3. Conceptualization of Security Perplexity
Our review of the literature revealed conceptual ambiguity across disciplines regarding the concept of perplexity (see Online Appendix A.1; Greulich et al. 2020). Most definitions describe perplexity as a temporary cognitive state in which individuals struggle to understand a situation and determine how to proceed (Berlyne 1960, Dewey 1997, Ryan et al. 2001, Shokeen et al. 2023). Perplexity is commonly framed as a situational experience linked to individuals’ awareness of complex conditions. Based on this framing, we identified the core dimensions of security perplexity. To do so, we conducted an inductive qualitative study in an organizational-cybersecurity context, as in step 1 of MacKenzie et al. (2011), to identify the attributes that define the construct and distinguish it from related cybersecurity concepts.
3.1. Collecting Data on Perplexing Cybersecurity Situations
To develop the construct, we administered a structured online survey that asked employees to describe perplexing cybersecurity situations they had encountered at work. We conducted two rounds of data collection. In the first round, we recruited 110 U.S.-based employees through Amazon Mechanical Turk, applying standard quality thresholds (e.g., at least a 95% approval rating and at least 5,000 completed tasks) to ensure reliable responses. In the second round, we used Cint to recruit employees working in IT and security-related roles, focusing on participants who regularly used computers, who handled sensitive information, and who had been exposed to cybersecurity threats at work. This second round yielded responses from 536 employees.
We structured both of the surveys as follows (Online Appendix A.2). The participants received a brief introduction to the cybersecurity context. They then received a short definition and explanation of perplexity, which we paired with illustrative examples drawn from our literature and dictionary review. The participants then identified and described up to three perplexing cybersecurity situations they had encountered at work, explained how they recognized perplexity, and described its consequences for themselves or others. They then provided their demographic information (Online Appendix A.3).
3.2. Analyzing Data to Reveal the Nature of Security Perplexity
A total of 646 employees, including managers, security professionals, developers, administrators, and end users, participated in the surveys. We reviewed all the responses and assessed data quality. Seven participants were excluded for rushing through the survey; on average, these participants completed it in less than 4 minutes (the average for the entire sample was 13.5 minutes), and they typically provided low-quality responses. We excluded 61 responses that did not describe a perplexing situation, such as those that simply left text fields empty, and 34 responses in which participants explicitly reported that they had not experienced a perplexing cybersecurity situation. We removed 133 additional responses that we assessed as low in quality, including responses in which participants expressed an inability to describe a perplexing situation (e.g., “I don’t know”), failed to describe one meaningfully (e.g., “Improve cybersecurity and develop the security system”), or provided irrelevant or repetitive responses (e.g., “hacking; being hacked; being hacked” and “Most of the situation I feel perplexed about cybersecurity at work”).
To ensure data authenticity, we implemented a multistep screening process that identified and excluded AI-generated content. First, we assessed suspicious responses using multiple AI-detection tools in parallel, which flagged content with a high probability of AI generation. Second, we generated a control set of AI-generated responses by prompting ChatGPT and Gemini. This control set provided a direct baseline for comparison that allowed us to identify patterns and specific syntactic markers characteristic of AI-generated content in the participant data. We flagged responses that exhibited high levels of semantic overlap with our AI-generated control set or lacked the context-specific nuances typical of lived workplace experiences. Finally, we reviewed all the flagged responses carefully to ensure that none of them reflected genuine human experiences. This rigorous assessment resulted in the exclusion of 113 responses. Although substantial, this high exclusion rate resulted from a deliberate effort to protect the integrity of our qualitative analysis and ensure that all the responses in our data set reflected authentic workplace situations. After these exclusions, the data set included 298 reliable responses.
Our participants described 609 perplexing situations in total, and many participants described multiple situations. We assessed each situation for quality and contextual fit. After we removed 179 situations that did not meet the study criteria, such as those that did not occur in a work context, the data set comprised 430 valid workplace situation descriptions. For example, one of the invalid responses read as follows: “With the rapid development of technology, the means of network attacks are also evolving and changing. New vulnerabilities are constantly being discovered, and hackers’ attack techniques are becoming increasingly sophisticated.” We excluded this response because it described a general state of uncertainty rather than a specific situation. The final data set contained descriptions of 430 situations, totaling approximately 47,000 words, or about 166 pages.
We used thematic analysis (Braun and Clarke 2006) to code the data and followed the procedure developed by MacKenzie et al. (2011) to specify the construct’s nature. We developed the codes iteratively across the six phases of thematic analysis (Braun and Clarke 2006); the coding process began with the first round of data collection and was supported by ATLAS.ti. We followed established qualitative-research practices, including constant comparison, memoing, and maintaining an audit trail (Lincoln and Guba 1985, Patton 2015, Wiesche et al. 2017). To strengthen reliability and reduce interpretation bias, we assigned the analysis to four coders, including one independent researcher. We met regularly to resolve discrepancies and refine the coding scheme until full consensus was reached. Online Appendix A.2 provides additional details of the qualitative analyses.
We familiarized ourselves with the data (Phase 1; Braun and Clarke 2006) by reviewing each situational description and noting recurring patterns, such as emotional reactions to perplexing situations. We also noted situational conditions that characterized types of cybersecurity situations. Most of the participants’ descriptions of perplexity involved dealing with security countermeasures or incidents (see Section 4.1.1).
Next, we generated initial codes to extract concepts from the data, focusing on preliminary dimensions of security perplexity, its antecedents (i.e., situational conditions), and its consequences (Phase 2; Braun and Clarke 2006), thereby following the established qualitative-research practice of coding for causes, actions, and outcomes (Corbin and Strauss 2015). We used data-driven coding, extracting text segments and labeling them with one or more codes that reflected the language participants used in their descriptions. In the first iteration, we labeled 1,844 text segments with 66 codes in total. For example, we labeled the segment “There was a glitch at work that caused a disturbance situation. Everyone got so scared and did not know what to do to stop the breach” with the code “Perplexity Dimension_Response Uncertainty.”
Next, to aggregate the codes and move to higher levels of abstraction, we identified themes in the coded data (Phase 3; Braun and Clarke 2006). We reviewed the codes and associated text segments to identify sets that corresponded to the overarching themes. For example, because segments coded as “Antecedent_Suprise” and “Antecedent_Malfunction_Countermeasure” described unexpected situations, we merged them into the theme “Antecedent_Unexpected.” This process yielded 30 candidate themes.
We then refined the candidate themes through iterative review (Phase 4; Braun and Clarke 2006). We reanalyzed the text segments associated with each theme to identify the theme’s defining features and, where necessary, introduced additional codes. For example, under the candidate theme “Seeking Help,” we added the codes “Colleagues” and “IT Department” to capture the parties participants approached to alleviate their perplexity. During this review, we observed that genuinely perplexing situations featured a recurring tension between confusion and an urgent need to act. For instance, one participant noted, “I realized it that I was perplexed because I knew we were under attack and needed a solution quickly.” Similar patterns appeared in descriptions of situations that demanded an immediate response, such as “We had to get on this issue [a distributed-denial-of-service (DDoS) attack] quickly and also fix it which prevented it from getting worse or causing more problems,” and in descriptions of situations that disrupted work, such as “It delays the work. Was unable to submit report for the day.” To capture this pattern, we introduced “pressure to act” as a core dimension of security perplexity. We further refined the themes by applying the criteria of Patton (2015) of internal homogeneity and external heterogeneity, merging conceptually similar themes where appropriate. For example, we combined “Antecedent_Lack of Knowledge” and “Antecedent_Not Understanding the Situation” into “Antecedent_Incomprehension.” This process resulted in 1,891 text segments, 121 codes, and 11 themes, which comprised 35 subthemes.
We then identified the essential attributes of each theme (Phase 5; Braun and Clarke 2006), and this led to minor refinements in the coding. Guided by MacKenzie et al. (2011), we clarified the nature of security perplexity, examined how situational conditions give rise to it, and classified its consequences as adaptive or maladaptive coping responses based on prior coping research (Lazarus and Folkman 1984, Carver et al. 1989). Figure 1 summarizes the resulting preliminary nomological network. Online Appendix A.2 provides additional details about the nomological network, and the following section reports the findings, thereby completing the final phase of thematic analysis (Phase 6; Braun and Clarke 2006).

3.3. Conceptualizing Security Perplexity and Identifying Its Unique Attributes
We define security perplexity as a tense cognitive state experienced by employees in threatening cybersecurity situations that arises from a conflict between perceived pressure to act and a simultaneous state of confusion and uncertainty about how to do so. This tension reflects the combination of an urgent need to take action (pressure to act) with an inability to make sense of the situation (confusion) and uncertainty about appropriate coping options (response uncertainty).
Accordingly, we conceptualized security perplexity as a superordinate construct with three interdependent but conflicting subdimensions (MacKenzie et al. 2011, Wright et al. 2012): confusion, response uncertainty, and pressure to act. These dimensions manifest simultaneously and jointly constitute the experience of security perplexity (i.e., the subdimensions are reflective in nature). Confusion and response uncertainty create a cognitive impasse while, at the same time, situational pressures demand immediate action. This tension between urgency and limited actionable understanding is a unique attribute of security perplexity. Following MacKenzie et al. (2011), we explain each of the dimensions and the tension arising from their interdependence. Table 2 summarizes the construct’s conceptualization, and Online Appendix A.4 provides illustrative quotes for each dimension.
Table 2. Construct Conceptualization Based on the Scheme Developed by MacKenzie et al. (2011)
| Factor | Considerations |
|---|---|
| Conceptual domain | General property: Cognitive state |
| | Entity: Person (i.e., an employee) |
| Conceptual theme | Necessary and unique dimensions, which are interdependent yet conflicting: |
| | Dimensionality: A superordinate construct with reflective subdimensions |
| | Stability: A temporary construct that is tied to the arising of a cybersecurity situation |
| Definition of the construct | A tense cognitive state experienced by employees in threatening cybersecurity situations that arises from a conflict between perceived pressure to act and a simultaneous state of confusion and uncertainty about how to do so. |
Confusion is an employee’s failure to correctly understand and interpret a cybersecurity situation, and it may involve a momentary or sustained cognitive impasse (Turnbull et al. 2000). Many participants struggled to understand how an attack occurred, how it operated, or what it implied for themselves or others. For example, one participant noted, “Unexpected network slowdowns and inconsistent firewall alerts created confusion over a potential threat. I realized I was perplexed when I couldn’t pinpoint the cause of the network issues”; another stated, “A trap using AI was set. I had never seen something like it before”; and a third wrote, “I realized I was perplexed when I struggled to interpret the security alerts.” Confusion also arose when security measures had unexpected outcomes or appeared ineffective. One participant asked, “How can data be compromised or stolen with strong protections in place to prevent?” and another reported difficulty in using protective technologies: “I was confused when our VPN software suddenly flagged my routine login attempt as suspicious.” These observations aligned with the findings of prior research on confusing cybersecurity situations, including those involving security training programs (Reeves et al. 2021), security policies (Alshaikh and Adamson 2021, McKellar et al. 2024), situational complexity (Jaeger and Eckhardt 2021, Schneier and Vance 2025), and security alerts (Baruwal Chhetri et al. 2024).
The intensification of employees’ confusion by situational complexity or novelty is a unique attribute of security perplexity. For example, one participant noted, “I realized I was deeply puzzled when I couldn’t make sense of the technical steps required to implement an encryption protocol”; another stated, “There was a data breach at my job where our personal information was captured. I just couldn’t figure out how this could happen”; and a third reported that “I run up against a wall of not understanding what’s happening.” This emphasis on deep puzzlement aligns with dictionary definitions of perplexity, which describe it as marked by bewilderment (Online Appendix A.1). Because confusion reflects employees’ difficulty in understanding situational conditions, response requirements, and the implications of cybersecurity events for themselves or others, it is a core dimension of security perplexity.
Response uncertainty is an employee’s inability to identify and select an appropriate course of action in response to a cybersecurity situation without creating additional risk or harm. It can take two forms, the first of which involves an employee’s lack of awareness of the available countermeasures. As one participant explained, “We initially had no info on what to do during the 2024 CrowdStrike-related incident. So this made things even worse”; as another noted, “In an actual small-scale cyberattack, I’m not clear about what specific responsibilities and actions I should take in my position.”
The second form of response uncertainty involves an employee’s inability to determine whether the available countermeasures will effectively and securely resolve a cybersecurity situation. As one participant explained, “There was a breach in my data from outside sources, and I didn’t know what to do next. I knew it was happening, but was uncertain about the next steps.” Even when employees were aware of potential remedies, they remained unsure about which option would be effective, as reflected in the following comment, “Because of confusion, I may not be thoughtful enough when developing security strategies, resulting in a response strategy that is not comprehensive or effective.” As another participant noted, this uncertainty was often accompanied by a fear of worsening the situation: “I was afraid to do anything and even more afraid to do something that would make it worse.” Prior research on perplexity has similarly highlighted the challenge of choosing among options without knowing which one is best (Berlyne 1960, Shokeen et al. 2023). In cybersecurity contexts, this dilemma is especially consequential, because ineffective actions can cause severe harm to organizations or individuals, as the following observation illustrated: “I realized I was perplexed because we had no way to gain access to our system or stop them from accessing data.” Taken together, these accounts showed that many participants lacked a clear understanding of effective response options.
Pressure to act is an employee’s perceived need, driven by intrinsic or extrinsic forces, to promptly resolve problems arising from a cybersecurity situation. Participants often described an internal drive to overcome confusion and uncertainty in an effort to respond effectively. For example, one participant noted, “The consequence of my perplexity was primarily a delay in the implementation of the DLP [data-loss-prevention] system. I wanted to make sure we got it right, so I spent a lot of time analyzing the different options and configurations.” Such accounts of intrinsic pressure aligned with research showing that perplexity can function as a motivating challenge (Shokeen et al. 2023) by prompting reflective thinking and learning (Dewey 1997, Rodgers 2002).
Participants described pressure stemming from extrinsic forces more often than pressure originating from intrinsic ones. This imbalance reflected the threatening and demanding nature of cybersecurity situations at work. Participants frequently felt responsible for protecting their organizations, as illustrated by comments such as “We had to get on this issue quickly and also fix it, which prevented it from getting worse or causing more problems” and “The security of our company’s data were more vulnerable for a temporary period.” Prior ISec research has similarly shown that perceived security threats can exert pressure on employees (Chen and Zahedi 2016, Liang et al. 2019). Urgency cues, such as deadlines embedded in communications, also increased the pressure experienced by participants, one of whom reported that “I didn’t have an account yet and felt really perplexed because I was given a deadline in the email to have it fixed.” Work-related demands, including expectations that tasks be completed on time, further amplified this pressure, as was reflected in statements like “I stopped midtask, unsure if granting admin access was safe. Task completion was delayed as I waited for IT’s advice” and “The consequences of my perplexity were that I was unable to complete my work on time, causing issues for myself at the start of my job.”
Although educational research on perplexity has not explicitly examined extrinsic pressures, it has investigated perplexity in the context of learning tasks that require timely responses, such as solving math problems (Ryan et al. 2001) or choosing an action in a learning game (Shokeen et al. 2023). Across contexts, a common feature of perplexing situations is thus perceived pressure to respond immediately. In cybersecurity settings, the intensity of this pressure varies with the strength of the intrinsic and extrinsic forces that drive it.
Confusion, response uncertainty, and pressure are interrelated yet conflicting dimensions of security perplexity. They jointly constitute the cognitive tension that is a unique attribute of the construct. Security perplexity is a multidimensional construct, and its dimensions represent manifestations of an underlying cognitive state (MacKenzie et al. 2011). As with other multidimensional constructs, such as trust (McKnight et al. 2002) or source credibility (Pornpitakpan 2004), changes in perplexity affect all of its dimensions. Although the relative strength of each dimension can vary across situations, each of the dimensions reflects a distinct and essential attribute of the construct, and omitting any of them would substantially restrict the construct’s domain (MacKenzie et al. 2011). Put another way, confusion or lack of knowledge alone does not constitute perplexity. Perplexity manifests only when confusion, response uncertainty, and pressure to act are simultaneously present.
Notably, confusion and response uncertainty are related because they have overlapping elements and jointly form a cognitive impasse. Confusion about situational demands can limit employees’ ability to identify effective responses. As one participant explained, “My confusion caused delays in securing sensitive data, leaving me unsure of how to proceed.” Another noted that “confusing alerts and unclear response steps left me uncertain.” Despite this overlap between response uncertainty and confusion, they are distinct dimensions. Even a confused employee can apply countermeasures learned through prior training, but an employee experiencing response uncertainty feels unsure about which countermeasures will be effective. Response uncertainty therefore adds to the experience of perplexity an inability to cope. Further, as prior research has shown, response uncertainty becomes salient when decisions must be made quickly, such as in the presence of a threat (Milliken 1987).
Most importantly, the coupling of pressure to act with confusion and response uncertainty creates cognitive tension for employees. Employees feel compelled to respond immediately even though they lack the knowledge needed to choose and execute an effective countermeasure. According to one participant’s description of a phishing incident, “There was a phishing attack and suddenly everyone was freaking out. IT sent all these confusing emails about changing passwords and checking for suspicious activity. I had no idea what I was supposed to do or if my account was compromised. I wasted a ton of time trying to figure out what to do about the phishing thing.” Pressure to act fundamentally alters the cognitive impasse created by confusion and uncertainty. Confused employees who have sufficient time to act may disengage or become curious, but confused employees who face urgent demands are forced to become aware of their inability to cope. This produces a dissonant state in which employees are compelled to act yet simultaneously unable to do so. Participants often described this tension as paralysis or shock, noting that “I felt stuck and unsure how to proceed” or “I was just in a state of shock.” Participants’ reports of this tension aligned with the description of perplexity of Berlyne (1960) as a conflict between competing beliefs that is exacerbated by urgency and leaves employees disoriented as they attempt to reconcile incompatible demands.
3.4. Distinguishing Security Perplexity from Related Cybersecurity Concepts
Our review of ISec research suggests that employees’ cybersecurity beliefs and traits can be broadly categorized as either relatively stable and enduring (e.g., security-related chronic stress; D’Arcy et al. 2014) or situation specific (e.g., situational ISec awareness; Jaeger and Eckhardt 2021). In this section, we explain how security perplexity relates to these categories. Online Appendix A.5 summarizes related cybersecurity phenomena and their relationships to security perplexity.
At a more general level, prior research has shown that security requirements, including policies and procedures, can lead to chronic stress (D’Arcy et al. 2014), burnout (Pham et al. 2019), and security fatigue (Cram et al. 2021). These stress-related cybersecurity phenomena reflect relatively stable or chronic responses to security demands, such as stress arising from security requirements (D’Arcy et al. 2014) or fatigue due to security policies (Cram et al. 2021). However, such general responses do not reveal what actually happens in stressful situations (D’Arcy and Teh 2019).
Although we acknowledge the general importance of constructs that capture enduring security-related responses, they do not capture the situation-specific factors that shape employees’ cybersecurity behaviors (Jaeger and Eckhardt 2021). Recent ISec research has therefore emphasized situational analysis (Jaeger and Eckhardt 2021, Qahri-Saremi and Turel 2023, Lu et al. 2025). Consistent with this emphasis, we conceptualized security behavior as arising from employees’ perceptions of specific situations. The concept of security perplexity enables researchers to examine employees’ cognitive states in cybersecurity situations, which operate at a different level than the stable beliefs and traits typically examined in security research.
Moreover, the cognitive state captured by our conceptualization is related to but distinct from the situational cybersecurity feelings and beliefs examined in prior research (Online Appendix A.5). Security perplexity shares sources and outcomes with cybersecurity-related emotions, such as irritation, anxiety, and fear. For example, both perplexity and irritation can arise from interruptions in an employee’s workflow (Haney and Lutters 2018, Wu et al. 2020), and perceived security threats can exert pressure to act (Liang et al. 2019), contributing to perplexity. Research has also examined episodic stress, which results from situational stressors, including overload (Galluch et al. 2015) and hindrance (D’Arcy and Teh 2019). Our qualitative data similarly indicate that perplexity can lead to episodic stress (refer to Section 4.1.3). Despite these similarities, however, security perplexity is conceptually and theoretically distinct from stress in terms of its temporality, inner functioning, and role in the nomological network. Perplexity reflects a cognitive tension, whereas stress reflects psychological depletion when demands exceed employees’ capacities (Lazarus and Folkman 1984, Tarafdar et al. 2019). Perplexity disrupts coping appraisal (see Section 4), whereas stress is a process that manifests as strain (Ayyagari et al. 2011, Maier et al. 2015, Tarafdar et al. 2019). Online Appendix A.5 provides a detailed account of these distinctions.
Moreover, unlike related situational concepts, the concept of security perplexity captures a cognitive state that can lead to both adaptive and maladaptive coping responses. For example, user irritation reflects a negative reaction to disruptive stimuli (Wu et al. 2020), but it does not have dual outcomes. Security perplexity is also distinguished by its interaction with individuals’ information processing, including situational ISec awareness (Jaeger and Eckhardt 2021). Because perplexity can disrupt information processing (Shokeen et al. 2023), it may diminish the ability of perplexed employees to interpret situational cues and understand what is at stake, thereby undermining situational ISec awareness. Overall, our conceptualization distinguishes security perplexity from related concepts and shows why studying it can yield unique insights into cybersecurity behavior. In the next section, we embed security perplexity in a nomological network to clarify its role and value.
4. Impact of Security Perplexity on Employees’ Coping Processes
4.1. Embedding Security Perplexity in the Coping Process
Because our concept of security perplexity is novel, its predictive value and its fit with widely used cybersecurity theories remain unclear. ISec research has often focused on what motivates individuals to protect their own and their organization’s information resources against “any threat for which there is an effective recommended response that can be carried out by the individual” (Floyd et al. 2000, p. 409). To explain how security perplexity shapes protection motivation, we drew on coping theory, a well-established framework for understanding how individuals interpret and respond to threatening situations. Coping theory conceptualizes responses as a process of cognitive appraisal followed by emotional reactions that jointly shape behavioral efforts to address a threat (Lazarus and Folkman 1984, Lazarus 1991). We embedded security perplexity in employees’ coping processes by synthesizing coping theory with findings from Stages 1 and 2 of our study (Figure 2). We propose that perplexity disrupts the core, interrelated components of coping, as follows:
Situation: Employees encounter potentially threatening or challenging situations that require action to protect themselves and their organization. Employees often become perplexed when facing security incidents or considering challenging security countermeasures. Situational conditions, including incomprehensibility, overwhelm, unexpectedness, and threat, along with personal conditions, such as chronic stress or security knowledge, shape employees’ cognitive appraisals and contribute to the experience of security perplexity.
Appraisal: Employees assess the situation and its specific conditions through cognitive appraisal. They engage in primary appraisal to evaluate the nature and severity of a threat and in secondary appraisal to assess the available countermeasures and their ability to manage the situation. When employees appraise threats as moderate to high, the cognitive demands of primary appraisal increase, strengthening the likelihood that security perplexity will emerge. Perplexity then disrupts secondary appraisal, because employees feel pressure to act while they remain disoriented and unsure about how to do so.
Emotional responses: Employees experience emotional responses that depend on the outcomes of the appraisal process. We argue that the cognitive impasse and tension associated with perplexity give rise to negative emotions, including fear, frustration, embarrassment, and episodic stress. Although it is possible that these conditions of perplexity could also occasion positive emotions, such as relief or joy (Lazarus 1991), we did not observe such emotions during Stage 1.
Coping: Based on the interaction of the preceding components, employees manage the situation and regulate their emotions through coping. Perplexed employees may engage in strategies of adaptive coping, such as addressing the threat and reducing its impact, or in those of maladaptive coping, such as adopting a defensive posture to manage emotional discomfort. We argue that perplexity increases the likelihood of maladaptive coping because it disrupts employees’ assessments of their coping efficacy, leading them to prioritize defensive responses over direct threat mitigation.

Source. Adapted from Lazarus (1991, p. 210).
Although the coping process is constrained by environmental conditions and the availability of countermeasures, it is dynamic and recursive. Each component of the process influences the others through feedback loops, such as those in which emotions shape subsequent cognitive appraisals (Lazarus and Folkman 1984, Beaudry and Pinsonneault 2010).
Coping theory is well suited to explaining how employees respond to cybersecurity incidents, because it links cognitive assessments of and emotional responses to threatening situations to employees’ thoughts and actions. Its components therefore underpin several prominent theories of security behavior, including the EPPM (Witte 1992), protection motivation theory (PMT) and its extensions (Rogers 1975, Floyd et al. 2000), technology threat avoidance theory (Liang and Xue 2009), and the unified model of ISec policy compliance (Moody et al. 2018).
As Lazarus and Folkman (1984) emphasized, “coping thoughts and actions are always directed toward particular conditions” (p. 143). It is therefore crucial to examine coping in a narrow context. We built on the EPPM (Witte 1992, Witte et al. 1996) and our preliminary findings from Stages 1 and 2 to contextualize employees’ coping processes and explain the effect of security perplexity. We used the EPPM because (1) it has been widely used to study protection motivation and how employees respond to threatening situations at work (Chen et al. 2021, Lowry et al. 2023) and complements related theories, such as PMT (Boss et al. 2015, Lowry et al. 2023); (2) it specifies constructs relevant to threat and coping appraisal (e.g., fear, perceived threat severity and susceptibility), thereby helping us contextualize general coping theory (Witte 1992); (3) it permits the development of a dual-route model that includes adaptive and maladaptive outcomes (Witte 1992, Chen et al. 2021), which aligns with the dual outcomes of perplexity (Dewey 1997, Shokeen et al. 2023); and (4) it proposes a discriminant value (Witte 1992) that helped us determine when perplexity leads to adaptive coping responses and when it leads to maladaptive responses.
In the next section, we explain how security perplexity is embedded in the coping process (Figure 2) and interacts with the EPPM’s core predictions (Figure 3).

4.1.1. Situation: Situational and Internal Conditions Relevant to Perplexing Situations.
At the heart of the coping process is a threatening, challenging, or potentially harmful situation encountered by an employee (Lazarus and Folkman 1984, Witte 1992). Our analysis of perplexing situations indicated that participants experienced perplexity when encountering a variety of events, providing empirical evidence of its presence. These events can be broadly classified as either threatening security incidents (e.g., a phishing attack) or challenging security countermeasures (e.g., setting up multifactor authentication). Table 3 summarizes these situations, and Online Appendix A.2 provides illustrative quotes for each.
Table 3. Overview of Perplexing Cybersecurity Situations at Work (#coded)
| Situation Theme (#coded) | Situation (#coded) |
|---|---|
| Threatening security incident (356) | |
| Attack (272) | Phishing attack (76) |
| | Malware (53) |
| | DoS or DDoS (8) |
| | Data breach (54) |
| | Hacking (35) |
| | Insider (15) |
| Nonsecure behavior (26) | Self (3) |
| | Others (23) |
| System (58) | Warning/alert (42) |
| | Bug (5) |
| | Performance decline (11) |
| Challenging countermeasure (131) | |
| Organizational measures (24) | Policy (13) |
| | Process (11) |
| Installation and use of technical measures (107) | Antivirus (26) |
| | Encryption (7) |
| | (Multifactor) authentication (22) |
| | Security program (20) |
| | VPN (5) |
Note. Some situation codes were assigned to multiple situations, and some of the text segments were directly assigned to higher-level codes.
According to coping theory, the specific conditions of a situation (e.g., its predictability) affect the coping process (Lazarus and Folkman 1984, Bagozzi 1992). These conditions determine whether employees deem a situation threatening or challenging during appraisal. To explain how perplexity impacts the coping process, it is therefore crucial to identify the situational conditions that foster its emergence. Our Stage 1 findings revealed that perplexing situations are characterized by four situational conditions: Situations were (1) incomprehensible, (2) overwhelming, (3) unexpected, or (4) threatening. Participants often became perplexed when a combination of these conditions was present or when certain conditions were particularly pronounced.
Perplexing situations were incomprehensible when they contained a high degree of ambiguity or contradiction. This was the case when a participant received an authentic-looking phishing email: “The communication was sent by an internal resource and with specific company information for an event that could not plausibly occur short of it being an inside job. That was the perplexing factor, because outside of an internal employee with very specific knowledge to cite an event of its nature, there’s no way an external threat could’ve posed the same communication convincingly.” Other participants were perplexed by sudden malfunctions in security features that interrupted their work: “One day the 2FA stopped working for me, and I couldn’t figure out why.” Even though participants may have received cybersecurity training, they may have been unable to understand the situation, may have lacked relevant knowledge, or may have been unable to interpret its demands due to the situation’s novelty. Like our participants’ reports, educational research has suggested that perplexity emerges when individuals lack relevant knowledge or encounter new information (Ryan et al. 2001).
Some participants reported that perplexity arose in overwhelming situations characterized by frequent and complex warnings, which taxed their ability to process information and select a response. Participants struggled to prioritize cues and determine appropriate actions, leading to hesitation and indecision. As one participant explained, “I realized that I was confused because I often hesitated and didn’t know how to choose when faced with various prompts and options that popped up by antivirus software.”
Likewise, unexpected situational conditions increased the likelihood of perplexity by disrupting employees’ expectations and sensemaking. For example, one participant described a surprising cyberattack: “I was surprised by the damage the attack did and how it took down all the servers.” Participants reacted similarly when security measures failed, systems malfunctioned, or unexpected notifications appeared. Consistent with research showing that discrepancies between expectations foster perplexity (Ryan et al. 2001), the shock triggered by such events can impair employees’ cognitive processing (Lee and Mitchell 1994).
Finally, participants experienced a variety of situations as threatening, which heightened their perplexity by increasing perceived risk and urgency. Participants described their concerns about the likelihood and severity of attacks as well as experiences of suspicion that were triggered by situational cues. As one participant reported, “I received an email from a potential client including instructions that seemed suspicious.” Perceived threat thus intensified perplexity by amplifying the need to respond in the midst of unresolved uncertainty.
In addition to situational conditions, coping theory emphasizes the role of personal conditions in shaping appraisal (Lazarus and Folkman 1984). These conditions include personality traits, commitments, and stable beliefs, which influence what employees attend to, how they interpret situations, and how they respond emotionally and behaviorally. Our Stage 2 findings provided preliminary evidence that high levels of security perplexity are associated with low levels of resilience (Smith et al. 2008) and heightened security-related chronic stress (D’Arcy et al. 2014). Personal conditions therefore shaped both the emergence of security perplexity and its effects on participants’ coping processes.
4.1.2. Appraisal: Security Perplexity’s Role in Employees’ Primary and Secondary Appraisal Processes.
Employees engage in two interrelated cognitive appraisal processes to determine whether and how to cope with a situation: threat appraisal and coping appraisal (Lazarus and Folkman 1984, Moody et al. 2018, Lowry et al. 2023). When employees encounter a threatening or challenging situation, such as a fear-inducing message, they first conduct a primary appraisal to assess the nature and severity of the threat (Witte 1992, Lowry et al. 2023). In other words, employees first ask, “What is happening? What is at risk in this situation?” They then engage in secondary coping appraisal by evaluating whether they have the ability and resources to respond effectively (e.g., “Do I know how to resolve this?”). These appraisals can occur deliberately or automatically, depending on the situational and personal conditions (Bagozzi et al. 1999). Based on our findings from Stages 1 and 2 and prior ISec research, we propose that security perplexity plays a central role in both appraisal processes; that is, the primary appraisal of situational conditions and threats increases employees’ perplexity, which then impairs their coping appraisal and shapes their evaluations of their ability to respond.
4.1.2.1. Primary Appraisal: Perceived Threat Fosters the Emergence of Security Perplexity.
According to coping theory, primary appraisal involves an employee’s evaluation of a situation’s nature, conditions, relevance, and potential consequences (Lazarus and Folkman 1984). When employees encounter a security incident, such as a suspected data breach, this appraisal is triggered by an immediate attempt to understand what is happening and what is at risk (Chen et al. 2021). During this appraisal, employees assess both the potential severity of harm and the likelihood that such harm will occur, forming perceptions of threat severity and vulnerability (Witte 1992, Lowry et al. 2023). Employees actively interpret situational cues to determine whether the situation represents a manageable challenge or a serious threat (Lazarus and Folkman 1984, Chen et al. 2021). Therefore, situational conditions, such as overwhelm and unexpectedness, play a critical role in shaping this appraisal.
Coping theory posits that perceived threat level shapes an employee’s ability to draw on coping resources (Lazarus and Folkman 1984). When employees appraise a situation as moderately to highly threatening, they may struggle to form a coherent understanding of what is occurring and what is at risk. Our Stage 1 findings showed that participants often experienced such high-threat situations as incomprehensible, overwhelming, or unexpected; these conditions can impede sensemaking during primary appraisal. For example, employees may be overwhelmed by the complexity of an AI-based phishing attack or shocked by an unexpected ransomware warning. As a result, primary appraisal can reach a cognitive impasse in which urgent attention is required but understanding remains limited, increasing the likelihood that security perplexity will emerge.
Accordingly, we propose that security perplexity emerges during primary appraisal and that perceived threat serves as a central catalyst of that emergence. Formally, when employees appraise a cybersecurity situation as moderately to highly threatening based on situational and personal conditions, the cognitive demands of primary appraisal increase, triggering the emergence of security perplexity across its three dimensions.
First, high-threat situations foster confusion. Modern cybersecurity attacks are increasingly complex and difficult for employees to understand (Chaudhary et al. 2018), reflecting a “cybersecurity landscape [that] faces unprecedented challenges due to the sophistication and frequency of modern cyber threats” (e.g., botnets and zero-day exploits; Salem et al. 2024, p. 2). Employees may struggle to understand how an attack operates, how systems are affected, or what consequences may follow. A participant who observed repeated network attacks described this confusion: “We could see in real time the continuous, high number of connection attempts that were being made from foreign countries. I realized I was perplexed because this information was overwhelming to me. I never thought about them in live terms. We are a high value target.” When threats are perceived as severe, unexpected, or overwhelming, employees may be unable to make sense of the situation and may instead experience confusion.
Second, the evolving nature of severe threats intensifies employees’ response uncertainty. As AI-driven attacks and advanced persistent threats become more sophisticated and evasive, it is increasingly difficult for employees to identify secure responses (Oz et al. 2022, Mirsky et al. 2023, Fortinet 2025). In high-threat scenarios, employees must also evaluate the effectiveness of multiple defensive layers, which range from technical safeguards to mindful actions (Dhillon et al. 2021). Our qualitative findings showed that even some experienced security professionals became uncertain when confronting novel threats or unexpected failures of security measures. As one participant noted, “I was perplexed because we have never been exposed to something like this before, with our high protection.” When threats are harmful or unfamiliar, employees struggle to determine which countermeasures will be effective.
Third, perceived threat functions as an extrinsic force that generates pressure to act (Liang et al. 2019). When employees appraise a threat as severe and likely, they experience an urgent need to resolve it in order to limit potential harm (Goode et al. 2017, Naseer et al. 2024) and are generally more motivated to protect their organization (Chen et al. 2021). Urgency cues associated with severe threats further constrain cognitive resources, narrowing employees’ attention and diminishing their ability to evaluate alternative responses (Vishwanath et al. 2011). As a result, pressure to act limits the time and cognitive capacity needed to resolve confusion and uncertainty, which increases the likelihood that employees will remain in a state of security perplexity.
In sum, we argue that an employee’s appraisal of threat severity and vulnerability increases the likelihood that security perplexity will emerge. As a result of such appraisals, employees may feel pressure to act to avert severe consequences even though they are confused about how a threat operates and uncertain about which countermeasures will be effective. Accordingly, we propose the following.
Employees who appraise the severity of a threat as moderate to high are more likely to become perplexed.
4.1.2.2. Secondary Appraisal: Security Perplexity Disrupts Employees’ Coping Appraisals.
When employees perceive the severity of a threat as moderate to high, they initiate the secondary appraisal process (Lazarus and Folkman 1984, Witte 1992), in which they evaluate the available countermeasures, the potential effectiveness of the countermeasures, and their ability to carry them out (Witte 1992, Vance et al. 2022). In cybersecurity contexts, this appraisal centers on response efficacy and self-efficacy (Witte 1994, Lowry et al. 2023). Because security perplexity combines confusion and uncertainty with urgency, we propose that it disrupts employees’ coping appraisals, impairing their ability to determine which countermeasures will be effective and executable.
First, confusion can undermine employees’ coping efficacy. Perplexed employees often struggle to meet situational demands because their confusion limits their understanding of what is occurring. As one participant noted, “The consequence of my confusion is that I can’t solve this problem”; another stated, “We could not figure out how to completely fix the damage from the DOS attack.” However, as Jaeger and Eckhardt (2021) showed, effective coping requires “up-to-the-minute understanding of the situation” (p. 438), which enables employees to feel confident in selecting and executing appropriate responses. In contrast, because perplexed employees are confused by and uncertain about how to respond to threats, they are less likely to feel capable of addressing them.
Moreover, assessing the effectiveness of countermeasures is inherently difficult in cybersecurity contexts, because reliable metrics are scarce and the absence of incidents does not imply that countermeasures are effective (Zhang and Malacaria 2025). Perplexity amplifies this difficulty by undermining employees’ ability to determine which responses will reduce a threat. As one participant explained, “An email that contained a virus, based on my previous training, it was unclear how I needed to proceed to protect my computer. When I found multiple avenues to go down to fix my situation, there wasn’t a clearly defined path.” Decision-making research has shown that uncertainty constrains information processing and can delay or prevent action (Milliken 1987, Lipshitz and Strauss 1997). As one comment indicated, perplexed participants sometimes recognized multiple response options yet understood that no perfect response existed: “I must have read those phishing alert emails five times and still didn’t know what actions to take.” As a result, response uncertainty weakened participants’ ability to appraise response effectiveness during coping appraisal.
Perplexed employees also experience pressure to act, which further undermines their ability to cope. Decision-making research has shown that time pressure constrains evaluation, leading individuals to consider fewer options and to make decisions before fully assessing the alternatives (Starcke and Brand 2012, Wu et al. 2022). Participants repeatedly noted that perplexing situations involved this kind of urgency. As one stated, “We were under attack and needed a solution quickly”; and, as another reported, “We had to get on this issue quickly.” This pressure constrained their deliberation, exacerbating the difficulty of selecting an effective countermeasure.
In summary, security perplexity combines confusion, response uncertainty, and perceived urgency, reducing employees’ ability to engage in effective coping appraisal. Accordingly, we propose the following.
Employees who are perplexed have less coping efficacy.
4.1.3. Emotional Response: Security Perplexity Evokes a Set of Emotions.
According to coping theory, emotions arise from appraisal outcomes (Lazarus 1991), a view consistent with broader emotion frameworks (Bagozzi 1992) and information systems research on coping (Beaudry and Pinsonneault 2010, D’Arcy and Teh 2019). Emotions reflect states of cognitive readiness, and they are accompanied by physiological responses and action tendencies that shape coping behavior (Bagozzi 1992). Although appraisal typically precedes emotions, feedback loops and reappraisal processes allow emotions to influence subsequent appraisal and coping (Lazarus 1991, Bagozzi 1992).
Because security perplexity emerges during and disrupts the appraisal process, appraisal outcomes and the resulting emotions are likely to change (Lazarus 1991). We argue that the tense cognitive impasse created by perplexity drives negative emotional responses. Drawing on our Stage 1 findings, we focused on four emotions linked to distinct appraisal outcomes: fear, which occurs when perplexity heightens concern about a threat; frustration, which occurs when it obstructs goal attainment; embarrassment, which occurs when it threatens the employee’s social image; and strain, which results from the episodic stress associated with the disruption of appraisal (Lazarus 1991, Beaudry and Pinsonneault 2010). Emotional responses are likely to vary among employees, because individual employees may appraise the same situation differently (Lazarus 1991, Beaudry and Pinsonneault 2010).
4.1.3.1. Fear.
Fear is a negatively valenced emotion that arises in response to perceived danger and manifests as anxiety, nervousness, or worry (Witte 1992, 1994; Boss et al. 2015; Lowry et al. 2023). Perplexed participants frequently experienced such feelings, noting that “I felt overwhelmed with anxiety at not knowing which data could be stolen,” “I lived in a state of worry. I was very afraid my info would be taken,” and “I spent the entire day scared for my job.” Confusion about a threat’s potential consequences and uncertainty about the effectiveness of countermeasures amplified the fear of perplexed participants as they struggled to assess losses and prevent harm; for example, one participant “felt uneasy and sought validation from colleagues.” Research has similarly shown that uncertainty fosters fear (Carleton et al. 2007, Carleton 2016) and that threat-laden situations heighten emotional discomfort (Liang and Xue 2009). Thus, we posit that security perplexity increases employees’ fear.
Hypothesis 3a. Employees who are perplexed are more likely to experience fear.
4.1.3.2. Frustration.
Frustration arises when individuals encounter obstacles that block their goal attainment (Dollard et al. 1939, Berkowitz 1989). In the context of a cybersecurity incident, an employee’s primary goal is to resolve the threat so that normal work can resume. Security perplexity functions as a cognitive obstacle, because confusion and response uncertainty obscure the path to an effective solution, thereby fostering frustration. Our qualitative data reflected this dynamic; participants noted that “frustration built up due to encountering obstacles that couldn’t be overcome” and “decision-making slowed, causing frustration.” Prior research has similarly shown that interruptions and ambiguity that impede goal progress evoke frustration (Dollard et al. 1939, Bessière et al. 2006), particularly during the performance of security-related tasks (Jeon et al. 2023, von Preuschen et al. 2024). Unlike a simple lack of skill, response uncertainty reflects a state of disorientation in which the path to a secure solution is obscured, reducing the likelihood of goal attainment and fostering frustration (González-Gómez and Hudson 2024). This dynamic was reflected in participant statements such as “frustrated that we couldn’t fix the situation on our own and had to call in experts.” Pressure to act exacerbates this cognitive obstacle by forcing employees to become aware of their inability to resolve the problem immediately. When employees strongly desire to achieve the goal and avoid time losses or organizational damage yet lack a clear and actionable path forward, their frustration is amplified (Ceaparu et al. 2004, Bessière et al. 2006). Accordingly, we propose that security perplexity increases frustration when employees cannot control the situation or its outcomes despite its high stakes.
Hypothesis 3b. Employees who are perplexed are more likely to experience frustration.
4.1.3.3. Embarrassment.
Embarrassment arises when individuals determine that their behavior violates social expectations and threatens their social image (Miller 1992, Šipka et al. 2025). Such social evaluation is salient in cybersecurity contexts, in which employees seek to avoid peer disapproval or supervisory sanctions when performing security-related tasks (Herath and Rao 2009, Siponen et al. 2014). Security perplexity increases the likelihood of embarrassment, because it undermines employees’ ability to enact socially appropriate security behaviors in observable situations. When perplexed, participants could struggle to interpret incidents appropriately and sometimes chose countermeasures that were later judged as inappropriate by others, particularly IT staff. As one participant confessed, “I felt really dumb that I was spending so much time fighting with the virus software.” Uncertainty about how to proceed under observation is a common trigger of embarrassment (Miller 1992, Keltner and Buswell 1997). Pressure to act reduced participants’ opportunities to seek clarification or conceal their uncertainty, which increased the visibility of their hesitation. As one respondent noted, “Credibility suffered as colleagues observed the struggle.” Help seeking can exacerbate embarrassment, because turning to the IT department creates a form of forced disclosure in which employees’ competence is subjected to evaluation by security specialists (cf. Pienta et al. 2024), which elicits embarrassment (Keltner and Buswell 1997, Šipka et al. 2025). Accordingly, we posit the following.
Hypothesis 3c. Employees who are perplexed are more likely to experience embarrassment.
4.1.3.4. Emotional Strain as an Outcome of Episodic Security-Related Stress.
Security-related stress is a form of psychological technostress that arises when employees perceive an imbalance between situational security demands and their cognitive abilities (Ayyagari et al. 2011, D’Arcy and Teh 2019). Consistent with coping theory, such stress emerges from the appraisal of security demands (referred to as stress creators) and manifests as psychological strain, which includes emotional exhaustion and fatigue (Ayyagari et al. 2011, Nastjuk et al. 2024). For example, employees may feel overloaded when security requirements increase their workload or impose additional time pressure on everyday tasks (D’Arcy et al. 2014).
We posit that security perplexity fosters strain as an outcome of episodic stress. On one hand, it disrupts employees’ appraisal processes. Perplexity emerges during the primary appraisal of a threatening situation, prompting employees to pause their work to understand the threat. Such task interruptions can increase strain (Galluch et al. 2015). Perplexity is also likely to heighten employees’ awareness of the demand–resource imbalance, because confusion and response uncertainty signal insufficient understanding of security demands. This heightened recognition of imbalance increases stress (Tarafdar et al. 2007).
On the other hand, security perplexity disrupts coping appraisal and consumes cognitive resources. It manifests as a cognitive impasse in which employees feel stuck, unable to determine what is at stake or how to proceed. As one of our participants commented, “I felt stuck and unsure how to proceed.” Perplexed employees consequently engage in urgent sensemaking efforts to resolve their confusion and response uncertainty, which requires substantial cognitive effort. This increased cognitive demand depletes resources and heightens stress (Ayyagari et al. 2011). Perceived urgency further accelerates resource depletion, placing additional strain on employees (Vishwanath et al. 2011).
Security perplexity amplifies episodic stress by increasing employees’ awareness of the demand–resource imbalance and accelerating cognitive-resource depletion during appraisal. Accordingly, we posit the following.
Hypothesis 3d. Employees who are perplexed are more likely to experience episodic stress (i.e., strain).
4.1.4. Coping: The Outcomes of Security Perplexity Depend on the Discriminant Value.
Employees’ coping responses are both shaped by cognitive appraisal and emotional states and constrained by the range of available resources and environmental conditions (Lazarus and Folkman 1984, Lazarus 1991, Bagozzi 1992). Employees manage threatening situations through cognitive and behavioral coping efforts, which are commonly categorized as adaptive or maladaptive (Wang et al. 2017, Chen et al. 2021).1 Our Stage 1 findings show that participants engaged in both forms of coping when facing perplexing situations. Adaptive coping involves directly addressing the threat to reduce its impact, consistent with protection motivation (Lazarus and Folkman 1984, Chen et al. 2021). Maladaptive coping involves adopting a defensive posture, focusing on emotional regulation, avoidance, or negative reactions rather than threat mitigation.
We build on the EPPM to determine when perplexed employees are likely to engage in adaptive coping and when they are likely to engage in maladaptive coping. The EPPM posits that threat appraisal, coping appraisal, and the resulting fear jointly determine coping responses. When employees perceive a threat, they engage in danger control or fear control (Witte 1992, 1994; Chen et al. 2021). Witte (1992, 1996) introduced a discriminant value as a tipping point to distinguish these responses, based on the comparison between perceived coping efficacy and perceived threat. When perceived threat outweighs coping efficacy, fear control dominates. We use this tipping-point logic to explain how security perplexity leads to dual coping responses among employees.
Employees engage in danger control when perceived coping efficacy outweighs perceived threat (Witte 1992, 1994). Under these conditions, employees deliberately confront the threat by engaging in adaptive coping behaviors to reduce its impact. Our Stage 1 findings showed that many participants engaged in adaptive coping despite experiencing security perplexity. Some participants reported engaging in task-focused coping, such as pausing to reflect and evaluate options, as illustrated by comments like “I paused” and “When confused, I may spend more time researching and thinking, causing a delay in the decision-making process.” Employees also engaged in help seeking to overcome confusion and uncertainty (Carver et al. 1989), seeking additional information or consulting trusted colleagues or the IT department.
Building on the EPPM, we argue that perplexed employees engage in adaptive coping only when perceived coping efficacy remains sufficient despite their perplexity. Employees must possess enough security self-efficacy to overcome their confusion and response uncertainty (Rhee et al. 2009) and engage in reflective thought about how to address the threat (Dewey 1997, Rodgers 2002). Perplexed employees who can reflect on the situation and who feel confident about their ability to respond are therefore likely to engage in danger control.
When employees believe that the available countermeasures can mitigate the threat and thus perceive responses as effective, adaptive coping may take the form of help seeking. Discussing remedies with colleagues or elaborating on online guidance for handling the situation also requires adequate self-efficacy, as a participant’s comment illustrated: “I realized I was perplexed when I found myself spending hours researching different DLP solutions and reading articles about data security best practices.” Employees who lack coping efficacy are less likely to seek support, often due to concerns about negative repercussions or threats to their self-image (Milliken et al. 2003). Accordingly, adaptive coping occurs only when coping efficacy outweighs perceived threat, even under conditions of security perplexity.
In contrast, fear control occurs when employees perceive a serious threat but lack sufficient coping efficacy and therefore doubt their ability to alleviate it (Witte 1992, 1994). Employees engaging in fear control do not focus on reducing the threat. Instead, they cope with fear through maladaptive responses. Our observations showed that perplexed participants frequently engaged in emotion-focused coping to regulate discomfort, which did not alter the threatening situation and therefore did not support protection motivation (Lazarus and Folkman 1984). We also observed avoidance-focused coping (Carver et al. 1989), including disengagement, inaction, or unsafe behaviors that violated policy, which was illustrated in comments such as “We trust that incident could pass along” and “I did not follow instructions and created the same password for everyone.” Because confusion, response uncertainty, and urgency undermine coping efficacy, perplexed employees are unable to reduce the threat’s danger and instead rely on emotion- and avoidance-focused coping. These responses often involve rationalizing inaction or downplaying security risks, which relieve the immediate burden of decision-making without resolving the threat. Accordingly, we propose that when coping efficacy is insufficient, security perplexity increases maladaptive coping.
In sum, the discriminant value explains the dual outcomes of security perplexity. Perplexed employees who perceive sufficient coping efficacy are likely to engage in adaptive coping, whereas those who lack coping efficacy are likely to engage in maladaptive coping. Consistent with Hypothesis 2, we also expect perplexed employees to be more likely to engage in fear control than in danger control, because perplexity undermines coping efficacy. Accordingly, we propose the following.
Hypothesis 4a. Among perplexed employees, a positive discriminant value (coping efficacy is greater than perceived threat) predicts danger control (adaptive coping), whereas a negative discriminant value (perceived threat is greater than coping efficacy) predicts fear control (maladaptive coping).
Hypothesis 4b. Perplexed employees are more likely to engage in fear control than in danger control.
4.2. Experimental Design and Manipulation
We conducted an online experiment to examine the role of security perplexity in employees’ coping processes. Following prior ISec research, we used a scenario-based design in which participants assumed the role of a trusted colleague in their organization (Siponen and Vance 2010, Chen et al. 2021). We used a 2 × 2 between-subjects experiment with a control group, manipulating perceived threat (high versus low) and security perplexity (perplexed versus not perplexed). Participants were introduced to the cybersecurity context, informed that the study concerned protecting organizational data and systems, and then completed control measures that assessed their cybersecurity knowledge and security-related chronic stress.
Second, we asked the participants to consider a report of a recent cybersecurity incident presented by their colleague Jamie, an employee of the affected organization. To perform systematic manipulations, we randomly assigned participants to one of two scenarios, each of which was accompanied by a text that described the corresponding incident: (1) an antivirus-software alert (adapted from Boss et al. (2015)) or (2) a data breach resulting from a man-in-the-middle (MITM) attack. Online Appendix C.1.1 presents the texts and examples. We randomly assigned the participants to a treatment or control group.
We designed each of the texts as a fear appeal; they presented information about a threat and a recommended countermeasure (Witte 1992, Lowry et al. 2023). The first paragraph of each text manipulated perceived threat, describing either a high-threat situation (e.g., a ransomware alert or MITM attack that occurred while the employee was working from home) or a low-threat situation (e.g., an adware virus or an MITM attack at an airport). The second paragraph presented a recommended countermeasure, which was held constant across the conditions to avoid confounding coping efficacy. The third paragraph manipulated security perplexity, describing Jamie as either (1) confused, uncertain about how to respond, and under urgent pressure to act or (2) in possession of a clear understanding of the situation and sufficient time to respond. We developed the texts based on prior ISec literature (Schuetz et al. 2021, Lowry et al. 2023) and insights from the study’s early stages. The participants answered comprehension questions and were directed to reread the text if they answered any questions incorrectly.
We then measured the participants’ intentions to perform the recommended action along with their coping responses (task-focused coping, help seeking, and emotion- and avoidance-focused coping), emotional responses (fear, frustration, embarrassment, and strain), threat perceptions, and coping efficacy. We measured perceived strain as an indicator of episodic stress, following prior work (Ayyagari et al. 2011, Nastjuk et al. 2024). Next, we measured security perplexity and situational complexity (Strasheim et al. 2007) and situational incomprehension (MacInnis et al. 2002, Smith et al. 2008) to validate our Stage 1 findings and control for situational conditions. Finally, we collected demographic information and provided the participants with a brief study summary. Online Appendix C.1.2 reports the measurement details. We pretested the experiment and measures with five faculty members and 50 participants.
4.3. Data Collection and Sample Description
We recruited participants via Cint, the same panel provider we used in Stages 1 and 2, and applied three eligibility criteria. Participants were required to reside in the United States, work in the IT industry, and regularly use computers; their computer use had to involve handling sensitive information and exposure to at least low-level cybersecurity threats. We received a total of 978 responses, from which we excluded responses by participants who rushed through the survey, failed multiple attention checks, or exhibited irregular response patterns (Kline 2016). The final sample comprised 645 valid responses. The participants were predominantly male (66.5%), had a mean age of 41 years (range: 20–77), and had worked for their current employer for an average of 8 years. Most participants held an associate’s degree (11%), bachelor’s degree (31%), or master’s degree (38%) and worked as managers (71%), technicians (15%), or professional or administrative staff (14%). The participants reported high cybersecurity knowledge (mean (M) = 5.53, standard deviation (SD) = 1.32; seven-point scale) and frequent handling of sensitive information (M = 3.93, SD = 1.00; five-point scale). The access levels comprised public information (60%), internal information (67%), confidential information (74%), and restricted information (47%). Over half of the sample (52%) held roles related to security management, and the participants reported high involvement in security management activities (M = 5.56, SD = 1.48; seven-point scale). Most had completed security training in the previous year (59%), about one-third of the participants (35.8%) worked from home one or two days per week, and 28% worked from home more than three days per week (23% did not work in a home office).
4.4. Measurement-Model Validation and Hypothesis Testing
We performed preanalyses to evaluate (1) data quality, (2) construct validity and reliability and model fit, (3) model invariance across scenarios, (4) common-method bias, (5) structural differences between participants in the treatment and control groups, and (6) manipulations. Online Appendix C.1.3 provides a detailed account of these analyses. We used SPSS AMOS to compute the latent-factor scores (LFSs), which we used in the analyses of variance (ANOVAs) with which we tested the hypotheses (Chen et al. 2021).
Participants who perceived threat severity as high reported significantly higher security perplexity than those who perceived it as low (F(1, 643) = 10.639, p = 0.001; mean LFS difference = 0.396), supporting Hypothesis 1. Moreover, perplexed participants reported lower coping efficacy than those with low levels of perplexity (F(1, 643) = 83.088, p < 0.001; mean LFS difference = 0.497), supporting Hypothesis 2. In line with Hypothesis 3, a multivariate ANOVA indicated that perplexed participants experienced stronger negative emotional responses than those with low levels of perplexity (F(4, 639) = 145.041, p < 0.001; Wilks’ Λ = 0.524). Our follow-up tests showed significant effects for fear (F(1, 643) = 54.250, p < 0.001; mean LFS difference = 0.937), frustration (F(1, 643) = 272.621, p < 0.001; mean LFS difference = 1.763), embarrassment (F(1, 643) = 160.492, p < 0.001; mean LFS difference = 1.394), and strain defined as an outcome of episodic stress (F(1, 643) = 571.700, p < 0.001; mean LFS difference = 2.258), supporting Hypothesis 3a–Hypothesis 3d.
Following Witte (1994) and Chen et al. (2021), we conducted discriminant analyses to test Hypothesis 4. We classified the participants into danger-control or fear-control groups based on whether their discriminant value was greater than zero or less than or equal to zero, respectively. We calculated the discriminant value using the formula of Witte (1994), which defines the discriminant value as coping efficacy minus perceived threat.
The results showed that perplexed participants with a positive discriminant value engaged more strongly in adaptive coping than those with a negative discriminant value (Figure 4). Specifically, we observed significant differences in help seeking (F(1, 322) = 7.322, p = 0.007; mean LFS difference = 0.297) and task-focused coping (F(1, 322) = 4.848, p = 0.028; mean LFS difference = 0.252). At the same time, perplexed participants with a positive discriminant value engaged in less maladaptive coping, including avoidance-focused coping (F(1, 322) = 27.693, p < 0.001; mean LFS difference = 1.053) and emotion-focused coping (F(1, 322) = 24.213, p < 0.001; mean LFS difference = 0.820), than those with a negative discriminant value. These findings indicated that perplexed participants engaged primarily in danger control when coping efficacy was sufficient, despite their confusion and uncertainty. In contrast, perplexed participants with insufficient coping efficacy engaged primarily in fear control. Further, the mean comparisons showed that even participants engaging in fear control engaged in limited help seeking and that participants engaging in danger control reported low levels of emotion-focused coping (Figure 4). Thus, our results partially supported Hypothesis 4a.

Finally, participants with high security perplexity had a significantly lower discriminant value than those with low perplexity (F(1, 643) = 179.738, p < 0.001; mean difference = 0.463), supporting Hypothesis 4b and indicating that perplexed participants were more likely to engage in fear control than in danger control.
4.5. Post Hoc and Robustness Analyses
To assess robustness, we also applied the alternative discriminant-value formula proposed by Chen et al. (2021). This formula adapts Witte’s traditional formula to the cybersecurity context by using individuals’ feelings of fear instead of their threat perceptions to calculate the discriminant value. The results replicated the primary findings, showing that perplexed participants with a positive discriminant value engaged more strongly in adaptive coping than in maladaptive coping, whereas those with a negative discriminant value engaged more strongly in avoidance-focused coping (Online Appendix C.1.4).
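The classification step used for Hypothesis 4 and the robustness variant described above can be sketched as follows. This is an added example, not the authors' code or data: the scores are constructed stand-ins for latent-factor scores, all function names are hypothetical, and the second formula follows the page's description of the Chen et al. (2021) variant (fear substituted for perceived threat).

```python
"""Discriminant-value classification and one-way ANOVA on constructed scores."""
from statistics import mean

# Constructed sample, NOT study data. Columns: participant id, coping efficacy,
# perceived threat, fear, help seeking (stand-ins for latent-factor scores).
SAMPLE = [
    ("p01", 0.8, 0.2, 0.1, 3.0),
    ("p02", 0.5, 0.1, 0.3, 2.0),
    ("p03", 0.3, -0.2, 0.0, 4.0),
    ("p04", 0.4, 0.4, 0.6, 1.0),   # discriminant value exactly zero (edge case)
    ("p05", -0.2, 0.5, 0.7, 2.0),
    ("p06", -0.5, 0.9, 0.8, 0.0),
    ("p07", 0.2, 0.6, 0.1, 3.0),   # high threat, low fear: group depends on formula
    ("p08", 0.1, 0.3, 0.5, 1.0),
]


def discriminant_value(efficacy, appraisal):
    """Coping efficacy minus the threat-side score (perceived threat or fear)."""
    return efficacy - appraisal


def classify(dv):
    """Greater than zero: danger control. Zero or below: fear control."""
    return "danger_control" if dv > 0 else "fear_control"


def split_groups(rows, use_fear=False):
    """Map each group name to {participant id: outcome score}."""
    groups = {"danger_control": {}, "fear_control": {}}
    for pid, efficacy, threat, fear, outcome in rows:
        dv = discriminant_value(efficacy, fear if use_fear else threat)
        groups[classify(dv)][pid] = outcome
    return groups


def one_way_f(samples):
    """Return (F, df_between, df_within) for a one-way ANOVA."""
    samples = [list(s) for s in samples if len(s) > 0]
    k = len(samples)
    n = sum(len(s) for s in samples)
    if k < 2 or n - k < 1:
        raise ValueError("need at least two non-empty groups and n > k")
    grand = mean(x for s in samples for x in s)
    ss_between = sum(len(s) * (mean(s) - grand) ** 2 for s in samples)
    ss_within = sum((x - mean(s)) ** 2 for s in samples for x in s)
    if ss_within == 0:
        raise ValueError("no within-group variance; F is undefined")
    df_between, df_within = k - 1, n - k
    return (ss_between / df_between) / (ss_within / df_within), df_between, df_within


def analyse(rows, use_fear=False):
    """Classify participants, then compare the outcome between the two groups."""
    groups = split_groups(rows, use_fear)
    danger = list(groups["danger_control"].values())
    fear = list(groups["fear_control"].values())
    f_stat, df_b, df_w = one_way_f([danger, fear])
    return {
        "danger_ids": sorted(groups["danger_control"]),
        "fear_ids": sorted(groups["fear_control"]),
        "mean_difference": mean(danger) - mean(fear),
        "F": f_stat,
        "df": (df_b, df_w),
    }


if __name__ == "__main__":
    for label, use_fear in (("efficacy - threat", False), ("efficacy - fear", True)):
        r = analyse(SAMPLE, use_fear)
        print(f"{label}: danger={r['danger_ids']} fear={r['fear_ids']} "
              f"F({r['df'][0]}, {r['df'][1]}) = {r['F']:.3f}, "
              f"mean difference = {r['mean_difference']:.3f}")
```

In the constructed data, p04 sits exactly at zero and is therefore assigned to fear control, and p07 moves from fear control to danger control when fear replaces perceived threat, which is the kind of reclassification a robustness check with the alternative formula is meant to surface.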
We then used covariance-based structural equation modeling (CB-SEM) to examine the role of security perplexity in the nomological network (Figure 5). The results indicated that threat (β = 0.175, p ≤ 0.001), situational complexity (β = 0.125, p ≤ 0.001), and incomprehension (β = 0.660, p ≤ 0.001) were significant antecedents of perplexity. In turn, perplexity was associated with strong emotional responses, including fear (β = 0.617, p ≤ 0.001), frustration (β = 0.713, p ≤ 0.001), embarrassment (β = 0.520, p ≤ 0.001), and episodic stress measured as strain (β = 0.726, p ≤ 0.001). These findings corroborated the Stage 1 results and provided further evidence that perplexed participants rely heavily on emotion-focused coping when managing frustration, embarrassment, and episodic stress.

We conducted additional robustness analyses to assess the reliability of our findings (Online Appendix C.1.5), including discriminant-validity analysis, model and group comparisons, measurement-invariance tests, and reverse-causality tests. We also surveyed 419 European employees; the survey presented them with a ransomware-attack scenario to gather additional data and assess the empirical distinctness of security perplexity (Online Appendix C.2). These analyses provided further support for (1) the unique value of embedding security perplexity, (2) the empirical distinctness of security perplexity from emotional responses, and (3) the overall pattern of the results.
5. Discussion
5.1. Summary of Findings
Using three stages of empirical research, this study defines and conceptualizes security perplexity as a cognitive state. In Stage 1, we used an inductive qualitative approach complemented by literature and dictionary reviews to conceptualize security perplexity as a superordinate construct with three interdependent yet conflicting dimensions: confusion, response uncertainty, and pressure to act. In Stage 2, we validated a measurement scale comprising four items per dimension. In Stage 3, we developed and tested the research model we used to examine the role of security perplexity in employees’ coping processes.
Across these stages, we examined the experience of participants with diverse roles, from diverse industries, and with varying levels of security responsibility. The results show that perplexed participants engage in adaptive or maladaptive coping depending on their appraisals and emotional responses and that outcomes are shaped by a tipping point at which perceived threat outweighs coping efficacy. We further demonstrate that security perplexity is theoretically and empirically distinct from existing ISec constructs. Taken together, our findings confirm the presence and relevance of security perplexity in cybersecurity contexts.
We note that the ISec literature on protection is based on a shared set of core theories, including the EPPM, PMT, and general deterrence theory, that have been repeatedly refined and extended to explain employees’ cybersecurity behaviors (Moody et al. 2018; Cram et al. 2019, 2021). Although this literature has established a strong foundation, our study extends its core models by introducing security perplexity as a situation-specific phenomenon that reflects employees’ experiences when cybersecurity incidents leave them confused and uncertain about how to respond (Haney and Lutters 2018, Wu et al. 2020, Alshaikh and Adamson 2021, Reeves et al. 2021, Baruwal Chhetri et al. 2024, McKellar et al. 2024). We provide empirical evidence that employees do in fact experience such perplexity in cybersecurity situations. Moreover, existing models leave substantial variance in cybersecurity outcomes unexplained, often between 50% and 70% (D’Arcy et al. 2014, Cram et al. 2021); security perplexity is a theoretically grounded construct that aligns with threat- and coping-appraisal processes and helps explain this residual variance.
5.2. Implications for Research
Our study makes four important research contributions. First, it provides a rigorous conceptualization of security perplexity and a validated scale for measuring it. Drawing on participants’ accounts of adverse cybersecurity situations (Table 3), we identify the phenomenon of security perplexity as an emerging and important topic of inquiry in ISec research. We show that security perplexity arises when employees appraise threats as moderate to high in severity, which in turn disrupts coping appraisal. Consistent with inductive approaches to theorizing in ISec research (Cram et al. 2021), our study establishes a close connection between practical cybersecurity challenges and theory development. In doing so, it demonstrates that inductive research can serve as an entry point for rich and robust theorizing (Grover and Lyytinen 2015) and that security perplexity is a multifaceted construct comprising three interdependent yet conflicting dimensions that jointly create a tense cognitive state.
Second, our results provide clear evidence that security perplexity shapes employees’ coping responses. We show that security perplexity can be a central source of maladaptive security behavior because perplexed employees are likely to experience negative emotions and engage in maladaptive coping. Importantly, we demonstrate that security perplexity is theoretically and empirically distinct from related constructs, such as episodic stress, underscoring its unique role in cybersecurity behavior. These findings highlight the value of studying situational cybersecurity phenomena (Jaeger and Eckhardt 2021) alongside stable individual traits and beliefs (D’Arcy et al. 2014). For example, our Stage 3 results show that security perplexity gives rise to episodic stress, offering insight into how situational cognitive states translate into stress-related behavioral outcomes (Galluch et al. 2015). In sum, incorporating security perplexity into ISec models can increase explanatory and predictive power in studies of employee security behavior.
Third, whereas prior research on adverse work events has emphasized adaptive coping (Chen et al. 2021), we jointly examine adaptive and maladaptive coping responses, as recent ISec research has recommended (Liang et al. 2019, Yazdanmehr et al. 2023). This integrated perspective provides a more complete account of how employees respond to security perplexity and, consistent with research showing that perplexity can have either constructive or detrimental outcomes (Dewey 1997), reveals its dual influence on coping.
Building on the EPPM, we identify a tipping point that determines when security perplexity leads to adaptive coping and when it leads to maladaptive coping. When employees have sufficient coping efficacy, perplexity can facilitate adaptive responses, including task-focused coping and help-seeking behaviors, such as consulting coworkers to resolve perplexing situations. This finding indicates that perplexity can be productive when employees retain confidence in their ability to address the threat.
Our results also show that perplexed employees frequently engage in emotion- and avoidance-focused coping, which can lead to suboptimal cybersecurity behaviors (Liang et al. 2019, Chen et al. 2021). Perplexing situations elicited strong emotional responses, including fear, frustration, embarrassment, and episodic stress, underscoring the importance of maladaptive coping in shaping cybersecurity behavior. By explicitly examining these responses, our study addresses calls in ISec research to broaden attention to emotion-focused coping (Chen et al. 2021) and aligns with work showing that such coping helps explain irrational or counterproductive behavior under adverse security conditions (Liang et al. 2019).
Finally, this study contributes to the limited literature on perplexity by identifying three core dimensions of security perplexity and demonstrating that they jointly create a tense cognitive state, based on an analysis of 430 perplexing work situations. Our study extends educational research that has examined perplexity as a conflict between beliefs (Berlyne 1960) or a task-related experience (Shokeen et al. 2023) by foregrounding the role of pressure, which intensifies the conflict between the desire for resolution and the inability to achieve it. Moreover, we advance educational literature by introducing a tipping-point explanation that specifies when perplexity leads to adaptive outcomes and when it leads to maladaptive outcomes. Although prior research has acknowledged that perplexity has dual outcomes (Dewey 1997, Rodgers 2002), our findings show that in cybersecurity contexts these outcomes depend on the discriminant value between perceived threat and coping efficacy.
5.3. Implications for Practice
Our study has important implications for cybersecurity managers. We show that everyday cybersecurity work is often perplexing for employees, particularly when they face threatening incidents or must implement complex countermeasures. Managers should therefore expect security perplexity to be a recurring organizational challenge. Based on our discriminant analysis and tipping-point logic, we suggest that managers actively address the conditions under which perplexity emerges, given that it can lead to either adaptive or maladaptive outcomes.
First, managers should support accurate security-threat appraisal. Clear and well-calibrated appraisals can reduce the likelihood that employees will become perplexed and pass the tipping point into fear control. During incidents such as data breaches, ransomware attacks, or phishing campaigns, managers can use transparent and timely communication to clarify the nature, severity, and implications of the threat and how to respond. At the same time, managers should avoid overstating risk, because ambiguous or exaggerated threat messages can heighten perceived danger and urgency, increasing employees’ susceptibility to fear and emotional overload (Witte 1992, Witte et al. 1996, D’Arcy et al. 2014).
Second, managers should strengthen employees’ capacities for coping appraisal, particularly their perceptions of response efficacy. Rather than expecting employees to resolve incidents independently, organizations should provide clear procedural guidance, especially when introducing new systems or countermeasures. Because security perplexity is most likely to emerge in situations that are unexpected, incomprehensible, or overwhelming, managers can mitigate it through walkthroughs, hands-on training, and accessible support. Rolling out systems gradually and avoiding abrupt access restrictions can further reduce urgency and cognitive tension (Acquisti et al. 2018). In some contexts, assigning installation or configuration tasks to IT staff rather than end users may also help prevent perplexity among less experienced employees.
Third, organizations should adopt a pause-and-assess principle for incident-response protocols and security training. Our findings show that perplexity often arises when employees feel pressure to act immediately without sufficient situational clarity. Encouraging employees to pause, assess the situation, and seek guidance before acting can reduce emotional escalation and promote adaptive responses. This recommendation aligns with research on security mindfulness, which has demonstrated that mindfulness-based training helps users slow down, improve their situational awareness, and reduce security errors (Jensen et al. 2017). Practical implementations include brief system prompts, decision checklists, and scenario-based training exercises that reinforce this behavior.
Fourth, cybersecurity training and security initiatives should explicitly address how employees manage uncertainty in novel or ambiguous situations. Many programs emphasize threat-detection practices, such as identifying phishing attempts, but provide limited guidance on how to act when a threat is suspected yet unclear. Training should simulate ambiguous scenarios, including multifactor-authentication failures, ransomware warnings, or conflicting system messages, and walk employees through appropriate responses (Jensen et al. 2017). As our findings indicate, employees equipped with strategies to manage perplexity have a strong ability to maintain control and avoid maladaptive coping.
Fifth, managers should take steps to alleviate negative emotional reactions associated with security perplexity. Organizations can provide training on emotion-regulation strategies to help employees manage frustration, strain, and embarrassment in demanding situations (D’Arcy and Teh 2019). Prior research has shown that such strategies can be effective in organizational contexts (Grandey 2000, Gross 2015). A particularly relevant approach is cognitive reappraisal, which involves reframing emotionally charged situations to reduce negative emotional impact.
Sixth, organizations should discourage emotion- and avoidance-focused coping, which can manifest as ignoring security alerts or becoming paralyzed during critical incidents. To avoid these outcomes, managers should promote problem-focused coping by providing structured guidance and easily accessible support channels. As our findings and those of prior research suggest, help seeking is a productive coping strategy that enables employees to resolve uncertainty without disengaging (Shokeen et al. 2023). Cybersecurity communications and training should therefore clearly specify when and how to seek help and normalize help seeking as an appropriate response.
Finally, managers should foster a transparent and supportive security climate. Doing so includes explaining the rationale for security countermeasures, providing guidance on their implementation, and encouraging open discussion of security challenges (Cram et al. 2019). When employees understand the purpose of security protocols, they are more likely to comply and less likely to experience confusion. Accordingly, security education, training, and awareness initiatives should move beyond threat detection and place greater emphasis on countermeasure use and rationale. Managers may also benefit from testing challenging security initiatives with subsets of users to identify points of perplexity and introduce corrective actions, such as additional training or support. Promoting open dialogue among both technical and nontechnical employees can reduce embarrassment, enable early intervention, and strengthen organizational readiness (Liang et al. 2019, Jaeger and Eckhardt 2021).
5.4. Limitations and Future Research
Our study has several limitations, and they suggest avenues for future research. First, our data collection occurred partly during the COVID-19 pandemic, which may have influenced responses in Stages 1 and 2. Second, although we mitigated interpretation bias in the qualitative analysis through researcher triangulation, such bias cannot be fully ruled out. Third, we collected independent and dependent variables simultaneously. Although we implemented procedural and statistical remedies and found no evidence of common-method bias, future research could use longitudinal designs or alternative data sources to strengthen causal inference (Cram et al. 2024). Fourth, we examined employees’ intentions and coping responses rather than observing their behavior directly. Because secure behaviors can require substantial effort, future studies could employ field experiments or behavioral data to triangulate findings (Cram et al. 2019). Finally, in view of differences in populations and scenario framings, we did not test for strict measurement invariance across the samples. Because we conceptualize security perplexity as a situational state, some variation in item interpretation across contexts is expected, but future work could further assess cross-context measurement properties.
Our conceptualization of security perplexity opens several promising avenues for future research. We encourage scholars to further examine the causes of perplexity, building on our framework and the evidence from Stage 3 to deepen the understanding of how and why perplexity emerges in cybersecurity contexts. There is also a need for research that clarifies the relationship between security perplexity and security-related chronic stress, given the mixed findings across Stages 2 and 3. Finally, future studies could compare employees with different security roles and levels of cybersecurity expertise to develop more nuanced insights into the emergence and manifestation of perplexity.
We show that unlike the many cybersecurity phenomena that have predominantly positive or predominantly negative behavioral outcomes (e.g., user irritation; Wu et al. 2020), security perplexity can give rise to both adaptive and maladaptive coping responses. Further research on the dual outcomes of security perplexity could strengthen theory development and help practitioners improve the design of organizational-security interventions. In particular, understanding what enables employees to learn and cope productively in perplexing situations rather than defaulting to maladaptive responses can shed light on why employees enact certain security behaviors and avoid others. We therefore encourage researchers to identify mechanisms that discourage maladaptive coping and foster adaptive responses among perplexed employees, a task that is increasingly important given the rise of adverse cybersecurity situations in the workplace.
6. Conclusion
Using a multistage research approach, this study provides evidence for the existence of security perplexity, its conceptualization as a multidimensional superordinate construct, and its role in a nomological network. We show that security perplexity can prompt not only adaptive cybersecurity behavior but also avoidance- and emotion-focused coping, which undermine effective security action. When perplexity drives maladaptive coping and inattention, it can weaken organizational security efforts. By examining the causes, manifestations, and consequences of security perplexity, our study opens important avenues for behavioral ISec research on its dual role in shaping the security behavior of employees.
Acknowledgments
The authors would like to express their sincere gratitude to the senior editor, associate editor, and the anonymous reviewers for their insightful guidance throughout the review process. Their constructive feedback and thoughtful suggestions have significantly strengthened this research, particularly in refining the integration of security perplexity within the nomological network. The authors also wish to thank Isaiah Messer for his valuable support as an independent coder during the first stage of the coding process.
1 Whereas the coping literature (Lazarus and Folkman 1984) has distinguished between problem-focused and emotion-focused coping, we follow more recent IS research in classifying coping strategies as adaptive or maladaptive (Wang et al. 2017, Chen et al. 2021), because this distinction results in clearer outcome valence: Adaptive coping entails goal-directed, protective responses (e.g., help seeking), whereas maladaptive coping prioritizes the mitigation of emotional discomfort (e.g., avoidance). This classification allows for a more comprehensive and outcome-oriented categorization of security-related coping behaviors, and it remains consistent with the theory of coping.
References
- (2018) Nudges for privacy and security. ACM Comput. Survey 50(3):1–41.
- (2021) From awareness to influence: Toward a model for improving employees’ security behaviour. Personality Ubiquitous Comput. 25(5):829–841.
- (2011) Technostress: Technological antecedents and implications. MIS Quart. 35(4):831–858.
- (1992) The self-regulation of attitudes, intentions, and behavior. Soc. Psych. Quart. 55(2):178–204.
- (2011) Measurement and meaning in information systems and organizational research: Methodological and philosophical foundations. MIS Quart. 35(2):261–292.
- (1999) The role of emotions in marketing. J. Acad. Marketing Sci. 27(2):184–206.
- (2021) Information system security policy noncompliance: The role of situation-specific ethical orientation. Inform. Tech. People 34(1):250–296.
- (2024) Towards human-AI teaming to mitigate alert fatigue in security operations centres. ACM Trans. Internet Tech. 24(3):1–22.
- (2010) The other side of acceptance: Studying the direct and indirect effects of emotions on information technology use. MIS Quart. 34(4):689–710.
- (1989) Frustration-aggression hypothesis: Examination and reformulation. Psych. Bull. 106(1):59–73.
- (1960) Conflict, Arousal, and Curiosity (McGraw-Hill, Columbus, OH).
- (2006) A model for computer frustration: The role of instrumental and dispositional factors on incident, session, and post-session frustration and mood. Comput. Human Behav. 22(6):941–961.
- (2015) What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quart. 39(4):837–864.
- (2006) Using thematic analysis in psychology. Qual. Res. Psych. 3(2):77–101.
- (2016) Fear of the unknown: One fear to rule them all? J. Anxiety Disorders 41:5–21.
- (2007) Anxiety sensitivity and intolerance of uncertainty: Requisites of the fundamental fears? Behav. Res. Therapy 45(10):2307–2316.
- (1989) Assessing coping strategies: A theoretically based approach. J. Personality Soc. Psych. 56(2):267–283.
- (2004) Determining causes and severity of end-user frustration. Internat. J. Human-Comput. Interaction 17(3):333–356.
- (2018) Patchwork of confusion: The cybersecurity coordination problem. J. Cybersecurity 4(1):1–13.
- (2016) Individuals’ internet security perceptions and behaviors: Polycontextual contrasts between the United States and China. MIS Quart. 40(1):205–222.
- (2021) Understanding inconsistent employee compliance with information security policies through the lens of the extended parallel process model. Inform. Systems Res. 32(3):1043–1065.
- (2015) Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory, 4th ed. (SAGE Publications, Thousand Oaks, CA).
- (2024) Time will tell: The case for an idiographic approach to behavioral cybersecurity research. MIS Quart. 48(1):95–136.
- (2019) Seeing the forest and the trees: A meta-analysis of the antecedents to information security policy compliance. MIS Quart. 43(2):525–554.
- (2021) When enough is enough: Investigating the antecedents and consequences of information security fatigue. Inform. Systems J. 31(4):521–549.
- (2019) Predicting employee information security policy compliance on a daily basis: The interplay of security-related stress, emotions, and neutralization. Inform. Management 56(7):103151.
- (2014) Understanding employee responses to stressful information security requirements: A coping perspective. J. Management Inform. Systems 31(2):285–318.
- (1997) How We Think, new edition (Dover Publications, New York).
- (2021) Information systems security research agenda: Exploring the gap between research and practice. J. Strategic Inform. Systems 30(4):1–17.
- (1939) Frustration and Aggression (Yale University Press, New Haven, CT).
- (2000) A meta-analysis of research on protection motivation theory. J. Appl. Soc. Psych. 30(2):407–429.
- Fortinet (2025) Global threat landscape report. Accessed April 5, 2026, https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-landscape-report-2025.pdf.
- (2015) Interrupting the workplace: Examining stressors in an information technology context. J. Assoc. Inform. Systems 16(1):1–47.
- (2024) Employee frustration with information systems: Appraisals and resources. Eur. Management J. 42(3):425–436.
- (2017) User compensation as a data breach recovery action: An investigation of the Sony PlayStation network breach. MIS Quart. 41(3):703–727.
- (2000) Emotion regulation in the workplace: A new way to conceptualize emotional labor. J. Occupational Health Psych. 5(1):95–110.
- (2020) Toward conceptualizing perplexity in cybersecurity: An exploratory study. Proc. Pre-ICIS Workshop Inform. Security Privacy (Association for Information Systems, Atlanta), 1–18.
- (2024) Exploring contrasting effects of trust in organizational security practices and protective structures on employees’ security-related precaution taking. Inform. Systems Res. 35(4):1586–1608.
- (2015) Emotion regulation: Current status and future prospects. Psych. Inquiry 26(1):1–26.
- (2015) New state of play in information systems research: The push to the edges. MIS Quart. 39(2):271–296.
- (2018) “It’s scary…it’s confusing…it’s dull”: How cybersecurity advocates overcome negative perceptions of security. Zurko ME, Lipford HR, Chiasson S, Reeder R, eds. Proc. 14th USENIX Conf. Usable Privacy Security (USENIX Association, Berkeley, CA), 411–425.
- (2022) Agile incident response (AIR): Improving the incident response process in healthcare. Internat. J. Inform. Management 62:102435.
- (2009) Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems 47(2):154–165.
- (2021) Eyes wide open: The role of situational information security awareness for security‐related behaviour. Inform. Systems J. 31(3):429–472.
- (2017) Training to mitigate phishing attacks using mindfulness techniques. J. Management Inform. Systems 34(2):597–626.
- (2023) Understanding employee’s emotional reactions to ISSP compliance: Focus on frustration from security requirements. Behaviour Inform. Tech. 42(13):2093–2110.
- (1997) Embarrassment: Its distinct form and appeasement functions. Psych. Bull. 122(3):250–270.
- (2016) Principles and Practice of Structural Equation Modeling, 4th ed. (Guilford Press, New York).
- (2023) Adopting and integrating cyber-threat intelligence in a commercial organisation. Eur. J. Inform. Systems 32(1):35–51.
- (1991) Emotion and Adaptation (Oxford University Press, Oxford, UK).
- (1984) Stress, Appraisal, and Coping (Springer, Berlin).
- (1994) An alternative approach: The unfolding model of voluntary employee turnover. Acad. Management Rev. 19(1):51–89.
- (2009) Avoidance of information technology threats: A theoretical perspective. MIS Quart. 33(1):71–90.
- (2019) What users do besides problem-focused coping when facing IT security threats: An emotion-focused coping perspective. MIS Quart. 43(2):373–394.
- (1985) Naturalistic Inquiry (Sage Publications, Thousand Oaks, CA).
- (1997) Coping with uncertainty: A naturalistic decision-making analysis. Organ. Behav. Human Decision Processing 69(2):149–163.
- (2023) Examining the differential effectiveness of fear appeals in information security management using two-stage meta-analysis. J. Management Inform. Systems 40(4):1099–1138.
- (2025) Phishing detection in multitasking contexts: The impact of working memory load, goal activation, and message framing cue on detection performance. Eur. J. Inform. Systems 35(1):1–31.
- (2002) Assessing when increased media weight of real-world advertisements helps sales. J. Marketing Res. 39(4):391–407.
- (2011) Construct measurement and validation procedures in MIS and behavioral research: Integrating new and existing techniques. MIS Quart. 35(2):293–334.
- (2015) The effects of technostress and switching stress on discontinued use of social networking services: A study of Facebook use. Inform. Systems J. 25(3):275–308.
- (2024) Digital accumulation behaviours and information management in the workplace: Exploring the tensions between digital data hoarding, organisational culture and policy. Behaviour Inform. Tech. 43(6):1206–1218.
- (2002) Developing and validating trust measures for e-commerce: An integrative typology. Inform. Systems Res. 13(3):334–359.
- (1992) The nature and severity of self-reported embarrassing circumstances. Personality Soc. Psych. Bull. 18(2):190–198.
- (1987) Three types of perceived uncertainty about the environment: State, effect, and response uncertainty. Acad. Management Rev. 12(1):133–143.
- (2003) An exploratory study of employee silence: Issues that employees don’t communicate upward and why. J. Management Stud. 40(6):1453–1476.
- (2023) The threat of offensive AI to organizations. Comput. Security 124:1–23.
- (2018) Toward a unified model of information security policy compliance. MIS Quart. 42(1):285–311.
- (1991) Development of an instrument to measure the perceptions of adopting an information technology innovation. Inform. Systems Res. 2(3):192–222.
- (2024) Enabling cybersecurity incident response agility through dynamic capabilities: The role of real-time analytics. Eur. J. Inform. Systems 33(2):200–220.
- (2024) Integrating and synthesising technostress research: A meta-analysis on technostress creators, outcomes, and IS usage contexts. Eur. J. Inform. Systems 33(3):361–382.
- (2022) A survey on ransomware: Evolution, taxonomy, and defense solutions. ACM Comput. Survey 54(11):1–37.
- (2015) Qualitative Research and Evaluation Methods: Integrating Theory and Practice, 4th ed. (Sage Publications, Thousand Oaks, CA).
- (2019) Information security burnout: Identification of sources and mitigating factors from security demands and resources. J. Inform. Security Appl. 46:96–107.
- (2020) Protecting a whale in a sea of phish. J. Inform. Tech. 35(3):214–231.
- (2024) An empirical investigation of the unintended consequences of vulnerability assessments leading to betrayal. J. Assoc. Inform. Systems 25(4):1079–1116.
- (2004) The persuasiveness of source credibility: A critical review of five decades’ evidence. J. Appl. Soc. Psych. 34(2):243–281.
- (2023) Situational contingencies in susceptibility of social media to phishing: A temptation and restraint model. J. Management Inform. Systems 40(2):503–540.
- (2021) “Get a red-hot poker and open up my eyes, it’s so boring”: Employee perceptions of cybersecurity training. Comput. Security 106:1–13.
- (2009) Self-efficacy in information security: Its influence on end users’ information security practice behavior. Comput. Security 28(8):816–826.
- (2002) Defining reflection: Another look at John Dewey and reflective thinking. Teachers College Rec. 104(4):842–866.
- (1975) A protection motivation theory of fear appeals and attitude change. J. Psych. 91(1):93–114.
- (2001) Avoiding seeking help in the classroom: Who and why? Ed. Psych. Rev. 13(2):93–114.
- (2024) Advancing cybersecurity: A comprehensive review of AI-driven detection techniques. J. Big Data 11(1):1–38.
- (2025) “Complexity is the worst enemy of security”: Studying cybersecurity through the lens of organizational complexity. MIS Quart. 49(1):205–210.
- (2021) Improving the design of information security messages by leveraging the effects of temporal distance and argument nature. J. Assoc. Inform. Systems 22(5):1376–1428.
- (2023) Defining perplexity and reflective thinking in a game-based learning environment. Inform. Learn. Sci. 124(3/4):110–127.
- (2025) Multidisciplinary characterization of embarrassment through behavioral and acoustic modeling. Sci. Rep. 15(1):9643.
- (2010) Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quart. 34(3):487–502.
- (2014) Employees’ adherence to information security policies: An exploratory field study. Inform. Management 51(2):217–224.
- (2008) The impact of advertising creativity on the hierarchy of effects. J. Advertising 37(4):47–61.
- (2008) The brief resilience scale: Assessing the ability to bounce back. Internat. J. Behav. Medicine 15(3):194–200.
- (2012) Decision making under stress: A selective review. Neurosci. Biobehav. Rev. 36(4):1228–1248.
- (2007) Psychometric properties of the Schlinger viewer response profile (VRP): Evidence from a large sample. J. Advertising 36(4):101–114.
- (2019) The technostress trifecta: Techno eustress, techno distress and design: Theoretical directions and an agenda for research. Inform. Systems J. 29(1):6–42.
- (2007) The impact of technostress on role stress and productivity. J. Management Inform. Systems 24(1):301–328.
- (2025) Promoting security behaviors in remote work environments: Personal values shaping information security policy compliance. Inform. Systems Res. 36(2):647–1267.
- (2000) Customer confusion: The mobile phone market. J. Marketing Management 16(1–3):143–163.
- (2022) Do security fear appeals work when they interrupt tasks? A multi-method examination of password strength. MIS Quart. 45(3):1721–1738.
- (2011) Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems 51(3):576–586.
- (2024) Beyond fear and frustration-towards a holistic understanding of emotions in cybersecurity. Kelley PG, Kapadia A, eds. Proc. 20th Sympos. Usable Privacy Security (USENIX Association, Berkeley, CA), 623–642.
- (2017) Coping responses in phishing detection: An investigation of antecedents and consequences. Inform. Systems Res. 28(2):378–396.
- (2017) Grounded theory methodology in information systems research. MIS Quart. 41(3):685–701.
- (1992) Putting the fear back into fear appeals: The extended parallel process model. Comm. Monographs 59(4):329–349.
- (1994) Fear control and danger control: A test of the extended parallel process model (EPPM). Comm. Monographs 61(2):113–134.
- (1996) Fear as motivator, fear as inhibitor. Andersen PA, Guerrero LK, eds. Handbook of Communication and Emotion: Research, Theory, Applications, and Contexts (Elsevier, Amsterdam), 423–450.
- (1996) Predicting risk behaviors: Development and validation of a diagnostic scale. J. Health Comm. 1(4):317–341.
- World Economic Forum (2025) Global cybersecurity outlook 2025. Accessed April 5, 2026, https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2025.pdf.
- (2023) Phishing susceptibility in context: A multilevel information processing perspective on deception detection. MIS Quart. 47(2):803–832.
- (2012) Operationalizing multidimensional constructs in structural equation modeling: Recommendations for IS research. Comm. Assoc. Inform. Systems 30:367–412.
- (2020) Effects of the design of mobile security notifications and mobile app usability on users’ security perceptions and continued-use intention. Inform. Management 57(5):103235.
- (2022) Time pressure changes how people explore and respond to uncertainty. Sci. Rep. 12(1):1–14.
- (2023) Does stress reduce violation intention? Insights from eustress and distress processes on employee reaction to information security policies. Eur. J. Inform. Systems 32(6):1033–1051.
- (2025) Dealing with uncertainty in cybersecurity decision support. Comput. Security 148:104153.
Sebastian Lins is the chair of information systems, especially enterprise systems and platforms, at the University of Kassel. He received his PhD from the University of Cologne. His primary research interests are the responsible use of trustworthy information systems. His work has been published in international journals, including Information Systems Research, Journal of the Association for Information Systems, and ACM Computing Surveys, as well as in international conference proceedings.
Malte Greulich holds a PhD in information systems from the Karlsruhe Institute of Technology. His research interests include the role of trust in information security, as well as understanding the effectiveness of information security measures in organizations. His work has been published in international journals such as Information Systems Research and conferences like the International Conference on Information Systems.
Daniel A. Pienta is an associate professor in the Department of Accounting and Information Management, the Reagan Professor of Business, and a research fellow of the Neel Corporate Governance Center at the University of Tennessee, Knoxville, Haslam College of Business. His research interests include information security and privacy. His research appears in MIS Quarterly, Information Systems Research, and Journal of the Association for Information Systems.
Jason Bennett Thatcher is the Tandean Rustandy esteemed endowed chair in the Leeds School of Business at the University of Colorado Boulder. He received degrees from the University of Utah and Florida State University. His work appears in Information Systems Research and MIS Quarterly. He is a past senior editor of Information Systems Research.
Ali Sunyaev is a professor at the Technical University of Munich, Germany. His research includes the multifaceted use contexts of digital technologies and research on human behavior affecting information technology applications. He devotes himself to the advancement of theory and applications in this area. His research appears in such journals as Information Systems Research and Journal of the Association for Information Systems. His work has been featured in a variety of media outlets.

