Help
Cart
Skip main navigation

Available Issues

April 10, 2013 - April 2, 2026

Available Issues

April 10, 2013 - April 2, 2026

The Impact of Threatening Cybersecurity Situations on Employees: A Conceptualization of Security Perplexity

Published Online:2 Jun 2026https://doi.org/10.1287/isre.2023.0626

References

  • Acquisti A, Adjerid I, Balebako R, Brandimarte L, Cranor LF, Komanduri S, Leon PG, et al. (2018) Nudges for privacy and security. ACM Comput. Survey 50(3):1–41.CrossrefGoogle Scholar
  • Alshaikh M, Adamson B (2021) From awareness to influence: Toward a model for improving employees’ security behaviour. Personality Ubiquitous Comput. 25(5):829–841.CrossrefGoogle Scholar
  • Ayyagari R, Grover V, Purvis RL (2011) Technostress: Technological antecedents and implications. MIS Quart. 35(4):831–858.CrossrefGoogle Scholar
  • Bagozzi RP (1992) The self-regulation of attitudes, intentions, and behavior. Soc. Psych. Quart. 55(2):178–204.CrossrefGoogle Scholar
  • Bagozzi RP (2011) Measurement and meaning in information systems and organizational research: Methodological and philosophical foundations. MIS Quart. 35(2):261–292.CrossrefGoogle Scholar
  • Bagozzi RP, Gopinath M, Nyer PU (1999) The role of emotions in marketing. J. Acad. Marketing Sci. 27(2):184–206.CrossrefGoogle Scholar
  • Bansal G, Muzatko S, Shin SI (2021) Information system security policy noncompliance: The role of situation-specific ethical orientation. Inform. Tech. People 34(1):250–296.CrossrefGoogle Scholar
  • Baruwal Chhetri M, Tariq S, Singh R, Jalalvand F, Paris C, Nepal S (2024) Towards human-AI teaming to mitigate alert fatigue in security operations centres. ACM Trans. Internet Tech. 24(3):1–22.CrossrefGoogle Scholar
  • Beaudry A, Pinsonneault A (2010) The other side of acceptance: Studying the direct and indirect effects of emotions on information technology use. MIS Quart. 34(4):689–710.CrossrefGoogle Scholar
  • Berkowitz L (1989) Frustration-aggression hypothesis: Examination and reformulation. Psych. Bull. 106(1):59–73.CrossrefGoogle Scholar
  • Berlyne DE (1960) Conflict, Arousal, and Curiosity (McGraw-Hill, Columbus, OH).CrossrefGoogle Scholar
  • Bessière K, Newhagen JE, Robinson JP, Shneiderman B (2006) A model for computer frustration: The role of instrumental and dispositional factors on incident, session, and post-session frustration and mood. Comput. Human Behav. 22(6):941–961.CrossrefGoogle Scholar
  • Boss SR, Galletta DF, Lowry PB, Moody GD, Polak P (2015) What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quart. 39(4):837–864.CrossrefGoogle Scholar
  • Braun V, Clarke V (2006) Using thematic analysis in psychology. Qual. Res. Psych. 3(2):77–101.CrossrefGoogle Scholar
  • Carleton RN (2016) Fear of the unknown: One fear to rule them all? J. Anxiety Disorders 41:5–21.CrossrefGoogle Scholar
  • Carleton RN, Sharpe D, Asmundson GJG (2007) Anxiety sensitivity and intolerance of uncertainty: Requisites of the fundamental fears? Behav. Res. Therapy 45(10):2307–2316.CrossrefGoogle Scholar
  • Carver CS, Scheier MF, Weintraub JK (1989) Assessing coping strategies: A theoretically based approach. J. Personality Soc. Psych. 56(2):267–283.CrossrefGoogle Scholar
  • Ceaparu I, Lazar J, Bessiere K, Robinson J, Shneiderman B (2004) Determining causes and severity of end-user frustration. Internat. J. Human-Comput. Interaction 17(3):333–356.CrossrefGoogle Scholar
  • Chaudhary T, Jordan J, Salomone M, Baxter P (2018) Patchwork of confusion: The cybersecurity coordination problem. J. Cybersecurity 4(1):1–13.CrossrefGoogle Scholar
  • Chen Y, Zahedi FM (2016) Individuals’ internet security perceptions and behaviors: Polycontextual contrasts between the United States and China. MIS Quart. 40(1):205–222.CrossrefGoogle Scholar
  • Chen Y, Galletta D, Lowry PB, Luo X, Moody GD, Willison RL (2021) Understanding inconsistent employee compliance with information security policies through the lens of the extended parallel process model. Inform. Systems Res. 32(3):1043–1065.LinkGoogle Scholar
  • Corbin J, Strauss A (2015) Basics of Qualitative Research: Techniques and Procedures for Developing Grounded Theory, 4th ed. (SAGE Publications, Thousand Oaks, CA).Google Scholar
  • Cram WA, D’Arcy J, Benlian A (2024) Time will tell: The case for an idiographic approach to behavioral cybersecurity research. MIS Quart. 48(1):95–136.CrossrefGoogle Scholar
  • Cram WA, D’Arcy J, Proudfoot JG (2019) Seeing the forest and the trees: A meta-analysis of the antecedents to information security policy compliance. MIS Quart. 43(2):525–554.CrossrefGoogle Scholar
  • Cram WA, Proudfoot JG, D’Arcy J (2021) When enough is enough: Investigating the antecedents and consequences of information security fatigue. Inform. Systems J. 31(4):521–549.CrossrefGoogle Scholar
  • D’Arcy J, Teh P-L (2019) Predicting employee information security policy compliance on a daily basis: The interplay of security-related stress, emotions, and neutralization. Inform. Management 56(7):103151.CrossrefGoogle Scholar
  • D’Arcy J, Herath T, Shoss MK (2014) Understanding employee responses to stressful information security requirements: A coping perspective. J. Management Inform. Systems 31(2):285–318.CrossrefGoogle Scholar
  • Dewey J (1997) How We Think, new edition (Dover Publications, New York).Google Scholar
  • Dhillon G, Smith K, Dissanayaka I (2021) Information systems security research agenda: Exploring the gap between research and practice. J. Strategic Inform. Systems 30(4):1–17.CrossrefGoogle Scholar
  • Dollard J, Miller NE, Doob LW, Mowrer OH, Sears RR (1939) Frustration and Aggression (Yale University Press, New Haven, CT).CrossrefGoogle Scholar
  • Floyd DL, Prentice-Dunn S, Rogers RW (2000) A meta-analysis of research on protection motivation theory. J. Appl. Soc. Psych. 30(2):407–429.CrossrefGoogle Scholar
  • Fortinet (2025) Global threat landscape report. Accessed April 5, 2026, https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-landscape-report-2025.pdf.Google Scholar
  • Galluch P, Grover V, Thatcher JB (2015) Interrupting the workplace: Examining stressors in an information technology context. J. Assoc. Inform. Systems 16(1):1–47.Google Scholar
  • González-Gómez HV, Hudson S (2024) Employee frustration with information systems: Appraisals and resources. Eur. Management J. 42(3):425–436.Google Scholar
  • Goode S, Hoehle H, Venkatesh V, Brown SA (2017) User compensation as a data breach recovery action: An investigation of the Sony PlayStation network breach. MIS Quart. 41(3):703–727.CrossrefGoogle Scholar
  • Grandey AA (2000) Emotion regulation in the workplace: A new way to conceptualize emotional labor. J. Occupational Health Psych. 5(1):95–110.CrossrefGoogle Scholar
  • Greulich M, Lins S, Pienta D, Thatcher JB, Sunyaev A (2020) Toward conceptualizing perplexity in cybersecurity: An exploratory study. Proc. Pre-ICIS Workshop Inform. Security Privacy (Association for Information Systems, Atlanta), 1–18.Google Scholar
  • Greulich M, Lins S, Pienta D, Thatcher JB, Sunyaev A (2024) exploring contrasting effects of trust in organizational security practices and protective structures on employees’ security-related precaution taking. Inform. Systems Res. 35(4):1586–1608.LinkGoogle Scholar
  • Gross JJ (2015) Emotion regulation: Current status and future prospects. Psych. Inquiry 26(1):1–26.CrossrefGoogle Scholar
  • Grover V, Lyytinen K (2015) New state of play in information systems research: The push to the edges. MIS Quart. 39(2):271–296.CrossrefGoogle Scholar
  • Haney JM, Lutters WG (2018) “It’s scary…it’s confusing…it’s dull”: How cybersecurity advocates overcome negative perceptions of security. Zurko ME, Lipford HR, Chiasson S, Reeder R, eds. Proc. 14th USENIX Conf. Usable Privacy Security (USENIX Association, Berkeley, CA), 411–425.Google Scholar
  • He Y, Zamani ED, Lloyd S, Luo C (2022) Agile incident response (AIR): Improving the incident response process in healthcare. Internat. J. Inform. Management 62:102435.Google Scholar
  • Herath T, Rao HR (2009) Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems 47(2):154–165.CrossrefGoogle Scholar
  • Jaeger L, Eckhardt A (2021) Eyes wide open: The role of situational information security awareness for security‐related behaviour. Inform. Systems J. 31(3):429–472.CrossrefGoogle Scholar
  • Jensen ML, Dinger M, Wright RT, Thatcher JB (2017) Training to mitigate phishing attacks using mindfulness techniques. J. Management Inform. Systems 34(2):597–626.CrossrefGoogle Scholar
  • Jeon S, Son I, Han J (2023) Understanding employee’s emotional reactions to ISSP compliance: Focus on frustration from security requirements. Behaviour Inform. Tech. 42(13):2093–2110.CrossrefGoogle Scholar
  • Keltner D, Buswell BN (1997) Embarrassment: Its distinct form and appeasement functions. Psych. Bull. 122(3):250–270.CrossrefGoogle Scholar
  • Kline RB (2016) Principles and Practice of Structural Equation Modeling, 4th ed. (Guilford Press, New York).Google Scholar
  • Kotsias J, Ahmad A, Scheepers R (2023) Adopting and integrating cyber-threat intelligence in a commercial organisation. Eur. J. Inform. Systems 32(1):35–51.CrossrefGoogle Scholar
  • Lazarus RS (1991) Emotion and Adaptation (Oxford University Press, Oxford, UK).CrossrefGoogle Scholar
  • Lazarus RS, Folkman S (1984) Stress, Appraisal, and Coping (Springer, Berlin). Google Scholar
  • Lee TW, Mitchell TR (1994) An alternative approach: The unfolding model of voluntary employee turnover. Acad. Management Rev. 19(1):51–89.CrossrefGoogle Scholar
  • Liang H, Xue Y (2009) Avoidance of information technology threats: A theoretical perspective. MIS Quart. 33(1):71–90.CrossrefGoogle Scholar
  • Liang H, Xue Y, Pinsonneault A, Wu Y (2019) What users do besides problem-focused coping when facing IT security threats: An emotion-focused coping perspective. MIS Quart. 43(2):373–394.CrossrefGoogle Scholar
  • Lincoln YS, Guba EG (1985) Naturalistic Inquiry (Sage Publications, Thousand Oaks, CA).CrossrefGoogle Scholar
  • Lipshitz R, Strauss O (1997) Coping with uncertainty: A naturalistic decision-making analysis. Organ. Behav. Human Decision Processing 69(2):149–163.CrossrefGoogle Scholar
  • Lowry PB, Moody GD, Parameswaran S, Brown NJ (2023) Examining the differential effectiveness of fear appeals in information security management using two-stage meta-analysis. J. Management Inform. Systems 40(4):1099–1138.CrossrefGoogle Scholar
  • Lu X, Jiang J, Head M, Yang J (2025) Phishing detection in multitasking contexts: The impact of working memory load, goal activation, and message framing cue on detection performance. Eur. J. Inform. Systems 35(1):1–31.Google Scholar
  • MacInnis DJ, Rao AG, Weiss AM (2002) Assessing when increased media weight of real-world advertisements helps sales. J. Marketing Res. 39(4):391–407.CrossrefGoogle Scholar
  • MacKenzie SB, Podsakoff PM, Podsakoff NP (2011) Construct measurement and validation procedures in MIS and behavioral research: Integrating new and existing techniques. MIS Quart. 35(2):293–334.CrossrefGoogle Scholar
  • Maier C, Laumer S, Weinert C, Weitzel T (2015) The effects of technostress and switching stress on discontinued use of social networking services: A study of Facebook use. Inform. Systems J. 25(3):275–308.CrossrefGoogle Scholar
  • McKellar K, Sillence E, Neave N, Briggs P (2024) Digital accumulation behaviours and information management in the workplace: Exploring the tensions between digital data hoarding, organisational culture and policy. Behaviour Inform. Tech. 43(6):1206–1218.CrossrefGoogle Scholar
  • McKnight DH, Choudhury V, Kacmar C (2002) Developing and validating trust measures for e-commerce: An integrative typology. Inform. Systems Res. 13(3):334–359.LinkGoogle Scholar
  • Miller RS (1992) The nature and severity of self-reported embarrassing circumstances. Personality Soc. Psych. Bull. 18(2):190–198.CrossrefGoogle Scholar
  • Milliken FJ (1987) Three types of perceived uncertainty about the environment: State, effect, and response uncertainty. Acad. Management Rev. 12(1):133–143.CrossrefGoogle Scholar
  • Milliken FJ, Morrison EW, Hewlin PF (2003) An exploratory study of employee silence: Issues that employees don’t communicate upward why. J. Management Stud. 40(6):1453–1476.CrossrefGoogle Scholar
  • Mirsky Y, Demontis A, Kotak J, Shankar R, Gelei D, Yang L, Zhang X, et al. (2023) The threat of offensive AI to organizations. Comput. Security 124:1–23.CrossrefGoogle Scholar
  • Moody GD, Siponen M, Pahnila S (2018) Toward a unified model of information security policy compliance. MIS Quart. 42(1):285–311.CrossrefGoogle Scholar
  • Moore GC, Benbasat I (1991) Development of an instrument to measure the perceptions of adopting an information technology innovation. Inform. Systems Res. 2(3):192–222.LinkGoogle Scholar
  • Naseer H, Desouza K, Maynard SB, Ahmad A (2024) Enabling cybersecurity incident response agility through dynamic capabilities: The role of real-time analytics. Eur. J. Inform. Systems 33(2):200–220.CrossrefGoogle Scholar
  • Nastjuk I, Trang S, Grummeck-Braamt J-V, Adam MTP, Tarafdar M (2024) Integrating and synthesising technostress research: A meta-analysis on technostress creators, outcomes, and IS usage contexts. Eur. J. Inform. Systems 33(3):361–382.CrossrefGoogle Scholar
  • Oz H, Aris A, Levi A, Uluagac AS (2022) A survey on ransomware: Evolution, taxonomy, and defense solutions. ACM Comput. Survey 54(11):1–37.CrossrefGoogle Scholar
  • Patton MQ (2015) Qualitative Research and Evaluation Methods: Integrating Theory and Practice, 4th ed. (Sage Publications, Thousand Oaks, CA).Google Scholar
  • Pham HC, Brennan L, Furnell S (2019) Information security burnout: Identification of sources and mitigating factors from security demands and resources. J. Inform. Security Appl. 46:96–107.Google Scholar
  • Pienta D, Thatcher JB, Johnston A (2020) Protecting a whale in a sea of phish. J. Inform. Tech. 35(3):214–231.CrossrefGoogle Scholar
  • Pienta D, Thatcher JB, Wright RT, Roth PL (2024) An empirical investigation of the unintended consequences of vulnerability assessments leading to betrayal. J. Assoc. Inform. Systems 25(4):1079–1116.Google Scholar
  • Pornpitakpan C (2004) The persuasiveness of source credibility: A critical review of five decades’ evidence. J. Appl. Soc. Psych. 34(2):243–281.CrossrefGoogle Scholar
  • Qahri-Saremi H, Turel O (2023) Situational contingencies in susceptibility of social media to phishing: A temptation and restraint model. J. Management Inform. Systems 40(2):503–540.CrossrefGoogle Scholar
  • Reeves A, Calic D, Delfabbro P (2021) “Get a red-hot poker and open up my eyes, it’s so boring”: Employee perceptions of cybersecurity training. Comput. Security 106:1–13.CrossrefGoogle Scholar
  • Rhee H-S, Kim C, Ryu YU (2009) Self-efficacy in information security: Its influence on end users’ information security practice behavior. Comput. Security 28(8):816–826.CrossrefGoogle Scholar
  • Rodgers C (2002) Defining reflection: Another look at John Dewey and reflective thinking. Teachers College Rec. 104(4):842–866.CrossrefGoogle Scholar
  • Rogers RW (1975) A protection motivation theory of fear appeals and attitude change. J. Psych. 91(1):93–114.CrossrefGoogle Scholar
  • Ryan AM, Pintrich PR, Midgley C (2001) Avoiding seeking help in the classroom: Who and why? Ed. Psych. Rev. 13(2):93–114.CrossrefGoogle Scholar
  • Salem AH, Azzam SM, Emam OE, Abohany AA (2024) Advancing cybersecurity: A comprehensive review of AI-driven detection techniques. J. Big Data 11(1):1–38.CrossrefGoogle Scholar
  • Schneier B, Vance A (2025) “Complexity is the worst enemy of security”: Studying cybersecurity through the lens of organizational complexity. MIS Quart. 49(1):205–210.CrossrefGoogle Scholar
  • Schuetz SW, Lowry PB, Pienta D, Thatcher JB (2021) Improving the design of information security messages by leveraging the effects of temporal distance and argument nature. J. Assoc. Inform. Systems 22(5):1376–1428.Google Scholar
  • Shokeen E, Weintrop D, Pellicone AJ, Moon PF, Ketelhut D, Cukier M, Plane JD (2023) Defining perplexity and reflective thinking in a game-based learning environment. Inform. Learn. Sci. 124(3/4):110–127.CrossrefGoogle Scholar
  • Šipka D, Vlasenko B, Stein M, Dierks T, Magimai-Doss M, Morishima Y (2025) Multidisciplinary characterization of embarrassment through behavioral and acoustic modeling. Sci. Rep. 15(1):9643.CrossrefGoogle Scholar
  • Siponen M, Vance A (2010) Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quart. 34(3):487–502.CrossrefGoogle Scholar
  • Siponen M, Mahmood MA, Pahnila S (2014) Employees’ adherence to information security policies: An exploratory field study. Inform. Management 51(2):217–224.CrossrefGoogle Scholar
  • Smith RE, Chen J, Yang X (2008) The impact of advertising creativity on the hierarchy of effects. J. Advertising 37(4):47–61.CrossrefGoogle Scholar
  • Smith BW, Dalen J, Wiggins K, Tooley E, Christopher P, Bernard J (2008) The brief resilience scale: Assessing the ability to bounce back. Internat. J. Behav. Medicine 15(3):194–200.CrossrefGoogle Scholar
  • Starcke K, Brand M (2012) Decision making under stress: A selective review. Neurosci. Biobehav. Rev. 36(4):1228–1248.CrossrefGoogle Scholar
  • Strasheim A, Pitt L, Caruana A (2007) Psychometric properties of the Schlinger viewer response profile (VRP): Evidence from a large sample. J. Advertising 36(4):101–114.CrossrefGoogle Scholar
  • Tarafdar M, Cooper CL, Stich J-F (2019) The technostress trifecta: Techno eustress, techno distress and design: Theoretical directions and an agenda for research. Inform. Systems J. 29(1):6–42.CrossrefGoogle Scholar
  • Tarafdar M, Tu Q, Ragu-Nathan BS, Ragu-Nathan TS (2007) The impact of technostress on role stress and productivity. J. Management Inform. Systems 24(1):301–328.CrossrefGoogle Scholar
  • Torres CI, Crossler RE (2025) Promoting security behaviors in remote work environments: Personal values shaping information security policy compliance. Inform. Systems Res. 36(2):647–1267.LinkGoogle Scholar
  • Turnbull PW, Leek S, Ying G (2000) Customer confusion: The mobile phone market. J. Marketing Management 16(1–3):143–163.Google Scholar
  • Vance A, Eargle D, Eggett D, Straub D, Ouimet K (2022) Do security fear appeals work when they interrupt tasks? A multi-method examination of password strength. MIS Quart. 45(3):1721–1738.CrossrefGoogle Scholar
  • Vishwanath A, Herath T, Chen R, Wang J, Rao HR (2011) Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems 51(3):576–586.CrossrefGoogle Scholar
  • von Preuschen A, Schuhmacher MC, Zimmermann V (2024) Beyond fear and frustration-towards a holistic understanding of emotions in cybersecurity. Kelley PG, Kapadia A, eds. Proc. 20th Sympos. Usable Privacy Security (USENIX Association, Berkeley, CA), 623–642.Google Scholar
  • Wang J, Li Y, Rao HR (2017) Coping responses in phishing detection: An investigation of antecedents and consequences. Inform. Systems Res. 28(2):378–396.LinkGoogle Scholar
  • Wiesche M, Jurisch MC, Yetton PW, Krcmar H (2017) Grounded theory methodology in information systems research. MIS Quart. 41(3):685–701.CrossrefGoogle Scholar
  • Witte K (1992) Putting the fear back into fear appeals: The extended parallel process model. Comm. Monographs 59(4):329–349.CrossrefGoogle Scholar
  • Witte K (1994) Fear control and danger control: A test of the extended parallel process model (EPPM). Comm. Monographs 61(2):113–134.CrossrefGoogle Scholar
  • Witte K (1996) Fear as motivator, fear as inhibitor. Andersen PA, Guerrero LK, eds. Handbook of Communication and Emotion: Research, Theory, Applications, and Contexts (Elsevier, Amsterdam), 423–450.CrossrefGoogle Scholar
  • Witte K, Cameron KA, McKeon JK, Berkowitz JM (1996) Predicting risk behaviors: Development and validation of a diagnostic scale. J. Health Comm. 1(4):317–341.CrossrefGoogle Scholar
  • World Economic Forum (2025) Global cybersecurity outlook 2025. Accessed April 5, 2026, https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2025.pdf.Google Scholar
  • Wright RT, Johnson S, Kitchens B (2023) Phishing susceptibility in context: A multilevel information processing perspective on deception detection. MIS Quart. 47(2):803–832.CrossrefGoogle Scholar
  • Wright RT, Campbell DE, Thatcher JB, Roberts N (2012) Operationalizing multidimensional constructs in structural equation modeling: Recommendations for IS research. Comm. Assoc. Inform. Systems 30:367–412.Google Scholar
  • Wu D, Moody GD, Zhang J, Lowry PB (2020) Effects of the design of mobile security notifications and mobile app usability on users’ security perceptions and continued-use intention. Inform. Management 57(5):103235.CrossrefGoogle Scholar
  • Wu CM, Schulz E, Pleskac TJ, Speekenbrink M (2022) Time pressure changes how people explore and respond to uncertainty. Sci. Rep. 12(1):1–14.Google Scholar
  • Yazdanmehr A, Li Y, Wang J (2023) Does stress reduce violation intention? Insights from eustress and distress processes on employee reaction to information security policies. Eur. J. Inform. Systems 32(6):1033–1051.CrossrefGoogle Scholar
  • Zhang Y, Malacaria P (2025) Dealing with uncertainty in cybersecurity decision support. Comput. Security 148:104153.CrossrefGoogle Scholar
Back to Top
Next
INFORMS site uses cookies to store information on your computer. Some are essential to make our site work; Others help us improve the user experience. By using this site, you consent to the placement of these cookies. Please read our Privacy Statement to learn more.
Agree