Time Will Tell: The Case for an Idiographic Approach to Behavioral Cybersecurity Research
Authors: Cram, W. Alec; D’Arcy, John; Benlian, Alexander
Journal: MIS Quarterly (2024)
<jats:p>Many of the theories used in behavioral cybersecurity research have been applied with a nomothetic approach, which is characterized by cross-sectional data (e.g., one-time surveys) that identify patterns across a population of individuals. Although this can provide valuable between-person, point-in-time insights (e.g., employees who use neutralization techniques, such as denying responsibility for cybersecurity policy violations, tend to comply less), it is unable to reveal within-person patterns that account for varying experiences and situations over time. This paper articulates why an idiographic approach, which undertakes a within-person analysis of longitudinal data, can: (1) help validate widely used theories in behavioral cybersecurity research that imply patterns of behavior within a given person over time and (2) provide distinct theoretical insights on behavioral cybersecurity phenomena by accounting for such within-person patterns. To these ends, we apply an idiographic approach to an established theory in behavioral cybersecurity research—neutralization theory—and empirically test a within-person variant of this theory using a four-week experience sampling stud…