CCE Theses and Dissertations

Date of Award


Document Type


Degree Name

Doctor of Philosophy (PhD)


College of Computing and Engineering


Ling Wang

Committee Member

Wei Li

Committee Member

Inkyoung Hur


cybersecurity, information security, partial least square, protection motivation theory, social engineering, user behavior


User behavior is one of the most significant information security risks. Information Security is all about being aware of who and what to trust and behaving accordingly. Due to technology becoming an integral part of nearly everything in people's daily lives, the organization's need for protection from security threats has continuously increased. Social engineering is the act of tricking a user into revealing information or taking action. One of the riskiest aspects of social engineering is that it depends mainly upon user errors and is not necessarily a technology shortcoming. User behavior should be one of the first apprehensions when it comes to social engineering. Unfortunately, there are few specific studies to understand factors that affect users' information security protection behavior towards social engineering breaches.

The focus of the information security literature is shifting from technology to user behavior in recent times. SETA (Security Education Training Awareness) program aids organizations in teaching their users about information security issues and expectations to prevent information security breaches. Information security policies depict the rules and regulations that everyone must follow utilizing an organization's information technology resources. This research study used Protection Motivation Theory (PMT) combined with the SETA program and security policies to determine factors that affect users' information security protection behavior towards social engineering breaches. This research study was an empirical and quantitative study to congregate data utilizing a web survey and PLS-SEM (Partial Least Squares Structural Equation Modeling) technique. As a result, the research study supported all three hypotheses associated with fear, including a positive impact of perceived severity on fear, perceived vulnerability on fear, and fear on protection motivation. Moreover, the research study substantiated the positive impact of perceived severity, perceived vulnerability, and response efficacy on protection motivation. Furthermore, the research study also confirmed the positive impact of protection motivation and the SETA program on protection behavior.

The findings of this research study derived that, unswerving with the literature, social engineering has arisen as one of the biggest threats in information security. This research study explored factors impacting users' information security protection behavior towards social engineering breaches. Support of all hypotheses for fear appeal is a substantial contribution in view of a lesser-researched fear appeal in preceding research using PMT. This research study provided the groundwork for encouraging and nurturing users' information security protection behavior to prevent social engineering breaches. Finally, this research study contributes to the increasing phenomenon of social engineering in practice and future research.