Reconsidering neutralization techniques in behavioral cybersecurity as cybersecurity hygiene discounting

Abstract

Neutralization Theory (NT), with its popular neutralization techniques, have been established as a major framework to explain or predict cybersecurity policy noncompliance by users. NT states that people anticipating the perpetration of a norm violation activity will excuse their behaviors through self-talk justifications (neutralization) to avoid guilt and shame. NT's appeal for cybersecurity is obvious. One can easily imagine users justifying noncompliance by neutralizing the negative outcomes of their behavior. NT, as originally formulated, assumed that guilt and shame were the exclusive outcomes of anticipated transgressions. However, in the cybersecurity context, the role of guilt and shame as the sole motivators of neutralization excuses is debatable. We argue that users may be motivated by other factors (e.g., fear, boredom, concern for efficiency) in neutralizing that could be causally more relevant in predicting noncompliance behavior in cybersecurity. What holds value for behavioral cybersecurity, we argue, is the general mechanism of NT, the process of neutralizing the impact of an anticipated negative outcome on the decision to move forward (or not) with noncompliance. We call for decoupling the general mechanism of NT (e.g., neutralizing) from the criminologically identified motivations for engaging in NT (e.g., guilt and shame). In doing so, we put forward a behavioral cybersecurity security version of NT – cybersecurity hygiene discounting – and suggest four streams of research.