IS Theory

Protection Motivation Theory Is Trapped in Cybersecurity

PMT shows up in seven of my posts, all about security. A theory about threat and coping appraisal should apply far beyond phishing.

2026-05-20 · 5 min read IS TheoryTechnology AdoptionTrust & Security

I counted the other day. Protection Motivation Theory shows up in seven posts on this blog, and every single one is about cybersecurity. Phishing. Ransomware. Security training. Preemptive defense. Healthcare breach persistence. AI safety fear control. That is not a coincidence. The IS field has filed PMT under security behavior and left it there, and I think that is a waste of a theory that explains far more than password hygiene.

Rogers (1975, 1983) built PMT around two appraisal processes that run in parallel. Threat appraisal asks how severe a danger is and how vulnerable I am to it. Coping appraisal asks whether the recommended response will actually work and whether I can pull it off. Fear motivates protective behavior only when both appraisals are strong. High threat with low coping produces defensive avoidance, not action. This mechanism is general. It applies to any situation where a person perceives a threat, evaluates a response, and decides whether to act. The reason it has been confined to IS security is not because the theory is narrow. It is because the field is lazy about moving constructs across domains.

Moody et al. (2018) made this confinement explicit. Their unified model of information security policy compliance integrated eleven theories, including protection motivation, deterrence, neutralization, planned behavior, and self-regulation. All of them were tested against security policy compliance. None of them were tested against AI adoption resistance, technology rejection in professional settings, or climate-related behavioral change. The model is a genuine contribution for understanding why employees violate security rules, but it also reinforces a boundary. PMT becomes the theory you reach for when the dependent variable is antivirus installation or password policy adherence. The moment the question shifts to why doctors resist a better diagnostic AI, or why experienced accountants refuse to switch to a new ERP system, the field reaches for TAM or UTAUT instead.

That choice is not theoretically required. Johnston and Warkentin (2010) applied PMT to IS security policy compliance and showed that threat appraisal and coping appraisal predict whether employees follow the rules. Boss et al. (2015) added the fear control versus danger control distinction, showing that fear without efficacy pushes people into denial rather than protection. Those findings are robust. But they are also specific to one context. The underlying model, two appraisals that jointly determine action, describes any protective or avoidant behavior where a person perceives risk and evaluates a response. Belanger and Crossler (2011) already mapped how privacy research spans multiple levels in IS. Their review makes clear that security and privacy are not the same thing, and that theoretical tools should travel between them. PMT should travel further.

Think about AI adoption resistance in healthcare. Rogers (1975) originally developed PMT to explain health protective behavior. The irony is that the theory has been imported into IS security but not into IS health. When a physician resists an AI diagnostic tool, the standard explanation is TAM: perceived usefulness and ease of use are low. But a PMT lens would ask different questions. Threat appraisal: how severe is the risk of making a wrong diagnosis with versus without the AI? Coping appraisal: does the physician believe the AI recommendation will actually improve outcomes, and does she believe she can integrate it into her workflow without losing clinical judgment? High threat appraisal combined with low coping appraisal, the AI might help but I cannot use it skillfully, predicts rejection. TAM captures the usefulness judgment. PMT captures the risk and capability judgment that sits underneath it. I am not sure the field has ever tested this directly.

Climate behavior is another obvious candidate. The behavioral science literature on climate action is full of threat messaging that does not produce behavior change. That pattern is exactly what PMT predicts. Bombarding people with severity and vulnerability information without pairing it with response efficacy and self-efficacy produces fear control. People manage their emotional response to climate threat through denial, distancing, or shifting responsibility, rather than managing the actual threat through reduced consumption or political action. The mechanism is identical to the security awareness training problem I wrote about earlier. The difference is that climate researchers sometimes rediscover the wheel under different names, while IS researchers already have the wheel and refuse to roll it outside the parking garage.

Technology rejection in expert professions fits the same structure. An experienced lawyer who refuses to adopt a contract analysis AI is not necessarily making a usefulness calculation. She may be making a coping appraisal calculation. The tool might be useful in the abstract, but the perceived risk of delegating judgment to an opaque system is high, and the perceived self-efficacy for recovering from an AI error is low. TAM would code this as low perceived usefulness. PMT would code it as high threat appraisal combined with low coping appraisal, which predicts avoidance. The predictions are different, and the interventions they imply are different. You do not fix PMT-driven rejection by making the tool more useful. You fix it by increasing response efficacy and self-efficacy, which means showing concrete evidence that the tool reduces error and building training that makes the user feel genuinely capable of supervising it.

The field has good reasons for keeping PMT in security. Security behavior is measurable, policy compliance is an organizational priority, and the variance models fit the survey methodology that dominates the discipline. But those are methodological conveniences, not theoretical boundaries. Rogers built PMT as both a process model and a variance model, tracing sequential mechanisms from threat perception through appraisal to intention while also identifying which perceptual variables explain variance in protection motivation. That dual nature means PMT can address how a decision is made and which factors predict whether it is made, in any domain where threat and coping evaluations matter.

I am not arguing that PMT should replace TAM or UTAUT in adoption research. I am arguing that the field treats PMT as a security theory when it is actually a behavioral theory. The security applications are real and well supported. Johnston and Warkentin (2010) and Boss et al. (2015) did careful work. Moody et al. (2018) synthesized that work impressively. But the cumulative effect has been to ghettoize a general theory inside a specific domain. If the only time you see PMT cited is in a paper about phishing or password policy, you start to believe that is all it does. It does more. The question is whether IS researchers are willing to ask it.

About the author

A
Ali Safari
PhD Student in IS, University of North Texas

Researching AI governance, trust in intelligent systems, and agentic AI. Writing while studying for comps.

in gs

Share

More notes

← Previous
The Replication Crisis Is an IS Problem Too
Next →
The Paradox at the Heart of AI Adoption: 88% Explore, 7% Scale

Related notes

AI & Agentic Systems
When an AI Agent Makes a Decision, Who Is Accountable?
5 min read
IS Theory
Data Governance Is Institutional Work, Not IT Administration
6 min read
IS Theory
ERP Failure Is Not a Technology Problem. It Is a Structuration Problem.
7 min read