Abstract
Email users are vulnerable to phishing threats and a greater understanding of how to protect them is needed. This research investigates how response costs and rewards influence users’ protective and maladaptive security behaviours in the domain of phishing by testing a model that extends Protection Motivation Theory to more explicitly consider the role of maladaptive behaviour. The results show that rewards influence maladaptive behaviour rather than protective behaviour in response to email phishing threats, and that response costs influence both maladaptive and protective behaviours. That is, any perceived benefits from not performing protective behaviours against email phishing threats will result in an increase in the performance of maladaptive behaviours. Similarly, any increases in costs perceived to be incurred for performing protective behaviours against email phishing threats will result in a decrease in protective behaviour and an increase in maladaptive behaviour. These findings have both practical implications and implications for future research into protections against phishing threats.