Protecting your business against ransomware attacks? Explaining the motivations of entrepreneurs to take future protective measures against cybercrimes using an extended protection motivation theory model

Entrepreneurs are likely to be victims of ransomware. Previous studies have found that entrepreneurs tend to adopt few preventive measures, thereby increasing their chances of victimization. Due to a lack of research, however, not much is known about why entrepreneurs lack self-protective behaviors and how they can be encouraged to change said behaviors. Therefore, the purpose of this study is to explain, by means of an extended model of the Protection Motivation Theory (PMT), the motivation for entrepreneurs using protective measures against ransomware in the future. The data for our study were collected thanks to a questionnaire that was answered by 1,020 Dutch entrepreneurs with up to 250 employees. Our Struc-tural Equation Modelling (SEM) analysis revealed that entrepreneurs are more likely to take preventive measures against ransomware if they perceive the risk of ransomware as severe (perceived severity), if they perceive their company as being vulnerable (perceived vulnerability), if they are concerned about the risks (affective response), and if they think that the people and companies around them expect them to apply preventive measures (subjective norms). However, if entrepreneurs think that they are capable of handling the risk (self-efficacy) and are convinced that their adopted preventive measures are effec-tive (response efficacy), they are less likely to take preventive measures. Furthermore, for entrepreneurs that outsource IT security, the significant effect of perceived vulnerability and subjective norms disap-pears. The likelihood of entrepreneurs protecting their business against ransomware is thus influenced by a complex interplay of various motivational factors and is partly dependent on the business' character-istics. Based on these findings, we will discuss security professionals' prospects for increasing the cyber resilience of entrepreneurs, thus preventing cybercrime victimization.(c) 2023 The Author(s). Published by Elsevier Ltd.