RESEARCH ARTICLE

WHAT USERS DO BESIDES PROBLEM-FOCUSED COPING

WHEN FACING IT SECURITY THREATS: AN EMOTION-
FOCUSED COPING PERSPECTIVE1
Huigang Liang and Yajiong Xue
College of Business, East Carolina University,
Greenville, NC 27858 U.S.A. {huigang.liang@gmail.com} {xuey@ecu.edu}

Alain Pinsonneault
Desautels Faculty of Management, McGill University, 1001 Sherbrooke Street West,
Montréal, QC CANADA H3A 1G5 {alain.pinsonneault@mcgill.ca}

Yu “Andy” Wu
College of Business, University of North Texas,
Denton, TX 76203 U.S.A. {andy.wu@unt.edu}

This paper investigates how individuals cope with IT security threats by taking into account both problem-
focused and emotion-focused coping. While problem-focused coping (PFC) has been extensively studied in the
IT security literature, little is known about emotion-focused coping (EFC). We propose that individuals employ
both PFC and EFC to volitionally cope with IT security threats, and conceptually classify EFC into two cate-
gories: inward and outward. Our research model is tested by two studies: an experiment with 140 individuals
and a survey of 934 respondents. Our results indicate that both inward EFC and outward EFC are stimulated
by perceived threat, but that only inward EFC is reduced by perceived avoidability. Interestingly, inward EFC
and outward EFC are found to have opposite effects on PFC. While inward EFC impedes PFC, outward EFC
facilitates PFC. By integrating both EFC and PFC in a single model, we provide a more complete under-
standing of individual behavior under IT security threats. Moreover, by theorizing two categories of EFC and
showing their opposing effects on users’ security behaviors, we further examine the paradoxical relationship
between EFC and PFC, thus making an important contribution to IT security research and practice.

Keywords: Emotion focused coping, emotional support seeking, venting, denial, psychological distancing,
wishful thinking, IT security

Introduction 1 become pervasive. Security breaches often have serious

As information technology (IT) becomes ubiquitous and
indispensable to modern societies, IT security breaches also
1
Sean Xu was the accepting senior editor for this paper. Yulin Fang served
as he associate editor.
The appendices for this paper are located in the “Online Supplements”
section of MIS Quarterly’s website (https://misq.org).
negative impacts on both individuals and organizations,
including financial, reputational, and privacy losses (Liang
and Xue 2010). The current global cybersecurity cost is esti-
mated to be as high as $575 billion (Symantec 2016). Even
worse, cybercriminals continuously invent new ways to cir-
cumvent security safeguards and new derivatives of malware
that cannot be screened or removed by the latest security
software constantly emerge (Cisco 2016; Symantec 2016).
Many high-profile security breaches incessantly ring alarms

DOI: 10.25300/MISQ/2019/14360 MIS Quarterly Vol. 43 No. 2, pp. 373-394/June 2019 373
Liang et al./An Emotion-Focused Coping Perspective
to remind us the gravity of IT security breaches (Duke 2014;
Hu 2014). The most recent mega breaches, which affected
437 million MySpace passwords (Franceschi-Bicchierai 2016)
and over one billion Yahoo accounts (Whittaker 2016),
resoundingly indicate that nobody is safe in this digital age.
To reduce IT security risks, it is imperative to understand how
individuals volitionally cope with IT security threats. Coping
theory (Lazarus and Folkman 1984) suggests that individuals
engage in two mechanisms when facing threats: problem-
focused coping (PFC) and emotion-focused coping (EFC).
Individuals’ protection behavior scrutinized by prior IT secu-
rity research is essentially a type of PFC (Boss et al. 2015; Lai
et al. 2012). EFC is another important response to IT security
threats, but it has never received proportionate attention since
it was introduced into the IT security research arena by Liang
and Xue (2009). EFC regulates negative emotions caused by
different types of threats and influences personal behaviors
and decisions (Lazarus 1991). While traditional wisdom
emphasizes the importance of reasoning in evaluating risks,
recent research demonstrates that intuitive feelings and heu-
ristics based on affects and emotions also play a salient role
in risk evaluations in general (Slovic et al. 2004) and in the IT
security context in particular (Kim et al. 2016; Willison and
Warkentin 2013). EFC provides a theory-based means to
capture this irrational part of human behavior. The IT secu-
rity practitioner community has noticed that users often
behave emotionally beyond reasoning when facing IT security
threats. For example, most security attacks exploit old
methods and tricks well known to the public, but users take no
protective actions even if they are aware of the danger (Pone-
mon Institute 2017). This suggests that reasoning and rational
thinking have limited explanatory power and implies the
functioning of emotion-related heuristic mechanisms. The
limits of reasoning also appear at the organizational level. A
report shows that 64% of organizational IT professionals are
concerned about the risk of using mobile apps, but only 32%
of them think it is urgent to secure mobile apps (Murphy
2016). These observations from the field suggest that indi-
viduals’ security behavior is also influenced by factors outside
the rational domain and likely related to EFC. In line with
these observations, IT security researchers have increasingly
realized the importance of emotions and suggested that emo-
tions play an important role in influencing security behaviors
(Kim et al. 2016; Willison and Warkentin 2013). For ex-
ample, it is empirically demonstrated that fear as an emotion
can be aroused by malware threats and significantly enhance
users’ intention to use anti-malware software (Boss et al.
2015). Thus, the consideration of EFC could greatly enrich
our understanding of how individuals cope with IT security
threats in the volitional context. The current security aware-
ness and training programs are seen as ineffective, failing to
improve users’ security behaviors (ISF 2014). Successful
374 MIS Quarterly Vol. 43 No. 2/June 2019
information security behavioral change impinges on a sound
understanding of how users react to security threats (ISF
2014). With the knowledge of EFC, more targeted behavioral
interventions can be developed to improve individuals’
security behavior to create a safer IT environment. Without
taking EFC into account, it will be extremely difficult, if not
impossible, to explain why individuals take or fail to take
protective actions and resources could be wasted on ineffec-
tive interventions.
Although research on individuals’ IT security behaviors has
made great progress, there are several opportunities to further
advance this field. First, the current literature on individuals’
volitional security behaviors has focused only on the analy-
tical reasoning process that motivates individuals to take
protective actions against security threats.2 The majority of
these studies (Anderson and Agarwal 2010; Johnston and
Warkentin 2010) use the protection motivation theory as their
theoretical foundation. Others (Lee and Kozar 2005; Ng et al.
2009) adopt the health belief model or the theory of planned
behavior. A summary of past studies on volitional IT security
behaviors (see Appendix A) reveals that the common theme
of this literature is that individuals take a PFC approach to
cope with threats through the adoption of protective measures
as a result of cognitive reasoning or cost–benefit analysis no
matter which theory is applied. While significant insights
have been gained from the cognitive models, emotions have
been largely ignored in studies of behavioral reactions to
security threats until recently (Boss et al. 2015; Johnston and
Warkentin 2010; Liang and Xue 2009, 2010). IT security
threats can give rise to an array of emotions. For example, a
report reveals that cybercrimes can arouse strong emotions
such as anger and annoyance (Symantec 2010). Emotions and
different emotion-based defense mechanisms play a powerful
and central role in our IT-related lives (Zhang 2013). They
influence human beliefs and attitudes, guide cognitive
thinking, and often drive decision-making and actions
(Lazarus and Folkman 1984; Lerner et al. 2007; Lerner and
Keltner 2000). If users rely too much on EFC, they may
develop biased perceptions to mistakenly neglect IT security
threats and end up not taking necessary protective measures
(Liang and Xue 2009). Second, this literature has mixed
findings regarding how the major antecedents influence PFC.
The effects of response efficacy, self-efficacy, and perceived
costs are highly inconsistent across studies, varying from
significant to insignificant, or positive to negative (e.g., Boss
et al. 2015; Johnston and Warkentin 2010; Liang and Xue
2
Although protection motivation theory does not assume decision makers to
be rational, it means to suggest that human beings are prone to biases and can
only be boundedly rational (Rogers 1983). The theory is still based on indi-
viduals’ cognitive reasoning of threat and coping and does not explicitly
explain why people can be irrational.

2010). It is possible that the missing variable, EFC, has
contributed to such inconsistency. Finally, the theorization of
EFC is not thorough and clear. Liang and Xue (2009) theo-
retically imply (without empirical verification) that EFC tends
to produce negative effects on users’ security behavior. How-
ever, the coping literature suggests that the effect of EFC
could be either positive or negative, depending on the context
(Folkman et al. 1986a). It remains unclear what outcomes
EFC will produce in the IT security context. Hence, a com-
plete understanding of individuals’ security behavior cannot
be obtained unless their emotion-based response, or EFC, is
taken into consideration.
To address the limitations of the current IT security literature,
this paper draws on coping theory that considers both cog-
nitions and emotions to focus on users’ emotional reactions to
IT security threats, thus providing a more comprehensive
understanding of users’ security behaviors. EFC provides a
complementary angle from which we can observe drivers of
behaviors that are invisible from a problem-focused perspec-
tive. We contend that EFC plays a critical role in shaping
individuals’ reactions to security threats. Some recent studies
treat IT security behaviors as acts of coping (Lai et al. 2012;
Lee and Larsen 2009; Liang and Xue 2010), but they focus
only on PFC, failing to take EFC into account or empirically
study it (Liang and Xue 2009). In this paper, we propose that
individuals take not only problem-focused approaches to
handle a security threat, but also emotion-focused approaches
to restore emotional balance disrupted by the threat. More-
over, we contend that EFC can both facilitate PFC by
retaining a balanced emotional state (Beaudry and Pinson-
neault 2010; Liang and Xue 2009) and impede PFC by
producing distractions or biases (Rippetoe and Rogers 1987;
Scheier et al. 1986). We also reconcile this paradox by
showing that the opposite effects are generated by two dif-
ferent types of EFC. Two studies, an experiment and a field
survey, provide strong support to our hypotheses.
This paper makes three contributions to IS research. First, we
provide a more complete and encompassing model of how
individuals react to IT security threats by taking both PFC and
EFC into account, thus offering an in-depth understanding of
the complex and multifaceted IT security behavior. Second,
we develop a theoretical categorization of EFC consisting of
inward and outward EFC. This categorization helps to illu-
minate the underlying mechanisms of different types of EFC
and is instrumental to future IT security research. Third, we
contribute to technology threat avoidance theory (Liang and
Xue 2009) and coping research by addressing the murky issue
of how EFC is related to PFC. We do this by empirically
demonstrating that inward EFC is negatively associated with
PFC while outward EFC is positively associated with PFC.
This study has important implications for both IT security
Liang et al./An Emotion-Focused Coping Perspective
theory and practice. It suggests that when motivating users to
take security behaviors, fear appeals cannot be overly empha-
sized because perceived threat, despite its positive effect on
PFC, can indirectly reduce PFC by activating inward EFC. It
also suggests that security education programs should include
content on EFC to help users understand what types of EFC
are beneficial and what types of EFC are detrimental. Such an
understanding is essential to increase users’ tendency to per-
form PFC actions so that they are protected from IT security
threats.
Theoretical Foundation: Key
Elements of Coping
Coping theory, widely accepted by psychology researchers,
explains how people cope with stressful situations. Stress is
“a relationship between the person and the environment that
is appraised by the person as relevant to his or her well-being
and in which the person’s resources are taxed or exceeded”
(Folkman and Lazarus 1985, p. 152). A stressful situation in
essence represents a disturbed person–environment relation-
ship and people can implement a number of coping mech-
anisms to deal with it (Folkman and Lazarus 1985). The
coping process consists of two stages: cognitive appraisal and
coping. During the cognitive appraisal, individuals determine
whether the stressful situation impacts their well-being, and
if so, how (Folkman et al. 1986a). It can be further divided
into primary appraisal, in which individuals assess what may
be at stake in the encounter, and secondary appraisal, in
which individuals determine what can be done to prevent or
reduce harm or improve benefits (Carver and Scheier 1994;
Carver et al. 1989; Folkman and Lazarus 1985; Folkman et al.
1986b). The appraisals form the basis of coping, defined as
a person’s “cognitive and behavioral efforts to manage
(reduce, minimize, master, or tolerate) the internal and exter-
nal demands of the person-environment transaction that is
appraised as taxing or exceeding the person’s resources”
(Folkman et al. 1986b, p. 572).
There exist two main types of coping: PFC and EFC. PFC
refers to a function-oriented approach to identify and work on
the cause of stress (Carver et al. 1989; Folkman and Lazarus
1985). In contrast, EFC refers to the approach people take to
pacify or control the emotions aroused by the stressful situa-
tion or to dismiss the emotional discomforts (Carver et al.
1989; Folkman and Lazarus 1985). EFC does not address the
problem at hand; rather, it deals with the feelings and percep-
tions associated with the stressful situation. Individuals can
rely on either or both coping approaches, and the particular
mix of the two gives rise to various outcomes. Coping
research not only acknowledges the coexistence of PFC and
MIS Quarterly Vol. 43 No. 2/June 2019 375
Liang et al./An Emotion-Focused Coping Perspective
EFC, but also implies that EFC can influence PFC. Lazarus
and Folkman (1984) point out that individuals undertake EFC
strategies before PFC strategies in a temporal sequence. They
find that EFC can either facilitate or impede PFC (Folkman
and Lazarus 1985; Lazarus and Folkman 1984). On the one
hand, EFC facilitates PFC possibly because EFC allows
individuals to restore emotional stability and to manage emo-
tions that would otherwise interfere with PFC (Lazarus and
Folkman 1984). On the other hand, EFC can impede PFC
because once emotional stability has been restored, the incen-
tives to perform PFC can diminish (Folkman and Lazarus
1985; Scheier et al. 1986). In another word, EFC can reduce
the saliency of a threat and therefore the impetus to take
protective actions might not be as salient.
Research Model: A Coping Model
of IT Security Threats
Because coping theory examines how individuals cope with
personal threats, it offers a strong theoretical foundation for
studying how individuals react to IT security threats. The two
types of coping mechanisms (EFC and PFC) are highly rele-
vant in the context of IT security threats (Liang and Xue
2009). EFC includes efforts to regulate emotions, especially
in stressful situations like those involving IT security threats.3
Harmful IT artifacts and events can trigger loss emotions such
as anger, disappointment, and frustration and deterrent
emotions such as anxiety, fear, and distress (Beaudry and Pin-
sonneault 2010). These emotions can be either instrumental
or harmful, depending on whether they occur at the right time
and the right intensity level and on how individuals cope with
the situation (Beaudry and Pinsonneault 2010; Gross and
Thompson 2007; Lazarus 1991). Intense emotions, especially
intense negative emotions, are often dysfunctional and disrupt
rational decision processes (Austenfeld and Stanton 2004;
Beaudry and Pinsonneault 2010). By employing EFC strate-
gies, users can placate negative emotions to reach a more
balanced emotional state where rational decision making is
not interrupted (Beaudry and Pinsonneault 2010; Liang and
Xue 2009). Consequently, EFC will facilitate PFC. On the
other hand, when individuals perform EFC to mitigate nega-
tive emotions, they can develop false perception of the threat
or be distracted from PFC efforts (Rippetoe and Rogers 1987;
Scheier et al. 1986). As a result, EFC impedes PFC. Given
the possible mixed effects of EFC on PFC, it is important to
3
Depending on the severity of damage, IT security threats may cause different
levels of stress among users. Users are inclined to cope with the threats not
only when the stress is high, but also when the stress is low. This is sup-
ported by prior research showing that both major life events and daily minor
stressors lead to coping behaviors (Cicognani 2011; Pillow et al. 1996).
376 MIS Quarterly Vol. 43 No. 2/June 2019
know how EFC influences PFC in the IT security context.
Yet, to date there is no systematic explanation of the para-
doxical effects of EFC on PFC. The IT security literature has
mainly focused on PFC and has provided limited knowledge
about EFC. Further, the relationship between EFC and PFC
has not been empirically examined. The technology threat
avoidance theory (TTAT) posits that PFC and EFC can both
be applied to counter IT security threats at the theoretical
level (Liang and Xue 2009), but it has not explored how the
two relate to each other. In this paper, we develop a classifi-
cation for EFC so that we can better understand the relation-
ship between EFC and PFC in the context of IT security
threats.
Two Types of Emotion Focused Coping
Although the coping literature has identified a number of EFC
strategies and these strategies are found to be associated with
different outcomes (Carver et al. 1989; Folkman et al. 1986a),
coping researchers have not attempted to theoretically cate-
gorize different EFC constructs. In an effort to provide a
clearer understanding of the relationship between EFC and
PFC in an IT security context, we draw on the emotion regu-
lation research (Gross 1998; Gross and Thompson 2007) to
develop a categorization of EFC strategies. Because EFC is
conceptually similar to emotion regulation, using the latter to
extend coping research is theoretically justifiable. Both
coping researchers and emotion regulation researchers agree
that EFC is essentially an emotion regulation endeavor (Folk-
man and Moskowitz 2004; Gross 1999; Lazarus 1991).
Folkman and Moskowitz (2004) state that EFC falls under the
rubric of emotion regulation. Gross (1999) admits that the
emotion regulation research originated from coping research
and “it was EFC, in particular, that laid the groundwork for
the study of emotion regulation” (p. 555). Coping researchers
acknowledge that “the work on emotion regulation adds to the
coping literature by providing an in-depth look at the effects
of some forms of emotion-focused types of coping” (Folkman
and Moskowitz 2004, p. 763). Therefore, it is legitimate to
draw upon the emotion regulation research to develop EFC
categorization.
Gross (1998) posits that strategies to regulate emotions can be
classified into two categories, antecedent-focused and
response-focused, based on the four elements of the emotion-
generating process: situation, attention, appraisal, and
response. For emotions to be activated, a situation (e.g., oc-
currence of an event) that has particular meaning to a person
compels attention and gives rise to a coordinated multisystem
(cognitive, behavioral, and physiological) response to the
situation (Gross and Thompson 2007). Antecedent-focused
strategies are concerned with the three antecedents of emotion

(situation, attention, and appraisal), whereas response-focused
strategies deal with the emotional response (Gross 1998;
Gross and Thompson 2007). To adapt this logic into EFC
categorization, we use attention, appraisal, and response as
the basis for categorization. We decide to leave out situation
because emotion regulation strategies intended to change
situations can be confused with PFC given that both involve
actions to objectively modify the source causing stressful
emotions. Specifically, in the IT security context, the threat
of security breaches can create a psychologically stressful
situation that draws users’ attention, and after an appraisal of
valence and value relevance of the situation, users will
produce emotional responses. Following the logic inspired by
the emotion regulation categorization, we propose that EFC
in the IT security context can be classified as inward EFC
(derived from antecedent-focused strategies) and outward
EFC (derived from response-focused strategies).
Inward EFC involves approaches internal to the self and
unobservable to others. Similar to antecedent-focused emo-
tion regulation, it tries to stop negative emotions before they
are generated (Gross and Thompson 2007). It achieves this
goal by applying attentional deployment and cognitive
change.4 Attentional deployment refers to users’ directing
their attention away from IT security threats such as identity
theft and loss of privacy. Users can choose to focus on a less
dreadful aspect of the IT security threat or distract themselves
from the entire situation. Cognitive change refers to altering
how users appraise the IT security threat so that its emotional
significance is changed. Users can reappraise the threat from
a different perspective so that the value relevance of the threat
is different or they can simply distort their appraisal of the
threat (Folkman et al. 1986a; Gross and Thompson 2007). In
contrast, outward EFC refers to individuals’ direct adjustment
of emotional responses or outcome of the emotion-generating
process. It is applied after negative emotions are generated,
which is outward and observable to others. It involves com-
municative strategies to regulate physiological and experi-
ential aspects of emotions so that the negative impact of the
emotions is alleviated. Based on the coping and IS literature
(Beaudry and Pinsonneault 2010; Carver et al. 1989; Folkman
et al. 1986a; Liang and Xue 2009), in the IT security context,
4
Inward EFC and antecedent-based emotion regulation are not exactly the
same. The latter incudes not only attentional deployment and cognitive
change, but also situation selection and situation modification (Gross 1998).
We exclude situation selection and situation modification from inward EFC
due to the following concerns: (1) situation selection is not applicable in the
IT security context because nobody can choose a situation where no IT secu-
rity threats exist; and (2) situation modification is essentially PFC (i.e.,
protective behavior). For example, a user installed a spam filter to stop spam
emails. From the emotion regulation perspective, it is an antecedent-based
strategy to prevent negative emotions caused by spam. From the coping per-
spective, it is simply a PFC to counter spam. Since this research takes the
coping perspective, we do not consider it as part of inward EFC.
Liang et al./An Emotion-Focused Coping Perspective
inward EFC strategies include psychological distancing,
denial, and wishful thinking, and outward EFC strategies
include venting out emotions and emotional support seeking.
In the “Method” section, we will explain how we identify
specific EFC strategies.
Model and Hypothesis Development
To fully understand users’ IT security behaviors by con-
sidering both EFC and PFC, we develop a research model
based on prior coping and IS research (Beaudry and Pinson-
neault 2005; Liang and Xue 2009; Rippetoe and Rogers
1987). As Figure 1 shows, each major coping component is
represented in the model: perceived threat represents the
primary appraisal, perceived avoidability represents the
secondary appraisal, inward and outward EFC represent EFC,
and PFC behavior represents PFC. In threatening situations,
one way to judge whether a coping approach is functional (or
adaptive) is whether it can mitigate the threat (Rippetoe and
Rogers 1987). When facing an IT security threat, PFC is
considered the functional approach because without such
behaviors the threat will not dissolve automatically and
possibly cause serious losses. Therefore, PFC behavior is
identified as the key dependent variable. Specifically, PFC
behavior is defined as the extent to which users apply appro-
priate protective measures to counter IT threats. It reflects the
extent to which users actually act against the IT threat. The
impact of EFC strategies is embodied by their effects on PFC
behavior.
Antecedents of EFC
A person’s selection of EFC mechanisms is influenced by
various factors. Although individual differences such as age,
gender, and personality traits can influence the coping process
(Carver et al. 1993; McCrae and Costa 1986; Scheier et al.
1986), decades of research reveals that the selection of coping
mechanisms is contextual; that is, the selection is shaped by
the characteristics of the stressor and a person’s appraisal of
the situation and the available resources in the encounter
(Carver et al. 1989; Folkman et al. 1986a). Drawing on
TTAT (Liang and Xue 2009), we propose that in the context
of IT security, EFC is determined by two constructs:
perceived threat and perceived avoidability.
Perceived threat is defined as the extent to which an individ-
ual perceives a particular IT event or artifact as dangerous or
harmful (Liang and Xue 2010). The perception of IT security
threats creates a stressful situation where individuals are
concerned that they might become victims of IT threats and
tend to experience emotional disturbance (Liang and Xue
MIS Quarterly Vol. 43 No. 2/June 2019 377
Liang et al./An Emotion-Focused Coping Perspective
Figure 1. Research Model
2009). A prominent characteristic of IT security threats,
which sets them aside from other types of threats, is that they
are ubiquitous and nondiscriminatory. Anybody could be af-
fected anytime, anywhere. Hence, users not only perform
PFC to counter the threat, but also employ EFC to mitigate
their emotional uneasiness and restore emotional stability
(Beaudry and Pinsonneault 2005; Liang and Xue 2009).
Coping research suggests that individuals under threat experi-
ence psychological stress and use various EFC strategies to
maintain their psychological well-being (Carver and Scheier
1982). Perceived threat triggers both inward and outward
EFC through different working mechanisms, and both types
of EFC can regulate the emotional responses to IT security
threats.
First, the IT security threat induces negative emotions such as
fear, worry, and anxiety because users anticipate the threat
might result in significant losses (Beaudry and Pinsonneault
2010). For example, Boss et al. (2015) show that IT security
threats can lead to a strong feeling of fear. These emotions
make users doubt their competence to maintain the basic need
for personal safety (Maslow 1943), giving rise to emotional
imbalance. It is common for human beings to spontaneously
apply defense mechanisms to psychologically manipulate,
deny, or distort reality to protect their feelings of being safe
(Freud 1894). A variety of defense mechanisms can be uti-
lized to protect their safety perceptions such as blocking new
information related to that event (Scherer and Tran 2001),
psychological distancing and directing attention away from
the stressor (Yi and Baumgartner 2004), mental disengage-
ment, escaping, denial, avoidance (Carver et al. 1989; Yi and
Baumgartner 2004), and wishful thinking (Fugate et al. 2002).
Through these defense mechanisms, individuals manage to
satisfy their basic need for feeling safe.
378 MIS Quarterly Vol. 43 No. 2/June 2019
By the same token, individuals could spontaneously apply
inward EFC to alleviate the negative emotions induced by IT
security threats so that their emotional balance can be main-
tained. Inward EFC interferes with users’ appraisal process
in two ways. One is to direct attention away from the situa-
tion, so that the threat perception is diluted. The other is to
alter the perceptions produced by the appraisal process, so
that the altered perceptions, usually distorted and biased, lead
to a more desirable prospect. As a result of applying inward
EFC, users will feel less stressed and retain their emotional
balance. Therefore, we propose that users will likely employ
inward EFC to cope with IT security threats.
H1a: Perceived threat will be positively asso-
ciated with inward EFC.
Individuals facing threatening situations can also rely on
outward EFC, cognitive strategies oriented toward handling
the emotions directly (Loewenstein 2007). Here, the stra-
tegies are not oriented toward inhibition and prevention of the
emotions before their activation (i.e., inward EFC), but rather
they aim at expressing feelings to others (McCrae 1984) and
performing emotional discharge (Moos and Billings 1982)
through actions such as venting (letting off steam; Bushman
et al. 2001) and looking for sympathy, moral support, advice
and encouragement from colleagues, friends, and family
(Bagozzi et al. 1999; Carver et al. 1989; Yi and Baumgartner
2004). Individuals rely on social support to get assistance and
get help in making sense of situations fraught with risk and
uncertainty (Stets and Tsushima 2001). These response-
focused strategies, often referred to as collective coping
(Lazarus 1999), help to cognitively transform or reappraise
situations and restore emotional stability (Loewenstein 2007).

Similarly, IS coping research (e.g., Beaudry and Pinsonneault
2010) suggests that in the context of IT security threat, users
could regulate negative emotions directly by seeking emo-
tional support from their social networks and/or venting their
emotions onto others. This is because negative emotions put
users in a disturbed emotional state, which is an unpleasant
experience for them. Given that it is human nature to ap-
proach pleasure and avoid pain, users are motivated to
circumvent the displeasure of emotional disturbance and try
to restore emotional stability (Liang and Xue 2009). The
outward EFC strategies help users release pressure and stay
mentally balanced. Therefore, we propose that when
threatened by IT security problems users will likely employ
outward EFC.
H1b: Perceived threat will be positively asso-
ciated with outward EFC.
Perceived avoidability refers to users’ assessment of the
likelihood they will be able to avoid the IT security threat
facing them by using available safeguarding measures, taking
into account the safeguards’ effectiveness and costs as well as
the users’ self-efficacy (Liang and Xue 2009).5 The avoid-
ability perception reflects how much control users think they
have over the security threat. A sense of being in control
helps users feel secure and stabilizes their emotional state.
On the contrary, a sense of lacking control makes users feel
insecure and disturbs their emotional state. It has been shown
that in a threatening IT situation, users are unlikely to use
EFC when they perceive strong control over the situation
(Beaudry and Pinsonneault 2010). When users feel that the
security threat is avoidable, they do not anticipate severe
losses and therefore it is unnecessary for them to modify
cognitive appraisals of the situation. The avoidability percep-
tion is related to the users’ confidence that they have adequate
safeguarding resources and self-competence to fend off
security threats and stay safe. If external threats cannot
endanger their basic need for safety, users will not be urged
to start psychological defense mechanisms to distort or deny
reality. For instance, an online banking user who frequently
changes passwords, updates antivirus and antispyware soft-
ware, and installs security patches for her operating system
will have a strong sense of control and not feel stressed by
losing identity in online transactions. She would not perform
inward EFC since she does not predict to have a stirred
emotional state. Therefore, we propose that users are less
5 explicate that it is inward EFC that competes against PFC and
Perceived avoidability is a composite construct that includes response effi-
cacy, response cost, and self-efficacy. It cannot be represented by a single
dimension. For example, a higher level of self-efficacy does not necessary
lead to high perceived avoidability. Consider a user who is very confident
that she can use the security software installed on her computer (high self-
efficacy). If she does not believe that the security software is sufficient to
stop identity theft (low response efficacy), she would still think that identity
theft is unavoidable (low perceived avoidability).
Liang et al./An Emotion-Focused Coping Perspective
likely to employ inward EFC to cope with security threats
when perceived avoidability is higher.
H2a: Perceived avoidability will be negatively
associated with inward EFC.
Moreover, when users have a high level of avoidability per-
ception, they are confident that they can apply the protective
measures that are effective and affordable, which helps to
ensure a feeling of safety and prevent emotional imbalance
(Beaudry and Pinsonneault 2005; Liang and Xue 2009). As
a result, users are unlikely to experience strong negative emo-
tions, and will not employ outward EFC because there are no
negative emotions to be regulated. For example, for a user
who stores confidential data on her computer, if she uses a
special encryption method to encrypt the data and runs a fire-
wall to screen all attempts to access her computer and she
believes that these two measures would effectively protect the
data, she would not have emotional strain over the thought
that her data might be stolen and used for illegal purposes and
consequently she has no need to perform outward EFC. In
contrast, when the level of avoidability perception is low,
users feel that they have little control over the threat. Strong
negative emotions such as fear, stress, and frustration are
likely to emerge, leading to emotional imbalance. Due to the
unpleasantness of emotional imbalance, users naturally desire
to evade it and need outward EFC strategies to channel these
emotions to regain emotional balance. This logic is supported
by the psychology literature which shows that individuals
with self-efficacy are less likely to experience emotional
strain than those with self-doubts (Bandura 1997). Thus,
when perceived avoidability is higher, users are less likely to
employ outward EFC to cope with security threats.
H2b: Perceived avoidability will be negatively
associated with outward EFC.
Impact of EFC
Liang and Xue (2009) suggest that EFC is both competitive
and complementary to PFC. They argue that EFC competes
against PFC because when users take more EFC they are less
likely to take PFC, and EFC complements PFC because when
users take EFC to achieve emotional balance they can more
rationally analyze the situation and engage in PFC. Inte-
grating this notion and our categorization of EFC, we further
it is outward EFC that complements PFC.
Inward EFC can be dysfunctional and lead to mal-adaptation
(Billings and Moos 1984) because it impedes adaptive pro-
cesses and hinders resolution of problems (Folkman et al.
1986a). Folkman and Lazarus (1985) long ago noticed that
MIS Quarterly Vol. 43 No. 2/June 2019 379
Liang et al./An Emotion-Focused Coping Perspective
“some forms of emotion-focused coping…impede problem-
focused coping” (p. 168). In the IT security context, inward
EFC can negatively influence users’ security behaviors
because it subjectively manipulates users’ attention and cog-
nitive evaluations of the threat (Beaudry and Pinsonneault
2005; Liang and Xue 2009). For example, inward EFC can
direct users’ attention away from the IT threat, leading users
to ignore the issue altogether and neglect the existence of the
danger. It can also be used to create an unrealistic illusion
that a miracle will resolve the security problem, or to deny the
consequences of the IT threat. As a result, users are not
motivated to take PFC behaviors because they do not pay
sufficient attention to the situation or they do not think it is
necessary for them to react. Little research has investigated
inward EFC’s effects in the IT security area. Outside the IT
security area, one study finds that psychological distancing is
maladaptive and has a negative influence on IT use (Beaudry
and Pinsonneault 2010). Despite scarcity of empirical evi-
dence in IS, the theoretical meanings of inward EFC and
studies in psychology (e.g., Billings and Moos 1984; Folkman
et al. 1986a) suggest that users will have a low likelihood to
take security actions when they engage in inward EFC.
H3: Inward EFC will be negatively associated with
PFC behavior.
Outward EFC regulates emotions directly. Although it shares
with inward EFC the goal of restoring emotional stability, it
differs from inward EFC in terms of how this goal is
achieved. Inward EFC protects emotional stability by
ignoring or distorting perceptions of the security threat and
consequently prevents the emergence of negative emotions.
In contrast, outward EFC is not intended to, although it could,
alter perceptions of the threat. It regulates the emotions after
they are induced by the threat to regain emotional stability.
Therefore, outward EFC helps to reduce stress without sacri-
ficing objectivity in evaluating the situation. There is strong
evidence that stress can interfere with rational decision
making and lead to deficient behaviors (Dias-Ferreira et al.
2009), which suggests that outward EFC could help to pro-
mote rational behaviors by reducing stress. Next, we explain
how two typical outward EFC strategies, emotional support
seeking and venting, influence users’ PFC behavior.
A great number of studies have found a positive effect of
emotional support on individuals’ psychological well being
and adaptive behaviors (Taylor 2011). Based on the litera-
ture, we propose that emotional support seeking influences
users in the IT security context in at least two ways. First,
when supporters provide emotional support to the users, they
empathize with, legitimize, and explore the users’ feelings
and help the users understand why the security threat causes
their stress. This communicative process alleviates the users’
stressful emotions and assists them to focus on taking actions
380 MIS Quarterly Vol. 43 No. 2/June 2019
to eliminate the threat based on a more objective assessment
of the situation. Second, by definition, users are stressed
because they feel that their resources are exceeded by the
external demand of dealing with security threats (Folkman
and Lazarus 1985). By seeking emotional support, users are
reassured that their stress is a natural reaction to threats and
they are capable of actively protecting themselves (Carver et
al. 1989). Users’ social networks can also enhance their
confidence and empower them to implement coping behaviors
(Beaudry and Pinsonneault 2010). With confidence and
encouragement, users will be more motivated to take security
actions to counter the threat. Although the purpose of emo-
tional support seeking is to regulate negative emotions, it
sometimes alters the perception of threat after emotional
balance is regained. Different from the way inward EFC
strategies distort threat perceptions, emotional support seeking
helps users develop a more realistic threat perception (e.g.,
discussing with others puts things in perspective) as the basis
for rational decision making (Taylor 2011). Hence, emotional
support is unlikely to impede rational problem resolution
(Fugate et al. 2002; McCrae 1984), and tends to enable users
to effectively address the issues they are facing.
Another major outward EFC strategy, venting, is a typical
form of expressing and disclosing negative emotions. Strong
evidence in coping research shows that emotional expression
has the adaptive benefits of improving both psychological and
physical health (Austenfeld and Stanton 2004; McCrae and
Costa 1986). It is well known that negative emotions can
interfere with people’s decision making by distorting their
perceptions and judgments (Johnson and Tversky 1983).
Therefore, venting negative emotions can potentially facilitate
rational decision making under IT security threats. Prior
research shows that emotional venting can lead to positive
outcomes such as personal relationship maintenance (Wen-
dorf and Yang 2015) and problem resolution (Stickney and
Geddes 2014). In contrast, suppression of emotions is found
to associate with problem deterioration (Stickney and Geddes
2014) and lower psychological wellbeing (Gross and John
2003). Therefore, we contend that in the context of IT secu-
rity, after venting negative emotions, users will be able to
calm down and focus on how to use PFC strategies to address
the IT threats.6 Since both emotional support seeking and
6
Some research in psychology suggests that venting could intensify rather
than reduce anger (Bushman 2002). That research stream is confined to
anger only and not conclusive. Recent research suggests that the failure of
venting is probably due to mistaken venting methods and if done correctly,
venting ought to mitigate anger (Scheff 2015). In addition, anger is a loss
emotion which usually occurs after a security breach already caused harm to
the user. Our research is focused on IT security threats, which are potentially
harmful, but do not necessarily turn into real harm. In this context, deterrence
emotions are usually induced, such as fear, worry, distress, and anxiety
(Beaudry and Pinsonneaut, 2005). Hence, anger is unlikely to be a salient
emotion.

venting provide adaptive benefits by motivating users to take
safeguarding actions, we propose that outward EFC will
likely to enhance PFC behavior.
H4: Outward EFC will be positively associated with
PFC behavior.
Supporting Hypotheses
The relationships among perceived threat, perceived avoid-
ability, and PFC behavior have been directly or indirectly
tested in prior research (e.g., Liang and Xue 2010; Ng et al.
2009; Workman et al. 2008). We include them in our model
to create a nomological network and we therefore only present
the essence of the theoretical arguments put forth in the extant
literature.
Because IT threats can cause serious losses, users are moti-
vated to seek ways to remove the source of the threat once it
is noticed. This relationship between threat perceptions and
users’ motivation to take action and solve the problem at hand
(PFC) has been supported by previous IS studies (Liang and
Xue 2010; Ng et al. 2009; Workman et al. 2008). Consistent
with prior research, we propose that users, when facing IT
security threats, tend to take security actions to protect their
interests.
H5: Perceived threat will be positively associated
with PFC behavior after controlling for its
indirect effects through EFC.
Coping research reveals that individuals engage in problem-
solving when they perceive the situation as more controllable
(Carver et al. 1989; Scheier et al. 1986). IS research suggests
that users try to solve the problem at hand to the extent of
their perceived control of the situation (Beaudry and Pinson-
neaut, 2005). IS research also shows that users form a
perception of avoidability based on the effectiveness and costs
of the available safeguarding measures and their confidence
in taking these measures (Liang and Xue 2010). Perceived
avoidability represents an overall assessment of how the IT
threat is controllable in light of available resources that facili-
tate the user to counter the IT threat (Liang and Xue 2009).7
7
Perceived avoidability is related to, but more than perceived controllability.
According to Bandura and Wood (1989), perceived controllability pertains
to generally how changeable or controllable the environment is. It does not
take into account personal factors such as self-efficacy and costs. Thus, a
generally controllable threat may not be controllable for a specific person.
For example, a user may believe that, in general, online banking security is
controllable if the most advanced protective technology is used. However,
she may still think that hacking her online bank account is not avoidable
because she does not know how to apply the technology or is unwilling to
pay for it. In this paper, perceived avoidability incorporates personal con-
Liang et al./An Emotion-Focused Coping Perspective
The more controllable the situation is, the more motivated
users will take safeguarding actions. If users feel that the IT
threat is unavoidable regardless of what they do, they are
unlikely to fight against the threat.
H6: Perceived avoidability will be positively asso-
ciated with PFC behavior after controlling for
its indirect effects through EFC.
Method
Identification of EFC Strategies
Given that EFC has never been investigated in the specific
context of IT security, we followed MacKenzie et al.’s (2011)
recommended steps to first identify the major EFC strategies
relevant to IT security threats. We decided to select EFC
strategies from the Ways of Coping Questionnaire (WCQ)
(Folkman et al. 1986a) and the COPE inventory (Carver et al.
1989) because these two instruments are most widely adopted
by prior coping research and they contained a comprehensive
list of EFC strategies. Since both instruments are intended to
measure general coping behaviors and many items do not fit
the IT security context, to evaluate the relevance of the EFC
strategies in the IT security context, we interviewed 20 under-
graduate students (mean age = 21.48) in a large university and
20 regular computer users (mean age = 46.23) in the United
States. Each interviewee was shown all of the EFC strategies
of WCQ and COPE. Four factors from WCQ (psychological
distancing, self-control, seeking social support, and escape-
avoidance) and four factors from COPE (seeking social sup-
port for emotional reasons, venting of emotions, denial, and
mental disengagement) were the most frequently reported by
the interviewees to cope with IT security threats and the other
strategies were rarely reported. Next, two authors indepen-
dently evaluated the theoretical rationales of the eight user-
reported EFC strategies in the IT security context and com-
pared their assessments. They agreed that the eight EFC stra-
tegies are theoretically meaningful. After collapsing similar
factors, five EFC strategies were identified: denial, psycho-
logical distancing (merged with mental disengagement),
emotional support seeking, emotional venting (merged with
self-control), and wishful thinking (derived from escape-
avoidance).8 Appendix B shows all the coping factors drawn
cerns and can provide a more accurate representation of controllability from
a specific user’s perspective.
8
In WCQ, escape-avoidance contains both wishful thinking and behavioral
efforts to escape or avoid (Folkman et al. 1986a). However, interviews with
the 40 users suggest that behavioral efforts to escape or avoid are not used to
cope with IT security threats. Wishful thinking has been conceptualized and
operationalized as a separate EFC construct (Folkman and Lazarus 1985, p.
MIS Quarterly Vol. 43 No. 2/June 2019 381
Liang et al./An Emotion-Focused Coping Perspective

from WCQ and COPE and explains our reasoning for keeping
the five factors and excluding other factors. We elaborate on
the conceptualization of each EFC strategy in detail as
follows.
Inward EFC Strategies
Inward EFC strategies include psychological distancing,
denial, and wishful thinking. Psychological distancing is
concerned with attentional deployment because it directs
one’s attention away from the IT threat. Psychological dis-
tancing, also known as “mental disengagement” (Carver et al.
1989), refers to efforts to psychologically detach oneself from
the stressor (Folkman et al. 1986b). This is usually accom-
plished by engaging in activities that serve to distract oneself
from thinking about the stressful situation (Carver et al.
1989). Past studies find that people usually employ psycho-
logical distancing during the early and middle phases of a
stressful encounter (Carver and Scheier 1994; Folkman and
Lazarus 1985). It appears that people can experience a
heightened amount of anxiety while they wait for the outcome
of an encounter and, as a result, they try to use psychological
distancing to distract themselves from their worries. As users
engage in prospective coping when facing IT security threats,
they all are in a waiting mode before a security breach occurs.
They do not need to be sure that they will be attacked to feel
stressful; it is the uncertainty that creates stress. Uncertainty
has long been found to be a powerful stressor (Greco and
Roger 2003). Therefore, users are likely to use psychological
distancing to cope with the stress associated with the potential
outbreak of security problems.
The other two inward EFC (denial and wishful thinking)
intend to achieve cognitive change because they affect the
appraisal of the IT threat by either minimizing its probability
of existence (denial) or occurrence to the individual (wishful
thinking). Denial is the refusal to admit the reality of the
stressful situation (Carver et al. 1989; Liang and Xue 2009).
The use of denial tends to correlate with the value relevance
of the negative consequences of IT security problems (Carver
et al. 1989). When the outlook of the situation is optimistic,
people are less likely to adopt the denial coping style (Scheier
et al. 1986). Carver and Scheier (1994) found that people use
denial to cope with threat and harm emotions once the out-
come of the stressor is known. In the IT security context,
most users know the possible outcomes of security breaches
and they often use denial to feel less threatened. For example,
denial is a common emotional reaction of identity theft vic-
tims: “this is not happening.” One of the most notable trends
identified by the Identity Theft Resource Center (ITRC) was
the increase in the victims’ feeling of denial. Among the
respondents to the study, 49% reported denial as an emotional
reaction. Although there has been substantial media coverage
and public education about this crime, people still considered
identity theft as something that only happens to others (ITRC
2010).
Wishful thinking refers to escaping from the stressful situa-
tion by fantasizing that some intervening act or force will turn
things around in a desirable direction (Folkman et al. 1986a).
As a cognitive bias, it is deeply rooted in psychology research
(Bastardi et al. 2011). Wishful thinking increases/decreases
the subjective probability of a pending desirable/undesirable
outcome. It leads to beliefs according to desirability rather
than evidence and reality, which is conceptually similar to
unrealistic optimism (Bastardi et al. 2011; Krizan and Wind-
schitl 2007). Prior studies find a positive linkage between
wishful thinking and neuroticism, suggesting emotionally
unstable individuals tend to have wishful thinking (Bolger
1990; McCrae and Costa 1986). In addition, Folkman and
Lazarus (1985) find that wishful thinking is a primary coping
style when the participants dealt with threat emotions. Wish-
ful thinking is handy for users as an excuse not to take ade-
quate IT security measures (Liang and Xue 2009). For
example, a user may wish that nothing serious will happen
when she opens a suspicious email attachment. An online
bank user who uses an easy-to-guess password may wish that
cybercriminals will never be interested in hacking her account
to commit identity theft. Their fallacy is that they believe it
is true because they want it to be true. However, their odds of
having a security breach will not change due to such wishful
thinking.
The commonality of the three inward EFC strategies is that
they are intended to regulate antecedents of emotions by
diverting attention from or modifying cognitive evaluations of
IT security threats. Although they appear quite different, they
share the same conceptual space and can be applied by a
person concurrently (Gross and Thompson 2007). Ample evi-
dence exists in the coping literature showing that individuals
can experience contradictory emotions and states of mind at
the same time and they often implement simultaneously
multiple coping mechanisms which could conflict with each
other (Folkman and Lazarus 1985). Based on the criteria by
Jarvis et al. (2003), we treat psychological distancing, denial,
and wishful thinking as three components that give rise to a
formative second-order construct: inward EFC.
Outward EFC Strategies

157). Therefore, we identify wishful thinking as a relevant EFC in the IT Outward EFC strategies include venting and seeking emo-
security threat context. tional support because both are efforts to influence emotions

382 MIS Quarterly Vol. 43 No. 2/June 2019


directly. Emotional support seeking means that a person
reaches out to his or her social network to obtain moral sup-
port, sympathy, or understanding, in the presence of a stressor
(Carver et al. 1989; Folkman and Lazarus 1985). Carver and
Scheier (1994) find that emotional support seeking was
significantly related to threat emotions throughout a stressful
encounter. Seeking emotional support is often used by IT
users to cope with negative emotions such as anger and
anxiety related to disruptive IT events (Beaudry and
Pinsonneault 2010). The ITRC noted that many victims
sought emotional support from their social contacts to cope
with the stress.
Venting refers to actions that ventilate the distress being
experienced by a person so that emotional stability is
achieved (Beaudry and Pinsonneault 2010; Carver et al.
1989). It is often shown as a vocal and open expression of
negative emotions to others. The higher the stakes involved
in the stressful situation, the more likely individuals will rely
on emotional venting (Carver et al. 1989). In the IT context,
venting has been studied as a strategy used to express anger
during disruptive IT events (Beaudry and Pinsonneault 2010).
It should be noted that venting as a means to express emotions
is not limited to anger expression. It can be employed to
express any negative emotions one is experiencing and can
involve various ways such as talking to self, expressive
writing, and posting comments to social media (Wendorf and
Yang 2015). Under the pressure of severe IT security threats,
it is not uncommon that users let their emotions out.
Both emotional support seeking and venting regulate emo-
tions directly by taking outward actions. They are theoreti-
cally homogeneous in that they express emotions in an
outward and observable manner. Users desire to regain
emotional stability after IT threats arouse negative emotions,
and they can use both emotional support seeking and venting
to regulate those emotions (Bushman et al. 2001). Again,
based on Jarvis et al. (2003), we propose that emotional
support seeking and venting are two components of a forma-
tive second-order construct: outward EFC. Appendix C
provides a summary of these concepts.
Development of EFC Measures
To develop measures for the five EFC strategies, four items
were selected to measure each EFC strategy based on WCQ
(Folkman et al. 1986a) and COPE (Carver et al. 1989). Thus,
a set of 20 items was created.
Since these items were originally created to measure general
coping, they might not be appropriate for measuring coping
with IT security threats. To make them applicable in our
Liang et al./An Emotion-Focused Coping Perspective
research context, we performed Q-sort to purify and validate
the items by following Moore and Benbasat (1991). We con-
ducted four rounds of sorting. In each round, we recruited
five judges (two business faculty members, two doctoral
students, and an information security professional). At the
end of the four sorting rounds, the average inter-judge raw
agreement, average inter-judge Kappa, and the placement
ratio were 0.921, 0.933, and 0.958, respectively. The EFC
measurement items are shown in Appendix D. The detailed
Q-sort procedures and results are presented in Appendix E.
In short, the measures for EFC are firmly grounded in coping
theory and the Q-sort results demonstrate that they have
strong content validity.
Development of Other Measures
Measures for perceived threat were adapted from a previous
study (Liang and Xue 2010). The measure for PFC behavior
was developed based on the most recommended security
actions for consumers and home computer users by authori-
tative organizations (e.g., FBI 2014; FCC 2014; Kent and
Steiner 2012). The perceived avoidability measure was self-
developed for this study based on its theoretical and practical
meanings. In addition, we measured PFC intention as an
alternative representation of PFC by using items from Liang
and Xue (2010). PFC intention is defined as the degree to
which users intend to perform PFC behaviors. It reflects
users’ motivation and planning to act against the IT threat,
which may be used to predict future PFC behavior (Liang and
Xue 2009). These measures are shown in Appendix D.
We carried out a pilot test to evaluate the psychometric
quality of our measures. Survey data were collected from 244
undergraduate students at a major university in the United
States. The analysis results provide preliminary evidence that
the measures have strong reliability (greater than .80),
convergent validity (factor loadings greater than .60), and
discriminant validity (factor loadings greater than cross
loadings). The pilot test results are shown in Appendix F.
Procedures
We carried out a multimethod research by conducting two
studies to test the research model. First, an experiment was
used to verify that the IT security threat situation can indeed
induce EFC responses. Given that EFC has never been
studied in the IT security domain, it is necessary to use a
rigorous experiment to demonstrate the causal relationship
between IT security threats and EFC so that its existence is
squarely established. It is also important to eliminate the
suspicion of reverse causation between perceived threat and
MIS Quarterly Vol. 43 No. 2/June 2019 383
Liang et al./An Emotion-Focused Coping Perspective
EFC. Second, a field survey was conducted to estimate the
full research model based on individuals’ real experiences
with IT security threats. Our research design fulfilled three
purposes of multimethod research: expansion, corroboration,
and compensation (Venkatesh et al. 2013). First, by testing
both antecedents and consequences of EFC, the survey study
expanded the experiment study which only examined EFC’s
antecedents. Second, the two studies corroborated each other
by showing how the findings converged across methods.
Third, our design leveraged the strengths and compensated for
the limitations of each approach: the experiment provides
evidence for causal inference, while the survey tests a breadth
of relationships based on users’ real experience.
Study One: Experiment
The experiment employed a 2 × 2 (high versus low threat and
high versus low avoidability) between-subjects factorial de-
sign. Sample size was set to 35 subjects per group to achieve
power of 0.9, assuming a medium effect size and 0.05 signi-
ficance level. A total of 140 students (66 females, Mage =
22.81, SD = 2.44) at a large university in the United States
were recruited. Using college students is widely practiced in
the IT security research (see Table A1 in Appendix A for
examples). More important, the goal of the experiment is to
demonstrate potential causal relationships in theory rather
than to generalize findings across settings and populations.
Following Compeau et al.’s (2012) recommendation, using
students as subjects is deemed appropriate in this study.
The participants were randomly assigned into each group.
Each participant was asked to read carefully a scenario of IT
security threat and assume that he/she is the person described
in the scenario. The scenario intended to manipulate their
perceptions of threat and avoidability so that either perception
can be high or low. Specifically, the participants were asked
to imagine that they downloaded a free movie and suspected
that malware was attached to it. Perceived threat was manipu-
lated by indicating that the malware could lead to either
identity theft (high threat) or pop-up ads (low threat), and
perceived avoidability was manipulated by indicating whether
they have the means to protect themselves from the threat (see
Appendix G for details). Then we measured their inward and
outward EFC, perceived threat, and perceived avoidability.
Study Two: Survey
A field survey was conducted to test the full research model.
We hired a professional survey research company to collect
data. The target population is personal IT users who use com-
384 MIS Quarterly Vol. 43 No. 2/June 2019
puters in nonwork settings in the United States. Respondents
were asked to recall a specific situation involving an IT
security threat in the past month and answer each survey
question based on their experience of that situation. The IT
security threat was defined as any potential harm caused by
external IT-related entities such as malware and cyber-
criminals. The respondents reported a variety of threats such
as virus, spyware, adware, phishing, spam email, hacking, and
identity theft, which allowed us to observe a range of variance
in their threat perceptions.
Of the 2,349 users who accessed the survey, 1,151 were
screened out because they did not encounter an IT security
threat in the previous month. Of the remaining 1,198
respondents, 264 did not complete the survey. Finally, we
collected 934 valid responses. The survey software recorded
the time taken for completing each survey. The average time
is 11.81 minutes (SD = 9.48), suggesting that the respondents
filled out the survey carefully. The respondents’ average age
is 44.39 (SD = 14.19). Over 63.5% of them are female. Most
of them have received at least a high school education, with
8.2% having graduate degrees, 57.3% having college degrees,
33.8% having high school diplomas, and only 0.6% below
high school. On average, they have 17.41 years of computer
experience (SD = 5.95), and spend 6.62 hours per day (SD =
6.29) on the Internet. Each respondent has experienced about
2.9 incidents of IT security problems (SD = 5.16).
To mitigate common method bias associated with single-
source survey data, we implemented three procedural
remedies (Podsakoff et al. 2003). First, we methodologically
divided the survey into two parts. One part included the EFC
measurements and the other part contained the measurements
for other constructs. A short video, the content of which was
totally unrelated to IT security, was played after the first part
was completed, so that the respondents’ short-term memory
could be cleared to help prevent biases. Second, respondents’
anonymity was protected to reduce their evaluation appre-
hension. We also assured them that there are no right or
wrong answers and encouraged them to answer each question
honestly. Finally, we followed rigorous procedures to im-
prove scale items. All measurements were pretested to ensure
content validity and understandability.
Results
Study One: Experiment Results
We conducted manipulation checks by comparing perceived
threat between the high versus low threat conditions (6.59
versus 2.07, t138 = 40.92, p <.01) and perceived avoidability
 Liang et al./An Emotion-Focused Coping Perspective

Table 1. MANOVA Results of the Experiment

Threat Avoidability
High Low High Low
Mean (SD) Mean (SD) F Mean (SD) Mean (SD) F
Distancing 3.15 (2.24) 2.00 (1.31) 14.93** 2.12 (2.00) 3.02 (1.74) 9.57**
Denial 3.39 (1.89) 1.96 (1.21) 29.04** 2.38 (1.88) 2.97 (1.53) 5.49*
Wishful Thinking 3.98 (2.13) 2.42 (1.38) 25.96** 2.88 (2.07) 3.53 (1.78) 4.65*
Emotional Support Seeking 4.54 (1.76) 2.64 (1.60) 42.91** 3.69 (2.04) 3.49 (1.82) .46
Venting 5.40 (1.64) 2.84 (1.73) 78.31** 4.00 (2.18) 4.24 (2.07) .69
**p < .01, *p < .05

Table 2. Effects of Control Variables

Computer Online Security Breach
Age Gender Education Experience Hours Experience
Inward EFC -0.19** -0.04 0.06 -0.22** 0.01 0.12*
Outward EFC 0.002 0.11* 0.003 -0.19** 0.01 0.16**
PFC behavior 0.09* -0.04 -0.02 0.09* 0.01 0.02
**p < 0.01, *p < 0.05

between the high versus low avoidability conditions (6.73
versus 4.55, t138= 16.77, p < .01). The tests indicated that our
manipulation was effective. We also found no significant
difference in age (F3, 136 = 1.66, p = .18) and gender (χ2 = 2.41,
p = .49) across the four conditions, suggesting successful
randomization.
We employed MANOVA to test the difference in the five
EFC constructs across conditions. Both threat (F = 17.98, p
< .01) and avoidability (F = 2.44, p < .05) were found to have
significant effects on the EFC constructs. As Table 1 shows,
all five EFC constructs have a higher score in the high threat
condition than in the low threat condition, suggesting that
perceived threat has a positive effect on individuals’ tendency
to take all EFC strategies. In contrast, the avoidability condi-
tion has a negative effect on EFC and only influences inward
EFC. The scores of distancing, denial, and wishful thinking
are significantly lower in the high avoidability condition than
in the low avoidability condition, while the scores of emo-
tional support seeking and venting remain approximately the
same between the two conditions. Taken together, these
results reveal that perceived threat and perceived avoidability
have opposite effects on inward EFC: threat increases both
inward and outward EFC, while avoidability reduces inward
EFC only. Thus, H1a, H1b, and H2a are supported, but H2b
is not.
Study Two: Survey Results
We first assessed two potential biases associated with survey
data, nonresponse bias and common method bias, and vali-
dated the measurement model with confirmatory factor
analysis. The results indicate that the biases are unlikely to
exist and the measurements have adequate reliability and
validity (see Appendix H for details). We then estimated the
research model by a structural equation modeling approach
using AMOS. As Figure 2 shows, all fit indices meet or
exceed the thresholds (Gefen et al. 2011). The model ex-
plains 17% of the variance in inward EFC, 24% of the
variance in outward EFC, and 28% of the variance in PFC
behavior. Perceived threat gives rise to both inward EFC (β
= .13, p < .01) and outward EFC (β = .40, p < .01), supporting
H1a and H1b. Perceived avoidability is negatively related to
inward EFC (β = -.23, p < .01), but not significantly related to
outward EFC (β = -.04, p > .05), supporting H2a but not H2b.
Inward EFC reduces PFC behavior (β = -.26, p < .01), sup-
porting H3. In contrast, outward EFC enhances PFC behavior
(β = .15, p < .01), supporting H4. Both perceived threat (β =
.20, p < .01) and perceived avoidability (β = .29, p < .01) are
positively related to PFC behavior, supporting H5 and H6.
Demographic variables have been found to influence individ-
uals’ IT behavior (Brown and Venkatesh 2005). To rule out
alternative explanations, we control for the effects of six vari-

MIS Quarterly Vol. 43 No. 2/June 2019 385

Liang et al./An Emotion-Focused Coping Perspective
Notes: **p < .01; *p < .05
χ² = 717.94; df = 254; CFI = .96; TLI - .95; RMSEA = .04
Six control variables (Age, Gender, Education, Computer Experience, Online Hours, Security Breach, Experience) were included on the
three endogenous constructs. See Table 2 for their coefficients.
Double-bordered box: second-order construct. Single-bordered box: first-order construct.
Figure 2. Model Testing Results
ables: age, gender (1 = male, 2 = female), education level (1
= under high school, 2 = high school, 3 = college, 4 = gradu-
ate), computer experience (in years), daily online hours, and
security breach experience (number of breaches experienced)
on each of the three endogenous constructs: inward EFC,
outward EFC, and PFC behavior. As Table 2 shows, age is
negatively related to inward EFC and positively related to
PFC behavior, suggesting that older people are less likely to
engage in inward EFC and more likely to take security
behaviors. Gender is positively related to outward EFC,
implying that women are more likely to use outward EFC than
men. Education level and daily online hours have no signi-fi-
cant effect on any of the four constructs. Computer experi-
ence is negatively related to inward EFC and outward EFC
and positively to PFC behavior. Thus, computer novices are
more likely to use both inward and outward EFC and less
likely to take security actions. Security breach experience is
positively related to both inward and outward EFC, sug-
gesting that victims of IT security threats are more likely to
engage in inward and outward EFC than those who have not
been affected by IT security threats.
Finally, we performed a robustness test to examine whether
our model is also able to explain PFC intention. Similar to the
effects on PFC behavior, the test shows that inward EFC
reduces while outward EFC enhances PFC intention, veri-
fying the robustness of our research model (see Appendix I).
386 MIS Quarterly Vol. 43 No. 2/June 2019
Discussion
This research aims to understand personal IT users’ safe-
guarding behavior when facing IT security threats. Drawing
on coping theory and IT security research (Beaudry and Pin-
sonneault 2010; Lazarus and Folkman 1984; Liang and Xue
2009), we propose that individuals cope with security threats
through both EFC and PFC efforts. The study results provide
support to seven of the eight hypotheses. We find that both
types of EFC were significantly related to PFC behavior.
Interestingly, inward EFC and outward EFC have opposing
effects on PFC: while the former was negatively related to
PFC behavior, the latter was positively related to PFC behav-
ior. Therefore, the effect of EFC is more complicated than it
looks, and our classification of EFC helps to more precisely
delineate the role of different types of EFC: inward EFC
tends to discourage, whereas outward EFC tends to encourage
users to take safeguarding actions to counter IT security
threats.
Consistent with prior IS security research (Boss et al. 2015;
Johnston and Warkentin 2010; Liang and Xue 2009, 2010),
both perceived threat and perceived avoidability are found to
enhance PFC. More important, we find that perceived threat
increases both inward and outward EFC while perceived
avoidability reduces inward EFC. This suggests that when
users notice the existence of IT security threats, they tend to

use both inward EFC and outward EFC to regain emotional
stability. On the other hand, when users believe that they are
in control of the situation, they are unlikely to apply inward
EFC to escape or create illusions. But they still need outward
EFC to cope with the emotions emanating from the stressful
situation, and this emotional need is independent of their
perception of controllability. These findings are confirmed by
both the experiment and the survey studies, suggesting that
EFC can indeed be engendered by perceived threat and
avoidability.
Contributions to Research
This article makes three contributions to research. First, this
paper not only complements, but also extends the extant IT
security literature by focusing on the much neglected user
behavior: emotion-focused coping. Most existing security
studies investigate users’ problem-focused coping in the form
of intention to adopt security safeguards or actual security
behaviors (Aytes and Terry 2004; Johnston and Warkentin
2010; Ng et al. 2009; Workman et al. 2008). Limited
attention is paid to EFC in the context of IT security.
Although TTAT explicitly proposes that EFC is an important
coping behavior parallel to problem-focused coping (Liang
and Xue 2009), to date no efforts have been made to concep-
tualize, categorize, and operationalize EFC and empirically
examine its effects on users’ security behaviors in nonwork
settings. A rare exception is the work of D’Arcy et al. (2014)
which finds EFC, conceptualized as moral disengagement,
increases employees’ violation of security policies. Yet, they
focus on EFC in work settings in which the stressor is organi-
zational requirement rather than the IT security threat itself,
and their conceptualization of EFC is quite different from
ours. EFC of personal users who are free from organizational
policies remains an uncharted area. This paper fills the void
of the security literature by providing an in-depth under-
standing of EFC when users’ security behavior is volitional,
thus making an important contribution to IT security research.
This work is particularly important to the research stream that
heavily relies on protection motivation theory (PMT). Al-
though PMT is derived from coping theory, EFC is rarely
considered in the PMT framework. While IS security re-
searchers applied PMT, EFC has been completely neglected.
This omission could seriously limit the understanding of
users’ security behavior. Our work draws attention to the
important role of EFC, thus greatly extending PMT-based
security research. It would be interesting to examine how the
inclusion of EFC can improve the performance of PMT and
help explain inconsistent findings. Some researchers criti-
cized that the current application of PMT as being insufficient
in IT security research while recommending more faithful
Liang et al./An Emotion-Focused Coping Perspective
application of the original PMT (Boss et al. 2015). It is ques-
tionable whether being faithful to PMT can gain any new
insights, given the innate narrow focus of PMT. The intro-
duction of EFC will help the IT security research stream
switch focus from a pure reasoning-based approach to a
holistic approach incorporating both reasoning and emotions.
Such a holistic framework has been articulated in TTAT and
the advancement of the EFC concept made in this paper will
help researchers further understand its value and boost its
application, thus moving the field forward.
Second, we propose a theoretically based approach to classify
different EFC strategies into inward EFC and outward EFC.
Despite the plethora of research devoted to coping, parti-
cularly in psychology and health care, EFC has been treated
as a single concept. However, a number of EFC strategies
have been referred to in the literature and there is much
confusion about this umbrella concept (Austenfeld and
Stanton 2004). Our theoretical categorization clarifies differ-
ent types of EFC and lays a foundation for research into
coping with IT-related emotions. It also contributes to the
coping literature by delineating the different theoretical
origins and outcomes of inward EFC and outward EFC. In
addition, we identified specific inward and outward EFC
strategies that individuals use to cope with IT security threats
and developed measurements for them. The validity and
reliability of these measurements are rigorously tested. They
can be easily adapted to fit different IT security contexts,
providing useful instruments for IS researchers interested in
studying EFC. For example, EFC can be measured for the
victims of the OPM and Yahoo breaches to investigate how
they cope with the aftermath of these serious events.
Third, we demonstrate nomological validity of inward and
outward EFC by testing their relationships with constructs
relevant in the IT security context. The conventional expec-
tation is that EFC is dysfunctional and should be responsible
for users’ lack of safeguarding behaviors in the face of IT
security threats. Surprisingly, we found different effects of
EFC: whereas inward EFC shows dysfunctional (or maladap-
tive) effects, outward EFC shows functional (or adaptive)
effects. This finding supports Folkman et al.’s (1986a)
recomendation that consequences of the coping mechanisms
should not be assumed a priori. The effects of coping
mechanisms are not necessarily positive or negative. The
coping process is a dynamic one as contextual factors and
characteristics of the situation largely determine how the
individual copes and what consequences will result. This
research makes an important contribution to coping research
by showing that EFC is not necessarily dysfunctional in the IT
security context. Since EFC research is an uncharted territory
in the IS literature, more research is needed to further explore
why the two types of EFC have opposite effects and to
MIS Quarterly Vol. 43 No. 2/June 2019 387
Liang et al./An Emotion-Focused Coping Perspective
identify the contextual characteristics that could moderate
their effects. The nuanced understanding will make it pos-
sible not only to build stronger theory, but also to better
predict individuals’ security behavior and elevate the impact
of IT security research.
Contributions to Practice
This research has significant implications for IT security
practice. IT security is particularly problematic for individ-
uals such as home users and employees working offsite (e.g.,
at home or during travel), because these individuals are not
protected by sophisticated company firewalls and security
software and often do not strictly follow organizational
security policies (Anderson and Agarwal 2010; Liang and
Xue 2010). As a result, they are more likely to become
victims. For home users, a security breach could lead to
computer malfunction, loss of personal information, or iden-
tity theft. For offsite workers, a small or even unnoticeable
security crack on an individual computer could lead to a
serious organizational data breach. An increasingly used
strategy by hackers is to attack companies indirectly through
their employees who often work off-site, the weakest link in
an organization’s security chain (Reisinger 2015). For
example, the seismic Target data breach started with an
employee of a vendor of Target falling victim to a phishing
email that installed a password-stealing malware on his or her
computer and the attacker later used the employee’s creden-
tials to gain access to Target’s systems (Radichel 2014). Our
findings can be applied to improve information security at
both the individual and organizational levels.
Our findings offer a new direction to the practice of infor-
mation security. Security education is a critical component of
the defense system for the general public against security
threats (James et al. 2013). However, since the EFC is
literally unknown to practitioners and the academic literature
offers little understanding about this new concept, current
public security education programs completely neglect EFC.
As users’ security action is significantly influenced by EFC,
to guide users toward proper action, public security education
efforts should include educational materials about EFC and
make users aware of their EFC strategies. EFC is not an
entirely foreign concept to most people, given that they often
exercise EFC to deal with stressful life events such as set-
backs, accidents, and illnesses. The problem is that users may
not be conscious that they also use EFC to cope with IT
security threats. Based on our study, security professionals
can develop an easy-to-use inventory of EFC strategies and
include it into security education, training, and awareness
(SETA) programs. By taking this inventory, individuals can
gain a clear picture of the EFC strategies they use when
388 MIS Quarterly Vol. 43 No. 2/June 2019
facing IT security threats and make necessary adjustments.
For example, potential victims of identity theft can learn from
the SETA programs about the counter-productiveness of
inward EFC strategies such as denial and distancing, as well
as the importance of gaining help from social networks, and
consequently will try to perform PFC and refrain from
performing inward EFC. In order to widely raise awareness
of EFC, security software vendors and governments can also
run public campaigns by using more conspicuous avenues
such as nonprofit online ads and TV commercials.
This study also reveals the positive effect of perceived threats
and the negative effect of perceived avoidability on inward
EFC. To reduce the counter-productive effect of inward EFC,
public security education needs to not only draw attention to
IT security threats, but also be careful not to overdo it by
exaggerating the threats. This calls for caution regarding
prior IT security research touting the importance of fear
appeals in motivating security behaviors (e.g., Boss et al.
2015). While perceived threat can motivate PFC, it can
simultaneously demotivate PFC by activating inward EFC.
Hence, it seems that the level of users’ threat perception
should be kept at a moderate level to reduce inward EFC. In
addition, educational efforts should help users build a proper
degree of confidence in dealing with these threats. Prior IT
security studies repeatedly testify to the importance of self-
efficacy (e.g., Lai et al. 2012; Liang and Xue 2010). Individ-
uals without confidence would feel hopeless, helpless, or
powerless in the face of the threat. Naturally, inward EFC
would be exercised to get away from the problem. In prac-
tice, how-to video tutorials could be an effective way to teach
users to fight against IT security threats and thus build their
confidence. With a higher level of confidence in avoiding IT
security threats, users will be less likely to resort to inward
EFC strategies.
Moreover, although this research is conducted in nonwork
settings, the findings have implications for security manage-
ment in organizations as well. Security policy compliance has
been a serious issue for organizations (Siponen and Vance
2010), and SETA programs are considered essential for
ensuring compliance. Typically, contents of SETA programs
have a strong focus on factual materials (e.g., policies, legal
requirements, procedures, references and resources, etc.).
This study underscores the necessity of including EFC in
SETA programs. Since a primary goal of the SETA program
is to ensure proper employee action when threats are detected
or suspected and, as shown in this study, EFC strategies may
encourage or inhibit PFC action, EFC should be addressed in
SETA programs. The security manager would be able to help
employees become aware of the types of EFC strategies they
are prone to use and the differences between inward EFC and
outward EFC. They can use hypothetical scenarios during

SETA training to help employees understand the cons of
inward EFC and pros of PFC. This is consistent with D’Arcy
et al. (2014) who show that the coping perspective is helpful
in understanding employees’ response to organizational
security requirements. Siponen and Vance (2010) also sug-
gest that if employees are made aware of the neutralization
strategies and the associated consequences, they will unlikely
look for excuses to violate IT security policies. A more
aggressive approach organizations can take is to monitor
employees’ emotional stability on a regular basis. Those who
experience unstable emotional states are likely to be suspects
of security policy violations and there should be an inter-
vention to prevent violations from happening.
Limitations, Boundaries, and
Future Research
This research has two limitations. First, the fact that EFC
strategies were studied retrospectively might have made our
survey data vulnerable to recall bias. To minimize this poten-
tial bias, we designed our study carefully by following how
Beaudry and Pinsonneault (2010) studied retrospective emo-
tions. First, in the survey, we asked respondents to describe
a situation in which they encountered an IT security threat in
the past month. The situation was unique for each respondent
and thus had high personal relevance. In addition, the process
of writing down the situation helped respondents recall the
details. Second, we provided strong anchor points to the
respondents in the questionnaires by reminding them that their
answers to the survey questions should be based on the
situation that they described earlier. Third, we methodo-
logically separated the EFC questions from measures for other
constructs by showing the respondents a video in between.
This was expected to clear the respondents’ short-term
memory and help them base their responses on the situation
rather than the survey context or answers to other survey
questions. Additionally, our experiment results are highly
consistent with the survey results in terms of how perceived
threat and avoid-ability influence inward and outward EFC,
suggesting that recall bias is unlikely to be a serious concern.
Another limitation is that our U.S.-based sample makes it
difficult to generalize our findings to the population of all
personal IT users in the world. Psychology research shows
that culture plays an important role in shaping how indi-
viduals regulate emotions (Gross and Thompson 2007).
Coping researchers have long recognized that it is essential to
consider the context in which coping outcomes are evaluated
(Lazarus and Folkman 1984). Given that the American cul-
tural context is different from that of other countries, the
findings of this study should be interpreted with caution when
researchers try to apply them in other cultural contexts.
Liang et al./An Emotion-Focused Coping Perspective
In addition, we assume that users’ protective behavior is voli-
tional, which makes our findings appropriate for home or
nonwork settings. It is also possible to apply it in work set-
tings, but its boundary conditions need to be clarified because
employees’ IT security behaviors are mostly mandatory
instead of volitional. IS researchers acknowledge the simi-
larity between home users’ and employees’ IT security
behaviors, but also recognize contextual differences between
home and workplace (Anderson and Agarwal 2010; Li and
Siponen 2011), suggesting that theories suitable for one
context may not be applicable in another. As recommended
by Siponen and Vance (2014), boundary conditions for theory
in IT security research should be carefully delineated. For
example, in organizational settings, we expect EFC to have
similar effects on PFC behavior, but the relationship between
perceived threat and EFC might be different in organizational
settings because the threat perception will be based on poten-
tial harm to organizational benefits instead of personal
benefits. It is unclear how employees will emotionally re-
spond to such threat perceptions. Hence, it will be necessary
to examine the generation of EFC in the organizational
context to extend its generalizability.
This research suggests several avenues for future research.
First, given the importance of EFC in the IT security context,
more research is needed to identify antecedents that lead users
to choose EFC, particularly inward EFC, strategies. Although
we find that perceived threat and perceived avoidability are
associated with inward EFC, only 14% of the variance of
inward EFC is explained. More antecedents such as types of
security threats and technological attributes of IT threats may
be helpful to better predict what EFC strategies users would
employ. Other antecedents of EFC that are more manageable
should also be identified to inform IT security practice.
Based on these antecedents, it is possible to design behavioral
interventions to help people use adaptive EFC strategies and
avoid maladaptive EFC strategies. This type of research is
scarce, but would make significant contributions to security
research. In addition, given that coping is a process, a survey
study cannot fully reveal the intricacies of the dynamics of
this process. It is desirable to use longitudinal experiments to
investigate how EFC leads to adaptive or maladaptive
outcomes over time.
Second, although the results find that the effect of inward
EFC is largely maladpative and the effect of outward EFC is
adaptive in the IT security context, the outcomes might be
different in other IT contexts. Coping theory posits that
coping is a dynamic process and coping outcomes are not
inherently adaptive or maladpative (Folkman et al. 1986a).
An EFC strategy that is adaptive in one context could become
maladaptive in another. For example, venting is proposed to
be dysfunctional in the IT use context (Beaudry and
MIS Quarterly Vol. 43 No. 2/June 2019 389
Liang et al./An Emotion-Focused Coping Perspective
Pinsonneault 2010), yet it is found to be positively related to
users’ intention to take safeguarding actions in this study.
Thus, it is necessary to investigate the specific effects of
inward EFC and outward EFC outside the IT security context.
In addition, users might take different EFC strategies to cope
with different IT security threats. While we coined inward
and outward EFC as two general categories and identified six
EFC strategies, this is not necessarily an exhaustive list.
More research is needed to identify and validate specific
relevant EFC strategies within each category for other IT
security contexts.
Third, it would be interesting to take cultural factors into
account when studying EFC. Individuals are always em-
bedded in social networks and their coping decisions and
choices are inevitably influenced by social values and cultural
norms. The developmental psychology literature shows that
the development of children’s emotion-related appraisals is
culturally constructed through socialization processes (Cole
et al. 2002). People in different cultures hold very different
beliefs about appropriate ways of emotional coping appro-
priate (Gross and Thompson 2007). For example, expressing
negative emotions is acceptable in the American culture but
deemed obscene in China. Hence, Chinese users may be less
likely to perform venting than American users when faced
with IT security threats. The IT security literature has shown
that cultural contexts can significantly moderate the relation-
ships between individuals’ perceptions and behaviors related
to IT security (Chen and Zahedi 2016). For example, users in
a weak uncertainty avoidance culture will be more risk-
tolerant than users in a strong uncertainty avoidance culture,
and as a result they would be less likely to cope with IT
security threats. Therefore, cultural factors ought to be
examined to see how they predict or moderate the effects of
EFC on security behaviors.
Fourth, men and women have long been found to have differ-
ent reactions to emotions (Hyde 2014). More needs to be
known about how gender difference will influence individ-
uals’ IT security behavior. This study shows that women
engage in more outward EFC than men. This finding is con-
sistent with the psychology literature, which indicates that
women are more emotionally expressive (Kring and Gordon
1998). Further research needs to examine EFC affects PFC
differently for men and women. Such investigation could
provide a more precise understanding on individuals’ IT
security behavior.
Finally, as TTAT (Liang and Xue 2009) posits, perceived
threat and perceived avoidability could interact with each
other to influence both EFC and PFC. A previous study has
shown that response efficacy (a component of avoidability)
390 MIS Quarterly Vol. 43 No. 2/June 2019
negatively moderates the relationship between perceived
threat and avoidance motivation (Liang and Xue 2010).
Although it is beyond the scope of this research, it would be
interesting to further investigate how perceived avoidability
(including response efficacy, self-efficacy, and perceived
cost) can moderate the effect of perceived threat on EFC and
PFC.
Conclusion
This paper shows that users perform both PFC and EFC to
cope with IT security threats and explicates how EFC influ-
ences PFC. It conceptualizes, categorizes, and operation-
alizes EFC and investigates EFC’s impact on IT users’
security behaviors. It finds that inward EFC leads to malad-
aptive outcomes by decreasing users’ PFC behavior whereas
outward EFC gives rise to adaptive outcomes by enhancing
users’ PFC behavior. This paper complements and extends
the existing IT security literature by focusing on EFC that has
not been empirically investigated in the IT security context.
It also opens new avenues for future research concerned with
IT-related emotions and emotion-focused coping. As such,
we hope that it will stimulate more research interest on this
important topic.
Acknowledgments
This research was partially supported by the National Natural Sci-
ence Foundation of China (#71471080) and China (Xi’an) Silk Road
Research Institute (#2017SZ08). We are also grateful to the senior
editor, the associate editor, and the reviewers for their constructuve
feedback, thoughtful guidance, and support.
References
Anderson, C. L., and Agarwal, R. 2010. “Practicing Safe Com-
puting: A Multimethod Empirical Examination of Home Com-
puter User Security Behavioral Intentions,” MIS Quarterly
(34:3), pp. 613-643.
Austenfeld, J. L., and Stanton, A. L. 2004. “Coping Through Emo-
tional Approach: A New Look at Emotion, Coping, and Health-
Related Outcomes,” Journal of Personality (72:6), pp.
1335-1363.
Aytes, K., and Terry, C. 2004. “Computer Security and Risky
Computing Practices: A Rational Choice Perspective,” Journal
of Organizational and End User Computing (16:3), pp. 22-40.
Bagozzi, R. P., Gopinanth, M., and Nyer, P. U. 1999. “The Role of
Emotions in Marketing,” Journal of the Academy of Marketing
Science (27:2), pp. 184-206.
Bandura, A. 1997. Self-Efficacy: The Exercise of Control, New
York: W. H. Freeman and Company.

Bandura, A., and Wood, R. 1989. “Effect of Perceived Control-
lability and Performance Standards on Self-Regulation of
Complex Decision Making,” Journal of Personality and Social
Psychology (56:5), pp. 805-814.
Bastardi, A., Uhlmann, E. L., and Ross, L. 2011. “Wishful
Thinking Belief, Desire, and the Motivated Evaluation of Scien-
tific Evidence,” Psychological Science (22:6), pp. 731-732.
Beaudry, A., and Pinsonneault, A. 2005. “Understanding User
Responses to Information Technology: A Coping Model of User
Adaptation,” MIS Quarterly (29:3), pp. 493-524.
Beaudry, A., and Pinsonneault, A. 2010. “The Other Side of
Acceptance: Studying the Direct and Indirect Effects of Emo-
tions on Information Technoloyg Use,” MIS Quarterly (34:4), pp.
689-710.
Billings, A. G., and Moos, R. H. 1984. “Coping, Stress, and Social
Resources Among Adults with Unipolar Depression,” Journal of
Personality and Social Psychology (46), pp. 877-891.
Bolger, N. 1990. “Coping as a Personality Process: A Prospective
Study,” Journal of Personality and Social Psychology (59:3), pp.
525-537.
Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., and
Polak, P. 2015. “What Do Systems Users Have to Fear? Using
Fear Appeals to Engender Threats and Fear That Motivate Pro-
tective Security Behaviors,” MIS Quarterly (39:4), pp. 837-864.
Brown, S., and Venkatesh, V. 2005. “Model of Adoption and
Technology in Households: A Baseline Model Test and Exten-
sion Incorporating Household Life Cycle,” MIS Quarterly (29:3),
pp. 399-436.
Bushman, B. J. 2002. “Does Venting Anger Feed or Extinguish the
Flame? Catharsis, Rumination, Distraction, Anger, and Aggres-
sive Responding,” Personality and Social Psychology Bulletin
(28:6), pp. 724-731.
Bushman, B. J., Baumeister, R. F., and Phillips, C. M. 2001. “Do
People Aggress to Improve Their Mood? Catharsis Beliefs,
Affect Regulation Opportunity, and Aggressive Responding,”
Journal of Personality and Social Psychology (81:1), pp. 17-32.
Carver, C. S., Pozo, C., Harris, S. D., Noriega, V., Scheier, M. F.,
Robinson, D. S., Ketcham, A. S., Moffat Jr., F. L., and Clark,
K. C. 1993. “How Coping Mediates the Effect of Optimism on
Distress: A Study of Women with Early Stage Breast Cancer,”
Journal of Personality and Social Psychology (65:2), pp.
375-390.
Carver, C. S., and Scheier, M. F. 1982. “Control Theory: A Useful
Conceptual Framework for Personality-Social, Clinical, and
Health Psychology,” Psychological Bulletin (92:1), pp. 111-135.
Carver, C. S., and Scheier, M. F. 1994. “Situational Coping and
Coping Dispositions in a Stressful Transaction,” Journal of
Personality and Social Psychology (66:1), pp. 184-195.
Carver, C. S., Scheier, M. F., and Weintraub, J. K. 1989.
“Assessing Coping Strategies: A Theoretically Based Ap-
proach,” Journal of Personality and Social Psychology (56:2),
pp. 267-283.
Chen, Y., and Zahedi, F.M. 2016. “Individuals’ Internet Security
Perceptions and Behaviors: Polycontextual Contrasts Between
the United States and China,” MIS Quarterly (40:1), pp. 205-222.
Cicognani, E. 2011. “Coping Strategies with Minor Stressors in
Adolescence: Relationships with Social Support, Self-Efficacy,
Liang et al./An Emotion-Focused Coping Perspective
and Psychological Well-Being,” Journal of Applied Social
Psychology (41:3), pp. 559-578.
Cisco. 2016. “Cisco 2016 Annual Security Report,” Cisco Systems,
San Jose (https://www.cisco.com/c/dam/en_us/about/annual-
report/2016-annual-report-full.pdf).
Cole, P. M., Bruschi, C. J., and Tamang, B. L. 2002. “Cultural
Differences in Children’s Emotional Reactions to Difficult
Situations,” Child Development (73), pp. 983-996.
Compeau, D., Marcolin, B., Kelley, H., and Higgins, C. 2012.
“Generalizability of Information Systems Research Using
Student Subjects—A Reflection on Our Practices and Recom-
mendations for Future Research,” Information Systems Research
(23:4), pp. 1093-1109.
D’Arcy, J., Herath, T., and Shoss, M. K. 2014. “Understanding
Employee Responses to Stressful Information Security
Requirements: A Coping Perspective,” Journal of Management
Information Systems (31:2), pp. 285-318.
Dias-Ferreira, E., Dias-Ferreira, E., Sousa, J. C., Melo, I.,
Morgado, P., Mesquita, A. R., Cerqueira, J. J., Costa, R. M., and
Sousa, N. 2009. “Chronic Stress Causes Frontostriatal Reorgani-
zation and Affects Decision-Making,” Science (325:5940), pp.
621-625.
Duke, A. 2014. “Five Things to Know about the Celebrity Nude
Photo Hacking Scandal,” CNN Entertainment (http://www.cnn.
com/2014/09/02/showbiz/hacked-nude-photos-five-things/).
FBI. 2014. “How to Protect Your Computer,” Federal Bureau of
Investigation (https://www.fbi. gov/scams-and-safety/on-the-
internet/how-to-protect-your-computer).
FCC. 2014. “Secure Web Navigation and Transactions,” Federal
Communications Commission (http://www.fcc.gov/guides/
secure-web-navigation-and-transactions).
Folkman, S., and Lazarus, R. S. 1985. “If it Changes it must Be a
Process: Study of Emotion and Coping During Three Stages of
a College Examination,” Journal of Personality and Social
Psychology (48:1), pp. 150-170.
Folkman, S., Lazarus, R. S., Dunkel-Schetter, C., DeLongis, A., and
Gruen, R. J. 1986a. “Dynamics of a Stressful Encounter:
Cognitive Appraisal, Coping, and Encounter Outcomes,” Journal
of Personality and Social Psychology (50:5), pp. 992-1003.
Folkman, S., Lazarus, R. S., Gruen, R. J., and DeLongis, A. 1986b.
“Appraisal, Coping, Health Status, and Psychological Symp-
toms,” Journal of Personality and Social Psychology (50:3), pp.
571-579.
Folkman, S., and Moskowitz, J. T. 2004. “Coping: Pitfalls and
Promise,” Annual Review of Psychology (55), pp. 745-774.
Franceschi-Bicchierai, L. 2016. “Hacker Tries to Sell 427 Million
Stolen MySpace Passwords for $2,800,” Motherboard, May 27
(http://motherboard.vice.com/read/427-million-myspace-
passwords-emails-data-breach).
Freud, S. 1894. The Neuro-Psychoses of Defence.
Fugate, M., Kinicki, A. J., and Scheck, C. L. 2002. “Coping with
an Organizational Merger Over Four Stages,” Personnel Psych-
ology (55), pp. 905-928.
Gefen, D., Rigdon, E. E., and Straub, D. 2011. “An Update and
Extension to SEM Guidelines for Administrative and Social
Science Research,” MIS Quarterly (35:2), pp. iii-xiv.
MIS Quarterly Vol. 43 No. 2/June 2019 391
Liang et al./An Emotion-Focused Coping Perspective
Greco, V., and Roger, D. 2003. “Uncertainty, Stress, and Health,”
Personality and Individual Differences (34:6), pp. 1057-1068.
Gross, J. 1998. “Antecedent- and Response-Focused Emotion
Regulation: Divergent Consequences for Experience, Expres-
sion, and Physiology,” Journal of Personality and Social
Psychology (74:1), pp. 224-237.
Gross, J. 1999. “Emotion Regulation: Past, Present, Future,”
Cognition and Emotion (13:5), pp. 551-573.
Gross, J. J., and John, O. P. 2003. “Individual Differences in Two
Emotion Regulation Processes: implications for Affect, Relation-
ships, and Well-Being,” Journal of Personality and Social
Psychology (85:2), pp. 348-362.
Gross, J., and Thompson, R. A. 2007. “Emotion Regulation:
Conceptual Foundations,” in Handbook of Emotion Regulation,
J. J. Gross (ed.), New York: Guilford Press, pp. 3-24.
Hu, E. 2014. “I Feel Nothing: The Home Depot Hack and Data
Breach Fatigue,” National Public Radio, September 3 (https://
www.northcountrypublicradio.org/news/npr/345539074/i-feel-
nothing-the-home-depot-hack-and-data-breach-fatigue).
Hyde, J. S. 2014. “Gender Similarities and Differences,” Annual
Review of Psychology (65), pp. 373-398.
ISF. 2014. “From Promoting Awareness to Embedding Behaviours:
Secure by Choice, Not by Chance,” Information Security Forum.
ITRC. 2010. “Identity Theft: The Aftermath 2009,” Identity Theft
Resource Center, San Diego, CA.
James, T., Nottingham, Q., and Kim, B. C. 2013. “Determining the
Antecedents of Digital Security Practices in the General Public
Dimension,” Information Technology Management (14), pp.
69-89.
Jarvis, C. B., MacKenzie, S. B., and Podsakoff, P. M. 2003.
"Critical Review of Construct Indicators and Measurement
Model Misspecification in Marketing and Consumer Research,"
Journal of Consumer Research (30:2), pp. 199-218.
Johnson, E. J., and Tversky, A. 1983. “Affect, Generalization, and
the Perception of Risk,” Journal of Personality and Social
Psychology (45), pp. 20-31.
Johnston, A. C., and Warkentin, M. 2010. “Fear Appeals and Infor-
mation Security Behaviors: An Empirical Study,” MIS Quarterly
(34:3), pp. 549-566.
Kent, J., and Steiner, K. 2012. “Ten Ways to Improve the Security
of a New Computer,” US-CERT, Carnegie Mellon University
(http://www.athens.edu/pdfs/it/cyber-tips/Ten-Ways-to-Improv
e-New-Computer-Security.pdf?x75869).
Kim, J. J., Park, E. H. E., and Baskerville, R. L. 2016. “A Model
of Emotion and Computer Abuse,” Information & Management
(53:1), pp. 91-108.
Kring, A. M., and Gordon, A. H. 1998. “Sex Differences in
Emotion: Expression, Experience, and Physiology,” Journal of
Personality and Social Psychology (74:3), pp. 686-703.
Krizan, Z., and Windschitl, P. D. 2007. “The Influence of Outcome
Desirability on Optimism,” Psychological Bulletin (133:1), pp.
95-121.
Lai, F., Li, D., and Hsieh, C.-T. 2012. “Fighting Identity Theft:
The Coping Perspective,” Decision Support System (52:2), pp.
353-363.
Lazarus, R. 1991. Emotion and Adaptation, Oxford, UK: Oxford
University Press.
392 MIS Quarterly Vol. 43 No. 2/June 2019
Lazarus, R. 1999. Stress and Emotion: A New Synthesis, New
York: Springer.
Lazarus, R., and Folkman, S. 1984. Stress, Appraisal, and Coping,
New York: Springer.
Lee, Y., and Kozar, K. A. 2005. “Investigating Factors Affecting
the Adoption of Anti-Spyware Systems,” Communications of the
ACM (48:8), pp. 72-77.
Lee, Y., and Larsen, K. R. 2009. “Threats or Coping Appraisal:
Determinants of Smb Executives’ Decision to Adopt Anti-
malware Software,” European Journal of Information Systems
(18), pp. 177-187.
Lerner, J. S., Han, S., and Keltner, D. 2007. “Feelings and
Consumer Decision Making: Extending the Appraisal-Tendency
Framework,” Journal of Consumer Psychology (17:3), pp.
181-187.
Lerner, J. S., and Keltner, D. 2000. “Beyond Valence: Toward a
Model of Emotion-Specific Influences on Judgment and Choice,”
Cognition and Emotion (14:4), pp. 473-493.
Li, Y., and Siponen, M. T. 2011. “A Call for Research on Home
Users’ Information Security Behaviour,” in Proceedings of the
Pacific Asia Conference on Information Systems, p. 112.
Liang, H., and Xue, Y. 2009. “Avoidance of Information
Technology Threats: A Theoretical Perspective,” MIS Quarterly
(33:1), pp. 71-90.
Liang, H., and Xue, Y. 2010. “Understanding Security Behaviors
in Personal Computer Usage: A Threat Avoidance Perspective,”
Journal of the Association for Information Systems (11:7), pp.
394-413.
Loewenstein, G. 2007. “Affect Regulation and Affective Fore-
casting,” in Handbook of Emotion Regulation, J. Gross (ed.),
New York: The Guilford Press, pp. 180-203.
MacKenzie, S. B., Podsakoff, M. P., and Podsakoff, N. P. 2011.
“Construct Measurement and Validation Procedures in MIS and
Behavioral Research: Integrating New and Existing Tech-
niques,” MIS Quarterly (35:2), pp. 293-334.
Maslow, A. H. 1943. “A Theory of Human Motivation,”
Psychological Review (50:4), pp. 370-396.
McCrae, R. R. 1984. “Situational Determinants of Coping
Responses: Loss, Threat, and Challenge,” Journal of Personality
and Social Psychology (46:4), pp. 919-928.
McCrae, R. R., and Costa, P. T. 1986. “Personality, Coping, and
Coping Effectiveness in an Adult Sample,” Journal of Person-
ality (54:2), pp. 385-405.
Moore, G. C., and Benbasat, I. 1991. “Development of an Instru-
ment to Measure the Perceptions of Adopting an Information
Technology Innovation,” Information Systems Research (2:3),
pp. 192-222.
Moos, R. H., and Billings, A. G. 1982. “Conceptualizing and Mea-
suring Coping Resources and Processes,” in Handbook of Stress,
L. Goldberger and S. Breznitz (eds.), New York: The Free Press,
pp. 212-230.
Murphy, I. 2016. “Cyber Defence or More Wishful Thinking,”
Enterprise Times, September 14 (https://www.enterprisetimes.
co.uk/2016/09/14/cyber-defence-wishful-thinking/).
Ng, B.-Y., Kankanhalli, A., and Xu, Y. C. 2009. “Studying Users’
Computer Security Behavior: A Health Belief Perspective,”
Decision Support System (46:4), pp. 815-825.

Pillow, D. R., Zautra, A. J., and Sandler, I. 1996. “Major Life
Events and Minor Stressors: Identifying Mediational Links in the
Stress Process,” Journal of Personality and Social Psychology
(70:2), pp. 381-394.
Podsakoff, P. M., MacKenzie, S. B., Lee, J. Y., and Podsakoff, N.
P. 2003. “Common Method Biases in Behavioral Research: a
Critical Review of the Literature and Recommended Remedies,”
Journal of Applied Psychology (88:5), pp. 879-903.
Ponemon Institute. 2017. “2017 Study on Mobile and IoT
Application Security,” Ponemon Institute Research Report
sponsored by IBM and Axran.
Radichel, T. 2014. “Case Study: Critical Controls that Could Have
Prevented Target Breach,” The SANS Institute.
Reisinger, D. 2015. “Why Employees Are Often the Weakest Link
in Enterprise Security Chain,” eWeek, January 28
(http://www.eweek.com/security/why-employees-are-often-the-
weakest-link-in-enterprise-security-chain).
Rippetoe, P. A., and Rogers, R. W. 1987. “Effects of Components
of Protection-Motivation Theory on Adaptive and Maladaptive
Coping with a Health Threat,” Journal of Personality and Social
Psychology (52:3), pp. 596-604.
Rogers, R. W. 1983. “Cognitive and Pysiological Process in Fear
Appeals and Attitude Change: A Revised Theory of Protection
Motivation,” in Social Psychophysiology: A Source Book, J.
Cacioppo and R Petty (eds.), New York: Guilford Press, pp.
153-176.
Scheff, T. 2015. “Three Scandals in Psychology: The Need for a
New Approach,” Review of General Psychology (19:2), pp.
203-205.
Scheier, M. F., Weintraub, J. K., and Carver, C. S. 1986. “Coping
with Stress: Divergent Strategies of Optimists and Pessimists,”
Journal of Personality and Social Psychology (51:6), pp.
1257-1264.
Scherer, K. R., and Tran, V. 2001. “Effects of Emotion on the
Process of Organizational Learning,” in Handbook of Organi-
zational Learning and Knowledge, M. Dierkes, A. B. Antal,
J. Child, and I. Nonaka (eds.), Oxford, UK: Oxford University
Press, pp. 369-392.
Siponen, M., and Vance, A. 2010. “Neutralization: New Insight
into the Problem of Employee Information Systems Security
Policy Violations,” MIS Quarterly (34:3), pp. 487-502.
Siponen, M., and Vance, A. 2014. “Guidelines for Improving the
Contextual Relevance of Field Surveys: The Case of Information
Security Policy Violations,” European Journal of Information
Systems (23:3), pp. 289-305.
Slovic, P., Finucane, M. L., Peters, E., and MacGregor, D. G. 2004.
“Risk as Analysis and Risk as Feelings: Some Thoughts About
Affect, Reason, Risk, and Rationality,” Risk Analysis (24:2), pp.
311-322.
Stets, J. E., and Tsushima, T. M. 2001. “Negative Emotion and
Coping Responses Within Identity Control Theory,” Social
Psychology Quarterly (64:3), pp. 283-295.
Stickney, L. T., and Geddes, D. 2014. “Positive, Proactive, and
Committed: The Surprising Connection Between Good Citizens
and Expressed (Vs. Suppressed) Anger at Work,” Negotiation
and Conflict Management Research (7:4), pp. 243-264.
Liang et al./An Emotion-Focused Coping Perspective
Symantec. 2010. “The Silent Epidemic: Cybercrime Strikes More
Than Two-Thirds of Internet Users” (https://www.symantec.com/
about/newsroom/press-releases/2010/symantec_0908_01).
Symantec. 2016. “Internet Security Threat Report,” Symantec,
Mountain View, CA.
Taylor, S. E. 2011. “Social Support: A Review,” in The Handbook
of Health Psychology, H. S. Friedman (ed.), Oxford, UK: Oxford
University Press, pp. 189-214.
Venkatesh, V., Brown, S. A., and Bala, H. 2013. “Bridging the
Qualitative–Quantitative Divide: Guidelines for Conducting
Mixed Nethods Research in Information Systems,” MIS
Quarterly (37:1), pp. 21-54.
Wendorf, J. E., and Yang, F. 2015. “Benefits of a Negative Post:
Effects of Computer-Mediated Venting on Relationship Main-
tenance,” Computers in Human Behavior (52), pp. 271-277.
Whittaker, Z. 2016. “Yahoo Hacked Again, More than One Billion
Accounts Stolen,” ZDNet, December 14 (https://www.zdnet.com/
article/yahoo-hacked-again-more-than-one-billion-accounts-
stolen/).
Willison, R., and Warkentin, M. 2013. “Beyond Deterrence: An
Expanded View of Employee Computer Abuse,” MIS Quarterly
(37:1), pp. 1-20.
Workman, M., Bommer, W. H., and Straub, D. 2008. “Security
Lapses and the Omission of Information Security Measures: A
Threat Control Model and Empirical Test,” Computers in Human
Behavior (24:6), pp. 2799-2816.
Yi, S., and Baumgartner, H. 2004. “Coping with Negative Emo-
tions in Purchase-Related Situations,” Journal of Consumer
Psychology (14:3), pp. 303-317.
Zhang, P. 2013. “The Affective Response Model: A Theoretical
Framework of Affective Concepts and Their Relationships in the
ICT Context,” MIS Quarterly (37:1), pp. 247-274.
About the Authors
Huigang Liang is a professor of MIS and the Teer Endowed Chair
at College of Business, East Carolina University. His research
focuses on socio-behavioral, managerial, and analytical IT issues at
both individual and organizational levels in a variety of contexts.
His work has appeared in MIS Quarterly, Information Systems
Research, Journal of MIS, Journal of the AIS, MIT Sloan Manage-
ment Review, Communications of the ACM, Decision Support
Systems, Information Systems Journal, and Journal of Strategic
Information Systems, among others. He served the editorial board
of MIS Quarterly, and is currently serving on the editorial boards of
Information Systems Research, Journal of the AIS, and Information
and Management
Yajiong Xue is a professor of MIS at East Carolina University. She
received her Ph.D. from Auburn University. Her research has ap-
peared in MIS Quarterly, Information Systems Research, Journal of
MIS, Journal of the AIS, Decision Support Systems, Communications
of the ACM, and International Journal of Medical Informatics, and
others. Her research interests include IT governance, strategic man-
MIS Quarterly Vol. 43 No. 2/June 2019 393
Liang et al./An Emotion-Focused Coping Perspective
agement of information technology, and healthcare information
systems. She teaches a data analytics project course and is the coor-
dinator of the data analytics certificate program at East Carolina
University. Yajiong served as the corresponding author for this
paper.
Alain Pinsonneault, Fellow-Royal Society of Canada and Fellow
of the Association for Information Systems, is a James McGill
Professor and the Imasco Chair of information systems in the
Desautels Faculty of management at McGill University. His current
research interests include the organizational and individual impacts
of information technology, user adaptation, social networks, busi-
ness model in the digital economy, e-health, e-integration, strategic
alignment of IT, and the business value of IT. His research has
appeared in numerous journals, including Management Science, MIS
Quarterly, Information Systems Research, Journal of MIS, Decision
Support Systems, and Organization Science. He has served on the
editorial boards of several journals including MIS Quarterly, Infor-
394 MIS Quarterly Vol. 43 No. 2/June 2019
mation Systems Research, Organization Science, and Journal of
MIS.
Yu “Andy” Wu is an associate professor in the Department of
Information Technology and Decision Sciences at the University of
North Texas. Andy obtained his Ph.D. (2007) and Master of
Science (2003) in Management Information Systems from the
University of Central Florida. He also holds a Master’s and a
Bachelor’s in Finance. Andy’s primary research interest is infor-
mation security. His research papers appear in journals such as
Decision Support Systems, The Data Base for Advances in Infor-
mation Systems, IEEE Transactions on Professional Commu-
nication, and Information Systems Management, and in the
proceedings of a number of international conferences. Between his
academic pursuits in finance and MIS, he had seven years of
industry experience in various positions Andy is a Certified
Information Systems Auditor (CISA) and is CompTIA Security+
certified.
 RESEARCH ARTICLE

WHAT USERS DO BESIDES PROBLEM-FOCUSED COPING

WHEN FACING IT SECURITY THREATS: AN EMOTION-
FOCUSED COPING PERSPECTIVE
Huigang Liang and Yajiong Xue
College of Business, East Carolina University,
Greenville, NC 27858 U.S.A. {huigang.liang@gmail.com} {xuey@ecu.edu}

Alain Pinsonneault
Desautels Faculty of Management, McGill University, 1001 Sherbrooke Street West,
Montréal, QC CANADA H3A 1G5 {alain.pinsonneault@mcgill.ca}

Yu “Andy” Wu
College of Business, University of North Texas,
Denton, TX 76203 U.S.A. {andy.wu@unt.edu}

Appendix A
Summary of Past IT Security Research on PFC and EFC

There is a large body of IS research on individuals’ IT security behavior. In the paper, we attempted to understand how individuals cope with
IT security threats when such behavior is volitional. In this appendix, we briefly review the past studies in this domain. The current literature
on individuals’ volitional security behaviors has focused primarily on the cognitive reasoning process that motivates individuals to take
protective actions against IT security threats. As shown in Table A1, this literature has extensively studied individuals’ security behavior in
a variety of threat contexts including malware, spyware, hacking, email spam, phishing, identity theft, and device theft. Major theories applied
include the protection motivation theory (PMT), the technology threat avoidance theory (TTAT), the health belief model (HBM) , and the
theory of planned behavior (TPB). Based on the major theory applied, we grouped the studies in Table A1. Regardless of the theory applied,
these studies share a clear commonality – the focal dependent variable is either the security behavior or intention to perform such behavior.
From the coping perspective, the action or intention to take protective measures to counter threats is essentially a PFC approach. Therefore,
it is conspicuous that the existing research has predominantly investigated PFC. As to EFC, none of the studies that applied PMT, HBM and
TPB has mentioned this concept. We have only found one article (Liang and Xue 2009) that discussed EFC in depth and developed formal
propositions to explain EFC’s relationship with other coping constructs. However, it is a pure theory building paper that offers no empirical
evidence to back up the propositions. Several empirical studies based on TTAT (Arachchilage and Love 2014; Herath et al. 2014; Lai et al.
2012; Liang and Xue 2010) allude to EFC, but it is limited to a brief mention in the literature review. Neither is EFC theoretically elaborated,
nor empirically tested in these studies. To date, in the IT security literature, we still know little about EFC. Questions such as “what EFC
strategies are relevant in the IT security context,” “why do people perform EFC when facing IT security threats,” and “what are the
consequences of EFC” have never been answered.

It should be noted that there is another stream of IT security research focused on employees’ compliance with IS security policies mandated
by organizations. We have conducted a comprehensive search within this stream by using the keyword “emotion-focused coping” and found
one article by D’Arcy et al. (2014) that examines how employees use EFC to cope with security-related stress. This is the only study that
explicitly used the term of EFC in this research stream. However, in this study, the research context is mandatory compliance with information

MIS Quarterly Vol. 43 No. 2–Appendices/June 2019 A1

Liang et al./An Emotion-Focused Coping Perspective

security policies. D’Arcy et al. explain that, in this context, stress is aroused by the overload, complexity, and uncertainty of security policy
compliance. This is in sharp contrast with the volitional context in which users’ stress is aroused by IT security threats. In addition, D’Arcy
et al. did not study EFC directly; instead, they used moral disengagement as a surrogate of EFC. While moral disengagement makes sense when
mandatory compliance is the target behavior, it is not as relevant when volitional security behavior is of interest, because individuals are
unlikely to think their lack of security behavior to be immoral. Therefore, D’Arcy et al.’s study cannot be readily extended to the context of
volitional security behavior. The role of EFC in the volitional context remains unknown.

Table A1. Summary of IS Research on Volitional IT Security Behaviors

Threat Theory Dependent Research
Study Context Applied Variable Sample Design Major Findings EFC PFC
Chen and Internet PMT Protective 480 U.S. home Survey Security concern, response effi- No Yes
Zahedi security action, users and 235 cacy, and self-efficacy influence
(2016) attacks knowledge Chinese home protective action, and their
seeking, users effects are moderated by
avoidance espoused culture.
Tsai et al. Online PMT Security 988 MTurk Survey Coping appraisals increase No Yes
(2016) security intention users security intention, but threat
threat appraisals have no effect.
Boss et al. Data PMT Security Study 1: 104 1: Survey Besides traditional threat and No Yes
(2015) backup, behavior MBA students 2: Experiment coping appraisal variables, fear
Malware Study 2: 327 and maladaptive rewards influ-
college ence behavioral intention, which
students leads to security behavior.
Tu et al. Mobile PMT Coping 339 mobile Survey Response efficacy, self-efficacy, No Yes
(2015) device intention device users perceived threat, and social
theft influence increase coping
intention.
Boehmer et Online PMT Safe online 1: 565 college 1: Survey Personal responsibility, self- No Yes
al. (2015) security behavior students 2: Experiment efficacy and response efficacy
breach 2: 206 college are found to enhance behav-
students ioral intention.
Crossler and General PMT Unified 279 employees Survey Perceived severity, vulnerability, No Yes
Bélanger IT security response efficacy, and self-
(2014) security behaviors efficacy increases unified
threats security behavior.
Herath et al. Email PMT, TTAT Intention to 134 college Survey Risk perception, email No Yes
(2014) spam adopt email students screening self-efficacy, and
authentica- overall appraisal of coping
tion mechanisms increase users’
coping motivation.
Jenkins et al. Hacking PMT Creation of 135 college Experiment Just-in-time fear appeals No Yes
(2014) unique students decrease password reuse.
passwords
Anderson Internet PMT, goal Intention to Study 1: 594 1: survey Behavioral intention is influ- No Yes
and Agarwal security framing perform home users 2: experiment enced by a combination of
(2010) breaches security Study 2: 101 cognitive, social, and psycho-
behavior college logical components. Message
students framing influences the drivers of
intention.
Gurung et al. Spyware PMT Use of anti- 232 college Survey All threat and coping appraisal No Yes
(2008) spyware students variables significantly affect
tool adoption decision.
Johnston Spyware PMT Intention to 275 college Experiment Response efficacy, self-efficacy, No Yes
and adopt anti- faculty, staff, and social influence increase
Warkentin spyware and students adoption intention.
(2010) software

A2 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019

 Liang et al./An Emotion-Focused Coping Perspective

Table A1. Summary of IS Research on Volitional IT Security Behaviors (Continued)

Threat Theory Dependent Research
Study Context Applied Variable Sample Design Major Findings EFC PFC
Lee and Malware PMT Adoption 239 SMB Survey All threat and coping appraisal No Yes
Larsen intention executives variables significantly affect
(2009) adoption decision.
Workman et System PMT, social Omissive 588 employees Survey Threat and coping assessment, No Yes
al. (2008) breaches cognitive behavior self-efficacy, and locus of
theory control affect omissive
behaviors.
Arachchilage Phishing TTAT Avoidance 161 college Survey Procedural and conceptual No Yes
and Love motivation students knowledge jointly influence elf-
(2014) and efficacy which in turn increases
behavior avoidance motivation and
behavior.
Lai et al. Identity TTAT Protective 117 college Survey Both technological and conven- No Yes
(2012) theft behavior students tional coping are effective in
reducing identity theft.
Liang and Spyware TTAT Use of anti- 152 college Survey Threat appraisal variables affect No Yes
Xue (2010) spyware students perceived threat. All coping
software variables affect avoidance moti-
vation, which in turn influence
behavior.
Liang and General TTAT PFC and n/a Theory Individuals engage in both PFC Yes Yes
Xue (2009) IT EFC building and EFC. Perceived threat and
security avoidability interactively deter-
threats mine PFC and EFC.
Ng et al. Email HBM Precaution 134 part-time Survey Perceived susceptibility, No Yes
(2009) virus in reading college perceived benefits, and self-
emails students efficacy are determinants of
computer security behavior.
Lee and Spyware TPB, Intention to 212 Internet Survey Attitude (relative advantage and No Yes
Kozar (2005) innovation adopt anti- users moral compatibility), social
diffusion spyware influence (visibility of others’
theory software use and image) and perceived
behavioral control (computing
capacity and trialability) influ-
ence behavioral intention.

MIS Quarterly Vol. 43 No. 2–Appendices/June 2019 A3

Liang et al./An Emotion-Focused Coping Perspective

Appendix B
Coping Factors from WCQ and COPE

Coping
Type Coping Factor Definition Source Include Justification for Inclusion/Exclusion
Distancing Efforts to detach oneself or WCQ Yes Most users we interviewed reported that they tried to
create a positive outlook. forget the existence of the threat.
Self-control Efforts to regulate one’s own WCQ Yes Security threats can provoke emotions and users need to
feelings and actions. regulate these emotions. Merged with venting.
Seeking social Efforts to seek informational WCQ Yes Social support is widely used by people to cope with
support support, tangible support, stress. In our research, we are only interested in emo-
and emotional support tional support. Merged with emotional support seeking.
Accepting Acknowledging one’s own WCQ No Conceptually it is more in line with problem-focused
responsibility role in the problem with a coping because when a user accepts his/her responsi-
concomitant theme of trying bility when facing IT security threats, he/she would take
to put things right. security behaviors.
Escape- Wishful thinking and WCQ Yes Users are often unrealistically optimistic and wishfully
avoidance behavioral efforts to escape believe they are safer than others. Merged with wishful
or avoid. thinking.
Positive Efforts to create positive WCQ No It is rare for users to positively reappraise the IT security
reappraisal meaning by focusing on threat.
personal growth.
Seeking social Getting moral support, COPE Yes Merged with emotional support seeking.
support for sympathy, or understanding.
emotional
reasons
Focusing on The tendency to focus on COPE Yes Many users we interviewed reported that they expressed
and venting of whatever distress or upset their emotions when they felt the pressure of security
emotions one is experiencing and to threats.
EFC
ventilate those feelings.
Behavioral Reducing one’s effort to COPE No It is an EFC strategy when the behavior causes stress.
disengagement deal with the stressor. For example, when a child is stressed out by practicing
piano, she can disengage herself from piano playing to
reduce stress. In the IT security context, this cannot be
considered as a type of EFC, because the disengage-
ment of security behaviors does not help to regulate
emotions.
Mental dis- Distracting the person from COPE Yes The rationale is the same as for distancing.
engagement thinking about the behav-
ioral dimension or goal with
which the stressor is
interfering.
Positive Construing a stressful trans- COPE No Same as positive reappraisal. Irrelevant for the IT
reinterpretation action in positive terms. security context.
Denial Denying the reality of the COPE Yes Users deny that they are under the threat of security
event. breaches in order to mitigate stress.
Acceptance Acceptance of a stressor as COPE Yes Users develop a perception that IT security threats cannot
real. be completely eliminated and their existence have to be
accepted. This is conceptually the opposite of denial.
Turning to The tendency to turn to COPE No It is very rare for users to turn to religion when facing IT
religion religion in times of stress. security threats. It is usually used when facing major
disasters or life events. IT security threats are not severe
enough to drive people to pray for God’s help.

A4 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019

 Liang et al./An Emotion-Focused Coping Perspective

Coping
Type Coping Factor Definition Source Include Justification for Inclusion/Exclusion
Planful problem Deliberate problem-focused WCQ Yes Users undertake specific actions to solve IT security
solving efforts to alter the situation problems. Some of the actions require appropriate
coupled with an analytical planning and scheduling such as update of security
approach to solving the software, hard disc scan, system backup, and security
problem patching. In the research, the concept of PFC behavior
overlaps with planful problem solving.
Confrontive Aggressive efforts to alter WCQ No It is an “aggressive form of problem-focused coping that
coping the situation. is largely interpersonal” (Folkman et al 1986a, p. 995).
An example item is “I tried to get the person responsible
to change his or her mind.” It is not relevant when
dealing with IT security threats because IT security threat
is intangible.
Active coping Taking active steps to try to COPE Yes Users often actively take protective measures to reduce
remove or circumvent the IT security threats. We included it as PFC behavior.
stressor or to ameliorate its
effects.
Planning Thinking about how to cope COPE Yes It indicates users’ intention to cope with threats.
with a stressor. Consistent with PFC intention, which is considered in our
PFC
robustness test.
Suppression of Putting other projects aside, COPE No This form of coping is most appropriate when the activity
competing trying to avoid becoming to deal with the stressor is complicated and time con-
activities distracted by other events, suming. For example, a Ph.D. candidate preparing for
even letting other things her thesis defense would suppress all other competing
slide, if necessary, in order activities and focus only on her presentation. In the IT
to deal with the stressor. security context, security action is not highly complicated
and doesn’t need a lot of time to complete. Hence, it is
farfetched to claim that one has to suppress other
activities to engage in security action.
Restraint Waiting until an appropriate COPE No Makes little sense in the IT security context. When facing
coping opportunity to act presents IT security threats, it is necessary to act immediately
itself, holding oneself back, rather than wait.
and not acting prematurely.
Seeking social Seeking advice, assistance, COPE No It is an auxiliary PFC behavior because it does not
support for or information. resolve security threats directly. It reduces the threat by
instrumental influencing PFC behavior.
reasons

Note: WCQ = Ways of Coping Questionnaire (Folkman et al. 1986a); COPE = COPE inventory (Carver et al. 1989). The inclusion/exclusion
justifications are based on our deductive reasoning and interviews with 40 IT users.

MIS Quarterly Vol. 43 No. 2–Appendices/June 2019 A5

Liang et al./An Emotion-Focused Coping Perspective

Appendix C
Definitions of EFC Concepts

Concept Definition/Description Source

Emotion-focused A type of coping in which individuals try to pacify or control the emotions Carver et al. 1989; Folkman
coping (EFC) aroused by the stressful situation or to dismiss the emotional and Lazarus 1985; Liang
discomforts. It includes inward and outward EFC. and Xue 2009
Inward EFC A type of EFC that deals with attention and appraisal of the emotion- Folkman et al. 1986a; Gross
arousing situation. It relies on attentional deployment and cognitive and Thompson 2007
change to achieve emotional stability. Three specific inward EFC are
selected in our research context: denial, distancing, and wishful
thinking.
Distancing Psychological distancing, also known as “mental disengagement,” Carver et al. 1989; Folkman
refers to efforts to psychologically detach oneself from the stressor. et al. 1986b
Denial Denial is defined as refusal to admit the reality of the stressful situation. Carver et al. 1989; Liang
and Xue 2009
Wishful thinking Wishful thinking refers to a person’s escaping from the stressful Folkman et al. 1986a
situation by fantasizing that some intervening act or forth will turn things
around in a desirable direction.
Outward EFC It refers to individuals’ direct modulation of emotional responses or Gross and Thompson 2007
outcome of the emotion-generating process. Two specific outward EFC
are selected in our research context: emotional support seeking and
venting.
Emotional Emotional support seeking means that a person reaches out to his or et al. 1989; Folkman and
support seeking her social network to obtain moral support, sympathy, or understanding, Lazarus 1985
in the presence of a stressor.
Venting Venting is the engagement in actions that ventilate whatever the Beaudry and Pinsonneault
distress that a person is experiencing so that emotional stability is 2010; Carver et al. 1989
achieved.

A6 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019

 Liang et al./An Emotion-Focused Coping Perspective

Appendix D
Measurements

For each question, please indicate the extent to which you agree with the statement: 1 = strongly disagree, 2 = disagree, 3 = slightly disagree,
4 = neutral, 5 = slightly agree, 6 = agree, 7 = strongly agree.

Perceived Threat
Please describe how you thought about the IT security threat after you noticed it?
1. The malicious nature of the problem threatened me
2. The threat was fearful
3. The threat made me anxious

Perceived Avoidability
Taking everything into consideration (e.g., effectiveness of countermeasures, costs, and my confidence in employing countermeasures), I
thought …
1. The threat could be prevented
2. I could protect my computer from the threat
3. The threat was avoidable

Please answer the following questions based on what you have done after you noticed the IT security threat.

Emotional Support Seeking

1. I talked to someone about how I feel
2. I tried to get emotional support from friends or relatives.
3. I discussed my feelings with someone.
4. I got sympathy and understanding from someone.

Emotional Venting
1. I got upset and let my emotions out.
2. I let my feelings out.
3. I felt a lot of emotional distress and I found myself expressing those feelings a lot.
4. I got upset, and was really aware of it.

Denial
1. I refused to believe that it could happen.
2. I persuaded myself that it wouldn’t really happen.
3. I acted as though it wouldn’t really happen.
4. I said to myself, “This isn’t real.”

Psychological Distancing
1. I tried not to get too serious about it.
2. I went on as if it has nothing to do with me.
3. I tried not to think about it too much.
4. I tried to forget it as much as I can.

Wishful Thinking
1. I fantasized that it would go away or somehow be over with.
2. I fantasized that I would somehow come across a magical solution for it.
3. I fantasized that all of a sudden it disappears by itself.
4. I fantasized that everything turns out just fine as if nothing happened.

MIS Quarterly Vol. 43 No. 2–Appendices/June 2019 A7

Liang et al./An Emotion-Focused Coping Perspective

PFC Intention (for Robustness Test)

1. I intended to take safeguarding actions to counter the threat immediately.
2. I predicted I would take safeguarding actions to counter the threat immediately.
3. I planned to take safeguarding actions to counter the threat immediately.

PFC Behavior
1. I installed/updated anti-virus software.
2. I installed/updated anti-spyware software.
3. I updated my operating system with the latest security patch.
4. I turned on the Internet firewall.

Appendix E
Q-Sort Procedures and Results
We validated the items with the Q-sort method, largely following the practices by Moore and Benbasat (1991). We performed four rounds of
sorting. In each round, we recruited five judges: two business faculty members, two doctoral students, and an information security professional
who worked in the local area. When selecting the judges, we paid particular attention to their gender, nationality, and educational and profes-
sional background, so that a variety of perspectives could be offered.

We printed each of the candidate items on one 3 × 5 inch index card. In addition, we created 10 test cards for a test run with the judges. These
cards contained 10 statements about automobiles. Some of them were ambiguously worded so that they might appear equally good for two
or more categories to the judges. Before the sorting started, a set of standard instructions were read to the judges and we answered their ques-
tions about the sorting process. Then the judges sorted the 10 test cards by following the instructions. Afterward, we discussed with the judges
the sorting results and resolved problems caused by ambiguous statements. After the judges familiarized themselves with the sorting method
through this test run, we asked them to sort the emotion-focused coping items.

In Round 1, we did not provide the labels or definitions of the constructs to the judges. Each judge was asked to group the items into any
number of categories and to label and define each category with their own language. As a result, two judges came up with seven categories
and the other three came up with eight. A judge might not come up with an equivalent for every construct in our study. Similarly, some of
the categories they identified did not have equivalents in our set of constructs. A judge might also determine that a particular item did not
belong to any constructs. The inter-judge raw agreement scores averaged 0.588 and the Kappa scores averaged 0.532 (Table E1). The overall
placement ratio was 66.72% (Table E2). We examined the off-diagonal entries and found cross-loading between Denial and Psychological
Distancing. Based on this observation as well as comments from the judges, we revised the wording in two items for Denial and two items
for Wishful Thinking. We also added a new item into Wishful Thinking.

In Round 2, the revised items were sorted by another group of five judges. This time, we provided the judges with the labels and definitions
for the constructs. Other than this, the entire process, including the test run, was identical to that of Round 1. As shown in Table E1, the
average inter-judge raw agreement increased to 0.836 and the inter-judge Kappa was 0.813. All Kappa coefficients were above the recommend
threshold of 0.65 (Moore and Benbasat 1991). The overall placement ratio improved to 91.00% (Table E2).

In Round 3, we asked another five judges to participate. To test whether the improvement in inter-judge agreement and placement ratios in
Round 2 were due to the fact that Round 2 judges had the construct labels and definitions, we used the exact same items from Round 2.
However, this time the judges were told to decide by themselves how many categories should be created, how they were to be labeled, and what
their definitions would be. Four judges identified eight constructs and the remaining one found seven. All the identified constructs matched
well with the constructs in this study. Despite not having construct labels and definitions, the placement ratio continued to rise to 91.83%
(Table E2). The average inter-judge raw agreement and Kappa also showed improvement to 0.882 and 0.865, respectively (Table E1). This
assured us that the items had desirable construct validity and that the improvement from the first to the second round was not due to the judges
having construct labels and definitions. In addition, based on comments from the Round 3 judges, we modified the wording of one item for
Psychological Distancing. We also made slight changes to two items for Wishful Thinking. Each of the five constructs had four items. Overall,
we had a set of 20 items.

In Round 4, the 20 items were sorted by another five judges. Similar to Round 2, the judges had the construct labels and definitions when they
started. The sorting results showed further improvement. The average inter-judge raw agreement, average inter-judge Kappa, and the place-
ment ratio increased to 0.921, 0.933, and 95.83%, respectively.

A8 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019

 Liang et al./An Emotion-Focused Coping Perspective

Table E1. Inter-Judge Raw Agreement and Inter-Judge Kappa

Raw Agreement Kappa
Round 1 Round 2 Round 3 Round 4 Round 1 Round 2 Round 3 Round 4
J1-J2 0.594 0.879 0.909 0.909 0.537 0.862 0.896 0.933
J1-J3 0.656 0.697 0.818 0.939 0.605 0.653 0.793 0.966
J1-J4 0.500 0.909 0.939 0.909 0.427 0.896 0.931 0.933
J1-J5 0.625 0.909 0.939 1.000 0.565 0.896 0.931 1.000
J2-J3 0.719 0.727 0.818 0.909 0.682 0.688 0.793 0.899
J2-J4 0.438 0.909 0.909 0.879 0.386 0.896 0.896 0.866
J2-J5 0.562 0.909 0.909 0.909 0.508 0.896 0.896 0.933
J3-J4 0.625 0.727 0.818 0.909 0.576 0.692 0.793 0.899
J3-J5 0.656 0.758 0.818 0.939 0.608 0.723 0.793 0.966
J4-J5 0.500 0.939 0.939 0.909 0.422 0.930 0.931 0.933
Average 0.588 0.836 0.882 0.921 0.532 0.813 0.865 0.933

Table E2. Placement Ratio Summary

Round 1 Round 2 Round 3 Round 4
Emotional support seeking 100.00% 100.00% 95.00% 100.00%
Venting 80.00% 100.00% 90.00% 95.00%
Denial 55.00% 85.00% 90.00% 100.00%
Psychological distancing 60.00% 70.00% 90.00% 80.00%
Wishful thinking 33.33% 95.00% 90.00% 100.00%
Average 66.72% 91.00% 91.83% 95.83%

MIS Quarterly Vol. 43 No. 2–Appendices/June 2019 A9

Liang et al./An Emotion-Focused Coping Perspective

Appendix F
Cross Loadings Generated by the Pilot Study

DIS DNY WT ESS V THR PA INT ACT

Chronbach’s alpha 0.92 0.97 0.96 0.99 0.99 0.88 0.89 0.94 0.91
DIS1 0.80 0.09 0.14 0.08 0.09 -0.16 -0.06 -0.17 -0.001
DIS2 0.80 0.29 0.30 0.06 0.13 -0.01 -0.07 -0.28 -0.05
DIS3 0.82 -0.01 -0.05 -0.02 -0.14 -0.15 -0.18 -0.07 -0.04
DIS4 0.82 0.23 0.24 0.10 0.10 0.02 -0.07 -0.07 0.003
DNY1 0.18 0.91 0.15 0.14 0.06 -0.03 -0.07 -0.06 0.09
DNY2 0.15 0.92 0.05 0.17 0.07 0.02 -0.09 -0.13 0.15
DNY3 0.17 0.91 0.09 0.17 0.08 0.00 -0.16 -0.09 -0.17
DNY4 0.12 0.87 0.13 0.22 0.16 0.01 -0.09 -0.20 0.09
WT1 0.28 0.17 0.83 0.18 0.06 0.07 -0.14 -0.05 0.03
WT2 0.16 0.10 0.90 0.08 0.04 0.05 0.00 -0.12 -0.13
WT3 0.22 0.05 0.89 0.08 0.12 -0.05 -0.05 -0.02 0.03
WT4 0.08 0.12 0.88 0.07 0.12 0.03 0.11 -0.14 -0.10
ESS1 0.10 0.21 0.15 0.81 0.33 0.01 -0.04 -0.06 0.03
ESS2 0.06 0.21 0.13 0.83 0.33 0.01 -0.03 -0.04 0.05
ESS3 0.15 0.22 0.08 0.85 0.23 0.09 -0.04 -0.09 0.06
ESS4 0.12 0.23 0.13 0.88 0.20 0.03 -0.08 -0.12 0.001
V1 0.08 0.11 0.08 0.23 0.89 0.07 -0.03 -0.10 -0.02
V2 0.08 0.06 0.08 0.21 0.91 0.06 -0.08 -0.09 -0.002
V3 0.12 0.14 0.14 0.23 0.86 -0.01 -0.05 -0.15 -0.06
V4 0.07 0.06 0.07 0.21 0.91 0.07 -0.10 -0.08 -0.02
THR1 -0.04 -0.01 0.09 -0.04 -0.13 0.74 -0.16 0.05 0.18
THR2 -0.07 -0.03 -0.04 -0.02 0.14 0.91 -0.05 0.07 0.23
THR3 0.01 0.04 0.06 0.15 0.10 0.86 0.01 0.10 0.10
PA1 -0.03 -0.12 0.01 -0.10 0.01 -0.04 0.90 0.12 0.09
PA2 -0.18 -0.07 -0.06 -0.09 -0.20 -0.05 0.83 0.15 -0.01
PA3 -0.12 -0.15 0.00 0.05 -0.04 -0.06 0.85 0.25 -0.03
INT1 -0.16 -0.09 -0.15 -0.06 -0.15 0.14 0.23 0.87 0.18
INT2 -0.17 -0.13 -0.18 -0.07 -0.13 0.02 0.20 0.88 0.13
INT3 -0.18 -0.26 0.01 -0.16 -0.11 0.01 0.19 0.80 0.06
ACT1 -0.30 -0.05 -0.06 0.37 0.03 0.02 0.03 0.37 0.88
ACT2 -0.48 -0.03 -0.14 0.10 -0.11 -0.01 0.25 0.23 0.88
ACT3 -0.08 -0.03 -0.002 0.22 0.04 -0.07 -0.01 0.43 0.77
ACT4 0.05 -0.07 -0.05 -0.08 -0.04 0.09 0.01 0.08 0.60
Note: DNY = denial; DIS = psychological distancing; WT = wishful thinking; ESS = emotional support seeking; V = venting; THR =
perceived threat; PA = perceived avoidability; INT = PFC intention; ACT = PFC behavior.

A10 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019

 Liang et al./An Emotion-Focused Coping Perspective

Appendix G
Experiment Scenarios
Scenario 1 (High threat, high avoidability):
After you downloaded a free movie from a website that you have never visited before, you suspected that malware could be downloaded onto
your computer along with the movie. The malware could steal your personal information and make you a victim of identity theft and suffer
from serious losses. This is a serious threat. You know that you have firewall and anti-virus and anti-spyware software running on your com-
puter. You trust these protective tools and believe that they can effectively protect your computer from security breaches. You are confident
that you can easily run a scan to find and remove the malware.

Scenario 2 (High threat, low avoidability):

After you downloaded a free movie from a website that you have never visited before, you suspected that malware could be downloaded onto
your computer along with the movie. The malware could steal your personal information and make you a victim of identity theft and suffer
from serious losses. This is a serious threat. You know that you have firewall and anti-virus and anti-spyware software running on your
computer. But you are not sure these tools can protect your computer from the malware, because hackers keep finding new ways to outsmart
the security tools. You feel that there is not much you can do about the malware.

Scenario 3 (Low threat and high avoidability):

After you downloaded a free movie from a website that you have never visited before, you suspected that adware could be downloaded onto
your computer along with the movie. The adware creates pop-up ads whenever you open a new page in the browser. It can be annoying, but
nothing threatening. You know that you have firewall and anti-virus and anti-spyware software running on your computer. You trust these
protective tools and believe that they can effectively protect your computer from security breaches. You are confident that you can easily run
a scan to find and remove the adware.

Scenario 4 (Low threat and low avoidability):

After you downloaded a free movie from a website that you have never visited before, you suspected that adware could be downloaded onto
your computer along with the movie. The adware creates pop-up ads whenever you open a new page in the browser. It can be annoying, but
nothing threatening. You know that you have firewall and anti-virus and anti-spyware software running on your computer to protect your
computer from security breaches. But you are not sure these tools can protect your computer from the adware, because hackers keep finding
new ways to outsmart the security tools. You feel that there is not much you can do about the adware.

Appendix H
Measurement Validation for Study Two
Before validating the measurements, we assessed two potential biases associated with survey data: nonresponse bias and common method bias
(CMB). Following Armstrong and Overton (1977), we compared the demographic variables between the first 100 and last 100 respondents.
T-tests show that the two groups do not differ in age (p = .06), computer experience (p = .86), number of security problems experienced (p =
.59) and Internet hours per day (p = .85). Chi-square tests show that the two groups do not differ in gender (p = .49) and education (p = .41).
These results suggest that nonresponse bias is not likely to exist.

In addition to procedural remedies to reduce CMB, we conducted three statistical tests to evaluate CMB. First, we carried out the Harmon’s
one factor test by following Podsakoff et al. (2003). The items of the 10 first-order theoretical constructs were entered into a principal
component analysis. Nine factors were identified and the first factor of the unrotated solution explains only 23.63% of the total variance,
showing no indication of the existence of CMB. Second, we employed the correlational marker variable technique to assess CMB. Following
Lindell and Whitney (2001), the second smallest positive correlation amongst measurement items (r = .002) was selected as a conservative
estimate of CMB. All of the between-item correlations were adjusted by partialling out the CMB estimate. Results revealed that the
correlations only changed slightly in magnitude and remained unchanged in significance, suggesting that CMB is unlikely a concern. Third,
following Podsakoff et al., we took the single latent method factor approach to testing CMB. A confirmatory factor analysis model including
the 10 first-order constructs was created in AMOS. A latent method factor was added which took all of the construct items as its indicators.

MIS Quarterly Vol. 43 No. 2–Appendices/June 2019 A11

Liang et al./An Emotion-Focused Coping Perspective

Thus, each item was determined by both its theoretical construct and the latent method factor. The results show that the method factor only
explains on average 0.56% variance in the items whereas the theoretical constructs explain on average 64.57% (see Table H1). Variances
explain by common method only accounts for 1.03% of theoretically explained variances, indicating that CMB has no significant influence
on our data.

Table H1. Latent Common Factor Test for Common Method Bias
Factor Method
Item Loading (R1) R1² Loading (R2) R² R2² /R1²
DNY1 0.78 60.06% 0.07 0.46% 0.77%
DNY2 0.87 76.21% 0.05 0.29% 0.38%
DNY3 0.86 73.62% 0.06 0.32% 0.44%
DNY4 0.69 48.02% 0.08 0.58% 1.20%
DIS1 0.78 61.00% 0.05 0.27% 0.44%
DIS2 0.86 73.27% 0.05 0.23% 0.31%
DIS3 0.88 77.26% 0.05 0.28% 0.36%
DIS4 0.79 63.04% 0.06 0.38% 0.61%
WT1 0.84 70.39% 0.06 0.30% 0.43%
WT2 0.85 72.08% 0.05 0.25% 0.35%
WT3 0.90 81.18% 0.04 0.18% 0.22%
WT4 0.87 76.39% 0.05 0.21% 0.28%
ESS1 0.77 58.98% 0.05 0.28% 0.48%
ESS2 0.78 61.00% 0.06 0.37% 0.61%
ESS3 0.90 80.82% 0.04 0.17% 0.21%
ESS4 0.79 62.88% 0.05 0.27% 0.43%
V1 0.87 76.39% 0.05 0.25% 0.33%
V2 0.88 77.62% 0.05 0.28% 0.36%
V3 0.82 67.08% 0.06 0.32% 0.48%
V4 0.79 62.57% 0.05 0.28% 0.45%
THR1 0.74 54.61% 0.08 0.61% 1.11%
THR2 0.86 74.48% 0.07 0.50% 0.68%
THR3 0.81 65.12% 0.06 0.37% 0.57%
PA1 0.72 51.27% 0.16 2.56% 4.99%
PA2 0.80 64.00% 0.15 2.25% 3.52%
PA3 0.52 26.73% 0.13 1.72% 6.42%
INT1 0.82 67.40% 0.09 0.88% 1.31%
INT2 0.72 51.98% 0.11 1.23% 2.37%
INT3 0.78 60.53% 0.11 1.25% 2.07%
BEH1 0.87 80.10% 0.04 0.15% 0.39%
BEH2 0.85 83.36% 0.06 0.35% 0.42%
BEH3 0.79 73.27% 0.08 0.66% 0.48%
BEH4 0.72 63.68% 0.07 0.50% 0.64%
Average 0.81 66.56% 0.07 0.58% 1.03%

We then validated the measurement model with confirmatory factor analysis (CFA) using AMOS 22. For both inward EFC and outward EFC,
we respectively estimated three models: (1) the first-order model, (2) the second-order reflective model, and (3) the second-order formative
model. In covariance-based SEM, it is necessary for a formative construct to have two emitting paths to achieve model identification
(Diamantopoulos 2011; Jarvis et al. 2003). The emitting paths point to two reflective indicators of the formative construct or two other
endogenous constructs (the so-called MIMIC model). Because we did not have any reflective indicators for inward EFC and outward EFC,
we included PFC intention and PFC behavior in the CFA model.

A12 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019

 Liang et al./An Emotion-Focused Coping Perspective

Table H2. Confirmatory Factor Analysis for Measurement Models

Inward EFC Outward EFC
Second-Order Second-Order Second-Order Second-Order
Fit Index Cutoff First-Order Reflective Formative First-Order Reflective Formative
χ 2/df <3 3.013 2.995 2.677 3.13 2.581 2.581
CFIs > 0.90 0.982 0.982 0.985 0.984 0.988 0.988
TLI > 0.90 0.975 0.975 0.979 0.976 0.982 0.982
RMSEA < 0.08 0.046 0.046 0.042 0.048 0.041 0.041

Note: The cutoffs are based on Hu and Bentler (1999) and Gefen et al. (2011). Gefen et al. noted that the the χ²/df ratio can only be used as a
simplifying heuristic and should not be relied on to affirm acceptable model fit. GFI and AGFI are biased by sample size and degrees of freedom
and there is consensus against using these indexes to assess model fit (Sharma et al. 2005). Therefore, we focus on using CFI, TLI, and RMSEA.

As Table H2 shows, for inward EFC, the second-order formative model fits better than the first-order model and the second-order reflective
model, and for outward EFC, the second-order formative and second-order reflective models have identical fit indices and both are better than
the first-order model. However, the differences are marginal, suggesting that all three models could be valid. We selected the second-order
formative model over the first-order model because (1) it is theoretically parsimonious (Cenfetelli and Bassellier 2009; Gerbing and Anderson
1984; Law et al. 1999), and (2) it avoids the muliticollinearity issue if the first-order constructs are used as independent variables (Koufterosa
et al. 2009). We preferred the second-order formative model to the second-order reflective model because the subconstructs conceptually differ
from each other, are not exchangeable, and do not necessarily covary (Jarvis et al. 2003; Petter et al. 2007). Therefore, the formative model
is more theoretically justifiable than the reflective model.

Following Petter et al. (2007), construct validity and reliability of the second-order formative measures were assessed by examining path
weights and the VIF (variance inflation factor) statistics. As Figure H1 shows, each first-order subconstruct has a significant path pointing to
inward or outward EFC, suggesting satisfactory construct validity. The VIF values of the five first-order subconstruct are under the
recommended threshold, 3.3 (see Table H2), indicating acceptable reliability (Diamantopoulos and Siguaw 2006).

Finally, following Gefen et al. (2000), validity of all of the first-order construct measures was tested using two procedures. First, the square
root of each construct’s average variance extracted (AVE) is much greater than the construct’s correlations with all other constructs, suggesting
sufficient discriminant validity (Table H3). Second, factor loadings and cross loadings (Table H4) were generated by conducting a principal
component analysis. All factor loadings on the substantive constructs are over 0.70, suggesting sufficient convergent validity. In addition,
each item’s factor loading is much higher than its cross-loadings on other constructs, confirming the sufficiency of discriminant validity (Hair
et al. 1998). We assessed the internal consistency of each construct by examining Cronbach’s alpha and AVE. As Table 3 shows, all alpha
coefficients exceed Nunnally’s (1978) recommended .70, indicating acceptable internal consistency, and all AVEs are above the .50 level
(Fornell and Larcker 1981).

**p < .01

*p < .05

Figure H1. Second-Order Formative Models for Inward and Outward Emotion-Focused Coping

MIS Quarterly Vol. 43 No. 2–Appendices/June 2019 A13

Liang et al./An Emotion-Focused Coping Perspective

Table H3. Construct Reliability, Variance, and Correlations

Mean
(SD) VIF alpha AVE DN DIS WT ESS V THR PA PFC
DN 2.95 2.09 0.93 0.59 0.77
(1.64)
DIS 2.77 1.39 0.96 0.74 0.52** 0.86
(1.66)
WT 3.34 1.80 0.95 0.69 0.67** 0.39** 0.83
(1.87)
ESS 3.67 1.61 0.92 0.68 0.22** 0.17** 0.19** 0.82
(1.76)
V 3.85 1.65 0.94 0.70 0.26** 0.13** 0.25** 0.62** 0.83
(1.74)
THR 4.82 – 0.89 0.74 0.06 0.11* 0.11* 0.29** 0.34** 0.86
(1.21)
PA 5.38 – 0.86 0.65 -0.09* -0.22** -0.04 0.05 0.02 0.18** 0.81
(1.10)
PFC 5.45 – 0.90 0.67 -0.20* -0.27** -0.20** 0.18** 0.12** 0.29** 0.41** 0.82
(1.15)
Note: alpha = Cronbach’s alpha, DN = denial; DIS = psychological distancing; WT = wishful thinking; ESS = emotional support
seeking; V = venting; THR = perceived threat; PA = perceived avoidability; PFC = PFC behavior. Square roots of AVE are on
diagonal.

A14 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019

 Liang et al./An Emotion-Focused Coping Perspective

Table H4. Loadings and Cross-Loadings of the Formal Study (N = 934)

Mean SD DNY DIS WT ESS V THR PA INT BEH
DNY1 2.79 1.79 .771 .271 .291 .105 .102 .056 -.058 -.043 -.101
DNY2 2.92 1.78 .790 .365 .267 .074 .082 .057 -.084 -.033 -.092
DNY3 3.05 1.85 .769 .375 .295 .044 .080 .064 -.021 -.033 -.134
DNY4 3.08 1.92 .738 .196 .299 .106 .147 .156 -.002 -.005 -.043
DIS1 3.50 1.93 .123 .761 .124 .032 -.091 -.104 -.012 -.038 -.184
DIS2 3.05 1.91 .222 .817 .213 -.027 -.006 -.087 -.043 -.066 -.128
DIS3 3.54 1.94 .164 .876 .178 -.046 -.048 -.048 -.015 -.053 -.097
DIS4 3.38 1.93 .207 .874 .178 -.013 -.023 -.002 -.015 -.034 -.107
WT1 3.19 1.96 .301 .338 .781 .057 .113 .103 -.048 -.017 -.106
WT2 3.34 2.03 .251 .222 .840 .118 .129 .092 .002 -.049 -.067
WT3 3.37 2.08 .250 .277 .856 .077 .120 .086 -.013 -.012 -.062
WT4 3.52 2.09 .254 .315 .832 .042 .057 .092 .018 .003 -.094
ESS1 4.06 2.09 -.031 -.075 .091 .809 .234 .157 .016 .113 .141
ESS2 3.20 1.89 .200 .061 .088 .818 .198 .142 -.003 .091 -.036
ESS3 3.85 2.02 .048 .010 .037 .865 .306 .131 .007 .047 .062
ESS4 3.65 1.98 .056 .048 .041 .817 .298 .123 .030 .021 .030
V1 3.86 1.95 .093 -.021 .092 .280 .862 .186 .011 .060 -.001
V2 4.02 1.90 .042 -.018 .056 .309 .866 .178 .019 .070 .029
V3 3.61 1.90 .152 -.005 .139 .319 .803 .199 -.050 .080 -.001
V4 4.13 1.96 .088 -.091 .111 .233 .824 .239 -.002 .065 .065
THR1 4.97 1.65 -.048 -.074 .063 .073 .061 .832 .049 .088 .111
THR2 4.76 1.72 .078 -.064 .090 .085 .091 .898 .065 .058 .067
THR3 4.30 1.76 .158 -.018 .057 .192 .152 .843 .028 .080 -.016
PA1 5.66 1.17 -.113 -.054 .010 .024 -.028 .154 .799 .137 .188
PA2 5.72 1.16 -.145 -.070 .038 -.002 -.015 .111 .816 .141 .224
PA3 5.33 1.44 -.061 -.018 .079 -.008 -.002 .044 .804 -.014 .121
INT1 5.46 1.41 -.078 -.106 -.042 .098 .091 .135 .251 .818 .260
INT2 5.19 1.42 .036 -.029 -.002 .074 .094 .055 .196 .866 .194
INT3 5.46 1.38 -.066 -.096 -.024 .111 .071 .120 .281 .814 .251
BEH1 5.74 1.48 -.062 -.177 -.052 .070 .001 .102 .153 .210 .859
BEH2 5.68 1.49 -.041 -.180 -.073 .072 .007 .097 .153 .230 .869
BEH3 5.57 1.50 .006 -.186 -.111 .021 -.001 .049 .229 .152 .793
BEH4 5.87 1.37 -.183 -.069 -.053 .027 .071 .044 .164 .080 .744
Note: DNY = denial; DIS = psychological distancing; WT = wishful thinking; ESS = emotional support seeking; V = venting; THR =
perceived threat; PA = perceived avoidability; INT = PFC intention; BEH = PFC behavior.

MIS Quarterly Vol. 43 No. 2–Appendices/June 2019 A15

Liang et al./An Emotion-Focused Coping Perspective

Appendix I
Robustness Test

While PFC behavior is the most central to improve security because it directly counters IT threats, behavioral intention has been widely used
by IT security researchers to infer users’ future security behavior (e.g., Anderson and Agarwal 2010; Johnston and Warkentin 2010). To relate
this research to the broad IT security literature, we estimated an alternative research model in which PFC behavior was replaced by PFC
intention while all the other parts remained unchanged. As Figure I1 shows, the model fit is satisfactory. The left side of the model remains
virtually the same. On the right side of the model, PFC intention is reduced by inward EFC decreases (β = -.23, p < .01), but increased by
outward EFC (β = .27, p < .01), perceived threat (β = .20, p < .01), and perceived avoidability (β = .42, p < .01). Therefore, it is confirmed
that the effects of EFC are consistent, despite some changes in magnitude, on both PFC behavior and PFC intention.

Notes: **p < .01; *p < .05

χ² = 662.48; df = 231; CFI = .96; TLI = .95; RMSEA = .04
Six control variables (Age, Gender, Education, Computer Experience, Online Hours, Security Breach Experience) were included
on the endogenous constructs.

Figure I1. Robustness Test with PFC Intention as the Dependent Variable

References

Anderson, C. L., and Agarwal, R. 2010. “Practicing Safe Computing: A Multimethod Empirical Examination of Home Computer User
Security Behavioral Intentions,” MIS Quarterly (34:3), pp. 613-643.
Arachchilage, N. A. G., and Love, S. 2014. “Security Awareness of Computer Users: A Phishing Threat Avoidance Perspective,” Computers
in Human Behavior (38), pp. 304-312.
Armstrong, J. S., and Overton, T. 1977. “Estimating Nonresponse Bias in Mail Surveys,” Journal of Marketing Research (14), pp. 396-402.
Beaudry, A., and Pinsonneault, A. 2010. “The Other Side of Acceptance: Studying the Direct and Indirect Effects of Emotions on Information
Technoloyg Use “ MIS Quarterly (34:4), pp. 689-710.
Boehmer, J., LaRose, R., Rifon, N., Alhabash, S., and Cotten, S. 2015. “Determinants of Online Safety Behaviour: Towards an Intervention
Strategy for College Students,” Behaviour & Information Technology (34:10), pp. 1022-1035.
Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., and Polak, P. 2015. “What Do Systems Users Have to Fear? Using Fear Appeals
to Engender Threats and Fear That Motivate Protective Security Behaviors,” MIS Quarterly (39:4), pp. 837-864.
Carver, C. S., Scheier, M. F., and Weintraub, J. K. 1989. “Assessing Coping Strategies: A Theoretically Based Approach,” Journal of
Personality and Social Psychology (56:2), pp. 267-283.
Cenfetelli, R. T., and Bassellier, G. 2009. “Interpretation of Formative Measurement in Information Systems Research,” MIS Quarterly (33:4),
pp. 689-707.

A16 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019

 Liang et al./An Emotion-Focused Coping Perspective

Chen, Y., and Zahedi, F.M. 2016. “Individuals’ Internet Security Perceptions and Behaviors: Polycontextual Contrasts Between the United
States and China,” MIS Quarterly (40:1), pp. 205-222.
Crossler, R., and Bélanger, F. 2014. “An Extended Perspective on Individual Security Behaviors: Protection Motivation Theory and a Unified
Security Practices (USP) Instrument,” ACM SIGMIS Database (45:4), pp. 51-71.
D’Arcy, J., Hovav, A., and Galletta, D. F. 2009. “User Awareness of Security Countermeasures and Its Impact on Information Systems
Misuse: A Deterrence Approach,” Information Systems Research (20:1), pp. 285-318.
Diamantopoulos, A. 2011. “Incorporating Formative Measures into Covariance-Based Structural Equation Models,” MIS Quarterly (35:2),
pp. 335-358.
Diamantopoulos, A., and Siguaw, J. A. 2006. “Formative Versus Reflective Indicators in Organizational Measure Development: A
Comparison and Empirical Illustration,” British Journal of Management (17:4), pp. 263-282.
Folkman, S., and Lazarus, R. S. 1985. “If it Changes it Must be a Process: Study of Emotion and Coping During Three Stages of a College
Examination,” Journal of Personality and Social Psychology (48:1), pp. 150-170.
Folkman, S., Lazarus, R. S., Dunkel-Schetter, C., DeLongis, A., and Gruen, R. J. 1986a. “Dynamics of a Stressful Encounter: Cognitive
Appraisal, Coping, and Encounter Outcomes,” Journal of Personality and Social Psychology (50:5), pp. 992-1003.
Folkman, S., Lazarus, R. S., Gruen, R. J., and DeLongis, A. 1986b. “Appraisal, Coping, Health Status, and Psychological Symptoms,” Journal
of Personality and Social Psychology (50:3), pp. 571-579.
Fornell, C., and Larcker, D. F. 1981. “Evaluating Structural Equation Models with Unobservable Variables and Measurement Error,” Journal
of Marketing Research (18:1), pp. 39-50.
Gefen, D., Rigdon, E. E., and Straub, D. 2011. “An Update and Extension to SEM Guidelines for Administrative and Social Science
Research,” MIS Quarterly (35:2), pp. iii-xiv.
Gefen, D., Straub, D., and Boudreau, M. 2000. “Structural Equation Modeling and Regression: Guidelines for Research Practice,”
Communications of the AIS (4:7).
Gerbing, D. W., and Anderson, J. C. 1984. “On the Meaning of Within-Factor Correlated Measurement Errors,” Journal of Consumer
Research (11:1), pp. 572-580.
Gross, J., and Thompson, R. A. 2007. “Emotion Regulation: Conceptual Foundations,” in Handbook of emotion regulation, J. J. Gross (ed.),
New York: Guilford Press, pp. 3-24.
Hair, J., Anderson, R., Tatham, R., and Black, W. 1998. Multivariate Data Analysis (5th ed.), Englewood Cliffs, NJ: Prentice Hall.
Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J., and Rao, H. R. 2014. “Security Services as Coping Mechanisms: An Investigation
into User Intention to Adopt an Email Authentication Service,” Information systems journal (24:1), pp. 61-84.
Hu, L., and Bentler, P. M. 1999. “Cutoff Criteria for Fit Indexes in Covariance Structure Analysis: Conventional Criteria Versus New
Alternatives,” Structural Equation Modeling: A Multidisciplinary Journal (6:1), pp. 1-55.
Jarvis, C. B., MacKenzie, S. B., and Podsakoff, P. M. 2003. “Critical Review of Construct Indicators and Measurement Model
Misspecification in Marketing and Consumer Research,” Journal of Consumer Research (30:2), pp. 199-218.
Jenkins, J. L., Grimes, M., Proudfoot, J. G., and Lowry, P. B. 2014. “Improving Password Cybersecurity Through Inexpensive and Minimally
Invasive Means: Detecting and Deterring Password Reuse Through Keystroke-Dynamics Monitoring and Just-in-Time Fear Appeals,”
Information Technology for Development (20:2), pp. 196-213.
Johnston, A. C., and Warkentin, M. 2010. “Fear Appeals and Information Security Behaviors: An Empirical Study,” MIS Quarterly (34:3),
pp. 549-566.
Koufterosa, X., Babbar, S., and Kaighobadi, M. 2009. “A Paradigm for Examining Second-Order Factor Models Employing Structural
Equation Modeling,” Structural Equation Modeling: A Multidisciplinary Journal (120:2), pp. 633-652.
Lai, F., Li, D., and Hsieh, C.-T. 2012. “Fighting Identity Theft: The Coping Perspective,” Decision Support System (52:2), pp. 353-363.
Law, K. S., Wong, C., and Mobley, W. H. 1999. “Toward a Taxonomy of Multidimensional Constructs,” Academy of Management Review
(23:4), pp. 741-755.
Lee, Y., and Kozar, K. 2005. “Investigating Factors Affecting the Adoption of Anti-Spyware Systems,” Communications of the ACM (48:8),
pp. 72-77.
Lee, Y., and Larsen, K. R. 2009. “Threats or Coping Appraisal? Determinants of SMB Executives’ Decision to Adopt Anti-Malware
Software,” European Journal of Information Systems Research (18), pp. 177-187.
Liang, H., and Xue, Y. 2009. “Avoidance of Information Technology Threats: A Theoretical Perspective,” MIS Quarterly (33:1), pp. 71-90.
Liang, H., and Xue, Y. 2010. “Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective,” Journal
of the Association for Information Systems (11:7), pp. 394-413.
Lindell, M. K., and Whitney, D. J. 2001. “Accounting for Common Method Variance in Cross-Sectional Research Designs,” Journal of
Applied Psychology (86:1), pp. 114-121.
Moore, G. C., and Benbasat, I. 1991. “Development of an Instrument to Measure the Perceptions of Adopting an Information Technology
Innovation,” Information Systems Research (2:3), pp. 192-222.
Ng, B.-Y., Kankanhalli, A., and Xu, Y. C. 2009. “Studying Users’ Computer Security Behavior: A Health Belief Perspective,” Decision
Support System (46:4), pp. 815-825.

MIS Quarterly Vol. 43 No. 2–Appendices/June 2019 A17

Liang et al./An Emotion-Focused Coping Perspective

Nunnally, J. 1978. Psychometric Theory (2nd ed.), New York: McGraw-Hill.

Petter, S., Straub, D., and Rai, A. 2007. “Specifying Formative Constructs in Information Systems Research,” MIS Quarterly (31:4), pp.
623-656.
Podsakoff, P. M., MacKenzie, S. B., Lee, J. Y., and Podsakoff, N. P. 2003. “Common Method Biases in Behavioral Research: A Critical
Review of the Literature and Recommended Remedies,” Journal of Applied Psychology (88:5), pp. 879-903.
Sharma, S., Mukherjee, S., Kumar, A., and Dillon, W. R. 2005. “A Simulation Study to Investigate the Use of Cutoff Values for Assessing
Model Fit in Covariance Structure Models,” Journal of Business Research (58), pp. 935-943.
Tsai, H.-Y. S., Jiang, M., Alhabash, S., LaRose, R., Rifon, N. J., and Cotten, S. R. 2016. “Understanding Online Safety Behaviors: A
Protection Motivation Theory Perspective,” Computers & Security (59), pp. 138-150.
Tu, Z., Turel, O., Yuan, Y., and Archer, N. 2015. “Learning to Cope with Information Security Risks Regarding Mobile Device Loss or Theft:
An Empirical Examination,” Information & Management (52:4), pp. 506-517.
Workman, M., Bommer, W. H., and Straub, D. 2008. “Security Lapses and the Omission of Information Security Measures: A Threat Control
Model and Empirical Test,” Computers in Human Behavior (24:6), pp. 2799-2816.

A18 MIS Quarterly Vol. 43 No. 2–Appendices/June 2019

Copyright of MIS Quarterly is the property of MIS Quarterly and its content may not be
copied or emailed to multiple sites or posted to a listserv without the copyright holder's
express written permission. However, users may print, download, or email articles for
individual use.