Cybersecurity Protection Behavior Among US Military Veterans in White-Collar Jobs

A Dissertation by: Dr. Alex A. Djahankhah (Florida International University)

Date: 2024

Introduction

Cyber threats are accelerating at a remarkable pace in our digitally connected world. Despite growing awareness of online risks, many individuals continue to overlook basic cybersecurity measures—creating a critical “intention-behavior gap.” This dissertation explores how certain individuals, specifically U.S. military veterans in white-collar positions, respond to cybersecurity threats and adopt proactive protection behaviors. By better understanding veterans’ perceived threat awareness, coping strategies, and motivations, we can identify ways to strengthen organizational cybersecurity. Ultimately, this research aims to shed light on strategies to foster robust security practices in professional environments.

Problem Statement

The escalation of cyber threats demands more than just a technological response; it necessitates a deeper look into personal motivation, risk perception, and security habits. Although most professionals acknowledge the dangers of poor cybersecurity practices, it is common to witness a discrepancy between knowing about threats and actively preventing them. The 2021 Colonial Pipeline cyberattack, for example, proved that just one lax password or neglected security step can trigger widespread disruptions. Such incidents highlight the importance of each employee’s commitment to secure online behavior. U.S. military veterans, trained in risk management and mission focus, may hold a particularly unique mindset that could serve as a catalyst for improved workplace cybersecurity.

Significance of the Problem

Cybersecurity is increasingly vital due to our society’s reliance on digital systems. Beyond personal identity theft or organizational data breaches, compromised systems can negatively affect entire industries or national security. For corporations, the role employees play is critical: people who adopt strong cybersecurity habits can prevent costly incidents. In this study, we focus on one segment of the workforce—U.S. military veterans. Veterans have a heightened sense of duty, an innate understanding of high-stakes scenarios, and are accustomed to following protocols under pressure. These traits could positively influence security practices at work.

Nevertheless, while veterans often have valuable real-world risk assessment skills, especially regarding physical threats, digital security can be a new landscape—one not always emphasized in their prior training. Understanding their perceptions, skill gaps, and strengths is key to enhancing security outcomes in the civilian workplace. Studying veterans’ attitudes and behaviors, in turn, offers broader insights into organizational cybersecurity best practices for all employees.

Research Gap

Despite wide recognition of veterans’ leadership and crisis-management abilities, minimal research focuses on the intersection of veterans’ experiences and proactive cybersecurity behaviors. Military veterans often excel under high stress, operate effectively in teams, and are more “company-loyal” than the general population. This combination suggests they might translate their robust sense of mission-focus and discipline into strong cybersecurity behavior, yet the academic community lacks direct empirical evidence. By quantifying veterans’ attitudes toward digital threats and documenting how they cope with cybersecurity responsibilities, this study aims to fill an important gap and provide a foundation for related future research.

Research Questions

This study explores the factors influencing cybersecurity protection behavior among U.S. military veterans holding white-collar positions. Specifically, we ask:

• Key Question: What factors most powerfully shape cybersecurity protection behaviors among veterans in these professional roles?
• How do veterans’ perceptions of threat severity and vulnerability impact their fear of internet security threats?
• How do coping appraisals (e.g., self-efficacy and response efficacy) affect cybersecurity intention?
• Does a veteran’s innate resilience (hardiness) moderate the relationship between their fear of cyber threats and their intention to safeguard systems?

Research Contributions

In investigating the cybersecurity intentions of military veterans, we leverage the Protection Motivation Theory (PMT) framework, enriched by the concept of “hardiness.” While PMT outlines how threat appraisals and coping strategies predict self-protective behaviors, hardiness emphasizes the resilience and commitment veterans often demonstrate. Collectively, these theories can shed new light on the ways veterans might bolster organizational security and reveal targeted strategies to empower a broader workforce. By demonstrating how veterans assess, respond to, and navigate online threats, this research offers a blueprint for tailoring cybersecurity education, designing relevant workplace policies, and strengthening overall defense against cyberattacks.

Background Literature Review and Theory

A. Cybersecurity Environment

The cybersecurity landscape is driven by the growing sophistication of malicious actors, from individuals to state-sponsored groups. Large organizations are prime targets due to the potential payoffs, yet small and midsize enterprises are also increasingly at risk. Human factors—like neglecting strong passwords or ignoring security updates—often create vulnerabilities no matter the technical defenses in place. Researchers emphasize that employee awareness, training, and consistent compliance with security protocols serve as critical bulwarks against cyber threats.

B. Protection Motivation Theory (PMT)

PMT explains individuals’ motivations to adopt protective behaviors when confronted with threats. The theory splits into two categories:

• Threat Appraisal: Perceived severity (is the potential damage severe?) and perceived vulnerability (could it realistically happen to me?).
• Coping Appraisal: Response efficacy (do recommended behaviors effectively mitigate the threat?), self-efficacy (am I confident in my ability to carry out protective actions?), and response costs (is the behavior too inconvenient or time-consuming?).

When people believe a threat is both severe and likely to affect them, and when they feel capable of responding effectively, they are more motivated to engage in protective actions. In the workplace context, ensuring employees have sufficient training and confidence to apply security measures can enhance compliance with best practices.

C. Hardiness

Hardiness is a resilience factor measured by three core attributes: commitment (feeling a strong sense of purpose in life), control (believing one can influence outcomes), and challenge (viewing obstacles as growth opportunities rather than looming threats). Past studies show that hardiness can moderate stress responses, enabling individuals to bounce back more effectively from adversity. For veterans, this can translate into coping well under a range of pressures, including cyber-related threats.

D. Veterans in White-Collar Roles

Transitioning from the military into a civilian profession can be both empowering and challenging. Veterans bring proven leadership, discipline, and team-based skills, which align with cybersecurity demands, yet digital security threats differ significantly from physical, real-world dangers. Identifying how veterans perceive online risks, adapt to new systems, and align their habits with corporate security standards is crucial for maximizing their strengths in the cybersecurity arena.

Research Design

To investigate how veterans view, assess, and respond to cyber threats, a quasi-experimental design was used, supported by an online survey. Participants met these criteria:

• Honorably discharged U.S. veterans
• Currently working in full-time, knowledge-based or “white-collar” roles

Questions assessed their perceived vulnerability, perceived severity, fear of internet threats, self-efficacy, response efficacy, response costs, and overall cybersecurity intentions. Additional items measured the psychological trait of hardiness. Statistical analyses, including exploratory factor analysis (EFA) and structural equation modeling (SEM), were conducted on the collected data to test the proposed hypotheses and relationships.

Participants and Procedures

Subjects were recruited via reputable online platforms and social media channels frequented by veterans. All responses remained anonymous, and participants had the option to exit the survey at any time. Basic demographic information—such as age, gender, military rank, and industry—was collected to ascertain that the sample reflected the diversity of veterans in white-collar fields.

Measurements

The survey used a 7-point Likert scale to capture the intensity of agreement with statements related to PMT variables and hardiness. These measurements were adopted from previously validated instruments in cybersecurity behavior and psychology research. Internal consistency checks (Cronbach’s alpha) ensured the reliability of each factor, while confirmatory factor analysis (CFA) validated the measurement structure.

Data Analysis and Results

Data from 194 veterans were used in the final analysis after eliminating incomplete or ineligible responses. Results indicated the measurement model had an acceptable fit. Key findings include:

• Threat Appraisal: Veterans’ perceived severity and vulnerability to cyber threats significantly increased their fear of such attacks.
• Coping Appraisal: While response cost (time or inconvenience) negatively influenced a veteran’s intention to adopt secure behaviors, self-efficacy and response efficacy did not strongly predict cybersecurity intentions in this dataset. This might suggest overconfidence or a belief that the organization’s broader security environment mitigates personal responsibility.
• Fear’s Role: Higher fear levels correlated with stronger cybersecurity intentions—although the effect was moderate. Some veterans, possibly due to extensive risk training, might manage or even downplay digital threats differently than physical ones.
• Hardiness: The notion that hardiness (commitment, control, challenge) would magnify the link between fear and security intentions was not statistically supported, meaning resiliency and discipline did not necessarily boost the effect of fear on behavior.

Discussion

These findings suggest that veterans do perceive cyber threats realistically, recognizing both the scope and potential seriousness of attacks. Their military training encourages vigilance and situational awareness, explaining the high threat appraisal scores. However, actual coping efforts—such as consistently implementing security patches, rotating strong passwords, or adhering strictly to data protection policies—may be undermined by response costs or a belief that the organization itself has robust security, thus reducing personal pressure to comply.

Moreover, while we might expect highly resilient veterans to transform worry into action more readily, this dataset did not show a significant moderation by hardiness. The complexity of cybersecurity threats—often invisible and intangible—may require specialized training beyond standard organizational awareness programs. Overcoming “invisible threat fatigue” demands ongoing education, up-to-date information, and routine testing of employees’ cybersecurity readiness.

Implications

Practical for Organizations: Companies that employ veterans can leverage their risk awareness and strong sense of duty but should not assume that veterans require no additional support. Enhanced, dedicated cybersecurity training can better align their protective instincts with digital landscapes. Organizations should also minimize “response costs” by simplifying security protocols wherever possible—e.g., user-friendly password management tools or one-click software update processes—so that employees are more likely to comply.

Policy and Training: Ensuring that veterans transition smoothly into civilian workplaces with proper cybersecurity upskilling can be a win-win scenario. Encouraging advanced professional certifications and enabling mentorship programs are practical steps. Policymakers could collaborate with veterans’ organizations to fund and promote specialized cybersecurity pathways for service members nearing discharge.

Encouraging a Forward-Thinking Outlook: Cyber threats are dynamic. Merely relying on past successes—military or otherwise—can be insufficient. We should celebrate veterans’ adaptability and discipline, but also spark continuous learning initiatives, given the ever-shifting digital risk landscape. Equipping veterans to become cybersecurity champions can strengthen both individual careers and the broader security posture of American businesses.

Limitations and Future Research

Limitations include reliance on self-reported data, which can introduce social desirability bias. The broad sampling may also miss the nuances between different military roles or branches, as well as levels of digital literacy. Further work might explore:

• Comparative Studies: Contrasting veterans with non-veterans, or with veterans who served strictly in cyber or intelligence roles.
• Qualitative Insights: Conducting interviews or focus groups to pinpoint when, how, and why veterans adopt or resist various cybersecurity practices.
• Veterans in Leadership: Exploring cybersecurity policies and priorities in veteran-led companies and how executive-level decisions influence employee security culture.

References

Note: Below is a representative listing of references drawn upon in the dissertation. For a complete reference list, please see the full dissertation document.

• Anwar, M., et al. (2017). “Gender Difference and Employees' Cybersecurity Behaviors.” Computers in Human Behavior, 69, 437-443.
• Chen, Y., Luo, X. R., & Li, H. (2022). “Beyond Adaptive Security Coping Behaviors: Theory and Empirical Evidence.” Information & Management, 59(2).
• Kobasa, S. C. (1979). “Stressful Life Events, Personality, and Health: An Inquiry into Hardiness.” Journal of Personality and Social Psychology, 37(1), 1-11.
• Vance, A., Siponen, M., & Pahnila, S. (2012). “Motivating IS Security Compliance: Insights from Habit and Protection Motivation Theory.” Information & Management, 49(3–4), 190–198.
• Egelman, S., & Peer, E. (2015). “Scaling the Security Wall: Developing a Security Behavior Intentions Scale (SeBIS).” CHI 2015 Proceedings.

About the Author:
This dissertation was submitted in partial fulfillment of the requirements for the degree of Doctor of Business Administration at Florida International University, under the supervision of Professor Amin Shoja. The work is © 2024 by the author, all rights reserved.

Encouragement:
As we look ahead, let’s remember that robust cybersecurity is a team effort—one that thrives when individuals bring their talents, training, and unique experiences together. Whether you are a veteran or civilian professional, you can make a meaningful impact by staying curious, taking proactive security steps, and helping shape an environment that is resilient against ever-evolving cyber threats.