Many of the theories used in behavioral cybersecurity research have been applied with a nomothetic approach, which is characterized by cross-sectional data (e.g., one-time surveys) that identify patterns across a population of individuals. Although this can provide valuable between-person, point-in-time insights (e.g., employees who use neutralization techniques, such as denying responsibility for cybersecurity policy violations, tend to comply less), it is unable to reveal within-person patterns that account for varying experiences and situations over time. This paper articulates why an idiographic approach, which undertakes a within-person analysis of longitudinal data, can: (1) help validate widely used theories in behavioral cybersecurity research that imply patterns of behavior within a given person over time and (2) provide distinct theoretical insights on behavioral cybersecurity phenomena by accounting for such within-person patterns. To these ends, we apply an idiographic approach to an established theory in behavioral cybersecurity research—neutralization theory—and empirically test a within-person variant of this theory using a four-week experience sampling study. Our results support a more granular application of neutralization theory in the cybersecurity context that considers the behavior of a given person over time. We conclude the paper by highlighting the contexts and theories that provide the most promising opportunities for future behavioral cybersecurity research using an idiographic approach.

中文翻译：

---

时间会证明一切：行为网络安全研究的具体方法案例

行为网络安全研究中使用的许多理论都采用了规则方法，其特点是通过横截面数据（例如一次性调查）来识别人群中的模式。尽管这可以提供有价值的人与人之间的时间点洞察（例如，使用中和技术的员工，例如否认违反网络安全政策的责任，往往遵守较少），但它无法揭示人内部的模式随着时间的推移，经历和情况会有所不同。本文阐明了为什么对纵向数据进行人内分析的具体方法可以：（1）帮助验证行为网络安全研究中广泛使用的理论，这些理论暗示了特定人随时间的行为模式，（2）提供了不同的通过考虑此类内部模式，对行为网络安全现象进行理论见解。为此，我们对行为网络安全研究中的既定理论（中和理论）应用了具体的方法，并通过为期四个星期的经验抽样研究对该理论的内部变体进行了实证测试。我们的结果支持中和理论在网络安全环境中更精细的应用，该环境考虑了特定人随时间的行为。我们通过强调为未来行为网络安全研究提供最有希望机会的背景和理论来总结本文。