Name of theory

Theory of Planned Behaviour

Key reference

(Ajzen, 1991)


The Theory of Planned Behaviour (TPB) is a model to explain determinants of behaviour and is an extension of the Theory of Reasoned Action. The model consists of four predictors of behaviour: attitudes, subjective norms, perceived behavioural control, and behavioural intention (see Figure 1). Attitudes are considered peoples’ individual beliefs and motivations. What do they think about the target behaviour, and are they motivated to perform this behaviour? Subjective norms consider the role of the environment. What do people around you do? What are their views and values? This can be both peers in terms of age/background, but also co-workers, or people in your neighbourhood. Perceived behavioural control focuses on how easy or difficult it is for an individual do perform the target behaviour. Important to note is that this is a perception, rather than a factual statement. Hence, when people perceive a behaviour to be easy, they are more likely to perform that behaviour, while if they are experiencing many barriers, this could lead to withdrawal. These three factors then lead to the intentions to perform the target behaviour which in turn leads to the actual behaviour occurring. Ajzen also suggested a direct link between perceived behavioural control and behaviour. However, as most research using the Theory of Planned behaviour is about explaining the (non)occurrence of behaviour or is used to predict the impact of behavioural interventions, the specific path from Perceived Behavioural Control to Behaviour is usually not receiving much attention. The difference between the Theory of Planned Behaviour and the Theory of Reasoned Action is the inclusion of Perceived Behavioural Control as a factor in the model.

Application within the field of cybersecurity

As the Theory of Planned Behaviour (TPB) is one of the main behavioural models in behavioural science and psychology, it has been applied to a range of cybersecurity behaviours. Mostly, the discussion around the use of TPB involves whether other factors need to be added to the model to be more useful in the cybersecurity domain. These factors include behaviour specific elements, as well as more broader elements that can be included for the domain of cybersecurity such as habits and anticipated regret, the extent to which someone is expecting to experience feelings of regret in case they do not behave in a certain fashion.

Annotated bibliography

Sommestad et al. (2017). The authors tested a wide range of factors that could be added to the Theory of Planned Behaviour to make it more relevant for security policy compliance projects. These included factors such as cost of compliance, work impediment of compliance and security threat severity. While some factors showed significant relationships with the intention factor in the TPB, only anticipated regret and habits significantly improved the explained variance of the model.

Ifinedo (2012). This study aimed at combining the Theory of Planned Behaviour with Protection Motivation Theory (PMT) to see whether the combination would be better at predicting information systems security policy compliance by running a survey involving information security professionals and business managers. They found that the PMT factors self and response efficacy and perceived vulnerability were useful additions to the Theory of Planned Behaviour.

Wilson et al. (2021). In this paper, a path model analysis of predictors of sexting behaviour is discussed. In this paper, the authors use the two-component model of the Theory of Planned Behaviour, which is expanded on by adding relationship specific factors. While the TPB predicts sexting behaviour, the addition of the relationship specific factors does not show to be relevant in predicting sexting behaviour.


Ajzen, I. (1991). The theory of planned behavior. Organizational behavior and human      decision processes50(2), 179-211.

Ifinedo, P. (2012). Understanding information systems security policy compliance: An      integration of the theory of planned behavior and the protection motivation theory. Computers & Security31(1), 83-95.

Sommestad, T., Karlzén, H., & Hallberg, J. (2017). The theory of planned behavior and      information security policy compliance. Journal of Computer Information Systems.

Wilson, C., van Steen, T., Akinyode, C., Brodie, Z. P., & Scott, G. G. (2021). To sext or not to          sext. The role of social-cognitive processes in the decision to engage in         sexting. Journal of Social and Personal Relationships38(4), 1410-1429.

Download this page as a pdf-file:

Download slides about this topic that you can embed into your presentation / lecture: