Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Fan Zhou,Hongxu Lu,Chunping Jiang

DOI: https://doi.org/10.1016/j.ssci.2023.106353

IF: 6.392

2024-01-01

Safety Science

Abstract:Non-compliant behaviors have been indicated to be leading indicators of accidents in workplaces. Though most studies treat intentional non-compliant behavior or violations as monolithic indicators for adverse safety performance, non-compliant behaviors might take different forms with distinct motives and outcomes. To examine and compare the effects of different forms of non-compliant safety behavior, we proposed a construct of risk-adjusted non-compliant behavior, which refers to employees' deliberate deviation from safety rules while considering safety concerns and adjusting their behavior accordingly, and investigated the differential antecedent effects by contextual factors and consequential effects on safety outcomes. By a sample of 390 workers and their supervisors in a power grid construction firm, the results of our study indicated that safety climate and transformational leadership were positively associated with safety compliance and negatively associated with violation by multi-level analyses. However, active transactional leadership also had a positive association with risk-adjusted non-compliant behavior, and this association was moderated by safety climate such that the relationship was stronger in higher level of safety climate. Furthermore, although risk-adjusted non-compliant behavior did not significantly affect penalties for deviance compared to violation behavior, it increased the workers' risk perception of hazard. The implications of these findings for theory were discussed.

Salvatore Aurigemma,Thomas Mattson

DOI: https://doi.org/10.1108/ics-07-2018-0086

2019-01-01

Information and Computer Security

Abstract:PurposeThis paper aims to examine the impact an individual’s long-term orientation (a cultural dimension) has on their attitude, behavioral intention and actual voluntary security actions taken in the context of the dangers related to poor account access management.Design/methodology/approachThe paper relied upon survey data and actual usage information from a culturally diverse sample of 227 individuals who were introduced to the specific security problem and the accepted solution of using a password manager application.FindingsThe paper provides empirical evidence that the effect of positive attitudes increased when individuals were more long-term oriented, but the effect was reversed for average/negative attitudes toward the voluntary security behavior. Furthermore, participants with high long-term orientation and strong positive attitudes toward the security action actually adopted password manager applications 57 per cent more than the average adoption rate across the sample.Research limitations/implicationsDue to the research approach (survey data), security context and sample population, the research results may lack generalizability.Practical implicationsThe findings suggest that security awareness messaging and training should account for differences in long-term orientation of the target audience and integrate the distinctly different types of messages that have been shown to improve an individual’s participation in voluntary security actions.Originality/valueThe paper addresses previous research calls for examining possible cultural differences that impact security behaviors and is the only study that has focused on the impact of long-term orientation, specifically on voluntary security actions.

Jaeung Lee,Jingguo Wang,Melchor C. de Guzman,Manish Gupta,H. Raghav Rao

DOI: https://doi.org/10.1109/tts.2024.3418621

2024-01-01

IEEE Transactions on Technology and Society

Abstract:Employees’ extra-role security behaviors can help organizations reduce safety and security threats in their operational environment and protect organizational assets. What antecedents can foster employees’ engagement in such behaviors is an important question. In this study, we consider such extra-role security behaviors as protective behaviors that are driven by employees’ motivation to protect organizational digital assets. This study draws upon Protection Motivation Theory (PMT) and suggests that employees’ threat appraisal and security self-efficacy are key to such extra-role security behaviors. Also, the study opens the black box of threat appraisal using Routine Activity Theory (RAT), proposing that employees’ appraisal of the threat of data breach is from an understanding of routine activities within their organization. The research model is developed based on the above and test the model with employees working in financial organizations. The analyses show that both perceived threat of data breaches and perceived security efficacy increase employees’ engagement in extra-role behaviors. Further, security efficacy reinforces the effect of the threat of data breaches on extra-role behavior. Finally, the suitability of data as well as, interestingly, the presence of guardianship, increases the perceived threat of data breach.

Ying Li,Ting Pan,Nan Zhang,Nan (Andy) Zhang

DOI: https://doi.org/10.1108/jeim-01-2019-0018

2019-09-23

Journal of Enterprise Information Management

Abstract:Purpose This paper is to investigate how employees respond to information security policies (ISPs) when they view the policies as a challenge rather than a hindrance to work. Specifically, the authors examine the roles of challenge security demands (i.e. continuity and mandatory) and psychological resources (i.e. personal and job resources) in influencing employees’ ISP non-compliance. Design/methodology/approach Applying a hypothetical scenario-based survey method, the authors tested our proposed model in six typical ISPs violation scenarios. In sum, 347 responses were collected from a global company. The data were analyzed using partial least square-based structural equation model. Findings Findings indicated that continuity and mandatory demands increased employees’ level of perseverance of effort, which, in turn, decreased their ISPs non-compliance intention. In addition, job resources, such as the trust enhancement gained from co-workers and the opportunities for professional development, enhanced the perseverance of effort. Practical implications The findings offer implications to practice by suggesting that organizations should design training programs to persuade employees to understand the ISPs in a positive way. Meanwhile, organizations should encourage employees to invest more personal resources by creating a trusting atmosphere and providing them opportunities to learn security knowledge and skills. Originality/value This study is among the few to empirically explore how employees respond and behave when they view the security policies as challenge stressors. The paper also provides a novel understanding of how psychological resources contribute to buffering ISP non-compliance.

information science & library science,management

Xue Yang,Wei T. Yue,Choon Lin Sia

DOI: https://doi.org/10.1007/978-3-642-29873-8_17

2012-01-01

Abstract:IS security policy is one of the essential tools to ensure the secure use of information systems and technological assets. To enhance the effectiveness of policy implementation, organizations rely on security training, education and awareness (STEA) programs to help employees understand the IS security issues of the organization. However, different levels of STEA informativeness may have conflicting effects on employees' compliance decisions. In addition, the urgency of a task may also lead employees to abandon the compliance decision occasionally. The existing corporate information security policy (ISP) could also serve as a deterrence message that would influence compliance decisions. An experimental survey was conducted to examine this phenomenon and test the related hypotheses. The results of this study can be used to inform and guide researchers and practitioners as to how to better enforce an IS security policy through better implementation of STEA programs and improved design of ISP in different task scenarios.

Wenqin Li,Rongmin Liu,Linhui Sun,Zigu Guo,Jie Gao

DOI: https://doi.org/10.3390/ijerph192316038

IF: 4.614

2022-12-01

International Journal of Environmental Research and Public Health

Abstract:Employee security compliance behavior has become an important safeguard to protect the security of corporate information assets. Focusing on human factors, this paper discusses how to regulate and guide employees' compliance with information security systems through effective methods. Based on protection motivation theory (PMT), a model of employees' intention to comply with the information security system was constructed. A questionnaire survey was adopted to obtain 224 valid data points, and SPSS 26.0 was applied to verify the hypotheses underlying the research model. Then, based on the results of a regression analysis, fuzzy set qualitative comparative analysis (fsQCA) was used to explore the conditional configurations that affect employees' intention to comply with the information security system from a holistic perspective. The empirical results demonstrated that perceived severity, perceived vulnerability, response efficacy, and self-efficacy all positively influenced the employees' intention to comply with the information security system; while rewards and response costs had a negative effect. Threat appraisal had a greater effect on employees' intention to comply with the information security system compared to response appraisal. The fsQCA results showed that individual antecedent conditions are not necessary to influence employees' intention to comply with an information security system. Seven pathways exist that influence an employees' intention to comply with an information security system, with reward, self-efficacy, and response cost being the core conditions having the highest probability of occurring in each configuration of pathways, and with perceived severity and self-efficacy appearing in the core conditions of configurations with an original coverage greater than 40%. Theoretically, this study discusses the influence of the elements of PMT on employees' intention to comply with an information security system, reveals the mechanism of influence of the combination of the influencing factors on the outcome variables, and identifies the core factors and auxiliary factors in the condition configurations, providing a new broader perspective for the study of information security compliance behavior and providing some theoretical support for strengthening enterprise security management. Practically, targeted suggestions are proposed based on the research results, to increase the intention of enterprise employees to comply with information security systems, thereby improving the effectiveness of enterprise information security management and the degree of information security in enterprises.

public, environmental & occupational health,environmental sciences

Nader Sohrabi Safa,Carsten Maple,Steve Furnell,Muhammad Ajmal Azad,Charith Perera,Mohammad Dabbagh,Mehdi Sookhak

DOI: https://doi.org/10.1016/j.future.2019.03.024

IF: 7.307

2019-08-01

Future Generation Computer Systems

Abstract:Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a significant portion of the threats to information assets in organisations. This research presents a novel conceptual framework to mitigate the risk of insiders using deterrence and prevention approaches. Deterrence factors discourage employees from engaging in information security misbehaviour in organisations, and situational crime prevention factors encourage them to prevent information security misconduct. Our findings show that perceived sanctions certainty and severity significantly influence individuals’ attitudes and deter them from information security misconduct. In addition, the output revealed that increasing the effort, risk and reducing the reward (benefits of crime) influence the employees’ attitudes towards prevent information security misbehaviour. However, removing excuses and reducing provocations do not significantly influence individuals’ attitudes towards prevent information security misconduct. Finally, the output of the data analysis also showed that subjective norms, perceived behavioural control and attitude influence individuals’ intentions, and, ultimately, their behaviour towards avoiding information security misbehaviour.

Jie Zhen,Zongxiao Xie,Kunxiang Dong,Lin Chen

DOI: https://doi.org/10.1080/0144929X.2021.1921029

2021-05-05

Behaviour and Information Technology

Abstract:Security research on the role of employees' negative emotions in their information security policy (ISP) violations is limited. In this study, we examine how employees' negative emotions influence their intention to violate ISP. To understand how to reduce employees' negative emotions, we investigate the effects of perceived organisational support, psychological ownership, and work engagement. We test our hypotheses using survey data of 318 employees from various organisations in China. Results indicate that employees with negative emotions are more likely to violate ISP, while perceived organisational support, psychological ownership, and work engagement can reduce employees' negative emotions. Furthermore, psychological ownership and work engagement partially mediate the relationship between perceived organisational support and negative emotions. The theoretical and practical significance of these results and the direction of future research are discussed.

ergonomics,computer science, cybernetics

Ashraf Mady,Saurabh Gupta,Merrill Warkentin

DOI: https://doi.org/10.1111/isj.12424

IF: 7.767

2023-01-11

Information Systems Journal

Abstract:Organisations implement a variety of knowledge mechanisms such as information security education, training and awareness (SETA) programs and information security policies, to influence employees' secure behaviour. Despite increased efforts to provide information systems (IS) security knowledge to employees, data breaches and other security incidents resulting from insider behaviour continue. Recent IS security research, primarily grounded on assumptions of employees' rational assessment of numerous factors, has yielded inconsistent results. Challenging this paradigm, we model secure behaviour on security knowledge mechanisms, which focuses on the multidimensional nature of security knowledge breadth, depth and finesse to represent the full array of managerial levers. We further draw on construal level theory to conceptualise users' perceptual judgements of security messages. Two studies support our model, with the second building on the first. Study 1, an experiment with 312 participants, focused on validating the treatments. Study 2, a survey with 219 participants, validated the entire model. Results showed that our model has significantly more explanatory and predictive power than the orthodox paradigm. Our results have practical implications for optimising the organisation of knowledge mechanisms by emphasising the personal relevance of threats and defining the factors that lead to secure behaviour. We also contribute to the discourse on information security research and provide a template for integrating theories, thus opening new avenues for future research.

information science & library science

Salvatore Aurigemma,Thomas Mattson

DOI: https://doi.org/10.1016/j.cose.2017.11.001

IF: 5.105

2018-01-01

Computers & Security

Abstract:In this paper, we investigate the main and qualifying effect of Hofstede's uncertainty avoidance dimension (i.e., a culture's acceptance of ambiguous or uncertain situations) of national culture on an individual's protection motivation intentions (using protection motivation theory) to adopt an information security control voluntarily. Uncertainty avoidance is particularly relevant to protection motivation theory and voluntary security related actions, because individuals often perceive high levels of ambiguity related to the threat and the mitigating control that can be adopted voluntarily. The voluntary action that we investigated in this paper is the adoption of password managers due to the perceived uncertainty associated with the threat of having poor password management practices and the ambiguity related to the efficacy of adopting a password manager to mitigate this threat. Using a survey of 227 nationally diverse individuals, we found that uncertainty avoidance qualified the impact of perceived threat vulnerability and perceived threat severity on protection motivations to adopt a password manager voluntarily. In our data, the differential effect of uncertainty avoidance on perceived threat vulnerabilities was greater for those individuals reporting a below average level of uncertainty avoidance relative to an above average level of uncertainty avoidance, but we found the opposite qualifying effect on perceived threat severity. Counter to what we hypothesized, we found that the effect of uncertainty avoidance on protection motivations was negative. These results generally hold for the core and full PMT models. Our study suggests that a one-size fits all approach to security awareness education and training (especially for voluntary security actions) may not be appropriate due to the differential effect associated with individuals from different national cultures.

John D'Arcy,Paul Benjamin Lowry

DOI: https://doi.org/10.1111/isj.12173

IF: 7.767

2017-11-08

Information Systems Journal

Abstract:We present a model of employee compliance with information security policy (ISP) that (1) explicates stable, cognitive beliefs regarding the consequences of compliance and noncompliance as well as state‐based affective constructs, namely, positive and negative mood states and episodic, security‐related work‐impediment events, and (2) provides an expanded conceptualisation of moral considerations and normative influences regarding employees' ISP compliance. Because affect is central to this theorisation, we ensure that the model captures and explains differences in day‐to‐day affective constructs to account for the often fleeting nature of affective states. We test our multilevel model using an experience‐sampling methodology design, in which employees completed daily surveys over a 2‐week period, followed by a hierarchal linear modelling statistical assessment. Our contribution to theory is a unique account of ISP compliance that integrates affective factors with constructs from rational choice theory and theory of planned behaviour and that diverges from prior conceptualisations of ISP compliance as a purely stable and reason‐based phenomenon. For practitioners, our results suggest that a combination of cognitive and affective influences may produce discrete episodes of ISP compliance that do not coincide with prior behavioural trends.

information science & library science

Aristotle Onumo,Irfan Ullah-Awan,Andrea Cullen

DOI: https://doi.org/10.1145/3424282

2021-06-01

ACM Transactions on Management Information Systems

Abstract:The increase in cybersecurity threats and the challenges for organisations to protect their information technology assets has made adherence to organisational security control processes and procedures a critical issue that needs to be adequately addressed. Drawing insight from organisational theory literature, we develop a multi-theory model, combining the elements of the theory of planned behaviour, competing value framework, and technology—organisational and environmental theory to examine how the organisational mechanisms interact with espoused cultural values and employee cognitive belief to influence cybersecurity control procedures. Using a structured questionnaire, we deployed structural equation modelling (SEM) to analyse the survey data obtained from public sector information technology organisations in Nigeria to test the hypothesis on the relationship of socio-organisational mechanisms and techno-cultural factors with other key determinants of employee security behaviour. The results showed that knowledge of cybersecurity and employee cognitive belief significantly influence the employees’ intentions to comply with organisational cybersecurity control mechanisms. The research further noted that the influence of organisational elements such as leadership on employee security behaviour is mediated by espoused cultural values while the impact of employee cognitive belief is moderated by security technologies. For effective cybersecurity compliance, leaders and policymakers are therefore to promote organisational security initiatives that ensure incorporation of cybersecurity principles and practices into job descriptions, routines, and processes. This study contributes to behavioural security research by highlighting the critical role of leadership and cultural values in fostering organisational adherence to prescribed security control mechanisms.

Jernal H. Abawajy,K. Thatcher,Tai-hoon Kim

DOI: https://doi.org/10.1109/isa.2008.25

2008-01-01

Abstract:Organisations have become increasingly dependenton technology in order to compete in their respective markets. As IT technology advances at a rapid pace, so does its complexity, giving rise to new IT security vulnerabilities and methods of attack. Even though the human factors have been recognized to have a crucial role in information security management, the effects of weakness of will and lack of commitment on the stakeholders (i.e., employers and employees) parts has never been factored into the design and delivery of awareness programs. To this end, this paper investigates the impacts of the availability of awareness programs and end-user drive and lack of commitment to information security awareness program design, delivery and success.

Ding-Long Huang,Pei-Luen Patrick Rau,Gavriel Salvendy,Fei Gao,Jia Zhou

DOI: https://doi.org/10.1016/j.ijhcs.2011.07.007

IF: 4.866

2011-01-01

International Journal of Human-Computer Studies

Abstract:The gap between the perceived security of an information system and its real security level can influence people' decisions and behavior. The objective of this study is to find effective ways to adjust people's perception of information security, in order to enhance their intention to adopt IT appliances and compliance to security practices. Two separate experiments were conducted. In experiment I, 64 participants were asked to transfer money through an e-banking system. Their intention to adopt e-banking was measured by a questionnaire. In experiment II, 64 participants were asked to register on an online forum. Their subjective intention to create a strong password was measured by a questionnaire, and the objective strength of the passwords they created was calculated. Results of the ANOVA and the path models derived from the path analysis indicated that people's adoption intention, such as their intention to adopt e-banking, can be enhanced by changing their perceived Knowledge, Controllability and Awareness, while changing the perceived Controllability is most effective. The results also indicated that people's compliance to security practices, such as setting strong passwords for IT systems, can be enhanced by changing their perceived Knowledge, Severity and Possibility, while changing their perceived Knowledge and Severity is most effective. Implications for further research and practice were also discussed.

Zhengchuan Xu,Ken H. Guo

DOI: https://doi.org/10.1108/JEIM-10-2018-0229

2019-01-01

Journal of Enterprise Information Management

Abstract:Purpose Human factor is often cited as one of the biggest challenges for organizational information security management. The purpose of this paper is to investigate how and why employees fail to carry out required security tasks. Design/methodology/approach On the basis of coping theory, this paper develops a theoretical model to examine employee effortful security behavior (ESB). The model is tested with the data collected through a survey of computer users. Findings The results suggest that employee procrastination of security tasks and psychological detachment from security issues are two antecedents of ESB. Psychological detachment and procrastination are in turn influenced by perceived externalities of security risk and triage of business tasks over security issues by employees. Originality/value This paper contributes to the information systems security literature by providing a nuanced understanding of the antecedents and process of how employees cope with security task demands. It also offers some insights for practitioners in terms of the importance of designing and implementing security measures that are viewed as relevant to employees.

Chao-Min Chiu,Hsiang-Lan Cheng,Jack Shih-Chieh Hsu,Chiew Mei Tan,Chiung Hui Huang

DOI: https://doi.org/10.1080/10447318.2024.2422757

IF: 4.92

2024-11-20

International Journal of Human-Computer Interaction

Abstract:Drawing upon the attitude theory, this study theorizes that commitment affects loafing behaviors and ISP compliance. Further, drawing upon the transfer theory, this study adopts the concepts of loafing and commitment transfer in order to explore whether social loafing will enhance employee cyberloafing and whether organizational commitment can enhance ISP commitment, both of which, in turn, influence ISP compliance intention. This study utilized structural equation modeling (SEM) to analyze survey data collected in July 2023 from 361 Taiwanese individuals affiliated with organizations or companies. The results show that social loafing has a strong positive effect on cyberloafing, which, in turn, has a strong negative effect on ISP compliance intention. Organizational commitment has a strong positive effect on ISP commitment, which, in turn, has a strong positive effect on ISP compliance intention. In addition, distortion of consequences moderates the relationship between social loafing and cyberloafing. Advantageous comparison moderates the relationship between cyberloafing and ISP compliance intention.

computer science, cybernetics,ergonomics

Hui Na Chua,Siew Fan Wong,Yeh Ching Low,Younghoon Chang

DOI: https://doi.org/10.1016/j.tele.2018.05.005

IF: 9.14

2018-01-01

Telematics and Informatics

Abstract:To protect consumer information, many countries have begun enforcing the Personal Data Protection Act. Organizations are required to comply with this Act, failure of which may result in hefty penalties. To ensure compliance, some organizations have introduced their own information security policy to protect consumer information. A review of the literature shows that many employees are either unaware of the policy or tend to ignore it, which increases the risk of noncompliance. To help organizations manage compliance among their employees, in this study, we used demographic factors to develop profiles of employees' policy awareness and their intention to comply. By having an understanding of employee profiles, effective and targeted strategies can be devised to educate employees accordingly. Our data from 607 respondents show that age, working industry and education levels have significant effects on information security policy awareness and compliance.

Salvatore Aurigemma,Thomas Mattson

DOI: https://doi.org/10.1109/hicss.2015.424

2015-01-01

Abstract:Using the theory of planned behavior, this paper investigates the relationship between an employee's social status, perceived controllability of co-workers' actions and individual self-efficacy in terms of predicting an employee's perceived behavioral control over and his/her intention to comply with an organization's information security policies. The reported findings in this paper from a survey of 182 employees of a large government organization suggest that decomposing perceived behavioral control into controllability and self-efficacy has more predictive power than using simpler proxies (i.e. Self-efficacy alone) advocated in previous literature, and an employee's status in the organizational hierarchy has both a direct and a moderating effect on an employee's perceived behavioral control (but not on self-efficacy).

Harrison Stewart,Jan Jürjens

DOI: https://doi.org/10.1108/ics-07-2016-0054

2017-11-13

Information and Computer Security

Abstract:Purpose The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset. Design/methodology/approach Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B. Findings Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own. Research limitations/implications The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings. Practical implications In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed. Social implications The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps. Originality/value The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.