WILLINGNESS AND ABILITY TO PERFORM INFORMATION SECURITY COMPLIANCE BEHAVIOR: PSYCHOLOGICAL OWNERSHIP AND SELF-EFFICACY PERSPECTIVE

Information security policy effectiveness relies on how well an individual employee can follow the specified instruction described in security policies. The actual taking place of such compliance behavior is determined by individuals’ willingness and capability of performing such behavior. In this study, we used psychological ownership to represent the driver of willingness and self-efficacy to represent individuals’ capability belief. In addition to understanding the impacts of these two variables on compliance behavior, we also explore their antecedents. Data collected from 234 employees in organizations with specific security policies were used to examine the proposed hypotheses. We confirmed the positive impact of selfefficacy but, surprisingly, found the negative impact of psychological ownership. Such a result generates some interesting implications for researchers and practitioners

The Mediating Role of Psychological Empowerment in Information Security Compliance Intentions

The issue of employee noncompliance with information security policies is universal. Noncompliance increases the possibility of invasive information security threats, which can result in compromised organizational assets. Although research has empirically revealed a relationship between structural empowerment and employee intention to comply with information security policies, the mediating role of psychological empowerment in the relationship has received limited attention. This study conceptualizes the role of psychological empowerment as a mediator between structural empowerment and the intention to comply with information security policy. It suggests that empowerment work structures, which include information security education, training, and awareness (SETA), access to information security strategic goals, and participation in information security decision-making all increase employees’ feelings of being psychologically empowered, which consequently leads to positive intentions to comply with information security policy

Investigating the Formation of Information Security Climate Perceptions with Social Network Analysis: A Research Proposal

Over the past years, a large amount of studies has advanced knowledge that explains how individuals react to information security cues and why they are motivated to perform secure practices. Nevertheless, those studies predominantly set their focus on the adoption of secure practices at an individual level; therefore they were unable to analyse such adoption at the higher level. As a consequence, the formation and dissemination processes of information security perceptions were overlooked despite their importance. Understanding those processes would inform methods to distribute effectively desirable information security perceptions within the workplace, while potentially explaining why in some cases implementation of information security measures was not successful at changing the employees’ beliefs and behaviours. The first part of this paper reviews the concept of information security climate that emerge from the individual’s interactions with the work environment, which has been under researched and investigated inconsistently. The second part begins with discussing the influence mechanisms that could disseminate information security climate perceptions, then suggests the adoption of social network analysis techniques to analyse those mechanisms. As a result, the paper forwards an integrated framework about information security climate perceptions, as well as proposes a research agenda for future investigations on how those perceptions could be formed and disseminated within the workplace

How Paternalistic Leaders Motivate Employees’ Information Security Policy Compliance? Building Climate or Applying Sanctions

This paper studies the influencing mechanisms of Paternalistic Leadership in motivating employees’ Information Security Polices Compliance. We proposed that Sanctions and Information Security Climate can mediate the impact of different PL dimensions. Based on survey data from 760 participants, we found that, for different PL dimension, their influencing mechanism are different. The impact of AL dimension is partially mediated by employees’ perception of the Sanction, while the impact of BL dimension and ML dimension are partially mediated by employees’ perception of the Information Security Climate. Our research extends the existing literature by introducing the impact of specific leadership styles on employees’ ISP Compliance and discovering the mediating role of Sanction and Information Security Climate. New knowledge is also found about how each PL dimension affects employees’ Compliance in the information security context

Understanding Contextual Factors of Bring Your Own Device and Employee Information Security Behaviors from the Work-Life Domain Perspective

Bring Your Own Device (BYOD) is no longer the exception, but rather the norm. Most prior research on employees’ compliance with organizational security policies has been primarily conducted with the assumption that work takes place in a specified workplace, not remotely. However, due to advances in technology, almost every employee brings his or her own device(s) to work. Further, particularly as a result of the 2020 Covid-19 pandemic, remote working has become very popular, with many employees using their own devices for work- related activities. BYOD brings new challenges in ensuring employees’ compliance with information security rules and policies by creating a gray area between the work and life domains as it diminishes the boundaries that separate them and thus affects employees’ perception of them. As yet, little is known about how BYOD changes individuals’ perception of work-life domains and how such perception may subsequently affect their compliance behavior. Building on prior research on information security behaviors and work-life domain management, this thesis investigates the possible effects of BYOD on employees’ compliance behavior through the changes it brings about in their work-life domain perspective. It extends existing border theory by identifying and empirically validating new border marking factors— namely, device ownership and data sensitivity—in employees’ interpretation of their work and life domains. Subsequently, protection motivation theory, a theory widely used in explaining employees’ compliance behavior, was used to examine why and how the perception of work- life domains is relevant and necessary to consider in examining employees’ intention to comply with information security policies

How to Mitigate Security-Related Stress: The Role of Psychological Capital

In an organizational context, individuals are prone to feel stressed by overwhelming and complicated security requirements, which can result in noncompliance with security policies and guidelines. While previous research has mainly focused on identifying distinct dimensions of security- related stress (SRS) and their behavioral impact, this paper is the first to examine factors for mitigating SRS. A study with more than 130 participants reveals that psychological capital (PsyCap) – here comprising of domain-specific self-efficacy and resilience – may work as such a means as it significantly reduces perceived SRS. However, the positive effect of PsyCap diminishes when becoming a victim of cybercriminals. We discuss our results and highlight theoretical and practical implications for organizations

Do individual employees’ security compliance intentions relate to workgroup security effectiveness?

This paper examines how individual security inputs i.e., security compliance intention and perceived security knowledge, are processed to produce workgroup information security effectiveness in the workgroup. Based on the input-process-output framework, we investigate the multi-level relationships between focal variables. For the analysis, multi-level structural equation model will be used. In particular, the study potentially contributes to the understanding of the security management by showing how individual compliance intention can be mediated by security knowledge coordination and how this mediation works conditionally based on empowering security leadership and perceived security knowledge. Further possible contributions are discussed in the paper

Non-pecuniary Value of Employment and Individual Labor Supply

Recognizing that people value employment not only to earn income to satisfy their consumption needs but also as a means of community involvement that provides socio-psychological (non-pecuniary) benefits, we show that once the non-pecuniary benefits of employment are incorporated in the standard individual’s utility function, then at very low income levels employment can be a source of utility, inducing individuals to supply labor to the extent possible. We also show the conditions under which a greater non-pecuniary effect of employment generates a larger individual labor supply.Non-pecuniary effects, Employment value, Labor supply