The Influence of Self-Determined Motivation on Security Education Training and Awareness (SETA) Programs

Despite the best efforts of many organizations, protection of information assets continues to be a major problem for a number of firms. A large portion of data breaches can be attributed to employees of the organization, who have been commonly identified as the weakest link in an organization’s overall security profile. Organizations implement security policies to give their employees guidelines for appropriate behavior related to information protection. For policies to be effective, employees must exhibit adequate comprehension of the secure behaviors described in the policy. Security Education, Training, and Awareness (SETA) programs have been utilized as an organizational mechanism for communicating the details of security policies and the importance of employees’ compliance. Although researchers have identified the importance of SETA programs in the implementation of security policies, individual differences among employees may contribute to the effectiveness of a SETA program. One such difference is an employee’s orientation toward self-determined (intrinsic) or control-oriented (extrinsic) forms of motivation related to both the workplace context and situational tasks, such as participation in a SETA program. A theoretical model is developed to assess the influence of an employee’s overall work motivation and perceptions of the work environment on his or her situational motivation toward participating in an organization’s SETA program. Methods for capturing the hypothesized relationships and analysis of the associated data are described. The findings indicate that an employee’s perceptions of autonomy, competence, and relatedness while participating in the SETA program have a significant impact on the employee’s motivation toward the SETA program. SETA program motivation significantly influenced an employee’s attitude toward the information security policy (ISP), cognition of ISP concepts, and intention to comply with the ISP while also serving as a significant predictor of an employee’s decision to participate in an additional training program. Implications for both research and practice are discussed

Critical analysis of information security culture definitions

This article aims to advance the understanding of information security culture through a critical reflection on the wide-ranging definitions of information security culture in the literature. It uses the hermeneutic approach for conducting literature reviews. The review identifies 16 definitions of information security culture in the literature. Based on the analysis of these definitions, four different views of culture are distinguished. The shared values view highlights the set of cultural value patterns that are shared across the organization. An action-based view highlights the behaviors of individuals in the organization. A mental model view relates to the abstract view of the individual’s thinking on how information security culture must work. Finally, a problem-solving view emphasizes a combination of understanding from shared value-based and action-based views. The paper analyzes and presents the limitations of these four views of information security culture definitions

Understanding the Roles of Challenge Security Demands, Psychological Resources in Information Security Policy Noncompliance

It is widely agreed that employees’ noncompliance with information security policies (ISP) is still a major problem for organizations. In order to understand the factors that reduce employees’ ISP noncompliance, previous studies have focused on stressful security demands that consequently aggravate noncompliance, and tangible job resources to promote compliance. However, how security demands encourage employees to comply and how intangible resources affect employees’ ISP noncompliance have been largely overlooked. In this study, we posit and argue that challenge security demands and intangible psychological resources can help promote employees’ ISP compliance. Drawing on the Job Demands- Resources Model and the theory of psychological resource, we specifically examine the roles of continuity demand, mandatory demand as challenge security demands, and felt trust, professional development and personal resource as psychological resources in influencing employees’ ISP noncompliance. The proposed model is validated by survey data from 224 employees. The theoretical and practical contributions are also discussed

EFFECT OF UPWARD SOCIAL COMPARISON WITHIN TEAMS THROUGH AFFECTIVE AND COGNITIVE PROCESS WITH THE ROLE OF CONTEXT

학위논문(박사)--서울대학교 대학원 :경영대학 경영학과,2020. 2. 최진남.Employee creativity has become the essential element for the survival and success of contemporary organizations under the fast-changing business environment. The increase in the importance of team systems in the flood of information has increased the attention to creativity in social relationship. This study combines social comparison theory (Festinger, 1954) and a dual-pathway model of creativity (De Dreu, Baas, & Nijstad, 2008) to propose a framework that exhibits the process in which the social comparison of creative ability between team members influences individual creativity. In particular, this study focuses on the upward social comparison that individuals experience frequently in real team situations (Gerber, Wheeler, & Suls, 2018). I proposed the process model that upward social comparison influences individual creativity through emotional and cognitive responses. This study examined the emotional response to upward social comparison within teams based on two dimensions, namely, activation and valence, to answer recent calls for the shift to the dimensional approach of emotions from multiple disciplines. Cognitive demotivation was also added to the cognitive flexibility and persistence, which are the two cognitively motivated states from the dual pathway model, in examining cognitive responses following emotions. This study also explored the processes that emotional and cognitive processes lead to three aspects of creativity, namely, radical creativity, incremental creativity, and creative disengagement. Using a multi-source multi-wave data, this study empirically validated that upward social comparison largely positively affects emotions and is related to radical and incremental creativity through cognitive flexibility. This research provides novel insights for researchers and practitioners by offering theoretical elaboration of the effects of social comparison processes on creativity and providing unique empirical validation of the model in the context of teams in actual organizations.사회발전의 속도가 빨라지고 이에 따라 소비자들의 취향변화도 급격해지면서 사회 각계각층의 다양한 니즈를 맞추기 위하여 기업 인재들의 창의성은 기업의 존속과 성공을 위한 필수적 요소가 되었다. 특히 기술의 고도화와 정보의 홍수속에서 개인보다 팀으로 업무를 처리해야하는 일이 많아지면서, 이러한 사회적 관계속에서의 창의성에 대한 고려가 주목받고 있다. 본 연구는 그 중요성에도 불구하고 창의성 문헌에서 충분히 고려되지 못했던 사회비교이론(Festinger, 1954)을 창의성의 이중경로모델(De Dreu et al., 2008)과 결합시켜, 창의적 능력에 대한 팀원들 간의 비교가 직원 개개인의 창의성에 미치는 프로세스를 새로이 밝혔다. 특히, 실제 팀 조직에서 개인들이 더욱 빈번히 경험하는 상향비교 상황에 초점을 맞추어(Gerber et al., 2018), 창의적 능력에 대한 팀원들과의 상향비교가 정서적, 인지적 반응을 통해 창의성에 도달하는 과정을 살펴보았다. 다양한 문헌에서 정서의 차원적 접근(dimensional approach)의 중요성을 강조함에 따라, 본 연구에서는 활성화(activation)와 정서가(valence) 두 가지 차원을 바탕으로 팀내 상향비교에 대한 정서적 반응을 살펴보았다. 또한, 정서에 이은 인지적 반응을 살펴봄에 있어, 이중경로모델에서 제시한 인지적 유연성, 인지적 지속성에 인지적 비동기화(cognitive demotivation)상태를 추가하였고, 이러한 정서적, 인지적 반응이 창의성의 세가지 측면, 즉 급진적 창의성, 점진적 창의성, 비관여적 창의성으로 연결되는 프로세스를 분석하였다. 한달 간격으로 팀원 및 팀장에게 2회에 걸쳐 수집한 데이터를 통해, 본 연구는 상향비교가 활성화된 긍정적 정서를 통해 인지적 활성화에 영향을 미치며, 인지적으로 유연한 상태일 때 창의성이 발휘됨을 검증했다. 본 논문은 기존에 실험연구를 통해 이론적으로 제시되었던 가설들을 발전시켜 실제 기업에서 최초로 실증 분석함으로써, 현실 기업에서의 팀내 사회적 관계가 창의성에 미치는 영향을 구체적으로 알아보았다는 점에서 의의를 가진다.LIST OF TABLES 6 LIST OF FIGURES 7 CHAPTER 1. INTRODUCTION 8 CHAPTER 2. LITERATURE REVIEW 15 1. Review of Creativity Research 15 1.1. Definitions of Creativity 15 1.2. Radical and Incremental Creativity 17 1.3. Antecedents of Creativity 18 1.4. Emotion and Creativity 22 1.5. Dual Pathway to Creativity 24 2. Review of Social Comparison Theory 26 2.1. Definition of Social Comparison 26 2.2. Upward and Downward Comparison 27 2.3. Affective Consequences of Social Comparison 29 2.4. Focus on Upward Comparison 31 2.5. Discrete Emotion to Emotion Circumplex Model 33 2.5.1. Discrete Emotions 34 2.5.2. Dimensional Approach 35 2.5.3. Discrete Emotion to Dimensional Approach 38 2.6. Possible Determinants of the Affective Consequences of Social Comparison 40 2.6.1. Relevance of the Comparison Dimension 42 2.6.2. Perceived Attainability 44 2.6.3. Social Comparison Orientation 48 3. Conclusions 50 CHAPTER 3. THEORETICAL FRAMEWORK 53 1. Introduction 54 2. Theoretical Development and Hypotheses 58 2.1. Social Comparison Theory 59 2.2. Organizational Context for Creativity: Creative Requirement 62 2.3. Organizational Context for Creativity: Resource for Creativity 63 2.4. Intervening Process: Emotional Reaction to Upward Social Comparison 64 2.5. Intervening Process: Cognitive Process 68 2.6. Radical Creativity, Incremental Creativity, and Creative Disengagement 72 CHAPTER 4. EMPIRICAL STUDY 78 1. Sample and Data Collection Procedure 78 2. Ethical Considerations 80 3. Measurement 80 CHAPTER 5. RESULTS 85 1. Preliminary Analysis 85 2. Multilevel Analytic Strategy 86 3. Hypotheses Testing 90 CHAPTER 6. DISCUSSION 99 Summary of Findings 99 Implications on Creativity Literature 100 Implications on Social Comparison Literature 102 Implications to EmotionCognition Literature 106 Practical Implications 109 Limitations and Future Research Directions 110 CONCLUSION 112 REFERENCE 114 APPENDIX 130 국문초록 134Docto

The mediating effect of intrinsic motivation on perceived work uncertainty for individual information security policy compliance

This dissertation is centered on investigating how employees' intrinsic motivation mediates the relationship between perceived work uncertainty and individual information security policy compliance. As stay-at-home orders, and unemployment increased, surveys indicated that 49% of traditional office employees experienced remote working for the first time. Work systems rapidly shifted to a reliance on home WIFI networks, personal computers, and personal anti-virus software. This move created vulnerabilities to information security policies and procedures where almost 20% of work from home employees were given no tips to improve information security at home (Security 2020). Unemployment increased, and remaining employees had to adapt to changing work tasks, reduced or lacking resources, and minimal technical or managerial support to navigate job uncertainty while maintaining overall information security. With organizational threats to information security increasing, it is becoming clear that little attention has been given to how individuals become intrinsically motivated when the design of work itself becomes uncertain. Taking into account the changing work and job environment and the uncertainty which this environment facilitates, we have identified a research gap in which the need for individuals to rely on their skills and abilities to interpret work needs during uncertain times, and the overall intrinsically driven work motivation required to comply with organizational ISP’s during times of perceived work uncertainty, has not been investigated. Using a theoretical basis of Work Design theory (Wall et al., 2002) and Self-determination theory of work motivation (Gange and Deci, 2005), we performed a cross-sectional survey of 269 participants at the onset and height of the global pandemic. One of the primary implications of this study and our results is the indirect mediation by intrinsic motivation of the relationship between perceived work uncertainty and intentions to comply with information security policies. Another vital aspect of our study’s findings is the view that information security policies (ISP) themselves can become the source of uncertainty in compliance decisions. Most all ISPs are developed to bring clarity to employees on how to address security threats while making compliance decisions. Where ISPs have been investigated about the demands (and impositions) they place on work goal attainment (or inhibiting work requirements), we have found that ISPs may not be able to provide answers to all security threats encountered. Overall, our results should invigorate the debate about which strategies increase intrinsic motivation and what methods should be deployed to maximize positive reactions during uncertainty concerning information security compliance behaviors. This study has provided evidence that organizations should design work practices, especially ISPs, that allow employees latitude to make ISP compliance decisions when ISPs are unclear or uncertain and where managers similarly cannot provide correct courses of remedy or action

Understanding extra-role security behaviors: An integration of self-determination theory and construal level theory

Extra-role security behaviors (ERSBs) – spontaneous security behaviors that are not prescribed in organizational security policies – are seen as a useful addition to securing informational assets in organizations. However, this exploratory study, based on findings obtained through 29 in-depth-interviews, challenges this positive perspective and shows that extra-role security behaviors cut both ways: They are either helpful or harmful. In addition, our results suggest that (1) ERSB contributes to varying degrees to the effectiveness of information security compliance, (2) the self-determination theory contributes to understanding the motivators for ERSB, and (3) the construal level theory of psychological distance explains the differential risk evaluation of ERSB. We discuss implications for researchers and practitioners – particularly in terms of promoting the beneficial nature of extra-role security behaviors – and suggest compelling avenues for future research

Volitional Cybersecurity

This dissertation introduces the “Volitional Cybersecurity” (VCS) theory as a systematic way to think about adoption and manage long-term adherence to cybersecurity approaches. The validation of VCS has been performed in small- and medium-sized enterprises or businesses (SMEs/SMBs) context. The focus on volitional activities promotes theoretical viewpoints. Also, it aids in demystifying the aspects of cybersecurity behaviour in heterogeneous contexts that have neither been systematically elaborated in prior studies nor embedded in cybersecurity solutions. Abundant literature demonstrates a lack of adoption of manifold cybersecurity remediations. It is still not adequately clear how to select and compose cybersecurity approaches into solutions for meeting the needs of many diverse cybersecurity-adopting organisations. Moreover, the studied theories in this context mainly originated from disciplines other than information systems and cybersecurity. The constructs were developed based on data, for instance, in psychology or criminology, that seem not to fit properly for the cybersecurity context. Consequently, discovering new methods and theories that can be of help in active and volitional forms of cybersecurity behaviour in diverse contexts may be conducive to a better quality of cybersecurity engagement. This leads to the main research question of this dissertation: How can we support volitional forms of behaviour with a self-paced tool to increase the quality of cybersecurity engagement? The main contribution of this dissertation is the VCS theory. VCS is a cybersecurity-focused theory structured around the core concept of volitional cybersecurity behaviour. It suggests that a context can be classified based on the cybersecurity competence of target groups and their distinct requirements. This classification diminishes the complexity of the context and is predictive of improvement needs for each class. Further, the theory explicates that supporting three factors: A) personalisation, B) cybersecurity competence, and C) connectedness to cybersecurity expertise affect the adoption of cybersecurity measures and better quality of cybersecurity engagement across all classes of the context. Therefore, approaches that ignore the personalisation of cybersecurity solutions, the cybersecurity competence of target groups, and the connectedness of recipients to cybersecurity expertise may lead to poorer acceptance of the value or utility of solutions. Subsequently, it can cause a lack of motivation for adopting cybersecurity solutions and adherence to best practices. VCS generates various implications. It has implications for cybersecurity research in heterogeneous contexts to transcend the common cybersecurity compliance approaches. Building on VCS, researchers could develop interventions looking for volitional cybersecurity behaviour change. Also, it provides knowledge that can be useful in the design of self-paced cybersecurity tools. VCS explains why the new self-paced cybersecurity tool needs specific features. The findings of this dissertation have been subsequently applied to the follow-up project design. Further, it has implications for practitioners and service providers to reach out to the potential end-users of their solutions

A theoretical and empirical extension of the perceived organizational support construct: three papers examining the role of social comparison, organizational malevolence, and social resources

The perceived organizational support (POS) construct has received a significant degree of attention within the literature, helping scholars and practitioners alike to better understand and interpret the relational dynamic between the employee and their employer. However, this thesis contends that there are a number of assumptions, gaps and confounds that limit the extent to which POS can offer greater construct validity. As such, this thesis presents a collection of three stand-alone scholarly papers that aim to further develop and extend the POS construct as well as organizational support theory (OST), both theoretically and empirically. The first paper explores the theoretical assumption that an individual’s POS is increased by both the direct (i.e. idiosyncratic) receipt of supportive organizational treatment, as well as the observation of coworker (i.e. the group/collective) receipt of such treatment. This presents a potential confound in that OST also holds that POS is systemic of notions that the individual is treated fairly; thus hypothetically, an individual’s appraisal that, in comparison, other coworkers have received more supportive organizational treatment, could lead to notions of unfair treatment due to relative under-benefit. As such this paper explores the influence the social context and social comparison processes have regarding POS, with findings suggesting that employees can and do differentiate between their idiosyncratic receipt of organizational support in comparison to others (perceived organizational support social comparison – POSSC), and that such a perception accounts for unique and meaningful variance with regards to the measurement of POS as well as possessing unique motivational and predictive influence on prosocial outcomes. The second paper examines the assumption that whilst accounting for organizational benevolence, the POS construct also accounts for organizational malevolence. By utilizing the recently proposed theoretical construct of perceived organizational cruelty (POC), this paper explores POS and POC’s convergent and discriminant validity, both theoretically and empirically, and suggests that whilst POS specifically concerns organizational benevolence, POC in turn specifically concerns organizational malevolence. Findings elucidate that the constructs are (antithetically) related, yet are distinct such that each construct possesses differential characteristics as they relate to certain attitudinal and behavioral outcomes. Finally, the third paper explores the mechanisms and motivations that exist within the POS-prosocial outcome dynamic. Extant OST holds that this dynamic is subject to conscious and rational rules and norms relating to social exchange and reciprocity. Conversely, by utilizing conservation of resources and self-determination theories, this paper reasons that the POS-prosocial outcome dynamic could also be subject to subconscious influences relating to self-relevant resources and needs for relatedness. Findings that POS functions through emotional engagement (as opposed to cognitive and physical engagement) offer support for this reasoning, suggesting that rather than being instrumental in nature, POS acts as an emotional resource that facilitates greater emotionally based prosocial outcomes. Overall, in order to test hypotheses in each paper, data from one or a combination of three samples was utilized; with these samples being a longitudinal survey of employees from a large hospital/healthcare provider in the UK, a longitudinal survey of employees of a graduate development scheme within a large international logistics company based in the UK, and a convenience sample of individuals employed in the USA

Encountering stereotype threat in the workplace : how lesbian, gay, bisexual, and transgender employees meet the challenge of negative stereotyping.

Employee retention continues to be a major drain on the resources of organizations, especially in terms of personnel, productivity, and financial resources. One of the primary motivators of employee turnovers established by research is the issue of unfairness in the workplace. This study investigated the dimensions of unfairness related to being a lesbian, gay, bisexual, or transgender employee. Specifically, the issue of stereotype threat and its effect on job performance was explored. Using an on-line survey, members of LGBT labor union caucuses and LGBT employee resource groups were asked to complete a questionnaire that assessed demographic differences and responses to issues of self-monitoring, concern for appropriateness, and self-efficacy as they related to the employee\u27s experience of stereotype and job performance. Hierarchical regression analyses and structural equation modeling were used to ascertain the effect and systemic relationships between the variables. This study documented the presence of stereotype threat in the workplace. It was also found that self-efficacy completely mediates the effect of stereotype threat on job performance. Furthermore, more subtle indirect effects of stereotype threat were found. Additionally, mechanisms that affect how the employee adapts to his/her situation were explored. It was concluded that stereotyping of lesbian, gay, bisexual, and transgender employees can directly and indirectly affect the levels of job performance in the workplace. In short, when an employee feels unfairly treated the likelihood of employee turnovers increases