Technostress and its influence on employee information security policy compliance

PurposeThis study focuses on unintended negative consequences of IT, called technostress. Given that employees are recognized as a major information security threat, it makes sense to investigate how technostress resulting from employees' constant interaction with IT influences the likelihood of security incidents. Although past research studied the concept of security-related technostress, the effect of IT use itself on employees’ extra-role activities such as security-related behaviors is unanswered. Thus, this paper aims to provide an understanding of the negative impact of technostress on employee information security policy (ISP) compliance.Design/methodology/approachDrawing on technostress literature, this research develops a research model that investigates the effect of technostress on employee intention to violate ISPs. It also extends the dimensionality of technostress construct by adding a new dimension called “techno-unreliability” that shows promising results. The authors use online survey data from a sample of 356 employees who have technology-based professions. We apply the structural equation modeling technique to evaluate the proposed research model.FindingsFindings showed that IT use imposes high-level perceptions of a set of technostress creators, which makes users rationalize their ISP violations and engage in non-compliant behaviors. Further analysis of each dimension of technostress showed that techno-complexity, techno-invasion and techno-insecurity account for higher ISP non-compliant behaviors.Originality/valueThis study provides a new understanding of technostress to the context of information security and emphasizes on its negative impact on employee ISP compliance behaviors.

Download Full-text

Information security policy compliance: a higher education case study

Information and Computer Security ◽

10.1108/ics-09-2016-0073 ◽

2018 ◽

Vol 26 (1) ◽

pp. 91-108 ◽

Cited By ~ 12

Author(s):

Khaled A. Alshare ◽

Peggy L. Lane ◽

Michael R. Lane

Keyword(s):

Higher Education ◽

Information Security ◽

Security Policy ◽

Past Research ◽

Faculty Members ◽

Research Model ◽

Security Measures ◽

Timely Manner ◽

Content Type

Purpose The purpose of this case study is to examine the factors that impact higher education employees’ violations of information security policy by developing a research model based on grounded theories such as deterrence theory, neutralization theory and justice theory. Design/methodology/approach The research model was tested using 195 usable responses. After conducting model validation, the hypotheses were tested using multiple linear regression. Findings The results of the study revealed that procedural justice, distributive justice, severity and celerity of sanction, privacy, responsibility and organizational security culture were significant predictors of violations of information security measures. Only interactional justice was not significant. Research limitations/implications As with any exploratory case study, this research has limitations such as the self-reported information and the method of measuring the violation of information security measures. The method of measuring information security violations has been a challenge for researchers. Of course, the best method is to capture the actual behavior. Another limitation to this case study which might have affected the results is the significant number of faculty members in the respondent pool. The shared governance culture of faculty members on a US university campus might bias the results more than in a company environment. Caution should be applied when generalizing the results of this case study. Practical implications The findings validate past research and should encourage managers to ensure employees are involved with developing and implementing information security measures. Additionally, the information security measures should be applied consistently and in a timely manner. Past research has focused more on the certainty and severity of sanctions and not as much on the celerity or swiftness of applying sanctions. The results of this research indicate there is a need to be timely (swift) in applying sanctions. The importance of information security should be grounded in company culture. Employees should have a strong sense of treating company data as they would want their own data to be treated. Social implications Engaging employees in developing and implementing information security measures will reduce employees’ violations. Additionally, giving employees the assurance that all are given the same treatment when it comes to applying sanctions will reduce the violations. Originality/value Setting and enforcing in a timely manner a solid sanction system will help in preventing information security violations. Moreover, creating a culture that fosters information security will help in positively affecting the employees’ perceptions toward privacy and responsibility, which in turn, impacts information security violations. This case study applies some existing theories in the context of the US higher education environment. The results of this case study contributed to the extension of existing theories by including new factors, on one hand, and confirming previous findings, on the other hand.

Download Full-text

Predicting employee information security policy compliance on a daily basis: The interplay of security-related stress, emotions, and neutralization

Information & Management ◽

10.1016/j.im.2019.02.006 ◽

2019 ◽

Vol 56 (7) ◽

pp. 103151 ◽

Cited By ~ 6

Author(s):

John D’Arcy ◽

Pei-Lee Teh

Keyword(s):

Information Security ◽

Security Policy ◽

Daily Basis ◽

Policy Compliance ◽

Information Security Policy ◽

Employee Information ◽

Related Stress ◽

Information Security Policy Compliance ◽

Security Policy Compliance

Download Full-text

Exploring adaptive information sharing from the perspective of cognitive switching

Aslib Journal of Information Management ◽

10.1108/ajim-07-2018-0176 ◽

2019 ◽

Vol 71 (4) ◽

pp. 535-557 ◽

Cited By ~ 3

Author(s):

Xianjin Zha ◽

Haijuan Yang ◽

Yalan Yan ◽

Guanxiang Yan ◽

Chengsong Huang ◽

...

Keyword(s):

Information Sharing ◽

Structural Equation ◽

Information Technologies ◽

Equation Modeling ◽

Research Model ◽

It Use ◽

Content Type ◽

Technology System ◽

Use Behavior ◽

Cognitive Switching

Purpose Microblogging as one kind of social media application provides an important information sharing platform. Adaptive information sharing is the combination of adaptive information technologies (IT) use behavior and information sharing behavior and subsequently refers to adaptive use of IT oriented to information sharing. The purpose of this paper is to understand adaptive information sharing in the context of microblogging from the perspective of cognitive switching. Design/methodology/approach A research model was developed and survey data were collected. The partial least squares structural equation modeling was employed to verify the research model. Findings Adaptive information sharing is positively impacted by other people’s use, discrepancies and deliberate initiatives among which other people’s use is the key determinant. Meanwhile, task self-efficacy positively moderates the effect of other people’s use on adaptive information sharing. Practical implications Developers of microblogging should as far as possible create learning atmosphere and learning culture. With learning atmosphere and culture, more and more users could keep on learning from observing other people. Consequently, more and more users would be willing to try new features of microblogging to share information. Originality/value This study examines adaptive information sharing by extending adaptive IT use behavior from the levels of technology, system and feature to the information level, presenting a new lens for adaptive IT use and information sharing alike.

Download Full-text

The hunt for computerized support in information security policy management

Information and Computer Security ◽

10.1108/ics-07-2019-0079 ◽

2020 ◽

Vol 28 (2) ◽

pp. 215-259 ◽

Cited By ~ 1

Author(s):

Elham Rostami ◽

Fredrik Karlsson ◽

Ella Kolkowska

Keyword(s):

Information Security ◽

Research Methods ◽

Security Policy ◽

Critical Discussion ◽

Future Research ◽

Management Process ◽

Management Research ◽

Information Security Policy ◽

Content Type ◽

Literature Reviews

Purpose The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about. Design/methodology/approach The results are based on a literature review of ISP management research published between 1990 and 2017. Findings Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare. Research limitations/implications Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process. Practical implications The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners. Originality/value Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.

Download Full-text

Comparing the information security culture of employees who had read the information security policy and those who had not

Information and Computer Security ◽

10.1108/ics-12-2015-0048 ◽

2016 ◽

Vol 24 (2) ◽

pp. 139-151 ◽

Cited By ~ 20

Author(s):

Adéle Da Veiga

Keyword(s):

Information Security ◽

Security Policy ◽

Positive Influence ◽

Theoretical Research ◽

Information Security Policy ◽

Content Type ◽

Security Culture ◽

Targeted Interventions ◽

Information Security Culture ◽

Over Time

Purpose This study aims, firstly, to determine what influence the information security policy has on the information security culture by comparing the culture of employees who read the policy to those who do not, and, secondly, whether a stronger information security culture is embedded over time if more employees have read the information security policy. Design/methodology/approach An empirical study is conducted at four intervals over eight years across 12 countries using a validated information security culture assessment (ISCA) questionnaire. Findings The overall information security culture average scores as well as individual statements for all four survey assessments were significantly more positive for employees who had read the information security policy compared with employees who had not. The overall information security culture also improved from one assessment to the next. Research limitations/implications The information security culture should be measured and benchmarked over time to monitor change and identify and prioritise actions to improve the information security culture. If employees read the information security policy, it has a positive influence on the information security culture of an organisation. Practical implications Organisations should ensure that employees have read the information security policy to aid in minimising the human risk, related errors and incidents and, ultimately, to instil a stronger information security culture with a higher level of compliant behaviour. Originality/value This research confirms theoretical research indicating that the information security policy could influence the information security culture positively. It provides novel and statistical evidence illustrating that if employees read the information security policy, they have a stronger information security culture and that the culture can be improved through targeted interventions using an ISCA.

Download Full-text

Examining the Relationship between Information Security Effectiveness and Information Security Threats

International Journal of Business and Society ◽

10.33736/ijbs.3335.2020 ◽

2021 ◽

Vol 21 (3) ◽

pp. 1203-1214

Author(s):

Mohamad Noorman Masrek ◽

Tri Soesantari ◽

Asad Khan ◽

Aang Kisnu Dermawan

Keyword(s):

Information Security ◽

Security Policy ◽

Partial Least Square ◽

Least Square ◽

Equation Modeling ◽

Security Threats ◽

Policy Effectiveness ◽

Information Security Policy ◽

The Relationship ◽

Policy And Procedure

Information is the most critical asset of any organizations and business. It is considered as the lifeblood of the organization or business. Because of its importance, information needs to be protected and safeguarded from any forms of threats and this is termed as information security. Information security policy and procedure has been regarded as one of the most important controls and measures for information security. A well-developed information security policy and procedure will ensure that information is kept safe form any harms and threats. The aim of this study is to examine the relationship between information security policy effectiveness and information security threats. 292 federal government agencies were surveyed in terms of their and information security practices and the threats that they had experienced. Based on the collected, an analysis using partial least square structural equation modeling (PLS-SEM) was performed and the results showed that there is a significant relationship between information security policy effectiveness and information security threats. The finding provides empirical evidence on the importance of developing an effective information security policy and procedure.

Download Full-text

Building an awareness-centered information security policy compliance model

Industrial Management & Data Systems ◽

10.1108/imds-07-2019-0412 ◽

2019 ◽

Vol 120 (1) ◽

pp. 231-247 ◽

Cited By ~ 1

Author(s):

Alex Koohang ◽

Jonathan Anderson ◽

Jeretta Horn Nord ◽

Joanna Paliszkiewicz

Keyword(s):

Information Security ◽

Security Policy ◽

Path Modeling ◽

Information Security Policy ◽

Content Type ◽

Security Issues ◽

Compliance Model ◽

Security Compliance ◽

Trusting Beliefs ◽

Practical Implications

Purpose The purpose of this paper is to build an awareness-centered information security policy (ISP) compliance model, asserting that awareness is the key to ISP compliance and that awareness depends upon several variables that influence successful ISP compliance. Design/methodology/approach The authors built a model with seven constructs, i.e., leadership, trusting beliefs, information security issues awareness (ISIA), ISP awareness, understanding resource vulnerability, self-efficacy (SE) and intention to comply. Seven hypotheses were stated. A sample of 285 non-management employees was used from various organizations in the USA. The authors used path modeling to analyze the data. Findings The findings indicated that IS awareness depends on effective organizational leadership and elevated employees’ trusting beliefs. The understanding of resource vulnerability (URV) and SE are influenced by IS awareness resulting from effective leadership and elevated employees’ trusting beliefs which guide employees to comply with ISP requirements. Practical implications Practical implications were aimed at organizations embracing an awareness-centered information security compliance program to secure organizations’ assets against threats by implementing various security education and training awareness programs. Originality/value This paper asserts that awareness is central to ISP compliance. Leadership and trusting beliefs variables play significant roles in the information security awareness which in turn positively affect employees’ URV and SE variables leading employees to comply with the ISP requirements.

Download Full-text

Hospital Staff’s Adherence to Information Security Policy: A Quest for the Antecedents of Deterrence Variables

INQUIRY The Journal of Health Care Organization Provision and Financing ◽

10.1177/00469580211029599 ◽

2021 ◽

Vol 58 ◽

pp. 004695802110295

Author(s):

Kuang-Ming Kuo ◽

Paul C. Talley ◽

Dyi-Yih Michael Lin

Keyword(s):

Information Security ◽

Security Policy ◽

Structural Equation ◽

International Standards ◽

Equation Modeling ◽

Management Support ◽

Internal Auditing ◽

Information Security Policy ◽

Security Breaches ◽

Upper Echelon Theory

Information security has come to the forefront as an organizational priority since information systems are considered as some of the most important assets for achieving competitive advantages. Despite huge capital expenditures devoted to information security, the occurrence of security breaches is still very much on the rise. More studies are thus required to inform organizations with a better insight on how to adequately promote information security. To address this issue, this study investigates important factors influencing hospital staff’s adherence to Information Security Policy (ISP). Deterrence theory is adopted as the theoretical underpinning, in which punishment severity and punishment certainty are recognized as the most significant predictors of ISP adherence. Further, this study attempts to identify the antecedents of punishment severity and punishment certainty by drawing from upper echelon theory and well-acknowledged international standards of IS security practices. A survey approach was used to collect 299 valid responses from a large Taiwanese healthcare system, and hypotheses were tested by applying partial least squares-based structural equation modeling. Our empirical results show that Security Education, Training, and Awareness (SETA) programs, combined with internal auditing effectiveness are significant predictors of punishment severity and punishment certainty, while top management support is not. Further, punishment severity and punishment certainty are significant predictors of hospital staff’s ISP adherence intention. Our study highlights the importance of SETA programs and internal auditing for reinforcing hospital staff’s perceptions on punishment concerning ISP violation, hospitals can thus propose better internal strategies to improve their staff’s ISP compliance intention accordingly.

Download Full-text

Escalation of commitment as an antecedent to noncompliance with information security policy

Information and Computer Security ◽

10.1108/ics-09-2017-0066 ◽

2018 ◽

Vol 26 (2) ◽

pp. 171-193 ◽

Cited By ~ 6

Author(s):

Miranda Kajtazi ◽

Hasan Cavusoglu ◽

Izak Benbasat ◽

Darek Haftor

Keyword(s):

Information Security ◽

Risk Perceptions ◽

Security Policy ◽

Sunk Costs ◽

Survey Method ◽

Task Completion ◽

Escalation Of Commitment ◽

Value Conflicts ◽

Information Security Policy ◽

Content Type

PurposeThis study aims to identify antecedents to noncompliance behavior influenced by decision contexts where investments in time, effort and resources are devoted to a task – referred to as a task unlikely to be completed without violating the organization’s information security policy (ISP).Design/methodology/approachAn empirical test of the suggested relationships in the proposed model was conducted through a field study using the survey method for data collection. Pre-tests, pre-study, main study and a follow-up study compose the frame of our methodology where more than 500 respondents are involved across different organizations.FindingsThe results confirm that the antecedents that explain the escalation of commitment behavior in terms of the effect of lost assets, such as time, effort and other resources, give us a new lens to understand noncompliance behavior; employees seem to escalate their commitments to the completion of their tasks at the expense of becoming noncompliant with ISP.Research limitations/implicationsOne of the key areas that requires further attention from this study is to better understand the role of risk perceptions on employee behavior when dealing with value conflicts. Depending on how risk-averse or risk seeking an employee is, the model showed no significant support in either case to influence their noncompliance behavior. The authors therefore argue that employees' noncompliance may be influenced by more powerful beliefs, such as self-justification and sunk costs.Practical implicationsThe results show that when employees are caught in tasks undergoing difficulties, they are more likely to increase noncompliance behavior. By understanding better how project obstacles result in such tasks, security managers can define new mechanisms to counter employees’ shift from compliance to noncompliance.Social implicationsApart from encouraging compliance with enforcement mechanisms (using direct behavioral controls like sanctions or rewards), indirect behavior controls may also encourage compliance. The authors suggest that the ISPs should state that the organization would take positive actions toward task completion and help their employees to resolve their problems quickly.Originality/valueThis study is the first to tackle escalation of commitment theories and use antecedents that explain the effect of lost assets, such as time, effort and other resources can also explain noncompliance with ISP in terms of the value conflicts, where employees would often choose to forego compliance at the expense of finishing their tasks.

Download Full-text

Establishing information security policy compliance culture in organizations

Information and Computer Security ◽

10.1108/ics-09-2017-0063 ◽

2018 ◽

Vol 26 (4) ◽

pp. 420-436 ◽

Cited By ~ 8

Author(s):

Eric Amankwa ◽

Marianne Loock ◽

Elmarie Kritzinger

Keyword(s):

Information Security ◽

Security Policy ◽

User Involvement ◽

Research Model ◽

End User ◽

Policy Compliance ◽

Content Type ◽

Behavioural Intentions ◽

End User Involvement ◽

Security Policy Compliance

Purpose This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of factors such as supportive organizational culture, end-user involvement and compliance leadership to influence employees’ attitudes and behaviour intentions towards ISP in organizations. This paper also aims to develop a testable research model that might be useful for future researchers in predicting employees’ behavioural intentions. Design/methodology/approach In view of the study’s aim, a research model to show how three key constructs can influence the attitudes and behaviours of employees towards the establishment of security policy compliance culture (ISPCC) was developed and validated in an empirical field survey. Findings The study found that factors such as supportive organizational culture and end-user involvement significantly influenced employees’ attitudes towards compliance with ISP. However, leadership showed the weakest influence on attitudes towards compliance. The overall results showed that employees’ attitudes and behavioural intentions towards ISP compliance together influenced the establishment of ISPCC for ISP compliance in organizations. Practical implications Organizations should influence employees’ attitudes towards compliance with ISP by providing effective ISP leadership, encouraging end-user involvement during the draft and update of ISP and nurturing a culture that is conducive for ISP compliance. Originality/value The study provides some insights on how to effectively address the problem of non-compliance with ISP in organizations through the establishment of ISPCC, which has not been considered in any past research.

Download Full-text