This study explores the role of norms in employees' compliance with an organizational information security policy (ISP). Drawing upon norm activation theory, social norms theory, and ethical climate literature, we propose a model to examine how ISP-related personal norms are developed and then activated to affect employees' ISP compliance behavior. We collected our data through Amazon Mechanical Turk for hypothesis testing. The results show that ISP-related personal norms lead to ISP compliance behavior, and the effect is strengthened by ISP-related ascription of personal responsibility. Social norms related to ISP (including injunctive and subjective norms), awareness of consequences, and ascription of personal responsibility shape personal norms. Social norms related to ISP are the product of principle ethical climate in an organization.
• This study explores the role of norms in employees' compliance with organizational information security policies (ISP).
• ISP-related personal norms lead to ISP compliance behavior, and the effect is strengthened by ISP-related ascription of personal responsibility.
• Social norms related to ISP, awareness of consequences, and ascription of personal responsibility shape personal norms.
• Social norms related to ISP are the product of principle ethical climate in an organization.
Peers may help others avoid violating organisational information security policies (ISPs). This study explores how peer monitoring reduces employee ISP violation intention. We propose that peer monitoring discourages employees from violating ISP. Moreover, trust plays an important role. Trust not only facilitates peer monitoring, but also moderates the effect of peer monitoring on employee ISP violation intention. In addition, collective responsibility leads to peer monitoring. We test our research model with data from two waves of surveys of 254 employees in the United States conducted two weeks apart. We utilise four scenarios in the second wave of surveys capturing the dependent variable and measure all other constructs in the first wave of surveys. Our results suggest that peer monitoring decreases one's intention to violate ISPs. Furthermore, both collective responsibility and trust contribute to peer monitoring. Finally, trust amplifies the effect of peer monitoring on employees' intention to violate ISPs. We discuss the theoretical contributions and practical implications.
Past research suggests that the demands of information security policies (ISPs) cause stress upon employees, leading them to violate the policies. It emphasises the distress process but overlooks a possible positive process that may arise from the ISP demands (i.e., the eustress process) and motivate employees to reduce ISP violations. This study explores both the distress and eustress processes. It proposes that the challenge and hindrance aspects of ISP demands induce these processes and subsequently affect ISP violations. Besides, employees' ISP-related self-efficacy may facilitate or impede these processes. To test the research model, a survey was conducted on 375 employees in the U.S. The results show that the challenge aspect of ISP demands elicits a positive psychological response of employees, which in turn triggers their planful problem-solving to deal with these demands. In contrast, the hindrance aspect of ISP demands provokes a negative psychological response that triggers employees' wishful thinking about ISP demands. Meanwhile, employees' self-efficacy strengthens the effect of positive psychological response on planful problem-solving. Subsequently, planful problem-solving reduces employees' intention to violate the ISP, while wishful thinking increases their intention. This dual-process view sheds new light on the connection between ISP demands and ISP violation intention.
Information security in an organization largely depends on employee compliance with information security policy (ISP). Previous studies have mainly explored the effects of command‐and‐control and self‐regulatory approaches on employee ISP compliance. However, how social influence at both individual and organizational levels impacts the effectiveness of these two approaches has not been adequately explored. This study proposes a social contingency model in which a rules‐oriented ethical climate (employee perception of a rules‐adherence environment) at the organizational level and susceptibility to interpersonal influence (employees observing common practices via peer interactions) at the individual level interact with both command‐and‐control and self‐regulatory approaches to affect ISP compliance. Using employee survey data, we found that these two social influence factors weaken the effects of both command‐and‐control and self‐regulatory approaches on ISP compliance. Theoretical and practical implications are also discussed.
Studies on employee responses to the information security policy (ISP) demands show that employees who experience stress over the demands would resort to emotion‐focused coping to alleviate the stress and subsequently violate the ISP. However, their intent to engage in problem‐focused coping to meet the ISP demands and possibly reduce ISP violations has yet to be analysed. We argue that both types of coping responses coexist in employee responses to ISP demands and they together influence ISP violation intention. Drawing upon the Transactional Model of Stress and Coping, we examine how security‐related stress (SRS) triggers inward and outward emotion‐focused coping, and problem‐focused coping to the ISP demands, which together influence employee ISP violations. We also examine how ISP‐related self‐efficacy and organisational support moderate the effects of SRS on coping responses. We surveyed 200 employees in the United States to test our model. The results indicate that SRS triggers all three coping responses, and ISP‐related self‐efficacy and organisational support reduce the effects of SRS on inward and outward emotion‐focused coping. Problem‐focused coping then decreases ISP violation intention, whereas inward and outward emotion‐focused coping increases it. The model was further verified with ISP compliance as the outcome construct, which yielded consistent results. Understanding various coping responses to SRS and the factors that facilitate or inhibit the responses can assist managers in effectively designing and implementing the ISP to reduce employee ISP violations.
This study explores ways to empower organisations to continuously improve their information security management (ISM). Drawing upon the dynamic capabilities approach, we investigated the mechanism wherein absorptive capacity has an effect. We found that absorptive capacity affects an organisation's continuous improvement of ISM, with its effect mediated through an organisation's adaptability to information security threats. In addition, the effect of absorptive capacity on adaptability is contingent upon the organisation's competitive pressure, which enhances the mediating effect of adaptability. We tested our research model using survey data collected from 130 US-based managers familiar with information security management in their organisations. Theoretical and practical implications of the study are discussed.
This study examines victims' responses to identity theft and antecedents to their responses. Drawing upon the victimization and coping literature, we recognize an emotional response called perceived distress and a portfolio of four behavioral responses including refraining from online transactions, refraining from information disclosure, emotional adjustment, and self-protection such as subscription to identity theft protection services. We conduct an empirical test on the antecedents to the responses. Based on a survey of 197 self-reported identity theft victims, we find that perceived victimization severity, which is determined by the magnitude of financial loss, the extent of misuse of personal information, and the amount of time spent resolving the issue, has a positive impact on perceived distress, and perceived distress has a positive impact on the behavioral responses. In addition, time elapsed since the incident negatively influences perceived distress, and past use of online services negatively influences the behavioral responses. This study highlights the central role of perceived distress in mediating the impact of perceived victimization severity on behavioral responses, calling for more attention to emotional responses of victims.
• Victims' responses to identity theft and antecedents to the responses are studied.
• It shows that victimization severity has a direct impact on perceived distress.
• Perceived distress drives behavioral responses of the victims.
• Time elapsed since the incident, and habit, both weaken the responses.
• The central role of distress in driving protective behaviors is highlighted.