From hindrance to challenge

Purpose: This paper investigates how employees respond to information security policies (ISPs) when they view the policies as a challenge rather than a hindrance to work. Specifically, the authors examine the roles of challenge security demands (i.e. continuity and mandatory) and psychological resources (i.e. personal and job resources) in influencing employees’ ISP non-compliance.

Design/methodology/approach: Applying a hypothetical scenario-based survey method, the authors tested their proposed model in six typical ISP violation scenarios. In sum, 347 responses were collected from a global company. The data were analyzed using partial least squares-based structural equation modeling.

Findings: Continuity and mandatory demands increased employees’ level of perseverance of effort, which, in turn, decreased their ISP non-compliance intention. In addition, job resources, such as the trust enhancement gained from co-workers and the opportunities for professional development, enhanced the perseverance of effort.

Practical implications: The findings suggest that organizations should design training programs that persuade employees to understand the ISPs in a positive way. Meanwhile, organizations should encourage employees to invest more personal resources by creating a trusting atmosphere and providing them with opportunities to learn security knowledge and skills.

Originality/value: This study is among the few to empirically explore how employees respond and behave when they view the security policies as challenge stressors. The paper also provides a novel understanding of how psychological resources contribute to buffering ISP non-compliance.
