Information security burnout: Identification of sources and mitigating factors from security demands and resources

Abstract This study examines how information security burnout can develop from complying with organisational security demands, and whether security burnout can be reduced by engaging organisational and personal resources. The Job Demands-Resources model was extended to the IT security context, to develop and empirically test a security burnout model, using a sample of 443 participants in Vietnam. The results demonstrate that security task overload and difficult access to security requirements increased security burnout while dealing with challenging security requirements reduced burnout. Neither organisational resources nor user self-efficacy were effective in reducing burnout. Moreover, simple security tasks did not guarantee a burnout-free experience for users. The findings emphasise the significance of providing resources and designing security tasks as challenging and rewarding experiences, rather than simply reducing user involvement as a source of decreasing cyber security risks. The research establishes a theoretical basis for further studying the phenomenon of security burnout and its role in user security management.

[1]  Robert E. Crossler,et al.  The quest for complete security: An empirical analysis of users’ multi-layered protection from security threats , 2019, Inf. Syst. Frontiers.

[2]  Sebastian Möller,et al.  Psychological needs as motivators for security and privacy actions on smartphones , 2017, J. Inf. Secur. Appl..

[3]  Kuang-Wei Wen,et al.  Organizations' Information Security Policy Compliance: Stick or Carrot Approach? , 2012, J. Manag. Inf. Syst..

[4]  James C. Anderson,et al.  STRUCTURAL EQUATION MODELING IN PRACTICE: A REVIEW AND RECOMMENDED TWO-STEP APPROACH , 1988 .

[5]  James H. Steiger,et al.  Understanding the limitations of global fit assessment in structural equation modeling , 2007 .

[6]  Tejaswini Herath,et al.  Understanding Employee Responses to Stressful Information Security Requirements: A Coping Perspective , 2014, J. Manag. Inf. Syst..

[7]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[8]  Rossouw von Solms,et al.  From policies to culture , 2004, Comput. Secur..

[9]  Steven Furnell,et al.  Recognising and addressing ‘security fatigue’ , 2009 .

[10]  I. Ajzen The theory of planned behavior , 1991 .

[11]  Ron Henderson,et al.  Occupational differences in computer-related anxiety: implications for the implementation of a computerized patient management information system , 1995, Behav. Inf. Technol..

[12]  S. Hobfoll,et al.  Resource loss, resource gain, and emotional outcomes among inner city women. , 2003, Journal of personality and social psychology.

[13]  Young U. Ryu,et al.  Self-efficacy in information security: Its influence on end users' information security practice behavior , 2009, Comput. Secur..

[14]  S. Parker,et al.  The demands—control model of job strain: A more specific test , 1996 .

[15]  Detmar W. Straub,et al.  Security lapses and the omission of information security measures: A threat control model and empirical test , 2008, Comput. Hum. Behav..

[16]  Laurie J. Kirsch,et al.  If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security , 2009, Eur. J. Inf. Syst..

[17]  A. Bakker,et al.  Job demands, job resources, and their relationship with burnout and engagement: a multi‐sample study , 2004 .

[18]  Yufei Yuan,et al.  The effects of multilevel sanctions on information security violations: A mediating model , 2012, Inf. Manag..

[19]  Paige L. Williams,et al.  Character strengths and wellbeing in adolescence: Structure and correlates of the Values in Action Inventory of Strengths for Children , 2012 .

[20]  Stephen Flowerday,et al.  Contemplating human-centred security & privacy research: Suggesting future directions , 2017, J. Inf. Secur. Appl..

[21]  Gary Klein,et al.  Learning demand and job autonomy of IT personnel: Impact on turnover intention , 2011, Comput. Hum. Behav..

[22]  P. Bentler,et al.  Cutoff criteria for fit indexes in covariance structure analysis : Conventional criteria versus new alternatives , 1999 .

[23]  Jacob Cohen Statistical Power Analysis for the Behavioral Sciences , 1969, The SAGE Encyclopedia of Research Design.

[24]  Debi Ashenden,et al.  Can we sell security like soap?: a new approach to behaviour change , 2013, NSPW '13.

[25]  Dothang Truong,et al.  Computer self-efficacy in an ongoing use context , 2004, Behav. Inf. Technol..

[26]  Joan Richardson,et al.  Information Security and People: A Conundrum for Compliance , 2017, Australas. J. Inf. Syst..

[27]  A. Bakker,et al.  The Role of Personal Resources in the Job Demands-Resources Model , 2007 .

[28]  Eean R. Crawford,et al.  Linking job demands and resources to employee engagement and burnout: a theoretical extension and meta-analytic test. , 2010, The Journal of applied psychology.

[29]  Mo Adam Mahmood,et al.  Employees' Behavior towards IS Security Policy Compliance , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[30]  A. Bakker,et al.  The job demands-resources model : state of the art , 2007 .

[31]  Merrill Warkentin,et al.  Behavioral and policy issues in information systems security: the insider threat , 2009, Eur. J. Inf. Syst..

[32]  Chunghun Lee,et al.  Understanding information security stress: Focusing on the type of information security compliance activity , 2016, Comput. Secur..

[33]  Jamal El-Den,et al.  Stress-based security compliance model - an exploratory study , 2016, Inf. Comput. Secur..

[34]  Gurpreet Dhillon,et al.  Value‐focused assessment of information system security in organizations , 2006, Inf. Syst. J..

[35]  Con Stough,et al.  The role of personality in the job demands-resources model A study of Australian academic staff , 2010 .

[36]  Marisa Salanova,et al.  Computer training, frequency of usage and burnout: the moderating role of computer self-efficacy , 2000 .

[37]  Toon W. Taris,et al.  A Critical Review of the Job Demands-Resources Model: Implications for Improving Work and Health , 2014 .

[38]  Dennis F. Galletta,et al.  Lost in Cyberspace: The Impact of Information Scent and Time Constraints on Stress, Performance, and Attitudes Online , 2015, J. Manag. Inf. Syst..

[39]  Qiang Tu,et al.  The Impact of Computer Self-Efficacy and Technology Dependence on Computer-Related Technostress: A Social Cognitive Theory Perspective , 2011, Int. J. Hum. Comput. Interact..

[40]  Qing Hu,et al.  Does deterrence work in reducing information security policy abuse by employees? , 2011, Commun. ACM.

[41]  Steffen Torp,et al.  Work engagement and health among industrial workers , 2012 .

[42]  A. Bandura Self-Efficacy: The Exercise of Control , 1997, Journal of Cognitive Psychotherapy.

[43]  Jean-Pierre Bonin,et al.  Contribution of the Psychosocial Work Environment to Psychological Distress Among Health Care Professionals Before and During a Major Organizational Change , 2010, The health care manager.

[44]  Eirik Albrechtsen,et al.  The information security digital divide between information security managers and users , 2009, Comput. Secur..

[45]  Mikko T. Siponen,et al.  IS Security Policy Violations: A Rational Choice Perspective , 2012, J. Organ. End User Comput..

[46]  Princely Ifinedo,et al.  Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory , 2012, Comput. Secur..

[47]  Robert W. Schrauf,et al.  Using Existing Tests and Scales in the Field , 2005 .

[48]  Y. Fried,et al.  A META-ANALYSIS OF WORK DEMAND STRESSORS AND JOB PERFORMANCE: EXAMINING MAIN AND MODERATING EFFECTS , 2008 .

[49]  K. Yuan Fit Indices Versus Test Statistics , 2005, Multivariate behavioral research.

[50]  Arla Day,et al.  Organisational change and employee burnout: The moderating effects of support and job control , 2017 .

[51]  Jordan Shropshire,et al.  The IT Security Adoption Conundrum: An Initial Step Toward Validation of Applicable Measures , 2007, AMCIS.

[52]  Laurie J. Kirsch,et al.  The Last Line of Defense: Motivating Employees to Follow Corporate Security Guidelines , 2007, ICIS.

[53]  Tom L. Roberts,et al.  The Impact of Organizational Commitment on Insiders’ Motivation to Protect Organizational Information Assets , 2015, J. Manag. Inf. Syst..

[54]  L. Fabrigar,et al.  Theory of Planned Behavior , 2017 .

[55]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[56]  M. Salanova,et al.  The dark side of technologies: technostress among users of information and communication technologies. , 2013, International journal of psychology : Journal international de psychologie.

[57]  Rathindra Sarathy,et al.  Exploring the effects of organizational justice, personal ethics and sanction on internet use policy compliance , 2014, Inf. Syst. J..

[58]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[59]  Paul E. Spector,et al.  The Relation between Work–Family Conflict and Job Satisfaction: A Finer-Grained Analysis , 2002 .

[60]  James Cox,et al.  Information systems user security: A structured model of the knowing-doing gap , 2012, Comput. Hum. Behav..

[61]  Mo Adam Mahmood,et al.  Employees' adherence to information security policies: An exploratory field study , 2014, Inf. Manag..

[62]  Tejaswini Herath,et al.  Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness , 2009, Decis. Support Syst..

[63]  Mikko T. Siponen,et al.  Motivating IS security compliance: Insights from Habit and Protection Motivation Theory , 2012, Inf. Manag..

[64]  J. Hair Multivariate data analysis , 1972 .

[65]  R. W. Rogers,et al.  Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change , 1983 .

[66]  A. Bakker,et al.  The job demands-resources model of burnout. , 2001, The Journal of applied psychology.

[67]  A. Bakker,et al.  Present but sick: a three‐wave study on job demands, presenteeism and burnout , 2009 .

[68]  Tom L. Roberts,et al.  Understanding the mindset of the abusive insider: An examination of insiders' causal reasoning following internal security changes , 2011, Comput. Secur..