Toward a stage theory of the development of employees' information security behavior

Abstract

Existing behavioral information security research proposes continuum or non-stage models that search for static determinants of information security behavior (ISB), treating that behavior as unchanging. Such models cannot explain cases in which the reasons for ISB change. Yet the underlying reasons and motives for users' ISB are not static; they may change over time. To understand how reasoning shifts between different antecedents, we examine stage theorizing in other fields and develop the requirements for an emergent theory of the development of employees' ISB: (1) the content of the stages, based on the stage elements and their stage-specific attributes; (2) the stage-independent element that explains the instability of ISB; and (3) the temporal order of the stages, based on developmental progression. To illustrate these stage theory requirements in an information security context, we suggest four stages: intuitive thinking, declarative thinking, agency-related thinking, and routine-related thinking. We propose that learning is a key driver of change between the stages. According to our theorizing, employees start with intuitive beliefs and later develop routine-related thinking. Furthermore, using interview data collected from employees in a multinational company, we illustrate the differences between the stages. For future information security research, we conceptualize ISB change in terms of stages and contribute a theoretical framework that can be empirically validated. In relation to practice, understanding the differences between the stages offers a foundation for identifying the stage-specific challenges that lead to non-compliance and for designing information security training aimed at tackling those challenges. Given that users' ISB follows stages, although not in a specific order, identifying such stages can improve the effectiveness of information security training interventions within organizations.
