The Impact of Organizational Commitment on Insiders’ Motivation to Protect Organizational Information Assets

Abstract Insiders may act to sustain and improve organizational information security, yet our knowledge of what motivates them to do so remains limited. For example, most extant research relies on mere portions of protection motivation theory (PMT) and has focused on isolated behaviors, thus limiting the generalizability of findings to isolated issues, rather than addressing the global set of protective security behaviors. Here, we investigate the motivations surrounding this larger behavioral set by assessing maladaptive rewards, response costs, and fear alongside traditional PMT components. We extend PMT by showing that: (1) security education, training, and awareness (SETA) efforts help form appraisals; (2) PMT’s applicability to organizational rather than personal contexts depends on insiders’ organizational commitment levels; and (3) response costs provide the link between PMT’s appraisals. We show in detail how organizational commitment is the mechanism through which organizational security threats become personally relevant to insiders and how SETA efforts influence many PMT-based components.

[1]  Thomas E. Becker,et al.  Employee commitment and motivation: a conceptual analysis and integrative model. , 2004, The Journal of applied psychology.

[2]  Keven G. Ruby,et al.  The Insider Threat to Information Systems , 2022 .

[3]  Ranida B. Harris,et al.  Social Networking Websites and Posting Personal Information: An Evaluation of Protection Motivation Theory , 2011 .

[4]  Paul Benjamin Lowry,et al.  Using Accountability to Reduce Access Policy Violations in Information Systems , 2013, J. Manag. Inf. Syst..

[5]  Qing Hu,et al.  User behaviour towards protective information technologies: the role of national cultural differences , 2009, Inf. Syst. J..

[6]  Joseph S. Valacich,et al.  The Behavioral Roots of Information Systems Security: Exploring Key Factors Related to Unethical IT Use , 2015, J. Manag. Inf. Syst..

[7]  Marcia J. Simmering,et al.  A Tale of Three Perspectives , 2009 .

[8]  Paul Benjamin Lowry,et al.  Partial Least Squares (PLS) Structural Equation Modeling (SEM) for Building and Testing Behavioral Causal Theory: When to Choose It and How to Use It , 2014, IEEE Transactions on Professional Communication.

[9]  Irene Woon,et al.  A Protection Motivation Theory Approach to Home Wireless Security , 2005, ICIS.

[10]  Tejaswini Herath,et al.  Understanding Employee Responses to Stressful Information Security Requirements: A Coping Perspective , 2014, J. Manag. Inf. Syst..

[11]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[12]  John P. Meyer,et al.  Commitment to organizations and occupations: Extension and test of a three-component conceptualization. , 1993 .

[13]  Kregg Aytes,et al.  Computer Security and Risky Computing Practices: A Rational Choice Perspective , 2004, J. Organ. End User Comput..

[14]  K. Witte Putting the fear back into fear appeals: The extended parallel process model , 1992 .

[15]  Walter G. Stephan,et al.  Protection Motivation Theory: Prediction of Intentions to Engage in Anti‐Nuclear War Behaviors1 , 1986 .

[16]  Qing Hu,et al.  The Role of Self-Control in Information Security Violations: Insights from a Cognitive Neuroscience Perspective , 2015, J. Manag. Inf. Syst..

[17]  A. Bandura Self-efficacy: toward a unifying theory of behavioral change. , 1977, Psychological review.

[18]  Philip H. Mirvis,et al.  Assessing organizational change : a guide to methods, measures, and practices , 1984 .

[19]  L. J. Williams,et al.  Job Satisfaction and Organizational Commitment as Predictors of Organizational Citizenship and In-Role Behaviors , 1991 .

[20]  Theresa M. Welbourne,et al.  Improving Technology-Based Change Processes Through Measurement and Communication: A Case Study on Indus International , 1997 .

[21]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[22]  R. Bennett,et al.  Development of a measure of workplace deviance. , 2000, The Journal of applied psychology.

[23]  R. W. Rogers,et al.  Effects of components of protection-motivation theory on adaptive and maladaptive coping with a health threat. , 1987, Journal of personality and social psychology.

[24]  Lauren G. Block,et al.  When to Accentuate the Negative: The Effects of Perceived Efficacy and Message Framing on Intentions to Perform a Health-Related Behavior , 1995 .

[25]  Detmar W. Straub,et al.  Featured Talk: Measuring Secure Behavior: A Research Commentary , 2012 .

[26]  Tom L. Roberts,et al.  Multiple Indicators and Multiple Causes (MIMIC) Models as a Mixed-Modelling Technique: A Tutorial and an Annotated Example , 2014, Commun. Assoc. Inf. Syst..

[27]  Anat Hovav,et al.  Deterring internal information systems misuse , 2007, CACM.

[28]  P. Lachenbruch Statistical Power Analysis for the Behavioral Sciences (2nd ed.) , 1989 .

[29]  A. Mahmood,et al.  Factors Influencing Protection Motivation and IS Security Policy Compliance , 2006, 2006 Innovations in Information Technology.

[30]  Theresa M. Welbourne,et al.  Fear: A Misunderstood Component of Organizational Transformation , 1994 .

[31]  James B. Hunt,et al.  The Protection Motivation Model: A Normative Model of Fear Appeals: , 1991 .

[32]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[33]  Jin Nam Choi Change‐oriented organizational citizenship behavior: effects of work environment characteristics and intervening psychological processes , 2007 .

[34]  Ronald T. Cenfetelli,et al.  The analysis of formative measurement in IS research: choosing between component-and covariance-based techniques , 2013, DATB.

[35]  Dennis F. Galletta,et al.  The Drivers in the Use of Online Whistle-Blowing Reporting Systems , 2013, J. Manag. Inf. Syst..

[36]  Scott B. MacKenzie,et al.  Organizational Citizenship Behavior and the Quantity and Quality of Work Group Performance , 1997, The Journal of applied psychology.

[37]  Gina J. Medsker,et al.  RELATIONS BETWEEN WORK GROUP CHARACTERISTICS AND EFFECTIVENESS: IMPLICATIONS FOR DESIGNING EFFECTIVE WORK GROUPS , 1993 .

[38]  Paul Benjamin Lowry,et al.  Improving Password Cybersecurity Through Inexpensive and Minimally Invasive Means: Detecting and Deterring Password Reuse Through Keystroke-Dynamics Monitoring and Just-in-Time Fear Appeals , 2014, Inf. Technol. Dev..

[39]  Richard M. Steers,et al.  Organizational commitment, job satisfaction, and turnover among psychiatric technicians. , 1974 .

[40]  Rathindra Sarathy,et al.  Understanding compliance with internet use policy from the perspective of rational choice theory , 2010, Decis. Support Syst..

[41]  B. Byrne,et al.  Testing for the equivalence of factor covariance and mean structures: The issue of partial measurement invariance. , 1989 .

[42]  D. Organ,et al.  A META-ANALYTIC REVIEW OF ATTITUDINAL AND DISPOSITIONAL PREDICTORS OF ORGANIZATIONAL CITIZENSHIP BEHAVIOR , 1995 .

[43]  John P. Meyer,et al.  Testing the "Side-Bet Theory" of Organizational Commitment: Some Methodological Considerations , 1984 .

[44]  R. Mauborgne,et al.  Procedural justice, attitudes, and subsidiary top management compliance with multinationals' corporate strategic decisions. , 1993 .

[45]  L. Porter,et al.  The Measurement of Organizational Commitment. , 1979 .

[46]  Kuang-Wei Wen,et al.  Organizations' Information Security Policy Compliance: Stick or Carrot Approach? , 2012, J. Manag. Inf. Syst..

[47]  Steven Prentice-Dunn,et al.  The role of appearance concern in responses to intervention to reduce skin cancer risk , 2002 .

[48]  Neville Owen,et al.  Protection Motivation Theory and Adolescents' Perceptions of Exercise1 , 1992 .

[49]  Younghwa Lee,et al.  Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software , 2009, Eur. J. Inf. Syst..

[50]  Charles L. Hulin,et al.  The importance of individuals' repertoires of behaviors: The scientific appropriateness of studying multiple behaviors and general attitudes. , 1998 .

[51]  Tejaswini Herath,et al.  Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness , 2009, Decis. Support Syst..

[52]  Herbert J. Mattord,et al.  Principles of Information Security , 2004 .

[53]  Jeffrey D. Wall,et al.  Control-Related Motivations and Information Security Policy Compliance: The Role of Autonomy and Efficacy , 2013 .

[54]  Robert LaRose,et al.  Promoting personal responsibility for internet safety , 2008, CACM.

[55]  Kenneth H. Beck,et al.  The effects of risk probability, outcome severity, efficacy of protection and access to protection on decision making: A further test of protection motivation theory , 1984 .

[56]  Cortlandt Cammann,et al.  Assessing the attitudes and perceptions of organizational members , 1983 .

[57]  Steven Prentice-Dunn,et al.  Coping appraisal and parents' intentions to inform their children about sexual abuse: a protection motivation theory analysis , 1989 .

[58]  Mo Adam Mahmood,et al.  Compliance with Information Security Policies: An Empirical Investigation , 2010, Computer.

[59]  Tom L. Roberts,et al.  Proposing the online community self-disclosure model: the case of working professionals in France and the U.K. who use online communities , 2010, Eur. J. Inf. Syst..

[60]  Mo Adam Mahmood,et al.  Employees' Behavior towards IS Security Policy Compliance , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[61]  Xianggui Qu,et al.  Multivariate Data Analysis , 2007, Technometrics.

[62]  John P. Meyer,et al.  A three-component conceptualization of organizational commitment , 1991 .

[63]  Jan H. P. Eloff,et al.  Information security: The moving target , 2009, Comput. Secur..

[64]  Adamantios Diamantopoulos,et al.  Incorporating Formative Measures into Covariance-Based Structural Equation Models , 2011, MIS Q..

[65]  Atreyi Kankanhalli,et al.  Studying users' computer security behavior: A health belief perspective , 2009, Decis. Support Syst..

[66]  R. Rogers Cognitive and physiological processes in fear appeals and attitude change: a revised theory of prote , 1983 .

[67]  Mikko T. Siponen,et al.  Which Factors Explain Employees' Adherence to Information Security Policies? An Empirical Study , 2007, PACIS.

[68]  Michael Workman,et al.  How perceptions of justice affect security attitudes: suggestions for practitioners and researchers , 2009, Inf. Manag. Comput. Secur..

[69]  Merrill Warkentin,et al.  Beyond Deterrence: An Expanded View of Employee Computer Abuse , 2013, MIS Q..

[70]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[71]  Effy Oz,et al.  Organizational Commitment and Ethical Behavior: An Empirical Study of Information System Professionals , 2001 .

[72]  Ike-Elechi Ogba,et al.  Commitment in the workplace: The impact of income and age on employee commitment in Nigerian banking sector , 2008 .

[73]  M. Goldberg,et al.  What to Convey in Antismoking Advertisements for Adolescents: The use of Protection Motivation Theory to Identify Effective Message Themes , 2003 .

[74]  Detmar W. Straub,et al.  Security lapses and the omission of information security measures: A threat control model and empirical test , 2008, Comput. Hum. Behav..

[75]  John P. Meyer,et al.  Affective, Continuance, and Normative Commitment to the Organization: An Examination of Construct Validity , 1996, Journal of vocational behavior.

[76]  Andrea Everard,et al.  Privacy Concerns Versus Desire for Interpersonal Awareness in Driving the Use of Self-Disclosure Technologies: The Case of Instant Messaging in Two Cultures , 2011, J. Manag. Inf. Syst..

[77]  Jose C. Casal,et al.  Organizational Commitment and Whistle-Blowing , 1994 .

[78]  John P. Meyer,et al.  AFFECTIVE, CONTINUANCE, AND NORMATIVE COMMITMENT TO THE ORGANIZATION: A META-ANALYSIS OF ANTECEDENTS, CORRELATES, AND CONSEQUENCES , 2002 .

[79]  P. Sheeran,et al.  Prediction and Intervention in Health-Related Behavior: A Meta-Analytic Review of Protection Motivation Theory , 2000 .

[80]  R. W. Rogers,et al.  A meta-analysis of research on protection motivation theory. , 2000 .

[81]  H. Leventhal,et al.  Findings and Theory in the Study of Fear Communications , 1970 .

[82]  Dennis F. Galletta,et al.  What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors , 2015, MIS Q..

[83]  Jan H. P. Eloff,et al.  A framework and assessment instrument for information security culture , 2010, Comput. Secur..

[84]  Xin Luo,et al.  Consumer motivations in taking action against spyware: an empirical investigation , 2009, Inf. Manag. Comput. Secur..

[85]  Mikko T. Siponen,et al.  Motivating IS security compliance: Insights from Habit and Protection Motivation Theory , 2012, Inf. Manag..

[86]  Ritu Agarwal,et al.  Practicing Safe Computing: A Multimedia Empirical Examination of Home Computer User Security Behavioral Intentions , 2010, MIS Q..

[87]  E. Seydel,et al.  Protection Motivation Theory , 2022 .

[88]  Fred B. Bryant,et al.  Principles and Practice of Scaled Difference Chi-Square Testing , 2012 .

[89]  Jan Guynes Clark,et al.  Why there aren't more information security research studies , 2004, Inf. Manag..

[90]  Younghwa Lee,et al.  An empirical investigation of anti-spyware software adoption: A multitheoretical perspective , 2008, Inf. Manag..

[91]  K Witte,et al.  Predicting risk behaviors: development and validation of a diagnostic scale. , 1996, Journal of health communication.

[92]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[93]  Sarv Devaraj,et al.  Employee Misuse of Information Technology Resources: Testing a Contemporary Deterrence Model , 2012, Decis. Sci..

[94]  R. W. Rogers,et al.  Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change , 1983 .

[95]  Donna M. Randall,et al.  Perceived Organisational Support, Satisfaction with Rewards, and Employee Job Involvement and Organisational Commitment , 1999 .

[96]  Yajiong Xue,et al.  Avoidance of Information Technology Threats: A Theoretical Perspective , 2009, MIS Q..

[97]  Catherine E. Connelly,et al.  Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model , 2011, J. Manag. Inf. Syst..

[98]  Eirik Albrechtsen,et al.  The information security digital divide between information security managers and users , 2009, Comput. Secur..

[99]  C. Viswesvaran,et al.  Employee Proactivity in Organizations: A Comparative Meta-Analysis of Emergent Proactive Constructs , 2010 .

[100]  Mo Adam Mahmood,et al.  Technical opinionAre employees putting your company at risk by not following information security policies? , 2009, Commun. ACM.

[101]  C. Fornell,et al.  Evaluating structural equation models with unobservable variables and measurement error. , 1981 .

[102]  Joseph A. Cote,et al.  Multicollinearity and Measurement Error in Structural Equation Models: Implications for Theory Testing , 2004 .

[103]  George R. Franke,et al.  Fear, Coping, and Information , 2003, Health marketing quarterly.

[104]  Jacob Cohen Statistical Power Analysis for the Behavioral Sciences , 1969, The SAGE Encyclopedia of Research Design.

[105]  Melvin R. Crask,et al.  Protection motivation theory : An extension of fear appeals theory in communication , 1989 .

[106]  Yajiong Xue,et al.  Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective , 2010, J. Assoc. Inf. Syst..

[107]  Tamara Dinev,et al.  Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture , 2012, Decis. Sci..

[108]  Indira R. Guzman,et al.  Examining the linkage between organizational commitment and information security , 2003, SMC'03 Conference Proceedings. 2003 IEEE International Conference on Systems, Man and Cybernetics. Conference Theme - System Security and Assurance (Cat. No.03CH37483).

[109]  Tom L. Roberts,et al.  Insiders' Protection of Organizational Information Assets: Development of a Systematics-Based Taxonomy and Theory of Diversity for Protection-Motivated Behaviors , 2013, MIS Q..