Security monitoring and information security assurance behaviour among employees

The purpose of this research is to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour. Security assurance behaviour represents employees’ intentional and effortful actions aimed towards protecting information systems. The behaviour is highly desired as it tackles the human factor within the information security framework. The authors posited that security assurance behaviour is a learned behaviour that can be enhanced by the implementation of information security monitoring.

The theoretical framework underlying this study comprises six constructs, namely, subjective norm, outcome expectation, information security monitoring, information security policy, self-efficacy and perceived inconvenience, which were identified as significant in determining employees’ security assurance behaviour (SAB). The influence of these constructs on SAB could be explained by social cognitive theory and is empirically supported by past studies. An online questionnaire survey was adopted as the main research instrument to elicit information on the six constructs tested in this study. Opinions from industry and academic expert panels on the relevance and face validity of the questionnaire were obtained prior to the survey administration.

Findings from this research indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy. This study also demonstrates that employees tend to abandon security behaviour when the behaviour is perceived as inconvenient. Hence, organisations must find ways to reduce the perceived inconvenience using various security automation methods and specialised security training. Reducing perceived inconvenience is a challenge to information security practitioners.

There are some limitations in the existing work that could be addressed in future studies. One of them is the possible social desirability bias due to the self-reported measure adopted in the study. Even though the authors have made every effort possible to collect representative responses via anonymous survey, it is still possible that the respondents may not reveal true behaviour, as good conduct is generally desired. This may lead to a bias towards favourable behaviour.

In general, the present research provides a number of significant insights and valuable information related to security assurance behaviour among employees. The major findings could assist security experts and organisations to develop better strategies and policies for information security protection. Findings of this research also indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy.

In this research, the social cognitive learning theory is used to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour; the finding implies that monitoring emphasises expected behaviours and helps to reinforce organisational norms. Monitoring may also accelerate learning when employees become strongly mindful of their behaviours. Hence, it is important for organisations to communicate the monitoring practices implemented, and this is even more imperative whenever the security monitoring employed is unobtrusive in nature. Nonetheless, care must be taken in this communication to avoid resentment and mistrust among employees.

This study is significant in a number of ways. First, this study highlights significant antecedents of security assurance behaviour, which helps organisations to assess their current practices, which may nurture or suppress information security. Second, from the users’ perspective, this study provides recommendations pertaining to monitoring as a form of information security measure. Third, this study provides a theoretical contribution to the existing information security literature via the application of the social cognitive learning theory.

[1]  G. Lawrence Sanders,et al.  Exploring the influence of flow and psychological ownership on security education, training and awareness effectiveness and security compliance , 2018, Decis. Support Syst..

[2]  Edie Schmidt,et al.  Resistance or Acquiescence: Student Perception of Software Surveillance during a Team-Based Simulation , 2015 .

[3]  Mo Adam Mahmood,et al.  Employees' adherence to information security policies: An exploratory field study , 2014, Inf. Manag..

[4]  Dwight D. Frink,et al.  Emotional Intelligence as a Moderator of the Relationship between Conscientiousness and Performance , 2004 .

[5]  Wanli Ma,et al.  Impact of restrictive composition policy on user password choices , 2011, Behav. Inf. Technol..

[6]  Neil F. Doherty,et al.  The information security policy unpacked: A critical study of the content of university policies , 2009, Int. J. Inf. Manag..

[7]  Cheolho Yoon,et al.  Exploring Factors That Influence Students’ Behaviors in Information Security , 2013 .

[8]  Chieh-Peng Lin,et al.  Understanding innovation performance and its antecedents: A socio-cognitive model , 2012 .

[9]  Aggeliki Tsohou,et al.  Analyzing the role of cognitive and cultural biases in the internalization of information security policies: Recommendations for information security awareness programs , 2015, Comput. Secur..

[10]  Allison W. Harrison,et al.  Testing the self-efficacy-performance linkage of social-cognitive theory. , 1997, The Journal of social psychology.

[11]  Mark J. Martinko,et al.  Identifying Leader Social Cognitions: Integrating the Causal Reasoning Perspective into Social Cognitive Theory , 2004 .

[12]  Brian H. Kleiner,et al.  Electronic surveillance in the workplace , 2003 .

[13]  Geoff Watson E-mail surveillance in the UK workplace - a management consulting case study , 2002, Aslib Proc..

[14]  John Cordery,et al.  Self-Management Efficacy as a Mediator of the Relation Between Job Design and Employee Motivation , 2001 .

[15]  Yung-Hsiang Cheng,et al.  Evaluating bicycle-transit users’ perceptions of intermodal inconvenience , 2012 .

[16]  Sarah Elizabeth Kennedy The pathway to security - mitigating user negligence , 2016, Inf. Comput. Secur..

[17]  Princely Ifinedo,et al.  Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition , 2014, Inf. Manag..

[18]  Babajide Osatuyi,et al.  Personality Traits and Information Privacy Concern on Social Media Platforms , 2015, J. Comput. Inf. Syst..

[19]  Patrick Y. K. Chau,et al.  Explaining the Misuse of Information Systems Resources in the Workplace: A Dual-Process Approach , 2014, Journal of Business Ethics.

[20]  James H. Steiger,et al.  Understanding the limitations of global fit assessment in structural equation modeling , 2007 .

[21]  J. D'Arcy,et al.  Security culture and the employment relationship as drivers of employees' security compliance , 2014, Inf. Manag. Comput. Secur..

[22]  R. Woodman,et al.  Innovative Behavior in the Workplace: The Role of Performance and Image Outcome Expectations , 2010 .

[23]  José F. Domene Calling and Career Outcome Expectations , 2012 .

[24]  Michael Workman,et al.  A field study of corporate employee monitoring: Attitudes, absenteeism, and the moderating influences of procedural justice perceptions , 2009, Inf. Organ..

[25]  Salvatore Aurigemma,et al.  From the weakest link to the best defense : exploring the factors that affect employee intention to comply with information security policies , 2013 .

[26]  Patrick De Pelsmacker,et al.  Positive and Negative Antecedents of Purchasing Eco-friendly Products: A Comparison Between Green and Non-green Consumers , 2016 .

[27]  Jeffrey M. Stanton,et al.  Examining employee compliance with organizational surveillance and monitoring , 2006 .

[28]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[29]  Jingguo Wang,et al.  Employees' information security policy compliance: A norm activation perspective , 2016, Decis. Support Syst..

[30]  Alexandra Durcikova,et al.  Simplicity is Bliss: Controlling Extraneous Cognitive Load in Online Security Training to Promote Secure Behavior , 2013, J. Organ. End User Comput..

[31]  Mark Rowe,et al.  You've got mail... and the boss knows: A survey by the Center for Business Ethics of companies' email and Internet monitoring , 2003 .

[32]  C. Fornell,et al.  Evaluating structural equation models with unobservable variables and measurement error. , 1981 .

[33]  Qiang Tu,et al.  The Impact of Computer Self-Efficacy and Technology Dependence on Computer-Related Technostress: A Social Cognitive Theory Perspective , 2011, Int. J. Hum. Comput. Interact..

[34]  Constantinos M. Kokkinos,et al.  Coping with bullying and victimisation among preadolescents: the moderating effects of self-efficacy , 2015 .

[35]  Kuang-Wei Wen,et al.  Impacts of Comprehensive Information Security Programs on Information Security Culture , 2015, J. Comput. Inf. Syst..

[36]  Tom L. Roberts,et al.  The Impact of Organizational Commitment on Insiders’ Motivation to Protect Organizational Information Assets , 2015, J. Manag. Inf. Syst..

[37]  Hilary Johnson,et al.  Rational security: Modelling everyday password use , 2012, Int. J. Hum. Comput. Stud..

[38]  Lingling Xu,et al.  Understanding the continuance use of social network sites: a computer self-efficacy perspective , 2015, Behav. Inf. Technol..

[39]  Effy Oz,et al.  Electronic workplace monitoring: What employees think , 1999 .

[40]  Nico Martins,et al.  Improving the information security culture through monitoring and implementation actions illustrated through a case study , 2015, Comput. Secur..

[41]  Dirk Holtbrügge,et al.  Personal Attributes, Organizational Conditions, and Ethical Attitudes: A Social Cognitive Approach , 2015 .

[42]  Muhammad Muazzem Hossain,et al.  Why do shoppers abandon shopping cart? Perceived waiting time, risk, and transaction inconvenience , 2009 .

[43]  Samira Sadaoui,et al.  A Multi-Attribute Auction Mechanism based on Conditional Constraints and Conditional Qualitative Preferences , 2016, J. Theor. Appl. Electron. Commer. Res..

[44]  Malcolm Robert Pattinson,et al.  The Human Aspects of Information Security Questionnaire (HAIS-Q): Two further validation studies , 2017, Comput. Secur..

[45]  Laura Borgogni,et al.  What makes employees engaged with their work? The role of self-efficacy and employee’s perceptions of social context over time , 2016 .

[46]  Pablo Zoghbi-Manrique-de-Lara,et al.  Predicting nonlinear effects of monitoring and punishment on employee deviance: The role of procedural justice , 2011 .

[47]  N. Anderson,et al.  Measuring climate for work group innovation: development and validation of the team climate inventory , 1998 .

[48]  A. Bandura Self-efficacy mechanism in human agency. , 1982 .

[49]  Areej AlHogail,et al.  Design and validation of information security culture framework , 2015, Comput. Hum. Behav..

[50]  Yehuda Baruch,et al.  International graduate students' perceptions and interest in international careers , 2015 .

[51]  Rebecca M. Chory,et al.  Organizational Surveillance of Computer-Mediated Workplace Communication: Employee Privacy Concerns and Responses , 2016 .

[52]  Sharon K. Gibson Social Learning (Cognitive) Theory and Implications for Human Resource Development , 2004 .

[53]  Jon M. Werner,et al.  The Impact of the Perceived Purpose of Electronic Performance Monitoring on an Array of Attitudinal Variables. , 2007 .

[54]  Tejaswini Herath,et al.  Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness , 2009, Decis. Support Syst..

[55]  Mikko T. Siponen,et al.  Toward a Unified Model of Information Security Policy Compliance , 2018, MIS Q..

[56]  Bonnie Brinton Anderson,et al.  Using Measures of Risk Perception to Predict Information Security Behavior: Insights from Electroencephalography (EEG) , 2014, J. Assoc. Inf. Syst..

[57]  Jason L. Snyder E-Mail Privacy in the Workplace , 2010 .

[58]  Tamara Dinev,et al.  Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture , 2012, Decis. Sci..

[59]  Brian Cooper,et al.  Electronic monitoring and surveillance in the workplace: The effects on trust in management, and the moderating role of occupational type , 2015 .

[60]  France Bélanger,et al.  Determinants of early conformance with information security policies , 2017, Inf. Manag..

[61]  Robert E. Crossler,et al.  I'm Game, are You? Reducing Real-World Security Threats by Managing Employee Activity in Online Social Networks , 2014, J. Inf. Syst..

[62]  Zhenzhong Ma,et al.  Service quality and customer switching behavior in China's mobile phone service sector , 2013 .

[63]  Hao Chen,et al.  Mobile device users' privacy security assurance behavior: A technology threat avoidance perspective , 2017, Inf. Comput. Secur..

[64]  S. Grover,et al.  Does one good turn deserve another? coworker influences on employee citizenship , 2003 .

[65]  G. Stoney Alder,et al.  Employee Reactions to Internet Monitoring: The Moderating Role of Ethical Orientation , 2008 .

[66]  JinYoung Han,et al.  An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective , 2017, Comput. Secur..

[67]  H. P. Sims,et al.  Self-Management as a Substitute for Leadership: A Social Learning Theory Perspective , 1980 .

[68]  Yung-Shen Yen,et al.  Factors enhancing the posting of negative behavior in social media and its impact on venting negative emotions , 2016 .

[69]  Devasheesh P. Bhave The invisible eye? Electronic performance monitoring and employee job performance , 2013 .

[70]  I. Ajzen The theory of planned behavior , 1991 .

[71]  Dennis F. Galletta,et al.  What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors , 2015, MIS Q..

[72]  Neil F. Doherty,et al.  The application of information security policies in large UK-based organizations: an exploratory investigation , 2003, Inf. Manag. Comput. Secur..

[73]  Ken H. Guo Security-related behavior in using information systems in the workplace: A review and synthesis , 2013, Comput. Secur..

[74]  William P. Smith,et al.  Monitoring Employee E-mails: Is There Any Room for Privacy? , 2009 .

[75]  James B. Schreiber,et al.  Reporting Structural Equation Modeling and Confirmatory Factor Analysis Results: A Review , 2006 .

[76]  G. Alder Employee reactions to electronic performance monitoring: A consequence of organizational culture , 2001 .

[77]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[78]  Catherine E. Connelly,et al.  Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model , 2011, J. Manag. Inf. Syst..

[79]  T. Kochan,et al.  COMPUTER-AIDED MONITORING: ITS INFLUENCE ON EMPLOYEE JOB SATISFACTION AND TURNOVER , 1989 .

[80]  Gayle Webb White,et al.  Controlling corporate e-mail, PC use and computer security , 2001, Inf. Manag. Comput. Secur..

[81]  Mehmet Palanci,et al.  Analysis of academic self-efficacy, self-esteem and coping with stress skills predictive power on academic procrastination , 2014 .

[82]  Joshua Cook,et al.  Improving password security and memorability to protect personal and organizational information , 2007, Int. J. Hum. Comput. Stud..

[83]  George V. Gushue,et al.  Latina/o College Students' Perceptions of Career Barriers: Influence of Ethnic Identity, Acculturation, and Self‐Efficacy , 2017 .

[84]  Malcolm Robert Pattinson,et al.  Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q) , 2014, Comput. Secur..

[85]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[86]  Ying Li,et al.  Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory , 2013, Comput. Secur..

[87]  Kuang-Wei Wen,et al.  Organizations' Information Security Policy Compliance: Stick or Carrot Approach? , 2012, J. Manag. Inf. Syst..

[88]  Paul Benjamin Lowry,et al.  Proposing the control‐reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies , 2015, Inf. Syst. J..

[89]  Lamar Pierce,et al.  Cleaning House: The Impact of Information Technology Monitoring on Employee Theft and Productivity , 2014, Manag. Sci..

[90]  Alecia M. Santuzzi,et al.  Monitoring What and How: Psychological Implications of Electronic Performance Monitoring , 2015 .

[91]  Chandana Gamage,et al.  Employee perception towards electronic monitoring at work place and its impact on job satisfaction of software professionals in Sri Lanka , 2012, Telematics Informatics.

[92]  Steven Furnell,et al.  Information security policy compliance model in organizations , 2016, Comput. Secur..

[93]  Gagandeep Kang,et al.  Analysis of human immune responses in quasi-experimental settings: tutorial in biostatistics , 2012, BMC Medical Research Methodology.