Stress-based security compliance model - an exploratory study

Purpose: This paper aims to extend current information security compliance research by adapting the “work-stress model” of the extended Job Demands-Resources model to explore how security compliance demands and organizational and personal resources influence end-user security compliance. The paper proposes security compliance burnout and security engagement as the mediating factors between security compliance demands, organizational and personal resources, and individual security compliance.

Design/methodology/approach: The authors used a multi-case in-depth interview method to explore the relevance and significance of security demands, organizational resources and personal resources for security compliance at work. Seventeen participants in three organizations in Vietnam (a bank, a university and an oil distribution company) were interviewed during a four-month period.

Findings: The study identified three security demands, three security resources and two aspects of personal resources that influence security compliance. The study demonstrates that security environment factors such as security demands and resources affected compliance burden and security engagement. Personal resources could play an integral role in moderating the impact of the security environment on security compliance.

Research limitations/implications: The findings presented are not generalizable to the wider population of end-users in Vietnam due to the small sample size used in the interviews. Further quantitative studies are needed to measure the extent of each predictor's effect on security compliance.

Originality/value: The originality of the research stems from proposing not only stress-based but also motivating factors from the security environment as influences on security compliance. By using a qualitative approach, the study provides more insight into the impact of the security environments on security compliance.
