Keeping customers' data secure: A cross-cultural study of cybersecurity compliance among the Gen-Mobile workforce

Abstract Employees are increasingly relying on mobile devices. In international organizations, more employees are using their personal smartphones for work purposes. Meanwhile, the number of data breaches is rising and affecting the security of customers' data. However, employees' cybersecurity compliance with cybersecurity policies is poorly understood. Researchers have called for a more holistic approach to information security. We propose an employee smartphone-security compliance (ESSC) model, which deepens understanding of employees' information-security behavior by considering influences on the national, organizational, technological (smartphone-specific), and personal levels. The research focuses on secure smartphone use in the workplace among Gen-Mobile (aged 18–35) employees in a cross-cultural context: the United Kingdom (UK), United States (US) and United Arab Emirates (UAE) where 1735 questionnaires were collected. Our findings suggest that those who wish to understand employees' smartphone-security behavior should consider national cybersecurity policies, cultural differences in different countries, and threats specific to smartphone use. In addition, our findings help companies to increase customers’ trust and maintain a positive reputation.

[1]  L. Willcocks,et al.  The emerging Cloud Dilemma: Balancing innovation with cross-border privacy and outsourcing regulations , 2019, Journal of Business Research.

[2]  J. D'Arcy,et al.  Security culture and the employment relationship as drivers of employees' security compliance , 2014, Inf. Manag. Comput. Secur..

[3]  Ben Choi,et al.  Understanding User Adaptation toward a New IT System in Organizations: A Social Network Perspective , 2017, J. Assoc. Inf. Syst..

[4]  I. Ajzen Attitudes, Personality and Behavior , 1988 .

[5]  Sally S. Simpson,et al.  Corporate Crime, Law, and Social Control , 2002 .

[6]  Steven Prentice-Dunn,et al.  Protection motivation theory. , 1997 .

[7]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[8]  R. Rogers Cognitive and physiological processes in fear appeals and attitude change: a revised theory of prote , 1983 .

[9]  Punit Ahluwalia,et al.  Examining the impact of deterrence factors and norms on resistance to Information Systems Security , 2019, Comput. Hum. Behav..

[10]  Anat Hovav,et al.  Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the U.S. and South Korea , 2012, Inf. Manag..

[11]  Scott B. MacKenzie,et al.  Common method biases in behavioral research: a critical review of the literature and recommended remedies. , 2003, The Journal of applied psychology.

[12]  Inho Hwang,et al.  Examining technostress creators and role stress as potential threats to employees' information security compliance , 2018, Comput. Hum. Behav..

[13]  Robert Willis,et al.  A generalized model for smartphone adoption and use in an Arab context: A cross-country comparison , 2018, Inf. Syst. Manag..

[14]  Princely Ifinedo,et al.  Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory , 2012, Comput. Secur..

[15]  Siddhi Pittayachawan,et al.  Comparing intention to avoid malware across contexts in a BYOD-enabled Australian university: A Protection Motivation Theory approach , 2015, Comput. Secur..

[16]  Pamela Briggs,et al.  Using protection motivation theory in the design of nudges to improve online security behavior , 2019, Int. J. Hum. Comput. Stud..

[17]  Icek Ajzen,et al.  From Intentions to Actions: A Theory of Planned Behavior , 1985 .

[18]  J. Hamlin THE MISPLACED ROLE OF RATIONAL CHOICE IN NEUTRALIZATION THEORY , 1988 .

[19]  Paul Michael Di Gangi,et al.  It Takes a Village: Understanding the Collective Security Efficacy of Employee Groups , 2019, J. Assoc. Inf. Syst..

[20]  Yufei Yuan,et al.  Coping with BYOD Security Threat: From Management Perspective , 2015, AMCIS.

[21]  Yu Andy Wu,et al.  Impact of Users’ Security Awareness on Desktop Security Behavior: A Protection Motivation Theory Perspective , 2016, Inf. Syst. Manag..

[22]  Mikko T. Siponen,et al.  Improving Employees' Compliance Through Information Systems Security Training: An Action Research Study , 2010, MIS Q..

[23]  I. Ajzen,et al.  Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research , 1977 .

[24]  Kelly O. Finnerty,et al.  Cyber Security Breaches Survey 2020 , 2019 .

[25]  N. Miller,et al.  Social Learning and Imitation , 1942 .

[26]  Xin Luo,et al.  Security Policy Opt-in Decisions in Bring-Your-Own-Device (BYOD) – A Persuasion and Cognitive Elaboration Perspective , 2019, J. Organ. Comput. Electron. Commer..

[27]  Deborah Compeau,et al.  Computer Self-Efficacy: Development of a Measure and Initial Test , 1995, MIS Q..

[28]  Silas Formunyuy Verkijika,et al.  Understanding smartphone security behaviors: An extension of the protection motivation theory with anticipated regret , 2018, Comput. Secur..

[29]  Rudolf R. Sinkovics,et al.  The Use of Partial Least Squares Path Modeling in International Marketing , 2009 .

[30]  Marn-Ling Shing,et al.  Smartphone Security Risks: Android , 2016 .

[31]  Linda Little,et al.  Unpacking Security Policy Compliance: The Motivators and Barriers of Employees' Security Behaviors , 2015, SOUPS.

[32]  I. Ajzen Perceived behavioral control, self-efficacy, locus of control, and the theory of planned behavior. , 2002 .

[33]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[34]  Sang hoon Kim,et al.  An Integrative Behavioral Model of Information Security Policy Compliance , 2014, TheScientificWorldJournal.

[35]  R. Willis,et al.  An Examination of the Role of National IT Development and Infrastructure in Models for Smartphone Adoption and Use: The Cases of Iraq, Jordan and the UAE , 2018 .

[36]  Thiraput Pitichat Smartphones in the workplace: Changing organizational behavior, transforming the future , 2013 .

[37]  D. Kasprzyk,et al.  Theory of reasoned action, theory of planned behavior, and the integrated behavioral model. , 2008 .

[38]  Richard Bellamy,et al.  Crimes and punishments. , 1963, The Hastings Center report.

[39]  Mikko T. Siponen,et al.  Toward a Unified Model of Information Security Policy Compliance , 2018, MIS Q..

[40]  Tamara Dinev,et al.  Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture , 2012, Decis. Sci..

[41]  E. Deci,et al.  Self‐determination theory and work motivation , 2005 .

[42]  A. Abdel-Wahab Modeling Students’ Intention to Adopt E‐learning: A Case from Egypt , 2008, Electron. J. Inf. Syst. Dev. Ctries..

[43]  Marko Sarstedt,et al.  Multigroup Analysis in Partial Least Squares (PLS) Path Modeling: Alternative Methods and Empirical Results , 2011 .

[44]  J. Doug Tygar,et al.  Managing Employee Security Behaviour in Organisations: The Role of Cultural Factors and Individual Values , 2014, SEC.

[45]  Dale T. Griffee,et al.  Research Methods in Applied Linguistics , 2007 .

[46]  Gaye Karacay,et al.  Role of Leaders as Agents of Negotiation for Counterbalancing Cultural Dissonance in the Middle East and North Africa Region , 2019 .

[47]  Mahmood Hussain Shah,et al.  Information security management needs more holistic approach: A literature review , 2016, Int. J. Inf. Manag..

[48]  Sanjay Goel,et al.  Shared Benefits and Information Privacy: What Determines Smart Meter Technology Adoption? , 2017, J. Assoc. Inf. Syst..

[49]  Tejaswini Herath,et al.  Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness , 2009, Decis. Support Syst..

[50]  Mikko T. Siponen,et al.  Six Design Theories for IS Security Policies and Guidelines , 2006, J. Assoc. Inf. Syst..

[51]  Andrea Estefania Vaca Herrera,et al.  National cyber-security policies oriented to BYOD (bring your own device): Systematic review , 2017, 2017 12th Iberian Conference on Information Systems and Technologies (CISTI).

[52]  Marko Sarstedt,et al.  Advanced Issues in Partial Least Squares Structural Equation Modeling , 2017 .

[53]  Joseph Amankwah-Amoah,et al.  Opening Editorial: Contemporary Business Risks: An Overview and New Research Agenda , 2019, Journal of Business Research.

[54]  E. Ramsey,et al.  Trust considerations on attitudes towards online purchasing: The moderating effect of privacy and security concerns , 2010 .

[55]  Rex B. Kline,et al.  Principles and Practice of Structural Equation Modeling , 1998 .

[56]  Mohammad Hossein Jarrahi,et al.  Personal artifact ecologies in the context of mobile knowledge workers , 2017, Comput. Hum. Behav..

[57]  Young U. Ryu,et al.  Self-efficacy in information security: Its influence on end users' information security practice behavior , 2009, Comput. Secur..

[58]  Detmar W. Straub,et al.  Diffusing the Internet in the Arab world: the role of social norms and technological culturation , 2003, IEEE Trans. Engineering Management.

[59]  Wenli Li,et al.  Understanding personal use of the Internet at work: An integrated model of neutralization techniques and general deterrence theory , 2014, Comput. Hum. Behav..

[60]  Malcolm Robert Pattinson,et al.  Assessing information security attitudes: a comparison of two studies , 2016, Inf. Comput. Secur..

[61]  Detmar W. Straub,et al.  Security lapses and the omission of information security measures: A threat control model and empirical test , 2008, Comput. Hum. Behav..

[62]  Norsaremah Salleh,et al.  Examining information disclosure behavior on social network sites using protection motivation theory, trust and risk , 2013 .

[63]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[64]  Michelle L. Kelley,et al.  Risky electronic communication behaviors and cyberbullying victimization: An application of Protection Motivation Theory , 2016, Comput. Hum. Behav..

[65]  Vincent Cho,et al.  A Study of BYOD adoption from the lens of threat and coping appraisal of its security policy , 2018, Enterp. Inf. Syst..

[66]  Jörg Henseler,et al.  Consistent Partial Least Squares Path Modeling , 2015, MIS Q..

[67]  M. Zedtwitz,et al.  Managing “forced” technology transfer in emerging markets: The case of China , 2019, Journal of International Management.

[68]  A. Graham Peace,et al.  Software Piracy in the Workplace: A Model and Empirical Test , 2003 .

[69]  Mikko T. Siponen,et al.  Motivating IS security compliance: Insights from Habit and Protection Motivation Theory , 2012, Inf. Manag..

[70]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[71]  Ilker Etikan,et al.  Comparison of Convenience Sampling and Purposive Sampling , 2016 .

[72]  Yajiong Xue,et al.  Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective , 2010, J. Assoc. Inf. Syst..

[73]  Robert LaRose,et al.  Understanding online safety behaviors: A protection motivation theory perspective , 2016, Comput. Secur..

[74]  R. Paternoster,et al.  Sanction threats and appeals to morality : Testing a rational choice model of corporate crime , 1996 .

[75]  Hsing K. Cheng,et al.  To Purchase or to Pirate Software: An Empirical Study , 1997, J. Manag. Inf. Syst..

[76]  Anat Hovav,et al.  Employees' Compliance with BYOD Security Policy: Insights from Reactance, Organizational Justice, and Protection Motivation Theory , 2014, ECIS.

[77]  Mohd Taufik Abdullah,et al.  A Review of Bring Your Own Device on Security Issues , 2015 .

[78]  Kelli D. Tomlinson An Examination of Deterrence Theory: Where Do We Stand? , 2016 .

[79]  Peter Dell,et al.  Impact of BYOD on organizational commitment: an empirical investigation , 2019, Inf. Technol. People.

[80]  Joni K. Adkins,et al.  Complying with BYOD Security Policies: A Moderation Model , 2018 .

[81]  SiponenMikko,et al.  Compliance with Information Security Policies , 2010 .

[82]  Marko Sarstedt,et al.  Partial least squares structural equation modeling (PLS-SEM): An emerging tool in business research , 2014 .

[83]  Nelson Oly Ndubisi,et al.  Factors of Online Learning Adoption: A Comparative Juxtaposition of the Theory of Planned Behaviour and the Technology Acceptance Model. , 2006 .

[84]  Ali Tarhini,et al.  Impact of individualism and collectivism over the individual's technology acceptance behaviour: A multi-group analysis between Pakistan and Turkey , 2015, J. Enterp. Inf. Manag..

[85]  U. Vignesh,et al.  Modifying Security Policies Towards BYOD , 2015 .

[86]  Gresham M. Sykes,et al.  Techniques of neutralization: A theory of delinquency. , 1957 .

[87]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[88]  Fredrik Karlsson,et al.  Inter-organisational information security: a systematic literature review , 2016, Inf. Comput. Secur..

[89]  W. Alec Cram,et al.  Organizational information security policies: a review and research framework , 2017, Eur. J. Inf. Syst..

[90]  I. Ajzen,et al.  Understanding Attitudes and Predicting Social Behavior , 1980 .

[91]  Juan Julián Merelo Guervós,et al.  Corporate security solutions for BYOD: A novel user-centric and self-adaptive system , 2015, Comput. Commun..

[92]  Pamela Baillette,et al.  Bring your own device in organizations: Extending the reversed IT adoption logic to security paradoxes for CEOs and end users , 2018, Int. J. Inf. Manag..

[93]  J. Gibbs Crime, punishment, and deterrence , 1975 .

[94]  Bin Yu,et al.  An instrument based on protection motivation theory to predict Chinese adolescents’ intention to engage in protective behaviors against schistosomiasis , 2016, Global Health Research and Policy.

[95]  Lynne M. Coventry,et al.  Costly but effective: Comparing the factors that influence employee anti-malware behaviours , 2018, Comput. Hum. Behav..

[96]  N. Kshetri Success of Crowd-Based Online Technology in Fundraising: An Institutional Perspective , 2015 .

[97]  Stephen Flowerday,et al.  Smartphone information security awareness: A victim of operational pressures , 2014, Comput. Secur..

[98]  Robert LaRose,et al.  Keeping our network safe: a model of online protection behaviour , 2008, Behav. Inf. Technol..

[99]  Rosalie L. Tung,et al.  Beyond Hofstede and GLOBE: Improving the quality of cross-cultural research , 2010 .

[100]  Patrícia Silva,et al.  THEORIES ABOUT TECHNOLOGY ACCEPENTACE: WHY THE USERS ACCEPT OR REJECT THE INFORMATION TECHNOLOGY? , 2008 .

[101]  Robert Willis,et al.  An examination of the gender gap in smartphone adoption and use in Arab countries: A cross-national study , 2018, Comput. Hum. Behav..

[102]  Maria Dolores C. Tongco,et al.  Purposive Sampling as a Tool for Informant Selection , 2007 .

[103]  Nima Zahadat,et al.  BYOD security engineering: A framework and its analysis , 2015, Comput. Secur..

[104]  A. Bandura Social Foundations of Thought and Action , 1986 .

[105]  Piyapong Janmaimool Application of Protection Motivation Theory to Investigate Sustainable Waste Management Behaviors , 2017 .

[106]  Riaan Rudman,et al.  Addressing the incremental risks associated with adopting Bring Your Own Device , 2018 .