Investigating Employee Engagement in Nonmalicious, End-user Computing and Information Security Deviant Behavior

Nonmalicious, end-user computing and information security deviant behavior (NECISDB) (e.g., pasting or sticking computer passwords on office desks, downloading unauthorized software onto work computer) are a major concern to organizations. This study used Social Cognitive Theory, in particular, a simplified version of its core the triadic reciprocal determinism to investigate effects of relevant socioorganizational and personal cognitive factors (e.g., organizational facilitators, observational learning/modeling, and self-efficacy) on employee engagement in NECISDB. Survey data was collected from 411 professionals in two European Union countries. Relevant hypotheses were formulated and tested. Results reveal that self-efficacy and its joint effect with self-regulation have negative effects on NECISDB engagement intentions. Although observational learning/modeling does not influence NECISDB intentions directly, it does have an indirect effect through self-efficacy. Organizational facilitators, e.g., awareness training and its joint effect with observational learning/modeling did not influence NECISDB intentions. Intentions are positively linked to self-reported engagement in NECISDB.

[1]  Princely Ifinedo,et al.  Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition , 2014, Inf. Manag..

[2]  Michel Tenenhaus,et al.  PLS path modeling , 2005, Comput. Stat. Data Anal..

[3]  Mikko T. Siponen,et al.  Using the theory of interpersonal behavior to explain non-work-related personal use of the Internet at work , 2013, Inf. Manag..

[4]  Houston H. Carr,et al.  Threats to Information Systems: Today's Reality, Yesterday's Understanding , 1992, MIS Q..

[5]  Catherine E. Connelly,et al.  Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model , 2011, J. Manag. Inf. Syst..

[6]  A. Bandura Social Foundations of Thought and Action: A Social Cognitive Theory , 1985 .

[7]  Kuang-Wei Wen,et al.  Organizations' Information Security Policy Compliance: Stick or Carrot Approach? , 2012, J. Manag. Inf. Syst..

[8]  Scott B. MacKenzie,et al.  Common method biases in behavioral research: a critical review of the literature and recommended remedies. , 2003, The Journal of applied psychology.

[9]  Princely Ifinedo,et al.  Roles of Organizational Climate, Social Bonds, and Perceptions of Security Threats on IS Security Policy Compliance Intentions , 2018, Inf. Resour. Manag. J..

[10]  Mo Adam Mahmood,et al.  Employees' Behavior towards IS Security Policy Compliance , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[11]  N. Kock Common Method Bias in PLS-SEM: A Full Collinearity Assessment Approach , 2015, Int. J. e Collab..

[12]  Qing Hu,et al.  Does deterrence work in reducing information security policy abuse by employees? , 2011, Commun. ACM.

[13]  Princely Ifinedo,et al.  End user nonmalicious, counterproductive computer security behaviors: concept, development, and validation of an instrument , 2019, Secur. Priv..

[14]  Merrill Warkentin,et al.  Behavioral and policy issues in information systems security: the insider threat , 2009, Eur. J. Inf. Syst..

[15]  E. Deci,et al.  Motivational predictors of weight loss and weight-loss maintenance. , 1996, Journal of personality and social psychology.

[16]  Jeffrey M. Stanton,et al.  Analysis of end user security behaviors , 2005, Comput. Secur..

[17]  Claudia van Oppen,et al.  USING PLS PATH MODELING FOR ASSESSING HIERARCHICAL CONSTRUCT MODELS : GUIDELINES AND EMPIRICAL , 2022 .

[18]  Patrick Y. K. Chau,et al.  Development and validation of instruments of information security deviant behavior , 2014, Decis. Support Syst..

[19]  Victor Corral-Verdugo,et al.  DUAL ‘REALITIES’ OF CONSERVATION BEHAVIOR: SELF-REPORTS VS OBSERVATIONS OF RE-USE AND RECYCLING BEHAVIOR , 1997 .

[20]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[21]  Marilyn E. Gist,et al.  Self-Efficacy: Implications for Organizational Behavior and Human Resource Management , 1987 .

[22]  A. Bandura Social cognitive theory of self-regulation☆ , 1991 .

[23]  Yufei Yuan,et al.  The effects of multilevel sanctions on information security violations: A mediating model , 2012, Inf. Manag..

[24]  Mark A. Griffin,et al.  Interaction Between Individuals and Situations: Using HLM Procedures to Estimate Reciprocal Relationships , 1997 .

[25]  Teodor Sommestad,et al.  Variables influencing information security policy compliance: A systematic review of quantitative studies , 2014, Inf. Manag. Comput. Secur..

[26]  Detmar W. Straub,et al.  Specifying Formative Constructs in Information Systems Research , 2007, MIS Q..

[27]  Fred D. Davis,et al.  Developing and Validating an Observational Learning Model of Computer Software Training and Skill Acquisition , 2003, Inf. Syst. Res..

[28]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[29]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[30]  Albert Bandura,et al.  SOCIAL COGNITIVE THEORY OF SELF-REGULATION ORGANIZATIONAL BEHAVIOR , 1997 .

[31]  P. Sheeran,et al.  Does changing behavioral intentions engender behavior change? A meta-analysis of the experimental evidence. , 2006, Psychological bulletin.

[32]  Andy Jones Catching the malicious insider , 2008, Inf. Secur. Tech. Rep..

[33]  B. Zimmerman,et al.  Influencing Children's Self-Efficacy and Self-Regulation of Reading and Writing Through Modeling , 2007 .