![Sample our Information Science journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5940/TOC-Subject-Sample-2021-Communication-Studies.jpg"})
Abstract
Insiders may act to sustain and improve organizational information security, yet our knowledge of what motivates them to do so remains limited. For example, most extant research relies on mere portions of protection motivation theory (PMT) and has focused on isolated behaviors, thus limiting the generalizability of findings to isolated issues, rather than addressing the global set of protective security behaviors. Here, we investigate the motivations surrounding this larger behavioral set by assessing maladaptive rewards, response costs, and fear alongside traditional PMT components. We extend PMT by showing that: (1) security education, training, and awareness (SETA) efforts help form appraisals; (2) PMT’s applicability to organizational rather than personal contexts depends on insiders’ organizational commitment levels; and (3) response costs provide the link between PMT’s appraisals. We show in detail how organizational commitment is the mechanism through which organizational security threats become personally relevant to insiders and how SETA efforts influence many PMT-based components.
Acknowledgment
The authors would like to express their sincere appreciation for the funding provided by the U.S. Department of Defense Personnel Security Research Center (PERSEREC) in Monterey, California, under BAA 04-01-MT-FH. The content of this manuscript does not necessarily reflect the position or the policy of any government, and no official endorsement should be inferred.
Supplemental File
Supplemental data for this article can be accessed on the publisher’s website at http://dx.doi.org/10.1080/07421222.2015.1138374
Notes
1. We note that other research exists on similar topics, such as identification and internalization; however, the three-component view of organizational commitment developed in [Citation62] is the most widely evaluated model of employees’ connections and personal affiliations with organizations [Citation2, Citation66].
2. Prior to the collection of data regarding perceptions of information security threats, potential responses, and other PMT-based constructs, respondents were asked to read a short statement about types of security threats and to reflect on their and others’ previous experiences with them in workplaces: “You will be asked a series of questions regarding information security threats in your organization. Organizations face many threats to information, including but not limited to spyware and malware, external hackers attempting to gain access to databases housing important data, and even coworkers who for one reason or another choose to use their access for malicious purposes. Accordingly, no organization is completely immune to these threats. We ask you to think about these threats as well as any previous experiences you or those around you have had with these dangers as you respond to the following set of questions.”
3. Because we used the MLR estimator in Mplus, the statistics listed (e.g., the scaling correction factors) allow us to assess differences in χ2 scores via the Bryant and Satorra [Citation10] approach.
4. Some research indicates that previously performed behaviors may be used as a substitute for behaviors, which would occur in the future; however, much research is needed to determine the validity of these arguments, and for this purpose in an organizational information security context, we provide Appendix 3 [online supplemental data].
Additional information
Notes on contributors
Clay Posey
Clay Posey (corresponding author; [email protected]) is an assistant professor of management information systems in the Culverhouse College of Commerce at the University of Alabama. He received his DBA from Louisiana Tech University. His research interests include behavioral information security, online self-disclosure, and research methods. His research has been presented at various conferences and has been published or is forthcoming in Journal of Management Information Systems, MIS Quarterly, European Journal of Information Systems, Information Systems Journal, and others. He is an associate editor of Information and Management.
Tom L. Roberts
Tom L. Roberts is professor of information systems and department chair for Computer Science at the College of Business and Technology at the University of Texas at Tyler. He received his MBA and Ph.D. in information systems from Auburn University. He has published over 40 refereed journal articles and book chapters and has delivered over 60 conference presentations. His work has been published in Journal of Management Information Systems, MIS Quarterly, Journal of the AIS, Information Systems Journal, European Journal of Information Systems, and other venues.
Paul Benjamin Lowry
Paul Benjamin Lowry is a full professor of information systems in the Department of Information Systems, City University of Hong Kong. He received his Ph.D. in management information systems from the University of Arizona and an MBA from the Marriott School of Management. His research interests include organizational and behavioral security/privacy issues; human–computer interaction and decision sciences; e-commerce and supply chains; and scientometrics. He has published over 80 journal papers in Information Systems Research, Journal of Management Information Systems, MIS Quarterly, Journal of the AIS, and many others. He is a senior editor of Decision Sciences Journal and AIS-Transactions on Human-Computer Interaction and serves as an AE at EJIS, I & M, and CAIS, as well as chairs security and privacy tracks at leading information systems conferences.