We use coping theory to explore an underlying relationship between employee stress caused by burdensome, complex, and ambiguous information security requirements (termed "security-related stress" or SrS) and deliberate information security policy (ISP) violations. Results from a survey of 539 employee users suggest that SrS engenders an emotion-focused coping response in the form of moral disengagement from ISP violations, which in turn increases one's susceptibility to this behavior. Our multidimensional view of SrS (comprised of security-related overload, complexity, and uncertainty) offers a new perspective on the workplace environment factors that foster noncompliant user behavior and inspire cognitive rationalizations of such behavior. The study extends technostress research to the information systems security domain and provides a theoretical framework for the influence of SrS on user behavior. For practitioners, the results highlight the incidence of SrS in organizations and suggest potential mechanisms to counter the stressful effects of information security requirements.
Academics and practitioners alike recognize employees as a major threat to organizational information security efforts [14, 69]. To address this "insider" threat, organizations have devoted significant resources to behavioral security measures, such as policy development and education and training, in addition to continually updating their security technologies [54]. U.S. federal and state governments and certain industries have also introduced regulations and standards that mandate organizations' internal security measures [14]. Despite these initiatives, a class of employee security-related behaviors known as volitional (but not malicious) information security policy (ISP) violations [27, 71] (e.g., password sharing, failing to log off when leaving workstation) continues to plague organizations. At least some explanation for this predicament is that employees face a surfeit of rapidly expanding security requirements (i.e., policies, procedures, and technical controls), which they find to be constraining, inconvenient, and difficult to understand [51, 53, 69]. Evidence of this comes from a recent survey of over 2,800 employees [16] in which "too busy to think about policies" and "policies are inconvenient to follow" were reported as chief reasons for ISP violations. Some authors have suggested that security requirements can backfire and bring about security-diminishing behavior due to the demands (e.g., time, effort, frustration) they impose on employees [51, 60, 64]. Although there is preliminary evidence to support this notion [51], the information systems (IS) literature lacks a systematic, theory-driven investigation of the potential adverse effects of organizational information security requirements (hereafter security requirements) on user behavior. A goal of this paper is to address this gap.

Against this backdrop, we offer a new avenue for understanding employees' ISP violations, namely, workplace ...