Understanding Employee Responses to Stressful Information Security Requirements: A Coping Perspective

Journal of Management Information Systems

Volumn 31, Issue 2, 2014, Pages 285-318

  D'Arcy, John ^a   Herath, Tejaswini ^b   Shoss, Mindy K ^c  

^a UNIVERSITY OF DELAWARE   (United States)

^b BROCK UNIVERSITY   (Canada)

^c SAINT LOUIS UNIVERSITY   (United States)

Author keywords

coping theory; ethical orientation; information security; moral disengagement theory; sanctions; security compliance; security policies; security policy violation; social cognitive theory; technostress; workplace stress

Indexed keywords

BEHAVIORAL RESEARCH; CRYPTOGRAPHY; PERSONNEL; SECURITY OF DATA; SECURITY SYSTEMS;

COPING THEORY; MORAL DISENGAGEMENT THEORY; SANCTIONS; SECURITY COMPLIANCE; SECURITY POLICY; SOCIAL COGNITIVE THEORY; TECHNOSTRESS; WORKPLACE STRESS;

INTERACTIVE COMPUTER SYSTEMS;

EID: 84926419890     PISSN: 07421222     EISSN: 1557928X     Source Type: Journal    
DOI: 10.2753/MIS0742-1222310210     Document Type: Article

References (74)

1. Alge, B. J. Effects of computer surveillance on perceptions of privacy and procedural justice. Journal of Applied Psychology, 86, 4 (2001), 797-804.
2. Alnuaimi, O. A.; Robert, L. P.; and Maruping, L. M. Team size, dispersion, and social loafing in technology-supported teams: A perspective on the theory of moral disengagement. Journal of Management Information Systems, 27, 1 (Summer 2010), 203-230.
3. Anderson, C. L., and Agarwal, R. Practicing safe computing: A multimedia empirical examination of home computer user security behavioral intentions. MIS Quarterly, 34, 3, (2010), 613-643.
4. Ayyagari, R.; Grover, V.; and Purvis, R. Technostress: Technological antecedents and implications. MIS Quarterly, 35, 4 (2011), 831-858.
5. Bandura, A. Social Foundations of Thought and Action: A Social Cognitive Theory. Englewood Cliffs, NJ: Prentice Hall, 1986.
6. Bandura, A. Social cognitive theory of moral thought and action. In W. M. Kurtines and J. L. Gewitz (eds. ), Handbook of Moral Behavior and Development, vol. 1. Hillsdale, NJ: Lawrence Erlbaum, 1991, pp. 45-103.
7. Bandura, A.; Barbaranelli, C.; Caprara, G. V.; and Pastorelli, C. Mechanisms of moral disengagement in the exercise of moral agency. Journal of Personality and Social Psychology, 71, 2 (1996), 364-374.
8. Barnes, C. M.; Schaubroeck, J.; Huth, M.; and Ghumman, S. Lack of sleep and unethical conduct. Organizational Behavior and Human Decision Processes, 115, 2 (2011), 169-180.
9. Batson, C. D., and Thompson, E. R. Why don't people act morally? Motivational considerations. Current Directions in Psychological Science, 10, 2 (2001), 54-57.
10. Bazerman, M. H., and Tenbrunsel, A. E. Blind Spots: Why We Fail to Do What's Right and What to Do About It. Princeton: Princeton University Press, 2011.
11. Beaudry, A., and Pinsonneault, A. Understanding user responses to information technology: A coping model of user adaptation. MIS Quarterly, 29, 3 (2005), 493-524.
12. Beautement, A.; Sasse, M. A.; and Wonham, M. The compliance budget: Managing security behavior in organizations. In Proceedings of the 2008 Workshop on New Security Paradigms. New York: ACM Press, 2008, pp. 47-58.
13. Bulgurcu B.; Cavusoglu, H.; and Benbasat, I. Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34, 3 (2010), 523-548.
14. Chen, Y.; Ramamurthy, K.; and Wen, K.-W. Organizations' information security policy compliance: Stick or carrot approach? Journal of Management Information Systems, 29, 3 (Winter 2012-13), 157-188.
15. Christ, M. H.; Sedatole, K. L.; Towry, K. L.; and Thomas, M. A. When formal controls undermine trust and cooperation. Strategic Finance, 89, 7 (2010), 39-44.
16. Cisco Systems. 2011 Cisco connected world technology report. San Jose, CA, 2011.
17. Crawford, E. R.; LePine, J. A.; and Rich, B. L. Linking job demands and resources to employee engagement and burnout: A theoretical extension and meta-analytic test. Journal of Applied Psychology, 95, 5 (2010), 834-848.
18. Crossler, R. E.; Johnston, A. C.; Lowry, P. B.; Hu, Q.; Warkentin, M.; and Baskerville, R . Future directions for behavioral information security research. Computers & Security, 32, 1 (2013), 90-101.
19. D'Arcy, J., and Devaraj, S. Employee misuse of information technology resources: Testing a contemporary deterrence model. Decision Sciences, 43, 6 (2012), 1091-1124.
20. D'Arcy, J.; Hovav, A.; and Galletta, D. G. User awareness of security countermeasures and its impact on information systems misuse: A deterrence perspective. Information Systems Research, 20, 1 (2009), 79-98.
21. Detert, J. R.; Trevino, L. K.; and Sweitzer, V. L. Moral disengagement in ethical decision making: A study of antecedents and outcomes. Journal of Applied Psychology, 93, 2 (2008), 374-391.
22. Duffy, M. K.; Scott, K. L.; Shaw, J. D.; Tepper, B. J.; and Aquino, K. A social context model of envy and social undermining. Academy of Management Journal, 55, 3 (2012), 643-666.
23. Fadel, K. J., and Brown, S. A. Information systems appraisal and coping: The role of user perceptions. Communications of the Association for Information Systems, 26, 6 (2010), 107-126.
24. Forsyth, D. R. A taxonomy of ethical ideologies. Journal of Personality and Social Psychology, 39, 1 (1980), 175-184.
25. Gilboa, S.; Shirom, A.; Fried, Y.; and Cooper, G. A meta-analysis of work demand stressors and job performance: Examining main and moderating effects. Personnel Psychology, 61, 2 (2008), 227-271.
26. Goel, S., and Chengalur-Smith, I. N. Metrics for characterizing the form of security policies. Journal of Strategic Information Systems, 19, 4 (2010), 281-295.
27. Guo, K. H.; Yuan, Y.; Archer, N. P.; and Connelly, C. E. Understanding non-malicious security violations in the workplace: A composite behavior model. Journal of Management Information Systems, 28, 2 (Fall 2011), 203-236.
28. Hays, R. D.; Hayashi, T.; and Stewart, A. L. A five-item measure of socially desirable response set. Educational and Psychological Measurement, 49, 3 (1989), 629-637.
29. Herath, T., and Rao, H. R. Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18, 2 (2009), 106-125.
30. Herath, T.; Chen, R.; Wang, J.; Banjara, K.; Wilbur, J.; and Rao. H. R. Security services as coping mechanisms: An investigation into user intention to adopt an email authentication service. Information Systems Journal, 24, 1 (2014), 61-84.
31. Hobfoll, S. E. Conservation of resources. American Psychologist, 44, 3 (1989), 513-524.
32. Hu, Q.; Dinev, T.; Hart, P.; and Cooke, D. Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sciences, 43, 4 (2012), 615-660.
33. Hu, Q.; Zhengchuan, X.; Dinev, T.; and Ling, H. Does deterrence work in reducing information security policy abuse by employees? Communications of the ACM, 54, 6 (2011), 54-60.
34. Jarvis, C. B.; MacKenzie, S. B.; and Podsakoff, P. M. A critical review of construct indicators and measurement model misspecification in marketing and consumer research. Journal of Consumer Research, 30, 2 (2003), 199-218.
35. Kish-Gephart, J. J.; Harrison, D. A.; and Trevino, L. K. Bad apples, bad cases, and bad barrels: Meta-analytic evidence about sources of unethical decisions at work. Journal of Applied Psychology, 95, 1 (2010), 1-31.
36. Kwon, J., and Johnson, M. E. Healthcare security strategies for information security and regulatory compliance. Journal of Management Information Systems, 30, 2 (Fall 2013), 41-66.
37. Lazarus, R. S. Psychological Stress and the Coping Process. New York: McGraw-Hill, 1966.
38. Lazarus, R. S., and Folkman, S. Stress, Appraisal, and Coping. New York: Springer, 1984.
39. LePine, J. A.; Podsakoff, N. P.; and LePine, M. A. A meta-analytic test of the challenge stressor-hindrance stressor framework: An explanation for inconsistent relationships among stressors and performance. Journal of Applied Psychology, 48, 5 (2005), 764-775.
40. Li, H.; Zhang, J.; and Sarathy, R. Understanding compliance with Internet use policy from the perspective of rational choice theory. Decision Support Systems, 48, 4 (2010), 635-645.
41. Liang, H., and Xue, Y. Avoidance of information technology threats: A theoretical perspective. MIS Quarterly, 33, 1 (2009), 71-90.
42. Lim, V. K. G. The IT way of loafing on the job: Cyberloafing, neutralizing, and organizational justice. Journal of Organizational Behavior, 23, 5 (2002), 675-694.
43. MacKenzie, S. B.; Podsakoff, P. M.; and Podsakoff, N. P. Construct measurement and validation procedures in MIS and behavioral research: Integrating new and existing techniques. MIS Quarterly, 35, 2 (2011), 293-334.
44. Moore, C.; Detert, J. R.; Trevino, L. K.; Baker, V. I.; and Mayer, D. M. Why employees do bad things: Moral disengagement and unethical organizational behavior. Personnel Psychology, 65, 1 (2012), 1-48.
45. Nelson, D., and Kletke, M. G. Individual adjustment during technological innovation: A research framework. Behavior and Information Technology, 9, 4 (1995), 257-271.
46. Paternoster, R., and Simpson, S. Sanction threats and appeals to morality: Testing a rational choice model of corporate crime. Law & Society Review, 30, 3 (1996), 549-584.
47. Pearsall, M. J.; Ellis, A. P. J.; and Steinm, J. H. Coping with challenge and hindrance stressors in teams: Behavioral, cognitive, and affective outcomes. Organizational Behavior and Human Decision Processes, 109, 1 (2009), 18-28.
48. Perrewe, P. L., and Zellars, K. L. An examination of attributions and emotions in the transactional approach to organizational stress process. Journal of Organizational Behavior, 20, 5 (1999), 739-752.
49. Podsakoff, N. P.; LePine, J. A.; and LePine, M. A. Differential challenge stressor-hindrance stressor relationships with job attitudes, turnover intentions, turnover, and withdrawal behavior: A meta-analysis. Journal of Applied Psychology, 92, 2 (2007), 438-454.
50. Podsakoff, P. M.; MacKenzie, S. B.; Lee, J. Y.; and Podsakoff, N. P. Common method biases in behavioral research: A critical review of the literature and recommended remedies. Journal of Applied Psychology, 88, 5 (2003), 879-903.
51. Posey, C.; Bennett, R. J.; and Roberts, T. L. Understanding the mindset of the abusive insider: An examination of insiders' causal reasoning following internal security changes. Computers & Security, 30, 6 (2011), 486-497.
52. Posey, C.; Bennett, R. J.; Roberts, T. L.; and Lowry, P. B. When computer monitoring backfires: Privacy invasions and organizational injustice as precursors to computer abuse. Journal of Information Systems Security, 7, 1 (2011), 24-47.
53. Post, G. V., and Kagan, A. Evaluating information security tradeoffs: Restricting access can interfere with user tasks. Computers & Security, 26, 3 (2007), 229-237.
54. PricewaterhouseCoopers. Global State of Information Security survey 2013. New York, 2013.
55. Puhakainen, P., and Siponen, M. Improving employees' compliance through information systems security training: An action research study. MIS Quarterly, 34, 4 (2010), 757-778.
56. Ragu-Nathan, T. S.; Tarafdar, M.; and Ragu-Nathan, B. S. The consequences of technostress for end users in organizations: Conceptual development and empirical validation. Information Systems Research, 19, 4 (2008), 417-433.
57. Rodell, J. B., and Judge, T. A. Can "good" stressors spark "bad" behaviors? The mediating role of emotions in links of challenge and hindrance stressors with citizenship and counterproductive behaviors. Journal of Applied Psychology, 94, 6 (2009), 1438-1451.
58. Shalvi, S.; Eldar, O.; and Bereby-Meyer, Y. Honesty requires time (and lack of justifications). Psychological Science, 23, 10 (2012), 1264-1270.
59. Shu, L. L.; Gino, F.; and Bazerman, M. H. Dishonest deed, clear conscience: When cheating leads to moral disengagement and motivated forgetting. Personality and Social Psychology Bulletin, 37, 3 (2011), 330-349.
60. Siponen, M. Critical analysis of different approaches to minimizing user-related faults in information systems security: Implications for research and practice. Information Management & Computer Security, 8, 5 (2000), 197-209.
61. Siponen, M., and Vance, A. Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34, 3 (2010), 487-502.
62. Siponen, M., and Vance, A. Guidelines for improving the contextual relevance of field surveys: The case of information security policy violations. European Journal of Information Systems, 23, 3 (2014), 289-305.
63. Spears, J. L., and Barki, H. User participation in information systems security risk management. MIS Quarterly, 34, 3, (2010), 503-522.
64. Stanton, J. M., and Stam, K. R. The Visible Employee: Using Workplace Monitoring and Surveillance to Protect Information Assets-Without Compromising Employee Privacy or Trust. Medford, NJ: Information Today, 2006.
65. Suter, R. S., and Hertwig, R. Time and moral judgment. Cognition, 119, 3 (2011), 454-458.
66. Sykes, G., and Matza, D. Techniques of neutralization: A theory of delinquency. American Sociological Review, 22, 6 (1957), 664-670.
67. Tarafdar, M.; Tu, Q.; and Ragu-Nathan, T. S. Impact of technostress on end-user satisfaction and performance. Journal of Management Information Systems, 27, 3 (Winter 2010-11), 303-334.
68. von Hirsch, A.; Bottoms, A. E.; Burney, E.; and Wikstromm P.-O. Criminal Deterrence and Sentence Severity: An Analysis of Recent Research. Oxford: Hart, 1999.
69. Wall, D. S. Organizational security and the insider threat: Malicious, negligent, and wellmeaning insiders. Symantec Research Report, Mountain View, CA, 2011.
70. Warkentin, M.; Johnston, A. C.; and Shropshire, J. The influence of the informal social learning environment on information privacy policy compliance efficacy and intention. European Journal of Information Systems, 20, 3 (2011), 267-284.
71. Willison, R., and Warkentin, M. Beyond deterrence: An expanded view of employee computer abuse. MIS Quarterly, 37, 1 (2013), 1-20.
72. Wright, R. T.; Campbell, D. E.; Thatcher, J. B.; and Roberts, N. Operationalizing multidimensional constructs in structural equation modeling: Recommendations for IS research. Communications of the Association for Information Systems, 30, 23 (2012), 367-412.
73. Young, R.; Zhang, L.; and Prybutok, V. R. Hacking into the minds of hackers. Information Systems Management, 24, 4 (2007), 281-287.
74. Zhao, X.; Xue, L.; and Whinston, A. Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements. Journal of Management Information Systems, 30, 1 (Summer 2013), 123-152.