Introduction
The behavior of insiders is regarded as an important source of information security emergencies (Willison & Warkentin, 2013). The International Business Machines Corporation (IBM) X-Force Threat Intelligence Index (2018) found that most information security incidents result from misconfigurations, phishing victimization, use of weak passwords, unsecured personal devices, and storage of authentication credentials in open repositories (International Business Machines Corporation, 2018). The Ernst & Young Global Information Security Survey 2017–18 reported that 77% of the respondents were worried about poor user awareness and behaviors that might expose them to risk via a mobile device (Ernst & Young, 2017).
Information security policy is considered to be “employees’ roles and responsibilities in complying with standards for using the information and technology resources of their organizations” (Han et al., 2017, p. 53). It is formulated by an organization to restrict the information security behavior of insiders. Whether the policies are effective in alleviating information security problems depends on the information security policy compliance (ISPC) of employees. Deterrence theory (D’Arcy et al., 2009; Siponen & Vance, 2010), the theory of planned behavior (Hong & Furnell, 2019; Sommestad et al., 2017), protection motivation theory (Thompson et al., 2017; Tsai et al., 2016; Warkentin et al., 2016), neutralization theory (Siponen & Vance, 2010), the health belief model (Ng et al., 2009), the theory of reasoned action (Bulgurcu et al., 2010), and other theories have been used to explain the formation mechanism of employees’ ISPC (Moody et al., 2018).
However, many existing studies explore the effect of fear appeals on ISPC (Orazi et al., 2019). Studies that consider positive factors as predictors of ISPC are limited, except those using efficacy, which is included in theories such as the theory of planned behavior and protection motivation theory. Positive psychology was considered to promote positive organizational behaviors and better job performance (Baron & Bronfen, 1994; Organ & Ryan, 1995; Williams & Shiaw, 1999). It is an important complement to the research of information security (Burns et al., 2017). For example, D’Arcy and Lowry (2019) found that positive affection can impact the decision-making process of compliance behavior, and Burns et al. (2017) found that psychological capital (hope, optimism, resilience, and self-efficacy) can promote protective motivation for information security. Job satisfaction is one such type of positive psychology.