Article Preview
TopIntroduction
The numbers of information system (IS) security incidents continue to rise as do the recovery costs (Ponemon, 2017; Vormetric, 2016). The employee is known to be the weakest link in the efforts to protect organizational data assets. Although practitioners and academic researchers are focusing their attention to strengthen that link (Kolkowska, Karlsson, & Hedström, 2017; Moody, Siponen, & Pahnila, 2018; Sharp, 2017; Sophos, 2017), employees continue to be the most commonly identified offender of security incidents (PwC, 2014). Ernst and Young (EY) reported that 73% of all organizations are concerned that their employees possess poor security awareness (EY, 2016), and that 57% of all attacks against an organization’s data assets were perpetrated by employees. Interestingly, the underlying causes of 38% of those attacks were due to employee mistakes or poor understanding of protective behaviors (EY, 2014).
In the workplace, controls restrict employee behaviors, guiding them and at times forcing them to perform secure actions. However, as many as 43% of individuals working in the U.S. spend some of their time working remotely (Chokshi, 2017). During such times, individuals often have discretionary control regarding decisions about security. These individuals must make their own choices about whether or not to use antivirus software, whether or not to regularly back up data, which websites to visit, which emails to open, whether or not to patch (update) their software, and so on. Further, because work systems are often being accessed from an employee’s home, using their personally owned and controlled devices, the choices they make may pose serious risks to the organization. Many organizations are implementing bring your own device (BYOD) programs, allowing employees to use their personal mobile devices for work purposes (Lee, Warkentin, Crossler, & Otondo, 2016). Those personal devices will likely hold organizational data but may be used anywhere and will be primarily managed by the employee. Last, as much as 20% of U.S. workforce is made of contract employees (Noguchi, 2018), and the perceptions held by these individuals about information security compliance may differ due to their non-full-time employee status (Sharma & Warkentin, 2018). Regardless, in all such cases – individuals engage in choices regarding workplace information security. For this reason, there is an important need for researchers and security professionals to examine and understand individual secure behaviors (Anderson & Agarwal, 2010; Hanus & Wu, 2016; Liang & Xue, 2010; Talib, Clarke, & Furnell, 2010; Tsai et al., 2016).