Clay Posey

• Doctor of Business Administration
• Professor (Associate) at Brigham Young University

Whether malicious or not, employees’ actions can have significant and detrimental outcomes for their organizations. Such is the case in organizational cybersecurity, as many issues stem from trusted individuals who have access to sensitive data, information, and systems. We explore the phenomenon of employees’ security violations in the context of...

Reports indicate that employees are willing to share sensitive information under certain circumstances, and one-third to half of security breaches are tied to insiders. These statistics reveal that organizational security efforts, which most often rely on deterrence-based sanctions to address the insider threats to information security, are insuffi...

Despite widespread agreement among practitioners and academicians that organizational insiders are a significant threat to organizational information systems security, insider computer abuse (ICA)-unauthorized and deliberate misuse of organizational information resources by organizational insiders-remains a serious issue. Recent studies have shown...

Cybersecurity is an ever-present problem for organizations, but organizational science has barely begun to enter the arena of cybersecurity research. As a result, the “human factor” in cybersecurity research is much less studied than its technological counterpart. The current manuscript serves as an introduction and invitation to cybersecurity rese...

To better understand employees’ reporting behaviors in relation to phishing emails, we gamified the phishing security awareness training process by creating and conducting a month-long “Phish Derby” competition at a large university in the U.S. The university’s Information Security Office challenged employees to prove they could detect phishing ema...

PURPOSE – The purpose of this study was to investigate the impact of two-way, computer-mediated communication on investigator perceptions of whistleblower credibility. DESIGN/METHODOLOGY/APPROACH – Investigators were recruited to participate in an online experiment that tasked subjects with evaluating simulated two-way, computer-mediated communicat...

The protection of organizational information and information systems (IS) is a socio-technical issue and requires insiders take on a more proactive set of security roles. Accordingly, we contend that insiders' abilities to enact these diverse information security roles can be explained by behavioral complexity theory. Adapted to the security contex...

Organizational cybersecurity efforts depend largely on the employees who reside within organizational walls. These individuals are central to the effectiveness of organizational actions to protect sensitive assets, and research has shown that they can be detrimental (e.g., sabotage and computer abuse) as well as beneficial (e.g., protective motivat...

Within the field of organizational cybersecurity, much attention has been given to insider compliance and non-compliance with the information security policies (ISPs) set forth by their organizations. Most of these efforts apply theoretical foundations based on self-interest, personal incentive, and cost-benefit calculations to explain compliance a...

It is well recognized that individuals within organizations represent a significant threat to information security as they are both common targets of external attackers and can be sources of malicious behavior themselves. Notwithstanding these facts, one additional aspect of human influence in the security domain is largely overlooked: the role of...

It is well recognized that individuals within organizations represent a significant threat to information security as they are both common targets of external attackers and can be sources of malicious behavior themselves. Notwithstanding these facts, one additional aspect of human influence in the security domain is largely overlooked: the role of...

Protecting organizational information is a top priority for most firms. This reality, coupled with the fact that organizational insiders control much of their organizations' valuable information, has led both researchers and practitioners to acknowledge the importance of insiders' behavior for information security (InfoSec). Until recently, researc...

In contemporary organizations, the protection of an organization's information assets is reliant on the behavior of those entrusted with access to organizational information and information systems (IS). Because of this reliance, organizations increasingly prioritize the training and education of employees through security education, training, and...

Many organisations create, store, or purchase information that links individuals’ identities to other data. Termed personally identifiable information (PII), this information has become the lifeblood of many firms across the globe. As organisations accumulate their constituencies’ PII (e.g. customers’, students’, patients’, and employees’ data), in...

Despite individuals’ and organizations’ best efforts, many significant information security threats exist. To alleviate these threats, researchers and policy makers have proposed new digital environments called identity ecosystems. These ecosystems would provide protection against attackers in that a third party intermediary would need to authentic...

The management of information security can be conceptualized as a complex adaptive system because the actions of both insiders and outsiders co-evolve with the organizational environment, thereby leading to the emergence of overall security of informational assets within an organization. Thus, the interactions among individuals and their environmen...

Practitioners and researchers alike recognize the positive influence insiders’ behavior can have on information systems (IS) security. This awareness has resulted in a research stream focused on the performance of protective behaviors. We contribute to this research stream by extending an oft-cited theory in the information security literature—prot...

For human resource (HR) departments, screening job applicants is an integral role in acquiring talent. Many HR departments have begun to turn to social networks to better understand job candidates’ character. Using social networks as a screening tool might provide insights not readily available from resumes or initial interviews. However, requiring...

Insiders may act to sustain and improve organizational information security, yet our knowledge of what motivates them to do so remains limited. For example, most extant research relies on mere portions of protection motivation theory (PMT) and has focused on isolated behaviors, thus limiting the generalizability of findings to isolated issues, rath...

Insiders may act to sustain and improve organizational information security, yet our knowledge of what motivates them to do so remains limited. For example, most extant research use portions of protection motivation theory (PMT) and have relied on isolated behaviors thus limiting the generalizability of findings to single artifacts rather than the...

Research shows that organisational efforts to protect their information assets from employee security threats do not always reach their full potential and may actually encourage the behaviours they attempt to thwart, such as reactive computer abuse (CA). To better understand this dilemma, we use fairness theory (FT) and reactance theory (RT) to exp...

Organizational success in the digital age is largely dependent upon the ability to collect, manage, and transfer proprietary information. Given this knowledge economy, it is no exaggeration to say that the protection of sensitive information is a top priority for most firms. However, achieving information security is complicated by the increased ac...

information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder. This version of the referenced work is the post-print version of the article—it is NOT the final published version nor the corrected proofs. If yo...

Organizational insiders have considerable influence on the effectiveness of information security efforts. However, most research conducted in this area fails to examine what these individuals believe about organizational security efforts. To help bridge this gap, this study assesses the mindset of insiders regarding their relationship with informat...

Protecting information from a variety of security threats is a daunting organizational activity. Organizational managers must recognize the roles that organizational insiders have in protecting information resources rather than solely relying upon technology to provide this protection. Unfortunately, compared to negative insider behaviors, the exta...

Formative measurement is a valuable alternative to reflective measurement when developing indicators of latent variables in structural equation models (SEM). Our goal is to further guide IS research in the application of formative measures by comparing the two dominant analysis techniques: component-(e.g., partial least squares -PLS) and covariance...

Computer abuse (CA) by employees is a critical concern for managers. Misuse of an organization’s information assets leads to costly damage to an organization’s reputation, decreases in sales, and impositions of fines. We use this opportunity to introduce and expand the theoretical framework proffered by Thong and Yap (1998) to better understand the...

Employees can have a profound, detrimental influence on information security that costs organizations billions of U.S. dollars annually. As a result, organizations implement stringent security controls, which can inadvertently foster the behaviors that they are designed to deter. This research attempts to understand this phenomenon of increased int...

This research investigates the factors that motivate employees to protect their organizations from information security threats via protection-motivated behaviors (PMBs). A model founded on Protection Motivation Theory (PMT) and several rival explanations is assessed using data from 380 employees from a wide variety of industries in the U.S. Severa...

Practically all supply chains operate under conditions of uncertainty. To mitigate this uncertainty and increase performance, organizations within chains exchange information to achieve operational cohesion. However, as some researchers have noted, some supply chains benefit more from increased levels of information sharing than others (e.g. Cachon...

This manuscript examines the unintended consequences that organizational computer monitoring can foster within the firm. We apply justice and reactance theories to explain why monitoring can actually increase the occurrence of detrimental organizational behaviors. Our model suggests monitoring activities that invade employees’ privacy lead to perce...

Protecting information from a wide variety of security threats is an important and sometimes daunting organizational activity. Instead of relying solely on technological advancements to help solve human problems, managers within firms must recognize and understand the roles that organizational insiders have in the protection of information (Choobin...

The global use of online communities has exploded to involve hundreds of millions of users. Despite the tremendous social impact and business opportunities afforded by these communities, little information systems (IS) research has addressed them - especially in a cross-cultural context. Our research proposes an online community self-disclosure mod...

Supply chains operate under conditions of uncertainty, and chain members exchange information as a means to mitigate such uncertainty within the chain. While these exchanges have largely been viewed as a positive method of achieving operational cohesion, some supply chains appear to benefit more from increased levels of information sharing than oth...

Practically all supply chains operate under conditions of uncertainty. To mitigate this uncertainty and increase performance, organizations within chains exchange information to achieve operational cohesion. However, as some researchers have noted, some supply chains benefit more from increased levels of information sharing than others (e.g. Cachon...

Despite the increased use of new learning technologies, there is still much to be learned about the role of learner characteristics in online learning. The purpose of this study was to examine how subjects' characteristics normally associated with effective training (i.e., initial motivation to learn and self-efficacy) related to learning in a self...

Practically all supply chains operate under conditions of uncertainty. To mitigate this uncertainty and increase performance, organizations within chains exchange information to achieve operational cohesion. However, as some researchers have noted, some supply chains benefit more from increased levels of information sharing than others (e.g. Cachon...

In their seminal work, Compeau and Higgins (1995) provided the IS research community with a measure of computer selfefficacy (CSE) based on Bandura’s (1986) Social Cognitive Theory. The use of this CSE measure has since flourished within various academic literatures. Recent research interest (Marakas, Johnson, & Clay, 2007; Thatcher, Zimmer, Gundla...

Electronic communities are at the forefront of many individuals' personal lives. Social networking communities such as Facebook.com and MySpace.com afford personal communication to either the entire world or a specified group of individuals. Little research, however, has examined the underlying factors which may play a role in an individual's contr...