How to Mitigate Security-Related Stress: The Role of Psychological Capital

Muriel Frank
Goethe University Frankfurt
frank@wiwi.uni-frankfurt.de
Vanessa Kohn
Goethe University Frankfurt
kohn@its.uni-frankfurt.de
Abstract
In an organizational context, individuals are
prone to feel stressed by overwhelming and
complicated security requirements, which can result
in noncompliance with security policies and
guidelines. While previous research has mainly
focused on identifying distinct dimensions of security-
related stress (SRS) and their behavioral impact, this
paper is the first to examine factors for mitigating
SRS. A study with 150 participants reveals that
psychological capital (PsyCap), here comprising
domain-specific self-efficacy and resilience, may
work as such a means, as it significantly reduces
perceived SRS. However, the positive effect of
PsyCap diminishes when becoming a victim of
cybercriminals. Said differently: victims displaying
high or low PsyCap tend to feel more stress
compared to non-victims. Our findings imply that
organizations should invest in measures that help
their employees to develop positive mental
capabilities before experiencing an information
security incident.
1. Introduction
Over the last decade, both the quantity and
severity of information security breaches have
increased tremendously [34]. Cybercriminals
continuously find new ways to compromise, steal, or
manipulate sensitive data, confronting organizations
with massive financial losses [54]. In many cases,
such attacks are successful because they take
advantage of the weakest link, the human factor [24].
To counteract these security risks, organizations have
started to employ different kinds of measures, such as
specific security guidelines and policies [1]. These
measures are designed to provide employees with the
necessary knowledge to reduce the probability of
becoming victims of malicious hackers.
Concurrently, employees often perceive those
measures as overwhelming and difficult to
understand [17]. Besides, seeing their information
security behavior monitored and, consequently,
their privacy invaded also puts stress on individuals
[1]. Therefore, it is not surprising that security-related
stressors negatively relate to information security
compliance intentions [1, 17].
In order to achieve secure information systems, it
seems necessary to help individuals to face security-
related stress and still evince sound information
security behavior. So far, researchers have only
focused on dimensions or the outcome of security-
related stress (SRS) [1, 17], leaving room for
investigations on potential stress mitigators.
We argue that employees need to develop a
positive mental state, also known as psychological
capital (PsyCap), to counter the harmful effects of
security-related stress. PsyCap is positively related to
desirable employee attitudes, behaviors, and
performance measures while it decreases undesirable
attitudes such as cynicism, turnover intentions, and
deviant employee behavior [3]. Yet, the impact of
PsyCap in information security remains unexplored,
though we see promising research findings
concerning the two PsyCap subdimensions resilience
and self-efficacy. For instance, Bulgurcu et al. [8]
confirm a significantly positive relationship between
self-efficacy and compliance with security policies.
McCormac et al. [45] recently explored how job
stress relates to resilience and information security
awareness. They find that resilience effectively
mediates the relationship between job stress and
awareness, meaning that even when faced with lots of
stress at work, resilient employees still report higher
levels of security awareness. By investigating the role
of PsyCap in mitigating security-related stressors,
this study aims at closing this research gap.
Accordingly, the main research question is:
Does psychological capital work as a means to
mitigate employees’ information security stress?
To the best of our knowledge, we are the first to
test whether PsyCap works as a mitigator with regard
to SRS. By doing so, we can gain essential insights
into employees’ security behavior and understand
what factors contribute to the extent people
experience security-related stress. Our findings are of
high practical relevance as managers in charge learn
how individual characteristics and mental capabilities
affect their employees’ security-related stress levels
and, consequently, may adjust their strategies.
Proceedings of the 54th Hawaii International Conference on System Sciences | 2021
URI: https://hdl.handle.net/10125/71167
978-0-9981331-4-0
(CC BY-NC-ND 4.0)
The paper is organized as follows. First, we
describe the study’s primary constructs, namely
PsyCap and security-related stress. The next section
covers the research method, the data collection
procedure, sample characteristics, and the applied
measures. This is followed by
the analysis. Afterward, we discuss theoretical as
well as practical implications and finalize the section
by looking at future research endeavors.
2. Theoretical context
The purpose of this study is to gain a better
understanding of whether a positive psychological
state can reduce the unwanted outcomes of security-
related stress. In the following, we give a brief
overview of the constructs our research model
consists of, including current research findings. The
final subsection presents the model (see Figure 1) as
well as our hypotheses.
Figure 1. Research model
2.1. Psychological capital
The concept of psychological capital emerged in
the late 1990s as part of the positive psychology
movement [9], which aims at focusing on strengths,
motives, and capacities of human beings rather than
their errors and weaknesses [11, 58]. It comprises,
amongst others, the two components self-efficacy and
resilience [39], which are necessary to successfully
reach a goal [11] and already played a significant role
when examined as individual components in
information security [8, 45].
Self-efficacy draws on Social Cognitive Theory
[16] and is defined as one’s confidence in his or her
ability to mobilize the motivation, cognitive
resources, and courses of action necessary to execute
a specific course of action within a given context
[40:158]. It is essential to distinguish self-efficacy
from the general term confidence. Confidence
describes the strength of a belief without specifying
to what the certainty refers. For instance, one can be
highly confident to fail at a task. In contrast, self-
efficacy refers to a person’s belief in their capability
to follow a course of action leading to the attainment
of given objectives [5]. While confidence is a general
characteristic of a person, self-efficacy is a domain-
specific construct containing both the affirmation of
one’s ability and the strength of belief [48]. Drawing
on the difference between the terms, confidence
rather works as a dependent variable in the
information security context, whereas self-efficacy
can be characterized as an independent variable that
may be targeted for interventions and utilized as an
antecedent of change [16].
A significant number of studies prove the
positive relationship between self-efficacy and behavioral
outcomes in different settings [62]. People who are
confident about being able to cope with any situation
tend to take on higher risks [4]. The concept of self-
efficacy has also been transferred to the field of
information security. Several studies reveal the
positive relationship self-efficacy has on information
security policy compliance [8, 27, 31, 32, 60] and
information security knowledge sharing intentions
[63]. The more individuals believe in having the
skills and capabilities to follow the information
security rules or to have the necessary security
knowledge, the higher their intention to comply or
share.
In the literature devoted to psychology, resilience
is seen as a phenomenon of competence despite
adversity [42:554] and good outcomes in spite of
serious threats to adaptation or development
[44:228]. These definitions suggest that individuals
are capable of adapting well even under challenging
life conditions such as adversity, trauma, or stress [2,
67]. Findings show that resilience is also associated
with self-efficacy [44]. In an organizational context,
resilience describes the ability of employees to use
existing resources to overcome challenging situations
and to bounce back in the workplace [49]. It is
characterized by three underlying factors:
adaptability, networking, and learning [35]. Research
therefore suggests that resilience can be specifically
developed and promoted through organizational
measures [65]. The concept of resilience has only
recently found its way into the field of information
security. Ole Johnsen [50], for instance, explored
how to increase resilience to mitigate unwanted
intrusion into networks. More recently, [34] links
employees’ resilience to improved information
security behavior in terms of proactive awareness,
password generation, as well as device securement
and updating. Additionally, [45] analyze how job
stress connects to resilience and security awareness.
The authors find that resilient individuals have more
security knowledge and are more aware of potential
security issues. The same applies to those who
reported being less stressed at work.
2.2. Security-related stress
At least since organizations know about the
potential threat of abusive insiders, they require their
employees to abide by strict security rules and
regulations [55]. For instance, workers are not
allowed to share their passwords with colleagues,
send sensitive data unencrypted, or read confidential
data [66]. However, when being confronted with
complex and obscure security practices, most
employees feel stressed, which has a negative impact
on their intention to comply [1, 36]. Puhakainen and
Siponen [56], for instance, demonstrate employees’
stressful reactions to such requirements. And Posey
et al. [55] find employees who are confronted with
constantly changing security environments to be
prone to computer abuse.
Early work in the realm of security-related stress
also proves that information security requirements
may create stress. D’Arcy et al. [17], for instance,
transfer the concept of technostress to information
security. Drawing on coping theory as well as prior
technostress research, they explore the three factors
security-related overload, security-related
uncertainty, and security-related complexity. They
find these stressors to negatively affect an
individual’s willingness to comply with security
policies. Ament and Haag [1] approach the topic
from a different perspective. They expect security-
related stress to be a multidimensional construct,
spanning not only employees’ work but also their
personal and social environment. With the help of
165 participants, they identify three additional
stressors, namely privacy invasion, conflict, and
news, which all have a significant impact on
information security awareness.
Recent research approaches examine other stress-
related antecedents of security policy compliance.
Hwang and Chao [30] demonstrate that security-
related role stress as well as security-related
technostress creators, such as complexity, overload,
and uncertainty, decrease one’s organizational
commitment, which indirectly affects one’s
compliance with security policies. Building on
protection motivation theory, [12] find that stress
significantly influences coping strategies and, thus,
security policy compliance.
2.3. Hypotheses
Today’s organizations often have security
requirements, rules, and policies in place, which may,
however, have an opposing effect. Instead of
promoting information security, employees often feel
overwhelmed and stressed, making them less willing
to follow the rules [17]. As highlighted in the
previous section, information security researchers
have identified several stressors that negatively
impact one’s compliance intention, including
complexity, uncertainty, and overload [1, 17].
Individuals do not have the resources to invest
heavily in understanding changing or overwhelming
policies.
Previous findings have already confirmed the
important relationship of PsyCap with positive
organizational outcomes, like job satisfaction [3] and
reduced turnover [53]. Directly relevant to the
present study, Baron et al. [6] find psychological
capital to be a sufficient buffer against stress.
Additional findings from McCormac et al. [45]
confirm that more resilient people tend to report
lower stress levels. As PsyCap reflects how people
cope with stressful or disastrous events [39], we
assume this positive mental state to play a significant
role in the security context as well. Those who feel
confident to cope with information security incidents
should report significantly lower stress levels. This
notion is backed up by findings which show that the
concepts of stress and self-efficacy are closely related
[69], suggesting that people who feel self-confident
are more likely to assess a given situation as rather
challenging than threatening [13]. Based on the
above evidence, we assume employees with higher
psychological capabilities such as self-efficacy and
resilience to experience less security-related stress
and thus hypothesize:
H1: PsyCap is negatively related to security-
related stress.
Research shows that traumatic incidents are often
followed by stress [37]. For instance, employees who
experienced workplace bullying commonly report a
loss of confidence and increased stress levels [64].
Stressors can be classified into four categories: major
life events, catastrophes, daily hassles, and conflict
[52]. Major life events are good or bad life changes
(e.g., a divorce or a jail term) that require an
individual to adjust. Catastrophes encompass natural
disasters and wars, whereas daily hassles (e.g.,
concerns about money or discrimination) add up over
time. Crises require individuals to choose between
multiple demands, needs, or desires.
Depending on the severity and consequences,
being the victim of an information security incident
at work can be classified as a daily hassle, conflict, or
even a life event if an employee loses their job and
reputation over the incident. To the best of our
knowledge, no prior research has analyzed the post-
incident stress levels of employees who experienced
information security incidents. Based on the above
classification and evidence from other contexts, we
assume employees who were already once tricked by
cybercriminals to perceive higher levels of security-
related stress, as they realize their blatant
incompetence to behave securely.
H2: Previous exposure to information security
incidents is positively related to security-related
stress.
To further investigate the relationship between
PsyCap and SRS, we focus on interaction effects
between both constructs. As stated above, we assume
psychological capital and security-related stress to be
negatively related. But while we expect a stress-
reducing impact of self-efficacy and resilience for all
employees, we assume that the strength of this impact
differs for those who already experienced
information security incidents either in their private
or in their professional lives (see Figure 1). Drawing
on findings from the psychological sphere [48, 59],
we expect former victims of cybercriminals to feel
more stressed by complex security requirements
compared to individuals with no incident experience
and, therefore, less confident about coping with
future information security incidents. That may be
because employees who already experienced a
security incident may realize that they failed to fully
understand all security requirements or to act
accordingly. In other words: Prior incident
experience may work as a stress trigger showing
those affected their incompetence to abide by security
guidelines. A positive mental state is then less
effective. Employees with no incident experience,
however, may still be confident to handle security
practices and, hence, feel less stressed.
Correspondingly, we hypothesize the following:
H3: The relationship between PsyCap and
security-related stress is moderated by previous
exposure to information security incidents.
3. Methodology
In the ensuing section, we present details on the
scale development, the demographic characteristics
of the data sample, and the collection procedure. To
investigate whether psychological capital relates to
security-related stress, we collected data from 150
employees through an online survey and then applied
structural equation modeling in Amos 27.
3.1. Scale development & measures
The Psychological Capital Questionnaire (PCQ)
is considered to be the standard scale to measure
PsyCap in an organizational setting [38]. Its 24 items
revolve around the workplace (e.g., “If I should find
myself in a jam at work, I could think of many ways
to get out of it”), but do not capture security-specific
situations. As a result, a more targeted PsyCap scale
in the context of information security is needed,
which has been recently highlighted by Burns et al.
[9], who established a connection between PsyCap in
general and all components of protection motivation
theory. As no prior research has transferred the
concept of PsyCap to the context of information
security, we followed the approach of Morgado et al.
[47] for item generation. This implied a literature
review, expert sessions, and psychometric analysis.
We developed items for self-efficacy based on
Luthans et al. [39] and Klesel et al. [33]. The
resilience items are adapted from the Employee
Resilience Scale [34, 49]. For instance, the item “I
effectively collaborate with others to handle
unexpected challenges at work” was modified to “I
effectively collaborate with others to handle
unexpected security challenges.” All items were
checked by three experts in terms of coherency and
comprehensibility.
In order to measure participants’ positive mental
capabilities, we asked them to read a short scenario
of an information security incident and subsequently
evaluate their agreement with the items presented in
Table 1. Using scenarios to measure behavior is well
established in the field of information security [see,
e.g., 33]. Based on the contextual information
provided, participants tend to answer the questions
honestly [22]. Here, participants were asked to
imagine that they have accidentally downloaded a
virus on their work computer. By specifying the
nature and consequences of the security incident and
giving examples for security guidelines, we align
participants’ answers irrespective of external factors
such as the presence of certain security policies in the
participants’ workplace.
We drew on established items to measure
security-related stress [17]. We further asked
participants to indicate whether they have previously
been a victim of any security incident affecting either
their private or professional life.
Table 1. Final PsyCap survey items
Component | Item
Self-Efficacy | I feel confident that I can adapt to new security requirements.
Self-Efficacy | I am willing to put in effort to understand new security policies.
Self-Efficacy | I re-evaluate my security performance and continually improve the way I do my work.
Self-Efficacy | I make a plan to integrate new regulations in my work routines.
Resilience | I effectively collaborate with others to handle unexpected security challenges.
Resilience | I seek assistance when I need specific information security resources.
Resilience | I approach managers when I need their support regarding information security.
Resilience | I learn from my mistakes and improve the way I follow security guidelines.
Resilience | I effectively respond to feedback about my security behavior, even criticism.
Resilience | I use this change at work as an opportunity for growth.
With the collected survey data, we first performed
an exploratory factor analysis to confirm that all
newly developed items load together as
psychological capital. In the course of this, the items
for hope had to be excluded due to cross-loadings.
Afterward, we conducted a confirmatory factor
analysis to specify whether to use a first-order or a
second-order construct. For optimism, however, we
found issues regarding its internal consistency, so we
decided to drop it from further analysis. Results
suggested proceeding with the better-performing
second-order construct of PsyCap, containing the
individual components self-efficacy and resilience,
which is in line with prior research [9, 39]. The
internal consistency of PsyCap is 0.954.
3.2. Sample data
We collected 150 data sets by distributing an
online questionnaire via the crowdsourcing marketplace
Amazon MTurk, the use of which is no longer an exception in
scientific research [51]. Data collected via online
labor markets are externally and internally valid [7].
We required participants to live in the United States
to avoid cultural biases in our sample. To further
guarantee high data quality, we controlled for
incomplete data sets and low participation times.
Besides, the survey included control questions, and
we eliminated data sets of participants who failed to
give the right answers. In total, 13 data sets had to be
removed. The remaining 137 data sets were used for
further analysis, such as exploratory and
confirmatory factor analysis and structural equation
modeling in Amos 27.
The majority of participants are males (62.8%).
The average respondent is 36.0 years old and has a
working experience of 13.65 years. Participants
spread almost evenly over all industries, with a
majority working in Software & IT Services (25.5%)
and Retail, Wholesale & Distribution (13.1%).
Furthermore, participants reported a relatively high
educational level, with more than 52% of them
having a Bachelor’s degree. The majority of the
respondents work in companies with more than 100
employees.
3.3. Analysis
A KMO value of 0.924 and a significant Bartlett
spherical value indicate that our data is suitable for
factor analysis. Initially, we included all four sub-
constructs of PsyCap in our exploratory factor
analysis.
All items in the confirmatory factor analysis show
loadings above 0.6. Reliability and validity values are
well above the recommended thresholds [23], with all
three factors having an average variance extracted of
0.8 or more and composite reliability of above 0.9.
Following Fornell and Larcker (1981), we also
checked discriminant validity and compared the
square root of the AVE with the correlations between
constructs. All values confirmed validity. Comparing
the fit indices against the acceptable thresholds [23],
we find the model to have excellent goodness of fit.
CFI and TLI amount to 0.972 and 0.929,
respectively, SRMR and RMSEA to 0.052 and 0.041.
4. Results
As displayed in Figure 2, the path between
PsyCap and security-related stress is significantly
negative (-0.256). Hence, the model confirms our
expectation that employees with high PsyCap
experience less stress when being exposed to
complex, overwhelming, and uncertain security
requirements (hypothesis 1).
As expected, employees who previously
experienced an information security incident
displayed significantly higher levels of security-
related stress (.277). This finding supports our second
hypothesis.
Figure 2. Research results
In line with hypothesis 3, we detect a moderating
effect (.144) of previous exposure to security
incidents on the relationship between PsyCap and
security-related stress. This implies that the negative
impact of PsyCap on security-related stress is
dampened when an employee has already become the
victim of an information security incident. Figure 3
illustrates this interaction effect.
We also find victims to be more stressed
compared to employees who have no incident
experience (3.420 vs. 2.686). These differences are
statistically significant (Z=-4.217, p<0.000).
Furthermore, the latter reported higher PsyCap levels
compared to those who already had to deal with a
security incident in the past (4.368 vs. 3.996). Again,
these group differences are significant (Z=-2.757,
p<0.006).
Figure 3. Interaction effect
When controlling for gender, we found no
significant effect. However, age has a small positive
effect on PsyCap (.174*), indicating that older
employees show a slightly higher positive mental
state.
5. Discussion
In this paper, we introduced the concept of
security-specific PsyCap and demonstrated its impact
on security-related stress. In the following section,
we will discuss the practical and academic
implications of our findings. We conclude by making
suggestions for future work while accounting for the
limitations of the current study.
5.1. Contributions and implications
To the best of our knowledge, we are the first to
develop and validate a scale measuring psychological
capital specific to the information security context.
By doing so, we contribute to the emerging body of
PsyCap research in general [6] as well as to more
recent findings with regard to information security
[9]. Our PsyCap scale comprises ten items divided
into the two components resilience and self-efficacy.
Yet, it is noteworthy that these constructs of PsyCap
may not be seen as an exclusive taxonomy of what
constitutes the determining factors for an employee’s
security-related stress level. Instead, we suggest them
to play an essential role in contributing to a better
understanding of whether individuals experience
security-related stress and abide by security rules and
regulations. As this is the first empirical study to
apply our new scale, further validation is needed.
Hence, we highly encourage future researchers to
draw on our scale when investigating psychological
and behavioral influences in the field of information
security.
Moreover, we are the first to discover that PsyCap
can work as a mitigator on security-related stress,
which is a new and important finding. People scoring
high on PsyCap are less prone to stress. This finding
is in line with previous studies from other disciplines.
Baron et al. [6], for instance, confirm that PsyCap
leads to improved well-being. Our result underlines
the importance of investing in employees’ PsyCap to
reduce their perceived stress levels. By doing so, the
overall compliance with security requirements can
increase [1, 36]. In other words: If organizations want
their employees to follow security guidelines, they
should write them in clear language and
communicate them through high-level managers [60].
Our results also advise managers in charge to
focus their efforts on strengthening their employees’
PsyCap through targeted training measures [53].
Intervention strategies could encompass including
employees in the process of developing security goals
and breaking them down into small achievable tasks
as well as encouraging employees to perceive
security threats as opportunities to protect the
organization rather than potential points of failure
[9]. PsyCap thus represents a powerful lever for
reducing a workforce’s security-related stress and
thereby improving their compliance with security
policies. Prior research has also shown that the
compliance behavior of employees positively affects
the security behavior of their peers [25]. We therefore
assume that employees with high PsyCap are
contributing to a higher security level in their
organizations not only by being less stressed about
security requirements and more careful in following
security policies but also by inspiring their colleagues
to do the same.
Literature confirms higher levels of stress
amongst those who experienced traumatic situations
such as being the victim of a crime or going through
emotionally intense experiences [52]. We were the
first to study the influence of exposure to information
security incidents on employees’ security-related
stress levels. In line with research results from other
fields, victims of cybercrime reported significantly
higher security-related stress. We advise practitioners
to foster a proactive workplace culture in which
employees feel safe to make mistakes and share their
failures [19]. When promoting proactive
communication, organizations can decrease or even
prevent their employees from experiencing security-
related stress and making mistakes in the future [15,
29, 43]. That is because scholars have already proven
a positive relationship between learning from
mistakes and resilience [10]. Employees who are able
to cope with setbacks better generally also perform
better and show greater commitment because they are
aware of challenging situations and expect failure
[28]. As a result, they will develop a stronger sense
of responsibility and a higher intrinsic motivation for
dealing with and correcting mistakes [21], which is
what we find here. Those scoring high on
psychological capital perceived less security-related
stress compared to employees with low PsyCap.
Noteworthy is the moderating effect of exposure
to information security incidents. If employees had
become a victim of cybercriminals, the negative
effect of PsyCap on SRS was less strong, meaning
that the positive impact diminishes. This finding
implies that companies should already focus on
building PsyCap capabilities amongst their
employees prior to the occurrence of information
security incidents. According to our results,
prevention rather than reaction strategies maximize
the stress-reducing benefits of PsyCap in the
workplace. Following the immediate occurrence of
information security incidents, it is recommended to
debrief the affected employees within the first 72
hours. During a critical incident stress debriefing, the
victims are encouraged to express their feelings
regarding the incident, receive confirmation that these
feelings are normal in such situations, and are
supported in assimilating the experience.
Providing immediate assistance to the victims can
disrupt or prevent the onset of more severe issues
[37]. This could reduce the security-related stress
employees build up after having become victims of
cybercrime. We recommend that organizations
supplement these acute debriefs with long-term
PsyCap training to effectively mitigate SRS amongst
their workforce.
While most previous studies found no significant
effect of gender and age on PsyCap [41, 46, 59], we
found older employees to demonstrate a slightly
higher PsyCap. Since one’s life experience increases
with age, it is more likely that older employees had to
overcome more challenges in their lives, allowing
them to develop a more positive mental state.
5.2. Limitations and future work
As indicated in the analysis section, we had to
eliminate two of the four sub-constructs of PsyCap
during the factor analysis. To be able to study all
aspects of PsyCap in the future, it is necessary to
revise the respective items. Rephrasing them to
distinguish their unique characteristics while
maintaining their role within the overall PsyCap
construct can increase the validity.
Future work can help identify other factors not
considered in the current study that impinge on the
relationship between PsyCap and SRS. For instance,
cultural factors [14], organizational commitment, and
social influence [26] have been linked to improving
employees’ security behavior, so it remains to be
tested to which extent these factors affect the
security-related stress levels of employees as well.
To the best of our knowledge, no classification of
security-related stressors with regard to their stress
impact in the information security context exists.
Future work can fill this research gap, which will
benefit the investigation of SRS in the future
tremendously.
According to D’Arcy and Teh [18], employees
respond to security-related stress with adverse
emotional reactions which, in turn, increase
neutralization of security policy violations and
thereby decrease compliance behavior. Sommer et al.
[61] link negative emotions to decreases in resilience,
whereas positive emotions strengthen resilience. This
can be explained by the supporting role positive
emotions play in the recovery process from negative
experiences. It has been shown that strong positive
emotions can even replace negative ones [20]. It thus
remains interesting to identify whether psychological
capital creates positive emotions that are strong
enough to suppress negative emotions associated
with experiencing security incidents and dealing with
strict security rules.
More importantly, changes over time represent an
important factor not considered in our study. By
applying a longitudinal approach, future work can
investigate how PsyCap impacts individuals’ stress
levels over time. We especially recommend focusing
on causality when examining the relationship
between these constructs. As reported by McCormac
et al. [45], high stress levels do not necessarily
translate to lower security awareness as resilience
mediates this relationship. Future work can test
whether PsyCap represents a similarly strong
mediator.
As with any empirical study relying on self-
reported data, our results are subject to response bias
and social desirability bias. We attempted to counter
these effects by carefully designing the questionnaire
and ensuring anonymity and confidentiality.
Moreover, we applied statistical techniques to
identify dishonest reporting (e.g., we included control
items to check if participants carefully read the
instructions) and checked the validity and reliability
of our results. Nevertheless, future work can further
explore the concept of PsyCap following an
experimental or a mixed-methods approach. For
instance, Zhu et al. [70] created scenarios of
encounters in a work environment to test the
influence of humble leadership on employees’
resilience.
Reichard et al. [57] placed PsyCap into the
context of cross-cultural interactions, and Wernsing
[68] applied a PsyCap measurement in twelve
different national cultures while highlighting the
importance of testing measurement invariances
across cultures. Since all our participants are
Americans, it remains unclear how the construct
of PsyCap performs in other cultures. The cultural
context of our study thus represents a final limitation.
6. Conclusion
In contrast to existing psychological capital
scales, the newly developed PsyCap items are
explicitly targeted to psychological capabilities
relevant to information security. This encompasses
not only employees’ confidence in their abilities but also their
ability to bounce back from challenges after
information security incidents.
Building on previous research that associates
PsyCap with multiple positive organizational
outcomes, this study confirms desirable
organizational security outcomes for the adapted
PsyCap construct as well. Specifically, organizations
can expect reductions in security-related stress when
investing in building their employees’ PsyCap. This
provides a competitive advantage for organizations in
a digitalized world, in which the frequency and
severity of information security attacks continuously
rise.
7. References
[1] Ament, C., and S. Haag, “How Information Security
Requirements Stress Employees”, Proceedings of the 37th
International Conference on Information Systems, (2016),
3673–3689.
[2] American Psychological Association, “The Road to
Resilience.”, 2020. https://www.apa.org/helpcenter/road-
resilience.
[3] Avey, J.B., R.J. Reichard, F. Luthans, and K.H. Mhatre,
“Meta-Analysis of the Impact of Positive Psychological
Capital on Employee Attitudes, Behaviors, and
Performance”, Human Resource Development Quarterly
22(2), 2011, pp. 127–152.
[4] Bandura, A., “Self-Efficacy Conception of Anxiety”,
Anxiety Research 1(2), 1988, pp. 77–98.
[5] Bandura, A., Self-efficacy: The exercise of control,
Freeman, New York, 1997.
[6] Baron, R.A., R.J. Franklin, and K.M. Hmieleski, “Why
Entrepreneurs Often Experience Low, Not High, Levels of
Stress: The Joint Effects of Selection and Psychological
Capital”, Journal of Management 42(3), 2016, pp. 742–768.
[7] Berinsky, A.J., G.A. Huber, and G.S. Lenz, “Evaluating
Online Labor Markets for Experimental Research:
Amazon.com’s Mechanical Turk”, Political Analysis 20(3),
2012, pp. 351–368.
[8] Bulgurcu, B., H. Cavusoglu, and I. Benbasat,
“Information security policy compliance: An empirical
study of rationality-based beliefs and information security
awareness”, MIS Quarterly 34(3), 2010, pp. 523–548.
[9] Burns, A.J., T.L. Roberts, C. Posey, and P.B. Lowry,
“Examining the Relationship of Organizational Insiders’
Psychological Capital with Information Security Threat and
Coping Appraisals”, Computers in Human Behavior 68,
2017, pp. 190–209.
[10] Caniëls, M.C.J., and S.M.J. Baaten, “How a Learning-
Oriented Organizational Climate is Linked to Different
Proactive Behaviors: The Role of Employee Resilience”,
Social Indicators Research 143(2), 2019, pp. 561–577.
[11] Çavuş, M.F., and A. Gökçen, “Psychological Capital:
Definition, Components and Effects”, British Journal of
Education, Society & Behavioural Science, 2015, pp. 244–255.
[12] Chang, S.-H., H.-M. Hsu, Y. Li, and J.S.-C. Hsu, “The
Influence of Information Security Stress on Security Policy
Compliance: A Protection Motivation Theory Perspective”,
Proceedings of the 22nd Pacific Asia Conference on
Information Systems, (2018).
[13] Chemers, M.M., L. -t. Hu, and B.F. Garcia,
“Academic Self-Efficacy and First-Year College Student
Performance and Adjustment”, Journal of Educational
Psychology 93(1), 2001, pp. 55–64.
[14] Connolly, L.Y., M. Lang, J. Gathegi, and D.J. Tygar,
“Organisational Culture, Procedural Countermeasures, and
Employee Security Behaviour: A Qualitative Study”,
Information & Computer Security 25(2), 2017, pp. 118–136.
[15] Cooper, C.L., and S. Cartwright, “Healthy Mind;
Healthy Organization – A Proactive Approach to
Occupational Stress”, Human Relations 47(4), 1994, pp.
455–471.
[16] Cramer, R.J., T.M.S. Neal, and S.L. Brodsky, “Self-
efficacy and confidence: Theoretical distinctions and
implications for trial consultation”, Consulting Psychology
Journal 61(4), 2009, pp. 319–334.
[17] D’Arcy, J., T. Herath, and M.K. Shoss,
“Understanding Employee Responses to Stressful
Information Security Requirements: A Coping
Perspective”, Journal of Management Information Systems
31(2), 2014, pp. 285–318.
[18] D’Arcy, J., and P.-L. Teh, “Predicting employee
information security policy compliance on a daily basis:
The interplay of security-related stress, emotions, and
neutralization”, Information & Management 56(7), 2019,
pp. 103151.
[19] Frank, M., “Sharing Information Security Failure: The
Role of Social Context and Social Environment”,
Proceedings of the 24th Pacific Asia Conference on
Information System, (2020), 202.
[20] Fredrickson, B.L., and R.W. Levenson, “Positive
Emotions Speed Recovery from the Cardiovascular
Sequelae of Negative Emotions”, Cognition & Emotion
12(2), 1998, pp. 191–220.
[21] Frese, M., and N. Keith, “Action Errors, Error
Management, and Learning in Organizations”, Annual
Review of Psychology 66, 2015, pp. 661–687.
[22] Guo, K.H., and Y. Yuan, “The effects of multilevel
sanctions on information security violations: A mediating
model”, Information and Management 49(6), 2012, pp.
320–326.
[23] Hair, J.F., B.J. Babin, R.E. Anderson, and W.C. Black,
Multivariate Data Analysis, Pearson Education Limited,
Harlow, Essex, 2014.
[24] Heartfield, R., and G. Loukas, “Detecting semantic
social engineering attacks with the weakest link:
Implementation and empirical evaluation of a human-as-a-
security-sensor framework”, Computers and Security 76,
2018, pp. 101–127.
[25] Herath, T., and H.R. Rao, “Encouraging Information
Security Behaviors in Organizations: Role of Penalties,
Pressures and Perceived Effectiveness”, Decision Support
Systems 47(2), 2009, pp. 154–165.
[26] Herath, T., and H.R. Rao, “Protection motivation and
deterrence: a framework for security policy compliance in
organisations”, European Journal of Information Systems
18(2), 2009, pp. 106–125.
[27] Huang, H.-W., N. Parolia, and K.-T. Cheng,
“Willingness and Ability to Perform Information Security
Compliance Behavior: Psychological Ownership and Self-
Efficacy Perspective”, Proceedings of the 20th Pacific Asia
Conference on Information System, 2016.
[28] Huang, L., and F. Luthans, “Toward Better
Understanding of the Learning Goal Orientation-Creativity
Relationship: The Role of Positive Psychological Capital”,
Applied Psychology 64(2), 2014, pp. 444–472.
[29] Hung, W.H., K. Chen, and C.P. Lin, “Does the
proactive personality mitigate the adverse effect of
technostress on productivity in the mobile environment?”,
Telematics and Informatics 32(1), 2015, pp. 143–157.
[30] Hwang, I., and O. Chao, “Examining technostress
creators and role stress as potential threats to employees’
information security compliance”, Computers in Human
Behavior 81, 2018, pp. 282–293.
[31] Ifinedo, P., “Understanding information systems
security policy compliance: An integration of the theory of
planned behavior and the protection motivation theory”,
Computers and Security, (2012), 83–95.
[32] Johnston, A.C., and M. Warkentin, “Fear Appeals and
Information Security Behaviors: An Empirical Study”, MIS
Quarterly 34(3), 2010, pp. 549–566.
[33] Klesel, M., N. Narjes, and B. Niehaves,
“Conceptualizing IT Resilience: An Explorative
Approach”, Multikonferenz Wirtschaftsinformatik, (2018),
1008–1019.
[34] Kohn, V., “How Employees’ Digital Resilience Makes
Organizations More Secure”, Proceedings of the 24th
Pacific Asia Conference on Information System, (2020),
190.
[35] Kuntz, J., P. Connell, and K. Näswall, “Workplace
resources and employee resilience: the role of regulatory
profiles”, Career Development International 22(4), 2017,
pp. 419–435.
[36] Lee, C., C.C. Lee, and S. Kim, “Understanding
information security stress: Focusing on the type of
information security compliance activity”, Computers &
Security 59, 2016, pp. 60–70.
[37] Leonard, R., and L. Alison, “Critical incident stress
debriefing and its effects on coping strategies and anger in
a sample of Australian police officers involved in shooting
incidents”, Work and Stress 13(2), 1999, pp. 144–161.
[38] Lorenz, T., C. Beer, J. Pütz, and K. Heinitz,
“Measuring Psychological Capital: Construction and
Validation of the Compound PsyCap Scale (CPC-12)”,
PloS ONE 11(4), 2016, pp. 1–17.
[39] Luthans, F., B.J. Avolio, J.B. Avey, and S.M. Norman,
“Positive psychological capital: Measurement and
relationship with performance and satisfaction”, Personnel
Psychology 60(3), 2007, pp. 541–572.
[40] Luthans, F., and C.M. Youssef, “Human, Social, and
Now Positive Psychological Capital Management”,
Organizational Dynamics 33(2), 2004, pp. 143–160.
[41] Luthans, F., C.M. Youssef, D.S. Sweetman, and P.D.
Harms, “Meeting the Leadership Challenge of Employee
Well-Being Through Relationship PsyCap and Health
PsyCap”, Journal of Leadership & Organizational Studies
20(1), 2013, pp. 118–133.
[42] Luthar, S.S., D. Cicchetti, and B. Becker, “The
Construct of Resilience: A Critical Evaluation and
Guidelines for Future Work”, Child Development 71(3),
2000, pp. 543–562.
[43] Malik, P., and P. Garg, “The relationship between
learning culture, inquiry and dialogue, knowledge sharing
structure and affective commitment to change”, Journal of
Organizational Change Management 30(4), 2017, pp.
610–631.
[44] Masten, A.S., “Ordinary magic: Resilience processes
in development”, American Psychologist 56(3), 2001, pp.
227–238.
[45] McCormac, A., D. Calic, K. Parsons, M. Butavicius,
M. Pattinson, and M. Lillie, “The effect of resilience and
job stress on information security awareness”, Information
and Computer Security 26(3), 2018, pp. 277–289.
[46] McMurray, A.J., A. Pirola-Merlo, J.C. Sarros, and
M.M. Islam, “Leadership, climate, psychological capital,
commitment, and wellbeing in a non-profit organization”,
Leadership and Organization Development Journal 31(5),
2010, pp. 436–457.
[47] Morgado, F.F.R., J.F.F. Meireles, C.M. Neves, A.C.S.
Amaral, and M.E.C. Ferreira, “Scale development: Ten
main limitations and recommendations to improve future
research practices”, Psicologia: Reflexao e Critica 30(1),
2017, pp. 1–20.
[48] Morony, S., S. Kleitman, Y.P. Lee, and L. Stankov,
“Predicting achievement: Confidence vs self-efficacy,
anxiety, and self-concept in Confucian and European
countries”, International Journal of Educational Research
58, 2013, pp. 79–96.
[49] Näswall, K., J. Kuntz, and S. Malinen, Employee
Resilience Scale (EmpRes): Technical Report, 2015.
[50] Ole Johnsen, S., “Resilience at interfaces:
Improvement of safety and security in distributed control
systems by web of influence”, Information Management &
Computer Security 20(2), 2012, pp. 71–87.
[51] Owens, J., and E.M. Hawkins, “Using Online Labor
Market Participants for Nonprofessional Investor Research:
A Comparison of MTurk and Qualtrics Samples”, Journal
of Information Systems 33(1), 2019, pp. 113–128.
[52] Pastorino, E.E., and S.M. Doyle-Portillo, What is
psychology?: Foundations, Applications, and Integration,
Thompson Higher Education, Belmont, CA, 2009.
[53] Peterson, S.J., F. Luthans, B.J. Avolio, F.O. Walumba,
and Z. Zhang, “Psychological Capital and Employee
Performance: A Latent Growth Modeling Approach”,
Personnel Psychology 46(2), 2011, pp. 427–450.
[54] Ponemon Institute, “IBM: Cost of a Data Breach
Report 2019”, Computer Fraud & Security 2019(8), 2019,
pp. 4.
[55] Posey, C., R.J. Bennett, T.L. Roberts, and P.B. Lowry,
“When Computer Monitoring Backfires: Invasion of
Privacy and Organizational Injustice as Precursors to
Computer Abuse”, Journal of Information System Security
7(1), 2011, pp. 24–47.
[56] Puhakainen, P., and M. Siponen, “Improving
employees’ compliance through information systems
security training: An action research study”, MIS Quarterly
34(4), 2010, pp. 757–778.
[57] Reichard, R.J., M. Dollwet, and J. Louw-Potgieter,
“Development of Cross-Cultural Psychological Capital and
Its Relationship With Cultural Intelligence and
Ethnocentrism”, Journal of Leadership & Organizational
Studies 21(2), 2014, pp. 150–164.
[58] Sheldon, K.M., and L. King, “Why Positive
Psychology Is Necessary”, American Psychologist 56(3),
2001, pp. 216–217.
[59] Singhal, H., and R. Rastogi, “Psychological capital
and career commitment: the mediating effect of subjective
well-being”, Management Decision 56(2), 2018, pp. 458–473.
[60] Siponen, M., M. Adam Mahmood, and S. Pahnila,
“Employees’ adherence to information security policies:
An exploratory field study”, Information & Management
51(2), 2014, pp. 217–224.
[61] Sommer, S.A., J.M. Howell, and C.N. Hadley,
“Keeping Positive and Building Strength”, Group &
Organization Management 41(2), 2016, pp. 172–202.
[62] Stajkovic, A.D., and F. Luthans, “Self-Efficacy and
Work-Related Performance: A Meta-Analysis”,
Psychological Bulletin 124(2), 1998, pp. 240–261.
[63] Tamjidyamcholo, A., M.S. Bin Baba, H. Tamjid, and
R. Gholipour, “Information security Professional
perceptions of knowledge-sharing intention under self-
efficacy, trust, reciprocity, and shared-language”,
Computers & Education 68, 2013, pp. 223–232.
[64] Thomas, M., “Bullying among support staff in a higher
education institution”, Health Education 105(4), 2005, pp.
273–288.
[65] Tonkin, K., S. Malinen, K. Näswall, and J.C. Kuntz,
“Building employee resilience through wellbeing in
organizations”, Human Resource Development Quarterly
29(2), 2018, pp. 107–124.
[66] Vance, A., M. Siponen, and S. Pahnila, “Motivating IS
security compliance: Insights from Habit and Protection
Motivation Theory”, Information & Management 49(3),
2012, pp. 190–198.
[67] Vogus, T.J., and K.M. Sutcliffe, “Organizational
Resilience: Towards a Theory and Research Agenda”,
International Conference on Systems, Man and Cybernetic,
(2007), 3418–3422.
[68] Wernsing, T., “Psychological Capital: A Test of
Measurement Invariance Across 12 National Cultures”,
Journal of Leadership & Organizational Studies 21(2),
2014, pp. 179–190.
[69] Zajacova, A., S.M. Lynch, and T.J. Espenshade, “Self-
Efficacy, Stress, and Academic Success in College”,
Research in Higher Education 46(6), 2005, pp. 677–706.
[70] Zhu, Y., S. Zhang, and Y. Shen, “Humble Leadership
and Employee Resilience: Exploring the Mediating
Mechanism of Work-Related Promotion Focus and
Perceived Insider Identity”, Frontiers in Psychology
10(673), 2019.
... PsyCap is a psychological resource in the form of a positive psychological state in the process of individual growth and development, which incorporates several important elements of positive psychology: hope, resilience, optimism and self-efficacy (Luthans et al., 2007a). Hope is a positive motivational state characterized by perseverance toward goals (Luthans and Youssef, 2007); resilience describes the ability to use existing resources to overcome challenging situations and to bounce back (Frank and Kohn, 2021); optimism is a characteristic of individuals who "expect things to go their way, and generally believe that good rather than bad things will happen to them" (Scheier and Carver, 1985, p. 219); and self-efficacy means "having the confidence to take on and put in the necessary effort to succeed at challenging tasks" (Luthans et al., 2007b, p. 3). ...
... Based on Chen et al. (2021a), information security fatigue is a reflective second-order sub-construct composed of emotional exhaustion and cynicism, and the measurement scale of each first-order construct included three items. Following Burns et al. (2017) and Frank and Kohn (2021), we characterized PsyCap as a reflective second-order sub-construct consisting of hope, resilience, self-efficacy and optimism, and the measurement scale for each first-order construct was composed of three items. ISP compliance intention was measured with three items adapted from Chen et al. (2021b). ...
... We also verified that information security fatigue is a full mediator in the relationship between SRS and ISP compliance intention. We also confirmed that PsyCap can mitigate SRS, as reported by Frank and Kohn (2021). We further found that PsyCap decreases the SRS by-product of information security fatigue and promotes employees' ISP compliance intention. ...
Article
Purpose This study aims to explore the emotion-based mediator of information security fatigue in the relationship between employees’ information security–related stress (SRS) and information security policy (ISP) compliance intention and the effects of psychological capital (PsyCap) on relieving SRS and promoting compliance. Design/methodology/approach The authors tested a series of hypotheses by applying partial least squares–based structural equation modeling to survey data from 488 employees in Chinese enterprises. Findings The results suggest that the relationship between SRS and ISP compliance intention is fully mediated by information security fatigue. Employees’ SRS promotes their information security fatigue, which reduces their intention to follow ISPs. In addition, employees with high PsyCap may experience low levels of SRS and information security fatigue, which promotes their willingness to comply with ISPs. Originality/value This study extends knowledge by introducing information security fatigue and PsyCap to the field of information security management, and it calls attention to the effects on information security behaviors of employee emotions and positive psychological resources in an organization. The authors reveal the emotion-based mediating effect of information security fatigue and the positive influence of PsyCap in information security management.
... For example, researchers could study how the introduction of passwordless authentication affects technology adoption and user security behavior. With regard to the latter, they could investigate whether digital wallets mitigate security-related stress – a phenomenon that employees often experience when complex security measures are involved (Frank and Kohn 2021). ...
Article
Digital identity and access management (IAM) poses significant challenges for companies. Cyberattacks and resulting data breaches frequently have their root cause in enterprises’ IAM systems. During the COVID-19 pandemic, issues with the remote authentication of employees working from home highlighted the need for better IAM solutions. Using a design science research approach, the paper reviews the requirements for IAM systems from an enterprise perspective and identifies the potential benefits of self-sovereign identity (SSI) – an emerging, passwordless paradigm in identity management that provides end users with cryptographic attestations stored in digital wallet apps. To do so, this paper first conducts a systematic literature review followed by an interview study and categorizes IAM system requirements according to security and compliance, operability, technology, and user aspects. In a second step, it presents an SSI-based prototype for IAM, whose suitability for addressing IAM challenges was assessed by twelve domain experts. The results suggest that the SSI-based authentication of employees can address requirements in each of the four IAM requirement categories. SSI can specifically improve manageability and usability aspects and help implement acknowledged best practices such as the principle of least privilege. Nonetheless, the findings also reveal that SSI is not a silver bullet for all of the challenges that today’s complex IAM systems face.
... by Bermes et al. (2021) and Kisekka et al. (2015) • Organizational resilience scale (Park et al., 2015) adapted by Chatterjee et al. (2021) • Employee resilience scale (Näswall et al., 2015) adapted by Frank & Kohn (2021) and Kohn (2020) • IT resilience scale (Klesel et al., 2018) adapted by Bermes et al. (2021) • Supply chain resilience scale (Brandon-Jones et al., 2014) adapted by Mandal (2016) • Connor-Davidson resilience scale (Connor & Davidson, 2003) used by Westmattelmann et al. (2021) • Resilience scale (Stephens et al., 2013) used by Wang et al. (2019) ...
Conference Paper
Building a digital resilience (i.e., capabilities to design, deploy and use information systems (IS) to adjust to changes caused by external shocks) may prepare individuals, organizations and other institutions for future disruptions caused by global crises. To be able to monitor the emergence and development of digital resilience, one needs to be able to measure it. Currently, there is no consensus in IS literature on how to conceptualize or operationalize resilience. By conducting a systematic literature review, we identify traditional and innovative operationalization approaches. We find scale-based quantitative methods to be most prominent, followed by qualitative analyses of resilience indicators through interviews and case studies. We identify advantages and limitations of each approach and encourage authors to move beyond the boundaries of traditional methods and incorporate innovative approaches – some of which we present in this paper – to operationalize digital resilience in a tailored, context-specific way. Challenges and opportunities are discussed.
... Many employees today feel overloaded with expectations about how they should behave to secure corporate IT and data [12,35]. The bigger an organization grows, the larger the risk that different departments have their own very specific requirements for employees: CISOs might try to implement the latest fancy tooling, without consolidating those who need to adapt to it [8]. ...
Conference Paper
Security awareness is big business – virtually every organization in the Western world provides some form of awareness or training, mostly bought from external vendors. However, studies and industry reports show that these programs have little to no effect in terms of changing the security behavior of employees. We explain the conditions that enable behavior change, and identify one significant blocker in the implementation phase: not disabling existing (insecure) routines – failure to take out the trash – prevents embedding of new (secure) routines. Organizational Psychology offers the paradigm Intentional Forgetting (IF) and associated tools for replacing old (insecure) behaviors with new (secure) ones by identifying and eliminating different cues (sensoric, routine-based, time and space based as well as situational strength cues) that trigger old behavior. We introduce the underlying theory, examples of successful application in safety contexts, and show how its application leads to effective behavior change by reducing the information that needs to be transmitted to employees, and suppressing obsolete routines.
Article
Purpose With increased remote working, employers are concerned with employees’ commitment and compliance with security procedures. Through the lens of psychological capital, this study aims to investigate whether strong organizational values can improve employees’ commitment to the organization and security behaviors. Design/methodology/approach Using Qualtrics platform, the authors conducted an online survey. The survey participants are college-educated, full-time employees. The authors used structural equation modeling to analyze 289 responses. Findings The results indicate perceived importance of organizational values is associated with increased organizational commitment and information security behavior. The authors find that psychological capital partially mediates these relations suggesting that employees’ psychological capital effectively directs employees toward an affinity for the organization and information security behavior. The results highlight the importance of organizational values for improving security behavior and organizational commitment. Second, the results suggest that psychological capital is an effective mechanism for this influence. Finally, the authors find that individual differences (gender, organizational level and education) are boundary conditions on their findings, providing a nuanced view of their results and offering opportunities for further investigation. Originality/value To the best of the authors’ knowledge, this study is the first to explore organizational values in relation to information security behaviors. In addition, this study investigates the underlying mechanism of this relationship by showing psychological capital’s mediating role in this relationship. Therefore, the authors suggest organizations create a supportive environment that appreciates innovation, quality services, diversity and collaboration. 
Furthermore, organizations should communicate the importance of these values to their employees to motivate them to have a stronger affective commitment and a more careful set of security behaviors.
Chapter
With the rapid expansion of the Internet alongside the adoption of Digital Transformation (DX), the number of information security incidents has increased and diversified. Incidents of information leakage and loss have particularly increased, and internal fraud and inattention (i.e., human psychological risk) are attracting attention as causes of these incidents. In this paper, we focus on the psychological aspects of internal fraud and propose the appropriate risk countermeasures. We first extracted 50 security incidents involving internal fraud over the past ten years and then identified the “factors behind” them using “five whys”. We then classified these factors on the basis of the fraud triangle theory and other factors and came up with 12 common factors. Finally, we proposed various risk countermeasures such as “mutual inter-checking” and investigated their effectiveness through qualitative evaluation. Our findings contribute to the reduction of information security incidents caused by psychological factors.
Conference Paper
Resilient employees thrive in challenging situations and adapt well to changing environmental demands. Founded in theories of positive psychology, the concept of resilience has never been adapted to the information security context. We are the first to develop and test a security-specific resilience construct. We contribute to the existing literature on information security behavior by analyzing its relationship with ego-resilience and proposing digital security resilience as a mediator. Results of a first empirical study (n=137) show that employees with high digital security resilience perform significantly better in securing and updating devices, generating passwords, and demonstrating a proactive awareness. Ego-resilience only impacts security behavior when mediated by digital security resilience. Our findings underline the importance of taking a differentiated look at resilience in information security and incorporating resilience training in organizations. Theoretical and managerial implications are discussed and future work is suggested.
Article
Although the topic of employee resilience has recently received increased attention, existing research has largely failed to explore its situational triggers. Drawing on social information processing theory, the current study integrates the literature of humility and resilience to theorize the underlying mechanism through which humble leadership facilitates employee resilience. This research proposes a potential heterogeneous effect that humble leadership catalyzes employee resilience through multiple pathways. Field (N = 434) and experimental studies (N = 104) conducted in Mainland China support hypotheses that humble leadership enhances employee resilience through simultaneous increases in work-related promotion focus and perceived insider identity. Research implications are discussed, and directions for future research are offered.
Conference Paper
Modern technologies such as mobile phones and wearables are increasingly embedded in our daily life which makes detachment almost impossible. Therefore, understanding personal characteristics that allow individuals to buffer negative effects is an important tool to reduce negative consequences of technology use. Extant literature on technostress provides initial insights into how individuals are able to handle stressors. However, important constructs have not yet been investigated. We contribute to existing literature on technostress by proposing IT resilience as a new construct that can be considered a coping mechanism for technostress. We present the results of an explorative factor analysis (n=80), which suggest that IT resilience is a multi-dimensional construct with three sub dimensions: bounce back, self-efficacy, and coping. We conclude with a discussion on how to include IT resilience in theory development and human centric design.
Article
The notion that the human user is the weakest link in information security has been strongly, and, we argue, rightly contested in recent years. Here, we take a step further showing that the human user can, in fact, be the strongest link for detecting attacks that involve deception, such as application masquerading, spearphishing, WiFi evil twin and other types of semantic social engineering. Towards this direction, we have developed a human-as-a-security-sensor framework and a practical implementation in the form of Cogni-Sense, a Microsoft Windows prototype application, designed to allow and encourage users to actively detect and report semantic social engineering attacks against them. Experimental evaluation with 26 users of different profiles running Cogni-Sense on their personal computers for a period of 45 days has shown that human sensors can consistently outperform technical security systems. Making use of a machine learning based approach, we also show that the reliability of each report, and consequently the performance of each human sensor, can be predicted in a meaningful and practical manner. In an organisation that employs a human-as-a-security-sensor implementation, such as Cogni-Sense, an attack is considered to have been detected if at least one user has reported it. In our evaluation, a small organisation consisting only of the 26 participants of the experiment would have exhibited a missed detection rate below 10%, down from 81% if only technical security systems had been used. The results strongly point towards the need to actively involve the user not only in prevention through cyber hygiene and user-centric security design, but also in active cyber threat detection and reporting.
Article
Purpose: The purpose of this paper is to discover the role of psychological capital (PsyCap) as a predictor of subjective well-being (SWB) and career commitment (CC). Further, it aims to analyze the mediating role of SWB in the relationship between PsyCap and CC in the Indian manufacturing sector. Design/methodology/approach: A quantitative survey-based research design employing data from 300 employees in the National Capital Region (NCR) of India was used in the present research. Findings: The results demonstrated that PsyCap acted as a predictor for SWB and CC. Additionally, SWB partially mediated the relationship between PsyCap and CC. Research limitations/implications: The limitations of the present research would have to do with the purposive sample set chosen during the data collection. The sample consisted of middle- and upper-middle-class Indian employees working in the NCR having knowledge of English language and computer skills. Perhaps, future research works should take into account a wider sample in terms of the regions across India and not only the NCR. Although the findings showed that SWB reduced the relationship between PsyCap and CC, still that relationship was significant statistically. Further research studies might also explore various moderators while simultaneously studying SWB. In the research, SWB acted as a significant mediator of the relation between PsyCap and CC, yet at the same time, it may be the scenario that employees who are committed toward their career would be more inclined to espouse a greater sense of SWB (i.e. mediator is caused by the outcome). Hence, the authors duly recognize the need to test this substitute model. Since SWB places chief emphasis on respondents’ own experiences and perspectives, it does not denote a consummate understanding of their mental health, as people may have psychological disorders even if they experience happiness. Hence, the use of other measures in addition to SWB in comprehending a person’s psychological health is desirable (Diener et al., 1997). Practical implications: This study suggests that in order for organizations to have a workforce committed to their career and hence, their profession, the supervisors will need to train the employees having a higher incidence of PsyCap to increase their SWB. Consequently, the supervisors will, in turn, need to recruit employees already having the four dimensions of PsyCap, i.e. hope, efficacy, resilience and optimism at the workplace in order for them to have a higher life satisfaction, positive affect, reduced negative affect (three components of SWB) and increased CC. Social implications: Employees who develop within themselves a state of being hopeful, efficacious, resilient and optimistic will also be strongly oriented toward having greater life satisfaction, positive affect and lower levels of negative affect. This, in part, would help them achieve the required commitment toward their career and hence, help them in sticking with their jobs. Originality/value: The present study advances the existing work on positive organizational behavior by exhibiting the noteworthy role of PsyCap in predicting SWB and CC. Further, it helps in demonstrating the inevitable role of SWB in partially mediating the relationship between PsyCap and CC.
Article
We conceptualized security-related stress (SRS) and proposed a theoretical model linking SRS, discrete emotions, coping response, and information security policy (ISP) compliance. We used an experience sampling design, wherein 138 professionals completed surveys. We observed that SRS had a positive association with frustration and fatigue, and these negative emotions were associated with neutralization of ISP violations. Additionally, frustration and fatigue make employees more likely to follow through on their rationalizations of ISP violations by decreased ISP compliance. Our findings provide evidence that neutralization is not a completely stable phenomenon but can vary within individuals from one time point to another.
Article
Purpose: The aim of this study was to investigate the relationship between resilience, job stress and Information Security Awareness (ISA). The study examined the effect of resilience and job stress on the three components that comprise ISA, namely knowledge, attitude and behaviour. Design/methodology/approach: A total of 1,048 working Australians completed an online questionnaire. ISA was measured with the Human Aspects of Information Security Questionnaire (HAIS-Q). Participants also completed the Brief Resilience Scale and the Job Stress Scale. Findings: It was found that participants with greater resilience also had higher ISA and experienced lower levels of job stress. More specifically, individuals who reported higher levels of resilience had significantly better knowledge, attitude and behaviour. Similarly, participants who reported lower levels of job stress also reported significantly better knowledge, attitude and behaviour. Resilience plays an important mediating role in the relationship between job stress and ISA. This means that even if people have high levels of job stress, if they are better able to cope with or adapt to stress (i.e., have higher resilience) they are less likely to have lower ISA. Results of this study add to the body of literature emphasising the positive effects of resilience, and suggest that resilience is associated with improved ISA and therefore, more secure behaviour. Research limitations/implications: Future research should focus on assessing the influence of resilience training in the workplace. Originality/value: Given the constructive findings, it may be valuable to focus on the effect of organisational culture, and organisational security culture, on resilience, job stress and ISA.
Article
This study examined whether employees' security-related stress, i.e., technostress and role stress, in an organizational setting could affect their compliance intention regarding information security. In a survey of 346 employees, it was found that security-related technostress creators in organizations negatively affected employees' organizational commitment, both directly and indirectly through role stress, and further lowered compliance intention regarding information security. In addition, it was found that employees' regulatory focus, i.e., promotion focus, moderated the relationship between technostress creators and role stress. Employees with a high level of promotion focus were more resistant to the adverse effect of technostress creators and thus experienced less role stress. These results suggest directions for organizational strategies to manage and enhance employees' information security compliance.
Article
Recently, researchers have begun using online labor markets to recruit participants for experimental studies examining the judgments and decisions of nonprofessional investors. This study investigates the quality and generalizability of data collected from these sources by replicating an experimental task from Elliott, Hodge, Kennedy, and Pronk (2007) using nonprofessional investor participants from two popular online labor markets—Amazon's Mechanical Turk (MTurk) and Qualtrics Online Sample (Qualtrics). Compared to Qualtrics participants, we find that MTurk participants pay greater attention to the experimental materials and better acquire and recall information. Further, the MTurk sample more closely replicates EHKP's investment club member results on measures of information integration than does the Qualtrics sample. These results provide some evidence that many interesting research questions can be satisfactorily answered using nonprofessional investor participants from MTurk. We believe further investigation is needed before Qualtrics can be endorsed as a high-quality source of nonprofessional investor participants.
Article
The resilience of employees has been recently identified as essential to organizational adaptability in uncertain and dynamic business environments. Yet little is known about how the resilience of employees can be developed. The present study investigated the effect of a wellbeing intervention on two forms of individual resilience: employees' stress-coping ability (personal resilience) and resilient workplace behaviors (employee resilience). All participants (n = 209) completed an online wellbeing and resilience survey, and a subset of 145 participants took part in a workplace wellbeing intervention for a period of one month, followed by a second survey. The results indicated that personal and employee resilience are two related, but distinct, constructs. Further, following the wellbeing intervention, personal resilience remained stable, but small increases were noted in levels of employee resilience and aspects of wellbeing. Theoretical and practical implications of this research to employee resilience development are discussed.