Understanding employee non-malicious intentional and unintentional information security misbehaviors

Abstract

Digitization has given rise to information system security (ISS) risks since the adoption of new technologies (e.g., IoT and multi-cloud environments) has increased vulnerabilities to ISS threats. The behavioral ISS literature depicts employees within organizations (insiders) as a major information security threat. Previous research extensively investigated insiders' intentional ISS misbehaviors. However, a growing number of security incidents by non-malicious insiders implies that potential factors influencing employees' non-compliance behaviors with information security policies (ISPs) are yet to be addressed. To this end, we conduct four (four essays) to understand why employees violate ISPs. Two studies investigate factors that lead to non-malicious intentional ISP violations. The other two studies explore how and why non-malicious unintentional ISP violations occur. Drawing on the person-technology fit model, essay 1 investigates how employees' interaction with information technology (IT) increases ISS vulnerabilities. This essay sheds light on the impact of one understudied aspect of IT use- technostress, on employees' non-malicious ISP violation intentions. Essay 2 relies on organizational role theory and explains stress resulting from role expectations, including intra-role activities (e.g., job tasks) and extra-role activities (e.g., ISS requirements) could cause ISP non-compliance behaviors. To distinguish non-malicious intentional insiders from unintentional insiders, Essay 3 employs the dual-system theory to describe the mechanism of employees' decision-making process to comply (or not comply) with ISPs and aims to investigate the impact of some personality traits like risk-taking behaviors, impulsivity, and curiosity on employees' ISS misbehaviors. Finally, to explore unknown factors influencing non-compliance behaviors with ISPs (e.g., individual, organizational), essay 4 proposes an in-depth qualitative approach to distinguish non-malicious intentional and unintentional ISS misbehaviors and identify potential causes rooted in each type of misbehavior. Overall, the dissertation highlights the importance of individual differences in perceptions of technostress, role stress, and personality traits. Moreover, it differentiates the nature of ISP violations based on the intents of employees and challenges the existing knowledge and theoretical frameworks regarding insiders' information security behaviors at the workplace. In doing so, proposed theoretical models are assessed empirically by utilizing data (both interviews and online surveys) from a sample of employees from different organizations.