Security monitoring and information security assurance behaviour among employees: An empirical analysis

Zauwiyah Ahmad (Faculty of Business, Multimedia University, Melaka, Malaysia)
Thian Song Ong (Faculty of Information Science and Technology, Multimedia University, Melaka, Malaysia)
Tze Hui Liew (Faculty of Information Science and Technology, Multimedia University, Melaka, Malaysia)
Mariati Norhashim (Faculty of Management, Multimedia University, Cyberjaya, Malaysia)

Information and Computer Security

ISSN: 2056-4961

Publication date: 12 June 2019

Abstract

Purpose

The purpose of this research is to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour. Security assurance behaviour represents employees’ intentional and effortful actions aimed towards protecting information systems. The behaviour is highly desired as it tackles the human factor within the information security framework. The authors posited that security assurance behaviour is a learned behaviour that can be enhanced by the implementation of information security monitoring.

Design/methodology/approach

The theoretical framework underlying this study comprises six constructs, namely, subjective norm, outcome expectation, information security monitoring, information security policy, self-efficacy and perceived inconvenience, which were identified as significant in determining employees’ security assurance behaviour (SAB). The influence of these constructs on SAB could be explained by social cognitive theory and is empirically supported by past studies. An online questionnaire survey was adopted as the main research instrument to elicit information on the six constructs tested in this study. Opinions from industry and academic expert panels on the relevance and face validity of the questionnaire were obtained prior to the survey administration.

Findings

Findings from this research indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy. This study also demonstrates that employees tend to abandon security behaviour when the behaviour is perceived as inconvenient. Hence, organisations must find ways to reduce the perceived inconvenience using various security automation methods and specialised security training. Reducing perceived inconvenience is a challenge to information security practitioners.

Research limitations/implications

There are some limitations in the existing work that could be addressed in future studies. One of them is the possible social desirability bias due to the self-reported measure adopted in the study. Even though the authors have made every effort possible to collect representative responses via anonymous survey, it is still possible that the respondents may not reveal true behaviour as good conduct is generally desired. This may lead to a bias towards favourable behaviour.

Practical implications

In general, the present research provides a number of significant insights and valuable information related to security assurance behaviour among employees. The major findings could assist security experts and organisations to develop better strategies and policies for information security protection. Findings of this research also indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy.

Social implications

In this research, the social cognitive learning theory is used to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour; the finding implies that monitoring emphasises expected behaviours and helps to reinforce organisational norms. Monitoring may also accelerate learning when employees become strongly mindful of their behaviours. Hence, it is important for organisations to communicate the monitoring practices implemented, and this is even more imperative whenever the security monitoring employed is unobtrusive in nature. Nonetheless, care must be taken in this communication to avoid resentment and mistrust among employees.

Originality/value

This study is significant in a number of ways. First, this study highlights significant antecedents of security assurance behaviour, which helps organisations to assess their current practices, which may nurture or suppress information security. Second, using users’ perspective, this study provides recommendations pertaining to monitoring as a form of information security measure. Third, this study provides theoretical contribution to the existing information security literature via the application of the social cognitive learning theory.

Citation

Ahmad, Z., Ong, T.S., Liew, T.H. and Norhashim, M. (2019), "Security monitoring and information security assurance behaviour among employees: An empirical analysis", Information and Computer Security, Vol. 27 No. 2, pp. 165-188. https://doi.org/10.1108/ICS-10-2017-0073

Publisher: Emerald Publishing Limited

Copyright © 2019, Emerald Publishing Limited


1. Introduction

Information security is a prevalent issue among security experts and organisations. As much as a technological issue, information security is also a behavioural one. Past studies have reported that almost half of security incidents occurred from within the organisation, rather than caused by external hackers (Crossler et al., 2013; D’Arcy and Greene, 2014). PricewaterhouseCoopers (2017) reported that current employees remain the top source of security incidents, with 30 per cent of such incidents caused by current employees. Another report revealed that 64 per cent of data breaches were due to employees’ behaviour and system glitches (Kennedy, 2016). A survey by Kaspersky Lab (2017) showed that 59 per cent of information security incidents were caused by careless or uninformed employee actions. These findings indicate that the behavioural aspect of information security should be given more attention by organisations and researchers.

Guo (2013) conceptualised four categories of security-related behaviours, namely, security assurance behaviour (SAB), security compliant behaviour, security risk-taking behaviour and security damaging behaviour. The author described SAB as “… the most desirable behaviour from the IS security management perspective (p. 248)”. SAB represents employees’ intentional and effortful actions that are aimed towards protecting information systems, for instance, using strong passwords for computer access, performing data back-up regularly and checking the recipients list prior to sending out emails. Chen and Li (2017) relate assurance behaviour to actions that protect or defend information security. In Parsons et al. (2014) and Parsons et al. (2017), the behaviour was referred to as security aware behaviour. In Boss et al. (2015), the term protective security behaviour was used. Earlier studies, specifically Yoon et al. (2012) and Vance et al. (2014), used a more general term of information security behaviour. As the contents of information security policies often vary and may be inadequate (Doherty et al., 2009), SAB extends beyond those specified in organisations’ information security policy. We chose the term SAB in order to differentiate this study from other studies that examine employees’ compliance with information security policies (ISPs) implemented by organisations. The term is also in line with the categorisation by Guo (2013). As such, we theorised that SAB is a learned behaviour that can be improved if the human factor is properly addressed by organisations.

The human factor within the information security framework is mostly concerned with user behaviours. Alhogail (2015) highlighted four domains of the human factor in relation to information security, namely:

  1. preparedness (awareness and competency aspects);

  2. responsibility (monitoring and control aspects);

  3. management (policies and practices aspects); and

  4. society and regulation (social, cultural and regulation aspects).

Past studies have examined the preparedness domain in terms of security awareness and training (D’Arcy et al., 2009; Jenkins et al., 2013; da Veiga and Martins, 2014), and the management domain in terms of information system security policy compliance (Guo et al., 2011; Aurigemma, 2013; Cheng et al., 2013; Siponen et al., 2014; Ifinedo, 2014). The responsibility domain and the society and regulation domain have received less attention among researchers. While the society and regulation domain is significant, we focus this study on the responsibility domain since the aspects within this domain are closer to, and more controllable by, organisations.

Within the responsibility domain, past studies have examined sanctions (Hu et al., 2012; Cheng et al., 2013) and rewards (Hu et al., 2012; Posey et al., 2015) as a means of controlling employees’ behaviour pertaining to information security and ensuring policy compliance. The monitoring aspect, thus far, has escaped researchers’ scrutiny. The existing literature on monitoring, in general, is more concentrated on the issues of employees’ privacy (Oz et al., 1999; Snyder, 2010; Chory et al., 2016); attitudinal reaction and perceptions (Alder, 2001; Spitzmüller and Stanton, 2006; Alder et al., 2008; Workman, 2009; Paczkowski and Kuruzovich, 2016); theft and productivity (Lamar et al., 2013); and job satisfaction (Chalykoff and Kochan, 1989; Samaranayake and Gamage, 2012). These studies have documented that monitoring could be detrimental as much as it is beneficial to organisations.

The literature on behavioural studies is more concentrated on employees’ compliance with information security policies implemented by organisations, with the aim of determining factors that would boost employees’ compliance with organisations’ information security policies, such as rewards and punishment (Moody et al., 2018; Chen et al., 2012; Herath and Rao, 2009), information security policy awareness, compliance cost and benefits (Bulgurcu et al., 2010), awareness (Chul et al., 2018; Bélanger et al., 2017; Tsohou et al., 2015), culture (da Veiga and Martins, 2015), attitude (Safa et al., 2016) and norms (Yazdanmehr and Wang, 2016). Thus far, research on the influence of information security monitoring on employees’ information security behaviour is still lacking. Limited studies have linked information security and employee monitoring. Thus far, three studies have examined the impact of employee monitoring on information system misuse (D’Arcy et al., 2009; Trinkle et al., 2014; Deranek et al., 2015), indicating the need for more studies in this area.

Paired with other social learning factors within the organisation, we postulated that information security monitoring enhances SAB among employees. Security monitoring, in the context of this study, refers to the measures taken by organisations to observe employees’ behaviours when using information facilities of the organisation. This study therefore aims to enrich the information security literature by examining the influence of information security monitoring on employees’ SAB. This study is significant in a number of ways. First, this study highlights significant antecedents of SAB, which helps organisations to assess their current practices which may nurture or suppress information security. Second, using users’ perspective, this study provides recommendations pertaining to monitoring as a form of information security measure. Third, this study provides theoretical contribution to the existing information security literature via the application of the social cognitive learning theory (SCT). By focusing on employees’ perceptions and behaviours, we aim to extend prior works and provide new insights on the impact of security measures on employees who are the end-users in general. The next section deliberates on employee monitoring as a control measure, followed by a discussion on the theoretical foundation underlying this study. This paper also presents the research methodology, data validation and analysis, and finally discussions and conclusions.

2. Literature review

Information security monitoring is implemented primarily to protect information, guard against theft, and maintain corporate records (Hoffman et al., 2003; Samaranayake and Gamage, 2012). Such monitoring is also employed by organisations for compliance purposes, and to detect information system misuse (D’Arcy et al., 2009). Examples of information security monitoring include logging network activities, tracing employees’ internet use, performing security audits and reviewing employees’ email contents. Although the management felt that monitoring employees was their right, advocates of civil rights and labour leaders argued that the practice impaired employees’ dignity and privacy (Oz et al., 1999) and hence may discourage positive behaviours.

The trend of information security monitoring at the workplace is increasing. In the early 21st century, security monitoring was already in place although not widespread. In the USA, White and Pearson (2001) reported less than 40 per cent of companies surveyed monitored their employees’ computer activities such as monitoring downloads of pirated software (38 per cent), non-work-related surfing and downloads (17 per cent) and emails (21 per cent). In the UK, Watson (2002) conveyed that less than 65 per cent of consulting firms surveyed monitored their employees’ emails, out of which, only 28.6 per cent examined email contents. According to Hoffman et al. (2003), 90 per cent of companies surveyed monitored their employees’ online activities at work. Information security monitoring has significantly increased in terms of prevalence and methods of monitoring, mainly due to technological sophistication (Workman, 2009).

Despite the widespread security monitoring among employers in recent times, employees seemed unaware of the practice. In 2016, only 8 per cent of the employees surveyed by ObserveIT (2016) reported that they were aware that some form of information security monitoring was implemented by their organisations. The implementation of security monitoring, if any, was ad hoc in nature using manual or home-grown systems, with focus on privileged users. Hence, the employees believed that security monitoring was unable to detect risky user behaviours. The unawareness among employees could be due to technological advancements that allow monitoring devices and applications to blend into the workplace environment and become unobtrusive (Workman, 2009). Electronic monitoring is one of the unobtrusive monitoring methods (Wells et al., 2007), making it one of the more researched themes in the context of employees’ monitoring.

Empirical research on security monitoring appears to expand at a slower rate than the relevant technological advancement. These studies could be categorised into two main streams. The first stream of research is concerned with examining employees’ attitude towards security monitoring, with the main aim of finding ways to enhance employees’ acceptance. Empirical studies have shown that employees were inclined to resist security monitoring (Spitzmüller and Stanton, 2006). Oz et al. (1999) found that employees who were not used to being monitored objected to the practice more than those who were used to being monitored. In Holland et al. (2015), it was found that 50 per cent of Australian employees surveyed were against e-mail monitoring, 60 per cent against telephone monitoring, and 56 per cent against video surveillance. The authors concluded that extensive monitoring can generate negativity between employees and the management due to diminished trust between both parties.

Those who opposed security monitoring argued that monitoring could impair morale and increase mistrust among employees (Watson, 2002), cause tension between managers and workers (Oz et al., 1999; Lee and Kleiner, 2003; Smith and Tabak, 2009; Snyder, 2010), increase stress and reduce productivity (Alder, 2001; Lee and Kleiner, 2003; Smith and Tabak, 2009). These studies indicate that security monitoring could be detrimental to organisations, especially when employees were resentful towards the practice and mistrust the organisation. Nonetheless, it has also been reported that supporters believed monitoring could improve quality of service and encourage objective performance appraisal and feedback (Alder, 2001). Security monitoring was also viewed as a protection from litigation and prevents unauthorised distribution of sensitive materials (Watson, 2002). The general conclusion derived from these studies is that employees’ acceptance of security monitoring could be enhanced via proper communication about the purpose of security monitoring and management’s assurance of employees’ privacy.

As security monitoring became more prevalent, especially via electronic means, studies on the impact of monitoring on work-related variables gradually emerged. These studies form the second stream of security monitoring research. Wells et al. (2007) and Samaranayake and Gamage (2012) found that employees’ job satisfaction was influenced by their attitude towards security monitoring, whenever monitoring was implemented. Positive attitude towards monitoring seemed to increase job satisfaction. Dissatisfaction occurred when monitoring was linked to negative outcomes such as increased work complexity. In another study, it has been found that awareness of security monitoring contributed positively to organisation’s security culture (Yan et al., 2015).

Studies that investigate the effectiveness of security monitoring in modifying behaviours and ensuring information protection are still very scarce. Existing studies include D’Arcy et al. (2009), Zoghbi-Manrique-de-Lara (2011), Trinkle et al. (2014), Bhave (2014), Deranek et al. (2015), and Pierce et al. (2015). D’Arcy et al. (2009) found that monitoring deterred information system misuse. The authors argued that monitoring prevented misbehaviour by increasing employees’ perception that misbehaviour will be detected. Similarly, Zoghbi-Manrique-de-Lara (2011) found that monitoring could influence employees’ deviance by increasing perceptions of procedural justice. In 2014, Trinkle et al. found that monitoring practices reduced employees’ likelihood of playing online social networking games on office computers, especially in the absence of a social networking policy. This result was obtained from an experimental study involving a sample of white-collar employees. Comparable results were also found in Deranek et al. (2015), although the sample used was undergraduate students. Monitoring has also been found to reduce theft and improved productivity in Pierce et al. (2015). Nonetheless, Bhave (2014) found that monitoring did not reduce misbehaviour although the practice seemed to improve employees’ good behaviour and performance.

The literature review has uncovered that research focusing on information security monitoring and its influence on employees’ behaviour is still in its infancy, although the supporting technology has become more sophisticated. This forms the main gap within the existing literature. Past studies did not specifically examine the influence of monitoring on employees’ SAB. Instead, the focus is more towards general information system misuse (D’Arcy et al., 2009; Trinkle et al., 2014; Deranek et al., 2015), performance (Bhave, 2014) and theft and productivity (Pierce et al., 2015). These studies also did not extensively discuss the proposed relationships from the theoretical perspective. In this research, we believe that security monitoring could be an effective mechanism to promote SAB, as much as a means to deter misbehaviour. Effective user monitoring would lessen the risk of over-reliance on the existing security mechanism such as a password system. The next section deliberates the underlying theory, with an attempt to identify the determinants of SAB and the influence of security monitoring.

3. Theoretical framework and hypothesis formulation

The main interest of this study is SAB, a desired behaviour whereby employees consciously take the necessary efforts to protect information systems (Guo, 2013). We posited that SAB is a learned behaviour, conditioned by the workplace environment. This environment is shaped by various factors, including information security monitoring. The learning process that takes place in organisations is well explained by the SCT. SCT suggests that individuals’ behaviour is influenced by environmental conditions as well as personal attributes (Bandura, 1977; Manz and Sims, 1980; Bandura, 1986; Holtbrügge et al., 2015). According to the theory, learning occurs as individuals directly experience association and reinforcement with the environment. Behaviour is influenced by the interaction between three main determinants, namely, behavioural factor, cognition factor and environment factor. The theory has been widely accepted for predicting behaviour and identifying methods of modifying or changing behaviours, even within the information system research (Qin et al., 2011). Wang and Lin (2012) opined that SCT has proven helpful for understanding people’s use of computer technologies, other than explaining academic and work performance.

We have constructed the theoretical framework underlying this study as depicted in Figure 1. Six constructs were identified as significant in determining employees’ SAB, according to the elements within SCT, specifically, behaviour (self-efficacy), cognition (outcome expectation, perceived inconvenience) and environment (subjective norms, information security monitoring, information security policy). The next subsections deliberate on these constructs and the available supports.

3.1 Subjective norm

Within a shared environment, such as the workplace, vicarious learning takes place when an individual observes significant others’ behaviour and the consequences resulting from the behaviour (Bandura, 1986; Bommer et al., 2003). The significant others within the environment are the role models of acceptable behaviours. The work environment determines the standards of behaviour that each employee must follow in order to be part of the work unit. Deviations from the norms will result in misfits and cast offs. Within the work environment, SCT explains the socialisation of employees whereby employees learn the acceptable behaviours through observation and experience.

Significant members of the work unit form a referent group that creates the social pressures for or against one’s behaviour. The perception of this social pressure is termed subjective norm (Ajzen, 1991). Fogarty and Dirsmith (2001) asserted that members of the work unit behave in accordance with the norms to fit with the unit and the organisation and finally to advance in their careers. Previous researchers have argued that subjective norm significantly affects information security-related behaviours, including information systems security policy compliance (Hu et al., 2012; Ifinedo, 2014) and violations (Cheng et al., 2013), information security care behaviour (Safa et al., 2015), misuse of information systems resources (Chu et al., 2015), and social networking security setting (Foltz et al., 2016), among others. In view of these findings, the following hypothesis was thus constructed:

H1. Subjective norm has significant influence on SAB.

3.2 Outcome expectation

Within the work environment, employees evaluate the significant others’ behaviour and the consequences of the behaviour using their own personal standards. Based on this observation, employees form an expectation relevant to the behaviour (Bandura, 1986; Gibson, 2004). We termed this expectation as the outcome expectation. Outcome expectation, an important element of SCT, functions as the expectation that a given outcome is caused by a particular behaviour (McAlister et al., 2008). Outcome expectation has been used to predict a wide range of behaviours, including posting in social media (Yen, 2016), career choice (Domene, 2012), and innovative behaviour (Yuan and Woodman, 2010; Jose and Babu, 2012), among others.

Subjective norm shapes the outcome expectation (Bandura, 1986; Bommer et al., 2003). The value placed on SAB by the significant others affects individual’s assessment of the consequences of the behaviour. Conformance with the norm is linked with positive outcome expectation such as social acceptance and deviations will result in negative consequences such as condemnation and disapproval. SCT posits that people are more likely to adopt a behaviour that is perceived to result in positive outcomes (Bandura, 1986; Gibson, 2004). It is therefore postulated that outcome expectation exudes similar impact on SAB. The hypotheses relevant to outcome expectation are as follows:

H2. Subjective norm has significant influence on outcome expectation.

H3. Outcome expectation has significant influence on SAB.

3.3 Information security monitoring

SCT suggests that environmental conditions influence employees’ behaviour (Bandura, 1977; Manz and Sims, 1980; Bandura, 1986; Holtbrügge et al., 2015). One of the elements that determine environmental conditions in organisations is information security monitoring. In general, monitoring restricts employees’ actions and the information they can access (Jeske and Santuzzi, 2015) and consequently, influences behaviour. Existing studies have shown positive influence of security monitoring on employees’ behaviour, including deterring information system misuse (D’Arcy et al., 2009) and influencing deviant behaviours (Zoghbi-Manrique-de-Lara, 2011; Trinkle et al., 2014; Pierce et al., 2015). Based on these findings, it is expected that information security monitoring will affect SAB. We postulated that employees who are being monitored would be more conscious and exhibit higher care behaviour in order to avoid possible negative consequences or to portray themselves in a good light. Moreover, information security monitoring helps to clarify management’s expectations in terms of information security behaviour and indicates the importance placed on ensuring information security. The following hypothesis was thus constructed:

H4. Information security monitoring has significant influence on SAB.

3.4 Self-efficacy

Past studies have deliberated self-efficacy in relation to social cognition and behaviour (Harrison et al., 1997; McCormick and Martinko, 2004; Wang et al., 2015). Self-efficacy is one’s judgement on his/her ability to perform certain behaviour or task (Bandura, 1997, 1982, 1986) and has been found to influence various information security-related behaviours (Qin et al., 2011). Burr and Cordery (2001) noted numerous studies that have shown positive relationship between high levels of self-efficacy and performance across various settings and occupations. Individuals tend to regulate their behaviour, efforts and persistence according to the perceived self-efficacy. Self-efficacy increases the probability of employees selecting adaptive behaviours in the face of information security threats (Cheolho et al., 2012) and significantly determines their coping behaviour (Kandemir et al., 2014; Kokkinos et al., 2015). We thus posited that employees’ information security self-efficacy elicits proactive behaviour in protecting organisation’s information assets, which is reflected in the SAB. The following hypothesis was constructed accordingly:

H5. Information security self-efficacy has significant influence on SAB.

3.5 Information security policy

Policies influence organisational environment (Anderson and West, 1998) and assist employee adaptation. Organisations mainly depend on security policies and guidelines to guide and control employees’ behaviours (Bulgurcu et al., 2010; Chen et al., 2012; Lowry and Moody, 2015). Several studies have found significant influence of information security policy on employees’ attitude and perceptions, including Bulgurcu et al. (2010), Guo et al. (2011) and Han et al. (2017), among others.

We postulated that information security policy influences employees’ information security self-efficacy and the outcome expectation. The influence is believed to stem from two aspects. First, information security policy spells out the rules and policies related to the access, use, and responsibilities related to organisation’s information assets (Yazdanmehr and Wang, 2016). Thus, a properly communicated information security policy is expected to enhance employees’ information security self-efficacy. Employees who are well aware of the policy should have the self-confidence (self-efficacy) in dealing with information security incidents. Second, information security policy signals management’s expectations and consequences of employees’ behaviour. The consequences of policy violations are typically specified in the policy (Yazdanmehr and Wang, 2016). This helps employees to assess the effects of their behaviour and form the outcome expectation. The relevant hypotheses are as below:

H6. Information security policy has significant influence on information security self-efficacy.

H7. Information security policy has significant influence on outcome expectation.

3.6 Perceived inconvenience

Within the SCT framework, researchers have linked behaviours to individual’s perceptions (Wright, 2001; McCormick and Martinko, 2004; Bozionelos et al., 2015; Consiglio et al., 2016; Mejia-Smith and Gushue, 2017). We predicted that the perceived inconvenience of ensuring information security significantly affects outcome expectation as well as SAB. SAB involves additional steps taken by employees in ensuring information security. These steps may slow down their work and thus pose an inconvenience to the employees. Past studies have shown that people tend to abandon their efforts or change their behaviour when faced with inconveniences (Rajamma et al., 2009; Cheng and Liu, 2012; Liang et al., 2013; Barbarossa and Pelsmacker, 2016). Therefore, we postulated that perceived inconvenience significantly influences SAB and outcome expectation. Employees who view SAB as inconvenient are more likely to abandon the efforts. Similarly, whenever perceived inconvenience is high, the outcome expectation linked to SAB is most likely negative due to the anticipated inefficiency and reduced productivity. The relevant hypotheses are as below:

H8. Perceived inconvenience has significant influence on outcome expectation.

H9. Perceived inconvenience has significant influence on SAB.

4. Research methods

This study adopted a quantitative approach using an online questionnaire survey as the main research instrument. The questionnaire elicited information on the seven constructs tested in this study. The following subsections deliberate on the sample, measurements and data analysis.

4.1 Sample

We invited employees from telecommunication companies to participate in this study due to the significance of these companies in managing communication and information infrastructure. Invitees were informed that participation was voluntary and that data would be kept confidential and used for research purposes only. Typically, these companies handle a high volume of data and information traffic, creating a critical need for information security. In total, 626 employees of telecommunication companies responded to the survey, out of which 151 were from the information technology department. We discarded the responses from this respondent group because the focus of this study is the end-users. After excluding this group, a total of 525 respondents remained in the sample. The demographic characteristics are summarised in Table I.

The sample consists of respondents who are in their 20s (25 per cent), 30s (39 per cent), 40s (24 per cent) and 50s (15 per cent). The gender distribution in the sample is almost equal, with 59 per cent female and 41 per cent male. The majority of the respondents hold a bachelor degree qualification (59 per cent), and are in the sales and marketing area (45 per cent), followed by the operations, production and project management (34 per cent) and accounting and finance (19 per cent).

4.2 Measurements

To finalise the measurements, a focus group discussion was conducted, involving two representatives of Cybersecurity Malaysia, one representative from a telecommunication company and two academic experts in information systems. The industry representatives are involved with security management in their organisations while the academic experts are specialised in information security. During the discussion, the panel members discussed the appropriateness and significance of the proposed measurements. The focus group discussion helped to assess and ascertain the validity of the measures. Following the focus group discussion, a pilot test was conducted to assess the reliability of the instruments. We also conducted a factor analysis on the pilot data to gauge the internal structure of the measurements. The questionnaire was then further improved and finalised.

Seven items were used as the measure for SABs, which cover password security, email security and safekeeping of data. Table II shows the seven items for the assessment of SAB. The expert panels agreed that these behaviours contributed significantly to information security practices. Three password security issues were addressed in this study, which specifically focus on password change, password selection, and password recycling. Although password security is usually addressed in security policy, Campbell et al. (2011) have determined that password policy did not reduce password reuse or the use of meaningful personal information in passwords. Imposing password restrictions does not necessarily lead to more secure passwords (Vu et al., 2007; Duggan et al., 2012). Moreover, password-based systems are the main method of user authentication and password security is usually compromised by inadequate password composition and management practices (Campbell et al., 2011). We also included security measures related to encryption, shutting down computers at the end of the day and data backup. These issues were less likely to be covered in information security policy (Fulford and Doherty, 2003; Doherty et al., 2009). These behaviours were deemed desirable in ensuring information security and may extend beyond policy requirements. Respondents were requested to rate the frequency of executing each behaviour on a Likert-type scale, ranging from 1, never, to 6, very frequent.

In order to gauge outcome expectation (OE), respondents were asked about the possible outcome if the seven behaviours were practiced at work. Responses ranged from 1, very negative, to 6, very positive. These behaviours were also used to measure perceived inconvenience (PIC). Respondents were asked to indicate how their work would be affected by each of the seven behaviours, with options ranging from 1, very easy, to 10, very troublesome. The responses obtained were summed up to form the composite constructs for SAB, OE and PIC. The scores for each construct ranged from 7 at the minimum point to 42 at the highest point for SAB and OE. For PIC, the minimum point was 10 and the maximum point was 70.

Subjective norm (SN) was assessed based on the emphasis placed on information security by the significant others, as perceived by the respondents. The upper management, immediate supervisors and co-workers were the significant others believed to exert influence on respondents’ behaviour. Four statements were developed to gauge respondents’ information security self-efficacy (SE), namely, perceived knowledge of information security violation, persons to contact and the standard operating procedures related to private and confidential information. We used four statements to measure information security policy (ISP). These items measured organisational policy on the use of e-mails and computer resources, as well as the standard operating procedures that underline information security. A six-point rating scale, ranging from 1, strongly disagree, to 6, strongly agree, was used to obtain responses for SN, SE and ISP.

Information security monitoring (ISM) was assessed based on the implementation of four monitoring activities by the employing organisations. These include monitoring of data modification or alteration, computing activities, computer logs, and email messages. These practices were gathered from the feedback received from the expert panels. Similar methods of information security monitoring are also highlighted in the literature (White and Pearson, 2001; Watson, 2002; Hoffman et al., 2003). Respondents were required to rate each activity based on a six-point scale, ranging from 1, never, to 6, very frequent. The items used to measure ISM, ISP, SN and SE can be found in Table III.

4.3 Descriptive statistics

Descriptive analysis was performed to observe patterns in the data and to determine data normality and outliers. The standard deviation, skewness and kurtosis statistics showed the data to be normally distributed and suitable for further investigation. Table II presents the descriptive statistics of SAB, the main interest of this study. With the aim to understand SAB better, we have categorised the responses into three behavioural levels, namely low (responses of 1, never, and 2, seldom), moderate (responses of 3, sometimes, and 4, quite frequent), and high (responses of 5, frequent, and 6, very frequent). The most common behaviour was shutting down computer after work (mean = 5.41), with more than 85 per cent of the responses in the high category. The least performed behaviour was protecting sensitive documents that are sent via email (mean = 2.98), with 40.2 per cent of the responses in the low category. Respondents were also found to be less diligent in using different passwords for different computer access (mean = 3.41), and performing data back-up (mean = 3.91).

4.4 Validation of the measurement model

The structural equation modelling (SEM) technique (AMOS ver. 23) was utilised to test the research hypotheses and the proposed model. We first conducted a confirmatory factor analysis (CFA) with maximum likelihood estimation in order to test the reliability of the observed variables (indicators) in explaining the constructs and to examine the extent of interrelationships and covariation among the constructs (Schreiber et al., 2006). Four indices were referred as indicators of absolute fit indices, namely:

Incremental fit indices were also taken into consideration, based on recommendations by Hooper et al. (2008) and Smith and McMillan (2001). Incremental fit indices include the normed fit index (NFI), Tucker-Lewis index (TLI) and comparative fit index (CFI). A good fit is indicated by an index value of 0.90 or greater for these indices (Smith and McMillan, 2001).

We have used the observed variables (summed values of the scores) for three constructs, namely, SAB, OE and PIC. The measurements for these constructs represent a range of behaviours that cover several facets of information security, and thus it was not possible to fit these behaviours into one all-encompassing dimension for each SAB, OE and PIC. Moreover, the use of observed variables is similar to the use of single-item constructs, which encourages a close coordination between the theoretical foundation and the model (Hayduk and Littvay, 2012). The other variables, namely, SE, ISM, ISP and SN, were represented by latent constructs, measured by multiple observed variables or indicators. Hayduk and Littvay (2012) recommended the use of a few best indicators for each latent construct. Thus, we capped the number of indicators for each latent construct to a maximum of four, following the recommendation by Kenny (1979).

Although the initial measurement model was found not to adequately fit the data (χ²/df = 2.557; RMSEA = 0.055; other fit values [GFI, AGFI, NFI, TLI and CFI] are above 0.90), we noticed that the model fit could be further improved by deleting the indicator SE1 from the model. The item was deleted because the standardised regression weight of the item differed from other indicators of SE. The deletion of this indicator has resulted in better model fit (χ²/df = 2.125; RMSEA = 0.046; other fit values [GFI, AGFI, NFI, TLI and CFI] are close to 0.95). Values of χ²/df that are closer to 2.0 are preferable as they show better fit (Tabachnick and Fidell, 2007). The deletion of the indicator has also increased the average variance extracted (AVE) from 0.654 to 0.719. The statistics for the measurement model are shown in Table III. AVE and composite reliability statistics were satisfactory (Fornell and Larcker, 1981). The final measurement model is illustrated in Figure 2. Following the CFA, we tested the interrelationships among the constructs for the purpose of hypothesis and model testing.
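As an added consistency check (not part of the original article), the Python sketch below recomputes AVE and composite reliability from the standardised loadings in Table III, assuming the usual Fornell and Larcker (1981) formulas in which each indicator's error variance is 1 − λ². The 0.50 and 0.70 cut-offs and all function names are assumptions of this example; the article only describes the statistics as satisfactory.

```python
"""Consistency check for the measurement-model statistics in Table III."""

# Standardised loadings copied from Table III (SE1 was deleted, so SE has three).
LOADINGS = {
    "ISM": [0.805, 0.941, 0.949, 0.811],
    "ISP": [0.871, 0.941, 0.918, 0.867],
    "SN": [0.846, 0.956, 0.879],
    "SE": [0.869, 0.888, 0.783],
}

# (AVE, composite reliability) as printed in Table III.
REPORTED = {
    "ISM": (0.773, 0.931),
    "ISP": (0.810, 0.944),
    "SN": (0.801, 0.923),
    "SE": (0.719, 0.884),
}

AVE_MIN = 0.50  # assumed conventional cut-off, not stated in the article
CR_MIN = 0.70   # assumed conventional cut-off, not stated in the article


def _validate(loadings):
    """Reject empty constructs and loadings that cannot be standardised."""
    if not loadings:
        raise ValueError("a construct needs at least one indicator loading")
    for lam in loadings:
        if not -1.0 <= lam <= 1.0:
            raise ValueError(f"standardised loading out of range: {lam}")


def ave(loadings):
    """Average variance extracted: mean of the squared standardised loadings."""
    _validate(loadings)
    return sum(lam * lam for lam in loadings) / len(loadings)


def composite_reliability(loadings):
    """(sum of loadings)^2 over itself plus the summed error variances."""
    _validate(loadings)
    explained = sum(loadings) ** 2
    error = sum(1.0 - lam * lam for lam in loadings)
    return explained / (explained + error)


def normed_chi_square(chi2, df):
    """Chi-square divided by degrees of freedom, as used for the fit indices."""
    if df <= 0:
        raise ValueError("degrees of freedom must be positive")
    return chi2 / df


def audit(loadings_by_construct, reported):
    """Recompute AVE/CR per construct and compare with the printed values."""
    rows = {}
    for name, loadings in loadings_by_construct.items():
        a = ave(loadings)
        cr = composite_reliability(loadings)
        rep_ave, rep_cr = reported[name]
        rows[name] = {
            "ave": round(a, 3),
            "cr": round(cr, 3),
            "matches_table": round(a, 3) == rep_ave and round(cr, 3) == rep_cr,
            "meets_cutoffs": a >= AVE_MIN and cr >= CR_MIN,
        }
    return rows


if __name__ == "__main__":
    for name, row in audit(LOADINGS, REPORTED).items():
        print(name, row)
    # Final structural model: chi-square 261.707 on 108 degrees of freedom.
    print("chi2/df:", round(normed_chi_square(261.707, 108), 3))
```

All four constructs reproduce the printed AVE and composite reliability to three decimals, which confirms that the SE figures in Table III were computed on the three indicators retained after SE1 was deleted.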

5. Results of hypothesis and model testing

The SEM results, as presented in Table IV, show support for all hypotheses, except H1. Eight of the nine hypothesised paths were significant at p ≤ 0.01 level. We concluded that H2-H9 are supported by the data.

The final structural model was derived by deleting the non-significant path (SN → SAB). Figure 3 shows the standardised solution to the final structural model. Fit indices for the model were satisfactory, with χ² of 261.707 and df equal to 108 (χ²/df = 2.423; RMSEA = 0.052). Both goodness of fit indices (GFI and AGFI) recorded values of more than 0.90. Hence, the model fit was supported. Other incremental fit indices also showed acceptable values of above 0.90. The model predicted 31 per cent variation in SAB (R² = 0.31), with PIC as the strongest determinant (β = −0.25). It was also found that ISP determined 27 per cent variation of SE. OE was significantly influenced by ISP, SN and PIC, with R² of 0.23. Each hypothesised path is significant at p ≤ 0.001.

6. Discussion and conclusion

Information security monitoring is crucially important in organisations, mainly to ensure compliance and to avoid negligence. In this study, we examined the influence of information security monitoring and other social learning factors on employees’ SAB. Empirical findings of this study lend further support to the SCT as the underlying theory. According to SCT, learning is the result of observation. Role models are thus important in supporting the learning process. Although capabilities are often thought to be enhanced through training, without repeated practice the gains in knowledge and competence of the required behaviour will soon be lost. Therefore, both champions and monitoring mechanisms need to be in place to reinforce the required behaviour through encouragement, in addition to curbing misbehaviour via penalties and sanctions. Learning comes at a cost, whereby the ability to learn varies from one individual to another. Individuals who are already at a stable point in their career would find it more difficult to respond to change (Ellefsen, 2013). Thus any changes must be supported and rewarded for them to be feasible in practice.

There are four key findings with practical implications derived from the study. First, subjective norms do not directly influence SAB (H1), indicating that general emphasis on information security does not necessarily ensure such specified behaviour. Instead, the influence of subjective norms is significant on the outcome expectation (H2) and outcome expectation positively influences SAB (H3). The results indicated that subjective norms help employees form opinions about the impact of security measures. Positive opinion about the impact will lead to higher SAB. It is recommended that organisations promote specific information security behaviours rather than merely requesting employees to follow the standard operating procedures. It may be beneficial if organisations also accentuate behaviours that go beyond these standards.

Second, the results indicate that employees’ awareness of security monitoring practices enhances SAB (H4). In the context of social learning, the finding implies that monitoring emphasises expected behaviours and helps reinforce organisational norms. Monitoring may also accelerate learning when employees become strongly mindful of their behaviours. Hence, it is important for organisations to communicate the monitoring practices implemented, and this is even more imperative whenever the security monitoring employed is unobtrusive in nature. Nonetheless, care must be taken in this communication to avoid resentment and mistrust among employees.

The third implication is related to self-efficacy. Employees who believe in their capability in handling security incidents and have high expectation towards SAB tend to engage more in such behaviour (H5). Therefore, it is essential for organisations to enhance these attributes among the employees. The significant influence of information security policy on self-efficacy (H6) indicates that organisations can achieve this via proper implementation and communication of the information security policy. Besides, information security policy has also been found to be significantly related to outcome expectation (H7), thus further emphasising the need for such a measure. Policies and norms form the information security culture within the organisation, directly affect employees’ perception, and eventually influence their information security behaviours.

The fourth implication concerns the influence of perceived inconvenience. Perceived inconvenience is a new determinant of this study and its influence on SAB is significantly negative (H9). Perceived inconvenience is also found to negatively influence the expected outcome (H8). SAB requires additional efforts from the employees which may obstruct or delay the achievement of their assigned tasks. As indicated by the results, perceived inconvenience causes employees to abandon security efforts. Perceived inconvenience thus creates a significant internal barrier in achieving information security, especially when the human factor within the information security setting is high. In view of this, we recommend that information security is recognised as one of the work objectives, apart from effectiveness and efficiency. Proper training and automation could also help employees to reduce their efforts at security behaviours, and hence reduce the perceived inconvenience.

In general, it is evident that improvements are needed in terms of SAB among telecommunication employees. Protection of sensitive documents sent via email is weak, which presents serious threats to organisations. The practice of sending password-protected or encrypted document files via email is a way to safeguard sensitive information. Organisations would benefit from applications that automatically encrypt all documents transmitted via emails. The practice of using different passwords for different access also seemed to be lacking, perhaps due to difficulties in remembering passwords. Organisations could set up identity management mechanisms to manage password-based systems. Instead of using different passwords for various accesses, such a system enables single user sign-on to the resources of multiple information systems. In addition, the results of this study indicate that organisations should invest in an automatic online backup system or cloud storage in order to avoid data loss or corruption due to hard disk failure. When data backup is left to the employees, they are less likely to perform it.

7. Limitations and future studies

In general, the present research provides a number of significant insights and valuable information related to SAB among employees. The major findings could assist security experts and organisations to develop better strategies and policies for information security protection. However, there are some limitations in the existing work that could be addressed in future studies. One of them is the possible social desirability bias due to the self-reported measure adopted in the study. Even though we have made every effort possible to collect representative responses via anonymous survey, it is still possible that the respondents may not reveal true behaviour as good conduct is generally desired. This may lead to a bias towards favourable behaviour. In addition, the current study is confined to the telecommunication industry which limits the generalisability of the findings.

For future works, responses from other industries are required for further empirical investigation to generalise the findings. Specifically, the investigation shall be made available to other types of organisations having high requirements for regulation and policy compliance such as government agencies, health care organisations and financial institutions to capture different notions of security behaviour of the users. Besides, different demographic groups based on age, education qualification or individual competence should be delineated as these factors may have significant impact on the users’ behaviour. Hence, exploration beyond individual perception could be conducted to identify the different group factors towards user adoption of information security practice (Sim et al., 2011).

As perceived inconvenience is an interesting area of study, further research on strategies for reducing the perceived inconvenience of information security behaviours could be performed in the future. Perceived inconvenience may be one of the reasons behind employees’ failure to comply with information security policies implemented in organisations, which merits further investigation. It is also worth analysing the trade-off between perceived inconvenience and outcome expectation, as well as the factors contributing to perceived inconvenience.

Figures

Figure 1. Theoretical framework

Figure 2. Final measurement model

Figure 3. Final structural model

Table I. Respondents’ demographics

| Demographics | N | % |
| --- | --- | --- |
| Age (in years) | | |
| Below 30 | 131 | 25 |
| 31-40 | 202 | 38.5 |
| 41-50 | 125 | 23.8 |
| 51-60 | 67 | 12.8 |
| Gender | | |
| Male | 214 | 59.2 |
| Female | 310 | 40.8 |
| Academic qualification | | |
| Secondary school/certificate | 58 | 11.1 |
| Diploma | 90 | 17.2 |
| Bachelor degree | 310 | 59.4 |
| Post-graduate | 64 | 12.3 |
| Job function | | |
| Sales and Marketing | 237 | 45.1 |
| Accounting and Finance | 102 | 19.4 |
| Operations, production, and project management | 186 | 35.4 |

Note: Variance in N is due to missing values

Table II. Descriptive statistics of SAB

| Measurement items | Mean | Low (%) | Moderate (%) | High (%) |
| --- | --- | --- | --- | --- |
| Change passwords for work-related access | 4.20 | 6.3 | 51.0 | 42.7 |
| Protect sensitive documents with passwords or encryption before sending them via emails | 2.98 | 40.2 | 24.2 | 29.7 |
| Use a combination of alphabets, numeric and symbols for work-related passwords | 4.98 | 3.4 | 23.0 | 73.6 |
| Double-check the list of recipients before sending out emails | 4.98 | 1.9 | 22.3 | 75.8 |
| Use different passwords for different computer access | 3.41 | 29.7 | 41.0 | 29.3 |
| Back-up data contained in computer | 3.91 | 15.1 | 45.9 | 39.1 |
| Shut down computer before leaving home for the day | 5.41 | 4.3 | 10.3 | 85.3 |

Notes: Respondents were requested to respond to the question “How frequent do you perform the following tasks?” by rating each of the above behaviours on a six-point scale ranging from 1, “Never” to 6, “Very frequent”

Table III. Final measurement model

| Construct | Indicator | Item | Loadings | SE | CR | AVE | Composite reliability |
| --- | --- | --- | --- | --- | --- | --- | --- |
| ISM | SM1 | Monitors any modification or altering of computerised data by employees | 0.805 | 0.030 | 27.000 | 0.773 | 0.931 |
| | SM2 | Monitors employee computing activities | 0.941 | | | | |
| | SM3 | Reviews logs of employee computing activities | 0.949 | 0.026 | 38.089 | | |
| | SM4 | Monitors the content of employees’ e-mail messages | 0.811 | 0.033 | 27.326 | | |
| ISP | SP1 | Your organisation has specific guidelines that describe acceptable use of e-mail | 0.871 | | | 0.810 | 0.944 |
| | SP2 | Your organisation has established rules of behaviours for use of computer resources | 0.941 | 0.031 | 32.482 | | |
| | SP3 | Your organisation has specific guidelines that govern what employees are allowed to do with their computers | 0.918 | 0.033 | 30.898 | | |
| | SP4 | Your organisation’s standard operating procedures emphasise information security | 0.867 | 0.035 | 27.380 | | |
| SN | SN1 | The upper management insists that information security’s standard operating procedure is to be complied with | 0.846 | | | 0.801 | 0.923 |
| | SN2 | Your immediate superior insists that information security’s standard operating procedure is to be complied with | 0.956 | 0.040 | 29.180 | | |
| | SN3 | Your co-workers insist that information security’s standard operating procedure is to be complied with | 0.879 | 0.042 | 26.198 | | |
| SE | SE1 | You know the incidents that are classified as information security violation | item deleted | | | 0.719 | 0.884 |
| | SE2 | You know what to do in the event of information security breach | 0.869 | | | | |
| | SE3 | You know who to contact in the event of information security breach | 0.888 | 0.045 | 24.516 | | |
| | SE4 | You know the standard operating procedures in handling private and confidential information | 0.783 | 0.044 | 21.133 | | |

Measure of fit indices: χ²/df 2.125; RMSEA 0.046; GFI 0.954; AGFI 0.931; NFI 0.969; TLI 0.977; CFI 0.983

Table IV. Path coefficients

| Hypothesised paths | β | S.E. | C.R. | Std. β |
| --- | --- | --- | --- | --- |
| H1: SN → SAB | 0.273 | 0.286 | 0.955 | 0.041 |
| H2: SN → OE | 1.304 | 0.301 | 4.329* | 0.203 |
| H3: OE → SAB | 0.228 | 0.043 | 5.265* | 0.219 |
| H4: ISM → SAB | 0.647 | 0.149 | 4.340* | 0.171 |
| H5: SE → SAB | 1.158 | 0.214 | 5.424* | 0.220 |
| H6: ISP → SE | 0.547 | 0.048 | 11.401* | 0.514 |
| H7: ISP → OE | 0.563 | 0.247 | 2.276* | 0.105 |
| H8: PIC → OE | −0.139 | 0.016 | −8.433* | −0.335 |
| H9: PIC → SAB | −0.107 | 0.017 | −6.111* | −0.246 |

Note: *Path is significant at 0.01 level

References

Ajzen, I. (1991), “The theory of planned behavior”, Organizational Behavior and Human Decision Processes, Vol. 50 No. 2, pp. 179-211.

Alder, G.S. (2001), “Employee reactions to electronic performance monitoring: a consequence of organizational culture”, The Journal of High Technology Management Research, Vol. 12 No. 2, pp. 323-342.

Alder, G., Schminke, M., Noel, T. and Kuenzi, M. (2008), “Employee reactions to internet monitoring: the moderating role of ethical orientation”, Journal of Business Ethics, Vol. 80 No. 3, pp. 481-498.

Alhogail, A. (2015), “Design and validation of information security culture framework”, Computers in Human Behavior, Vol. 49 No. 2015, pp. 567-575.

Anderson, N.R. and West, M.A. (1998), “Measuring climate for work group innovation: development and validation of the team climate inventory”, Journal of Organizational Behavior, Vol. 19 No. 3, pp. 235-258.

Aurigemma, S. (2013), “From the weakest link to the best defense: exploring the factors that affect employee intention to comply with information security policies”, ProQuest LLC. PhD. Dissertation, University of Hawai’i at Manoa.

Bandura, A. (1977), Social Learning Theory, Prentice Hall, Englewood Cliffs, NJ.

Bandura, A. (1982), “Self-efficacy mechanism in human agency”, American Psychologist, Vol. 37 No. 2, pp. 122-147.

Bandura, A. (1986), Social Foundations of Thought and Action: A Social Cognitive Theory, SAGE, Englewood Cliffs, NJ.

Bandura, A. (1997), Self-efficacy: The Exercise of Control, Freeman, New York, NY.

Barbarossa, C. and Pelsmacker, P. (2016), “Positive and negative antecedents of purchasing eco-friendly products: a comparison between green and non-green consumers”, Journal of Business Ethics, Vol. 134 No. 2, pp. 229-247.

Bélanger, F., Collignon, S., Enget, K. and Negangard, E. (2017), “Determinants of early conformance with information security policies”, Information and Management, Vol. 54 No. 7, pp. 887-901.

Bhave, D.P. (2014), “The invisible eye? Electronic performance monitoring and employee job performance”, Personnel Psychology, Vol. 67 No. 3, pp. 605-635.

Bommer, W.H., Miles, E.W. and Grover, S.L. (2003), “Does one good turn deserve another? Co-worker influences on employee citizenship”, Journal of Organizational Behavior, Vol. 24 No. 2, pp. 181-196.

Boss, S.R., Galletta, D.F., Benjamin Lowry, P., Moody, G.D. and Polak, P. (2015), “What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors”, MIS Quarterly, Vol. 39 No. 4, pp. 837-864.

Bozionelos, N., Bozionelos, G., Kostopoulos, K., Shyong, C., Baruch, Y. and Zhou, W. (2015), “International graduate students’ perceptions and interest in international careers”, International Journal of Human Resource Management, Vol. 26 No. 11, pp. 1428-1451.

Bulgurcu, B., Cavusoglu, H. and Benbasat, I. (2010), “Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness”, MIS Quarterly, Vol. 34 No. 3, pp. 523-548.

Burr, R. and Cordery, J.L. (2001), “Self-management efficacy as a mediator of the relation between job design and employee motivation”, Human Performance, Vol. 14 No. 1, pp. 27-44.

Campbell, J., Ma, W. and Kleeman, D. (2011), “Impact of restrictive composition policy on user password choices”, Behaviour and Information Technology, Vol. 30 No. 3, pp. 379-388.

Chalykoff, J. and Kochan, T.A. (1989), “Computer-aided monitoring: its influence on employee job satisfaction and turnover”, Personnel Psychology, Vol. 42 No. 4, pp. 807-834.

Cheng, L., Li, Y., Li, W., Holm, E. and Zhai, Q. (2013), “Understanding the violation of IS security policy in organizations: an integrated model based on social control and deterrence theory”, Computers and Security, Vol. 39, pp. 447-459.

Cheng, Y. and Liu, K. (2012), “Evaluating bicycle-transit users’ perceptions of intermodal inconvenience”, Transportation Research Part A: Policy and Practice, Vol. 46 No. 10, pp. 1690-1706.

Chen, H. and Li, W. (2017), “Mobile device users’ privacy security assurance behavior: a technology threat avoidance perspective”, Information and Computer Security, Vol. 25 No. 3, pp. 330-344.

Chen, Y., Ramamurthy, K. and Wen, K. (2012), “Organizations’ information security policy compliance: stick or carrot approach?”, Journal of Management Information Systems, Vol. 29 No. 3, pp. 157-188.

Cheolho, Y., Jae-Won, H. and Kim, R. (2012), “Exploring factors that influence students’ behaviors in information security”, Journal of Information Systems Education, Vol. 23 No. 4, pp. 407-415.

Chory, R., Vela, L. and Avtgis, T. (2016), “Organizational surveillance of computer-mediated workplace communication: employee privacy concerns and responses”, Employee Responsibilities and Rights Journal, Vol. 28 No. 1, pp. 23-43.

Chu, A., Chau, P. and So, M. (2015), “Explaining the misuse of information systems resources in the workplace: a dual-process approach”, Journal of Business Ethics, Vol. 131 No. 1, pp. 209-225.

Chul, W.Y., Sanders, G.L. and Cerveny, R.P. (2018), “Exploring the influence of flow and psychological ownership on security education, training and awareness effectiveness and security compliance”, Decision Support Systems, Vol. 108, pp. 107-118.

Consiglio, C., Borgogni, L., Di Tecco, C. and Schaufeli, W.B. (2016), “What makes employees engaged with their work? The role of self-efficacy and employee’s perceptions of social context over time”, Career Development International, Vol. 21 No. 2, pp. 125-143.

Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R. (2013), “Future directions for behavioural information security research”, Computers and Security, Vol. 32, pp. 90-101.

D’Arcy, J. and Greene, G. (2014), “Security culture and the employment relationship as drivers of employee’s security compliance”, Information Management and Computer Security, Vol. 22 No. 5, pp. 474-489.

D’Arcy, J., Hovav, A. and Galletta, D. (2009), “User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach”, Information Systems Research, Vol. 20 No. 1, pp. 79-98.

Da Veiga, A. and Martins, N. (2014), “Information security culture: a comparative analysis of four assessments”, Proceedings of The European Conference on Information Management and Evaluation, pp. 49-57.

Da Veiga, A. and Martins, N. (2015), “Improving the information security culture through monitoring and implementation actions illustrated through a case study”, Computers and Security, Vol. 49, pp. 162-176.

Deranek, K., Richards, G., Tworoger, T. and Schmidt, E. (2015), “Resistance or acquiescence: student perception of software surveillance during a team-based simulation”, Journal of Legal, Ethical and Regulatory Issues, Vol. 18 No. 3, pp. 15-29.

Doherty, N.F., Anastasakis, L. and Fulford, H. (2009), “The information security policy unpacked: a critical study of the content of university policies”, International Journal of Information Management, Vol. 29 No. 6, pp. 449-457.

Domene, J.F. (2012), “Calling and career outcome expectations: the mediating role of self-efficacy”, Journal of Career Assessment, Vol. 20 No. 3, pp. 281-292.

Duggan, G.B., Johnson, H. and Grawemeyer, B. (2012), “Rational security: modelling everyday password use”, International Journal of Human-Computer Studies, Vol. 70 No. 6, pp. 415-431.

Ellefsen, K.O. (2013), “Balancing the costs and benefits of learning ability: advances in artificial life, ECAL”, Proceedings of the Twelfth European Conference on the Synthesis and Simulation of Living Systems, pp. 292-299.

Fogarty, T.J. and Dirsmith, M.W. (2001), “Organizational socialization: an extended institutional theory perspective”, Human Resource Development Quarterly, Vol. 12 No. 3, pp. 47-266.

Foltz, C.B., Newkirk, H.E. and Schwager, P.H. (2016), “An empirical investigation of factors that influence individual behavior toward changing social networking security settings”, Journal of Theoretical and Applied Electronic Commerce Research, Vol. 11 No. 2, pp. 1-15.

Fornell, C. and Larcker, D.F. (1981), “Evaluating structural equation models with unobservable variables and measurement error”, Journal of Marketing Research, Vol. 18 No. 1, pp. 39-50.

Fulford, H. and Doherty, N.F. (2003), “The application of information security policies in large UK-based organizations: an exploratory investigation”, Information Management and Computer Security, Vol. 11 No. 3, pp. 106-114.

Gibson, S.K. (2004), “Social learning (cognitive) theory and implications for human resource development”, Advances in Developing Human Resources, Vol. 6 No. 2, pp. 193-210.

Guo, K.H. (2013), “Security-related behavior in using information systems in the workplace: a review and synthesis”, Computers and Security, Vol. 32, pp. 242-251.

Guo, K.H., Yuan, Y., Archer, N.P. and Connelly, C.E. (2011), “Understanding non-malicious security violations in the workplace: a composite behavior model”, Journal of Management Information Systems, Vol. 28 No. 2, pp. 203-236.

Han, J., Kim, Y.J. and Kim, H. (2017), “An integrative model of information security policy compliance with psychological contract: examining a bilateral perspective”, Computers and Security, Vol. 66 No. 2017, pp. 52-65.

Harrison, A.W., Rainer, J.R.K., Hochwarter, W.A. and Thompson, K.R. (1997), “Testing the self-efficacy-performance-linkage of social-cognitive theory”, Journal of Social Psychology, Vol. 137 No. 1, pp. 79-87.

Hayduk, L.A. and Littvay, L. (2012), “Should researchers use single indicators, best indicators, or multiple indicators in structural equation models?”, BMC Medical Research Methodology, Vol. 12 No. 159, pp. 1-17.

Herath, T. and Rao, H.R. (2009), “Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness”, Decision Support Systems, Vol. 47 No. 2, pp. 154-165.

Hoffman, W.M., Hartman, L.P. and Rowe, M. (2003), “You’ve got mail … and the boss knows: a survey by the center for business ethics of companies’ email and internet monitoring”, Business and Society Review, Vol. 108 No. 3, p. 285.

Holland, P.J., Cooper, B. and Hecker, R. (2015), “Electronic monitoring and surveillance in the workplace”, Personnel Review, Vol. 44 No. 1, pp. 161-175.

Holtbrügge, D., Baron, A. and Friedmann, C.B. (2015), “Personal attributes, organizational conditions, and ethical attitudes: a social cognitive approach”, Business Ethics: A European Review, Vol. 24 No. 3, pp. 264-281.

Hooper, D., Coughlan, J. and Mullen, M.R. (2008), “Structural equation modeling: guidelines for determining model fit”, The Electronic Journal of Business Research Methods, Vol. 6 No. 1, pp. 53-60.

Hu, Q., Dinev, T., Hart, P. and Cooke, D. (2012), “Managing employee compliance with information security policies: the critical role of top management and organizational culture”, Decision Sciences, Vol. 43 No. 4, pp. 615-660.

Ifinedo, P. (2014), “Information systems security policy compliance: an empirical study of the effects of socialisation, influence, and cognition”, Information and Management, Vol. 51 No. 1, pp. 69-79.

Jenkins, J.L., Durcikova, A. and Burns, M.B. (2013), “Simplicity is bliss: controlling extraneous cognitive load in online security training to promote secure behavior”, Journal of Organizational and End User Computing, Vol. 25 No. 3, pp. 52-66.

Jeske, D. and Santuzzi, A.M. (2015), “Monitoring what and how: psychological implications of electronic performance monitoring”, New Technology, Work and Employment, Vol. 30 No. 1, pp. 62-78.

Jose, S. and Babu, D. (2012), “A study on the role of performance and image outcome expectations on innovative behaviour in the workplace”, Proceedings of ISPIM Conferences, Vol. 23, pp. 1-33.

Kandemir, M., Ilhan, T., Ozpolat, A.R. and Palanci, M. (2014), “Analysis of academic self-efficacy, self-esteem and coping with stress skills predictive power on academic procrastination”, Educational Research and Reviews, Vol. 9 No. 5, pp. 146-152.

Kaspersky Lab (2017), Employees Are One of the Biggest Cyberthreats to Businesses in North America. Business Wire (English), Kaspersky Lab, Moscow.

Kennedy, S.E. (2016), “The pathway to security - mitigating user negligence”, Information and Computer Security, Vol. 24 No. 3, pp. 255-264.

Kenny, D.A. (1979), Correlation and Causality, Wiley, New York, NY.

Kokkinos, C.M., Panagopoulou, P., Tsolakidou, I. and Tzeliou, E. (2015), “Coping with bullying and victimisation among preadolescents: the moderating effects of self-efficacy”, Emotional and Behavioural Difficulties, Vol. 20 No. 2, pp. 205-222.

Lamar, P., Snow, D. and McAfee, A. (2013), “Cleaning house: the impact of information technology monitoring on employee theft and productivity”, MIT Sloan Research Paper Number 5029-13, November 2013.

Lee, S. and Kleiner, B.H. (2003), “Electronic surveillance in the workplace”, Management Research News, Vol. 26 Nos 2/3/4, pp. 72-81.

Liang, D., Ma, Z. and Qi, L. (2013), “Service quality and customer switching behavior in China’s mobile phone service sector”, Journal of Business Research, Vol. 66 No. 8, pp. 1161-1167.

Lowry, P.B. and Moody, G.D. (2015), “Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies”, Information Systems Journal, Vol. 25 No. 5, pp. 433-463.

McAlister, A.L., Perry, C.L. and Parcel, G.S. (2008), “How individuals, environments, and health behaviors interact: social cognitive theory”, in Glanz, K., Rimer, B.K. and Viswanath, K. (Eds), Health Behavior and Health Education: Theory, Research, and Practice, 4th ed., Jossey-Bass, San Francisco, pp. 169-188.

McCormick, M.J. and Martinko, M.J. (2004), “Identifying leader social cognitions: integrating the causal reasoning perspective into social cognitive theory”, Journal of Leadership and Organizational Studies, Vol. 10 No. 4, pp. 2-11.

Manz, C.C. and Sims, H.P. Jr (1980), “Self-management as a substitute for leadership: a social learning theory perspective”, Academy of Management Review, Vol. 5 No. 3, pp. 361-367.

Mejia-Smith, B. and Gushue, G.V. (2017), “Latina/o college students’ perceptions of career barriers: influence of ethnic identity, acculturation, and self-efficacy”, Journal of Counseling and Development, Vol. 95 No. 2, pp. 145-155.

Moody, G.D., Siponen, M. and Pahnila, S. (2018), “Toward a unified model of information security policy compliance”, MIS Quarterly, Vol. 42 No. 1, pp. 285-A22.

ObserveIT (2016), Study Finds Major Enterprise Security Gap with Monitoring Application Access and Usage, Business Wire: Regional Business News, Ipswich, MA.

Oz, E., Glass, R. and Behling, R. (1999), “Electronic workplace monitoring: what employees think?”, Omega, Vol. 27 No. 2, pp. 167-177.

Paczkowski, W.F. and Kuruzovich, J. (2016), “Checking email in the bathroom: monitoring email responsiveness behavior in the workplace”, American Journal of Management, Vol. 16 No. 2, pp. 23-39.

Parsons, K., McCormac, A., Butavicius, M., Pattinson, M. and Jerram, C. (2014), “Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q)”, Computers and Security, Vol. 42 No. 2014, pp. 165-176.

Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A. and Zwaan, T. (2017), “The human aspects of information security questionnaire (HAIS-Q): two further validation studies”, Computers and Security, Vol. 66 No. 2017, pp. 40-51.

Pierce, L., Snow, D. and McAfee, A. (2015), “Cleaning house: the impact of information technology monitoring on employee theft and productivity”, Management Science, Vol. 61 No. 10, pp. 2299-2319.

Posey, C., Roberts, T.L. and Lowry, P.B. (2015), “The impact of organizational commitment on insiders’ motivation to protect organizational information assets”, Journal of Management Information Systems, Vol. 32 No. 4, pp. 179-214.

PricewaterhouseCoopers (2017), “The global state of information security survey, 2018”, available at: www.pwc.com/us/en/cybersecurity/information-security-survey.html (accessed December 2017).

Qin, S., Qiang, T. and Kanliang, W. (2011), “The impact of computer self-efficacy and technology dependence on computer-related technostress: a social cognitive theory perspective”, International Journal of Human-Computer Interaction, Vol. 27 No. 10, pp. 923-939.

Rajamma, R.K., Paswan, A.K. and Hossain, M.M. (2009), “Why do shoppers abandon shopping cart? Perceived waiting time, risk, and transaction inconvenience”, Journal of Product and Brand Management, Vol. 18 No. 3, pp. 188-197.

Safa, N.S., Solms, R.V. and Furnell, S. (2016), “Information security policy compliance model in organizations”, Computers and Security, Vol. 56, pp. 70-82.

Safa, N.S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N.A. and Herawan, T. (2015), “Information security conscious care behaviour formation in organizations”, Computers and Security, Vol. 53 No. 2015, pp. 5365-5378.

Samaranayake, V. and Gamage, C. (2012), “Employee perception towards electronic monitoring at work place and its impact on job satisfaction of software professionals in Sri Lanka”, Telematics and Informatics, Vol. 29 No. 2, pp. 233-244.

Schreiber, J.B., Stage, F.K., King, J., Nora, A. and Barlow, E.A. (2006), “Reporting structural equation modelling and confirmatory factor analysis results: a review”, The Journal of Educational Research, Vol. 99 No. 6, pp. 323-337.

Sim, J.J., Tan, G.W.H., Ooi, K.B. and Lee, V.H. (2011), “Exploring the individual characteristics on the adoption of broadband: an empirical analysis”, International Journal of Network and Mobile Technologies, Vol. 2 No. 1, pp. 1-14.

Siponen, M., Adam Mahmood, M. and Pahnila, S. (2014), “Employees’ adherence to information security policies: an exploratory field study”, Information and Management, Vol. 51 No. 2, pp. 217-224.

Smith, W.P. and Tabak, F. (2009), “Monitoring employee e-mails: is there any room for privacy?”, Academy of Management Perspectives, Vol. 23 No. 4, pp. 33-48.

Smith, T.D. and McMillan, B.F. (2001), “A primer of model fit indices in structural equation modelling”, Annual Meeting of the Southwest Educational Research Association (ED449231), Retrieved January 18, 2006, from ERIC database.

Snyder, J.L. (2010), “E-mail privacy in the workplace: a boundary regulation perspective”, Journal of Business Communication, Vol. 47 No. 3, pp. 266-294.

Spitzmüller, C. and Stanton, J.M. (2006), “Examining employee compliance with organizational surveillance and monitoring”, Journal of Occupational and Organizational Psychology, Vol. 79 No. 2, pp. 245-272.

Steiger, J.H. (2007), “Understanding the limitations of global fit in structural equation modelling”, Personality and Individual Difference, Vol. 42 No. 5, pp. 893-898.

Tabachnick, B.G. and Fidell, L.S. (2007), Using Multivariate Statistics, 5th ed., Allyn and Bacon, New York, NY.

Trinkle, B.S., Crossler, R.E. and Warkentin, M. (2014), “I’m game, are you? Reducing real-world security threats by managing employee activity in online social networks”, Journal of Information Systems, Vol. 28 No. 2, pp. 307-327.

Tsohou, A., Karyda, M. and Kokolakis, S. (2015), “Analyzing the role of cognitive and cultural biases in the internalization of information security policies: recommendations for information security awareness programs”, Computers and Security, Vol. 52, pp. 128-141.

Vance, A., Brinton Anderson, B., Brock Kirwan, C. and Eargle, D. (2014), “Using measures of risk perception to predict information security behavior: insights from electroencephalography (EEG)”, Journal of the Association for Information Systems, Vol. 15 No. 10, pp. 679-722.

Vu, K.L., Proctor, R.W., Bhargav-Spantzel, A., Tai, B., Cook, J. and Schultz, E.E. (2007), “Improving password security and memorability to protect personal and organizational information”, International Journal of Human-Computer Studies, Vol. 65 No. 8, pp. 744-757.

Wang, R. and Lin, C. (2012), “Understanding innovation performance and its antecedents: a socio-cognitive model”, Journal of Engineering and Technology Management, Vol. 29 No. 2, pp. 210-225.

Wang, D., Xu, L. and Chan, H.C. (2015), “Understanding the continuance use of social network sites: a computer self-efficacy perspective”, Behaviour and Information Technology, Vol. 34 No. 2, pp. 204-216.

Watson, G. (2002), “E‐mail surveillance in the UK workplace – a management consulting case study”, Aslib Proceedings, Vol. 54 No. 1, pp. 23-40.

Wells, D.L., Moorman, R.H. and Werner, J.M. (2007), “The impact of the perceived purpose of electronic performance monitoring on an array of attitudinal variables”, Human Resource Development Quarterly, Vol. 18 No. 1, pp. 121-138.

White, G.W. and Pearson, S.J. (2001), “Controlling corporate e‐mail, PC use and computer security”, Information Management and Computer Security, Vol. 9 No. 2, pp. 88-92.

Workman, M. (2009), “A field study of corporate employee monitoring: attitudes, absenteeism, and the moderating influences of procedural justice perceptions”, Information and Organization, Vol. 19 No. 4, pp. 218-232.

Wright, B.E. (2001), “Work motivation in the public sector: an application of goal and social cognitive theories”, Academy of Management Proceedings and Proceedings, Vol. 2001, pp. D1-D6.

Yan, C., Ramamurthy, K. and Kuang-Wei, W. (2015), “Impacts of comprehensive information security programs on information security culture”, Journal of Computer Information Systems, Vol. 55 No. 3, pp. 11-19.

Yazdanmehr, A. and Wang, J. (2016), “Employees’ information security policy compliance: a norm activation perspective”, Decision Support Systems, Vol. 92 No. 2016, pp. 36-46.

Yen, Y. (2016), “Factors enhancing the posting of negative behavior in social media and its impact on venting negative emotions”, Management Decision, Vol. 54 No. 10, pp. 2462-2484.

Yoon, C., Hwang, J. and Kim, R. (2012), “Exploring factors that influence students’ behaviors in information security”, Journal of Information Systems Education, Vol. 23 No. 4, pp. 407-415.

Yuan, F. and Woodman, R.W. (2010), “Innovative behavior in the workplace: the role of performance and image outcome expectations”, Academy of Management Journal, Vol. 53 No. 2, pp. 323-342.

Zoghbi-Manrique-de-Lara, P. (2011), “Predicting nonlinear effects of monitoring and punishment on employee deviance: the role of procedural justice”, European Management Journal, Vol. 29 No. 4, pp. 272-282.

Further reading

Lee, C., Lee, C.C. and Kim, S. (2016), “Understanding information security stress: focusing on the type of information security compliance activity”, Computers and Security, Vol. 59 No. 2016, pp. 5960-5970.

Acknowledgements

This study was supported by the Ministry of Higher Education, Malaysia, under the Fundamental Research Grant Scheme (FRGS/2/2013/SS05/MMU/02/12).

Corresponding author

Thian Song Ong can be contacted at: tsong@mmu.edu.my

About the authors

Zauwiyah Ahmad started off her academic career as a tutor at Multimedia University in 1998, after completing the Bachelor of Accounting programme at Universiti Utara Malaysia. She subsequently completed her Master of Philosophy degree in 2001 and Doctor of Philosophy in 2010. Her interest mainly lies in behavioural research, especially in areas related to accounting, ethics, personal finance and information security. Thus far, she has obtained a number of internal and external research grants. Outcomes of her research have been published in several tiered journals, including Accounting Education: an International Journal, Managerial Auditing Journal, International Journal of Business Studies and Asia Pacific Journal of Education. She has also presented a number of papers at international conferences. Dr Zauwiyah teaches accounting courses at the bachelor degree level, specifically accounting information systems, integrated case study, financial accounting and managerial accounting. Apart from holding a permanent position as a Senior Lecturer in accounting, Dr Zauwiyah is also involved in the Faculty of Business Administration as the Dean, Faculty of Business. She has also previously served as the Deputy Dean, Academic and Quality Assurance and the Head of Accounting Department at the Faculty of Business.

Thian Song Ong works in the Faculty of Information Sciences and Technology, Multimedia University. His research interests include machine learning and information security. He completed his MSc in 2001 at the University of Sunderland, UK, and his PhD in 2008 at Multimedia University, Malaysia. He has published more than 50 international refereed journal and conference articles. He is a senior member of the IEEE and a member of the ACM. He also served on the editorial board of the IEEE Biometric Council Newsletter from 2013 to 2015. He was a general chair of the Fifth International Conference on Information and Communication Technology (ICoICT 2017) and currently serves as general Co-Chair of ICoICT 2018.

Tze Hui Liew is a Lecturer at Multimedia University attached to the Faculty of Information Science and Technology. Mr Liew’s research and publications have focussed on human computer interaction, user centred design, technology acceptance model based on multitouch interactive technology and ICT risk management. He completed his BPM and MSc at Universiti Utara Malaysia.

Mariati Norhashim is a Senior Lecturer with the Faculty of Management, Multimedia University. She has been teaching since 1998 in the fields of accountancy and case studies. Her research interests include accounting education, entrepreneurship development, personal finance and economic well-being. Her passion is in developing students’ critical thinking and resilience. She has written numerous articles for journals and conference proceedings and has been a part of several research grant projects. She welcomes opportunities to engage the industry to assist in talent development, particularly in finance.