Employees are not the weakest link: an occupational safety view of information security

Purpose – I adapt the Integrated Model of Workplace Safety (Christian et al., 2009) to information security and highlight the need to understand additional factors that influence security compliance and additional security outcomes that need to be studied (i.e. security participation). Research limitations/implications – This model argues that distal factors in four major categories (employee characteristics, job characteristics, workgroup characteristics and organizational characteristics) influence two proximal factors (security motivation and security knowledge) and the security event itself, which together influence two important outcomes (security compliance and security participation). Practical implications – Safety is a systems design issue, not an employee compliance issue. When employees make poor safety decisions, it is not the employee who is at fault; instead, the system is at fault because it induced the employee to make a poor decision and enabled the decision to have negative consequences. Social implications – Security compliance is as much a workgroup issue as an individual issue. Originality/value – I believe that by reframing information security from a compliance issue to a systems design issue, we can dramatically improve security.


Introduction
Information security remains a critical issue facing information systems managers (Cram et al., 2020; Kappelman et al., 2022), with losses from security breaches continuing to increase (EY, 2020; PWC, 2022). Several industry studies have concluded that employee behavior is the largest single root cause of security breaches, and most often it is not deliberate malfeasance that causes breaches but rather a failure to comply with security policies without malicious intent (EY, 2020; PWC, 2022). It is often said that employees are the weakest link in information security (Bernard, 2023; Chalico, 2022; Harbert, 2021).
In this paper, I argue that one reason information security remains a critical issue is that we view employees as the weakest link. To make major improvements in information security, we need to make major changes in how we view the root cause of information security problems. In the early 20th century, one measure of the success of construction projects was the number of employees killed or injured; employees were viewed as the source of industrial accidents, and it was expected that many would be killed or injured on major construction projects because they failed to comply with good safety practices (Pérezgonzález, 2005). Today, we understand that occupational safety is a systems design issue, not an employee compliance issue (Manuele, 2008; Michaels, 2018; Pérezgonzález, 2005). When an employee makes an unsafe choice and is injured, it is not the employee who is at fault; instead, the system is at fault because it induced the employee to make a poor decision and enabled the decision to have negative consequences. This shift in understanding has led to profound improvements in safety in many countries and industries (Pérezgonzález, 2005).
I argue that we need to make this same shift in our approach to information security. We need to stop viewing information security as an employee compliance problem and instead view security as a systems problem. This means adopting a security by design perspective (cf. Manuele, 2008), in which security is viewed as a system design issue, so that the system inhibits employees from making poor decisions that have negative consequences. I adapt the Integrated Model of Workplace Safety (IMWS) (Christian et al., 2009) to information security and highlight the need to understand additional factors that influence security and additional security outcomes that need to be studied. I also present several implications for security practice.

Information security as a safety practice
Information security research has used a variety of different theoretical lenses, including theories from public health, criminology and psychology (Moody et al., 2018). Many of these theories are based on extrinsic motivation, using threats, sanctions and negative consequences in an attempt to deter undesirable behaviors (Moody et al., 2018), although some research has begun to consider more positive approaches (Jensen et al., 2020; Silic and Lowry, 2020). In this paper, I use the lens of occupational safety to develop theoretical and practical implications for information security.
There are many parallels between safety and security. Like safety (Dov, 2008; Humphrey et al., 2004; Michaels, 2018; Zohar, 2003), information security is an additional job responsibility requiring specific knowledge that must be prioritized among a host of responsibilities competing for employees' time (Beautement et al., 2014; D'Arcy et al., 2014). Employees often deal with competing operational demands. For example, in manufacturing, production speed often competes with safety, so managers have to balance these competing priorities (Humphrey et al., 2004). Job pressure is a key factor influencing safety compliance (Christian et al., 2009), so it may also influence security compliance, because security is similar to safety compliance: an additional responsibility that must be balanced and prioritized among a host of responsibilities competing for the employee's time and attention (Beautement et al., 2014; D'Arcy et al., 2014). Security tasks can interfere with job responsibilities (Bulgurcu et al., 2010), so employees balance them against job priorities.
Like safety (Basahel, 2021; Cornelissen et al., 2014; Ford and Tetrick, 2008; Griffin and Neal, 2000; Neal et al., 2000; Saari, 1990), security success is achieved through the nonoccurrence of incidents. Unlike other job tasks where success is visible through some accomplishment (e.g. winning a contract or launching a product), security success has few visible accomplishments. For example, preventing an intrusion by setting strong passwords or installing software updates will not be noticed by users.
Safety research and advice to safety practitioners have long viewed safety compliance as a function of knowledge and motivation (Basahel, 2021; Cornelissen et al., 2014; Ford and Tetrick, 2008; Griffin and Neal, 2000; Neal et al., 2000; Saari, 1990). Information security researchers have also begun to recognize the importance of security knowledge and security motivation (Crossler and Bélanger, 2019). Knowledge is necessary because security requires the knowledge to act (Chen et al., 2018; Cram et al., 2019; Ifinedo, 2022; Silic and Lowry, 2020). Motivation is important because knowledge alone is not sufficient to actually perform the tasks (Lebek et al., 2014; Lowry et al., 2015; Menard et al., 2017). Education and training providing security knowledge is widespread in organizations (EY, 2020; PWC, 2022), and extensive research shows that it has a modest effect on security compliance (Cram et al., 2019). In contrast, less organizational effort and research attention have addressed security motivation (Boss et al., 2009; Lebek et al., 2014; Menard et al., 2017). Research in occupational safety indicates that safety compliance depends as much on motivation as on knowledge, and that motivation is central to the acquisition of knowledge (Basahel, 2021; Christian et al., 2009; Cornelissen et al., 2014; Neal et al., 2000; Saari, 1990).
Information security behavior is a function of multiple factors, including individual differences and the situational context (Cram et al., 2019). Research on workplace safety has long focused on the effects of two fundamental individual differences: safety knowledge and safety motivation (Basahel, 2021; Cornelissen et al., 2014; Neal et al., 2000; Saari, 1990). The IMWS is based on the theoretical safety model of Neal et al. (2000) and uses a meta-analysis of prior occupational safety research to identify the key factors (Christian et al., 2009). The IMWS concludes that safety compliance is primarily influenced by these two proximal factors (motivation and knowledge) and that these two factors are in turn influenced by a set of distal factors such as individual traits and organizational factors (e.g. policies, leadership, social influence and job pressure). A meta-analysis using the IMWS shows that motivation and knowledge have similar-sized effects on safety compliance (Christian et al., 2009). Motivation and knowledge tend to have stronger effects than the several dozen distal factors investigated, although some distal factors also have large effects (Christian et al., 2009).
Figure 1 presents an adaptation of the IMWS for the study of information security. This model argues that four categories of distal factors (the person, the job, the workgroup and the organization) influence the proximal factors of security motivation and security knowledge, which, combined with the security event, influence security compliance and security participation, which in turn lead to breaches and losses. Many of these factors are well known in security research (Cram et al., 2019), which shows that the IMWS and its central constructs fit comfortably into the information security context. Some constructs are relatively new to information security research.

Security performance and outcomes
The central outcome of much information security research is security compliance (Cram et al., 2019). Similarly, safety research has a central focus on compliance (Christian et al., 2009).
But safety research has an equally important second central focus: safety participation (Christian et al., 2009; Griffin and Neal, 2000; Neal et al., 2000). "Safety participation involves helping coworkers, promoting the safety program within the workplace, demonstrating initiative, and putting effort into improving safety in the workplace" (Neal et al., 2000, p. 101). Safety participation (Christian et al., 2009; Griffin and Neal, 2000; Neal et al., 2000) is similar to the advocacy component of the consumer loyalty construct (Oliver, 1999). Beyond complying with safety policies, safety participation is the advocacy of safety behaviors, similar to the advocacy of a product by loyal users (Chow and Holden, 1997; Galletta et al., 2006; Kim et al., 2002; Nordstrom and Swan, 1976; Oliver, 1999; Saga and Zmud, 1994; Tucker, 1964). Thus, I argue that we need to add information security participation to the constructs we routinely study in the area of information security. I define information security participation as the advocacy of information security to others, a construct that is separate and distinct from security compliance. A loyal security employee is someone who both complies with security policies and advocates for security. Such employees are "supporting users" in the terms of van Offenbeek et al. (2013): they both comply with security policies and advocate for them. In contrast, a "resisting user" (one who complies with policies but does not value them) (van Offenbeek et al., 2013) is not an employee loyal to information security, despite even extensive routine compliance; mandatory compliance does not constitute loyal compliance, as it is compelled behavior, not loyal behavior.
There has been some security research on security breaches and the losses they have caused (e.g. Cavusoglu et al., 2004; Furnell et al., 2020; Gordon et al., 2011; Reshmi, 2021). In general, these two outcomes (breaches and losses) have received less research attention than compliance (Cram et al., 2019). Safety research suggests that motivation is at least as important as knowledge, if not more important, in reducing accidents and losses (Christian et al., 2009). This suggests that we need more research on how security motivation and knowledge, and security compliance and participation, are linked to security breaches and losses.

Proximal factors
Security knowledge, like safety knowledge (Christian et al., 2009), is a key factor in security compliance (Cram et al., 2019), and companies spend millions of dollars every year on security education, training and awareness (SETA) programs to provide knowledge (EY, 2020; PWC, 2022). However, knowledge is only a modest predictor of security compliance (Cram et al., 2019). From a theoretical perspective, knowledge is necessary because employees need to know what security behaviors are important and how to implement them (Cram et al., 2019; Ifinedo, 2022; Silic and Lowry, 2020). Without knowledge, employees are unable to act (Cram et al., 2019). SETA is an important antecedent to employee compliance with information security policies (ISPs) (Cram et al., 2019) because it provides both security knowledge and knowledge about the ISP. Research shows that greater security knowledge increases security compliance (Al-Omari et al., 2012, 2018; Bulgurcu et al., 2010; Dinev and Hu, 2007; Ifinedo, 2022).
Safety motivation is a strong predictor of safety compliance and safety participation (Christian et al., 2009). Information security is not an intrinsically motivating task, so most users do not have a strong desire to perform it (D'Arcy et al., 2014). Like safety, security is a task that competes with other tasks (Beautement et al., 2014; Bulgurcu et al., 2010; D'Arcy et al., 2014). Individuals need to manage their limited resources so that they can focus on what they perceive to be most important (Bulgurcu et al., 2010). Information security researchers have begun to recognize the importance of motivation (Crossler and Bélanger, 2019), but research is sparse (Boss et al., 2009; Lebek et al., 2014; Lowry et al., 2015; Menard et al., 2017).
Both knowledge and motivation should be important to compliance (Christian et al., 2009; Neal et al., 2000). An individual must understand security and have the knowledge to perform security tasks. Interestingly, safety research shows that motivation is a key predictor of the acquisition of knowledge (Christian et al., 2009), so to understand security knowledge, we need to begin with research on security motivation. Motivation should play a much stronger role than security knowledge in security participation, because advocating for security does not require specific security knowledge, just a general understanding of the principles and practices, and because participatory activities are voluntary, whereas compliance is generally mandated (Neal et al., 2000).
One set of constructs that is absent from the IMWS, but that past security research shows to be important, is the characteristics of the security event itself (Cram et al., 2019): for example, threat vulnerability and severity, and response cost and efficacy, from Protection Motivation Theory (Haag et al., 2021). As a result, I include them in the model in Figure 1. What matters is how the individual employee understands the characteristics of the security event. That understanding is influenced by the event's actual characteristics, but different individuals may have very different understandings and interpretations of the same event. Individuals act on their understandings, not on the actual event characteristics that a putative "objective" third-party observer might see (James et al., 1978; Pondy, 1967), so what matters are employee perceptions of the security event.

Distal factors
The IMWS argues that a set of distal factors act over time to influence the two proximal factors of safety motivation and knowledge (Christian et al., 2009). I group these distal factors into four major categories: person, job, workgroup and organization.
Person. Individual differences are known to be a primary factor influencing information security decisions (Cram et al., 2019). Personality is an important individual difference that can affect security decisions (Johnston et al., 2016). The most commonly used model of personality is the Five Factor Model (FFM), which has five main factors: agreeableness, conscientiousness, extraversion, neuroticism (also called emotional stability) and openness to new experience (Costa and McCrae, 1992; McCrae and Costa, 1987). Safety research shows that conscientiousness matters, but other personality traits are less important (Christian et al., 2009).
Safety research suggests two other personality traits are also important to safety compliance and thus are likely to be important for information security. The first is locus of control, the extent to which people believe that they personally control the events in their lives as opposed to those events being beyond their control (Christian et al., 2009). The second is a propensity for risk-taking: the extent to which people are impulsive sensation seekers (Christian et al., 2009). Both had stronger effects than conscientiousness on safety performance (Christian et al., 2009).
Job. Individuals hold different job roles over their careers, and different jobs influence safety motivation and knowledge (Christian et al., 2009). Thus, the employee's job may also influence the motivation and knowledge of security. Different jobs present different security decisions to employees, depending on the data and information they have access to and the tasks they perform. Some job roles are critical and are widely targeted by hackers (e.g. senior managers and their direct reports), whereas other roles are not. Likewise, the technology available to employees can change their motivation to comply with security policies. For example, has the organization deployed single sign-on or cloud storage with automated backups?
One important job factor from safety that also applies to information security is job pressure (Christian et al., 2009), the pressure to complete work-related tasks that are the primary responsibility of the employees, rather than associated tasks like safety and information security. When workloads are low, employees have the capacity to perform both their primary job tasks and security tasks; there are few competing priorities between job duties and security tasks. But as the demands from primary responsibilities become stronger, competing priorities become significant and employees need to choose between tasks, and the choice becomes more difficult, especially when compliance poses a noticeable impediment to primary job productivity (Goel and Chengalur-Smith, 2010; Posey et al., 2011). Practitioner surveys note that one major reason why employees report not complying with the ISP is that they are too busy with other tasks (D'Arcy et al., 2014).
Workgroup. The workgroups in which employees spend much of their work lives have important effects on safety behavior (Christian et al., 2009). These workgroups create norms and work practices that guide how their members think about and practice safety. Information security researchers are also beginning to understand the importance of workgroup norms and practices in influencing security behaviors (Herath and Rao, 2009; Wang et al., 2023; Yoo et al., 2020). When attitudes are shared among individuals in a workgroup, there are social pressures to conform to the prevailing norms and adopt the work practices of other group members (Christian et al., 2009). Membership in the workgroup can also be an important source of identity, so conforming to norms and practices becomes an identity display behavior (Christian et al., 2009).
Organization. Security research has long studied organizational security policies and security training activities (Barlow et al., 2018; Cram et al., 2019; D'Arcy et al., 2009; EY, 2020; Kirova and Baumöl, 2018; PWC, 2022; Straub and Nance, 1990). These are some of the few obvious direct actions that organizations can take to manage security. Research shows that they have a modest effect on security compliance, not a strong one (Cram et al., 2019).
Two other important ways organizations can influence security are through the actions of the organization's leadership and the climate that organizational leaders create (Christian et al., 2009). Information security should be a top concern of organizational leadership (Alassaf and Alkhalifah, 2021), but this is not always the case. Leaders motivate employees and help develop and maintain the organizational culture, which may or may not include prioritizing information security (Alassaf and Alkhalifah, 2021).
Information security climate (also called information security culture (Kessler et al., 2020)) has significant effects on security compliance (Chan et al., 2005; Goo et al., 2014; Kessler et al., 2020; Orehek and Petrič, 2021). The security climate is established by the organization's leaders and managers and influences behavior by helping to establish what are accepted and meaningful practices within the organization (Chan et al., 2005). Security climate can have direct effects on compliance or may be an important distal factor that is mediated by more proximal factors (Goo et al., 2014; Kessler et al., 2020). Safety climate influences safety participation more than safety compliance, because of the voluntary nature of participation.

Discussion
Information security research has used theoretical lenses from public health, criminology and psychology (Moody et al., 2018). In this paper, I argue that information security research can benefit by adapting theory and research from occupational safety (Basahel, 2021; Cornelissen et al., 2014; Ford and Tetrick, 2008; Griffin and Neal, 2000; Neal et al., 2000; Saari, 1990). The IMWS (Christian et al., 2009) is likely to be particularly useful because it is based on a meta-analysis of prior safety research.

Implications for theory and research
I see four important theoretical implications from occupational safety that have the potential to reshape how we think about information security theory, research and practice. First, safety research suggests a new, important outcome variable: security participation (the advocacy of information security behaviors). Much security research has focused on compliance (Cram et al., 2019), which is also an important outcome, but the addition of security participation is important because it offers a broader understanding of information security performance; security is not just about the immediate act of compliance but also includes internalization and advocacy of security, like consumer loyalty (Oliver, 1999). A security loyalist not only complies but also advocates; someone who complies reluctantly is not a security loyalist.
Second, safety research separates the constructs that influence performance into two categories: proximal and distal. Motivation and knowledge are the two key proximal factors that influence the in-the-moment decisions of employees, with a host of other distal factors shaping these two factors. The separation of constructs into proximal and distal factors can help us sharpen information security theory (and the practical actions of organizations and managers). We can focus more on how the distal factors influence security motivation and knowledge, and then on how motivation and knowledge influence specific security decisions.
Third, the IMWS includes four distinct sets of distal factors. The person (e.g. individual differences such as personality) and the organization (e.g. policies) have long been studied in information security (Cram et al., 2019). One interesting aspect of the IMWS that has received less attention in security research is the role of senior leadership; organizations say security is important, but how many CEOs truly provide security leadership? The other two categories have received less research attention in the security area. Security researchers are beginning to study the effects of the employee's workgroup(s) on security performance (Herath and Rao, 2009; Wang et al., 2023; Yoo et al., 2020), but more research is needed to better understand how workgroups develop social norms and work practices around security. Perhaps more important is the nature of the employee's job; little research has examined job characteristics and job pressure as factors influencing security decisions.
Finally, one of the interesting differences between safety research and security research has been the focus on specific aspects of compliance or violation. Security research has focused extensively on specific security threats (Cram et al., 2019), and several theories include beliefs about specific threats (e.g. threat severity and threat likelihood (Haag et al., 2021)). In contrast, threat-specific factors are absent from the IMWS. This rather starkly highlights the different philosophical stances of the two streams of research: security research focusing on the individual actor responding to the influence of the moment, and safety research focusing more holistically on an individual within a larger ecosystem. This suggests opportunities for both research areas to reconsider their implicit assumptions.

Implications for practice
The research model adapted from the IMWS in Figure 1 offers value to practice by highlighting a larger set of factors that managers can use to influence security compliance (e.g. job and workgroup). Most organizations are focused on SETA training to provide security knowledge as the primary means to improve the security behavior of their employees.
Organizational Cybersecurity Journal: Practice, Process and People
Figure 1 shows that security motivation drives the acquisition of security knowledge, so influencing employee motivation is essential and comes before providing knowledge. Figure 1 also highlights security participation as an important practical aspect that organizations can measure and track over time.
Perhaps the most important implication for security practice that we can take from occupational safety is not clearly highlighted in Figure 1. Information security takes employee time and can be an impediment to work practices (Bulgurcu et al., 2010), forcing employees to choose between security compliance and other job responsibilities (D'Arcy et al., 2014). This trade-off between work and safety has long played out in manufacturing, where safety often competes with production efficiency, requiring employees to balance the two (Humphrey et al., 2004; Michaels, 2018; Zohar, 2003).
Safety managers no longer see poor employee decisions as the source of safety problems, but rather as the consequences of poor safety processes (Michaels, 2018). When an employee makes a poor safety decision, the employee is not at fault (except in egregious cases). Instead, the primary cause of the safety violation is a poorly designed workplace ecosystem that induced an employee to make a poor decision and permitted that decision to have consequences (Manuele, 2008; Michaels, 2018; Pérezgonzález, 2005). This shift in understanding, and the move to design safety into workplace ecosystems (Manuele, 2008), has dramatically improved safety (Pérezgonzález, 2005).
We need to stop thinking of employees as a source of security problems and instead recognize that employee behavior is a consequence of the ecosystem in which they work (e.g. business processes, technology, social systems). When a security breach occurs, it is likely the result of a poorly designed workplace ecosystem that induced an employee to make a poor security decision and permitted that decision to have consequences. When an individual fails to comply with security policy, it is not an individual failure; it is a system failure, and it indicates that the system needs to be redesigned, not that the employee needs to be disciplined. We need to redesign workplace business processes and information systems to design security into the systems and procedures, so as to prevent employees from making poor decisions and to prevent those decisions from having consequences.
For example, phishing has been a major source of security breaches; we know that employees will click on phishing links. Therefore, we need to change the ecosystem so that clicking on phishing links has few security consequences. For example, we can change Web browser technology so that if an employee visits a fake Web site masquerading as an organizational website (or their bank), the browser can recognize this because the employee has never logged into the Web site before. Password managers (both third-party and those integrated into web browsers) routinely save and track websites where the user has previously logged in, so it would be simple to extend this functionality to vividly display warning information when an employee attempts to log in to a website they have never visited before (thereby warning employees that this is not their normal site). Microsoft recently implemented a new feature in Outlook that flags emails from senders you do not commonly receive emails from, in an attempt to help users separate phishing emails from emails from firms they deal with regularly (e.g. their bank). The intent and explanation of this feature are not clear, but it is a good first step toward building phishing security into the technology. Likewise, many firms are beginning to change their websites to eliminate passwords by emailing users links to log in, so that phishing has no consequences.
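The first-visit warning described above, as an added example that is not the paper's code and not the behaviour of any real password manager or mail client: a small Python check that normalizes the origin of a login page, compares it with the origins a password manager would have saved from earlier logins, and, when the origin is new, explains why it may be a fake of a site the user does know (a saved host embedded in a longer name, a near-identical spelling, a page without TLS, or an internationalized hostname). The `is_first_contact` function re-implements the "unfamiliar sender" heuristic that the Outlook feature is described as using. The known-origin set, the mail history, the similarity threshold and all function names are constructed assumptions.

```python
"""Novelty checks of the kind the passage describes: warn on a login to an origin
the user has never logged into before, and flag mail from an unfamiliar sender.
Added example; the saved origins and mail history below are constructed."""
import difflib
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
LOOKALIKE_THRESHOLD = 0.85  # assumption: similarity ratio above which two hosts are "look-alikes"

# Constructed: origins a password manager would have saved after earlier logins.
KNOWN_LOGIN_ORIGINS = {"https://bank.example.com", "https://mail.example.org"}
# Constructed: how many messages the user has received from each address so far.
RECEIVED_FROM = {"alerts@bank.example.com": 12, "hr@example.org": 3}


def login_origin(url: str) -> str:
    """Normalize a URL to scheme://host[:port], the unit a password manager keys on.
    Case and default ports are stripped so trivial variants of a saved site do not look new."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lower-cased
    if not scheme or not host:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = parts.port
    if port is None or DEFAULT_PORTS.get(scheme) == port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def host_of(origin: str) -> str:
    """Extract the host part of a normalized origin."""
    return origin.split("://", 1)[1].split(":", 1)[0]


@dataclass
class Verdict:
    origin: str
    known: bool
    warnings: list[str] = field(default_factory=list)


def check_login(url: str, known_origins: set[str] = KNOWN_LOGIN_ORIGINS) -> Verdict:
    """Decide whether a login form on `url` belongs to a site the user has logged into before.
    An unknown origin is the text's 'never logged in here' signal; the extra checks say
    why the new site may be imitating one the user does know."""
    origin = login_origin(url)
    verdict = Verdict(origin=origin, known=origin in known_origins)
    if verdict.known:
        return verdict
    verdict.warnings.append("first login to this site")
    host = host_of(origin)
    if origin.startswith("http://"):
        verdict.warnings.append("credentials would be sent without TLS")
    if any(label.startswith("xn--") for label in host.split(".")) or any(ord(c) > 127 for c in host):
        verdict.warnings.append("internationalized hostname; check for look-alike characters")
    for known in known_origins:
        known_host = host_of(known)
        # A saved host embedded in a longer name (bank.example.com.evil.test) or a
        # near-identical spelling (bank-example.com) is the classic fake-site pattern.
        similar = difflib.SequenceMatcher(None, host, known_host).ratio() >= LOOKALIKE_THRESHOLD
        if known_host in host or similar:
            verdict.warnings.append(f"resembles saved site {known_host}")
    return verdict


def is_first_contact(sender: str, history: dict[str, int] = RECEIVED_FROM, minimum: int = 1) -> bool:
    """True when the user has received fewer than `minimum` messages from `sender`.
    This re-implements the unfamiliar-sender heuristic in general form; it is not
    any mail client's actual logic."""
    return history.get(sender.strip().lower(), 0) < minimum


if __name__ == "__main__":
    for url in ("https://Bank.Example.com:443/login",
                "https://bank.example.com.evil.test/login",
                "http://bank-example.com/login"):
        print(url, "->", check_login(url))
    print("ceo@bank-example.com first contact:", is_first_contact("ceo@bank-example.com"))
```

The design point is the one the passage makes: the check needs no knowledge of any particular attack, only a record of where the user has been before, and the warning is raised before credentials are entered rather than after a breach. A practitioner would feed `check_login` the origin of the page hosting the password field and pass `known_origins` from the password manager's store; the similarity test is deliberately simple and should be tuned against the organization's own saved sites.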

Conclusion
In summary, I argue that occupational safety is a useful reference discipline for information security research. By adapting theory and research from safety into our security research, we can develop better theories of information security. We can also improve security practices by adopting the perspective from safety that individual employees are not the source of information security breaches; rather, the real culprit is workplace ecosystems that induce employees to make poor security decisions and permit those decisions to have negative consequences.
Figure 1. Research model adapted from IMWS (Christian et al., 2009).

Safety research has found two other person-specific factors to have important effects on safety compliance. The first is general job attitudes, such as job satisfaction and organizational commitment; more positive attitudes might lead to greater motivation to behave safely (Christian et al., 2009). The second is safety attitudes, individual perceptions of policies, practices and procedures pertaining to safety (Christian et al., 2009). Job attitudes and security attitudes have received only a little research in information security, suggesting two promising avenues for future research.