Extra-role security behaviors (ERSBs) – spontaneous security behaviors that are not prescribed in organizational security policies – are seen as a useful addition to securing informational assets in organizations. However, this exploratory study, based on findings obtained through 29 in-depth interviews, challenges this positive perspective and shows that extra-role security behaviors cut both ways: They are either helpful or harmful. In addition, our results suggest that (1) ERSB contributes to varying degrees to the effectiveness of information security compliance, (2) the self-determination theory contributes to understanding the motivators for ERSB, and (3) the construal level theory of psychological distance explains the differential risk evaluation of ERSB. We discuss implications for researchers and practitioners – particularly in terms of promoting the beneficial nature of extra-role security behaviors – and suggest compelling avenues for future research.
Disciplines:
Management information systems
Author, co-author:
FRANK, Muriel-Larissa; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX
Kohn, Vanessa; Goethe University Frankfurt
External co-authors:
yes
Document language:
English
Title:
Understanding extra-role security behaviors: An integration of self-determination theory and construal level theory