Are your employees committed to information security? Let’s hope.

Sal Aurigemma, Assistant Professor of Management Information Systems
Lori Leonard, Collins Professor of Management Information Systems

Practitioners and management researchers have long considered the magnitude of an employee’s emotional commitment to their organization an important factor affecting work performance. Organizational commitment is generally defined as an employee’s identification with, involvement in and emotional attachment to an organization, together with the perceived costs of supporting organizational goals and interests. Higher levels of employee organizational commitment result in fewer negative work behaviors (such as absenteeism) and more positive work-related outcomes (such as higher retention, better work performance and greater employee well-being).

In the case of employee organizational commitment, more is clearly better.

What has not been examined previously, however, is precisely how differences in employee organizational commitment levels potentially impact their information security behaviors while at work.

Employees are organizational insiders who represent potential major security risks primarily because they have legitimate access to corporate information resources and reside inside the perimeter defenses of corporate firewalls and other security mechanisms. Most employees are considered non-malicious; they may take unsafe security actions for a variety of reasons, but do not purposefully intend to harm their organizations. Sometimes, however, employees can unintentionally do serious harm to an organization’s security posture.

Many advanced cyber attacks begin when an insider improperly opens a malicious e-mail attachment, giving attackers an initial foothold on the corporate network. The widely publicized Target Stores data breach in November 2013, for example, is believed to have started when an organizational insider fell victim to a phishing e-mail and had their account credentials stolen. Target is not alone: the majority of known data breaches in 2015 were caused or facilitated by improper employee security actions.

To evaluate the impact of employee organizational commitment on security behaviors, we studied employees of a large U.S. government agency with a robust set of information security policies on which its employees were well trained. As in many of the most widely accepted models of human behavior, we adopted the assumption that employees are generally rational in their actions. As rational actors, employees complete a mental calculation of the potential benefits and costs before deciding whether or not to comply with their designated security policies.

Fundamentally, the rational security behavior calculus is composed of three components: perceived benefit of compliance, representing the favorable consequences of following the security rules; perceived cost of compliance, representing the unfavorable consequences of complying with the rules; and perceived cost of noncompliance, representing the expected unfavorable consequences resulting from noncompliance with the security rules.

The results of this study extended previous organizational commitment findings to the information security behavior domain and were the first to confirm the importance of organizational commitment in the formation of attitudes toward security actions. The study showed that employees weighed the perceived benefits of complying with security policies much more heavily than the cost-related factors (cost of compliance and cost of noncompliance).

From a practical perspective, it could be seen as a positive outcome that employees focus more on the benefits of following security policies. Ideally, however, all organizations would like their employees to understand and appreciate the potential negative impact of not complying with the security policies (beyond the threat of sanctions if caught violating the requirements) and to use that knowledge to strengthen their intent to comply. Likewise, reducing the perceived cost of complying with the policies should also bolster compliance intent. Training that specifically addresses these cost-related factors should improve employee attitudes toward security requirements.

In general practice, an organization should maintain awareness of events that may affect its employees’ affective commitment toward the organization, because such events may directly affect employee security behaviors and attitudes. For example, energy industry employees fearing job cuts due to low oil and gas prices may experience a decline in morale and, with it, reduced organizational commitment. As an unintended or unexpected consequence, security may suffer. In such situations, it is in the organization’s interest not only to improve the conditions that led to the decline in organizational commitment, but also to focus effort on monitoring security behaviors and to take the actions necessary to improve compliance.

A complete version of this research was recently published in the Journal of Information System Security.