Acad emics and practitioners alike

Acad emics and practitioners alike recognize employees as a major threat to organizational
information security efforts [14, 69]. To address this “insider” threat, organizations
have devoted significant resources into behavioral security measures, such as
policy development and education and training, in addition to continually updating their
security technologies [54]. U.S. federal and state governments and certain industries
have also introduced regulations and standards that mandate organizations’ internal
security measures [14]. Despite these initiatives, a class of employee security–related
behaviors known as volitional (but not malicious) information security policy (ISP)
violations [27, 71] (e.g., password sharing, failing to log off when leaving workstation)
continue to plague organizations. At least some explanation for this predicament is
that employees face a surfeit of rapidly expanding security requirements (i.e., policies,
procedures, and technical controls), which they find to be constraining, inconvenient,
and difficult to understand [51, 53, 69]. Evidence of this comes from a recent survey
of over 2,800 employees [16] in which “too busy to think about policies” and “policies
are inconvenient to follow” were reported as chief reasons for ISP violations.
Some authors have suggested that security requirements can backfire and bring about
security-diminishing behavior due to the demands (e.g., time, effort, frustration) they
impose on employees [51, 60, 64]. Although there is preliminary evidence to support
this notion [51], the information systems (IS) literature lacks a systematic, theorydriven
investigation of the potential adverse effects of organizational information
security requirements (hereafter security requirements) on user behavior. A goal of
this paper is to address this gap.
Against this backdrop, we offer a new avenue for understanding employees’ ISP
violations—namely, workplace stress due to security requirements and its coping
response. The topic of stress has a long history in the organizational and psychology
literatures and empirical results have shown that negative work stressors1 predict a
variety of undesirable employee behaviors (e.g., [25, 57]). Within the IS literature,
research indicates that employee stress–related to the use information technology
(IT) (i.e., technostress) influences a number of IT and non-IT-related cognitions
and behaviors [56, 67]. In the present study, we extend the technostress concept to
the domain of IS security and explain three conditions—overload, complexity, and
uncertainty—in which security requirements can create stress in employees. We
theorize that this form of employee stress, termed security-related stress (SRS), is a
contributor to ISP violations.
Using coping theory as a foundation [38], we develop and empirically test a model
of ISP violation intention which predicts that employees engage in emotion-focused
coping in response to SRS. We explicate this emotion-focused coping in the form of