Security demands, organisational and personal resources: a stress-based security compliance model

Pham, H 2016, Security demands, organisational and personal resources: a stress-based security compliance model, Doctor of Philosophy (PhD), Business IT and Logistics, RMIT University.

Document type: Thesis
Collection: Theses

Attached Files
Name Description MIMEType Size
Pham.pdf Thesis application/pdf;... 3.85MB
Title Security demands, organisational and personal resources: a stress-based security compliance model
Author(s) Pham, H
Year 2016
Abstract This thesis examines the impact of information security demands and organisational and personal resources on Information Technology (IT) users’ security compliance behaviour in different organisations in Vietnam. IT users’ security compliance is essential to the overall effectiveness of information security programs and policies in organisations. Users’ failure to comply with security policies and/or procedures results in cyber risks and compromises the security of the organisation’s information systems. By employing an exploratory sequential design of the mixed methods approach, this PhD research proposes and tests a theoretical model of stress-based security compliance. Specifically, the research demonstrates that security engagement mediates the impact of security demands and organisational and personal resources on employees’ security compliance. Existing research to date has not yet focused on mediating factors between security demands, organisational and personal resources and users’ security compliance.

The developed research model interrogated the extended Job Demands-Resources (JD-R) model, which is usually used to assess individuals’ work stress or burnout caused by fulfilling job demands, to explain security compliance. This research proposes that fulfilling security demands leads to compliance burnout, which consequently reduces security compliance. Adequate organisational and personal resources would not only reduce employees’ compliance burnout but also promote security engagement (i.e. the energy and enthusiasm in performing security tasks), which motivates user security compliance.

The extended JD-R model has not been applied to ascertain determinants of security behaviour; therefore, some qualitative research is required to check that the theory still applies. The first stage of the research (Study One) involved a qualitative study using in-depth interviews with 17 participants in three organisations to explore whether characteristics of security requirements and types of organisational and personal resources can be used to explain security compliance. In particular, Study One identified three characteristics of security demands (security overload, access to security policies, and security skill requirements), four types of organisational resources (security communication efficacy, skill use and development, rewards and sanctions) and two personal resources (self-efficacy and security exposure) that affected the participants’ security compliance. Findings from Study One helped further refine the studied theoretical model, as well as develop the survey instrument to test the model in the second stage of the research (Study Two).

Study Two involved a quantitative study using a survey to empirically test the theoretical model developed from the literature review and Study One. Four hundred and forty-three (443) participants from different organisations in Vietnam took part in the survey. The study employed several procedural remedies during data collection to control for common method bias. The data collected from the survey was analysed using structural equation modelling, and the results of the analysis supported the theoretical model with some exceptions. Study Two found that factors drawn from the JD-R model, such as organisational resources, self-efficacy, and security engagement, have a much stronger impact on security compliance than security demands and compliance burnout do. In particular, security engagement partially and positively moderates the impact of organisational resources on security compliance and fully moderates the impact of security self-efficacy, security exposure, and security skill requirements on compliance. Study Two also demonstrated that security compliance burnout has little impact on security compliance if users receive effective organisational security resources and possess security self-efficacy.

The findings of the research offer a number of theoretical implications for advancing behavioural security research and practical implications for organisations developing effective security compliance programs. By extending the extended JD-R model, this research offers a theoretical explanation and empirical support for the mediating effects of security compliance burnout and engagement on security compliance. For security practitioners, the results showed that specific implementations and operations of IT security systems can have negative impacts on users’ burnout and engagement, which to some extent influence compliance with security policies. Security practitioners should focus on providing adequate resources to promote engagement and compliance.
Degree Doctor of Philosophy (PhD)
Institution RMIT University
School, Department or Centre Business IT and Logistics
Subjects Information Systems Management
Information Systems Theory
Information Systems not elsewhere classified
Keyword(s) Security compliance
Organisational security resources
Security demands
Compliance burnout
Security engagement
Security self-efficacy
Access Statistics: 230 Abstract Views, 343 File Downloads
Created: Fri, 24 Jun 2016, 15:19:43 EST by Denise Paciocco