Although prior information security research predominantly focuses on organizational in-role security behaviors (e.g., information security policy (ISP) compliance), the role of extra-role security behaviors – secure actions unspecified in ISPs but beneficial to organizations – has not seen nearly as much attention. At the same time, employees’ awareness manifests itself as prerequisite for security behavior but without research having really understood all of its potential impacts. Therefore this study ex-amines the role of information security awareness (ISA) in enhancing extra-role security behaviors in addition to in-role security behaviors. In particular, we propose that general ISA enhances promotive extra-role security behaviors (i.e., helping and voice) and ISP awareness fosters prohibitive extra-role security behaviors (i.e., stewardship and whistle-blowing). Data was collected from a field study, where employees responded to incoming emails from co-workers and supervisors asking for password sharing, unsafe data sharing via private emails, as well as the use of private cloud services and unau-thorized software. Our findings show that general ISA and ISP awareness are indeed driving both in-role and extra-role security behaviors. We discuss our implications for theory and practice, and con-clude with interesting avenues for further research.
Jaeger, Lennart and Eckhardt, Andreas, "When Colleagues Fail: Examining the Role of Information Security Awareness on Extra-Role Security Behaviors" (2018). Research Papers. 124.