Paper Number



Information security attacks typically exploit the weakest link in the chain, which is in most cases is the IT end user at the workplace. While great strides have been made in understanding and explaining information security behavior, little is known about how such behavior is acquired by individuals in the first place. This research approaches the phenomenon through the lens of social learning theory. We argue that a new employee's behavior is initially learned through differential associations within the social network, rather than through knowledge of formal policies and associated sanctions. We used a scenario-based experimental approach and collected data from new employees with five years or less of work experience. Our results show that employee’s behavior changes over time. Reinforcement through sanctions becomes more important in the maintenance phase, while imitation of others becomes less relevant.



When commenting on articles, please be friendly, welcoming, respectful and abide by the AIS eLibrary Discussion Thread Code of Conduct posted here.