Paper ID

1842

Paper Type

short

Description

Employees are exposed to a great number of security requirements such as information security policies (ISPs) or technical controls. Motivated by prior research indicating that such requirements can also have adverse effects, we introduce the concept of security-related cynicism. Based on organizational literature on employee cynicism, we conceptualize security-related cynicism as a negative attitude with cognitive, affective, and behavioral components directed towards key targets of an organization’s information security ecosystem, i.e. the people responsible for information security, the employed security technologies, and ISPs in use. We present our initial development of security-related cynicism and integrate it in a model including psychological contract violation and in- and extra-role security behaviors (ISP compliance and voice). In doing so, we propose that cynical employees, though unwilling to follow ISPs unquestioningly, could also be the devil’s advocate and challenge ineffective ISPs by raising their voice, making security-related cynicism a double-edged sword for organizations.


Security-Related Cynicism: A Double-Edged Sword?
