Paper ID

2411

Paper Type

short

Description

One of the ultimate goals of InfoSec research is to reduce employees' violations of Information Security Policies (ISP). Since insider threat remains the biggest issue in this area, preventing employees' noncompliant behaviors is still important. At the same time, we should not neglect research questions on how to encourage employees' compliant behaviors. There is a shortage of research that addresses positive outcomes and rewards in the context of InfoSec. The proposed study will import operant conditioning theory and use a token economy as the behavioral management mechanism for promoting employees' compliant behaviors with ISP. We think that gain frames and rewards will give employees a different reason to comply with ISP, one other than eliminating fear or avoiding sanctions. Moreover, the inclusion of individual risk preferences can provide possible explanations of why rewards and sanctions do not work consistently in the context of InfoSec. We believe that emphasizing positive outcomes and rewards can encourage more compliant behaviors with ISP while reducing employees' noncompliant behaviors.


The Application of Operant Conditioning Theory in Employees’ IS Security Behavioral Management
