Abstract

IT security remains high on the agenda of CIOs, with employees’ adoption of security behaviors—behaviors that employees adopt to protect organizational IT assets—being a top concern. To explain when employees adopt security behaviors, the information systems security (ISec) literature mainly employs deductive studies that draw on theory-based assumptions about goals—mostly from behavioral theories used in criminology and public health (e.g., avoiding sanctions, avoiding harm from threats, avoiding disapproval and blame). However, as these theories typically do not theorize about employees’ goals specific to the workplace, they offer limited insights into the goals that employees pursue at work; subsequently, not much is known about the goals that motivate employees’ security behaviors at work. Against this backdrop, this research provides a complementary, inductive-first inquiry into the work-related goals that drive employees’ security behaviors. Using a qualitative-quantitative mixed methods research design, we identify four goals (Study 1) and evaluate their importance for predicting employee security behaviors (Study 2). Overall, we find evidence that employees’ work performance and blame avoidance goals are the most salient predictors of security behaviors; as a result, our findings suggest that employees engage in security behaviors primarily because they believe it will help them meet supervisors’ expectations—a key goal that has been largely ignored in the previous ISec literature.

DOI

10.17705/1jais.00950
