The widespread belief that employees are the weakest link in organizational information security leads to exposing them to a myriad of security requirements (i.e., policies and technical controls). Motivated by prior research indicating that such requirements can also have adverse effects, we introduce the concept of security-related cynicism. Based on organizational literature on employee cynicism, we develop a multidimensional construct including three key targets of employees’ security-related cynicism – the people responsible for information security, the employed security technologies, and the information security policies in use. We present our initial development of security-related cynicism by conceptualizing the construct, generating items from literature, and assessing the items’ content validity. By conducting a pretest and a main study, we plan to empirically validate a construct that helps researchers and practitioners alike to measure employees’ cynical attitudes towards information security.

Abstract Only