ABSTRACT

Employee behaviour is fundamental to corporate information security (InfoSec) capabilities across the phases of prevention, detection, and response. Unfortunately, despite over a decade of research on the topic, the human aspect of security remains the most vulnerable in many companies today, often rooted in employee disinterest. Two traditions within the InfoSec research that may contribute to this disconnect are 1) emphasis on extrinsic manipulation of behaviour versus cultivation of internalised commitment to organisational InfoSec and 2) emphasis on isolated activities over more integrated perspectives of security behaviour. Addressing these gaps, the current study examines end user InfoSec behaviour through a distinct internal motivational lens. Rooted in Self-Determination Theory, a research model is introduced that highlights workplace factors which drive end users’ internalised commitment to organisational InfoSec by fulfiling fundamental psychological needs (autonomy, competence, and relatedness) within this context. Commitment, which captures internally regulated motivation to contribute to organisational InfoSec performance, is then positioned as a driver of intention to engage in various security behaviours. Overall, the results support the study’s hypotheses and underscore the important roles perceived behavioural control, IT competence, and user-IS department relations have on commitment to organisational InfoSec and resultant behavioural outcomes.

摘要

员工行为是跨预防、检测和响应阶段的企业信息安全 (InfoSec) 功能的基础。不幸的是，尽管对这个话题进行了十多年的研究，但在当今许多公司中，安全的人为因素仍然是最脆弱的，这往往源于员工的不感兴趣。InfoSec 研究中可能导致这种脱节的两个传统是 1) 强调行为的外在操纵与培养对组织 InfoSec 的内部化承诺，以及 2) 强调孤立的活动而不是更综合的安全行为观点。为了解决这些差距，当前的研究通过一个独特的内部激励镜头来检查最终用户的 InfoSec 行为。植根于自决理论，引入了一个研究模型，强调工作场所因素，这些因素通过在此背景下满足基本心理需求（自主性、能力和相关性）来推动最终用户对组织信息安全的内化承诺。承诺捕获内部监管的动机以促进组织信息安全绩效，然后被定位为参与各种安全行为的意图的驱动因素。总体而言，结果支持该研究的假设，并强调了感知行为控制、IT 能力和用户-IS 部门关系对组织 InfoSec 的承诺和由此产生的行为结果的重要作用。和相关性）在此上下文中。承诺捕获内部监管的动机以促进组织信息安全绩效，然后被定位为参与各种安全行为的意图的驱动因素。总体而言，结果支持该研究的假设，并强调了感知行为控制、IT 能力和用户-IS 部门关系对组织 InfoSec 的承诺和由此产生的行为结果的重要作用。和相关性）在此上下文中。承诺捕获内部监管的动机以促进组织信息安全绩效，然后被定位为参与各种安全行为的意图的驱动因素。总体而言，结果支持该研究的假设，并强调了感知行为控制、IT 能力和用户-IS 部门关系对组织 InfoSec 的承诺和由此产生的行为结果的重要作用。