Research On Influence Factors And Mechanisms Of Employee's Information Security Behavior From The Control And Fit Perspective

Posted on: 2019-11-21 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: H Chen
GTID: 1369330572453498 | Subject: Management Science and Engineering
Abstract/Summary:
Information security incidents lead to enormous financial loss and reputational damage. Internal threats caused by employees have exceeded external threats to become the primary cause of information security incidents. Information security needs not only the support of security technology and the improvement of the legal system, but also consideration of human factors at the management level. Behavioral information security is also an important part and key link of enterprise information security management. This study aims to build a model of employees' information security behavior and analyze its formation and governance mechanisms in the context of enterprise information security management, thus providing a theoretical basis and practical guidance for the formulation and implementation of information security management strategies, as well as for establishing and maintaining the security of the enterprise's information assets. In enterprise practice, employees not only need to engage in in-role behaviors according to the information security policy (ISP); they are also encouraged to participate in extra-role behaviors, actions that may seem to go beyond the requirements and limitations of security policies and that can provide input into forming suitable and feasible security policies that provide insights against emerging threats in the operating environment. Enterprises should take measures with control constraints to promote employees' in-role behaviors, that is, ensure that employees meet the organization's expectations to comply with ISPs while avoiding actions that violate such ISPs. Employees have autonomy to take part in extra-role behaviors; a person-organization fit in information security at the value cognition and demand-supply levels would help to guide employees to participate voluntarily in extra-role behaviors. This study focuses on employees' information security in-role behaviors (ISP compliance behavior and violation behavior) and extra-role behavior, and tries to explore the key factors that influence these behaviors, and their mechanisms, from the control and fit perspectives. The contents and main contributions of this paper are focused on the following aspects.

First, we integrate face orientation theory and the organizational control framework to develop our research model, which helps to delineate the influence of perceived reward and perceived punishment as the formal control mechanism and the role of Chinese employees' face orientation as the informal control mechanism in promoting employees' compliance with ISPs. The results indicate that reward and punishment both have a positive constraining effect on ISP compliance intention. Besides, face orientation also plays a very important role in effectively promoting employees' ISP compliance intention. Moreover, this study confirms that protective face orientation and acquisitive face orientation both negatively moderate the relationship between the formal control variables and ISP compliance intention. The main contribution and innovation of this part of the research lie in introducing face management to explore the positive role of Confucian cultural context factors in enterprise information security management in China. The research conclusion reveals the implicit constraining function of face orientation on employees' ISP compliance behavior. It also complements and improves the formal control mechanism.

Second, we try to understand employees' ISP violation behavior from the failure of the personal moral self-regulation constraint, and evaluate the effectiveness of the appropriate organizational measures. We integrate moral disengagement theory and organizational ethical climate theory to build a research model. Our empirical results highlight that moral disengagement has a significant effect on employees' intention to violate ISPs. We also find that the organizational ethical climate has a moderating role in the relationship between moral disengagement and ISP violation intention. Specifically, the law-and-rule-oriented organizational ethical climate negatively moderates the relationship between moral disengagement and violation intention; the instrumentalism-oriented organizational ethical climate positively moderates the path between moral disengagement and violation intention. The contribution and innovation of this part is that organizational ethical climate is newly integrated into research on information security management behavior, in order to explore the constraint mechanisms from the perspective of cultural ethics. The research has positive practical guiding significance for organizational ethics training and the construction of an information security ethics climate.

Third, we build a research model based on person-organization fit theory to discuss the key factors that motivate employees to play a positive role and participate in information security extra-role behavior. It analyzes the key paths and influence of complementary fit and supplementary fit in security commitment and apathy to motivate extra-role behavior. The results illustrate that complementary fit (perceived demand-ability fit and perceived need-supply fit) has a direct positive effect on extra-role behavior. Supplementary fit (perceived value fit) has an indirect impact on extra-role behavior by encouraging security commitment and eliminating apathy. The contribution and innovation of this part lie in discussing the fit mechanism in behavioral information security research, to encourage enterprises to pay more attention to extra-role behaviors and to call on employees to participate in them. The fit mechanism views employees and the organization as being in an equal exchange relationship, and provides three kinds of fit paths to cultivate security commitment and eliminate apathy, thus promoting employees' voluntary participation in extra-role behavior.

In conclusion, this study focuses on enterprise information security management from the behavioral perspective. The research conclusions provide a reference for enterprise practice in information security management, and are especially helpful in building an information security ethics climate, developing ethics training, and designing control mechanisms to constrain employees' negative behaviors. Besides, this dissertation calls for attention to the positive role of employees in information security management. Employees will better participate in the extra-role behavior of information security under the guidance of fit mechanisms in the organization.
Keywords/Search Tags: Information Security Behavior, Organization Control, Self-regulation, Fit Mechanism