Asia pacific journal of information systems

The Korea Society of Management Information Systems (한국경영정보학회)
권호 표지
DOI QR코드

DOI QR Code

Investigate the Roles of Sanctions, Psychological Capital, and Organizational Security Resources Factors in Information Security Policy Violation

  • Ayman Hasan Asfoor (Department of Information Technology, Faculty of Computer Science, Jubail Industrial College) ;
  • Hairoladenan kasim (Department of Informatics, Faculty of Computer and Information Technology, Tanga Nasional University) ;
  • Aliza Binti Abdul Latif (Department of Informatics, Faculty of Computer and Information Technology, Tanga Nasional University) ;
  • Fiza Binti Abdul Rahim (Penyelaras Program, Fakulti Teknologi and Informatik Raza, Universiti Teknologi Malaysia)
  • Received : 2023.01.28
  • Accepted : 2023.08.16
  • Published : 2023.12.31
Download PDF
⟨ Previous Next ⟩

Abstract

Previous studies have shown that insiders pose risks to the security of organisations' secret information. Information security policy (ISP) intentional violation can jeopardise organisations. For years, ISP violations persist despite organisations' best attempts to tackle the problem through security, education, training and awareness (SETA) programs and technology solutions. Stopping hacking attempts e.g., phishing relies on personnel's behaviour. Therefore, it is crucial to consider employee behaviour when designing strategies to protect sensitive data. In this case, organisations should also focus on improving employee behaviour on security and creating positive security perceptions. This paper investigates the role of psychological capital (PsyCap), punishment and organisational security resources in influencing employee behaviour and ultimately reducing ISP violations. The model of the proposed study has been modified to investigate the connection between self-efficacy, resilience, optimism, hope, perceived sanction severity, perceived sanction certainty, security response effectiveness, security competence and ISP violation. The sample of the study includes 364 bank employees in Jordan who participated in a survey using a self-administered questionnaire. The findings show that the proposed approach acquired an acceptable fit with the data and 17 of 25 hypotheses were confirmed to be correct. Furthermore, the variables self-efficacy, resilience, security response efficacy, and protection motivation directly influence ISP violations, while perceived sanction severity and optimism indirectly influence ISP violations through protection motivation. Additionally, hope, perceived sanction certainty, and security skills have no effect on ISP infractions that are statistically significant. Finally, self-efficacy, resiliency, optimism, hope, perceived severity of sanctions, perceived certainty of sanctions, perceived effectiveness of security responses, and security competence have a substantial influence on protection motivation.

Keywords

References

  1. Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179-211. https://doi.org/10.1016/0749-5978(91)90020-T. 
  2. Akter, S., Uddin, M. R., Sajib, S., Lee, W. J. T., Michael, K., and Hossain, M. A. (2022). Reconceptualizing cybersecurity awareness capability in the data-driven digital economy. Annals of Operations Research. https://doi.org/10.1007/s10479-022-04844-8. 
  3. Alavizadeh, H., Jang-Jaccard, J., Enoch, S. Y., Al-Sahaf, H., Welch, I., Camtepe, S. A., and Kim, D. D. (2022). A Survey on Cyber Situation-Awareness Systems: Framework, Techniques, and Insights. ACM Computing Surveys, 55(5), 1-35. https://doi.org/10.1145/3530809. 
  4. Aldawood, H., and Skinner, G. (2020). Evaluating contemporary digital awareness programs for future application within the cyber security social engineering domain. International Journal of Computer Applications, 177(31), 57-61. https://doi.org/10.5120/ijca2020919793 
  5. Alfons, A., Ates, N. Y., and Groenen, P. J. F. (2022). A robust bootstrap test for mediation analysis. Organizational Research Methods, 25(3), 591-617. https://doi.org/10.1177/1094428121999096 
  6. Alohali, M., Clarke, N., Li, F., and Furnell, S. (2018). Identifying and predicting the factors affecting end-users' risk-taking behavior. Information and Computer Security, 26(3), 306-326. https://doi.org/10.1108/ICS-03-2018-0037 
  7. Al-Omari, A., El-Gayar, O., and Deokar, A. (2012). Information security policy compliance: The role of information security awareness. 18th Americas Conference on Information Systems 2012, AMCIS 2012, 2(January), 1633-1640. 
  8. Alotaibi, M. (2017). A Model for Monitoring End-User Security Policy Compliance. Plymouth University. 
  9. Alshare, K., Lane, P. L., and Lane, M. R. (2018). Information security policy compliance: A higher education case study. Information and Computer Security, 26(1), 91-108. https://doi.org/10.1108/ICS-09-2016-0073 
  10. Altahat, S. M., and Atan, T. (2018). Role of healthy work environments in sustainability of goal achievement; ethical leadership, intention to sabotage, and psychological capital in Jordanian universities. Sustainability (Switzerland), 10(10). https://doi.org/10.3390/su10103559. 
  11. Anye, E. (2019). Factors affecting employee intentions to comply with password policies. 
  12. Aurigemma, S., and Mattson, T. (2014). Do it OR ELSE! exploring the effectiveness of deterrence on employee compliance with information security policies. In 20th Americas Conference on Information Systems, AMCIS 2014 (pp. 1-12). 
  13. Aurigemma, S., and Mattson, T. (2017a). Deterrence and punishment experience impacts on ISP compliance attitudes. Information and Computer Security, 25(4), 421-436. https://doi.org/10.1108/ICS-11-2016-0089 
  14. Aurigemma, S., and Mattson, T. (2017b). Privilege or procedure: Evaluating the effect of employee status on intent to comply with socially interactive information security threats and controls. Computers and Security, 66, 218-234. https://doi.org/10.1016/j.cose.2017.02.006 
  15. Avey, J. B., Luthans, F., Smith, R. M., and Palmer, N. F. (2010). Impact of positive psychological capital on employee well-being over time. Journal of Occupational Health Psychology, 15, 17-28.  https://doi.org/10.1037/a0016998
  16. Avey, J. B., Wernsing, T. S., and Luthans, F. (2008). Can positive employees help positive organizational change? Impact of psychological capital and emotions on relevant attitudes and behaviors. The journal of applied behavioral science, 44(1), 48-70.  https://doi.org/10.1177/0021886307311470
  17. Bandura, D. (1977). Control Document Cont rolled Documt. November 1997. 
  18. Bansal, G., Muzatko, S., and Shin, S. I. (2020). Information system security policy noncompliance: The role of situation-specific ethical orientation. Information Technology and People, 30(1), 1350-1917. https://doi.org/10.1108/ITP-03-2019-0109 
  19. Beccaria. (1963). On crimes and punishments / trans. with an introduction, by Henry Paolucci. In Indianapolis, IN: Bobbs-Merrill. (Original work published 1764). 
  20. Belanger, F., Collignon, S., Enget, K., and Negangard, E. (2017). Determinants of early conformance with information security policies. Information and Management, 54(7), 887-901. https://doi.org/10.1016/j.im.2017.01.003 
  21. Bennett, R. J., and Robinson, S. L. (2000). Development of a measure of workplace deviance. Journal of Applied Psychology, 85(3), 349-360. https://doi.org/10.1037/0021-9010.85.3.349 
  22. Bhaharin, S. H., Mokhtar, U. A., Sulaiman, R., and Yusof, M. M. (2019). Issues and trends in information security policy compliance. International Conference on Research and Innovation in Information Systems, ICRIIS, December-2. https://doi.org/10.1109/ICRIIS48246.2019.9073645 
  23. Bhowmik, D., and Sahai, A. (2018). Optimism Promotes Organizational Commitment. The International Journal of Indian Psychology, 6(3), 35-50. https://doi.org/10.25215/0603.044. 
  24. Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., and Polak, P. (2015). What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quarterly: Management Information Systems, 39(4), 837-864. https://doi.org/10.25300/MISQ/2015/39.4.5 
  25. Bougaardt, G., and Kyobe, M. (2011). Investigating the factors inhibiting SMEs from recognizing and measuring losses from cyber crime in South Africa. The Electronic Journal Information Systems Evaluation, 14(2), 167-178. 
  26. Boulhna, O. (2020). Applying psychological reactance theory to intercultural communication in the workplace: Dealing with technological change and tolerance for ambiguity. ProQuest Dissertations and Theses, 138. Retrieved from https://search.proquest.com/dissertations-theses/applying-psychological-reactance-theory/docview/2457967884/se-2?accountid=49069 
  27. Boutilier, R. (2020). Personality differences in hope and optimism on consideration of future consequences and goal motivation. PsyArXiv Preprints, 2(September), 1-20. https://doi.org/10.13140/RG.2.2.30907.03365 
  28. Bradley, K. T., and Westlund, N. K. (2017). Risk perceptions and health behavior Rebecca. J Neruosci Res, 95(6), 1336-1356. https://doi.org/10.1016/j.copsyc.2015.03.012.Risk 
  29. Bulgurcu, B., Cavusoglu, H., and Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-548.  https://doi.org/10.2307/25750690
  30. Burns, A. J. (2021). Protecting organizational information assets: Exploring the influence of regulatory focus on rational choices. In Proceedings of the Annual Hawaii International Conference on System Sciences, 2020-Janua, (pp. 5228-5237). https://doi.org/10.24251/hicss.2021.637 
  31. Burns, A. J., Johnson, M. E., and Caputo, D. D. (2019). Spear phishing in a barrel: Insights from a targeted phishing campaign. Journal of Organizational Computing and Electronic Commerce, 29(1), 24-39. https://doi.org/10.1080/10919392.2019.1552745 
  32. Burns, A. J., Posey, C., Roberts, T. L., and Benjamin Lowry, P. (2017). Examining the relationship of organizational insiders' psychological capital with information security threat and coping appraisals. Computers in Human Behavior, 68, 190-209. https://doi.org/10.1016/j.chb.2016.11.018 
  33. Burns, A. J., Roberts, T. L., Posey, C., Bennett, R. J., and Courtney, J. F. (2018). Intentions to Comply Versus Intentions to Protect: A VIE Theory Approach to Understanding the Influence of Insiders' Awareness of Organizational SETA Efforts. Decision Sciences, 49(6), 1187-1228. https://doi.org/10.1111/deci.12304. 
  34. Burns, A. J., Roberts, T. L., Posey, C., Bennett, R. J., and Courtney, J. F. (2018). Intentions to comply versus intentions to protect: A VIE theory approach to understanding the influence of insiders' awareness of organizational SETA efforts. Decision Sciences, 49(6), 1187-1228. https://doi.org/10.1111/deci.12304 
  35. Burns, S., and Roberts, L. (2013). Applying the theory of planned behaviour to predicting online safety behaviour. Crime Prevention and Community Safety, 15(1), 48-64. https://doi.org/10.1057/cpcs.2012.13 
  36. Burns, T., and Roszkowska, E. (2016). Rational choice theory: Toward a psychological, social, and material contextualization of human choice behavior. Theoretical Economics Letters, 6(02), 195-207. https://doi.org/10.4236/tel.2016.62022 
  37. Byrne, B. M. (2001). Structural equation modeling with AMOS, EQS, and LISREL: Comparative approaches to testing for the factorial validity of a measuring instrument. International Journal of Testing, 1(1), 55-86. https://doi.org/10.1207/s15327574ijt0101_4 
  38. Cavus, M., and Gokcen, A. (2015). Psychological Capital: Definition, Components and Effects. British Journal of Education, Society and Behavioural Science, 5(3), 244-255. https://doi.org/10.9734/bjesbs/2015/12574 
  39. Chen, L., Zhen, J., Dong, K., and Xie, Z. (2020). Effects of sanction on the mentality of information security policy compliance. Revista Argentina de Clinica Psicologica, 29(1), 39-49. https://doi.org/10.24205/03276716.2020.6 
  40. Chen, X., Wu, D., Chen, L., and Teng, J. K. L. (2018). Sanction severity and employees' information security policy compliance: Investigating mediating, moderating, and control variables. Information and Management, 55(8), 1049-1060. https://doi.org/10.1016/j.im.2018.05.011 
  41. Chin, W. W. (1998). The partial least squares approach to structural equation modelling. In G. A. Marcoulides (Ed.), Modern Methods for Business Research, 295(2), 295-336. 
  42. Choi, M., Levy, Y., and Anat, H. (2013). The role of user computer self-efficacy, cybersecurity countermeasures awareness, and cybersecurity skills influence on computer misuse. In Proceedings of the Pre-International Conference of Information Systems (ICIS) SIGSEC - Workshop on Information Security and Privacy (WISP) 2013, December (pp. 1-19). Retrieved from https://www.researchgate.net/publication/318710121%0Ahttps://nsuworks.nova.edu/gscis_facpres/98 
  43. Choi, Y., and Lee, D. (2014). Psychological capital, Big Five traits, and employee outcomes. Journal of Managerial Psychology, 29(2), 122-140. https://doi.org/10.1108/JMP-06-2012-0193 
  44. Clubb, A. C., and Hinkle, J. C. (2015). Protection motivation theory as a theoretical framework for understanding the use of protective measures. Criminal Justice Studies, 28(3), 336-355. https://doi.org/10.1080/1478601X.2015.1050590 
  45. Cronbach, L. J. (1951). Coefficient alpha and the internal structure of tests. Psychometrika, 16(3), 297-334.  https://doi.org/10.1007/BF02310555
  46. Cross, C., and Kelly, M. (2016). The problem of 'white noise': Examining current prevention approaches to online fraud. Journal of Financial Crime, 23(4), 806-818. https://doi.org/10.1108/JFC-12-2015-0069 
  47. D'Arcy, J., and Herath, T. (2011). A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings. European Journal of Information Systems, 20(6), 643-658. https://doi.org/10.1057/ejis.2011.23 
  48. D'Arcy, J., and Teh, P. L. (2019). Predicting employee information security policy compliance on a daily basis: The interplay of security-related stress, emotions, and neutralization. Information and Management, 56(7). https://doi.org/10.1016/j.im.2019.02.006. 
  49. D'Arcy, J., and Lowry, P. B. (2019). Cognitive-affective drivers of employees' daily compliance with information security policies: A multilevel, longitudinal study. Information Systems Journal, 29(1), 43-69. https://doi.org/10.1111/isj.12173 
  50. D'Arcy, J., Hovav, A., and Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79-98. https://doi.org/10.1287/isre.1070.0160 
  51. Dhillon, G. (2001). Violation of safeguards by trusted personnel and understanding related information security concerns. Computers and Security, 20(2), 165-172. https://doi.org/10.1016/S0167-4048(01)00209-7 
  52. Dora, M., and Azim, A. (2019). Organizational Justice and Workplace Deviance Behavior: Psychological Capital as Mediator. American International Journal of Humanities and Social Science, 5(2), 2415-1424. www.cgrd.org. 
  53. Duong, B. (2022). Security counterproductive behaviors employees' security counterproductive. Louisiana Tech University. 
  54. Evans, M., He, Y., Maglaras, L., and Janicke, H. (2019). HEART-IS: A novel technique for evaluating human error-related information security incidents. Computers and Security, 80(May 2018), 74-89. https://doi.org/10.1016/j.cose.2018.09.002 
  55. Farshadkhah, S., Van Slyke, C., and Fuller, B. (2021). Onlooker effect and affective responses in information security violation mitigation. Computers and Security, 100, 102082. https://doi.org/10.1016/j.cose.2020.102082 
  56. Ferrer, R. A., Klein, W. M. P., Avishai, A., Jones, K., Villegas, M., and Sheeran, P. (2018). When does risk perception predict protection motivation for health threats? A person-by-situation analysis. PLoS ONE, 13(3), 1-15. https://doi.org/10.1371/journal.pone.0191994. 
  57. Fitzgerald, K. (2020). Walden University. 
  58. Fornell, C., and Larcker, D. (1981). Evaluating structural equation models with unobservable variables and measurement error. Journal of Marketing Research., 18(1), 39-50.  https://doi.org/10.1177/002224378101800104
  59. Frank, M., and Kohn, V. (2021). How to mitigate security-related stress: The role of psychological capital. In Proceedings of the Annual Hawaii International Conference on System Sciences, 2020-January (pp. 4538-4547). https://doi.org/10.24251/hicss.2021.550 
  60. Garver, M.S and Mentzer, J.T (1999). Logistics research methods: employing structural equation modeling to test for construct validity. Journal of business logistics, 20(1), 33. 
  61. Ghazvini, A., and Shukur, Z. (2016). Awareness training transfer and information security content development for healthcare industry. International Journal of Advanced Computer Science and Applications, 7(5), 361-370. https://doi.org/10.14569/ijacsa.2016.070549 
  62. Goode, S., Lin, C., Tsai, J. C., and Jiang, J. J. (2015). Rethinking the role of security in client satisfaction with Software-as-a-Service (SaaS) providers. Decision Support Systems, 70, 73-85. https://doi.org/10.1016/j.dss.2014.12.005 
  63. Guo, K. H., and Yuan, Y. (2012). Information & Management The effects of multilevel sanctions on information security violations : A mediating model. Information & Management, 49(6), 320-326. https://doi.org/10.1016/j.im.2012.08.001. 
  64. Gurung, A., Luo, X., and Liao, Q. (2009). Consumer motivations in taking action against spyware: An empirical investigation. Information Management and Computer Security, 17(3), 276-289. https://doi.org/10.1108/09685220910978112 
  65. Gwebu, K. L., Wang, J., and Hu, M. Y. (2020). Information security policy noncompliance: An integrative social influence model. Information Systems Journal, 30(2), 220-269. https://doi.org/10.1111/isj.12257 
  66. Hadlington, L. (2017). Human factors in cybersecurity: Examining the link between Internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours. Heliyon, June, e00346. https://doi.org/10.1016/j.heliyon.2017.e00346 
  67. Hair, J. J. F., Hult, G. T. M., Ringle, C. M., and Sarstedt, M. (2014). A Primer on Partial Least Squares Structural Equation Modeling (PLS-SEM). Thousand Oaks, california: SAGE Publications. http://fortune.com/2016/06/20/employees-computer-security/
  68. Hanus, B., and Wu, Y. "Andy." (2016). Impact of users' security awareness on desktop security behavior: A protection motivation theory perspective. Information Systems Management, 33(1), 2-16. https://doi.org/10.1080/10580530.2015.1117842 
  69. Hayes, A. F. (2009). Beyond Baron and Kenny: Statistical mediation analysis in the new millennium. Communication Monographs, 76(4), 408-420. https://doi.org/10.1080/03637750903310360 
  70. Herath, T., and Rao, H. R. (2009). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), 106-125. https://doi.org/10.1057/ejis.2009.6 
  71. Higgins, G. E., and Lauterbach, C. (2004). Control balance theory and exploitation: an examination of contingencies. Criminal Justice Studies, 17(3), 291-310. https://doi.org/10.1080/1478601042000281123 
  72. Hina, S., Panneer Selvam, D. D. D., and Lowry, P. B. (2019). Institutional governance and protection motivation: Theoretical insights into shaping employees' security compliance behavior in higher education institutions in the developing world. Computers and Security, 87, 101594. https://doi.org/10.1016/j.cose.2019.101594 
  73. Hirtenlehner, H., and Schulz, S. (2021). Deterrence and the moral context: Is the impact of perceived sanction risk dependent on best friends' moral beliefs? Criminal Justice Review, 46(1), 53-79. https://doi.org/10.1177/0734016820949641 
  74. Hone, K., and Eloff, J. H. P. (2002). Information security policy: What do international information security standards say? Computers and Security, 21(5), 402-409. https://doi.org/10.1016/S0167-4048(02)00504-7 
  75. Hong, J. (2012). The state of phishing attacks. Communications of the ACM, 55(1), 74-81. https://doi.org/10.1145/2063176.2063197 
  76. Hsu, J. S. C., Shih, S. P., Hung, Y. W., and Lowry, P. B. (2015). The role of extra-role behaviors and social controls in information security policy effectiveness. Information Systems Research, 26(2), 282-300. https://doi.org/10.1287/isre.2015.0569 
  77. Hu, Q., Dinev, T., Hart, P., and Cooke, D. (2012). Managing Employee Compliance with Information Security Policies : The Critical Role of Top Management and Organizational Culture. Decis. Sci, 43, 615-660.  https://doi.org/10.1111/j.1540-5915.2012.00361.x
  78. Hwang, I., and Cha, O. (2018). Examining technostress creators and role stress as potential threats to employees' information security compliance. Computers in Human Behavior, 81, 282-293. https://doi.org/10.1016/j.chb.2017.12.022 
  79. Hwang, I., Kim, K. T., and Kim, S. (2017). Why not comply with information security? An empirical approach for the causes of non-compliance. Online Inf. Rev, 41(1), 1-18.  https://doi.org/10.1108/OIR-11-2015-0358
  80. Iacobucci, D. (2010). Structural equations modeling: Fit Indices, sample size, and advanced topics. Journal of Consumer Psychology, 20(1), 90-98. https://doi.org/10.1016/j.jcps.2009.09.003 
  81. Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers and Security, 31(1), 83-95. https://doi.org/10.1016/j.cose.2011.10.007 
  82. Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information and Management, 51(1), 69-79. https://doi.org/10.1016/j.im.2013.10.001 
  83. Inuwa, I., and Ononiwu, C. (2020). Motivations and prevention of malicious and criminal misuse of information systems in organizations: A systematic review. In Proceedings of the 24th Pacific Asia Conference on Information Systems: Information Systems (IS) for the Future, PACIS 2020. 
  84. Jaakko, J. (2019). Is Human The Weakest Link In Information Security: A Systematic Literature Review. In Information security, Master's thesis (Vol. 204, Issue 1). http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=28111529&site=ehost-live. 
  85. Jacobs, B. A. (2010). Deterrence and deterrability. Criminology: An Interdisciplinary Journal, 48(2), 417-441.  https://doi.org/10.1111/j.1745-9125.2010.00191.x
  86. Jakobsson, M. (2016). Understanding social engineering based scams. In springer.com (Vol. 49, Issue 0). https://doi.org/10.1007/978-1-4939-6457-4 
  87. Jalali, M. S., Bruckes, M., Westmattelmann, D., and Schewe, G. (2020). Why employees (still) click on phishing links: Investigation in hospitals. Journal of Medical Internet Research, 22(1), 1-16. https://doi.org/10.2196/16775 
  88. Janis, I. L. (1967). Effects of fear arousal on attitude change: Recent developments in theory and experimental research. Advances in experimental social psychology, 3, 166-224.  https://doi.org/10.1016/S0065-2601(08)60344-5
  89. Janis, I. L., and Feshbach, S. (1953). Effects of fear-arousing communications. The Journal of Abnormal and Social Psychology, 48(1), 78-92. https://doi.org/10.1037/h0060732 
  90. Jansen, J., and van Schaik, P. (2019). The design and evaluation of a theory-based intervention to promote security behaviour against phishing. International Journal of Human Computer Studies, 123(January 2018), 40-55. https://doi.org/10.1016/j.ijhcs.2018.10.004 
  91. Jeon, S., and Hovav, A. (2015). Empowerment or control: Reconsidering employee security policy compliance in terms of authorization. In Proceedings of the Annual Hawaii International Conference on System Sciences, 2015-March (pp. 3473-3482). https://doi.org/10.1109/HICSS.2015.418 
  92. John, F. R. (2021). Influence of Psychological Capital on Employee Engagement and Explored the Mediating Role of Organizational Commitment. European Journal of Molecular & Clinical Medicine, 8(3), 3222-3231. 
  93. Johnson, D. P., and Johnson, D. (2017). How Attitude Toward the Behavior, Subjective Norm, and Perceived Behavioral Control Affects Information Security Behavior Intention. Walden Dissertations and Doctoral Studies, 4454. 
  94. Johnston, A. C., Warkentin, M., and Siponen, M. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly: Management Information Systems, 39(1), 113-134. https://doi.org/10.25300/MISQ/2015/39.1.06 
  95. Johnston, A. C., Warkentin, M., McBride, M., and Carter, L. (2016). Dispositional and situational factors: Influences on information security policy violations. European Journal of Information Systems, 25(3), 231-251. https://doi.org/10.1057/ejis.2015.15 
  96. Junglas, I. A., Johnson, N. A., and Spitzmuller, C. (2008). Personality traits and concern for privacy: An empirical study in the context of location-based services. European Journal of Information Systems, 17(4), 387-402. https://doi.org/10.1057/ejis.2008.29 
  97. Kajtazi, M., Cavusoglu, H., Benbasat, I., and Haftor, D. (2018). Escalation of commitment as an antecedent to noncompliance with information security policy. Information and Computer Security, 26(2), 39-57. https://doi.org/10.1108/ICS-09-2017-0066 
  98. Khando, K., Gao, S., Islam, S. M., and Salman, A. (2021). Enhancing employees information security awareness in private and public organisations: A systematic literature review. Computers and Security, 106, 102267. https://doi.org/10.1016/j.cose.2021.102267. 
  99. Kim, B., Lee, D. Y., and Kim, B. (2020). Deterrent effects of punishment and training on insider security threats: A field experiment on phishing attacks. Behaviour and Information Technology, 39(11), 1156-1175. https://doi.org/10.1080/0144929X.2019.1653992 
  100. Kim, M., Kim, A. C. H., Newman, J. I., Ferris, G. R., and Perrewe, P. L. (2019). The antecedents and consequences of positive organizational behavior: The role of psychological capital for promoting employee well-being in sport or ganizations. Sport Management Review, 22(1), 108-125. https://doi.org/10.1016/j.smr.2018.04.003 
  101. Kimolo, K. (2013). The relationship between employee empowerment practices and employee perfromance in regional development authorities in Kenya. In Kimanzi Kimolo a Research Project Submitted in Partial Fulfillment of the Requirement for Degree of Masters of Business Admini (Issue October). 
  102. Kline, R. B. (2005). Principles and practice of structural equation modeling. New York, USA: The Guilford Press. https://doi.org/10.1038/156278a0. 
  103. Kolkowska, E., and Dhillon, G. (2013). Organizational power and information security rule compliance. Computers and Security, 33, 3-11. https://doi.org/10.1016/j.cose.2012.07.001 
  104. Kolkowska, E., Karlsson, F., and Hedstrom, K. (2017). Escalation of commitment as an antecedent to noncompliance with information security policy. Information and Computer Security, 26(2), 39-57. https://doi.org/10.1108/ICS-09-2017-0066 
  105. Koohang, A., Nord, J. H., Sandoval, Z. V., and Paliszkiewicz, J. (2020). Reliability, validity, and strength of a unified model for information security policy compliance. Journal of Computer Information Systems, 61(2), 99-107. https://doi.org/10.1080/08874417.2020.1779151 
  106. Krazit, T. (2016). Employees are the weakest link in computer security. 
  107. Kuhalampi, M. (2017). Impact of Deterrence Theory Methods on Employees' Information Security Behavior. PhD Thesis. 
  108. Kulyk, O., and Volkamer, M. (2018). Usability is not enough: Lessons learned from "human factors in security" research for verifiability. In Third International Joint Conference on Electronic Voting (E-Vote-ID 2018) (pp. 66-79). 
  109. Kumar. (2022). Cyber Security Issues and Challenges - A Review. International Journal of Scientific Research in Computer Science, Engineering and Information Technology, 8(11), 269-273. https://doi.org/10.32628/cseit228379 
  110. Lankton, N. K., Stivason, C., and Gurung, A. (2019). Information protection behaviors: morality and organizational criticality. Information and Computer Security, 27(3), 468-488. https://doi.org/10.1108/ICS-07-2018-0092 
  111. Lebek, B., Uffen, J., Neumann, M., Hohler, B., and Breitner, M. H. (2014). Information security awareness and behavior: A theory-based literature review. Management Research Review, 37(12), 1049-1092. https://doi.org/10.1108/MRR-04-2013-0085 
  112. Li, Y., Zhang, N., and Pan, T. (2018). Understanding the roles of challenge security demands, psychological resources in information security policy noncompliance. Proceedings of the 22nd Pacific Asia Conference on Information Systems - Opportunities and Challenges for the Digitized Society: Are We Ready?, PACIS 2018. 
  113. Liang, H., Xue, Y., and Wu, L. (2012). Ensuring employees' IT compliance: Carrot or stick? Information System Resrach, June 24(2), 201-497. https://doi.org/10.1287/isre.1120.0427 
  114. Liu, C., Wang, N., and Liang, H. (2020). Motivating information security policy compliance: The critical role of supervisor-subordinate guanxi and organizational commitment. International Journal of Information Management, 54(28), 102152. https://doi.org/10.1016/j.ijinfomgt.2020.102152 
  115. Lowry, P. B., and Moody, G. D. (2015). Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies. Information Systems Journal, 25(5), 433-463. https://doi.org/10.1111/isj.12043 
  116. Lowry, P. B., Moody, G. D., and Chatterjee, S. (2017). Using the control balance theory to explain online social media deviance. In Proceedings of the Annual Hawaii International Conference on System Sciences, 2017-Janua (pp. 2253-2262). https://doi.org/10.24251/hicss.2017.272 
  117. Lowry, P. B., Posey, C., Bennett, R. (Becky) J., and Roberts, T. L. (2015). Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust. Information Systems Journal, 25(3), 193-273. https://doi.org/10.1111/isj.12063 
  118. Lu, Y. (2018). Cybersecurity Research: A Review of Current Research Topics. Journal of Industrial Integration and Management, 03(04), 1850014. https://doi.org/10.1142/s2424862218500148. 
  119. Luo, X. R., and Zhdanov, D. (2016). Special issue introduction: A comprehensive perspective on information systems security - technical advances and behavioral issues. Decision Support Systems, 92, 1-2. https://doi.org/10.1016/j.dss.2016.10.003 
  120. Ma, X. (2021). IS professionals' information security behaviors in Chinese IT organizations for information security protection. Information Processing and Management, 59(1), 1-14. https://doi.org/10.1016/j.ipm.2021.102744 
  121. MacKenzie, S. B., Podsakoff, P. M., and Ahearne, M. (1998). Some possible antecedents and consequences of in-role and extra-role salesperson performance. Journal of Marketing, 62(3), 87-98. https://doi.org/10.2307/1251745 
  122. Maddux, J.E., and Rogers, R.W. (1983). Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change. Journal of Experimental Social Psychology, 19(5), 469-479. https://doi.org/10.1016/0022-1031(83)90023-9 
  123. Malik, A. (2013). Efficacy, hope, optimism and resilience at workplace-positive organizational behavior. International Journal of Scientific and Research Publications, 3(10), 1-4. 
  124. Marlina, L., Setyoningrum, N. G., Mulyani, Y. S., Permana, T. E., and Sumarni, R. (2021). Improving employees working discipline with punishment, reward, and implementation of standard operational procedures 1Lina. Perwira International Journal of Economics and Business, 1(1). 
  125. Mathieu, J., and Taylor, S. (2006). Clarifying conditions and decision points for mediational type inferences in Organizational Behavior. Journal of Organizational Behavior, 27, 1031-1056. https://doi.org/10.1002/job.406. 
  126. Menard, P., Warkentin, M., and Lowry, P. B. (2018). The impact of collectivism and psychological ownership on protection motivation: A cross-cultural examination. Computers and Security, 75, 147-166. https://doi.org/10.1016/j.cose.2018.01.020 
  127. Merhi, M. I., and Ahluwalia, P. (2014). The role of punishment and task dissonance in information security policies compliance. In 20th Americas Conference on Information Systems, AMCIS 2014, Straub 1990 (pp. 1-10). 
  128. Merhi, M. I., and Ahluwalia, P. (2015). Top management can lower resistance toward information security compliance. In 2015 International Conference on Information Systems: Exploring the Information Frontier, ICIS 2015, December 2015. 
  129. Merhi, M. I., and Ahluwalia, P. (2019). Examining the impact of deterrence factors and norms on resistance to Information Systems Security. Computers in Human Behavior, 92, 37-46. https://doi.org/10.1016/j.chb.2018.10.031 
  130. Merhi, M. I., and Midha, V. (2012). The impact of training and social norms on information security compliance: A pilot study. International Conference on Information Systems (ICIS) (pp. 4183-4193). 
  131. Mishra, A., Alzoubi, Y. I., Gill, A. Q., and Anwar, M. J. (2022). Cybersecurity Enterprises Policies: A Comparative Study. Sensors, 22(2), 1-35. https://doi.org/10.3390/s22020538 
  132. Moody, G. D., Siponen, M., and Pahnila, S. (2018). Toward a Unified Model of Information Security Policy Compliance. MIS Quarterly, 42(1), 285-311. https://doi.org/10.25300/MISQ/2018/138532018R. 
  133. Moody, G., Siponen, M., and Pahnila, S. (2018). Toward a unified model of information security policy compliance. Mis Quarterly, 42, 285-302. https://eds.a.ebscohost.com/eds/pdfviewer/pdfviewer?vid=0&sid=056bcc95-624f-437e-a25e-2f1b41f0bedf%40sdc-v-sessmgr03  https://doi.org/10.25300/MISQ/2018/13853
  134. Moquin, R., and Wakefield, R. L. (2016). The roles of awareness, sanctions, and ethics in software compliance. Journal of Computer Information Systems, 56(3), 261-270. https://doi.org/10.1080/08874417.2016.1153922. 
  135. Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T., and Vance, A. (2009). What levels of moral reasoning and values explain adherence to information security rules? An empirical study. European Journal of Information Systems, 18(2), 126-139. https://doi.org/10.1057/ejis.2009.10 
  136. Ncubukezit, T. (2022). Human Errors: A Cybersecurity Concern and the Weakest Link to Small Businesses. International Conference on Cyber Warfare and Security, 17(1), 395-403. https://doi.org/10.34190/iccws.17.1.51. 
  137. Ng, B. Y., and Rahim, M. A. (2005). A socio-behavioral study of home computer users' intention to practice security. 9th Pacific Asia Conference on Information Systems: I.T. and Value Creation, PACIS 2005, 234-247. 
  138. Nguyen, H. M., and Ngo, T. T. (2020). Psychological Capital, Organizational Commitment and Job Performance : A Case in Vietnam. The Journal of Asian Finance, Economics and Busines, 7(5), 269-278. https://doi.org/10.13106/jafeb.2020.vol7.no5.269. 
  139. Nolzen, N. (2018). The concept of psychological capital: A comprehensive review. Management Review Quarterly, 68(3), 237-277. https://doi.org/10.1007/s11301-018-0138-6 
  140. Nunnally, J., and Bernstein, I. (1994). Book Review: Psychometric theory. Journal of Psychoeducational Assessment, 275-280. 
  141. Pahnila, S., Siponen, M., and Mahmood, A. (2007). Which Factors Explain Employees' Adherence to Information Security Policies? An Empirical Study. PACIS 2007 Proceedings. 
  142. Paliszkiewicz, J. (2019). Information security policy compliance: Leadership and trust. Journal of Computer Information Systems, 59(3), 211-217. https://doi.org/10.1080/08874417.2019.1571459 
  143. Paolillo, A., Platania, S., Magnano, P., and Ramaci, T. (2015). Organizational Justice, Optimism and Commitment to Change. Procedia - Social and Behavioral Sciences, 191, 1697-1701. https://doi.org/10.1016/j.sbspro.2015.04.479. 
  144. Paternoster, R., and Simpson, S. (1993). A Rational Choice Theory of Corporate Crime. In R. V. Clarke, & M. Felson (Eds.), Routine Activities and Rational Choice Theory (pp. 37-51). NJ: New Brunswick Transaction. 
  145. Pham, H. C. (2019). Information security burnout: Identification of sources and mitigating factors from security demands and resources. Journal of Information Security and Applications, 46, 96-107. https://doi.org/10.1016/j.jisa.2019.03.012 
  146. Pham, H. C., Brennan, L., and Richardson, J. (2017). Review of behavioural theories in security compliance and research challenges. In Proceedings of the Informing Science and Information Technology Education Conference (pp. 65-76). 
  147. Pham, H. C., El-Den, J., and Richardson, J. (2016). Stress-based security compliance model - An exploratory study. Information and Computer Security, 24(4), 326-347. https://doi.org/10.1108/ICS-10-2014-0067 
  148. Plamenova Djourova, N. (2018). Psychological capital: Underlying mechanisms, antecedents, and outcomes in the workplace. Doctoral thesis. 
  149. Ponemon Institute. (2016). Sixth annual benchmark study on privacy & security of healthcare data. Ponemon Institute, 1-52. 
  150. Ponemon Institute. (2017). 2016 Cost of cyber crime study and the risk of business innovation. Ponemon Institute, 1-36. 
  151. Ponemon Institute. (2020). 2020 Cost of Insider Threats. Retrieved from https://www.observeit.com/wp-content/uploads/2020/04/2020-Global-Cost-of-Insider-Threats-Ponemon-Report_UTD.pdf 
  152. Posey, C., Bennett, B., and Roberts, T. (2011). When computer monitoring backfires: Invasion of privacy and organizational injustice as precursors to computer abuse. Journal of Information System Security, 10(1), 21-45. 
  153. Posey, C., Roberts, T. L., and Lowry, P. B. (2015). The impact of organizational commitment on insiders motivation to protect organizational information assets. Journal of Management Information Systems, 32(4), 179-214. https://doi.org/10.1080/07421222.2015.1138374 
  154. Posey, C., Roberts, T. L., Lowry, P. B., Bennett, R. J., and Courtney, J. F. (2013). Insiders' protection of organizational information assets: Development of a systematics-based taxonomy and theory of diversity for protection-motivated behaviors. MIS Quarterly: Management Information Systems, 37(4), 1189-1210. https://doi.org/10.25300/MISQ/2013/37.4.09 
  155. Pratt, T. C., Cullen, F. T., Blevins, K. R., Daigle, L. E., and Madensen, T. D. (2006). The Empirical Status of Deterrence Theory: A Meta-Analysis. Taking Stock: The Status of Criminological Theory: Advances in Criminological Theory: Volume 15, 15(January), 367-396. https://doi.org/10.4324/9781315130620-14. 
  156. PwC. (2017). UK organisations still failing to prepare effectively for cyber attacks. UK Organisations Still Failing to Prepare Effectively for Cyber Attacks. PWC: Cambridge, UK. 
  157. Rabenu, E., and Yaniv, E. (2017). Psychological resources and strategies to cope with stress at work. International Journal of Psychological Research, 10(2), 8-15. https://doi.org/10.21500/20112084.2698 
  158. Raza, M. H., Abid, M., Yan, T., Ali Naqvi, S. A., Akhtar, S., and Faisal, M. (2019). Understanding farmers' intentions to adopt sustainable crop residue management practices: A structural equation modeling approach. In Journal of Cleaner Production (Vol. 227). Elsevier B.V. https://doi.org/10.1016/j.jclepro.2019.04.244. 
  159. Ritzman, M., and Kahle-Piasecki, L. (2016). What works: a systems approach to employee performance in strengthening information security. Performance Improvement, 55(8), 17-22. https://doi.org/10.1002/pfi.21614 
  160. Rogers, R. W. (1975). A protection motivation theory of fear appeals and attitude change1. The Journal of Psychology, 91(1), 93-114. https://doi.org/10.1080/00223980.1975.9915803 
  161. Safa, N. S., and Von Solms, R. (2016). An information security knowledge sharing model in organizations. Computers in Human Behavior, 57, 442-451. https://doi.org/10.1016/j.chb.2015.12.037 
  162. Safa, N. S., Solms, R. Von, and Futcher, L. (2016). Human aspects of information security in organisations. Computer Fraud and Security, 2016(2), 15-18. https://doi.org/10.1016/S1361-3723(16)30017-3 
  163. Sahoo, B. C., Sia, S. K., Sahu, N., and Appu, A. V. (2015). Psychological Capital and Work Attitudes: A Conceptual Analysis. Journal of Organization and Human Behaviour, 4(2and3), 10-21. https://doi.org/10.21863/johb/2015.4.2and3.008. 
  164. SANS. (2014). Information Security Policy Templates. Retrieved from http://www.sans.org/security-resources/policies/general 
  165. Saridakis, G., Benson, V., Ezingeard, J. N., and Tennakoon, H. (2016). Individual information security, user behaviour and cyber victimisation: An empirical study of social networking users. Technological Forecasting and Social Change, 102, 320-330. https://doi.org/10.1016/j.techfore.2015.08.012 
  166. Sarkar, A., and Garg, N. (2020). "Peaceful workplace" only a myth?: Examining the mediating role of psychological capital on spirituality and nonviolence behaviour at the workplace. International Journal of Conflict Management, 31(5), 709-728. https://doi.org/10.1108/IJCMA-11-2019-0217. 
  167. Sawyer, B. D., Finomore, V. S., Funke, G. J., Matthews, G., Mancuso, V., Funke, M., Warm, J. S., and Hancock, P. A. (2016). Report date (dd-mm-yy) 2. report type 3. dates covered (from-to) cyber vigilance: The human factor 5a. contract number. 298(0704). 
  168. Saxena, N., Hayes, E., Bertino, E., Ojo, P., Choo, K. K. R., and Burnap, P. (2020). Impact and key challenges of insider threats on organizations and critical businesses. Electronics (Switzerland), 9(9), 1-29. https://doi.org/10.3390/electronics9091460 
  169. Seligman, M. E., and Csikszentmihalyi, M. (2000). Positive psychology. An introduction. The American Psychologist, 55(1), 5-14. https://doi.org/10.1037/0003-066X.55.1.5 
  170. Senarak, C. (2021). Cybersecurity knowledge and skills for port facility security officers of international seaports: Perspectives of IT and security personnel. Asian Journal of Shipping and Logistics, 37(4), 345-360. https://doi.org/10.1016/j.ajsl.2021.10.002 
  171. Shahbaznezhad, H., Kolini, F., and Rashidirad, M. (2020). Employees' behavior in phishing attacks: What individual, organizational, and technological factors matter? Journal of Computer Information Systems, 1-12. https://doi.org/10.1080/08874417.2020.1812134 
  172. Siddiqi, M. A., Pak, W., and Siddiqi, M. A. (2022). A Study on the Psychology of Social Engineering-Based Cyberattacks and Existing Countermeasures. Applied Sciences (Switzerland), 12(12). https://doi.org/10.3390/app12126042 
  173. Siponen, M., Adam Mahmood, M., and Pahnila, S. (2014). Employees' adherence to information security policies: An exploratory field study. Information and Management, 51(2), 217-224. https://doi.org/10.1016/j.im.2013.08.006 
  174. Siponen, M., Soliman, W., and Vance, A. (2022). Common misunderstandings of deterrence theory in information systems research and future research directions. Data Base for Advances in Information Systems, 53(1), 25-60. https://doi.org/10.1145/3514097.3514101 
  175. Sommestad, T., and Hallberg, J. (2013). A review of the theory of planned behaviour in the context of information security policy compliance. IFIP Advances in Information and Communication Technology, 405, 257-271. https://doi.org/10.1007/978-3-642-39218-4_20 
  176. Sommestad, T., Hallberg, J., Lundholm, K., and Bengtsson, J. (2014). Variables influencing information security policy compliance: A systematic review of quantitative studies. Information Management and Computer Security, 22(1), 42-75. https://doi.org/10.1108/IMCS-08-2012-0045 
  177. Sommestad, T., Karlzen, H., and Hallberg, J. (2015). The sufficiency of the theory of planned behavior for explaining information security policy compliance. Information and Computer Security. https://doi.org/10.1108/ICS-04-2014-0025 
  178. Sprissler, E., Yan, Z., Robertson, T., Bordoff, S., Chen, Q., Yan, R., and Park, S. Y. (2018). Finding the weakest links in the weakest link: How well do undergraduate students make cybersecurity judgment? Computers in Human Behavior, 84, 375-382. https://doi.org/10.1016/j.chb.2018.02.019. 
  179. Stahl, B. C., Doherty, N. F., and Shaw, M. (2012). Information security policies in the UK healthcare sector: A critical evaluation. Information Systems Journal, 22(1), 77-94. https://doi.org/10.1111/j.1365-2575.2011.00378.x 
  180. Straub, D. W. (1990). Effective IS security: An empirical study. Information Systems Research, 1(3), 255-276.  https://doi.org/10.1287/isre.1.3.255
  181. Straub, D. W., and Welke, R. J. (1998). Coping with systems risk: Security planning models for management decision making. MIS Quarterly: Management Information Systems, 22(4), 441-464. https://doi.org/10.2307/249551 
  182. Straub, D., and Gefen, D. (2004). Validation guidelines for is positivist research. Communications of the Association for Information Systems, 13. https://doi.org/10.17705/1cais.01324 
  183. Talib, Y. Y. A., and Dhillon, G. (2015). Employee ISP compliance intentions: An empirical test of empowerment. In 2015 International Conference on Information Systems: Exploring the Information Frontier, ICIS 2015, December 2015. 
  184. Tannenbaum, M. B., Hepler, J., Zimmerman, R. S., Saul, L., and Jacobs, S. (2018). Appealing to fear: A meta-analysis of fear appeal effectiveness and. Psychol Bull., 141(6), 1178-1204. https://doi.org/10.1037/a0039729. Appealing 
  185. Tavakoli, M. (2010). A positive approach to stress, resistance, and organizational change. Procedia - Social and Behavioral Sciences, 5, 1794-1798. https://doi.org/10.1016/j.sbspro.2010.07.366 
  186. Teo, T., Zhou, M., and Noyes, J. (2016). Teachers and technology: Development of an extended theory of planned behavior. Educational Technology Research and Development, 64(6), 1033-1052. https://doi.org/10.1007/s11423-016-9446-5 
  187. Tittle, C. R. (1995). Control Balance: Toward a General Theory of Deviance. New York: ImprintRoutledge. 
  188. Trang, S., and Brendel, B. (2019). A meta-analysis of deterrence theory in information security policy compliance research. Information Systems Frontiers, 21(6), 1265-1284. https://doi.org/10.1007/s10796-019-09956-4 
  189. Tsohou, A., and Holtkamp, P. (2018). Are users competent to comply with information security policies? An analysis of professional competence models. Information Technology & People, 31(5), 1047-1068.  https://doi.org/10.1108/ITP-02-2017-0052
  190. Valasvuo, S. (2022). Cybersecurity development and business continuity plan for car dealership. 
  191. Vance, A., and Siponen, M. (2012). IS security policy violations: A rational choice perspective. Journal of Organizational and End User Computing, 24(1), 21-41. https://doi.org/10.4018/joeuc.2012010102. 
  192. Vance, A., Fellow, S., and Siponen, M. (2020). Effects of sanctions, moral beliefs, and neutralization on information security policy violations across cultures. Science of the Total Environment, 136126. https://doi.org/10.1016/j.scitotenv.2019.136126 
  193. Velazquez, Lucia. (2020). Examining Information Security Policy Violations, Rationalization of Deviant Behaviors, and Preventive Strategies Dissertation Manuscript Submitted to Northcentral University School of Business in Partial Fulfillment of the Requirements for the Degree o (Issue July). 
  194. Venkatesh, V., and Davis, F. D. (2000). Theoretical extension of the Technology Acceptance Model: Four longitudinal field studies. Management Science, 46(2), 186-204. https://doi.org/10.1287/mnsc.46.2.186.11926 
  195. Verkijika, S. F. (2018). Understanding smartphone security behaviors: An extension of the protection motivation theory with anticipated regret. Computers and Security, 77, 860-870. https://doi.org/10.1016/j.cose.2018.03.008. 
  196. Wahda, Mursalim, Fauziah, and Asty. (2020). Extra-role behavior improvement model: Organizational learning culture, organizational trust, and organizational justice approach. International Journal of Engineering Business Management, 12, 1-12. https://doi.org/10.1177/1847979020963774 
  197. Wang, J., Li, Y., and Rao, H. R. (2017). Coping responses in phishing detection: An investigation of antecedents and consequences. Information Systems Research, 28(2), 378-396. https://doi.org/10.1287/isre.2016.0680 
  198. Wang, J., Liu-Lastres, B., Ritchie, B. W., and Mills, D. J. (2019). Travellers' self-protections against health risks: An application of the full protection motivation theory. Annals of Tourism Research. 
  199. Wang, X., and Xu, J. (2021). Deterrence and leadership factors: Which are important for information security policy compliance in the hotel industry. Tourism Management, 84. https://doi.org/10.1016/j.tourman.2021.104282 
  200. Warkentin, M., Willison, R., Johnston, A. C., Warkentin, M., Willison, R., and Johnston, A. C. (2011). The role of perceptions of organizational injustice and techniques of neutralization in forming computer abuse intentions. In Proceedings of the Seventeenth Americas Conference on Information Systems, Detroit, Michigan. 
  201. Warrington, C. (2017). A study of personality traits to explain employees' information security behavior among generational cohorts. Journal of Organizational Psychology, 22(3). https://doi.org/10.33423/jop.v22i3.5647 
  202. Wetzels, M., Odekerken-Schroder, G., and Van Oppen, C. (2009). Using PLS path modeling for assessing hierarchical construct models: Guidelines and empirical illustration. MIS Quarterly: Management Information Systems, 33(1), 177-196. https://doi.org/10.2307/20650284 
  203. Williams, E. J., Hinds, J., and Joinson, A. N. (2018). Exploring susceptibility to phishing in the workplace. International Journal of Human Computer Studies, 120, 1-13. https://doi.org/10.1016/j.ijhcs.2018.06.004 
  204. Witte, K. (1992). Putting the fear back into fear appeals: The extended parallel process model. Communications Monographs, 59(4), 329-349.  https://doi.org/10.1080/03637759209376276
  205. Woon, I., Tan, G. W., and Low. (2005). A protection motivation theory approach to home wireless security. In International Conference on Information Systems (ICIS). Retrieved from http://aisel.aisnet.org/icis2005 
  206. Workman, M., Bommer, W. H., and Straub, D. (2008). Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24(6), 2799-2816. https://doi.org/10.1016/j.chb.2008.04.005 
  207. Wortley, R., and Sidebottom, A. (2017). Deterrence and rational choice theory. The Encyclopedia of Juvenile Delinquency and Justice, 1-6. https://doi.org/10.1002/9781118524275.ejdj0131 
  208. Xu, F., Hsu, C., Luo, X., and Warkentin, M. (2021). Reactions to abusive supervision: Neutralization and IS misuse. Journal of Computer Information Systems, 1-10. https://doi.org/10.1080/08874417.2021.1887776 November, 36. 
  209. Xu, J., Qureshi, A. R., Mohamed, Y., Dabagh, A., Kin, C. L., and Khan, R. (2021). Effective virtual interventions to enhance psychological capital: A mixed-methods systematic review. https://doi.org/10.31234/osf.io/dpjuy 
  210. Xu, Z., and Guo, K. (2017). Organizational Citizenship Behavior regarding Information Security (OCB-S): Leadership Approach Perspective organizational citizenship behavior regarding security (OCB-S): leadership approach perspective. Journal of Computer Information Systems. 
  211. Yan, Z., Robertson, T., Yan, R., Park, S. Y., Bordoff, S., Chen, Q., and Sprissler, E. (2018). Finding the weakest links in the weakest link: How well do undergraduate students make cybersecurity judgment?, Computers in Human Behavior, 84, 375-382. https://doi.org/10.1016/j.chb.2018.02.019 
  212. Yazdanmehr, A., and Wang, J. (2016). Employees' information security policy compliance: A norm activation perspective. Decision Support Systems, 92, 36-46. https://doi.org/10.1016/j.dss.2016.09.009 
  213. Yeo, L. H., and Banfield, J. (2022). Human Factors in Electronic Health Records Cybersecurity Breach: An Exploratory Analysis. Perspectives in Health Information Management, 19(Spring). 
  214. Young, and Ernst. (2011). Into the cloud, out of the fog; Global Information Security Survey. Into the Cloud, out of the Fog: Global Information Security Survey. Retrieved from https://www.Techzim.Co.Zw/Wp-Content/Uploads/Ey-Global-formationsecurity-Survey-Zimbabwe-Report-6-December-2011.Pdf 
  215. Zhang, X., Liu, S., Wang, L., Zhang, Y., and Wang, J. (2019). Mobile health service adoption in China: Integration of theory of planned behavior, protection motivation theory and personal health differences. Online Information Review, 44(1), 1-23. https://doi.org/10.1108/OIR-11-2016-0339 
  216. Zhao, L., Yin, J., and Song, Y. (2016). An exploration of rumor combating behavior on social media in the context of social crises. Computers in Human Behavior, 58, 25-36. https://doi.org/10.1016/j.chb.2015.11.054 
  217. Zhen, J., Xie, Z., Dong, K., and Chen, L. (2021). Impact of negative emotions on violations of information security policy and possible mitigations. Behaviour and Information Technology, 41, 2342-2354. https://doi.org/10.1080/0144929X.2021.1921029