Insiders’ Adaptations to Security-Based Demands in the Workplace: An Examination of Security Behavioral Complexity

  • A. J. Burns
  • Clay Posey
  • Tom L. Roberts


The protection of organizational information and information systems (IS) is a socio-technical issue and requires that insiders take on a more proactive set of security roles. Accordingly, we contend that insiders’ abilities to enact these diverse information security roles can be explained by behavioral complexity theory. Adapted to the security context, behavioral complexity theory stipulates that insiders’ ability to take appropriate precautions against organizational security threats is explained by (1) their repertoire of security roles and associated behaviors (i.e., security behavioral repertoire) and (2) their ability to switch from role to role (i.e., security behavioral differentiation). However, beyond behavioral complexity, protecting against complex security-related threats in the workplace requires significant psychological resources of insiders. Thus, to examine the influence of behavioral complexity on insiders’ protection motivation, we develop and examine an extended model of behavioral complexity that includes insiders’ workplace resilience, a significant work-related psychological resource. Our results fully support the extended security behavioral complexity model’s role in driving an insider’s protection motivation.


Behavioral complexity; Behavioral repertoire; Behavioral differentiation; Workplace resilience; Information security




Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. Department of Information Systems, Hankamer School of Business, Baylor University, Waco, USA
  2. Department of Management, College of Business, Cybersecurity and Privacy Cluster, Institute for Simulation & Training, University of Central Florida, Orlando, USA
  3. Department of Computer Science, College of Business and Technology, The University of Texas at Tyler, Tyler, USA
