The Impact of Challenge Information Security Stress on Information Security Policy Compliance: The Mediating Roles of Emotions

Lin Chen; Zongxiao Xie; Jie Zhen; Kunxiang Dong

doi:10.2147/PRBM.S359277

Back to Journals » Psychology Research and Behavior Management » Volume 15

Original Research

The Impact of Challenge Information Security Stress on Information Security Policy Compliance: The Mediating Roles of Emotions

Authors Chen L , Xie Z , Zhen J, Dong K

Received 26 January 2022

Accepted for publication 23 April 2022

Published 11 May 2022 Volume 2022:15 Pages 1177—1191

DOI https://doi.org/10.2147/PRBM.S359277

Checked for plagiarism Yes

Review by Single anonymous peer review

Peer reviewer comments 4

Editor who approved publication: Dr Igor Elman

Download Article [PDF]

Lin Chen,¹ Zongxiao Xie,² Jie Zhen,³ Kunxiang Dong⁴

¹College of Humanities and Law, Shandong University of Science and Technology, Qingdao, 266590, People’s Republic of China; ²China Financial Certification Authority, Beijing, 100054, People’s Republic of China; ³School of Management Science and Engineering, Chongqing Technology and Business University, Chongqing, 400067, People’s Republic of China; ⁴School of Management Science and Engineering, Shandong University of Finance and Economics, Jinan, 250014, People’s Republic of China

Correspondence: Zongxiao Xie, China Financial Certification Authority, 20-3, South Street of Caishikou, Xicheng District, Beijing, 100054, People’s Republic of China, Tel +86 18901086108, Email [email protected]

Introduction: Information security policy (ISP) compliance of employees has a profound impact on organization. In the context of information technology innovation and information systems upgrade, employees’ information security behavior is one of the most crucial elements in the information security management of organizations. Based on the two-dimensional model of challenge−hindrance stressor theory and affective events theory, this study explores the mediating effects of emotions on the relationship between challenge information security stress and ISP compliance.
Methods: A field quasi-experimental method was used in this study. Materials include the Challenge Information Security Stress Scale, Information System Security Policy Compliance Scale, and Emotions Scale, which were used to form the two-stage questionnaire surveys. Data of 217 employees from three Chinese companies in Shanghai and Beijing that had passed certifications for information security management system (GB/t22080-2008/ISO/IEC 27001:2005) were collected. Bootstrapping method for multiple mediation models and the Process 3.0 plug-in of SPSS 20.0 were used for data analysis.
Results: The findings indicate that challenge information security stress has a positive effect on ISP compliance. Challenge information security stress has a positive effect on positive emotions and a negative effect on negative emotions. Positive emotions have mediating effect between challenge information security stress and ISP compliance, but negative emotions have no mediating effect.
Conclusion: The research results expand the research scope of challenging stress in the two-dimensional model of challenge−hindrance stressor theory in the context of organizational information security. The findings reveal the mediating effect of positive emotions in challenge information security stress and ISP compliance relationship, which provides empirical support for the application of positive psychology in the field of management.

Keywords: challenge information security stress, information security policy compliance, positive emotions, negative emotions

Introduction

Organizations increasingly use information technology, which has become the key resource for an organization. An organization needs to ensure that information is not disclosed or inadvertently modified.^1,2 In addition to technical means, the most basic way to protect the information resources of an organization is to formulate an ISP to regulate the information security behaviors of employees. In the past 30 years, most information system researchers have focused on ISP violations.^3–5 Recently, an increasing number of researches have explored the influence mechanism of ISP compliance,^6–8 and with the continuous improvement of enterprise information security, the growing attention given to information security has brought stress to employees. In particular, when the security requirements of ISP exceed employees’ working ability, it will cause employees to feel information security stress.^9,10 According to challenge-hindrance stressor theory,^11,12 the positive components of information security stress are shown as challenge information security stress, which refers to the stress caused by work requirements that can bring individual growth opportunities or benefits to employees in the information security workflow. However, not much work has been done to explore the relationship between employees’ challenge information security stress and their ISP compliance. Thus, this study aims to explore how challenge information security stress influence ISP compliance.

Collectively, most prior studies are based on deterrence theory, protection motivation theory, rational choice theory, and theory of planned behavior to explore the influencing factors that lead to information security compliance and violation. However, limited research is available on its moderation effect and mediation effect.¹³ It would limit our understanding of the influence mechanism of employee compliance with ISP compliance. In addition, while past research has discussed employee compliance with ISP from the perspective of rationality, limited research has examined if and how emotion-related factors are associated with ISP compliance.¹⁴ This scarcity may be because of the complexity of the state of emotion itself. Studies have shown that emotions can be divided into two relatively independent basic dimensions: positive and negative emotions.^15,16 In this study, we explore the direct effect of positive and negative emotions on ISP compliance, and further study the multiple mediating effects of positive and negative emotions in the relationship between challenge information security stress and ISP compliance.

The goal of our research is to address the two theoretical gaps. First, the current study operates positive and negative emotions as employees’ information security-related variables in the research model drawing from prior studies.^15,16 We then examine the direct impact of positive and negative emotions on ISP compliance. In so doing, we can test and compare their respective effects on ISP compliance, thereby extending our understanding of ISP compliance related factors. Second, we explore the multiple mediating roles of positive and negative emotions on the relationship between challenge information security stress and ISP compliance by building a comprehensive research model. Based on the above literature insights on ISP compliance, emotion, and challenge-hindrance stressor theory, this study proposes the following questions: (1) Does positive and negative emotions have a direct effect on ISP compliance? (2) What is the role of positive and negative emotions in the relationship between challenge information security stress and ISP compliance?

This study contributes to the information security literature in the following three respects. First, we test the direct effect of positive and negative emotions on ISP compliance. The inclusion of such irrational factors into the ISP compliance research framework expands the application boundary of the theory deterrence theory and protection motivation theory. Second, we identify and investigate the mediating roles of positive and negative emotions in the relationship between challenge information security stress and ISP compliance. Given the positive effects of challenge stress found in many previous studies, this study has expanded from previous literature by focusing only on the challenge stress to test the different effect mechanism on ISP compliance in the context of information security management. Third, this study contributes to the HRM literature. Organizational performance can be improved focusing on employees’ information security pressure and emotion, because HRM has direct significant effects on organizational performance.^17,18

Theoretical Background and Hypothesis Development

Challenge-Hindrance Stressor Theory

Stress is an adaptive response of individuals to physical or psychological stressors. Selye divided stress into eustress and distress.¹⁹ The two-dimensional model was later proposed by Cavanaugh et al.¹² Stressors are distinguished into challenge and hindrance stress according to the source of stress.¹² Challenge stress is defined as job requirements that provide opportunities for personal growth or rewarding work experience, such as complexity and time constraints. Hindrance stress is defined as work requirements that hinder individual growth and goal achievement, such as role conflict and bureaucratic processes.

Challenge-hindrance stressor has become a significant theory in the field of organizational management and HRM.²⁰ Three well-known meta-analyses have provided support for the categorization of job stressors by Cavanaugh et al, but found that relationships between both stressors and work-related outcomes have opposite research results.^21–23 Earlier studies found that challenge stressors were positively related to performance. However, the findings of recent studies of the challenge–hindrance model have not supported the positive effects of challenge stressors, some studies have reported that challenge stressors were positively related to emotional exhaustion and negative health behaviors.^24,25 However, to the best of our knowledge, not many studies on the behavioral information security management domain have explored the relationship between challenge stressors and employees’ behaviors. At the same time, few studies have focused on the different effects of challenging stressors. Therefore, this study explores the direct effect of challenge stressors on employees’ ISP compliance and the multiple mediating roles of positive and negative emotions on the relationship between challenge information security stress and ISP compliance. Thus, the different effects of challenge stress should be tested.

Challenge stress is generally considered a type of positive pressure, because once individuals overcome challenge stress, they will achieve growth and gain benefits. In contrast, hindrance stress is a type of negative stress, because this type of stress hinders an individual from achieving work goals, and even if the stress is relieved, the individual will not gain any benefit. The distinction between these two types of stressors has been gradually recognized by researchers that focus on the workplace, and a large number of empirical studies have been conducted to verify their different influences on performance, job satisfaction, creativity, and turnover.²² In recent years, although research on information security stress has received extensive attention,¹⁰ few studies have clearly distinguished the different impact mechanisms of these two types of stressors.

Affective Events Theory

Affective events theory (AET) explains the relationship between employees and their emotional reaction to events that occur at work.²⁶ An affective event refers to “an incident that stimulates appraisal of and emotional reaction to a transitory or ongoing job-related agent, object, or occurrence”.²⁷ The theory takes stress as an emotional event that can arouse specific emotions and emotional reactions from individuals, and trigger different behavioral reactions among individuals.¹⁶ According to this theory, the same work event, individual cognitive differences or other factors will arouse positive and negative emotions and ultimately affect work performance.

AET is not only used to explain work-related emotions, but also has expanded to many areas of research in recent years, such as affect mediating the relationship between micro-daily events and well-being,²⁸ job satisfaction and job insecurity mediating the relationship between incivility and intrapreneurial behavior.²⁹ Hence, AET has become a significant theory in the field of organizational behavior and HRM, the motivation of researchers increased to test how employees’ behavior is affected by various events and emotions. Based on AET, in the context of information security management, information security stress, as an event, will affect employees’ emotions and information security behavior.

AET provides a framework for exploring work events and their emotional responses. Recently, AET has been applied to information security studies.^30,31 Accordingly, when an employee is in a situation in which they need to decide whether to comply with a security policy to complete work tasks, different characteristics of the organizational setting may result in experiencing positive and negative emotions, which may lead to changes in their behavior.³² AET posits that features of the work environment may affect work events which, in turn, may influence affective responses. In the context of our study, we consider challenge information security stress to be an aspect of the work environment. This study considers positive and negative emotions as possible affective responses that a security policy compliance employee may experience.

Hypothesis Development

Challenge Information Security Stress and ISP Compliance

Challenge information security stress comes from the study of stress. Stress is an enduring theme in the workplace, and information security stress refers to the individual cognitive and psychological experience arising from employees’ direct or indirect contact, learning, and use of information technology and information system to ensure that operational behaviors meet compliance and work requirements.³³ Information security stress can be divided into challenge information security stress and hindrance information security stress based on the two-dimensional model of challenge-hindrance stressor theory. This study defines challenge information security stress as the stress that brings growth opportunities or rewarding work demand for individuals in the information security work process. The job requirement includes improving set-up rules for the regulation elements of the information security system, strengthening the injunctive norm in norm elements, and strengthening the construction of information security culture in cultural elements.

ISP compliance refers to the compliance of employees with information security policies, procedures, or guidelines. The specific name of the policy and the number of normative documents may vary from organization to organization.⁴ Enterprise ISP is a type of system design. A perfect ISP should not only meet external compliance but also have the function of regulating and restricting the behavior of employees.³⁴ Recent research on information security behavior attempt to identify the factors that can encourage employees to comply with information security policies.^35,36 Effective research on these factors can help organizations manage employees to encourage them to comply with information security policies. Information security research has focused more on compliance than noncompliance behaviors and security-related stress provided significant evidence of noncompliance.³⁷ ISP compliance has been enhanced through the factors of organizational climate.³⁸ However, not many studies have distinguished the types of stressors and its effect on ISP compliance.

Many studies analyze the influence of certainty, severity, timeliness, fairness, and appropriateness of organizational punishment on employees’ ISP compliance by referring to deterrence theory in criminology research.^2,39 Furthermore, based on the theory of social norms, theory of planned behavior, and theory of normative activation, some studies have explored the influence of different normative forms, such as prescriptive, exemplary, subjective, and self-norms, and face orientation on employees’ compliance with information security policies.⁴⁰ The penalty regulations and all kinds of norms discussed in the above research involve challenging information security pressure. However, no further study has been conducted on it. However, some studies explore technical stress and the role of stress in the information security of the organization, which affect ISP compliance.⁹ According to the analysis of the two-dimensional model of challenge-hindrance stressor theory, technical stress and the role of stress, embodied in challenging information security stress, is a form of positive stress. Such positive stress will lead to growth opportunities and benefits for employees, which make them likely to comply with information security policies. Therefore, this study proposes the following hypothesis:

H1: Challenge information security stress has a significant positive effect on ISP compliance.

Challenge Information Security Stress and Emotions

Morrison and Robinson pointed out that understanding the psychological processes of employees within the organizational structure is important to reduce the abuse of computers by employees.⁴¹ Computer abuse behavior has a complex relationship with the psychological attributes of violators and the organizational environment.⁴² Most existing studies on violations are based on the control function of deterrence theory or the cognitive response of the cognitive model. However, ISP violations may involve emotional factors.^41,43 In addition, case studies have pointed out that emotion is a key psychological factor in computer abuse.⁴⁴ Therefore, the influence of emotions should be considered in the framework of information security behavior research.^45,46 Moreover, in the field of information security study, the theory of fear appeal and protection motivation theory involve the negative emotion of fear.

Based on AET, challenge information security stress, as an emotional event, can induce certain emotions in individuals and affect their behaviors. When talking of the positive emotion of concentration, Watson and Tellegen pointed out that in the workplace, the higher an individual employee’s concentration, the more fun he/she would feel, and the more interest and work commitment he/she would have.⁴⁷ In fact, challenge information security stress is a form of positive stress, and once employees in the workplace can control and deal with challenge information security stress, they will achieve personal growth, skill improvement, and good performance. Hence, an individual under challenge information security stress will produce positive emotions, such as higher levels of focus, excitement, self-assurance, and other positive emotions. Cavanaugh et al also found a positive effect on positive emotions in the study of managers’ challenge stress.¹² Based on the above analysis, this study proposes the following hypothesis:

H2: Challenge information security stress has a significant positive impact on positive emotions.

Challenge information security stress can induce positive and negative emotions. Emotions by themselves are characterized by concreteness and diversity if emotions are divided into positive and negative emotions in terms of the structure of emotions, which is a continuous whole. That is, emotions are aroused in an individual in the face of an induced event, and this arousal is not a single emotional state but a mixture of positive and negative emotions; hence, the term “mixed emotions.” This reason explains why research on emotions has always been complex and difficult to measure. Therefore, challenge information security stress, as a stressful event, will not only trigger positive emotions such as individual focus, excitement, and self-assurance, but also cause certain negative emotions, such as tension, anxiety, and even fear. This finding was also verified by Rodell and Judge, who determined that challenge stress has a significant effect on concentration and anxiety.⁴⁸

Moreover, studies have found that constant stress can lead to increased tension.⁴⁹ Positive stressors such as challenging information security stress also induce tension, anxiety, and other negative emotions. However, once an individual becomes conscious that this stress can be controlled or addressed, the individual can gain benefits, which will reduce the degree of tension and anxiety. Thus, employees’ negative emotions decrease as challenge information security stress increases, based on the above analysis, the following hypothesis is proposed:

H3: Challenge information security stress has a significant negative effect on negative emotions.

Emotions and ISP Compliance

Emotion is intrinsically action-oriented, that is, after emotional arousal; emotions will guide an individual’s subsequent behavioral response. At present, several relevant studies on emotions in the workplace have found that emotions can affect job performance and satisfaction, such as organizational citizenship behavior, organizational commitment, turnover intention, and workplace deviance.¹⁵ Furthermore, based on AET, challenge information security stress, as a work event, will further affect related work behavior performance after arousing the positive and negative emotions of individuals, that is, ISP compliance. Moreover, recent research has found a relationship between emotional reactions and coping responses of the IT security team.⁵⁰ Therefore, in the field of ISP research, emotions are an important variable, which can explain the information security behavior of employees.

Isen and Patrick found that if individuals are in a positive emotional state, they are more likely to avoid risks.⁵¹ Therefore, researchers have proposed the Mood Maintenance Hypothesis, which posits that if emotions are positive, we should maintain the positive state and not do things that will bring negative emotions. Hermans et al further verified this hypothesis.⁵² Therefore, based on the Mood Maintenance Hypothesis, if ISP violation is regarded as a risk behavior, in the context of challenge information security stress, once individuals are in a positive emotional state, they will do their best to avoid this risk and will do more behaviors that are considered ISP compliant. Specifically, if challenge information security stress evokes more positive emotions in individual employees, they experience more positive emotions, such as focus, fun, and self-assurance at their workplace. Moreover, they will avoid taking risks and will do their best to engage in ISP compliance, which is consistent with the orientation of positive psychology. Based on the above analysis, this study proposes the following hypothesis:

H4: Positive emotions have a significant positive effect on ISP compliance.

If individuals are in a negative emotional state, they are more likely to take risks according to the Mood Maintenance Hypothesis.⁵¹ This hypothesis is similar to the principles of “if unhappy, bet on the big one.” Based on the Mood Maintenance Hypothesis, if ISP violations become a form of risky behavior in the context of challenge information security stress, once an individual has aroused a negative emotional state, the individual will try to do such risks that are violations. Thus, ISP compliance becomes relatively lower. Under the challenging information security stress, if individual employees experience more negative emotions, such as tension, anxiety, and even fear, they will take more illegal risks. Correspondingly, information security compliance will be reduced. Conversely, ISP compliance increases if the level of their negative emotions decreases. Therefore, this study proposes the following hypothesis:

H5: Negative emotions have a significant negative effect on ISP compliance.

In summary, challenge information security stress positively affects ISP compliance. Specifically, challenge information security stress has a positive influence on ISP compliance by stimulating positive emotions. Moreover, challenge information security stress has a positive effect on ISP compliance by suppressing negative emotions. Based on this analysis, the following hypotheses are further proposed.

H6: Positive emotions play a mediating role in the relationship between challenge information security stress and ISP compliance.

H7: Negative emotions play a mediating role in the relationship between challenge information security stress and ISP compliance.

Figure 1 shows the overall research model of this study. This research model has two innovations as compared with the existing research. First, in the context of information security management, the two-dimensional model of challenge-hindrance stressor theory highlights that the key factor influencing employee ISP compliance is challenge information security stress. Second, the multiple mediating effects of positive and negative emotions are identified, which means the internal mechanism of challenge information security stress that affects ISP compliance needs to be explored. Moreover, a theoretical explanation is given from the perspective of emotions. These two innovations are of great significance for enterprises to reasonably utilize the positive dimension of stress in the process of information security management. These innovations are valuable for conducting emotion management and guidance from the perspective of employees to improve the information security management of enterprises. In addition, information security is more of a challenge stressor in the context of digital transformation.⁵³ Hence this research model can expand the theoretical understanding of challenge-hindrance stressor theory by focusing only on the challenge stressor, and at the same time extend the AET by focusing on both the positive emotions and the negative emotions.

Figure 1 Research model.

Methodology

Sample and Data Collection

In this study, the data were collected using the field quasi-experimental method through a two-stage questionnaire survey. The field quasi-experimental method was used in this study for two reasons. First, information security stress is a kind of stress related closely to the work scene.⁵⁴ Second, it is more effective to use an experimental method to arouse and measure employees’ emotions.⁵⁵ The researchers used simple random sampling to select three Chinese companies in Shanghai and Beijing that had passed certifications for information security management system (GB/t22080-2008/ISO/IEC 27001:2005) as research objects. Specific samples were for management and professional technicians involved in the information security work behavior of these three companies through systematic sampling. There are two reasons for sampling in this way. First, the quasi-experimental research method of samples from the same Chinese social background was used in this study, which controls the influence of social culture. Second, the sampling ensured that the professional background of the samples was reasonable. The purpose of data collection from three companies was to reduce common method bias. The sample size of 217 employees from the three companies was sufficient for data analysis.⁵⁶

This study considers the Chinese sample as an answer to calls for more research on information security behavior in China.⁵⁴ This study contributed to a greater understanding of the employees’ information security behavior in China, which has become a major user of advanced information technology in the context of today’s global economy digital transformation, and which have introduced many government policies in recent years. Before the formal study, specific research procedures were discussed, modified and demonstrated repeatedly by relevant experts and enterprise managers.⁵⁶ Finally the specific methods and procedures are determined as follows.

Procedures

The procedures of the field quasi-experimental method have two stages. In the first stage, the field quasi-experimental research method was used to carry out situational control of challenge information security stress based on the actual work of the companies.⁵⁶ The specific methods are as follows. Through the information security work meeting, further upgrade requirements were released for information security related to the company. Specific requirements in the information security system included improvements to the regulatory elements in the rule setting, reinforcement of the prescriptive norms in normative elements, and strengthening of the cultural elements in the information security cultural atmosphere construction. Thus, a challenge information security stress situation was created. In the meeting, after the completion of work requirements, the researchers distributed questionnaires on the challenge information security stress and emotions, and on-site recovery. This method is used because emotion is a strong affect, which directly points to someone or something, lasts a short time, and will be generalized into the state of mood over time.

An emotional response is a dynamic process with multiple and timeliness. After arousing emotions under corresponding situations, individuals are asked to report their emotional state in real-time. The self-report method is adapted to measure current emotions.⁵⁵ The total number of participants in the meeting was 298, and 296 questionnaires were collected, representing a recovery rate of 99.33%. A total of 263 questionnaires were valid, with an effective rate of 88.85%. Questionnaires were filled in anonymously and were returned according to the seat number. After the questionnaires were collected, the company’s manager assisted the researchers confirming the respondents of each questionnaire through on-site photos.

The second phase took place a week after the conference. All participants received an ISP compliance questionnaire via email. Participants were tasked to evaluate their ISP compliance in the past week and return completed questionnaires via email within three days. Using email addresses provided by participants, data matching was performed between the data in the first stage and second stage of the questionnaire to remove invalid or missing data in the second stage of the questionnaire. Finally, 217 valid questionnaires were obtained, and the overall questionnaire effective rate was 72.82%. Table 1 shows the descriptive statistics of employees who participated in the study.

Table 1 Descriptive Statistics of Samples (N = 217)

Measures

The variable measurement of this study is based on existing related domestic and foreign maturity scales. First, the researchers asked two experts and scholars in this field to translate the English scale into Chinese and back-translate it into English to ensure accurate translation. Second, according to the definition of this study, the researcher determined the literal expression of items in the scale through discussion to ensure the construct validity of the questionnaire survey. Table 2 shows the measurement of each construct and specific items.

Table 2 Survey Items of Variables

Challenge Information Security Stress

The situation was set on the current challenge information security stress with a total of six items based on the challenge stress scale of Cavanaugh et al¹² and referring to the information security stress scale of Ayyagari et al⁵⁷ and Lee et al.¹⁰ Employees were asked to evaluate the degree of stress caused by the content described in the item according to their current feelings. A seven-point Likert scale was adopted, with 1 meaning “no pressure” and 7 meaning “super pressure.” In this study, Cronbach’s α for the scale was 0.775.

ISP Compliance

This was measured according to the ISP compliance attitude scale of Ifinedo,⁶ and referring to the ISP compliance scale of Tyler and Blader⁵⁸ and Yazdanmehr and Wang.⁴⁰ Employees were asked to evaluate their performance in the past week. A seven-point Likert scale was adopted, with 1 representing “none at all,” and 7 representing “many.” The Cronbach’s α for the scale was 0.833.

Emotions

The scale is based on the positive and negative emotions scale of Watson et al⁵⁹ and refers to the emotions scale of Rodell and Judge,⁴⁸ which contains seven words related to positive emotions and eight words related to negative emotions. Employees rated their feelings based on the emotional vocabulary provided. A seven-point Likert scale was used, with 1 meaning “very slight or no,” and 7 meaning “very strong.” Cronbach’s α were 0.761 and 0.878 in the positive and negative emotions scale respectively of the present study.

Data Analyses and Results

Common Method Biases Analysis

The common method biases were avoided to some extent in terms of the research method design given that the survey designed in this study was collected in a two-stage method and a one-week interval. Nonetheless, the variable data come from the self-report survey samples. A common method bias test is still necessary to avoid the reduction of construct validity. The research adopts the Harman single factor test,⁶⁰ and the test results show that the first-factor variance explained 29.933%, which is less than 40%. Hence, common method bias does not exist.

Descriptive Statistics and Correlation Analysis

Table 3 shows the mean, standard deviation, and correlation coefficient of the four variables of challenge information security stress (X), positive emotions (M1), negative emotions (M2), and ISP compliance (Y). Challenge information security stress was significantly and positively correlated with positive emotions (r = 0.319, p < 0.01). Challenge information security stress was negatively correlated with negative emotions (r = − 0.613, p < 0.01). Positive and negative emotions were significantly and negatively correlated (r = − 0.146, p < 0.05). A significant positive correlation was found between challenge information security stress and ISP compliance (r = 0.398, p < 0.01). Positive emotions were significantly and positively correlated with ISP compliance (r = 0.704, p < 0.01). Negative emotions were significantly and negatively correlated with ISP compliance (r = −0.181, p < 0.01). The correlation coefficients of the four variables all reached the significance level, indicating that the data were suitable for the multi-mediation model test. Moreover, the correlation between the four variables was consistent with the theoretical expectation, which provided preliminary evidence for the subsequent test of the research hypothesis.

Table 3 Descriptive Statistics, Correlation, Reliability, and Validity of Variables (N = 217)

Reliability and Validity

In this study, combined reliability (CR) and Cronbach’s α reliability test were used. Discriminant validity was verified by determining whether the square root of the AVE of variables is greater than the correlation value between variables. Table 3 shows the indicators. Cronbach’s α reliability of the four variables of challenge information security stress, positive emotions, negative emotions, and ISP compliance are 0.775, 0.761, 0.878, and 0.833, respectively. The CR was 0.840, 0.838 0.906, and 0.897, respectively. Each reliability value is greater than 0.7, which is within the acceptable range, which indicates that the measurement reliability of the variable scale is high. Moreover, the square root of AVE ranges between 0.647 and 0.802 (see Table 3), which are greater than the correlation between the different variables (except for the correlation coefficient between positive emotions and ISP compliance [r = 0.704] is slightly greater than the AVE square root). Thus, variable measurement has good validity.

Hypotheses Testing

This study tested the multi-mediator model by using the bootstrapping method recommended by Preacher and Hayes.⁶¹ According to the research hypothesis, challenge information security stress is the independent variable, ISP compliance is the dependent variable, and the two mediators are positive and negative emotions. The sample size set is 5000, with a 95% confidence interval.⁶² This study used the Process 3.0 plug-in of SPSS 20.0 to check the following significance of the regression coefficients in the multi-mediator equation. c, a₁, a₂, b₁, b₂, and c’ are the regression coefficients of the equation. ε₁, ε₂, ε₃, and ε₄ are the residual error of each equation. Tables 4 and 5 show the specific results.

(1)

(2)

(3)

(4)

Table 4 Results of Regression Equation (N = 217)

Table 5 Bootstrapping Analysis Results of Multiple Mediating Effects (N = 217)

Table 4 shows that the regression coefficient in equation (1), c = 0.434 (p < 0.001), indicates that challenge information security stress significantly and positively influences ISP compliance. Hence, Hypothesis 1 is supported. This result is the basis for subsequent tests of multiple mediating effects.

The regression coefficients in equations (2) and (3), a₁ = 0.283 (p < 0.001), a_{2 =} − 0.561 (p < 0.001), indicate that challenge information security stress has a significant positive effect on positive emotions, and a significant negative effect on negative emotions. Thus, Hypothesis 2 and 3 are supported.

In equation (4), the regression coefficient c’ = 0.245 (p < 0.001), b₁ = 0.785 (p < 0.001), b₂ = 0.060 (p = 0.399 > 0.1) indicates that positive emotions have a significant positive effect on ISP compliance, whereas negative emotions do not have a significant effect on ISP compliance. Therefore, Hypothesis 4 is supported, but Hypothesis 5 is not.

In the inspection index of the overall model, R² = 0.531, which shows that the ISP compliance of 53.1% can be explained by the model, and the fitting of the model is good. F = 80.390, p = 0.000 shows that the effect of the independent variable challenge information security stress on ISP compliance is significant by the multi-mediating of positive emotions and negative emotions.

The bootstrapping method was used to test the multiple mediator model and not only the overall indirect effect but also the single mediator. The mediating effects were compared. The above effect can be made with the 95% confidence interval, that is, if the 95% confidence interval does not contain 0, then the mediating effect is significant.

Table 5 shows the overall indirect effect of challenge information security stress a₁*b₁ + a₂*b₂ = 0.190. In addition, 95% of the bootstrap confidence interval is {0.064, 0.313}. The completely standardized 95% of the bootstrap confidence interval is {0.061, 0.275}, and the confidence interval does not include 0. Therefore, the null hypothesis that the total indirect effect is zero is rejected, indicating that the total indirect effect is significant.

Table 5 also shows the mediating effect value is as follows. Through positive emotion: a₁*b₁ = 0.222, the 95% CI of the bootstrap is {0.134, 0.324}. The 95% CI of the completely standardized is {0.129, 0.280}, all of which do not include 0. Therefore, the mediating effect of positive emotions is significant, which supports Hypothesis 6. Through negative emotions: a₂*b₂ = − 0.034, the 95% CI of the bootstrap is {− 0.124, 0.050}. The 95% CI of completely standardized is {− 0.116, 0.045}, all including 0. Thus, the mediating effect of negative emotions is not significant and Hypothesis 7 has not been verified.

In addition, two mediating effects were compared. a₁*b₁ − a₂*b₂ = 0.256, 95% CI of the bootstrap is {0.131, 0.387}. The 95% CI of the completely standardized bootstrap is {0.124, 0.347}, all of which did not include 0. Therefore, the difference between the two mediating effects was significant, which also verified the above results. Thus, Hypothesis 6 is true, whereas Hypothesis 7 is not. Figure 2 shows the model results of this study.

Figure 2 Results of the model.

Discussion

This study adopted a two-stage survey with the field quasi-experimental method based on the two-dimensional model of challenge-hindrance stressor theory and AET. Employees of Chinese enterprises certified by the information security management system (GB/T22080-2008/ISO/IEC 27001:2005) were taken as research objects to explore the mechanism between challenge information security stress and ISP compliance. This study verified the positive effect of challenge stressors and the mediating effect of positive emotions using the different distinguishing effects of challenge stressors. Therefore, the challenge-hindrance stressor theory and AET is further developed in the field of information security behavior research.

Relationship Between Challenge Information Security Stress and ISP Compliance

The present study found that challenge information security stress has a significantly positive influence on ISP compliance, which indicates the positive significance of challenge information security stress. The higher the level of challenge information security stress, the more inclined employees are to follow information security policies. This finding is consistent with the conclusions of Hwang and Cha⁹ and Zhen et al.⁵⁴ The result also verifies the theory of challenge stressor in the two-dimensional model of stressors in the context of organizational information security.

The implications of the finding for enterprises in the practice of information security management are to emphasize challenge information security stress in organizations. For example, adopting new technologies or upgrading systems in the information security work process should be prioritized to provide individual employees with growth opportunities. In specific work requirements such as rule setting, norms and cultural elements, the benefits brought to employees through work experience are emphasized. Challenge information security stress encourages staff to comply with information security policies.

Different Effects of Challenge Information Security Stress on Emotions

The present study found that challenge information security stress has a significant positive effect on positive emotion and a significant negative effect on negative emotions. The conclusion further verifies the positive significance of information security stress from the perspective of the psychological process of employees. This finding is consistent with the conclusions of Farshadkhah et al.³² Moreover, the conclusion also responds to Siponen and Vance,⁴⁶ who proposed considering emotions in the framework of information security behavior research. The conclusion supports AET in the field of information security behavior research.

The implications of this finding for enterprises in the practice of information security management are as follows. Emotion management of information security work process should be given more attention. This study increases practitioner awareness of the importance of an organization’s challenge stress particularly in departments wherein employees deal with information security. However, the psychological state of employees should not be ignored. The content of information security work itself is complex, which has a high effect and demand on the psychological state of employees. Our findings highlight the importance of controlling and monitoring employee affect, which is a critical element in the protection of organizational information and assets.

Mediating Role of Positive Emotions

The present study found that positive emotions have a mediating effect on the relationship between challenge information security stress and ISP compliance. This finding reveals that challenge information security stress has a positive effect on ISP compliance only by inducing positive emotions, whereas negative emotions have no mediating effect. Thus, while challenge information security stress can be explained by the mediating mechanism of emotions, but only positive emotions play a role. The reduction of negative emotions does not lead to more ISP compliance. This research conclusion challenges Isen and Patrick’s Mood Maintenance Hypothesis.⁵¹ To some extent, this finding supports the Affective Generalization Hypothesis.⁶³ At the same time, this finding also provides empirical support for the application of positive psychology in the field of management.

This finding offers valuable insights to the organization, which suggests that changes in challenge information security stress factors might influence ISP compliance through positive emotion. In the process of emotion management, enterprises should not focus too much attention to negative emotions during stressful situations. Negative emotions are only a natural reaction under the challenge information security stress situation, which does not have a significant effect on ISP compliance. Instead, companies should focus on encouraging and guiding positive emotions in their employees. Ultimately, such human resource management will improve organizational performance.¹⁷

Limitations and Future Research

This study has three limitations that can guide future research. First, the evaluation of employee emotions is conducted using a self-reported survey, which ignores some objective state characteristics of emotional reactions. Hence, future research can examine the relationship between emotions and ISP compliance using physiological index measurement or behavioral observation method. Second, the factors affecting ISP compliance are relatively complex, which is consistent with the significant finding that 53.1% of ISP compliance can be explained by the model in the overall model test. Thus, future research can explore the influence of more independent and moderating variables by adding organization and group-level factors, such as organizational culture and leader-member exchange. It may also be interesting to investigate situations on employee ISP compliance, perhaps as a following behavior, when leaders are compliant with ISP. In these cases, the emotions and commitment may serve to promote compliance. Finally, because this study focuses on samples only in China, future research can examine the relationship between challenge information security stress, positive emotions, negative emotions, and ISP compliance through cross-cultural comparative studies. Multicultural research is required to understand how challenge information security stress influence ISP compliance in diverse contexts because the perception and expression of stressors and emotions are related to socio-culture.²⁵

Conclusion

Based on the challenge-hindrance stressor theory and AET, we developed and tested a theoretical model that linked challenge information security stress, positive emotions, negative emotions, and ISP compliance. The empirical results supported some research hypotheses, and the findings increase knowledge on studies in the field of behavioral information security management. First, challenge information security stress has a significantly positive influence on positive emotions and a significantly negative influence on negative emotions. In addition, challenge information security stress has a significantly positive influence on ISP compliance. Second, positive emotions have a significantly positive influence on ISP compliance. Third, positive emotions play mediating roles in the relationship between challenge information security stress and ISP compliance. The results are consistent with the difference in the effect of challenge stressors found in previous studies.^24,25 The findings of this study addressed the research gap on the limited number of studies that have focused on emotion-related factors that influence ISP compliance.

Acknowledgments

The authors thank the samples who participated in the study.

Author Contributions

All authors made significant contributions to the conception and design, collection and analysis of data, and drafting or revising of the article. They gave their final approval of the version to be published and have agreed on the journal to which the article has been submitted. They also agree to be accountable for all aspects of the work.

Ethics Statement

All study procedures were approved by the Academic the Committee of College of Humanities and Law, Shandong University of Science and Technology, and informed consent of the participation was implied through survey completion. Moreover, it was conducted in accordance with the Declaration of Helsinki.

Funding

This study was supported by the Natural Science Foundation of Shandong Province, China (ZR2020MG024), the Natural Science Foundation of Chongqing, China (cstc2020jcyj-msxmX0820) and the National Social Science Found of China (21CGL017).

Disclosure

The authors report no conflicts of interest in this work.

References

1. Willison R, Warkentin M. Beyond deterrence: an expanded view of employee computer abuse. MIS Q. 2013;37(1):1–20. doi:10.25300/MISQ/2013/37.1.01

2. Cram WA, Proudfoot JG, D’Arcy J. Organizational information security policies: a review and research framework. Eur J Inform Syst. 2017;26(6):605–641. doi:10.1057/s41303-017-0059-9

3. D’Arcy J, Herath T. A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. Eur J Inform Syst. 2011;20(6):643–658. doi:10.1057/ejis.2011.23

4. Guan BW, Hsu CR. The role of abusive supervision and organizational commitment on employees’ information security policy noncompliance intention. Internet Res. 2020;30(5):1383–1405. doi:10.1108/INTR-06-2019-0260

5. Zhen J, Xie ZX, Dong KX, Chen L. Impact of negative emotions on violations of information security policy and possible mitigations. Behav Inform Technol. 2021;1921029. doi:10.1080/0144929X.2021.1921029

6. Ifinedo P. Information systems security policy compliance: an empirical study of the effects of socialisation, influence, and cognition. Inform Manag. 2014;51(1):69–79. doi:10.1016/j.im.2013.10.001

7. Moody GD, Siponen M, Pahnila S. Toward a unified model of information security policy compliance. MIS Q. 2018;42(1):285–311. doi:10.25300/MISQ/2018/13853

8. Pham H-C, El-den J, Richardson J. Stress-based security compliance model – an exploratory study. Inform Comput Secur. 2016;24(4):326–347. doi:10.1108/ICS-10-2014-0067

9. Hwang I, Cha O. Examining technostress creators and role stress as potential threats to employees’ information security compliance. Comput Hum Behav. 2018;81:282–293. doi:10.1016/j.chb.2017.12.022

10. Lee C, Lee CC, Kim S. Understanding information security stress: focusing on the type of information security compliance activity. Comput Secur. 2016;59:60–70. doi:10.1016/j.cose.2016.02.004

11. Burns AJ, Posey C, Roberts TL, Lowry PB. Examining the relationship of organizational insiders’ psychological capital with information security threat and coping appraisals. Comput Hum Behav. 2017;68:190–209. doi:10.1016/j.chb.2016.11.018

12. Cavanaugh MA, Boswell WR, Roehling MV, Boudreau JW. An empirical examination of self-reported work stress among U.S. managers. J Appl Psychol. 2000;85(1):65–74. doi:10.1037/0021-9010.85.1.65

13. Chen XF, Wu DZ, Chen LQ, Teng JKL. Sanction severity and employees’ information security policy compliance: investigating mediating, moderating, and control variables. Inform Manag. 2018;55(8):1049–1060. doi:10.1016/j.im.2018.05.011

14. Boss SR, Galletta DF, Lowry PB, Moody GD, Polak P. What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Q. 2015;39(4):837–864. doi:10.25300/MISQ/2015/39.4.5

15. Ashkanasy NM, Catherine SD. Emotion in the workplace: the new challenge for managers. Acad Manag Exec. 2002;16(1):76–86. doi:10.5465/AME.2002.6640191

16. Weiss HM, Cropanzano R. Affective events theory: a theoretical discussion of the structure, causes and consequences of affective experiences at work. In: Research in Organizational Behavior: An Annual Series of Analytical Essays and Critical Reviews. Vol. 18. US: Elsevier Science/JAI Press; 1996:1–74.

17. Haque A. Strategic HRM and organisational performance: does turnover intention matter? Int J Organ Anal. 2021;29(3):656–681. doi:10.1108/IJOA-09-2019-1877

18. Sobhani FA, Haque A, Rahman S. Socially responsible HRM, employee attitude, and bank reputation: the rise of CSR in Bangladesh. Sustainability. 2021;13(5):2753. doi:10.3390/su13052753

19. Selye H. History and present status of the stress concept. In: Alan M, Richard SL, editors. Stress and Coping: An Anthology. Columbia University Press; 1991:21–35. doi:10.7312/mona92982-007

20. Jannesari MT, Sullivan SE. Leaving on a jet plane? The effect of challenge–hindrance stressors, emotional resilience and cultural novelty on self-initiated expatriates’ decision to exit China. Pers Rev. 2021;51(1):118–136. doi:10.1108/pr-05-2020-0362

21. Podsakoff NP, LePine JA, LePine MA. Differential challenge stressor-hindrance stressor relationships with job attitudes, turnover intentions, turnover, and withdrawal behavior: a meta-analysis. J Appl Psychol. 2007;92(2):438–454. doi:10.1037/0021-9010.92.2.438

22. Lepine JA, Podsakoff NP, Lepine MA. A meta-analytic test of the challenge stressor–hindrance stressor framework: an explanation for inconsistent relationships among stressors and performance. Acad Manag J. 2005;48(5):764–775. doi:10.5465/AMJ.2005.18803921

23. Mazzola JJ, Disselhorst R. Should we be “challenging” employees?: a critical review and meta‐analysis of the challenge‐hindrance model of stress. J Organ Behav. 2019;40(8):949–961. doi:10.1002/job.2412

24. Kern M, Heissler C, Zapf D. Social job stressors can foster employee well-being: introducing the concept of social challenge stressors. J Bus Psychol. 2020;36(5):771–792. doi:10.1007/s10869-020-09702-7

25. French KA, Allen TD, Henderson TG. Challenge and hindrance stressors and metabolic risk factors. J Occup Health Psychol. 2019;24(3):307–321. doi:10.1037/ocp0000138

26. Luo MM, Chea S. Cognitive appraisal of incident handling, affects, and post-adoption behaviors: a test of affective events theory. Int J Inform Manage. 2018;40:120–131. doi:10.1016/j.ijinfomgt.2018.01.014

27. Basch J, Fisher C. Affective events–emotions matrix: a classification of work events and associated emotions. Sch Bus Discuss Pap. 1998;65:36–48.

28. Junça-Silva A, Pombeira C, Caetano A. Testing the affective events theory: the mediating role of affect and the moderating role of mindfulness. Appl Cognit Psychol. 2021;35(4):1075–1081. doi:10.1002/acp.3843

29. Itzkovich Y, Heilbrunn S, Dolev N. Drivers of intrapreneurship: an affective events theory viewpoint. Pers Rev. 2021. doi:10.1108/PR-09-2019-0483

30. D’Arcy J, Teh PL. Predicting employee information security policy compliance on a daily basis: the interplay of security-related stress, emotions, and neutralization. Inform Manag. 2019;56(7):103151. doi:10.1016/j.im.2019.02.006

31. Ormond D, Warkentin M, Crossler RE. Integrating cognition with an affective lens to better understand information security policy compliance. J Assoc Inf Syst. 2019;20(12):1794–1843. doi:10.17705/1jais.00586

32. Farshadkhah S, Van Slyke C, Fuller B. Onlooker effect and affective responses in information security violation mitigation. Comput Secur. 2021;100:102082. doi:10.1016/j.cose.2020.102082

33. Tarafdar M, Cooper CL, Stich JF. The technostress trifecta-techno eustress, techno distress and design: theoretical directions and an agenda for research. Inform Syst J. 2019;29(1):6–42. doi:10.1111/isj.12169

34. Niemimaa E, Niemimaa M. Information systems security policy implementation in practice: from best practices to situated practices. Eur J Inform Syst. 2017;26(1):1–20. doi:10.1057/s41303-016-0025-y

35. Furnell S, Clarke N. Power to the people? The evolving recognition of human aspects of security. Comput Secur. 2012;31(8):983–988. doi:10.1016/j.cose.2012.08.004

36. Safa NS, Sookhak M, Von Solms R, Furnell S, Ghani NA, Herawan T. Information security conscious care behaviour formation in organizations. Comput Secur. 2015;53:65–78. doi:10.1016/j.cose.2015.05.012

37. Ali RF, Dominic PDD, Ali SEA, Rehman M, Sohail A. Information security behavior and information security policy compliance: a systematic literature review for identifying the transformation process from noncompliance to compliance. Appl Sci. 2021;11(8):3383. doi:10.3390/app11083383

38. Dong K, Ali RF, Dominic PDD, Ali SEA. The effect of organizational information security climate on information security policy compliance: the mediating effect of social bonding towards healthcare nurses. Sustainability. 2021;13(5):2800. doi:10.3390/su13052800

39. Son JY, Park J. Procedural justice to enhance compliance with non-work-related computing (NWRC) rules: its determinants and interaction with privacy concerns. Int J Inform Manage. 2016;36(3):309–321. doi:10.1016/j.ijinfomgt.2015.12.005

40. Yazdanmehr A, Wang JG. Employees’ information security policy compliance: a norm activation perspective. Decis Support Syst. 2016;92:36–46. doi:10.1016/j.dss.2016.09.009

41. Morrison EW, Robinson SL. When employees feel betrayed: a model of how psychological contract violation develops. Acad Manag Rev. 1997;22(1):226–256. doi:10.2307/259230

42. Lee Y, Kozar KA. An empirical investigation of anti-spyware software adoption: a multitheoretical perspective. Inform Manage. 2008;45(2):109–119. doi:10.1016/j.im.2008.01.002

43. Spector PE, Fox S. An emotion-centered model of voluntary work behavior: some parallels between counterproductive work behavior and organizational citizenship behavior. Hum Resour Manag Rev. 2002;12(2):269–292. doi:10.1016/S1053-4822(02)00049-9

44. Baskerville R, Hee Park E, Kim J. An emote opportunity model of computer abuse. Inform Technol People. 2014;27(2):155–181. doi:10.1108/ITP-11-2011-0068

45. Kim J, Park EH, Baskerville RL. A model of emotion and computer abuse. Inform Manag. 2016;53(1):91–108. doi:10.1016/j.im.2015.09.003

46. Siponen M, Vance A. Neutralization: new insights into the problem of employee information systems security policy violations. MIS Q. 2010;34(3):487–502. doi:10.2307/25750688

47. Watson D, Tellegen A. Toward a consensual structure of mood. Psychol Bull. 1985;98(2):219–235. doi:10.1037/0033-2909.98.2.219

48. Rodell JB, Judge TA. Can “good” stressors spark “bad” behaviors? The mediating role of emotions in links of challenge and hindrance stressors with citizenship and counterproductive behaviors. J Appl Psychol. 2009;94(6):1438–1451. doi:10.1037/a0016752

49. Fuller JA, Stanton JM, Fisher GG, Spitzmüller C, Russell SS, Smith PC. A lengthy look at the daily grind: time series analysis of events, mood, stress, and satisfaction. J Appl Psychol. 2003;88(6):1019–1033. doi:10.1037/0021-9010.88.6.1019

50. Stacey P, Taylor R, Olowosule O, Spanaki K. Emotional reactions and coping responses of employees to a cyber-attack: a case study. Int J Inform Manag. 2021;58:102298. doi:10.1016/j.ijinfomgt.2020.102298

51. Isen AM, Patrick R. The effect of positive feelings on risk taking: when the chips are down. Organ Behav Hum Perform. 1983;31(2):194–202. doi:10.1016/0030-5073(83)90120-4

52. Hermans D, De Houwer J, Eelen P. A time course analysis of the affective priming effect. Cognit Emotion. 2001;15(2):143–165. doi:10.1080/0269993004200033

53. Mendhurwar S, Mishra R. Integration of social and IoT technologies: architectural framework for digital transformation and cyber security challenges. Enterp Inform Syst. 2021;15(4):565–584. doi:10.1080/17517575.2019.1600041

54. Zhen J, Xie ZX, Dong KX. Positive emotions and employees’ protection-motivated behaviours: a moderated mediation model. J Bus Econ Manag. 2020;21(5):1466–1485. doi:10.3846/jbem.2020.13169

55. Robinson MD, Clore GL. Episodic and semantic knowledge in emotional self-report: evidence for two judgment processes. J Pers Soc Psychol. 2002;83(1):198–215. doi:10.1037/0022-3514.83.1.198

56. Greenberg J, Tomlinson EC. Situated experiments in organizations: transplanting the lab to the field. J Manag. 2004;30(5):703–724. doi:10.1016/j.jm.2003.11.001

57. Ayyagari R, Grover V, Purvis R. Technostress: technological antecedents and implications. MIS Q. 2011;35(4):831–858. doi:10.2307/41409963

58. Tyler TR, Blader SL. Can businesses effectively regulate employee conduct? The antecedents of rule following in work settings. Acad Manag J. 2005;48(6):1143–1158. doi:10.5465/AMJ.2005.19573114

59. Watson D, Clark LA, Tellegen A. Development and validation of brief measures of positive and negative affect: the PANAS scales. J Pers Soc Psychol. 1988;54(6):1063–1070. doi:10.1037/0022-3514.54.6.1063

60. Podsakoff PM, MacKenzie SB, Lee JY, Podsakoff NP. Common method biases in behavioral research: a critical review of the literature and recommended remedies. J Appl Psychol. 2003;88(5):879–903. doi:10.1037/0021-9010.88.5.879

61. Preacher KJ, Hayes AF. Asymptotic and resampling strategies for assessing and comparing indirect effects in multiple mediator models. Behav Res Methods. 2008;40(3):879–891. doi:10.3758/BRM.40.3.879

62. Preacher KJ, Hayes AF. SPSS and SAS procedures for estimating indirect effects in simple mediation models. Behav Res Methods Instrum Comput. 2004;36(4):717–731. doi:10.3758/bf03206553

63. Johnson EJ, Tversky A. Affect, generalization, and the perception of risk. J Pers Soc Psychol. 1983;45(1):20–31. doi:10.1037/0022-3514.45.1.20

Creative Commons License © 2022 The Author(s). This work is published and licensed by Dove Medical Press Limited. The full terms of this license are available at https://www.dovepress.com/terms.php and incorporate the Creative Commons Attribution - Non Commercial (unported, v3.0) License. By accessing the work you hereby accept the Terms. Non-commercial uses of the work are permitted without any further permission from Dove Medical Press Limited, provided the work is properly attributed. For permission for commercial use of this work, please see paragraphs 4.2 and 5 of our Terms.

Download Article [PDF]