Share:


Positive emotions and employees’ protection-motivated behaviours: a moderated mediation model

    Jie Zhen Affiliation
    ; Zongxiao Xie Affiliation
    ; Kunxiang Dong Affiliation

Abstract

This study explores the relationship between positive emotions and protection-motivated behaviours by focusing on the mediating role of self-efficacy and the moderating role of information security awareness. Based on a sample of 215 full-time employees from various organizations in China, the results of hierarchical regression and moderated path analysis indicate that positive emotions positively influence protection-motivated behaviours, and self-efficacy partially mediates this relationship. In addition, information security awareness has a positive moderating effect on the relationships between positive emotions and self-efficacy and between self-efficacy and protectionmotivated behaviours. Furthermore, the findings show that information security awareness has a positive moderating effect on the mediating effect of self-efficacy between positive emotions and protection-motivated behaviours. The theoretical and practical implications of these results, as well as directions for future research, are discussed.

Keyword : protection-motivated behaviours, positive emotions, information security awareness, self-efficacy, protection motivation theory, broaden-and-build theory

How to Cite
Zhen, J. ., Xie, Z. ., & Dong, K. . (2020). Positive emotions and employees’ protection-motivated behaviours: a moderated mediation model. Journal of Business Economics and Management, 21(5), 1466-1485. https://doi.org/10.3846/jbem.2020.13169
Published in Issue
Sep 11, 2020
Abstract Views
1680
PDF Downloads
1310
Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

References

Ahlan, A. R., Lubis, M., & Lubis, A. R. (2015). Information security awareness at the knowledge-based institution: Its antecedents and measures. Procedia Computer Science, 72, 361–373. https://doi.org/10.1016/j.procs.2015.12.151

Anderson, C., Baskervill, R. L., & Kaul, M. (2017). Information security control theory: Achieving a sustainable reconciliation between sharing and protecting the privacy of information. Journal of Management Information Systems, 34(3), 1082–1112. https://doi.org/10.1080/07421222.2017.1394063

Bagozzi, R. P., Yi, Y., & Phillips, L. W. (1991). Assessing construct validity in organizational research. Administrative Science Quarterly, 36(3), 421–458. https://doi.org/10.2307/2393203

Beaudry, A., & Pinsonneault, A. (2010). The other side of acceptance: Studying the direct and indirect effects of emotions on information technology use. MIS Quarterly, 34(4), 689–710. https://doi.org/10.2307/25750701

Belanger, F., Collignon, S., Enget, K., & Negangard, E. (2017). Determinants of early conformance with information security policies. Information & Management, 54(7), 887–901. https://doi.org/10.1016/j.im.2017.01.003

Bhattacherjee, A. (2001). Understanding information systems continuance: An expectation-confirmation model. MIS Quarterly, 25(3), 351–370. https://doi.org/10.2307/3250921

Bledow, R., Rosing, K., & Frese, M. (2013). A dynamic perspective on affect and creativity. Academy of Management Journal, 56(2), 432–450. https://doi.org/10.5465/amj.2010.0894

Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective behaviors. MIS Quarterly, 39(4), 837–864. https://doi.org/10.25300/MISQ/2015/39.4.5

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523–548. https://www.jstor.org/stable/25750690

Burns, A. J., Posey, C., Roberts, T. L., & Lowry, P. B. (2017). Examining the relationship of organizational insiders’ psychological capital with information security threat and coping appraisals. Computers in Human Behavior, 68, 190–209. https://doi.org/10.1016/j.chb.2016.11.018

Burns, A. J., Roberts, T. L., Posey, C., & Lowry, P. B. (2019). The adaptive roles of positive and negative emotions in organizational insiders’ engagement in security-based precaution taking. Information Systems Research, 30(4), 1228–1247. https://doi.org/10.1287/isre.2019.0860

Chatterjee, D., & Ravichandran, T. (2013). Governance of interorganizational information systems: A resource dependence perspective. Information Systems Research, 24(2), 261–278. https://doi.org/10.1287/isre.1120.0432

Chen, X., Wu, D., Chen, L., & Teng, J. K. L. (2018). Sanction severity and employees’ information security policy compliance: Investigating mediating, moderating, and control variables. Information & Management, 55(8), 1409–1060. https://doi.org/10.1016/j.im.2018.05.011

Chen, Y., Wang, Y., Nevo, S., Jin, J., Wang, L., & Chow, W. S. (2014). IT capability and organizational performance: the roles of business process agility and environmental factors. European Journal of Information Systems, 23(3), 326–342. https://doi.org/10.1057/ejis.2013.4

Cheng, L., Li, Y., Li, W., & Holm, E. (2013). Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory. Computers & Security, 39, 447–459. https://doi.org/10.1016/j.cose.2013.09.009

Cram, W. A., D’Arcy, J., & Proudfoot, J. (2019). Seeing the forest and the trees: A meta-analysis of the antecedents to information security policy compliance. MIS Quarterly, 43(2), 525–554. https://doi.org/10.25300/MISQ/2019/15117

Cram, W. A., Proudfoot, J. G., & D’Arcy, J. (2017). Organizational information security policies: A review and research framework. European Journal of Information Systems, 26(6), 605–641. https://doi.org/10.1057/s41303-017-0059-9

Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013). Future directions for behavioural information security research. Computers & Security, 32, 90–101. https://doi.org/10.1016/j.cose.2012.09.010

D’Arcy, J., Herath, T., & Shoss, M. K. (2014). Understanding employee response to stressful information security requirement: A coping perspective. Journal of Management Information Systems, 31(2), 285–318. https://doi.org/10.2753/MIS0742-1222310210

D’Arcy, Y. J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79–88. https://doi.org/10.1287/isre.1070.0160

Dinev, T., & Hu, Q. (2007). The centrality of awareness in the formation of user behavioral intention toward protective information technologies. Journal of the Association for Information Systems, 8(7), 386–408. https://aisel.aisnet.org/jais/vol8/iss7/23

Edwards, J. R., & Lambert, L. S. (2007). Methods for integrating moderation and mediation: A general analytical framework using moderated path analysis. Psychological Methods, 12(1), 1–22. https://doi.org/10.1037/1082-989X.12.1.1

Fredrickson, B. L. (2001). The role of positive emotions in positive psychology: The broaden-and-built theory of positive emotions. American Psychologist, 56(3), 218–226. https://doi.org/10.1037/0003-066X.56.3.218

George, J. M., & Zhou, J. (2007). Dual tuning in a supportive context: Joint contributions of positive mood, negative mood, and supervisory behaviors to employee creativity. Academy of Management Journal, 50(3), 605–622. https://doi.org/10.5465/amj.2007.25525934

Gulenko, I. (2014). Improving passwords: Influence of emotions on security behaviour. Information Management & Computer Security, 22(2), 167–178. https://doi.org/10.1108/IMCS-09-2013-0068

Hooge, I. E., Nelissen, R. M., Breugelmans, S. M., & Zeelenberg, M. (2011). What is moral about guilt? Acting “prosaically” at the disadvantage of others. Journal of Personality and Social Psychology, 100(3), 462–473. https://doi.org/10.1037/a0021459

Hwang, I., & Cha, O. (2018). Examining technostress creators and role stress as potential threats to employees’ information security compliance. Computers in Human Behavior, 81, 282–293. https://doi.org/10.1016/j.chb.2017.12.022

Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), 83–95. https://doi.org/10.1016/j.cose.2011.10.007

Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the effects of socialization, influence, and cognition. Information & Management, 51(1), 69–79. https://doi.org/10.1016/j.im.2013.10.001

Izard, C. E. (2002). Translating emotion theory and research into preventive interventions. Psychological Bulletin, 128(5), 796–824. https://doi.org/10.1037/0033-2909.128.5.796

Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: An empirical study. MIS Quarterly, 34(3), 549–566. https://misq.org/catalog/product/view/id/1394

Johnston, A. C., Warkentin, M., & Siponen, M. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanction rhetoric. MIS Quarterly, 39(1), 113–134. https://doi.org/10.25300/MISQ/2015/39.1.06

Johnston, A. C., Warkentin, M., Mcbride, M., & Carter, L. (2016). Dispositional and situational factors: Influences on information security policy violations. European Journal of Information Systems, 25(3), 231–251. https://doi.org/10.1057/ejis.2015.15

Kaplan, S., LaPort, K., & Waller, M. J. (2013). The role of positive affectivity in team effectiveness during crises. Journal of Organizational Behavior, 34(4), 473–491. https://doi.org/10.1002/job.1817

Karjalainen, M., Sarker, S., & Siponen, M. (2019). Toward a theory of information systems security behaviors of organizational employees: A dialectical process perspective. Information Systems Research, 30(2), 687–704. https://doi.org/10.1287/isre.2018.0827

Khan, B., Alghathbar, K. S., Nabi, S. I., & Khan, K. (2011). Effectiveness of information security awareness methods based on psychological theories. African Journal of Business Management, 5(5), 10862–10868. https://doi.org/10.5897/ajbm11.067

Khan, H. U., & AlShare, K. A. (2019). Violators versus non-violators of information security measures in organizations – A study of distinguishing factors. Journal of Organizational Computing and Electronic Commerce, 29(1), 4–23. https://doi.org/10.1080/10919392.2019.1552743

Larose, R., Rifon, N. J., & Enbody, R. (2008). Promoting personal responsibility for internet safety. Communications of the ACM, 51(3), 71–76. https://doi.org/10.1145/1325555.1325569

Lazarus, R. S. (1991). Progress on a cognitive-motivational-relational theory of emotion. American Psychologist, 46(8), 819–834. https://doi.org/10.1037/0003-066X.46.8.819

Lee, C., Lee, C. G., & Kim, S. (2016). Understanding information security stress: Focusing on the type of information security compliance activity. Computers & Security, 59, 60–70. https://doi.org/10.1016/j.cose.2016.02.004

Moody, G. D., Siponen, M., & Pahnila, S. (2018). Toward a unified model of information security policy compliance. MIS Quarterly, 42(1), 285–311. https://doi.org/10.25300/MISQ/2018/13853

Niemimaa, E., & Niemimaa, M. (2017). Information systems security policy implementation in practice: From best practices to situated practices. European Journal of Information Systems, 26(1), 1–20. https://doi.org/10.1057/s41303-016-0025-y

Parsons, K., McCormac, A., Butavicious, M., Pattinson, M., & Jerram, C. (2014). Determining employee awareness using the human aspects of information security questionnaire. Computers & Security, 42, 165–176. https://doi.org/10.1016/j.cose.2013.12.003

Pham, N. T., Tuckova, Z., & Pham, Q. P. T. (2019). Greening human resource management and employee commitment towards the environment: An interaction model. Journal of Business Economics and Management, 20(3), 446–465. https://doi.org/10.3846/jbem.2019.9659

Posey, C., Roberts, T. L., & Lowry, P. B. (2015). The impact of organizational commitment on insiders’ motivation to protect organizational information assets. Journal of Management Information Systems, 32(4), 179–214. https://doi.org/10.1080/07421222.2015.1138374

Posey, C., Roberts, T. L., Lowry, P. B., & Bennett, R. (2013). Insiders’ protection of organization of organizational information assets: Developing of a systematic-based taxonomy and theory of diversity for protection-motivated behaviors. MIS Quarterly, 37(4), 1189–1210. https://doi.org/10.25300/MISQ/2013/37.4.09

Posey, C., Roberts, T. L., Lowry, P. B., & Hightower, R. T. (2014). Bridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organization insiders. Information & Management, 51(5), 551–567. https://doi.org/10.1016/j.im.2014.03.009

Puhakainen, P., & Siponen, M. (2010). Improving employees’ compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 757–778. https://doi.org/10.2307/25750704

Rai, A., & Tang, X. (2010). Leveraging IT capabilities and competitive process capabilities for the management of interorganizational relationship portfolios. Information Systems Research, 21(3), 516–542. https://doi.org/10.1287/isre.1100.0299

Rezgui, Y., & Marks, A. (2008). Information security awareness in higher education: An exploratory study. Computers & Security, 27(7–8), 241–253. https://doi.org/10.1016/j.cose.2008.07.008

Shaw, R. S., Chen, C. C., Harris, A. L., & Huang, H. (2009). The impact of information richness on information security awareness training effectiveness. Computers & Education, 52(1), 92–100. https://doi.org/10.1016/j.compedu.2008.06.011

Shih, T., & Yang, C. (2019). Generating intangible resources and international performance: Insights into enterprises organizational behaviour and capability at trade shows. Journal of Business Economics and Management, 20(6), 1022–1044. https://doi.org/10.3846/jbem.2019.10513

Siponen, M., & Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), 487–502. https://doi.org/10.2307/25750688

Siponen, M., Adam, M. A., & Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217–224. https://doi.org/10.1016/j.im.2013.08.006

Smith, S., Winchester, D., Bunker, D., & Jamieson, R. (2010). Circuits of power: A study of mandated compliance to an information systems security de jure standard in a government organization. MIS Quarterly, 34(3), 463–486. https://doi.org/10.2307/25750687

Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2013). Managing the introduction of information security awareness programs in organizations. European Journal of Information Systems, 24(1), 38–58. https://doi.org/10.1057/ejis.2013.27

Vance, A., Siponen, M., & Pahnila, M. (2012). Motivating IS security compliance: Insights from habit and protection motivation theory. Information & Management, 49(3–4), 190–198. https://doi.org/10.1016/j.im.2012.04.002

Willson, R., & Warkentin, M. (2013). Beyond deterrence: An expanded view of employee computer abuse. MIS Quarterly, 37(1), 1–20. https://doi.org/10.25300/MISQ/2013/37.1.01