Understanding Employee Responses to Stressful Information Security Requirements: A Coping Perspective

We use coping theory to explore an underlying relationship between employee stress caused by burdensome, complex, and ambiguous information security requirements (termed security-related stress or SRS) and deliberate information security policy (ISP) violations. Results from a survey of 539 employee users suggest that SRS engenders an emotion-focused coping response in the form of moral disengagement from ISP violations, which in turn increases one's susceptibility to this behavior. Our multidimensional view of SRS-comprised of security-related overload, complexity, and uncertainty-offers a new perspective on the workplace environment factors that foster noncompliant user behavior and inspire cognitive rationalizations of such behavior. The study extends technostress research to the information systems security domain and provides a theoretical framework for the influence of SRS on user behavior. For practitioners, the results highlight the incidence of SRS in organizations and suggest potential mechanisms to counter the stressful effects of information security requirements.