Next Article in Journal
FIRN: A Novel Fish Individual Recognition Method with Accurate Detection and Attention Mechanism
Previous Article in Journal
Brain Tumor Classification and Detection Using Hybrid Deep Tumor Network
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Electronics
Volume 11
Issue 21
10.3390/electronics11213458
electronics-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles thumb_up
...
Endorse textsms
...
Comment
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Factors Influencing Employees’ Information Security Awareness in the Telework Environment

by
Jie Zhen
1,*,
Kunxiang Dong
2,*,
Zongxiao Xie
3 and
Lin Chen
4
1
School of Management Science and Engineering, Chongqing Technology and Business University, Chongqing 400067, China
2
School of Management Science and Engineering, Shandong University of Finance and Economics, Jinan 250014, China
3
China Financial Certification Authority, Beijing 100054, China
4
College of Humanity and Law, Shandong University of Science and Technology, Qingdao 266590, China
*
Authors to whom correspondence should be addressed.
Electronics 2022, 11(21), 3458; https://doi.org/10.3390/electronics11213458
Submission received: 21 September 2022 / Revised: 24 October 2022 / Accepted: 24 October 2022 / Published: 25 October 2022
(This article belongs to the Section Computer Science & Engineering)
Browse Figure
Versions Notes

Abstract

:
This study aims to identify and examine factors influencing employees’ information security awareness (ISA) in the telework environment. Specifically, the authors identify and examine the influence factors rooted in the knowledge-attitude-behavior (KAB) model (i.e., knowledge, attitude, and behavior) and knowledge inertia theory (i.e., experience and learning inertia). This study uses online survey data from 305 employees who have telework experience. We apply the structural equation modeling technique to assess the proposed research model. This research is among the pioneering studies that identify and examine the factors influencing employees’ ISA in the telework environment. Our study is also one of the first to investigate antecedents to employees’ ISA rooted in the KAB model and knowledge inertia theory in a telework environment. Results show that employees’ ISA in the telework environment is significantly influenced by their knowledge, behavior toward following security guidelines, and learning inertia, whereas attitude and experience inertia have no significant effect on employees’ ISA.

1. Introduction

With the extensive application of online meetings, instant messaging, and document collaboration in organizations, remote work (also known as telework) could become more productive. The number of teleworkers is drastically increasing across various industries [1], especially during the COVID-19 pandemic [2,3]. Telework is a work style in which employees remotely undertake their tasks without commuting to their organization’s office [4]. Empirical studies on information security have indicated that employees’ misbehaviors are often perceived as the direct and/or indirect cause of the majority of organizational information security incidents including both intentional and unintentional [5,6,7,8]. Thus, organizations create information security policies (ISPs) to provide employees with guidelines on ensuring information security in their jobs [9]. Telework inevitably increases information security risks because of out-of-sight and distributed controls of the organization [10]. For example, employees who choose to work from home cannot ensure that the home environment is equipped to adhere to basic security requirements. Furthermore, some organizations do not develop a telework security policy that defines teleworkers’ standards, boundaries, and responsibilities to prevent and respond to security incidents. These situations could put organizations at an increased risk from network security threats. Therefore, understanding what factors motivate teleworkers to plan their security behaviors deliberately and being aware of the security risks are central to help information security managers solve behavioral issues in information security management.
In the information security literature, prior studies have suggested that organizations capable of effectively improving their employees’ information security awareness (ISA) have successfully reduced security risks led by employees’ improper behaviors [11,12,13,14]. An increasing number of organizations invest heavily in information security training programs to foster and improve their employees’ ISA [8]. Compared with office work, ISA plays a more critical role in shaping employees’ information security behaviors in a telework environment for three reasons. First, the ISPs of some organizations do not or vaguely describe how to ensure information security in a telework environment, which increases the possibility of risks caused by teleworkers’ improper behaviors. Second, some employees’ information security knowledge is relatively deficient, resulting in their lack of ability to identify the security risks associated with telework. Third, home-based telework may bring some unique security risks to the organization. For example, important customer data may be intercepted during transmission between the organization and the teleworker’s smart device. However, not much work has been performed in exploring the factors facilitating ISA in the telework environment. Therefore, handling telework security risks by improving employees’ ISA is a thorny issue for many organizations during the COVID-19 pandemic.
Recent empirical studies have identified and examined some factors that influence employees’ ISA in the traditional workplace. For example, individual difference variables, such as age, gender, education, personality, risk-taking propensity, learning style, and habits of internet usage are associated with employees’ ISA [15,16,17]. Furthermore, organizational variables, such as leadership, organizational trust, organizational culture, management participation, and ISA programs have remarkable effects on employees’ ISA [12,18,19]. These studies have confirmed that these individual and organizational factors influence employees’ ISA in organizational ISP scenarios (i.e., employees undertake their work tasks in an office environment). Past research has explored some individual and organizational factors that influence employees’ ISA in the office. However, limited research has examined factors that may affect employees’ ISA in a telework environment, a different way of working.
Following the analysis above, this study aims to explore the factors related to employees’ ISA in the telework environment based on the knowledge-attitude-behavior (KAB) model and knowledge inertia theory. This line of enquiry fills critical gaps in the literature. First, the KAB model is usually used to explore whether these three factors are related to individuals’ information security beliefs in recent years [16]. Compared with other theories, such as the theory of planned behavior (TPB), the KAB model factors are directly related to what employees think, know, or do about information security issues [20,21]. Additionally, TPB is often used to study the effects of three kinds of beliefs (including behavioral beliefs, normative beliefs, and control beliefs) on human behaviors rather than on the ISA [11]. Therefore, we argue that the KAB model provides a more solid theoretical framework than TPB for examining the variables affecting employees’ ISA in a telework context. However, whether these factors influence employees’ ISA in the telework environment remains under-researched. Thus, verification of the KAB model as applied in this way is still necessary. Second, models that consider individual inertia factors to better understand employees’ ISA in a paradigm swing must be developed and tested from the normal way of working to teleworking. The reason is that switching from the traditional way of working to teleworking influences employees’ technical and social knowledge [22]. Therefore, drawing on the KAB model and knowledge inertia theory, this study postulates that an employee’s ISA is influenced by knowledge, attitude, behavior, experience, and learning inertia. The influence factor “behavior” in the current study refers to the expected employees’ behaviors described in the telework security guidelines by the organization.
The structure of this paper is as follows. The next section reviews the relevant literature and theoretical background. Section 3 presents the research model and hypotheses. Section 4 introduces the methodology. Section 5 presents the findings. Section 6 demonstrates the critical discussion and conclusions for the implications, limitations, and future research directions.

2. Theoretical Background

The logic for our theoretical model is influenced by the paradigm swing from the usual way of work to telework. The overall rationale for the model is that the improvement of ISA needs the support of employees’ perceptions from the aspects of knowledge, attitude, and behaviors. When facing information security issues, employees generally resort to prior knowledge and experience for solutions. Thus, our study aims to explore the factors influencing employees’ ISA in the telework environment rooted in the KAB model and knowledge inertia theory. A lack of a clear conceptual definition can harm constructs’ original meanings and increase the risk of different interpretations [23]. Thus, we describe the elements of our theoretical model in the following section.

2.1. Information Security Awareness (ISA)

Information security researchers have defined ISA from different perspectives. For example, ISA can be defined as the extent to which employees understand the significance of their organizations’ information security policies, rules, and guidelines, and the extent to which they behave following these policies, rules, and guidelines [14,24]. In addition, ISA refers to the focus of employees’ intentions in security to recognize security concerns and respond appropriately [8].
Our interest lies in examining employees’ ISA in a telework environment. Considering that many organizations’ ISPs do not thoroughly describe telework requirements at this stage, this study combines these two definitions and defines ISA as employees’ attention on security, seeking to understand the importance of information security to recognize security concerns and respond appropriately in the telework environment.

2.2. KAB Model

The KAB model includes three basic components, i.e., knowledge, attitude, and behavior. It has been widely applied to studies on information security to explain employees’ ISA change [14,25,26]. In the KAB model, knowledge focuses on what an employee knows, attitude focuses on what an employee thinks, and behavior is about what an employee does [20,26,27]. Prior empirical studies have indicated that the KAB model helps predict employees’ perceptions of information security.
In the context of information security management, knowledge reflects employees’ cognition of information security, attitude reflects how employees view information security, and behavior reflects the actions employees should take when facing information security risks. Considering that many employees have not experimented with teleworking before, taking into account the instructions concerning the potential information security challenges of teleworking is necessary. Based on this description, we argue that attitude, knowledge, and behavior influence employees’ ISA in the telework environment.

2.3. Knowledge Inertia

The term inertia comes from physics, which means objects continue in a state of reset or uniform motion unless interrupted by outside forces [28]. In recent years, inertia is often used to describe to individuals how to tackle their work tasks or issues in a hyperdynamic environment [29,30]. The phenomenon of inertia in individual cognition, namely, knowledge inertia, refers to the systematic problem-solving strategy using past knowledge and experience until the situation is no longer feasible [28]. Furthermore, employees must actively acquire new knowledge and methods to solve their work problems, breaking the inertia [31].
Although previous studies have distinguished different forms of inertia within the knowledge inertia [29,31], our analysis of knowledge inertia focuses on the working environment change from workplace to telework. We thus divide knowledge inertia into experience and learning inertia, according to Xie et al. [31], given the dynamic environment. Specifically, experience inertia refers to resorting to prior experience and knowledge when facing situations in telework. In contrast, learning inertia refers to acquiring new knowledge and methods to solve telework problems and thus breaking the inertia of thinking in terms of working in the office.

3. Research Model and Hypothesis Development

Building on the theoretical background literature discussed above, we propose our research model and hypotheses, as shown in Figure 1. The research model illustrates the relationship between knowledge, attitude, behavior, experience inertia, learning inertia, and employees’ ISA. Furthermore, this model presents gender, age, and education as control variables. In the following sections, we detail the relationships among different factors and ISA.

3.1. KAB Model and ISA

As mentioned above, knowledge reflects an employee’s cognition toward information security. It interacts with the organization’s systems and conducts relevant procedures and daily work tasks [14]. Prior studies have shown that information security knowledge profoundly impacts employees’ behavioral intentions and decisions, which are very important for reducing information security risks [32,33,34]. With their employees unexpectedly performing tasks outside of the workplace, many organizations feel overwhelmed with telework security. In such a case, an overlooked training or education program about information security may lead to a lack of knowledge among employees [17,35], resulting in their poor judgment and handling risks associated with telework. Organizations could establish formal and informal communication channels to provide support to improve employees’ knowledge of telework security. Once employees have information security knowledge, they will be equipped with ISA and thus meet the security needs for work and can identify the potential risks on the device they use to telework. Thus, we hypothesize the following:
H1. 
Knowledge is positively associated with employees’ ISA.
Within the information security field, attitude reflects what an employee thinks about the organization’s information security management [26,36]. Employees’ wrong attitude toward information security leads to their incorrect perception of information security risks [37]. Conversely, once employees understand the consequences of information security risks, their attitude toward information security changes [38]. In such a situation, employees promote a security-conscious attitude and remain alert when faced with information security risks. This feature has been demonstrated using an analysis of Internet-of-things usage behaviors and security awareness in users [39]. In the context of this study, employees who hold a positive attitude toward telework security are likely to embody a high level of ISA. Thus, the following hypothesis is proposed:
H2. 
Attitude is positively associated with employees’ ISA.
In this study, behavior refers to what an employee should do according to the organization’s information security guidelines concerning telework. Prior studies on IS have indicated that rules and guidelines for the appropriate use of information security resources within the organization are crucial in cultivating employees’ ISA [8,40]. Several organizations developed comprehensive training workshops to arm their employees with the skills and tips during telework, including information security precautions. Many employees have been trained on handling information risks, thereby raising their awareness of the consequences of their inappropriate actions. For example, employees informed to perform a particular secure practice (e.g., password protection) may become aware of their security role in protecting the organization’s other information resources [15,41,42]. Similarly, improving employees’ ISA by clearly informing employees of the secure usage behavior of devices and systems is beneficial in the telework scenario. Thus, the following hypothesis is proposed:
H3. 
Behavior toward following guidelines is positively associated with employees’ ISA.

3.2. Knowledge Inertia and ISA

Knowledge inertia includes experience and learning inertia [31]. On the one hand, employees’ experience inertia relies on their existing knowledge structure, experience, and sources, which help them identify and handle telework security risks. For example, the organization has rules or policies concerning personal smart devices for work in the office space. These rules or guidelines are applicable in the use of employees’ own devices to work remotely. Therefore, employees with strong experience inertia refrain from breaking any rules and think twice before committing any unauthorized work behaviors in a telework environment. On the other hand, employees’ learning inertia depends on exploring and acquiring new ideas, knowledge, and methods to solve problems they meet in a telework setting. Thus, employees with strong learning inertia tend to seek new knowledge and methods to improve their telework skills and capability. Overall, employees with considerable experience and learning inertia can seek sources of knowledge and attempt to seek ways of maintaining their telework security. Hence, the study presents the following hypotheses:
H4. 
Experience inertia is positively associated with employees’ ISA.
H5. 
Learning inertia is positively associated with employees’ ISA.

4. Research Methodology

4.1. Sample and Data Collection

Data used to test the research model were collected through an online survey method. Given our focus on the impact of factors on employees’ ISA in a telework environment, ensuring that these participants have experience working remotely is important. Therefore, this study’s survey was conducted with support from a certification authority offering IT-related services in Beijing, China. We distributed online questionnaires to employees who worked from home during the COVID-19 pandemic. The participants are full-time employees from various organizations in China. Temporary workers and retirees are not considered in the sample by setting a filter question to ensure that selected respondents had sufficient experience in telework. Participation in the survey was voluntary and anonymous, and no bonus incentive was provided for participants.
The respondents filled out the questionnaire based on their home-based telework experience. From an initial sampling of 420 employees, 373 responses were received. We excluded 68 responses due to missing values. Finally, 305 valid responses were collected with a reasonable response rate of 72.6%. A possible nonresponse bias was needed to be addressed. We compared the first 25% and the last 25% of respondents’ data using a chi-squared test of the critical measurement items. No significant differences were found between the two groups. Thus, we concluded that nonresponse bias was not an issue in this study. Table 1 presents the demographic characteristics.

4.2. Measurement Items

The measurement items for the variables were adapted from prior studies and some terms were fine-tuned to suit the research context of telework. We increased content validity and assessed the clarity of the questions by verifying the measurement items using a two-step procedure. First, we invited four academic domain experts in information security management to assess the content validity of the items. After refining the items according to their suggestions, we distributed the questionnaire to three managers familiar with information security to further validate the items. All measures used a five-point Likert-type scale (1= strongly disagree, 3 = neutral, and 5 = strongly agree).
Knowledge was measured using the three-item scale adapted from Kaur and Mustafa [26]. Attitude was measured using the three-item scale adapted from Ahlan et al. [21]. A three-item scale for behavior was adapted from both Ahlan et al. [21] and Kaur and Mustafa [26]. Knowledge inertia was divided into two dimensions, namely, experience and learning inertia. Experience and learning inertia were measured using three indicators drawing on the findings of Xie et al. [31]. Employees’ ISA was measured using the four-item scale adapted from Bulgurcu et al. [24] and Sillic [29]. Finally, gender, age, and education were identified as control variables. Appendix A provides the measurement items for each construct.

5. Data Analysis and Results

In this study, we analyzed the research model and tested the hypotheses by using the partial least squares (PLS) technique for three reasons. First, the PLS method can specify and test path models with latent constructs. Second, the PLS method can be used to address a small sample size [43]. Finally, this study employed the PLS method because it is suitable for predictive applications and theory building [44,45]. In particular, we used SmartPLS version 2.0 for model validation and analyses.

5.1. Measurement Model

We tested the quality of the measurement model for reliability, convergent validity, and discriminant validity [46]. Table 2 shows that Cronbach’s alpha values for all constructs were higher than the general criteria of 0.7, indicating that the items are reliable measures for their perspective constructs. That is, the instruments have good internal consistency reliability. All factor loadings are above 0.8, suggesting positive individual item reliability. These values indicated positive reliability for all constructs.
Furthermore, confirmatory factor analysis was used to evaluate convergent and discriminant validity. Table 2 shows that the composite reliability (CR) for all constructs exceeded 0.8, which was more than the recommended score of 0.7. The average variance extracted (AVE) for all constructs are above 0.5, indicating high reliability and adequate convergent validity. As shown in Table 3, the correlation between the construct and other constructs is lower than the square root of AVE for each construct, suggesting good discriminant validity of the measurement model. Based on these results, our measurement model has sound reliability and validity.

5.2. Common Method Variance (CMV)

This study used a single questionnaire survey to collect data for all latent constructs at one point in time, which may lead to CMV. This study took two steps to detect the CMV problem. First, we used Harman’s one-factor test to conduct an exploratory factor analysis. The results indicated that the first factor only accounted for 45.036% of the total variance. Second, following Podsakoff et al. [47] and Liang et al. [48], we assessed CMV in PLS. Table 4 shows the result, which indicates that the proportion of variance in each observed indicator explained by its focal construct exceeded the variance explained by the method factor. Furthermore, the average substantively explained variance of the indicators was 51.2% versus 2.4% for the method constructs, suggesting that CMV was not a major concern in this study.

5.3. Correlations and Multicollinearity

Table 2 indicates that the correlation values of the five inner constructs are above 0.6. Thus, we needed to compute the variance inflation factor (VIF) to eliminate any potential threat of multicollinearity. The results revealed that the highest VIF score was 4.57 (see Table 5), below 5.0 [49]. Therefore, multicollinearity was not a major concern in this study.

5.4. Hypothesis Testing

After confirming that all the measurement items have positive reliability, convergent validity, and discriminant validity, we tested the hypotheses in the research model using structural equation modeling with SmartPLS version 2.0. The results indicated that the model could explain 79.6% of the variance of employees’ ISA. Table 6 summarizes the results of the hypothesis tests.
The results indicated the following findings. Knowledge was positively related to ISA, thus supporting H1 (β = 0.184, p < 0.01). Attitude has no significant effect on employees’ ISA, thus rejecting H2 (β = 0.038, p > 0.05). Behavior was positively related to ISA, thus supporting H3 (β = 0.264, p < 0.05).
The results also indicated that experience inertia has no significant effect on employees’ ISA, rejecting H4 (β = 0.070, p > 0.05), and that learning inertia was positively related to employees’ ISA, supporting H5 (β = 0.416, p < 0.001).
Three control variables exist in the research model: gender, age, and education. Considering that the number of control variables exceeded one, we conducted three tests following Liang et al. [48]. Specifically, each test only involved one control variable as an independent variable. When three control variables were included in the research model for testing, the results showed that the coefficients of the three control variables were insignificant (t values were 0.461, 0.996, and 1.235). Therefore, three control variables had no statistically significant effect on employees’ ISA.

6. Discussion and Implications

Drawing on factors from the KAB model and knowledge inertia theory, this study investigates the impact of knowledge, attitude, behavior, experience inertia, and learning inertia on employees’ ISA in the telework environment. We tested the research model with the data of 305 full-time teleworkers from various organizations in China. The key findings of this study are threefold. First, knowledge, behavior, and learning inertia positively influence employees’ ISA in the telework environment. The findings revealed that employees’ ISA in the telework environment can be predicted by their telework security knowledge, behavior, and learning inertia. The inclusion of two domain factors (i.e., knowledge and behavior) in the KAB model were supported. The findings also indicated that learning inertia is a factor influencing employees’ ISA, emphasizing the significance of learning new telework knowledge and procedures. Second, attitude and experience inertia have no significant impact on employees’ ISA in the telework environment. These results did not match our theoretical expectations, which may be related to the probability that the influence of attitude and experience inertia could not be evident in the short term telework during the COVID-19 pandemic. Another possible explanation is that employees in the early stages of telework, employees were not fully informed about telework security. Third, learning inertia plays the most crucial role in motivating employees’ ISA in the telework environment. This is in line with the notion that employees with greater learning inertia can seek new ways to solve problems in a new environment [31]. These findings offer insight into the factors facilitating employees’ ISA in the telework environment. They also answer the call of Ogutcu et al. [15], Tsohou et al. [50], and Van de Schyff and Flowerday [51] to apply various theories and constructs in the IS research to explore factors influencing employees’ ISA in different contexts.

6.1. Theoretical Implications

Our study makes important contributions to the emerging body of knowledge about information security’s behavioral and organizational issues, including employees’ ISA, the KAB model, and knowledge inertia. First, the extant literature has investigated factors rooted in individual differences and organizational management to explain employees’ ISA in the usual way of work. To the best of our knowledge, the present study is one of the first to examine factors that influence employees’ ISA in a telework environment. The results offer a theoretical explanation and empirical support for the positive impact of knowledge, behavior, and knowledge inertia on employees’ ISA in the telework environment. Our results provide an opportunity for information security studies to develop information security training for other flexible ways of work, such as telework.
Second, although the KAB model has been extensively applied in the prior information security literature, the role of knowledge in prompting employees’ ISA has been neglected. Ahlan et al. [21] provided some preliminary empirical evidence that knowledge can significantly prompt ISA. However, few studies have explored whether knowledge influences employees’ ISA in a telework environment. The nature of some occupations makes performing away from the standard worksite possible. Thus, exploring the impact of knowledge on employees’ ISA in the telework environment is necessary. In this study, the empirical results reveal the positive relationship between knowledge and ISA in the telework environment. This finding confirms the vital role of knowledge in improving employees’ ISA in a telework environment, which extends the application of the KAB model to a telework environment.
Third, our study contributes to the knowledge inertia literature. Today’s hyper-competitive environment drives employees to pursue constant training on new IT knowledge, such as cloud computing and big data. However, few studies have explored individual learning inertia in the information security literature [29]. By applying the knowledge inertia framework of Xie et al. [31], we proved that learning inertia is positively associated with employees’ ISA. This finding highlights the critical role of learning inertia in shaping employees’ awareness and behaviors, extending the IS literature from knowledge inertia. Thus, lengthening the organizational learning literature by establishing connections between employees’ ISA with learning factors from knowledge inertia theory is possible.

6.2. Practical Implications

This study also has some significant practical implications for organizations to handle telework security risks. Our study shows that knowledge is an important antecedent to employee’s ISA. Organizations may need to establish formal and informal communication channels for teleworkers to help them increase knowledge on information security or answer their questions during their telework. For example, suppose employees see unusual activity on the device they use in teleworking. They will know how to handle this problem and report it to the security operations center. Furthermore, organizations previously familiar with telecommuting and those that have not tried it before need to update their existing policies with practical recommendations.
Our study also confirms the positive role of behavior toward following the organization’s telework security guidelines in improving employees’ ISA. For organizations with a high demand for information security, required employee information security behaviors in different positions should be described thoroughly in telework. Furthermore, organizations must emphasize the importance of complying with rules or policies regarding telework. For example, employees should be informed how to access and secure important customer data using their own devices. Therefore, we suggest that organizations design appropriate security education, training, and awareness (SETA) programs to improve employees’ ISA in the telework environment.
An interesting finding of this study is that learning inertia is positively associated with ISA, whereas experience inertia has no significant effect on ISA. This finding implies that employees’ previous experience with information security inside the office space does not work in a telework environment. To enhance the impact of learning inertia, organizations may need to help their employees acquire new knowledge, methods, and skills around handling telework security risks. Furthermore, organizations must encourage employees to establish a dynamic learning mechanism to expand their knowledge sources and scope relevant to telework. Therefore, we believe that information security managers need to reassess old working habits and learn new skills to manage the situation better and prevent information security threats in the telework environment.

6.3. Limitations and Future Research Directions

Similar to most other empirical studies, this study suffers from a few limitations that offer opportunities for future research. First is the narrow set of constructs used to explain employees’ ISA. Our adherence to the KAB model and knowledge inertia theory as the theoretical lens restricted the choice of constructs. Many other predictors exist as opportunities for future research with various theoretical perspectives. For example, whether the positive or negative emotions experienced by employees working remotely affect their ISA. Therefore, future studies can address this limitation using various theories. Second, the sample population for our data originated from various organizations in China. Thus, a cross-culture study could be conducted to investigate the research model further. For example, employees from a culture that emphasizes individualism may opt to place personal interests first, whereas the opposite is true for employees with a collectivist mindset [45]. Therefore, future studies can address this limitation by collecting data from different cultural backgrounds. Third, the control variables in this study (i.e., gender, age, and education) are crucial and may interact with other factors to influence employees’ ISA in the telework environment. Future research could study the control variables in-depth such as the industry type of the sample, which may provide further implications. Finally, the items we used to measure the influence factor of “behavior” are those specified in the organization’s telework security guidelines, not actual employee behavior. While the factorial survey design enables us to overcome some of the weaknesses of survey-based research, future studies should examine employees’ actual telework security behaviors. Additionally, future research may reduce the time required to complete the questionnaire. By doing this, we may exclude non-serious responses, which could change the results.

7. Conclusions

The question of how to effectively improve employees’ ISA has received increasing attention from academics and practitioners in recent years. This study provides knowledge about factors that influence employees’ ISA in the telework environment. On the basis of the KAB model and knowledge inertia theory, we developed and empirically tested a theoretical model that linked knowledge, attitude, behavior, experience inertia, learning inertia, and ISA. Using the PLS method with data collected from 305 employees from various organizations in China; knowledge and behavior were found to be positively associated with ISA, whereas attitude had no significant effect on ISA in the telework environment. Furthermore, learning inertia is positively associated with ISA, whereas experience inertia has no considerable impact on ISA in the telework environment. These findings add cumulative knowledge to the research in the field of individuals’ ISA and telework security. They also provide organizations with practical implications for improving information security management by implementing information security awareness programs for their teleworkers.

Author Contributions

Conceptualization, J.Z. and K.D.; methodology, Z.X.; formal analysis, Z.X. and L.C.; investigation, J.Z. and Z.X.; data curation, J.Z. and L.C.; writing—original draft preparation, J.Z.; writing—review and editing, K.D.; visualization, J.Z.; supervision, Z.X.; project administration, J.Z.; funding acquisition, J.Z., K.D. and L.C. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by National Natural Science Foundation of China, grant number 72102025, National Social Science Fund of China, grant number 21CGL017, Natural Science Foundation of Chongqing of China, grant number cstc2020jcyjmsxmX0820, Natural Science Foundation of Shandong Province of China, grant number ZR2020MG024, Shandong Social Science Planning Fund Program, grant number 21DGLJ08, Project of Humanities and Social Science Research of Chongqing Municipal Education Commission of China, grant number 21SKGH123.

Data Availability Statement

Not applicable.

Acknowledgments

The authors would like to thank the four anonymous referees for their comments and suggestions.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

Table
Table A1. Measurement items.
Table A1. Measurement items.
ConstructItems
KnowledgeI know the information security risks associated with telework.
I have the necessary knowledge to handle information security in my working situation.
Internet access on the organization’s system is a corporate resource and should be used for business purposes only.
AttitudeIn my view, using a strong password to protect the device is wise.
The thought of using an antivirus program is appealing to me.
Using the Firewall system at telework is a good idea.
BehaviorBefore reading an email, it is necessary first check if the subject and the sender make sense.
It is necessary to pay attention to anti-virus updates before using a personal computer to work.
Sharing your password for the organization’s systems is not allowed.
Experience inertiaI will use past knowledge and experience to solve new problems.
I rely heavily on past knowledge or experience in my work.
I often learn from past experience.
Learning inertiaI generally resort to the same source for new knowledge.
My organization offers me opportunities to learn new concepts and methods.
I am scared of new knowledge and ideas that I do not understand.
Information security awarenessOverall, I am aware of the potential security threats and their negative consequences.
I have sufficient knowledge about the cost of potential security problems.
I understand the concerns regarding information security and the risks they pose in general.
I know my responsibilities as detailed in the rules/policies/guidelines to enhance the telework security of my organization.

References

  1. Dima, A.M.; Țuclea, C.E.; Vrânceanu, D.M.; Țigu, G. Sustainable social and individual implications of telework: A new insight into the Romanian labor market. Sustainability 2019, 11, 3506. [Google Scholar] [CrossRef] [Green Version]
  2. Piroșcă, G.I.; Șerban-Oprescu, G.L.; Badea, L.; Stanef-Puică, M.; Valdebenito, C.R. Digitalization and labor market-A perspective within the framework of pandemic crisis. J. Theor. Appl. Electron. Commer. Res. 2021, 16, 2843–2857. [Google Scholar] [CrossRef]
  3. Karacsony, P.; Krupánszki, K.; Antalík, I. Analysis of the Impact of the COVID-19 Crisis on the Hungarian Employees. Sustainability 2022, 14, 1990. [Google Scholar] [CrossRef]
  4. Gohoungodji, P.; N’Dri, A.B.; Matos, A.L.B. What makes telework work? Evidence of success factors across two decades of empirical research: A systematic and critical review. Int. J. Hum. Resour. Man 2022, in press. [Google Scholar] [CrossRef]
  5. Cram, W.A.; Proudfoot, J.G.; D’Arcy, J. Organizational information security policies: A review and research framework. Eur. J. Inf. Syst. 2017, 26, 605–641. [Google Scholar] [CrossRef]
  6. Li, Y.; Zhang, N.; Siponen, M. Keeping secure to the end: A long-term perspective to understand employees’ consequence-delayed information security violation. Behav. Inform. Technol. 2019, 38, 435–453. [Google Scholar] [CrossRef]
  7. Paliszkiewicz, J. Information security policy compliance: Leadership and trust. J. Comput. Inform. Syst. 2019, 59, 211–217. [Google Scholar] [CrossRef]
  8. Hwang, I.; Wakefield, R.; Kim, S.; Kim, T. Security awareness: The first step in information security compliance behavior. J. Comput. Inform. Syst. 2021, 61, 345–356. [Google Scholar] [CrossRef]
  9. Zhen, J.; Xie, Z.; Dong, K. Impact of IT governance mechanisms on organizational agility and the role of top management support and IT ambidexterity. Int. J. Account. Inf. Syst. 2021, 40, 100501. [Google Scholar] [CrossRef]
  10. Ansong, E.; Boateng, R. Organizational adoption of telecommuting: Evidence from a developing country. Electr. J. Inf. Sys. Dev. 2018, 84, 1–15. [Google Scholar]
  11. Chen, X.; Chen, L.; Wu, D. Factors that influence employees’ security policy compliance: An awareness-motivation-capability perspective. J. Comput. Inform. Syst. 2018, 58, 1–13. [Google Scholar] [CrossRef]
  12. Bauer, S.; Bernroider, E.W.N.; Chudzikowski, K. Prevention is better than cure! Designing information security awareness programs to overcome users’ non-compliance with information security policies in banks. Comput. Secur. 2017, 68, 145–159. [Google Scholar] [CrossRef] [Green Version]
  13. Ki-Aries, D.; Faily, S. Persona-centered information security awareness. Comput. Secur. 2017, 70, 663–674. [Google Scholar] [CrossRef]
  14. Wiley, A.; McCormac, A.; Calic, D. More than the individual: Examining the relationship between culture and information security awareness. Comput. Secur. 2020, 88, 1–8. [Google Scholar] [CrossRef]
  15. Ogutcu, G.; Testik, O.M.; Chouseinoglou, O. Analysis of personal information security behavior and awareness. Comput. Secur. 2016, 56, 83–93. [Google Scholar] [CrossRef]
  16. McCormac, A.; Zwaans, T.; Parsons, K.; Calic, D.; Butavicius, M.; Pattinson, M. Individual differences and information security awareness. Comput. Hum. Behav. 2017, 69, 151–156. [Google Scholar] [CrossRef]
  17. Pattinson, M.; Butavicius, M.; Lillie, M.; Ciccarello, B.; Parsona, K.; Calic, D.; McMormac, A. Matching training to individual learning styles improves information security awareness. Inf. Comput. Secur. 2020, 28, 1–14. [Google Scholar] [CrossRef]
  18. Flores, W.R.; Ekstedt, M. Shaping intention to resist social engineering through transformational leadership, information security culture and awareness. Comput. Secur. 2016, 59, 26–44. [Google Scholar] [CrossRef]
  19. Koohang, A.; Anderson, J.; Nord, J.H.; Paliszkiewicz, J. Building an awareness-centered information security policy compliance model. Ind. Manage. Data. Syst. 2020, 120, 231–247. [Google Scholar] [CrossRef]
  20. Parsons, K.; McCormac, A.; Butavicius, M.; Pattinson, M.; Jerram, C. Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q). Comput. Secur. 2014, 42, 165–176. [Google Scholar] [CrossRef]
  21. Ahlan, A.R.; Lubis, M.; Lubis, A.R. Information security awareness at the knowledge-based institution: Its antecedents and measures. Procedia Comput. Sci. 2015, 72, 361–373. [Google Scholar] [CrossRef]
  22. Taskin, L.; Bridoux, F. Telework: A challenge to knowledge transfer in organizations. Int. J. Hum. Resour. Man. 2010, 21, 2503–2520. [Google Scholar] [CrossRef]
  23. Rivard, S. Editor’s comments: The ions of theory construction. MIS Quart. 2014, 38, iii–xiv. [Google Scholar]
  24. Bulgurcu, B.; Cavusoglu, H.; Benbasat, I. Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quart. 2010, 34, 523–548. [Google Scholar] [CrossRef] [Green Version]
  25. Kruger, H.; Kearney, W. A prototype for assessing information security awareness. Comput. Secur. 2006, 25, 289–296. [Google Scholar] [CrossRef]
  26. Kaur, J.; Mustafa, N. Examining the effects of knowledge, attitude and behaviour on information security awareness: A case on SME. In Proceedings of the International Conference on Research and Innovation in Information Systems, Kuala Lumpur, Malaysia, 27–28 November 2013. [Google Scholar]
  27. Parsons, K.; Calic, D.; Pattinson, M.; Butavicius, M.; McCormac, A.; Zwaans, T. The human aspects of information security questionnaire (HAIS-Q): Two further validation studies. Comput. Secur. 2017, 66, 40–51. [Google Scholar] [CrossRef]
  28. Liao, S.; Fei, W.; Liu, C. Relationships between knowledge inertia, organizational learning and organization innovation. Technovation 2008, 28, 183–195. [Google Scholar] [CrossRef]
  29. Sillic, M. Critical impact of organizational and individual inertia in explaining non-compliant security behavior in the shadow IT context. Comput. Secur. 2019, 80, 108–119. [Google Scholar] [CrossRef]
  30. Tsai, S.; Wu, W.; Ma, S.; Wu, C.; Zhou, B. Benchmarking, knowledge inertia, and knowledge performance in different network structures. Enterp. Inf. Syst. 2020, 14, 641–660. [Google Scholar] [CrossRef]
  31. Xie, X.; Fang, L.; Zeng, S.; Huo, J. How does knowledge inertia affect firms product innovation? J. Bus. Res. 2016, 69, 1615–1620. [Google Scholar] [CrossRef]
  32. Hu, Q.; Dinev, T.; Paul, H.; Cooke, D. Managing employee compliance with information security policies: The critical role of top management and organization culture. Decision Sci. 2012, 43, 615–660. [Google Scholar] [CrossRef]
  33. Sommestad, T.; Karlzen, H.; Hallberg, J. The theory of planned behavior and information security policy compliance. J. Comput. Inform. Syst. 2019, 59, 344–353. [Google Scholar] [CrossRef]
  34. Zwilling, M.; Klien, G.; Lesjak, D.; Wiechetek, L.; Cetin, F.; Basim, H.N. Cyber security awareness, knowledge and behavior: A comparative study. J. Comput. Inform. Syst. 2022, 62, 82–97. [Google Scholar] [CrossRef]
  35. Hewitt, B.; White, G.L. Optimistic Bias and Exposure Affect Security Incidents on Home Computer. J. Comput. Inform. Syst. 2022, 62, 50–60. [Google Scholar] [CrossRef]
  36. Shropshire, J.; Warkentin, M.; Sharma, S. Personality, attitudes, and intentions: Predicting initial adoption of information security behavior. Comput. Secur. 2015, 49, 177–191. [Google Scholar] [CrossRef]
  37. Posey, C.; Roberts, T.L.; Lowry, P.B.; Hightower, R.T. Bridge the divide: A qualitative comparison security thought patterns between information security professionals and ordinary organizational insiders. Inform. Manag. 2014, 51, 551–567. [Google Scholar] [CrossRef]
  38. Taneja, A.; Vitrano, J.; Gengo, N.J. Rationality-based beliefs affecting individual’s attitude and intention to use privacy controls on Facebook: An empirical investigation. Comput. Hum. Behav. 2014, 38, 159–173. [Google Scholar] [CrossRef]
  39. Park, M.; Oh, H.; Lee, K. Security risk measurement for information leakage in IoT-based smart homes from a situational awareness perspective. Sensors 2019, 19, 2148. [Google Scholar] [CrossRef] [Green Version]
  40. Pham, H.C. Information security burnout: Identification of sources and mitigating factors from security demands and resources. J. Inf. Secur. Appl. 2019, 46, 96–107. [Google Scholar] [CrossRef]
  41. Kajzer, M.; D’Arcy, J.; Crowell, C.C.; Striegel, A.; Bruggen, D.V. An exploratory investigation of message-person congruence in information security awareness campaigns. Comput. Secur. 2014, 43, 64–76. [Google Scholar] [CrossRef]
  42. Hong, Y.; Furnell, S. Motivating information security policy compliance: Insights from perceived organizational formalization. J. Comput. Inform. Syst. 2022, 62, 19–28. [Google Scholar] [CrossRef]
  43. Gefen, D.; Straub, D.; Boudreau, M. Structural equation modelling and regression: Guidelines for research practice. Commun. Assoc. Inf. Syst. 2000, 4, 1–78. [Google Scholar]
  44. Shao, Z.; Feng, Y.; Hu, Q. Effectiveness of top management support in enterprise systems success: A contingency perspective of fit between leadership style and system life-cycle. Eur. J. Inform. Syst. 2016, 25, 131–153. [Google Scholar] [CrossRef]
  45. Zhen, J.; Xie, Z.; Dong, K.; Chen, L. Impact of negative emotions on violations of information security policy and possible mitigations. Behav. Inform. Technol. 2022, 41, 2342–2354. [Google Scholar] [CrossRef]
  46. Guan, B.; Hsu, C. The role of abusive supervision and organizational commitment on employees’ information security policy noncompliance intention. Internet Res. 2020, 30, 1383–1405. [Google Scholar] [CrossRef]
  47. Podsakoff, P.M.; MacKenzie, S.B.; Lee, J.Y.; Podsakoff, N.P. Common method biases in behavioral research: A critical review of the literature and recommended remedies. J. Appl. Psychol. 2003, 88, 879–903. [Google Scholar] [CrossRef]
  48. Liang, H.; Saraf, N.; Hu, Q.; Xue, Y. Assimilation of enterprise systems: The effect of institutional pressures and the mediating role of top management. MIS Quart. 2007, 31, 59–87. [Google Scholar] [CrossRef]
  49. House, D.; Raja, M.K. Phishing: Message appraisal and the exploration of fear and self-confidence. Behav. Inform. Technol. 2020, 39, 1204–1224. [Google Scholar] [CrossRef]
  50. Tsohou, A.; Karyda, M.; Kokolakis, S. Analyzing the role of cognitive and cultural biases in the internalization of information security policies: Recommendations for information security awareness programs. Comput. Secur. 2015, 52, 128–141. [Google Scholar] [CrossRef]
  51. Van der Schyff, K.; Flowerday, S. Mediating effects of information security awareness. Comput. Secur. 2021, 106, 102313. [Google Scholar] [CrossRef]
Electronics 11 03458 g001 550
Figure 1. Research model.
Figure 1. Research model.
Electronics 11 03458 g001
Table
Table 1. Demographic characteristics.
Table 1. Demographic characteristics.
CategoryNumber (N = 305)Percentage
Gender
Male19262.9%
Female11337.1%
Age
18–3019664.3%
31–407725.2%
>403210.5%
Education
Polytechnic and below6721.9%
Bachelor14948.9%
Master and PhD8929.2%
Table
Table 2. Construct reliability and validity.
Table 2. Construct reliability and validity.
ConstructItemsFactor LoadingsAVECRCronbach’s Alpha
Knowledge
(K)		K10.8850.8360.9380.902
K20.929
K30.825
Attitude
(A)		A10.8940.8560.9470.915
A20.945
A30.935
Behavior
(B)		B10.9030.7890.9180.866
B20.861
B30.901
Experience inertia
(EI)		EI10.9580.8920.9610.939
EI20.934
EI30.942
Learning inertia
(LI)		LI10.9210.8840.9580.934
LI20.954
LI30.946
Information security awareness (ISA)ISA10.9410.8630.9620.947
ISA20.938
ISA30.911
ISA40.925
Table
Table 3. Correlation analysis of latent variables.
Table 3. Correlation analysis of latent variables.
ConstructMeanStd.KABEILIISA
K3.5510.7710.914
A3.6910.8090.7110.925
B3.5680.7500.7520.8060.888
EI3.5840.7820.7730.7490.8150.944
LI3.6070.7570.7230.6900.8020.8280.940
ISA3.5970.7720.7640.7210.8280.8190.8450.929
Table
Table 4. CMV detection.
Table 4. CMV detection.
ConstructIndicatorSubstantive Factor Loading (R1)R12Method Factor Loading (R2)R22
KnowledgeK10.732 **0.5360.261 *0.068
K20.508 **0.2580.1060.011
K30.643 **0.4130.1390.019
AttitudeA10.773 **0.5980.268 *0.072
A20.631 **0.3980.0930.008
A30.512 **0.2620.1260.016
BehaviorB10.819 **0.6710.225 *0.051
B20.754 **0.5690.229 *0.052
B30.676 **0.4570.1560.024
Experience inertiaEI10.867 **0.7520.0280.000
EI20.827 **0.6840.1450.021
EI30.653 **0.4260.1260.016
Learning inertiaLI10.635 **0.4030.1610.026
LI20.696 **0.4840.0590.003
LI30.589 **0.3470.0970.009
Information security awarenessISA10.876 **0.7670.1040.011
ISA20.741 **0.5490.1000.010
ISA30.825 **0.6810.1550.024
ISA40.687 **0.4720.1380.019
Average 0.7080.5120.1430.024
Note: ** p < 0.01; * p < 0.05.
Table
Table 5. Results of collinearity assessment.
Table 5. Results of collinearity assessment.
ConstructKnowledgeAttitudeBehaviorExperience InertiaLearning Inertia
VIF2.863.034.574.303.61
Table
Table 6. Summary of hypotheses and results.
Table 6. Summary of hypotheses and results.
HypothesisRelationsPredicted SignSupported?
H1Knowledge → ISA+Yes
H2Attitude → ISA+No
H3Behavior → ISA+Yes
H4Experience inertia → ISA+No
H5Learning inertia → ISA+Yes
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Zhen, J.; Dong, K.; Xie, Z.; Chen, L. Factors Influencing Employees’ Information Security Awareness in the Telework Environment. Electronics 2022, 11, 3458. https://doi.org/10.3390/electronics11213458

AMA Style

Zhen J, Dong K, Xie Z, Chen L. Factors Influencing Employees’ Information Security Awareness in the Telework Environment. Electronics. 2022; 11(21):3458. https://doi.org/10.3390/electronics11213458

Chicago/Turabian Style

Zhen, Jie, Kunxiang Dong, Zongxiao Xie, and Lin Chen. 2022. "Factors Influencing Employees’ Information Security Awareness in the Telework Environment" Electronics 11, no. 21: 3458. https://doi.org/10.3390/electronics11213458

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop