An Adversarial Dance: Toward an Understanding of Insiders’ Responses to Organizational Information Security Measures

Abstract

Despite the increased focus on organizational security policies and programs, some employees continue to engage in maladaptive responses to security measures (i.e., behaviors other than those recommended, intended, or prescribed). To help shed light on insiders’ adaptive and maladaptive responses to IS security measures, we conducted a case study of an organization at the forefront of security policy initiatives. Drawing on the beliefs-actions-outcomes (BAO) model to analyze our case data, we uncover a potentially nonvirtuous cycle consisting of security-related beliefs, actions, and outcomes, which we refer to as an “adversarial dance.” Explaining our results, we describe a novel belief framework that identifies four security belief profiles and uncovers an underexplored outcome of IS security: insiders’ lived security experiences. We find that individuals’ unfavorable lived security experiences produce counterproductive security-related beliefs that, in turn, lead to maladaptive behaviors. Maladaptive behaviors create new potential for security risk, leading to increased organizational security measures to counter them. Thus, the adversarial dance continues, as the new security measures have the potential to reinforce counterproductive security-related beliefs about the importance and risk of IS security and lead to new maladaptive behaviors. To help situate our findings within the current security literature, we integrate the results with prior research based on extant theories. While this paper is not the first to suggest that security measures can elicit maladaptive behaviors, the emergent belief framework and expanded BAO model of IS security constitute an important contribution to the behavioral IS security literature.