Computers in Human Behavior 57 (2016) 442e451
Contents lists available at ScienceDirect
Computers in Human Behavior journal homepage: www.elsevier.com/locate/comphumbeh
Full length article
An information security knowledge sharing model in organizations Nader Sohrabi Safa*, Rossouw Von Solms Centre for Research in Information and Cyber Security, School of ICT, Nelson Mandela Metropolitan University, Port Elizabeth, South Africa
a r t i c l e i n f o
a b s t r a c t
Article history: Received 20 August 2015 Received in revised form 12 November 2015 Accepted 16 December 2015 Available online xxx
Knowledge sharing plays an important role in the domain of information security, due to its positive effect on employees' information security awareness. It is acknowledged that security awareness is the most important factor that mitigates the risk of information security breaches in organizations. In this research, a model has been presented that shows how information security knowledge sharing (ISKS) forms and decreases the risk of information security incidents. The Motivation Theory and Theory of Planned Behavior besides Triandis model were applied as the theoretical backbone of the conceptual framework. The results of the data analysis showed that earning a reputation, and gaining promotion as an extrinsic motivation and curiosity satisfaction as an intrinsic motivation have positive effects on employees' attitude toward ISKS. However, self-worth satisfaction does not influence ISKS attitude. In addition, the findings revealed that attitude, perceived behavioral control, and subjective norms have positive effects on ISKS intention and ISKS intention affects ISKS behavior. The outcomes also showed that organizational support influences ISKS behavior more than trust. The results of this research should be of interest to academics and practitioners in the domain of information security. © 2015 Elsevier Ltd. All rights reserved.
Keywords: Information security Knowledge sharing Motivation Behavior Organization
1. Introduction As the Internet has become an integral commodity in human life, organizational activities rely on the web-based technologies widely. However, information security is still a controversial issue for both users and organizations. Information security refers to defending information from unauthorized access, disclosure, use, modification, disruption, inspection, and perusal. In other words, confidentiality, integrity and reliability of information are important in information security (Von Solms and Van Niekerk, 2013). Information security awareness plays a vital role in mitigating the risk of information security breaches (Parsons, McCormac, Butavicius, Pattinson, & Jerram, 2014). The Internet is a vast environment with a great potential of information security breaches. Hackers use new and ingenious methods to hack the others' computers or systems in line with their own benefits (Choo, 2011; Safa, Ghani, & Ismail, 2014). Recently, online attackers developed a bogus website and asked users to download free anti-virus software. Many of these people downloaded their fake anti-virus and they lost their private information. Different social engineering methods
* Corresponding author. E-mail addresses: n.sohrabisafa@gmail.com (N.S. Safa), Rossouw.VonSolms@ nmmu.ac.zab (R. Von Solms). http://dx.doi.org/10.1016/j.chb.2015.12.037 0747-5632/© 2015 Elsevier Ltd. All rights reserved.
and phishing are other examples of users' mistakes in the domain of information security behavior (Islam and Abawajy, 2013). In this dynamic environment, information security knowledge sharing not only increases the level of awareness as an effective approach, but also reduces the cost of information security in organizations. Information security knowledge sharing refers to collaboration with others by sharing our experiences, ideas and knowledge in order to safeguard information assets in organizations (Rocha Flores et al., 2014). Experts face similar problems in this domain and they should provide proper solutions for them. Preventing the development of the same solutions for similar problems by way of sharing knowledge leads to the avoidance of time-wasting and extra costs (Feledi, Fenz, & Lechner, 2013). This time and funding could be better spent by improving the quality of solutions, instead of reinventing the security wheel. However, the previous study showed that the motivation for knowledge sharing among employees is the important challenge in this realm. Sharing previous relevant experiences in the domain of information security is a valuable resource in information security awareness (Rhee, Kim, & Ryu, 2009; Safa, Sookhak, et al., 2015; Safa, VonSolms, Furnell, 2015). Tamjidyamcholo, Bin Baba, Shuib, and Rohani (2014) investigated the effect of information security knowledge sharing in the virtual community, and its effect on reducing the risks. They also mentioned the low level of willingness of members to share
N.S. Safa, R. Von Solms / Computers in Human Behavior 57 (2016) 442e451
knowledge with each other as an important barrier in the information security knowledge sharing. Confidence in one's knowledge ownership, the danger of losing one's job, the perceived cost, unfamiliarity with the subject, one's individual attitude and distrust have been already mentioned as obstacles to knowledge sharing (Amayah, 2013). In this research, a conceptual framework has been presented that shows how intrinsic and extrinsic motivations, attitude toward information security knowledge sharing, perceived behavioral control, and subjective norms influence information security knowledge sharing intention. In addition, organizational support and trust speed up information security knowledge sharing, as facilitating conditions based on the Triandis model. The remainder of the paper is organized as follows: The theoretical background comprises Motivation Theory and the Theory of Planned Behavior besides the Triandis' model is described in section two. A research model and the various hypotheses are depicted in section three. The research methodology, data collection and the demography of the participants are discussed in section four. The results of the measurement model, the structural model, as well as statistical tests are presented in section five. Contributions to, and implementation of the research are explained in section six. The conclusion, limitations and future work are all described in section seven. 2. The theoretical background We have conceptualized information security knowledge sharing under two fundamental theories e the Theory of Motivation and Theory of Planned Behavior. On the other hand, Triandis' model has helped us to improve the model, by considering the facilitating conditions in organizations. Motivation encourages individuals to act in a certain way, and to develop a specific behavior. Knowledge sharing is more likely to occur when individuals are motivated (Chang and Chuang, 2011). The Theory of Planned Behavior explains how attitude, perceived behavioral control, and subjective norms affect individuals' intention toward particular behavior. In this regard, facilitating conditions play an important role in the formation of such behavior. More explanations about the theories and the Triandis model will be presented in the following parts.
443
Theory of Planned Behavior (Cox, 2012; Ifinedo, 2014). In other studies, the Theory of Planned Behavior was used to explain knowledge sharing behavior based on attitude, subjective norms and perceived behavioral control (Suhwan Jeon, Kim, & Koh, 2011; Pi, Chou, & Liao, 2013). In this research, the Theory of Planned Behavior has been used to describe how employees engage in information security knowledge sharing in order to mitigate the risk of information security breaches in organizations.
2.2. The Motivation Theory Previous studies have revealed that the motivations associated with individuals' needs and expectations can encourage people to engage in a specific behavior (Ryan, Lynch, Vansteenkiste, & Deci, 2010). Motivation represents the reasons for people's actions, needs, and desires. Motivation defines the direction and the reasons for a particular behavioral pattern. A motive prompts one to behave in a specific manner. The lack of motivation has been mentioned as an important obstacle for knowledge sharing behavior, regardless of the type of knowledge to be shared (Hung, Durcikova, Lai, & Lin, 2011). Intrinsic and extrinsic motivations play important roles in the domain of knowledge sharing in organizations (Cabrera, Collins, & Salgado, 2006; Hau, Kim, Lee, & Kim, 2013). In this research, intrinsic and extrinsic motivations have been considered as important factors that affect employees' attitude towards information security knowledge sharing in organizations.
2.3. Triandis' model Triandis (1980) asserted that facilitating conditions are effective factors which besides the other factors drive a particular behavior. Despite strong intentions, a behavior cannot materialize when there is an obstacle against such a behavior (Su-Hwan Jeon Kim, & Koh, 2011). Facilitating conditions are factors that make an act easy to do. In the context of this research, the facilitating conditions include organizational support and trust among the employees in order to share their knowledge in the domain of information security. Fig. 1 depicts the integrated theoretical background of the research model in a concise format.
2.1. The Theory of Planned Behavior Individuals' thoughts, feelings, actions and behavior are all influenced by their interaction with other persons. The Theory of Planned Behavior was developed from the Theory of Reasoned Action (TRA); and it describes the changes in human behavior based on the perspective of social influence. In simple words, if people evaluate a behavior as positive (attitude), or they think that significant others want them to perform the behavior (subjective norms); then these should lead to higher intentions; and they would be more likely to do so (Fishbein and Ajzen, 1981). However, there were some arguments against the relationship between intention and actual behavior. Some studies showed that intention cannot be the exclusive determinant of behavior, where an individual's control over his/her behavior is incomplete. Ajzen (1991) developed the Theory of Planned Behavior by considering perceived behavioral control. In this way, the Theory of Planned Behavior can cover non-volitional behavior for predicting behavioral intention and actual behavior. The Theory of Planned Behavior has been widely applied in the domain of the information system and security in recent years. Several studies have discussed how complying with information security organizational policies forms in organizations based on the
3. Research model and hypotheses The presented study investigates the relationships between intrinsic and extrinsic motivations with attitude on the one hand, and information security knowledge sharing attitudes, perceived behavioral control, and subjective norms with information security knowledge sharing intention, on the other hand. In addition, the research model shows the relationships between information security knowledge sharing intention and facilitating conditions with actual information security knowledge sharing behavior. The structure of the conceptual framework is based on the Motivation Theory, the Theory of Planned Behavior and Triandis' model. The first four hypotheses correspond with the motivational variables that influence employees' attitude. Extrinsic and intrinsic motivations are two main elements of the Motivation Theory. The next three hypotheses are based on the Theory of Planned Behavior that shows the effect of attitude, subjective norms and perceived behavioral control on information security knowledge sharing intention. Finally, the last three hypotheses depict the effects of ISKS intention on ISKS behavior, trust among employees and organizational support as facilitating conditions in ISKS behavior.
444
N.S. Safa, R. Von Solms / Computers in Human Behavior 57 (2016) 442e451
Fig. 1. Theoretical background of research model.
3.1. Extrinsic motivations Extrinsic motivation refers to the results of a particular behavior in line with attaining a desired outcome. Extrinsic motivation is influence from outside the individual. The different forms of reward commonly are extrinsic motivations (Lai & Chen, 2014). Extrinsic motivations come from employees' benefits derived from knowledge sharing. These benefits could be in the shape of reputation (Chang and Chuang, 2011; Park, Gu, Leung, & Konana, 2014) or promotion (Wang and Noe, 2010, Wang and Hou, 2015) in firms. These kinds of motivation are usually given to the knowledge provider as a kind of external stimulus, based on the exchange relationship between employees and employers in organizations. Reputation refers to the general judgment or opinions about a person. Reputation is the state and situation of being held in high esteem and can be a widespread description of a trait or characteristic in a person. In this research, this trait or characteristic is information security employee's knowledge that the others attribute to a person (reputation). Promotion relates to the employee's efforts to safeguard organization's information assets, which are considered as the employee's reward. This promotion stems from management's positive appraisal of safeguarded information. Therefore, we postulate that earning reputation and gaining promotion as external motivation have significant effects on one's attitude towards ISKS intention. H1. Earning reputation has a positive effect on employees' attitude toward ISKS intention. H2. Gaining promotion has a positive effect on employees' attitude toward ISKS intention.
3.2. Intrinsic motivations Intrinsic motivation is derived from an interest or enjoyment in the task that is not based on a desire for reward or from any external pressure. Intrinsic motivation can be self-sustaining and long-lasting, due to its satisfaction (Shibchurn and Yan, 2015). Intrinsic motivations are influenced by the pleasure and satisfaction in the knowledge sharing process (Hau et al., 2013). This pleasure can come from curiosity satisfaction (Liu, Ji, & Mookerjee, 2011; Wang and Hou, 2015) and self-worth (KwangWook and Ravichandran, 2011). In this research, curiosity refers to employees' desire to know more about information security. A sense of self-worth is formed when employees realize that their contributions positively influence the performance of the organization via the knowledge sharing action (Pi et al., 2013). The sense of self-worth satisfaction motivates individuals to information security knowledge sharing.
Hence, the following hypotheses are proposed: H3. Curiosity satisfaction has a positive effect on employees' attitude towards ISKS intention. H4. Self-worth satisfaction has a positive effect on employees' attitude towards ISKS intention.
3.3. Attitude, subjective norms and perceived behavioral control An attitude forms on the basis of a person's past and present experiences; and it refers to favour or disfavor towards an object. The object can be anything in our environment, such as a place, person, an idea or an event (Shropshire, Warkentin, & Sharma, 2015). In other words, one's attitude portrays one's evaluation of an object, ranging from extremely good to extremely bad. Attitude also refers to an individual's positive or negative view towards engaging in a particular behavior. Hepler (2015) defined attitude as a psychological tendency that extends from an extremely negative to an extremely positive. Attitude has attracted the attention of many experts in the different domain, because of its potential to describe an individual's behavior. The set of beliefs that a person has about an object influences his/her attitude towards the behavior and the attitude affects his/her behavioral intention. The studies of Siponen, Adam, and Pahnila (2014) revealed that attitude towards complying with information security organizational policies positively; and this attitude significantly influences employees' intention to comply with the policies. The research of Suhwan Jeon et al. (2011) showed that attitude has a positive effect on an individual's intention towards knowledge sharing. In this research, we have hypothesized that attitude towards information security knowledge sharing has a positive effect on employees' intention towards information security knowledge sharing behavior: H5. Attitude toward ISKS has a positive effect on employees' intention towards ISKS. Subjective norms are the effect of people's opinions about a particular behavior. In other words, subjective norms refer to what people, who are important to them, think about a given behavioral pattern (Li, Zhang, & Sarathy, 2010). Subjective norms show the social pressure on employees to perform, or to not perform, a particular behavior (Lijiao Cheng et al., 2013). This pressure comes from departmental heads, supervisors, managers, or even colleagues, who perceive information security knowledge sharing as an effective and useful approach that increases information security awareness and mitigates the risk of information security breaches. Consequently, we hypotheses that: H6. Subjective norms towards ISKS have a positive effect on
N.S. Safa, R. Von Solms / Computers in Human Behavior 57 (2016) 442e451
employees' intention towards ISKS. Perceived behavioral control relates to the individuals' ability to perform a given behavior (Ajzen & Madden, 1986). Perceived behavioral control is a perception of the ease or difficulty in performing the behavior; a person may, or may not, have the ability to perform the intended behavior; and this impacts on the person's beliefs about their intentions and actions (Cox, 2012). Park et al. (2014) mentioned in the results of their studies that willingness and ability to share are two important factors that affect knowledge sharing behavior. Hence, the following hypothesis is proposed: H7. Perceived behavioral control towards ISKS has a positive effect on employees' intention towards ISKS.
3.4. Intention In a simple view, psychology describes human behavior as being based on the beliefs, desires and intentions of an individual. Intention is a mental state that shows a commitment to execute a particular action now, or in the future. Intention involves planning and mental activity to achieve a goal (Lee, 2014). Intention is one of the important factors in the Theory of Planned Behavior that has been used in many studies in the domain of information security behavior. The intention to comply with information security organizational policies (Ifinedo, 2014; Siponen et al., 2014; Vance, Siponen, & Pahnila, 2012), and the intention to adopt information security behavior (Shropshire et al., 2015), as well as IT ethical behavioral intentions (Leonard, Cronan, Paul, & Kreie, 2004), intention to information security knowledge sharing (Suhwan Jeon et al., 2011; Park et al., 2014; Tamjidyamcholo et al., 2014) are all examples of studies that used intention as a main factor in their research models. In this study, we postulate that the intention to information security knowledge sharing has a significant effect on employees' information security knowledge sharing behavior based on the Theory of Planned Behavior: H8. The intention to ISKS has a positive effect on employees' ISKS behavior.
445
a facilitator in information security knowledge sharing behavior. We postulate that: H9. Trust among employees facilitates actual employees' ISKS behavior.
3.6. Organizational support Organizational support refers to employees; global beliefs about the extent to which an organization acknowledges and values the staff's contribution, and pays attention to their wellbeing (Shropshire et al., 2015). Organizational support relates to employees' affective commitment. Organizational support also has been mentioned as an important factor in the adoption and use of information technology (Reid, Riemenschneider, Allen, & Armstrong, 2008). Cavusoglu, Cavusoglu, Son, and Benbasat (2015) emphasise the importance of organizational support on the users' decision to comply with information security policies. King and Marks (2008) investigated the effect of motivational approach on knowledge sharing behavior in organizations. The results of this study revealed that employees tend to share their knowledge with those whom they believe would most benefit the organization. A high level of perceived organizational support leads to a feeling of obligation in the staff, whereby the employees would feel obliged to support organizational goals. The other studies showed that employees who perceive the need for organizational support, consider it as an organizational commitment towards the staff, and reciprocate via commitment towards the organization; while focusing on organizational goals and policies (Pi-Yueh Cheng et al., 2013). This commitment can safeguard the organizational information assets by way of information security knowledge sharing tools. Based on the aforementioned explanations we postulate that: H10. Organizational support facilitates actual employees' ISKS behavior. Fig. 2 shows an integrated model of information security knowledge sharing formation in organizations. Table 1 shows the definitions of the constructs in the research framework.
3.5. Trust 4. Research methodology Trust is a belief that someone or something is honest, reliable, good, and effective. Trust is also defined as a perception of the desire to depend on someone or something for security (Safa and Ismail, 2013). Trust can be attributed to a relationship between people; and it is one of the important factors in a social system. Trust influences relationships between and within social groups, such as friends, families, organizations, communities, companies and nations. Trust is the determination to play a critical role in the development of relationships that facilitate knowledge sharing among individuals (Chen, Lin, & Yen, 2014). Yang and Farn (2009) perceived knowledge sharing as a kind of collaboration in the business organizations, together with the conviction that this collaboration does not materialize unless trust exists among different parties. In another study, Bryce and Fraser, 2014 asserted the important role of trust in the disclosure of personal information and knowledge sharing among young people in online interactions. Information security administrations do not share information; because this information can be used by attacker; in this situation, trust plays a vital role in the information security knowledge sharing realm (Werlinger, Hawkey, Botta, & Beznosov, 2009). In this research, trust among employees has been considered as
This research seeks to augment and diversify research on information security on the one hand, and knowledge sharing as an effective and efficient approach to mitigate the risk of information security breaches on the other. The Motivation Theory, Theory of Planned Behavior and Triandi's model helped us to conceptualise ISKS in organizations. Quantitative and qualitative approaches were applied in the course of the framework development. In order to understand how knowledge sharing is manifested in the information security context, the effective factors in information security knowledge sharing were collected from a review of the literature; and then, the initial model was developed. Interviews with the experts in this domain, besides applying the Delphi method, improved the conceptual framework. Finally, the research model was developed. The data were collected by means of a questionnaire and a Likert scale. Confirmatory Factor Analysis (CFA) was applied to ascertain whether the measurement model is compatible with our understanding of the constructs or factors. In other words, whether the data would confirm our hypotheses. Structural equation modeling has been mentioned as an appropriate approach to examine the relationships between independents, dependents and the
446
N.S. Safa, R. Von Solms / Computers in Human Behavior 57 (2016) 442e451
Fig. 2. Information security knowledge sharing integrated model.
Table 1 Definitions of the constructs. Constructs
Definitions in this research
Reputation Promotion
Individuals' perception of earning respect or enhancing their status through participation in ISKS activities. 4 The act of moving an employee to a higher position due to his/her efforts in ISKS that mitigate the risk of information security 4 breaches. The employee's desire to know or learn about information security. 5 Employee's emotional self-evaluation about ISKS that influence the organizational information security. 5 The degree of positive feelings about ISKS behavior in organizations. 4 The perception of an individual's ability to perform ISKS. Having the perception of ease as regards ISKS. 4
Curiosity Self-worth Attitude Perceived Behavioral Control Subjective norms Intention Trust Organization Support ISKS behavior
Number of items
It refers to the others' opinions about ISKS in an organization. The degree to which an employee thinks he or she would probably engage in ISKS. The employee's plan to involve ISKS. A belief that someone is reliable and honest in regard to ISKS. The extent to which an organization acknowledges and values ISKS. Knowledge sharing about information security that increases information security awareness and mitigates the risk of information security incidents.
4 4 5 4 5
mediating variables in a such model (Bagozzi and Yi, 2011. In this way, the measurement model and structural model were assessed by IBM Amos 20, using the maximum likelihood method. In addition, the Chi-square with degrees of freedom, the goodness of fit index (GFI), the adjusted goodness of fit index (AGFI), the comparative fit index (CFI), and the root mean square error of approximation (RMSEA) were applied, in order to investigate the testing of the hypotheses (Hair, Black, Babin, & Anderson, 2010).
hesitations and descriptions that the respondents requested on the items. Based on their feedback, we revised and rephrased some of the words or sentences to increase their comprehension of the questions. The final version of the questionnaire included forty eight questions, in which, every construct was measured by various items. Table 3 shows the relevant items with the respective constructs.
4.1. Data collection
4.2. Demography
The data were collected from the employees of several Malaysian organizations whose main activities were in the domain of banking, insurance, e-Commerce and education. Participants in the education section were employees of a government and reputable university in Malaysia. These organizations have established organizational information security policies and procedures; all employees should follow these policies and procedures. The participants are familiar with the importance of information security. Data gathering was conducted from first of March to end of June 2015. A questionnaire was developed, based on the structure of the research framework; and the items (questions) were adopted from previous studies in this domain. The answers of the questions were based on a Likert scale, ranging: from 1) strongly disagree to 5) strongly agree. We described the purpose of the research to the participants, and then asked them to reply to the questionnaire based on their experience and knowledge. Their consent was important for the research group. After an indication of their consent to participate in this study, the questionnaire was presented to them. We clarified that the data would be kept confidential and only used for academic purposes. To be sure about comprehension, applicability and the unique interpretation of the questions by the participants, the questionnaire was pilot-tested with 38 participants. During the pilot test, we observed their emotions, their
To speed up the process of data collection, two approaches were
Table 2 Respondents' characteristics. Measure
Items
Frequency
Percent
Gender
Male Female 21 to 30 31 to 40 41 to 50 Above 50 Employee Chief employee Management 1 to 2 years 3 to 5 years Above 5 years Diploma Bachelor Master PhD Banking Insurance e-Commerce Education
336 146 160 195 85 42 438 32 12 128 248 106 38 306 114 24 1 2 1 1
69.7 30.3 33.2 40.46 17.63 8.71 90.8 6.7 2.5 26.65 51.25 22.1 7.9 63.75 23.35 5 20 40 20 20
Age
Position
Work experience
Education
Type of organizations
N.S. Safa, R. Von Solms / Computers in Human Behavior 57 (2016) 442e451
447
Table 3 The constructs, the items, and their descriptive statistics. Construct
Items
Earning Reputation
ER1 ER2 ER3 ER4
Gaining Promotion
GP1 GP2 GP3 GP4 CS1 CS2 CS3 CS4 CS5 SS1 SS2 SS3 SS4 SS5 AT1 AT2 AT3 AT4 PBC1 PBC2
Curiosity Satisfaction
Self-worth Satisfaction
Attitude
Perceived Behavioral Control
Subjective Norms
Intention to ISKS
Trust
PBC3 PBC4 SN1 SN2 SN3 SN4 IN1 IN2 IN3 IN4 TR1 TR2 TR3 TR4 TR5
Organizational Support
ISKS Behavior
OS1 OS2 OS3 OS4 ISKS1 ISKS2 ISKS3 ISKS4 ISKS5
My colleagues respect me when I share my information security knowledge. The others have a positive opinion when I share my information security knowledge. The management asked me to help others in terms of information security. Employees have a positive image about me due to their evaluation of my information security knowledge. ISKS shows my efforts for information to be safeguarded; and that leads to getting a better position. ISKS assesses positively and increases my salary. ISKS increases my ranking in the organization. ISKS helps to heighten my organizational position ISKS satisfies my desire for acquiring information security skills. ISKS satisfies my sense of curiosity. I enjoy it when I gain knowledge about information security through knowledge sharing. I feel pleasure when I share my knowledge about information security. I am interested in ISKS. My efforts in ISKS help to ensure a safe environment for information assets. My ISKS increases employees' knowledge about information security that mitigates the risks. My ISKS decreases the cost of information security investment. My ISKS decreases the cost of information security damages. My ISKS is an efficient approach to safeguarding information assets in an organization. I think ISKS behavior is a valuable asset in the organization. I believe ISKS is a useful behavioral tool to safeguard the organization's information assets. My ISKS has a positive effect on mitigating the risk of information security breaches. ISKS is a wise behavior that decreases the risk of information security incidents. I have the necessary knowledge about information security to share with the other staff. I have the ability to share information security knowledge to mitigate the risk of information security breaches. ISKS is an easy and enjoyable task for me. I have the useful resources to share ISKS with the other employees. My colleagues think that we should share our information security knowledge. The head of department thinks that ISKS is a value culture. The senior staff in my company have a positive view on ISKS. My friends in my office encourage me to share my information of ISKS. I am willing to share my information security knowledge because of its potential to reduce the risks. I will share my information security experiences with my colleagues to increase their awareness. I will inform the other staff about new methods and software that can reduce the risk of information security. I will share the report on information security incidents with others, in order to reduce the risk. I believe that my colleague's information security knowledge is reliable. I believe that my colleague's information security knowledge is effective. I believe that my colleague's information security knowledge mitigates the risk of information security breaches. I believe that my colleague's information security knowledge is useful. I believe that my colleagues would not take advantage of my information security knowledge that we share. ISKS is of value in my organization. The management appreciates employees for their ISKS. The management awards employees for their ISKS. The management encourages employees to utilise ISKS. I frequently share my experience about information security with my colleagues. I share my information security knowledge with my colleagues. I frequently share my information security documents with my colleagues. I frequently share my expertise from my information security training with my colleagues. I frequently talk with others about information security incidents and their solutions in our meetings.
Mean Std Dev
CFA Composite Loading Reliability
4.21 4.11 3.95 3.56
0.751 0.794 0.797 0.802
0.651 0.582 0.685 0.695
0.784
4.25 4.31 4.11 3.79 4.05 4.03 3.93 3.58 3.84 3.91 4.07 3.67 4.41 4.01 3.92 3.65 4.41 3.68 4.18 3.86
0.859 0.795 0.864 0.793 0.761 0.719 0.861 0.762 0.805 0.705 0.874 0.816 0.924 0.953 0.949 0.915 0.848 0.868 0.759 0.858
0.710 0.527 0.742 0.774 0.756 0.805 0.851 Dropped 0.806 0.721 0.601 0.772 0.823 Dropped 0.685 0.754 0.799 0.683 0.851 0.762
0.804
3.74 4.13 3.65 3.87 4.17 4.13 3.94 4.01 4.23
0.708 0.894 0.816 0.880 0.922 0.739 0.683 0.542 0.742
0.676 0.901 0.864 0.812 0.609 0.714 0.923 0.754 0.699
3.69 3.85 3.56 4.11
0.865 0.915 0.972 0.753
0.783 0.821 0.762 0.658
0.753
0.829
0.767
0.862
0.720
0.805
0.756
3.98 0.832 Dropped 4.07 0.806 0.706 3.65 3.58 4.05 3.87 4.51 4.81 3.95 4.78
0.815 0.712 0.653 0.723 0.819 0.616 0.639 0.802
0.821 0.762 0.658 0.752 0.712 0.629 0.598 0.706
0.865
0.752
Factor loading from confirmatory factor analysis. t-value is significant at p < 0.05.
applied in parallel e data collection by a paper-based questionnaire and an electronic questionnaire (facilities in Google Drive). Five hundred and twenty three participants answered the questionnaire, in which, one hundred and seventy one were through the paper-based questionnaire and three hundred and fifty two were through Google Drive. In the paper-based questionnaire, to decrease the number of incomplete questionnaires, we reviewed immediately the responses and kindly asked the participants to reply the neglected questions. Nevertheless, thirteen questionnaires (7.6%) were discarded, because of their incomplete answers, or because of the same response were given to all of the items. The facilities in Google Drive efficiently helped with the data gathering in this research. We emailed an electronic questionnaire
through the Google Drive to those participants whose emails were accessible. Among three hundred and fifty two electronic questionnaires, twenty eight questionnaires were rejected from the dataset due to the incomplete responses, or because of the same responses to all the questions. Finally, four hundred and eighty two questionnaires were considered for the data analysis. Table 2 shows the demography of the participants in a concise form. 5. Results The variables in the research are usually unobservable (latent) or unquantifiable variables, such as reputation, promotion, curiosity, self-worth, and so forth. The measurement model and the
448
N.S. Safa, R. Von Solms / Computers in Human Behavior 57 (2016) 442e451
structural model were developed on the basis of the observable and unobservable variables in the research model. Measurement and structural models are two important parts of any data analysis. The measurement model shows the relationships between the measured variables with latent variables. The reliability and validity of the indicators (observed variables) were explored before the measurement model was fitted to the data. The relationships between the latent variables were tested in the structural model. Structural equation modelling (SEM) is the most suitable approach for this kind of research (Hair et al., 2010). 5.1. Measurement model SEM is the most appropriate avenue for exploring relationships among the variables, and the overall data fit to the hypotheses. SEM isolates the error, when it measures the latent variables with several observed variables and estimated regression among the latent variables. The normality of the data distribution was tested by using standard skewness and kurtosis in the first step. The outcomes were between 2 and þ2, which shows a normal distribution (Habibpor and Safari, 2008). The research model was formed on the basis of the previous studies in this domain, and two fundamental theories. Confirmatory factor analysis (CFA) has been acknowledge as a suitable approach to investigate whether the measured variables are consistent with our understanding of the nature of the constructs or the factors (Ho, 2006). Factor loading of the measurement variables shows the convergent validity. Factor loadings greater than 0.5 show an acceptable convergent validity (Hair et al., 2010). Hence, the items that they had in the factor loading with items of less than 0.5 were ignored from the model. CS4 in the curiosity satisfaction, SS5 in the self-worth satisfaction and TR4 in the trust were dropped from the model. Due to their lower factor loading on the related constructs. Cronbach's Alpha shows the internal consistency. Internal consistency relates to the correlations among the items that can measure a factor. The measure of Cronbach's Alpha for all constructs exceeded the threshold of 0.7, which indicates the composite reliability of the constructs (Arbuckle, 2007). Table 3 shows the results of the statistical measures in a concise form. Although the unidimensional grouping shows convergent and discriminant validity, as the constructs are independent and unique, in order to explore the convergent and the discriminant validity of the instruments, we linked constructs to one another. Convergent validity was tested to indicate whether it is evident in the relationships between two related constructs, based on the research model. Correlations between theoretically different measures should be low. Discriminant validity shows the absence of any relationships between those constructs that should not relate to each other, based on the conceptual framework (Hair et al., 2010).
Table 4 shows the correlation matrices between the pairs of constructs in a concise form. 5.2. Testing the structural model Structural equation modeling (SEM) encompasses a family of statistical methods to test a conceptual or theoretical model. SEM is widely applied in the different research areas, due to its ability to isolate observational errors from the measurement of latent variables. SEM explores the relationships among the dependent, independent, mediating and moderating variables. SEM considers reliable measurements, when it estimates the relationships among the variables and examines the overall data fit to the conceptual model. IBM Amos version 20 was used to calculate the models' parameters. Confirmatory and exploratory factor analyses are two approaches in this domain. In this research, the conceptual framework stems from a review of the literature and two fundamental theories. This is why we applied confirmatory factor analysis (CFA). Comparative fit measures and global fit measures are two methods that were applied to explore the fit indices. The Chi-square test (c2) with degrees of freedom is commonly used as the global fit criterion. Chi-square/df also indicates the extent to which the data are compatible with the hypotheses. A model with better fit with the data would indicate a small Chi-square measure, and a Chi-square/ df ratio of 2 or less (Arbuckle, 2007). The hypotheses of the research may be rejected due to inappropriate sample size. The Chi-square is sensitive to sample size. Fortunately, the results show an adequate sample size for this test. The fit between the actual or observed data and the predicted values from the proposed model were examined by the Goodness of Fit Index (GFI). The Adjusted Goodness of Fit Index (AGFI) is another measure that is GFI when considering the degree of freedom. To test the data against the null model, the Comparative Fit Index (CFI) was calculated. A GFI, AGFI, CFI with measures greater than 0.9 is recommended by the experts (Byrne, 1994). To evaluate the model on the basis of the discrepancy and the degree of freedom, the Incremental Fit Index (IFI) is a useful complementary measure. IFI measures close to 1 show a very good Fit. To investigate the minimum discrepancy of the baseline model with the data, the Normed Fit Index (NFI) was computed (Bagozzi et al., 2011). If the data fit with the model perfectly, the measure of the NFI would be equal to 1. To answer the question of “how well does the model fit the population covariance matrix?” the Root Mean Square Error of Approximation (RMSEA) is another method that can be applied in the data analysis. An RMSEA measure with a value of less than 0.08 is considered good (Schumacker and Lomax, 2010). Table 5 shows the model fit indices in a concise format. The results of the data analysis are presented in Table 6. The
Table 4 Correlation between different constructs.
1 2 3 4 5 6 7 8 9 10 11
ER GP CS SS AT PBC SN IN TU OS ISKS
Mean
SD
1
2
3
4
5
6
7
8
9
10
11
3.95 4.11 4.01 4.00 3.91 3.97 3.99 4.16 3.96 4.07 3.91
1.13 0.57 0.85 1.11 1.02 1.03 0.88 1.06 1.23 0.69 1.32
0.818 0.502 0.301 0.509 0.689 0.186 0.234 0.302 0.198 0.238 0.326
0.858 0.612 0.386 0.704 0.265 0.521 0.421 0.230 0.352 0.316
0.796 0.412 0.670 0.268 0.442 0.411 0.196 0.403 0.267
0.789 0.265 0.267 0.236 0.361 0.267 0.238 0.196
0.888 0.208 0.419 0.649 0.203 0.366 0.197
0.872 0.669 0.336 0.295 0.403 0.246
0.818 0.625 0.375 0.298 0.261
0.885 0.402 0.358 0.603
0.799 0.379 0.323
0.889 0.556
0.823
N.S. Safa, R. Von Solms / Computers in Human Behavior 57 (2016) 442e451 Table 5 Model fit indices. Fit indices
Model value
Acceptable standard
c2 c2/Df
1006.89 1.81 0.964 0.936 0.921 0.914 0.938 0.071
e <2 >0.9 >0.9 >0.9 >0.9 >0.9 <0.08
GFI AGFI CFI IFI NFI RMSEA
449
actions, needs, and desires. A motive is what prompts the person to behave in a particular way or direction. The results of the data analysis showed that earning a reputation and gaining promotion, as extrinsic motivational factors; and curiosity satisfaction as and intrinsic motivation have significant effects on employees' attitude toward ISKS intention. However, self-worth satisfaction does not have any significant effect on ISKS attitude. One plausible explanation for this finding might be that self-worth refers to the perception of employees’ satisfaction in terms of their contribution; and it influences the performance of the organization. Although,
Table 6 The results of the hypotheses testing. Path ER GP CS SS AT PBC SN IN TR OS
/ / / / / / / / / /
At AT AT AT IN IN IN ISKS ISKS ISKS
Standardized estimate
p-Value
Results
0.701 0.679 0.602 0.402 0.703 0.698 0.724 0.695 0.521 0.761
0.014 0.006 0.011 0.071 0.007 0.014 0.002 0.009 0.019 0.001
Support Support Support Not-Supported Support Support Support Support Support Support
outcomes showed that the path from earning reputation (b ¼ 0.701, p ¼ 0.014), gaining promotion (b ¼ 0.679, p ¼ 0.006), curiosity satisfaction (b ¼ 0.602, p ¼ 0.011) towards ISKS attitude were significant. However, the effect of self-worth satisfaction towards attitude was not significant. Therefore, H4 is rejected. The findings also revealed that attitude (b ¼ 0.703, p ¼ 0.007), perceived behavioral control (b ¼ 0.698, p ¼ 0.014), and subjective norms (b ¼ 0.724, p ¼ 0.002) towards intention to ISKS were significant. Finally, the results showed that the intention to ISKS (b ¼ 0.695, p ¼ 0.009), trust (b ¼ 0.521, p ¼ 0.019), and organizational support (b ¼ 0.761, p ¼ 0.001) had significant effects on the ISKS behavior in organizations.
6. Contribution and implementation Human aspects of information security play a vital role in this domain. Various approaches, such as complying with organizational information security policies (Lijiao Cheng et al., 2013; Ifinedo, 2014; Safa, Sookhak, et al., 2015; Safa, VonSolms, et al., 2015), information security conscious care behavior (Rhee et al., 2009; Vroom and von Solms, 2004), information security intervention-different training methods (Abawajy, 2014; Caputo, Pfleeger, Freeman, & Johnson, 2014; Von Solms and Van Niekerk, 2013), and information security collaboration and knowledge sharing (Koriat and Gelbard, 2014; Tamjidyamcholo, Bin Baba, Tamjid, & Gholipour, 2013) were discussed in the previous studies. However, there is a paucity of research on information security knowledge sharing in organizations as an effective and efficient approach that mitigates the risk of security incidents. A knowledge sharing culture is a value in organizations (Wang and Noe, 2010). This not only heightens information security awareness; but it also lessens the cost of information security in firms. Experts believe that the Internet is a vast environment, in which hackers use different approaches and methods to change the availability, confidentiality and integrity of information in line with their own benefits. That is why we should consider all the conceivable approaches to thwart information security threats. Motivation explains the reasons for individuals' manners,
information security and knowledge sharing both influence the performance of an organization, however, this contribution is not direct and tangible by the employees. The findings also revealed that attitude, perceived behavioral control, and subjective norms have a significant effect on ISKS intention; and ISKS intention positively influences ISKS behavior. In addition, the outcomes showed that organizational support influences ISKS behavior more than does trust. One conceivable explanation for this finding might be that perceived support from the organization is taken as a commitment of the organization towards them; and they pay for it through commitment towards the organization, such as focusing on the organizational goals and policies of their employees. This study furthers our understanding of the important of ISKS in organizations and conceptualized ISKS behavior by integration of three fundamental theories: Motivation, TPB and Triandis model. This research also evaluated the entire process of ISKS phenomena from the perspective of sociopsychological motivators, linking attitude, intention and behavior. To the best of our knowledge, this is one of the first studies that discusses information security knowledge sharing as a great potential and resource in organizations that decreases the risk of information security breaches. This potential is released when employees with different levels of awareness and knowledge collaborate with each other to safeguard the information assets. Another implication of this research relates to the important role of motivational factors that positively affect information security knowledge sharing. Therefore, the satisfaction of sociological motivations is essential for the success of an ISKS. For managers intending to improve ISKS as a value in their organizations, supporting the motivational factors, such as employees’ promotion, reputation and curiosity satisfaction can be a guideline to cultivate ISKS behavior. Managements need to know intrinsic and extrinsic motivations, and then to indicate ways to stimulate those motivations. Information security experts, besides staff with reliable information security knowledge and awareness play important roles in this realm. The recognition of employees’ abilities and capabilities is imperative to having any effective ISKS activities in organizations.
450
N.S. Safa, R. Von Solms / Computers in Human Behavior 57 (2016) 442e451
Thus, these qualities and skills should be taken into consideration by their managers. 7. Conclusion This study has indicated confirmatory relationships by integrating several theoretical methods on human behavior, in order to clarify ISKS development in organizations. The conceptual model covers the entire process of ISKS (attitude, intention, and behavior). ISKS is a valuable phenomenon; companies should establish an appropriate environment, in which to cultivate this culture due to its advantages. Another major finding of this research refers to the effect of motivational factors on one's attitude towards information security knowledge sharing behavior. In particular, extrinsic motivational factors were found to have a more profound effect on attitude. On the other hand, ISKS is a useful activity between more than one employee in an organization; the shared goal in this collaboration is information security. Managements have the role of team or community leaders. Their plans heighten the level of this collaboration; and subsequently, they reduce the risk of information security breaches. Now we can say that information security knowledge sharing, information security collaboration, and complying with information security organizational policies and procedures are organizational aspects of information security that should be taken into the consideration by both academics and practitioners. 8. Limitation and future work We had some limitations in this research. The data were collected from several Malaysian organizations. Generalization of the findings could be improved by considering a larger sample size. The data were collected by applying two approaches, in order to speed up the data collection e a paper-based questionnaire and an electronic questionnaire (Google Drive). Another limitation of this study stems from the inability to control double responses by participants who fill out the electronic questionnaires through Google Drive. This limitation can be removed by controlling the participants’ IP address. In this vein, we can recognise those participants with two or more answers. This research has conceptualised information security knowledge sharing that other experts could further develop. More investigation can be conducted to clarify the effects of gender, education, and job style on ISKS behavior in organizations. ISKS requires a particular collaboration with the intention to achieve a shared goal e information security. There is scant research on information security collaboration in organizations. Collaboration increases the chance of problem solving, improving productivity and performance. Information security collaboration thwarts information security threats. This could also be a new clue for future research. Appendix A. Supplementary data Supplementary data related to this article can be found at http:// dx.doi.org/10.1016/j.chb.2015.12.037. References Abawajy, J. (2014). User preference of cyber security awareness delivery methods. Behaviour and Information Technology, 33(3), 236e247. http://dx.doi.org/ 10.1080/0144929X.2012.708787. Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179e211. http://dx.doi.org/10.1016/0749-5978(91) 90020-T. Ajzen, I., & Madden, T. J. (1986). Prediction of goal-directed behavior: attitudes,
intentions, and perceived behavioral control. Journal of Experimental Social Psychology, 22(5), 453e474. http://dx.doi.org/10.1016/0022-1031(86)90045-4. http://dx.doi.org/10.1016/0022-1031(86. Amayah, A. T. (2013). Determinants of knowledge sharing in a public sector organization. Journal of Knowledge Management, 17(3), 454e471. http://dx.doi.org/ 10.1108/JKM-11-2012-0369. Arbuckle, J. L. (2007). Amos 16.0 User's guide. Chicago, IL, U.S.A.: SPSS, Inc, 60606e66307. Bagozzi, R. P., & Yi, Y. (2011). Specification, evaluation, and interpretation of structural equation models. Academy of Marketing Science, 40, 8e34. http:// dx.doi.org/10.1007/s11747-011-0278-x. Bryce, J., & Fraser, J. (2014). The role of disclosure of personal information in the evaluation of risk and trust in young peoples' online interactions. Computers in Human Behavior, 30, 299e306. http://dx.doi.org/10.1016/j.chb.2013.09.012. Byrne, B. M. (1994). Structural equation modeling with EQS and EQS-Windows: basic concepts, applications, and programming. Thousand Oaks, CA, USA: Sage Publications, Inc. Collins, W. C., & Salgado, J. F. (2006). Determinants of individual Cabrera, A., engagement in knowledge sharing. The International Journal of Human Resource Management, 17(2), 245e264. http://dx.doi.org/10.1080/09585190500404614. Caputo, D. D., Pfleeger, S. L., Freeman, J. D., & Johnson, M. E. (2014). Going spear phishing: exploring embedded training and awareness. IEEE Security and Privacy, 12(1), 28e38. http://dx.doi.org/10.1109/MSP.2013.106. Cavusoglu, H., Cavusoglu, H., Son, J.-Y., & Benbasat, I. (2015). Institutional pressures in security management: direct and indirect influences on organizational investment in information security control resources. Information & Management, 0. http://dx.doi.org/10.1016/j.im.2014.12.004. Chang, H. H., & Chuang, S.-S. (2011). Social capital and individual motivations on knowledge sharing: participant involvement as a moderator. Information & Management, 48(1), 9e18. http://dx.doi.org/10.1016/j.im.2010.11.001. Chen, Y.-H., Lin, T.-P., & Yen, D. C. (2014). How to facilitate inter-organizational knowledge sharing: the impact of trust. Information & Management, 568e578. http://dx.doi.org/10.1016/j.im.2014.03.007. Cheng, L., Li, Y., Li, W., Holm, E., & Zhai, Q. (2013). Understanding the violation of IS security policy in organizations: an integrated model based on social control and deterrence theory. Computers & Security, 39 Part B(0), 447e459. http:// dx.doi.org/10.1016/j.cose.2013.09.009. Cheng, Pi-Y., Yang, J.-T., Wan, C.-S., & Chu, M.-C. (2013). Ethical contexts and employee job responses in the hotel industry: the roles of work values and perceived organizational support. International Journal of Hospitality Management, 34(0), 108e115. http://dx.doi.org/10.1016/j.ijhm.2013.03.007. Choo, K.-K. R. (2011). The cyber threat landscape: challenges and future research directions. Computers & Security, 30(8), 719e731. http://dx.doi.org/10.1016/ j.cose.2011.08.004. Cox, J. (2012). Information systems user security: a structured model of the knowingedoing gap. Computers in Human Behavior, 28(5), 1849e1858. http:// dx.doi.org/10.1016/j.chb.2012.05.003. Feledi, D., Fenz, S., & Lechner, L. (2013). Toward web-based information security knowledge sharing. Information Security Technical Report, 17(4), 199e209. http://dx.doi.org/10.1016/j.istr.2013.03.004. Fishbein, M., & Ajzen, I. (1981). On construct validity: a critique of Miniard and Cohen's paper. Journal of Experimental Social Psychology, 17(3), 340e350. http:// dx.doi.org/10.1016/0022-1031(81)90032-9. http://dx.doi.org/10.1016/00221031(81. Habibpor, K., & Safari, R. (2008). Comprehensive guide for using SPSS software and data analysis. Hair, J. F., Black, W. C., Babin, B. J., & Anderson, R. E. (2010). Multivariate data analysis (7th ed.). Hau, Y. S., Kim, B., Lee, H., & Kim, Y.-G. (2013). The effects of individual motivations and social capital on employees' tacit and explicit knowledge sharing intentions. International Journal of Information Management, 33(2), 356e366. http://dx.doi.org/10.1016/j.ijinfomgt.2012.10.009. Hepler, J. (2015). A good thing isn't always a good thing: dispositional attitudes predict non-normative judgments. Personality and Individual Differences, 75(0), 59e63. http://dx.doi.org/10.1016/j.paid.2014.11.016. Ho, R. (2006). Handbook of univariate and multivariate data analysis and interpretation with SPSS. Boca Raton: Taylor & Francis Group. Hung, S.-Y., Durcikova, A., Lai, H.-M., & Lin, W.-M. (2011). The influence of intrinsic and extrinsic motivation on individuals' knowledge sharing behavior. International Journal of Human-Computer Studies, 69(6), 415e427. http://dx.doi.org/ 10.1016/j.ijhcs.2011.02.004. Ifinedo, P. (2014). Information systems security policy compliance: an empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), 69e79. http://dx.doi.org/10.1016/j.im.2013.10.001. Islam, R., & Abawajy, J. (2013). A multi-tier phishing detection and filtering approach. Journal of Network and Computer Applications, 36(1), 324e335. http:// dx.doi.org/10.1016/j.jnca.2012.05.009. Jeon, Su-H., Kim, Y.-G., & Koh, J. (2011). Individual, social, and organizational contexts for active knowledge sharing in communities of practice. Expert Systems with Applications, 38(10), 12423e12431. http://dx.doi.org/10.1016/ j.eswa.2011.04.023. Jeon, S., Kim, Y.-G., & Koh, J. (2011). An integrative model for knowledge sharing in communities-of-practice. Journal of Knowledge Management, 15(2), 251e269. http://dx.doi.org/10.1108/13673271111119682. King, W. R., & Marks, Peter V., Jr. (2008). Motivating knowledge sharing through a
N.S. Safa, R. Von Solms / Computers in Human Behavior 57 (2016) 442e451 knowledge management system. Omega, 36(1), 131e146. http://dx.doi.org/ 10.1016/j.omega.2005.10.006. Koriat, N., & Gelbard, R. (2014). Knowledge sharing motivation among IT personnel: Integrated model and implications of employment contracts. International Journal of Information Management, 34(5), 577e591. http://dx.doi.org/10.1016/ j.ijinfomgt.2014.04.009. KwangWook, G., & Ravichandran, T. (Jan. 2011). Accessing external Knowledge: Intention of knowledge exchange in virtual community of practice. In , 2011. Paper presented at the system sciences (HICSS), 2011 44th Hawaii international conference on (pp. 4e7). Lai, H.-M., & Chen, T. T. (2014). Knowledge sharing in interest online communities: a comparison of posters and lurkers. Computers in Human Behavior, 35(0), 295e306. http://dx.doi.org/10.1016/j.chb.2014.02.004. Lee, W.-K. (2014). The temporal relationships among habit, intention and IS uses. Computers in Human Behavior, 32(0), 54e60. http://dx.doi.org/10.1016/ j.chb.2013.11.010. Leonard, L. N. K., Cronan, T. Paul, & Kreie, J. (2004). What influences IT ethical behavior intentionsdplanned behavior, reasoned action, perceived importance, or individual characteristics? Information & Management, 42(1), 143e158. http://dx.doi.org/10.1016/j.im.2003.12.008. Liu, D., Ji, Y., & Mookerjee, V. (2011). Knowledge sharing and investment decisions in information security. Decision Support Systems, 52(1), 95e107. http://dx.doi.org/ 10.1016/j.dss.2011.05.007. Li, H., Zhang, J., & Sarathy, R. (2010). Understanding compliance with internet use policy from the perspective of rational choice theory. Decision Support Systems, 48(4), 635e645. http://dx.doi.org/10.1016/j.dss.2009.12.005. Park, J. H., Gu, B., Leung, A. C. M., & Konana, P. (2014). An investigation of information sharing and seeking behaviors in online investment communities. Computers in Human Behavior, 31(0), 1e12. http://dx.doi.org/10.1016/ j.chb.2013.10.002. Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., & Jerram, C. (2014). Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q). Computers & Security, 0. http://dx.doi.org/ 10.1016/j.cose.2013.12.003. Pi, S.-M., Chou, C.-H., & Liao, H.-L. (2013). A study of Facebook groups members' knowledge sharing. Computers in Human Behavior, 29(5), 1971e1979. http:// dx.doi.org/10.1016/j.chb.2013.04.019. Reid, M. F., Riemenschneider, C. K., Allen, M. W., & Armstrong, D. J. (2008). Information technology employees in state government: a study of affective organizational commitment, job involvement, and job satisfaction. The American Review of Public Administration, 38(1), 41e61. http://dx.doi.org/10.1177/ 0275074007303136. Rhee, H.-S., Kim, C., & Ryu, Y. U. (2009). Self-efficacy in information security: Its influence on end users' information security practice behavior. Computers & Security, 28(8), 816e826. http://dx.doi.org/10.1016/j.cose.2009.05.008. Rocha Flores, W., Antonsen, E., & Ekstedt, M. (2014). Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. Computers & Security, 43(0), 90e110. http://dx.doi.org/10.1016/j.cose.2014.03.004. Ryan, R. M., Lynch, M. F., Vansteenkiste, M., & Deci, E. L. (2010). Motivation and autonomy in counseling, psychotherapy, and behavior change: a look at theory and practice. The Counseling Psychologist. http://dx.doi.org/10.1177/ 0011000009359313. Safa, N. S., Ghani, N. A., & Ismail, M. A. (2014). An artificial neural network classification approach for improving accuracy of customer identification in e-
451
commerce. Malaysian Journal of Computer Science, 27(3), 171e185. Safa, N. S., & Ismail, M. A. (2013). A customer loyalty formation model in electronic commerce. Economic Modelling, 35(0), 559e564. http://dx.doi.org/10.1016/ j.econmod.2013.08.011. Safa, N. S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., & Herawan, T. (2015). Information security conscious care behaviour formation in organizations. Computers & Security, 53(0), 65e78. http://dx.doi.org/10.1016/ j.cose.2015.05.012. Safa, N. S., Von Solms, R., & Furnell, S. (2015). Information security policy compliance model in organizations. Computers & Security. http://dx.doi.org/10.1016/ j.cose.2015.10.006. Schumacker, R. E., & Lomax, R. G. (2010). A Beginner's guide to structural equation modeling (3rd ed.). New York: Taylor & Francis Group. Shibchurn, J., & Yan, X. (2015). Information disclosure on social networking sites: an intrinsiceextrinsic motivation perspective. Computers in Human Behavior, 44(0), 103e117. http://dx.doi.org/10.1016/j.chb.2014.10.059. Shropshire, J., Warkentin, M., & Sharma, S. (2015). Personality, attitudes, and intentions: predicting initial adoption of information security behavior. Computers & Security, 49(0), 177e191. http://dx.doi.org/10.1016/j.cose.2015.01.002. Siponen, M., Adam, M. M., & Pahnila, S. (2014). Employees' adherence to information security policies: an exploratory field study. Information & Management, 51(2), 217e224. http://dx.doi.org/10.1016/j.im.2013.08.006. Tamjidyamcholo, A., Bin Baba, M. S., Tamjid, H., & Gholipour, R. (2013). Information security e professional perceptions of knowledge-sharing intention under selfefficacy, trust, reciprocity, and shared-language. Computers & Education, 68(0), 223e232. http://dx.doi.org/10.1016/j.compedu.2013.05.010. Tamjidyamcholo, A., Bin Baba, M. S., Shuib, N. L. M., & Rohani, V. A. (2014). Evaluation model for knowledge sharing in information security professional virtual community. Computers & Security, 43(0), 19e34. http://dx.doi.org/10.1016/ j.cose.2014.02.010. Triandis, H. (1980). Values, attitudes, and interpersonal behavior. In Paper presented at the Nebraska symposium on motivation, Nebraska. Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: insights from habit and protection motivation theory. Information & Management, 49(3e4), 190e198. http://dx.doi.org/10.1016/j.im.2012.04.002. Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38(0), 97e102. http://dx.doi.org/10.1016/ j.cose.2013.04.004. Vroom, C., & von Solms, R. (2004). Towards information security behavioural compliance. Computers & Security, 23(3), 191e198. http://dx.doi.org/10.1016/ j.cose.2004.01.012. Wang, S., & Noe, R. A. (2010). Knowledge sharing: a review and directions for future research. Human Resource Management Review, 20(2), 115e131. http:// dx.doi.org/10.1016/j.hrmr.2009.10.001. Wang, W.-T., & Hou, Ya-P. (2015). Motivations of employees' knowledge sharing behaviors: a self-determination perspective. Information and Organization, 25(1), 1e26. http://dx.doi.org/10.1016/j.infoandorg.2014.11.001. Werlinger, R., Hawkey, K., Botta, D., & Beznosov, K. (2009). Security practitioners in context: their activities and interactions with other stakeholders within organizations. International Journal of Human-Computer Studies, 67(7), 584e606. http://dx.doi.org/10.1016/j.ijhcs.2009.03.002. Yang, S.-C., & Farn, C.-K. (2009). Social capital, behavioural control, and tacit knowledge sharingdA multi-informant design. International Journal of Information Management, 29(3), 210e218. http://dx.doi.org/10.1016/ j.ijinfomgt.2008.09.002.