Toward a Theory of Information Systems Security Behaviors of Organizational Employees: A Dialectical Process Perspective

Published Online:

The various guidelines, procedures, and policies referred to as information systems security procedures (ISSPs) underlie information systems security behaviors (ISSBs) of many employees in organizations. Understanding the reasons for ISSBs—that is, why employees do or do not comply with ISSPs—is an imperative in today’s organizations, given that information is a valuable asset. In our study, we observed that employees’ reasons for engaging in ISSBs, such as selecting a password, locking a computer, and using a USB memory device, changed over time. Noting that the dynamic nature of ISSBs has not yet received sufficient consideration in information systems security (ISS) research, we use a predominantly inductive approach to develop a theoretical understanding of the ISSB change process, sensitized by ideas from dialectics. Our dialectical process view suggests that explanations for engaging in different ISSBs are not static but change over time as individuals seek to deal with, or balance, tensions or contradictory demands. Furthermore, our view suggests that “change triggers” (e.g., new experiences and external events) initiate a process of reevaluating tensions that can, in turn, lead to changes in ISSBs. A number of implications for future research and practice emerge from this dialectical understanding of the ISSB change process.

The online appendix is available at

INFORMS site uses cookies to store information on your computer. Some are essential to make our site work; Others help us improve the user experience. By using this site, you consent to the placement of these cookies. Please read our Privacy Statement to learn more.