IS professionals' information security behaviors in Chinese IT organizations for information security protection

Continued integration of technology for the purpose of connecting and exchanging data with other devices and systems over the Internet exposes information security (IS) to growing risks. Organizations can thus achieve a strategic advantage by securing IS as a pivotal information and intelligence asset. This study examined ways of motivating IS professionals to protect information security from potential risks, drawing on the theoretical frameworks of protection motivation theory (PMT) and the theory of planned behavior (TPB) as well as work-related organizational antecedents (e.g., organizational commitment and job satisfaction). This paper proposes structural equation modeling (SEM) in R as a framework for exploring relationships among the variables and determining the overall data fit to the hypotheses. SEM is a multivariate technique which simultaneously executes both factor analysis and aspects of multiple regression in order to estimate interrelated relationships while also allowing path analytic modeling to be performed with latent, unobserved variables. Using 804 questionnaires with SEM analysis, we find support for the following predictors' associations: (a) information security attitudes and subjective norms, as constituents of TPB, significantly influenced information security protective behaviors; (b) the coping appraisals (self-efficacy and response cost) and threat appraisals (threat susceptibility and threat severity) of PMT were significantly predictive of information security protective behaviors; and (c) organizational commitment positively impacted information security protective behaviors. However, job satisfaction and perceived behavioral control as a construct of TPB were not associated with information security behaviors. The main theoretical contribution of this research is that the addition of organizational commitment allows the behavioral science model to offer a novel understanding of IS professionals' protection motivation and actual behaviors in the Chinese context. This study has several practical implications for organizations. In order to encourage IS professionals to follow protective security behaviors, organizations should set up the belief that a close relationship with subordinates plays a vital role in ensuring information security, improve IS employees' perception and cognition of their importance to the organization, constantly highlight the importance of information security protection, and emphasize the severe consequences of information security threats during trainings.