This study examined whether employees’ security-related stress, i.e., technostress and role stress, in an organizational setting could affect their compliance intention regarding information security. In a survey of 346 employees, it was found that security-related technostress creators in organizations negatively affected employees’ organizational commitment, both directly and indirectly through role stress, and further lowered compliance intention regarding information security. In addition, it was found that employees’ regulatory focus, i.e., promotion focus, moderated the relationship between technostress creators and role stress. Employees with a high level of promotion focus were more resistant to the adverse effect of technostress creators and thus experienced less role stress. These results suggest directions for organizational strategies to manage and enhance employees’ information security compliance.

Introduction

Organizations are increasing investment in information security technology to battle various security threats. The worldwide revenues for security-related hardware, software, and services are expected to grow from $73.7 billion US dollars in 2016 to $101.6 billion US dollars by 2020 (IDC, 2016). In addition, information security systems are adopting more complex and specialized technology to respond to the diversified threats to information security (Guo, 2013; Hwang, Kim, Kim, & Kim, 2017). These technologies include device control technology (e.g., personal PC, USB, and other personal devices), network firewall technology (e.g., detecting critical information leaks via web mail, messenger, web hardware), network monitoring technology (e.g., based on protocols such as HTTP, FTP, and SMTP), document security technology (e.g., encryption technology for important documents, control technology for document access) and security management technology (e.g., management of passwords, vaccines and O/S programs), to name a few. Being equipped with up-to-date and advanced information security technology and systems is helpful for fighting various security threats, and it is not surprising that it has become the utmost concern for most organizations. However, there is something largely ignored in the picture: people who are affected by the system and who have to deal with the technology on a daily basis. If not properly managed, employees may struggle to adapt to complex and unfamiliar technology of the security system and to deal with additional workload and uncertain procedures imposed by the security protocol, which can lead to an increased level of stress on the job (D’Arcy, Herath, & Shoss, 2014). This stress due to technology use (or “technostress”) can induce various negative organizational outcomes. For example, Tarafdar, Tu, Ragu-Nathan, and Ragu-Nathan (2007) have suggested that conditions that create technostress are associated with adverse psychological outcomes such as an increased level of role stress, reduced job satisfaction and reduced organizational commitment, as well as with adverse information system (IS) outcomes such as decreased innovation in employees’ tasks while using the IS, reduced productivity when using the IS and dissatisfaction with the IS. This line of thought poses a question: is it possible that employees’ stress due to technological aspects of information security itself negatively affects their compliance toward information security?