Understanding computer security behavioral intention in the workplace An empirical study of Korean firms

Purpose - In organizations today, protecting information and computer assets from attacks or disaster has become one of the top managerial issues. The purpose of this paper is to propose and empirically test a comprehensive model of computer security behaviors of individuals in the workplace. Design/methodology/approach - The model was developed based on the reference disciplines of the theory of reasoned action, moral obligation, protection motivation theory (PMT), and organizational context factors. The measurements for the variables in the model, including computer security behavioral intention were adapted from prior studies, and their reliability and validity were verified by a confirmatory factor analysis. The model was empirically analyzed by structural equation modeling with respect to data from 162 employees in a number of organizations in Korea. Findings - The results indicate that moral obligation and organizational norms along with attitude toward computer security behavior have significant impacts on employees' behavioral intentions of computer security. In addition, perceived threat severity, response efficacy, and self-efficacy, which are drawn from the PMT, have significant impacts on employee attitude, whereas security policy has significant impacts on the organizational norms. Originality/value - The paper provides a useful model for analyzing employees' computer security behaviors in the workplace. Also, the paper reveals that moral obligation as well as attitude toward computer security behavior was a significant predictor of an individual employee's intention to practice computer security behavior.