Whose risk is it anyway: How do risk perception and organisational commitment affect employee information security awareness?

Since information security (InfoSec) incidents often involve human error, businesses are investing greater resources into improving staff awareness and compliance with best-practice InfoSec behaviours. This research examined whether employees who feel that they may be personally affected by workplace InfoSec incidents are more likely to behave in accordance with those best-practice behaviours. To further understand this, we also examined organisational commitment and risk perception. Data collection involved an online questionnaire measuring these constructs in relation to three workplace cyber threats: phishing, malware, and mobile devices. The questionnaire was completed by 269 employed Australians. Participants who felt more personally affected by attacks associated with mobile devices were more likely to report following best-practice behaviours in that context at work. This was not the case for phishing and malware attacks. Other variables, including age, gender, employment level and InfoSec training, were also found to predict reported compliance with best-practice behaviours, and employees with more frequent training self-reported poorer compliance. Theoretical and practical implications are discussed.