How senior management and workplace norms influence information security attitudes and self-efficacy

Prior information security research establishes the need to investigate the informal factors that influence employee attitudes and self-efficacy beliefs about information security. Two informal workplace dynamics that are particularly important for how employees think about information security comprise senior management support and workplace norms. However, there are limitations to empirical research to date on these constructs, including conflicting evidence on the relationship between senior management support and information security attitudes and a lack of research on how norms impact self-efficacy beliefs. Also, although some studies suggest that norms might play a mediating role between information security attitudes, self-efficacy beliefs and their (informal and formal) antecedents, empirical research is yet to investigate these possibilities. Consequently, this study considers the relationships between senior management support, norms, formal controls and information security attitudes and self-efficacy beliefs. It comprises a cross-sectional survey of employees at a law enforcement organisation. Results indicate the central role that norms have on employee information security attitudes and self-efficacy beliefs including their direct and mediating role. In addition, the study highlights the important role that senior management support has on employees’ thinking about information security.