Understanding employees' responses to information security management practices: a person-environment fit perspective

This study tests the person-environment fit theory in information security (ISec), which describes situations in which the extent of ISec management is linked to positive or negative employee outcomes. We hypothesise that employees appraise their organisational ISec depending on the mismatch or match perception between their needs and organisational supplies. We define a mismatch as ISec misfit and a match as ISec fit and develop hypotheses framing the relationship between ISec fit (vs. misfit), employees' emotional reactions (anxiety and attentiveness), and, subsequently, ISec behaviours (ISec in-role, extra-role, and violation behaviours). We conduct quadratic polynomial regressions and apply response surface methodology to test our hypotheses and obtain two findings. First, ISec management are proactively needed by employees instead of prior enforcement perspective. The results show that ISec management practices are appraised negatively when they either exceed or fail to meet employees' preferences. Second, in expounding on a theoretical construction and empirical test of ISec fit and misfit and their relationships with employee outcomes, we find that attentiveness is greater with ISec fit, whereas anxiety is higher and attentiveness is lesser with ISec misfit. We also find that emotion mediates employees' ISec behaviours, while only anxiety does not mediate extra-role behaviour.