Cyber SecurityResearch

What role does job control play in adherence to Cyber Security?

'Exploring the Role of Work Identity and Work Locus of Control in Information Security Awareness'.

Extracts and summary of the research by: Dr Lee Hadlington, Dr Masa Popovac, Prof. Helge Janicke, Dr Iryna Yevseyeva, Dr Kevin Jones (2019)

In her summary of the work, Dr Popovac describes the research as exploring ‘the adherence to organisational information security and the role of work-related and individual factors such as individuals’ perceived control within the workplace, their commitment to current work identity, and the extent to which they are reconsidering commitment to work.’

Key quotes from the research:

  • ‘Cyber security is not just about technology. Almost all successful cyber attaches have a contributing human factor’ (a direct extract from the UK National Cybersecurity Strategy 2016-2021 p. 38)
  • ‘for the most part, technology cannot be the only solution to issues related to organisational cybersecurity…employee[s] (the human factor), can present a paradoxical element into the fight’
  • ‘On the one hand, employees can be a critical asset in the fight against cybersecurity breaches, and can act to deny malicious attempts to access sensitive company data. On the other hand, employees can be the ‘weakest link’…in the cybersecurity system; they are not logical, prone to misunderstanding and confusion, act on impulse and want to get their jobs done’

Summary of the research: 

This research focuses on what factors, outside of personality type, play into employee engagement in cyber security engagement in the workplace. The main aim of the research was to understand:

  • to what extent the ability to control job function has in the taking of responsibility for cyber security
  • if the identification with the workplace plays any role in improving cyber security amongst workers

The researchers point out that:

  • there is a difference between knowledge of the company’s information security policies and the ability of the employee to understand them.
  • there is also a potential gap in how individual attitudes and behaviour aligns with these policies. 

Previous research done in the area of cyber security has found that those more likely to be cyber-security conscious were: 

In contrast, those who engage in cyberloafing (engaging in non-work tech use during working hours) or have higher levels of internet addiction were less likely to be cyber-security conscious. The assumption was that these workers believed the higher levels of company security mitigated online risk when accessing specific materials and activities. Another assumption is that those who have little regard for the company they work for, or who feel they have limited control over their job, are also more likely to have a lower interest in adhering to internet security protocols.

Employees who have a higher internal locus of control are more likely to have lower stress levels, feel more in control of their work and have greater job satisfaction. Those who are higher in external locus of control feel they have little control over work, higher levels of stress and lower job/company commitment – therefore more likely to engage in counter-productive work behaviours, often to rekindle a sense of self-control over their work or potentially as an active attempt to harm the company.  

Those who feel less committed to their work may be less prone or may not see the value in engaging in cyber security behaviour.

The findings of the research are: 

  • Those with a higher internal locus of control are more likely to see their actions as a way to protect both themselves and the company from cyber attacks
  • Workers with a higher external locus of control perceive themselves to have a minimal amount of control over their work and workplace, assumed that both they and the company were vulnerable to attacks whatever action they did or didn’t take, so saw little value in following processes relating to information security.  
  • Those who have a strong work identity, and experience a sense of belonging in their workplace, are more adherent to cyber security policies
  • In contrast, those with a lower level of work identity and/or looking for a new role are less compliant. 
  • Being older and being female were also found to be more likely to engage in higher levels of information security compliance – confirming previous research. 
  • Those who have a clear understanding of the formal company rules around information security are more likely to follow them. 


Locus of control: ‘an individual’s expectancy related to how rewards or aspects of life outcomes are controlled on the basis of the actions of the individual (internally) or as a result of forces outside the control of the individual (externality)’.

Organisational commitment: ‘the level of attachment an employee has with their workplace’.

Work identity: ‘the strength of an individual’s identification with their work, and not directly their workplace or organisation’.

This is not an open-source document and will need purchasing to read the full original article.