Examining the Boundary Effect of Information Systems Security Behavior under Different Usage Purposes

Abstract

The purpose of information systems (IS) security behavior, represented by the difference between work and personal purpose, has been neglected in the research of user's IS security behavior. This is especially important for the organizations that allow or inevitably allow their employees to do personal tasks during work hours, because it may bring big threats to an organization's IS. Unfortunately, few empirical studies have examined if different behavioral purpose, typically, work/personal purpose, affects users' IS security behavior decision. Based on boundary theory and the idea of multidimensional rationality, we argue that people demarcate a psychological boundary for work and personal usages of IS and thus apply different rationalities to make IS security-related decisions. Our empirical investigation indicates that in a work usage context, people apply rule-based rationality and therefore are more influenced by mandatoriness and facilitating conditions. Whereas in a personal usage context, people apply outcome-based rationality and therefore are more concerned with task benefits and costs. The findings imply that organizations and vendors may devise different measures to ensure users' IS security behavior in different contexts.