Social Cognitive Theory: Information Security Awareness and Practice

In this paper, the authors discuss employees’ beliefs about their abilities to competently use computer information security tools in the determination of effective information security practices within organizations. In the first section the authors present a background about information security practices at work. Then, the authors present a research approach based on social cognitive theory applied in the information security context within organizations to address the individual and environmental factors that explain information security behavior of end users. The objective of the literature review is to describe the definition and operationalization of constructs such as information security awareness and information security practice as the mediating and dependent variables, and the independent variables of support within the organization, encouragement by others, others’ use as environmental factors in the information security context; and finally, self-efficacy and outcome expectations as the individual factors. A research model with a set of propositions is presented to improve the understanding of the personal and environmental factors that influence the effective security practices of organizational employees.