Understanding extra-role security behaviors: An integration of self-determination theory and construal level theory

Abstract

Extra-role security behaviors (ERSBs) – spontaneous security behaviors that are not prescribed in organizational security policies – are seen as a useful addition to securing informational assets in organizations. However, this exploratory study, based on findings obtained through 29 in-depth-interviews, challenges this positive perspective and shows that extra-role security behaviors cut both ways: They are either helpful or harmful. In addition, our results suggest that (1) ERSB contributes to varying degrees to the effectiveness of information security compliance, (2) the self-determination theory contributes to understanding the motivators for ERSB, and (3) the construal level theory of psychological distance explains the differential risk evaluation of ERSB. We discuss implications for researchers and practitioners – particularly in terms of promoting the beneficial nature of extra-role security behaviors – and suggest compelling avenues for future research.