Researchers and practitioners have increasingly recognized that employees play a significant role in organizational cybersecurity efforts (Chatterjee et al., 2015; Crossler et al., 2013; Pfleeger & Caputo, 2012). During “normal” times, research has found that while employees can be protective stewards of sensitive organizational assets, they also can cause significant harm due to a wide variety of issues (Canham et al., 2021; Posey et al., 2013). For example, employees may make mistakes that leave their employers more vulnerable to cyberattacks (Im & Baskerville, 2005; Stanton et al., 2005) or they may choose to go around cyber protocols not to create harm but to fulfill their daily work tasks without the constraints placed on them by the protocols (Balozian & Leidner, 2017; Guo et al., 2011). Finally, some employees may actively choose to harm their organization through technological means and calculated maliciousness (Liang et al., 2016; Warkentin & Willison, 2009). Accordingly, organizational insiders (i.e., employees and contractors) are often viewed as the weakest link in organizational cybersecurity (Green & Dorey, 2016; Warkentin & Willison, 2009; Yan et al., 2018).

In times of significant change such as that caused by the COVID-19 pandemic, there is an increased possibility for employee-related security issues. Not only have external attackers used this time of heightened uncertainty to increase and improve their social engineering (i.e., the manipulation of employees usually through deception and for fraudulent reasons) efforts on remote employees (Smith, 2022), but as popular press articles have reported, the shift from traditional office spaces to work-from-home (WFH) environments might have provided a perfect storm where the confluence of several factors emerged that affected employees’ engagement in behaviors directly related to security efforts. First, many organizations—some reports state at least one-third of companies (Hein, 2020)—were not adequately prepared to handle so many physically distributed employees in an almost-overnight fashion, and leaders often resorted to “hastily assembled” policies for remote work (Syed, 2020). This number is not surprising given that prior to the pandemic, only 6% of all employees worked primarily from home, and about 75% of all employees had never worked from home (Coate, 2021). Accompanying these pieced-together remote work policies were information technologies and surveillance capabilities adopted and installed without full examination of their repercussions. This situation is reflected in workers’ unions’ calls for additional regulations on organizations due to increased surveillance and employee-privacy concerns (Finnegan, 2022). We argue that these factors, combined with overall job and health concerns as well as WFH environments not necessarily conducive and resourced to support work like the traditional office, created stressors that influenced whether employees would follow their organizations’ security policies and standards—often seen by employees as additional constraints and workflow impediments themselves (Bulgurcu et al., 2010; D’Arcy et al., 2014)—in their daily tasks.

Given the urgent need for research to understand the human side of security risks and their antecedents, especially from a longitudinal perspective that allows researchers the ability to go beyond the limitations of cross-sectional and experimental designs to investigate the “‘little experiences’ of everyday life that fill most of [employees’] working time and occupy the vast majority of [employees’] conscious attention” (Wheeler & Reis, 1991, p. 340), we examine how several stressors related to employees’ (mis)use of information technologies while working remotely during the COVID-19 pandemic. More specifically, we integrate the Industrial-Organizational (I/O) Psychology and Information Systems literatures to assess how stressors in one’s (1) work environment related to the work-family interface, (2) job expectations, and (3) technology-enabled workflows—changes accelerated if not exacerbated by the pandemic—related to employees’ security violations, which are defined as “any act by an employee using computers that is against the established rules and policies of an organization regardless of the motives” (Hu et al., 2015, p. 7). Our daily examination of over 300 WFH employees for two work weeks considers how components in these stressor categories are directly associated with daily security violation incidents. We further explore whether and how individual differences and situational characteristics of the WFH environment moderate these stressors’ relationships with daily security violations. Our findings are significant to researchers’ understanding of the daily ebb and flow of employees’ security violations and to practitioners who must manage a scattered workforce during times of mass hardship.

Employees’ Security-Related Behaviors

Due to their negative influence on organizational security initiatives, employees’ security-related actions have received a significant degree of attention in the information systems literature. Initial efforts explored the concept of internal computer abuse and the factors surrounding such detrimental behavior (Harrington, 1996; Straub, 1990; Straub & Nance, 1990; Straub & Welke, 1998). Since then, efforts to understand and explain computer abuse have continued (Kim et al., 2016; Willison & Lowry, 2018; Willison et al., 2018), and the literature has expanded its investigations to include non-malicious security violations (Guo, 2013; Guo et al., 2011) and information security policy (non)compliance (Barlow et al., 2018; Cram et al., 2019; Vance et al., 2012), among others.

In general, employees’ detrimental security-related behaviors fall under one of three broad categories according to their intentionality and motives (Willison & Warkentin, 2013). First, employees can expose their organizations to greater security risk through unintentional actions (e.g., human error, accidents, oversights). These behaviors are termed passive, non-volitional noncompliance. Second, employees can be a detriment by knowingly going against accepted organizational standards, protocols, policies, etc. without having an intent to do harm (i.e., volitional but not malicious noncompliance). Finally, when employees choose to perform behaviors that are meant to cause harm, they have engaged in intentional and malicious computer abuse (Willison & Warkentin, 2013).

For this research, we focus on overall security violations. This phenomenon captures intentional acts but leaves the door open to both non-malicious and malicious motives for going against organizational security protocol. While both actions expose organizations to increased harm and risk, many of their behavioral manifestations are the same, whether they be using a co-worker’s login credentials, accessing sensitive documents that the employee does not have authorization to view, or failing to log off a workstation when leaving the work area, among a plethora of others. Rather than limit our research to one ‘flavor’ of motives for security violations, we desired to be more expansive and focus on the overall phenomenon of security violations generally, as have others (Hu et al., 2015). Such an approach should be familiar to readers in the organizational sciences given that the analogous, but broader construct of counterproductive work behaviors (CWBs) focuses on intentional acts with the potential to harm but recognizes that these acts might be motivated by a variety of aims (Sackett, 2002; Shoss et al., 2016). Indeed, the CWB literature typically organizes workplace misdeeds not by motivation, but instead by the specific behavior (Spector et al., 2006). Common categories of CWB include theft, withdrawal, production deviance, sabotage, and abuse of others (Spector et al., 2006). While security violations fit within the construct of CWB because such acts may be harmful to the organization and have some commonalities with both production deviance and sabotage dimensions, these behaviors also seem to be qualitatively different from existing conceptualizations of CWB. For example, in a scale development project aimed to assess CWB among teleworkers, no items directly asked about cybersecurity violations (Holland et al., 2016). Thus, it remains unclear how much of the CWB literature can apply to cybersecurity violations (Dalal et al., 2022).

We argue that security violations are worthy of independent study for at least three reasons. First, research demonstrates how technology and associated policies can create new avenues for employee stress. For example, the number of interruptions employees receive due to technology use is of significant concern for the overall effective utilization of organization technologies (Chen & Karahanna, 2018; Tams et al., 2020). Likewise, managers’ ability to create, update, and adopt ‘approved technology behavior’ policies—artifacts that influence employees’ work routines—in a quick, and sometimes haphazard manner, has a direct bearing on technology-related behaviors (Lowry et al., 2015). Second, because technology itself changes so rapidly, employees will likely continue to face a barrage of new devices and ways of working at an increasing pace. For individuals who experience technological anxiety or technophobia (Agogo & Hess, 2018; Khasawneh, 2018), advancements in technology likely lead to troubling work situations. Finally, the speed and ease with which an employee can create harm to an organization is significantly increased via technology. Moreover, it is likely that many violations-related behaviors can often go unnoticed by managers, as they can appear to look like “regular” employee actions as they become lost in a deluge of other logged behaviors created by many employees’ actions across numerous systems.

The extant literature on behavioral information security generally presupposes a professionally managed organizational environment wherein centralized systems are set-up, maintained, monitored, and evaluated by IT personnel. However, while this might have characterized much of organizational-related computer use in the past, this configuration is not the only one. Organizations currently debate the value of remote work and whether to allow employees to bring their own devices (e.g., BYOD) when they do use traditional facilities, all while determining which emergent security threats deserve significant attention. What is largely missing from the extant literature then is an examination of employees’ security-related behaviors at one of the boundary conditions that organizations can face—that is, an entirely remote one. Moreover, given that employees fail to comply with their organizations’ security demands for numerous reasons when in more traditional environments (Cram et al., 2019; Kuo et al., 2020; Trang & Brendel, 2019) and have been shown to engage in more misuse of their organizations’ technical resources when away from the traditional office (D'Arcy & Devaraj, 2012), it is likely that the massive, sudden shift to home-based work environments during the COVID-19 pandemic presented new constraints and stressors not normally experienced at other times. Our purpose is to explore these factors and how they relate to employees’ security behaviors to better understand the predictor space of employees’ security violations and how those violations vary daily. Accordingly, the overarching question driving this research was: How did the stressors present among WFH employees affect security violations during the COVID-19 pandemic?

The Pandemic-Related Characteristics of the Work Environment

The COVID-19 pandemic forced both organizations and employees into uncharted territory. For organizations, what (i.e., teleworking/telecommuting) has been explored and implemented as a way to attract highly skilled workers (Suomi & Pekkola, 1998), enable greater participation of disabled employees (Hesse, 1996), reduce fixed costs (Pérez et al., 2002), and achieve greater employee productivity (Shin et al., 2000) through organizational flexibility (Pérez et al., 2002) turned into the main, oftentimes the only, way for the organization to remain in operation. For employees, the hypothetical increase in autonomy, decreased work-family conflict (Gajendran & Harrison, 2007), and the ability to erase long commuting times (Pérez et al., 2002) that are frequently discussed as accompaniments to remote work were met with new demands as the pandemic shifted most everyone to home-based environments. While telework has been hailed as a way for knowledge workers to find peace and quiet away from distractions (Boell et al., 2016), the need to care for self and others along with children’s learning activities also taking place in the home proved otherwise. Managers’ perceived loss of control (Bailey & Kurland, 2002) was curtailed with significant increases in keystroke tracking, screenshotting, and facial recognition utilization (Abril & Harwell, 2021)—tactics at the root of workers’ unions’ call for additional regulations on employer surveillance initiatives (Finnegan, 2022).

Hypothesis Development

While the behavioral security research has incorporated concepts from I/O Psychology and Organizational Behavior literatures (e.g., personality, training, motivations, organizational justice and fairness, deviance, extra-role behaviors) in attempts to better understand employees’ security-related behaviors, the interconnectedness between work and home as well as the general uncertainty spotlighted by the pandemic could mean that people’s security violations are even more a function of their experiences with technology and other unexplored experiences related to their jobs and work. For this reason, we create a base model from predictors in three different stress categories that were prominent during, and frequently exacerbated by, the COVID-19 crisis: (a) three predictors situated in technology-related workflows, including daily security expectations that cause conflicting demands, and daily perceptions of privacy invasion and monitoring; (b) a predictor related to people’s roles in organizations (i.e., daily job insecurity); and (c) a two predictors related to the work and family interface during the pandemic (i.e., daily family-to-work and work-to-family conflicts). We then extend our base model by assessing the moderating impact of an individual difference (i.e., stress-related growth) and a situational consideration (i.e., digital device sharing in the home).

Conceptually, we build from arguments that organizational technology is both a resource and something that requires the investment of resources to operate securely (D'Arcy et al., 2014). This digital technology is a resource in that it enables connection to the Internet—which was needed by both WFH employees as well as their work/study-from-home family members. Computer technology, however, demands time, attention, and effort if one is to abide by cybersecurity protocols and policies (Aurigemma, 2013; Zhang et al., 2009). There is demonstrated fatigue in complying with security regulations (Cram et al., 2021), and such regulations themselves may become stressful aspects of the job. Exacerbated stressors associated with the family-to-work boundary, job insecurity, and technology workflows likely challenge cognitive resources that people may be able (or willing) to devote towards behaving in a secure manner (Burns et al., 2021; Gwebu et al., 2020; Posey et al., 2011). Moreover, they create situations in which bypassing security protocols could potentially enable workers to free up available cognitive and emotional resources, for example, by enabling the quicker completion of work tasks (Posey & Canham, 2018) or assisting a fellow team member complete an objective (Posey & Shoss, 2022). How these factors influence employees’ security violations on a day-to-day basis is the focus of this research effort.

Figure 1 displays our conceptual model and is designed to illustrate the variables that we examine on a day-to-day basis over time versus those that we incorporate as potential between-person moderators. We ultimately test our hypothesized model via multi-level modeling. We also assessed our model using a random intercept cross-lagged panel model (RI-CLPM; (Hamaker et al., 2015), which results are provided in an online supplement.

Fig. 1
figure 1

Conceptual model capturing within-person (level 1) and between-person (level 2) sources of variability in predictors of daily security violations. This figure conceptually illustrates the hypotheses tested. Absent from the figure are cross-lagged paths from the previous day’s stressors and security violations, autoregressive paths, and random-intercept between-person variance

Competing Security Demands

Despite significant organizational investment in security technology and initiatives, organizational security efforts themselves can create employee compliance issues. When an organization devises and implements security policies without fully considering how they will alter employees’ work processes, they can engender the very behaviors that were supposed to curb. From a rational choice theory perspective, this “friction” between security and productivity equates to a response cost that could outweigh any perceived benefits for following the policy, thereby leading to non-malicious noncompliance activities (Canham et al., 2020). From a cost perspective, security demands often get in the way of people getting work done—impediments to workflow (Bulgurcu et al., 2010), requirements simply too cumbersome (Balozian & Leidner, 2017). Thus, many employees orchestrate work arounds to security policies that enable them to accomplish their daily tasks though they do not intend to harm their organization (Posey & Shoss, 2022).

Further, the amount of additional work resulting from security demands is a significant stressor for modern employees (Lee et al., 2016). This security-related stress often leads to frustration and fatigue, which ultimately drive violations of information security policies (D’Arcy & Teh, 2019). This link between security-related stressors and constraints and security violations has been noted in several studies (e.g., D'Arcy et al., 2014, 2018; Guo et al., 2011; Ormond et al., 2019). Accordingly, we hypothesize:

  • Hypothesis 1. Daily competing demands due to security issues will have a positive and longitudinal relationship with daily security violations.

Organizational Monitoring and Privacy Invasion

To help promote desirable and/or decrease undesirable employee behaviors, organizations often rely on employee monitoring technologies (Douthitt & Aiello, 2001; Griffith, 1993). These employee monitoring technologies are “the systems in which electronic technologies are used to collect, store, analyze, and report the actions or performance of individuals or groups on the job” (Alge, 2001, p. 797). We note, however, that along with the positives of company resource misuse prevention and protection of intellectual property, among others (Ariss, 2002), numerous negatives and discrepancies have been.

identified as well, especially in the Industrial-Organizational Psychology literature (Martin & Freeman, 2003; White et al., 2020). For example, electronic monitoring has been associated with negative workplace attitudes and perceptions of unfairness, and its impact on employee performance seems to vary across job and work conditions (Ravid et al., 2020; White et al., 2020). Recently, Siegel et al. (2022) reported a small positive meta-analytic correlation between electronic monitoring and counterproductive work behavior, which is akin in several ways to cybersecurity violations (Dalal et al., 2022). Such a finding might reflect that monitoring builds distrust, damages the employee-employer relationship, and creates psychological reactance (Siegel et al., 2022; Yost et al., 2019).

In the information security literature, similar variation exists regarding the effect of monitoring and surveillance on technology users’ behaviors. For example, monitoring practices reduce employees’.

likelihood of introducing security threats via playing games in online social networks (Trinkle et al., 2014), improve users’ security behaviors (Yaokumah et al., 2019), and reduce instances of unauthorized modification of system data (D’Arcy & Hovav, 2009). Monitoring also plays a direct role in forming an overall organizational security culture (Chen et al., 2015; D'Arcy & Greene, 2014; Greene & D’Arcy, 2010). From a deterrence theory perspective—a criminological theory focused on deterring individuals’ criminal behaviors via perceptions of sanctions or punishments—monitoring is closely linked to sanction perceptions, especially certainty of sanction. In other words, a sanction or punishment cannot be enforced if the behavior fails to come to light. In this sense, monitoring activities are precursors to enabling sanctions, which would reduce employee misbehavior (D'Arcy et al., 2009; Herath et al., 2018).

On the other hand, research has shown how organizational monitoring practices can increase employees’ detrimental security behaviors. Specifically, Posey et al. (2011) argued that computer monitoring was an evidence for organizations’ attempts to control employees, and the resulting loss of control could be met with employees reasserting their control via computer abuse behaviors. Subsequent results supported that notion as a positive relationship between monitoring and computer abuse was discovered (Posey et al., 2011). Yet, it is important to note that the perspectives on monitoring in the IS discipline—whether positively or negatively reinforcing (mis)behaviors—are not based on the daily variation in people’s perceptions of being monitored.

Similar to monitoring, research has shown how employees’ privacy invasion perceptions, which we define as a threat perceived by employees regarding their “claim…to determine for themselves when, how, and to what extent their information is communicated to others” (Westin, 1967), can drive detrimental security actions (Willison & Lowry, 2018). Like the ‘friction’ between security and productivity mentioned in earlier, activities such as digital monitoring can arouse invasions of personal privacy, which then lead to reactive computer abuse incidents (Posey et al., 2011). Invasion of privacy is a key stressor that threatens people’s sense of control and invokes fear (Lee et al., 2016), which can lead to a state of psychological reactance wherein people engage in the exact behaviors that these privacy violations were intended to curb (Alge et al., 2010; Brehm, 1966). In the case of the pandemic, it might be the case that individuals are much more sensitive to privacy concerns in a home-based environment. As Ravid et al., (2020, p. 120) describe,

“Employees have typically been assumed to have minimal rights to privacy because they were using organizational equipment, operating within organizational space, and conducting business for organizational purposes (Kidwell & Sprague, 2009). However, as work increasingly shifts outside of the workplace, and involves personal equipment and property (e.g., home offices, personally owned phones), questions arise about where the lines of acceptable monitoring are drawn.”

The COVID-19 pandemic, particularly WFH during the pandemic, presented a unique scenario wherein electronic monitoring was taking place in the context of people’s homes. Context matters when people interpret policy and organizational signals (c.f., Johns, 2006). This type of boundary over-reach, marked by a daily (i.e., within-person) increase in perceptions of monitoring and privacy invasion, might be seen as particularly intrusive and as a violation of trust, which has been found to be associated with greater cybersecurity breaches (Lowry et al., 2015). Thus, although there is some mixed evidence in the literature, we hypothesize a positive relationship between increases in monitoring and privacy invasion and security violations:

  • Hypotheses 2 & 3.Daily perceptions of (H2) monitoring and (H3) privacy invasion will have a positive and longitudinal relationship with daily security violations.

Job Insecurity

In addition to the potential technology-rooted stressors, many employees worried about their future role within their organizations. The pandemic was accompanied by a large, uncertain, and dynamic economic impact—including worldwide shut-downs, supply chain issues, massive job losses, and employee absence due to illness. As such, it served and continues to serve as an external shock that imbued uncertainty into many organizational operations. Large proportions of the working population expressed concern over job security (Jones, 2021), defined as people’s concerns about their ability to maintain employment in their current role (Shoss, 2017). Job insecurity is a stressor that creates significant psychological distress, distracts attention from tasks at hand, and has been associated with acts of counterproductive work behavior (Roll et al., 2019; Shoss et al., 2022; Vander Elst et al., 2014a, 2014b). Moreover, when people experience proximal threats to their jobs, job insecurity may promote pressure to achieve highly visible and rewarded tasks (Shoss et al., 2022), which typically do not include adherence to cybersecurity behaviors. Thus, due to a combination of stress, reactance, and need to get things done, we anticipated a positive link between daily job insecurity and daily security violations.

  • Hypothesis 4. Daily job insecurity will have a positive and longitudinal relationship with daily security violations.

Work and Family

The work-family interface reflects the intersection between work and family roles. Our research examined both family-to-work conflict, defined as “a form of interrole conflict in which the role demands from families make it more difficult for individuals to perform work roles,” and work-to-family conflict, which captures difficulties that work demands create for fulfilling a family role (Ng & Feldman, 2012, pp. 1234–1235). Both are perceptual variables that capture how individuals perceive flows of conflict between work and family domains (Allen et al., 2015). Though previous research on telework indicates that home-based environments help employees balance conflicts between work and family (Duxbury et al., 1998), during times such as the COVID-19 pandemic, there is often little time away from others in the household. A growing number of articles documents the struggles of workers to manage work and family during the COVID-19 pandemic (e.g., Allen et al., 2021; Leroy et al., 2021; Mandeville et al., 2022; Shockley et al., 2021; Vaziri et al., 2020). For example, Rudolph et al. (2021) described how the additional caregiving/schooling responsibilities faced by parents during the lockdowns were likely to create more time and strain-based conflict because family responsibilities were intruding into what was traditionally viewed as working time. In the case of the COVID-19 pandemic, work and family domains literally collapsed into each other as workers were expected to do both work and family demands at the same time and, in many cases, with the same resources (e.g., using one’s computer for one’s work while also using it for a child’s schooling).

These findings point to added demands associated with the pandemic and suggests that family/work boundary violations detrimentally affected workers’ well-being and exhaustion and, consequently, their job performance (Leroy et al., 2021; Mandeville et al., 2022). Moreover, conflict in the work-family interface may threaten employees’ cognitive resources to follow security protocols. These boundary conflicts might perhaps even motivate employees to violate protocols to get work done and free up more time and cognitive resources to meet the competing demands of both roles. Accordingly, we anticipated that both family-to-work and work-to family conflict will be positively related to employees’ security violations.

  • Hypotheses 5 & 6. Daily family-to-work conflict (H5) and work-to-family conflict (H6) will have a positive and longitudinal relationship with security violations.

Extensions to Base Model

In a shared environment such as the home, employees often compete with others for access to finite resources, which are required to complete daily tasks. These resources can include Internet bandwidth, especially in rural areas, where the cost for broadband connections, if available, were prohibitive and a major concern during the pandemic (McClain et al., 2021). Other resources include shared physical spaces for employees and children vying for a distraction-free environment where work and learning can occur, respectively. As Denning et al., (2013) explain, the “home technology space…[is] a new problem space: (1) an extremely personal, asset-filled environment where there is (2) no dedicated, professional administrator to maintain a (3) heterogeneous collection of consumer technologies that (4) are increasingly cyber-physical and sensor-rich.”

Despite being prohibited by many organizations, the sharing of credentials and devices among employees often occurs. In fact, even managers—those who should demonstrate support for and leadership in organizational cyber efforts—are not immune to such actions (Fadilpašić, 2021). However, in the home-based environment, technology access appropriateness and ownership lines become even more blurred (Gruning & Lindley, 2016; Meng et al., 2021), and both intentional and unintentional forms of sharing occur (Jacobs et al., 2016). Prior to the pandemic, taxonomic work identified six distinct forms of device sharing that were often enabled due to the sharer’s trust in the sharee, convenience, and limited resources (Matthews et al., 2016). Individuals who use the same devices as the employee would have the potential to create unique accounts, visit websites that could lead to device malware infections, and possibly access improperly protected systems that the sharer’s organization deems critical.

In particular, our interest is in examining whether device sharing could exacerbate the relationship between daily stressors and the enactment of purposeful security violations. Through “borrowing” and “mutual use” sharing, the lack of device availability could add additional time constraints on the employee, leading to security workarounds to get work accomplished when it is due (Posey & Shoss, 2022; Woltjer, 2017). For example, children might need to borrow devices for schooling, or a spouse may need to utilize one’s Internet connection to download something for their own work (Posey & Shoss, 2022). Moreover, an employee who believes that the organization is being too personally intrusive through actions like monitoring and invasions of privacy might react even stronger if they believe those intrusions will extend to those with whom the devices are shared. In essence, device sharing may enhance negative reactions to workplace stressors leading to a disregard for security protocols while at the same time creating a situation wherein protocol violations may be necessary to accomplish work on days where the pandemic-induced stressors are particularly prevalent and threaten the accomplishment of work. Accordingly, we argue that digital device sharing in the WFH environment has the possibility to strengthen the daily relationships between the stressors described above and security violations:

  • Hypothesis 7. Digital device sharing will moderate (i.e., strengthen) the longitudinal relationship between daily stressors and daily security violations.

Stress-Related Growth

Thus far, we have viewed the pandemic as creating demands (family-to-work/work-to-family interruptions, job insecurity, technology-related workflow challenges, privacy invasions) that drain employees’ cognitive resources and provoke reactance and a lowered willingness to comply with regulations. However, we recognize that not everyone might view the pandemic through this light. Large-scale surveys have revealed that some viewed the pandemic as an opportunity for growth, developing out of this stressful experience a sense of positive beliefs about the world and connection with others (Vazquez et al., 2021). Doing so would enhance a person’s personal resource capabilities to function in light of day-to-day fluctuations in work stressors. As the final extension to our base model, we hypothesize that the relationships between the daily stressors and cybersecurity violations might be tempered among individuals who report higher stress-related growth.

Stress-related growth reflects the ways in which people cope in a positive manner with stressful events, allowing them to not only reframe the events but also to achieve long-term benefits including a sense of wisdom, master, and perspective (Aldwin & Levenson, 2004; Aldwin et al., 1996). Cognitive coping mechanisms are implicated in the process of attaining stress-related growth, particularly problem-focused coping, support, and mindfulness (Ord et al., 2020). Although a link between stress-related growth and security violations is tentative, one might expect that those individuals who saw the pandemic as contributing to personal growth might be able to restrict the draining impact of stressors and approach computer tasks from a more mindful perspective of the risks involved.

  • Hypothesis 8. Stress-related growth will moderate (i.e., weaken) the longitudinal relationship between daily stressors and daily security violations.

Methods

Participants and Procedures

We hired professional panel provider ROI Rocket to assist with our data collection. Like other online panel providers, ROI Rocket provides access to verified participants for both academic and commercial research efforts and engaged in almost 3000 major research projects in 2021. Previous research utilizing this panel provider can be found in the psychology (Liu et al., 2020; Locklear et al., 2021; Rubenstein et al., 2022; Stollberger et al., 2021) and management (Derfler-Rozin & Pitesa, 2020; Dorison & Minson, 2022; Soll et al., 2022) literatures, among others. Further, use of online panels for time-lagged and other longitudinal designs can also be found in the academic literature (D’Arcy & Teh, 2019; D'Arcy & Lowry, 2019; Fehr et al., 2020; Takeuchi et al., 2021).

Given the sensitivity of the ultimate phenomenon of interest (i.e., employees’ security violations), it was imperative that the research team offered respondents complete anonymity to limit socially desirable responses, and this was possible through the panel provider. All respondents were working professionals who were employed full time and who worked from home due to the COVID-19 pandemic. Respondents received $40 for their participation if they completed the initial survey at time 0 and at least eight daily surveys. We chose eight daily surveys as the cut-off point as it represents the median number of daily survey responses in similar, two-week longitudinal designs (D'Arcy & Lowry, 2019).

To help determine any biases this decision might have introduced in our study, we assessed the percentage of respondents who completed n daily surveys. Most of the respondents (i.e., 72%) completed at least eight daily surveys with 31% completing all ten. A simple means comparison for substantive variables across respondent groups who completed three, five, and eight daily surveys indicated no meaningful differences. Therefore, we were satisfied that our cut-off decision did not harm our analyses while providing an ample window within which we would be able to capture intraindividual variability. Interested readers may contact the first author for more complete information about this analysis.

We issued a total of 11 surveys—one initial survey at time 0 (the week prior to the daily surveys) and 10 daily surveys Monday through Friday for the next 2 weeks. The data were collected in early-to-mid November 2020. In total, 333 working professionals completed the initial survey and at least eight out of ten of the daily surveys without failing embedded attention checks. Our sample exhibited the following characteristics: 61.4% were 40 years or older, 53.4% were female, 58.2% held managerial positions, 26.1% were in IS/IT careers, 75.5% held at least a 4-year college degree, and were employed in numerous industries including finance and insurance, public administration, utilities, healthcare, construction, educational services, information, real estate, manufacturing, among others. Respondents indicated that they worked from home an average of 94.0% of the time during the pandemic and only 31.0% of the time before the pandemic.

Measures

All our substantive variables were captured daily using a 7-point Likert scale unless otherwise noted. To limit respondent fatigue during completion of the daily surveys, we used a small subset of the highest-loading items from each of the constructs’ measurement instruments (Fisher & To, 2012).

Digital device sharing was measured at time 0 on a 5-point frequency scale (Never–Always) with the item “Regarding the digital devices used to complete work-related tasks, with what frequency do other individuals in your home also use those digital devices? (These other individuals include children and refer to those who are not also employed by your organization).”

Stress-related growth was also measured at time 0 with the 15 item Stress-Related Growth Scale-Revised (SRGS_R) (Boals & Schuler, 2018). Participants were instructed to indicate how much change they experienced, if any change at all, as a result of the COVID-19 pandemic on a scale ranging from “A very negative change (1)” to “A very positive change (7).” Boals & Schuler, (2018) found that including both negative and positive impacts reduced response patterns that might indicate illusory growth. An example item reads “I experienced a change in the extent to which I work through problems and not just give up” (α = 0.95).

Daily Family-to-Work and Work-to-Family Conflict. We used the items from the family-to-work and work-to-family conflict instruments (Frone et al., 1992) in our daily surveys. The items for family-to-work conflict were “Today, my homelife interfered with my responsibilities at work, such as starting work on time, accomplishing daily tasks, or working overtime” and “Today, my homelife kept me from spending the amount of time I would like to have spent on my job or career-related activities.” The items for work-to-family conflict were “Today, my job or career kept me from spending the amount of time I would like to have spent with my family” and “Today, my job or career interfered with my responsibilities at home, such as yard work, cooking, cleaning, repairs, shopping, paying bills, or child care.” The alphas were 0.91 and 0.89 for family-to-work and work-to-family conflicts, respectively.

Daily Job Insecurity

Job insecurity was assessed using the top two highest-loading items from the four-item Job Insecurity Scale (Vander Elst et al., 2014a). The items were: “Chances are, I will soon lose my job” and “I think I might lose my job in the future” (α = 0.93).

Daily Competing Demands Due to Security

To measure competing demands due to security, we created two items based on the research of Gwebu et al., (2020): “Today, following my organization’s information security requirements required me to handle conflicting work demands” and “Today, following my organization’s information security requirements meant dealing with competing work demands” (α = 0.84).

Daily Privacy Invasion Perceptions and Computer Monitoring

Privacy invasion perceptions were measured by two items adapted from the five-item measure in Posey et al., (2011): “Today, the way that my organization monitored me made me feel uneasy” and “Today, I felt personally invaded by the methods used by my organization to monitor me.” We additionally included two of the four items designed to assess perceptions of computer monitoring: “Today, I was constantly being checked by my organization for computer-rule violations,” “Today, I felt that I was constantly being watched by my organization to see that I obeyed all computer rules pertaining to my job.” These two measures were so closely correlated (r = 0.81), which makes sense given our reasoning above that monitoring in the home environment might be considered a privacy invasion, that we combined them into the 4-item scale capturing perceptions of privacy and monitoring (α = 0.92).

Daily security violations”” were operationalized via three adapted items from Posey et al., (2011) 10-item measure for internal computer abuse. These items were chosen as they were among the highest loading items in the instrument, and they closely aligned with the definition of security violations (i.e., intention is known but the motive is not). These items included “Today, I covered up mistakes in the computer system,” “Today, I intentionally made errors in the computer system,” and “Today, I accessed files or viewed data in the computer system without being given authorization to do so” (α = 0.76).

Control Variables

In addition to various demographics, we collected data for other controls that might be related to our substantive constructs as indicated in our hypotheses. While the mass transition to WFH environments was instigated by the pandemic, some employees might have preferred to work from their home, thereby not causing as much change-induced stress on those employees versus others who preferred their traditional office. To account for this possibility, we controlled for WFH preference and measured it with the following item: “I prefer to work from home over the traditional work environment” (X̅ = 5.43, σ = 1.68) at time 0. Likewise, some individuals might engage in different behaviors depending on their perceptions of how secure their WFH environment is. Accordingly, we assessed this perception with the item “Working from my home environment is more cyber secure than working from my traditional, organizational environment” (X̅ = 4.13, σ = 1.60) at time 0. Both items were captured on a 7-point Likert scale. Relatedly, we controlled for the degree to which participants worked from home prior to and during the pandemic.

Because previous research has found significant relationships between employees’ security attitude and the presence of security education, training, and awareness (SETA) programs with security-related behaviors (e.g., Burns et al., 2018; Cram et al., 2019), we included these two constructs as additional controls. To account for employees’ daily perceptions of organizational security overall and to what extent their organizations instructed them on the importance of security efforts, we collected data on these two controls by relying on Bulgurcu et al., (2010) attitude toward security policy compliance four-item measure (sample items: “Following my organization’s information security requirements is important” and “Following my organization’s information security requirements is necessary”) and D’Arcy & Hovav, (2007) 5-item SETA measure (sample item: “My organization provides training to help employees improve their awareness of computer and information security issues”), respectively. The alpha for attitude toward security was 0.84, and the alpha for SETA was 0.91. Like researchers examining how age and/or gender relate to other negative behaviors such as CWBs (Ng et al., 2016; Welbourne & Sariol, 2017) and crime (Sampson & Laub, 1992; Tittle et al., 2003), we controlled for participants’ age and sex (female = 1, male = 2). We also controlled for managerial status, whether participants work in an IT or IS career, and perceived computer skill. Additionally, we controlled for who owned the digital devices on which work was completed in the WFH environment by creating dummy variables. We coded employee-owned devices as our referent category with organization-owned and ownership mixture (i.e., some employee owned and others organization owned) as categories 2 and 3, respectively. Finally, given that an employee’s security violation behavior on day d could be related to their behavior on the previous day (d-1), we controlled for this possibility by including a one-workday lagged violation variable.

Analytical Strategy

Multi-level modeling analysis was performed in Stata/SE Version 17.0 and followed the recommendations of Bolger & Laurenceau, (2013).Footnote 1 This involved creating separate within-person (i.e., person-centered) and between-person variables for the measures assessed daily to obtain unconfounded estimates of daily change in the variables of interest. We present the control-only model first, the base model with controls second, and then the extended models with our moderators last. Our within-person variables were modeled with random slopes, estimating an independent co-variance matrix of random effect parameters and autocorrelation, as well as fixed estimates.

Results

Bolger & Laurenceau, (2013) suggest that researchers visually explore the variability of the phenomenon of interest. If little variation exists within persons over time, then it makes little sense to perform a longitudinal analysis. Therefore, we first produced Fig. 2, which demonstrates that fluctuations in employees’ security violation behaviors occur over time in a random sample of our participants. We also created random panel plots (available as an online supplemental file) to help display any trends between our suggested stressors and security violations. From these panel plots, we determined, at least for some participants, that the plots of daily stressors moved in a similar direction to the plots of daily security violations. Accordingly, we continued with a formal longitudinal assessment.

Fig. 2
figure 2

Spaghetti plot of daily security violations. This figure illustrates day-to-day variation in security violations for a randomly selected 20% of the participants

Descriptive statistics and correlations are displayed in Table 1, and Table 2 shows the amounts of between- and within-person variance for our daily variables. Because of the high correlation between perceived privacy invasion and computer monitoring (r = 0.81), we combined the two measures into one. From the controls-only model (see Table 3), age (b =  − 0.114, se = 0.024, p < 0.001), sex (b = 0.125, se = 0.062, p = 0.044), and day (− 0.043, se = 0.022, p = 0.050) were significant at the 0.05 level of significance, indicating that males were more likely than females to engage in daily security violations, and younger employees were more likely than older employees to report committing violations. Security attitude (b = -0.055, se = 0.031, p = 0.080) and the percentage of time that the employee worked from home during the pandemic (b =  − 0.004, se = 0.002, p = 0.087) exhibited marginal significance (i.e., p = 0.10). We chose to keep these controls and remove all others for our remaining analyses.

Table 1 Descriptive statistics and variable intercorrelations
Table 2 Percentage of within-person and between-person variance observed in each daily variable
Table 3 Results from fixed-effects model with controls only explaining daily security violations

From our base model, we examined the influence of both the between (b) and within (w) components for each of our predictors on our dependent variable (Table 4). However, because our hypotheses are based on how daily factors influence daily security violations, our efforts are focused on the within components of our predictors. Two of our five hypotheses were significant at the 0.05 level of significance. Specifically, competing demands related to security (w) (b = 0.051, se = 0.016, p = 0.002; H1 supported) was positively associated with daily security violations, and family-to-work conflict (w) (b = 0.033, se = 0.016, p = 0.041; H5 supported) also exhibited a positive relationship with daily violations. The hypothesized relationship between privacy invasion/monitoring perceptions (w) (b = 0.064, se = 0.037, p = 0.087; H2/H3) and daily security violations was partially supported at p < 0.10. Job insecurity (w) (b = 0.028, se = 0.038, p = 0.453; H4 not supported) and work-to-family conflict (w) (b = 0.006, se = 0.015, p = 0.667; H5 not supported) failed to reach statistical significance. We also see that the random slopes identifies significant between-person variation across the coefficients for all our independent variables except for our two conflict variables, though family-to-work conflict exhibited a p-value of 0.105, close to marginal significance. Additionally, as shown in Table 4, there were significant between-person relationships between competing demands (b = 0.130, se = 0.027, p < 0.001), privacy invasion/monitoring (b = 0.172, se = 0.035, p < 0.001), family-to-work conflict (b = 0.063, se = 0.028, p = 0.024), and work-to-family conflict (b =  − 0.087, se = 0.028, p = 0.002) and security violations.

Table 4 Results from base model explaining daily security violations

From our two extensions, we see that one of our moderators influences one of the relationships between our hypothesized independent variables at the within level and daily security violations. Digital device sharing significantly moderated the relationship between privacy invasion/monitoring perceptions (w) (b =  − 0.077, se = 0.033, p = 0.019) and security violations at the 0.05 level of significance (see Table 5). Figure 3 graphically depicts this interaction. Table 6 shows that stress-related growth was close to but failed to reach statistical significance in assessing its moderating influence on the relationship between family-to-work conflict (w) and security violations (b =  − 0.028, se = 0.017, p = 0.103).

Table 5 Results from base model with digital device sharing moderator explaining daily security violations
Fig. 3
figure 3

Simple slopes interaction plot

Table 6 Results from base model with stress-related growth moderator explaining daily security violations

Discussion

The current research offers one of the few longitudinal studies in behavioral information security research. In doing so, we sought to expand the predictor space of security violations to understand the types of factors that contribute to employees’ variation in detrimental security behaviors daily. Across over 3000 datapoints, our findings suggest several important dynamics. In particular, our findings relate daily security violations to immediate competing demands created by security as well as to privacy/monitoring concerns. We also discovered an important relationship between family-to-work conflict and security violations. That significant predictors of daily violations emerged from different stressor categories—work-family interface and tech-enabled workflows—suggests that many aspects are important in understanding the role that employees have in their organizations’ security initiatives. Moreover, it demonstrates the importance of the integration of multiple disciplines to understand organizational phenomena more fully.

The haphazard handling of COVID-19 was widespread, as only 12% of organizations were estimated to have been very prepared to handle its associated difficulties (Gartner, 2020). However, the way that organizational policies and practices are enacted is a key factor in the success of telework (Golden, 2009). We found that perceptions of computer monitoring could not be disentangled from privacy invasion perceptions (r = 0.81), and the combined construct was strongly associated with violations among participants. It might be that employees view cybersecurity protocols in a WFH environment differently than protocols in a more traditional business environment. In the home environment and/or in crisis situations, cyber protocols might be seen as particularly intrusive and unjust. Such a finding supports a reactance perspective on cyber violations (Lowry et al., 2015; Posey et al., 2011). Interestingly, these findings also align with research on counterproductive behaviors, which has found mixed results for monitoring and deterrence (e.g., Fine et al., 2010; Jensen et al., 2010). Thus, given the loss of control that comes with privacy invasions and monitoring, employees might intentionally choose to go around security protocols as a result.

Our findings also are among the first to provide quantitative evidence that competing demands due to security initiatives are an important predictor of daily security violations. Kerr, (1975) long warned that tradeoffs in organizations—in this case, productivity versus security—would be resolved in favor of the behaviors that get rewarded. Particularly in a WFH environment where employees had to adapt their tasks and manage changing organizational and performance priorities, accomplishing work seems to have won out.

To further explore technology’s influence on security violations, we found that digital device sharing in the household—itself exhibiting a positive, direct relationship with security violations—unexpectedly seems to have reduced the chances of subsequent violations for those reporting higher privacy and monitoring concerns. At the same time, we failed to find support for WFH employees that exhibit higher levels of stress-related growth being less likely to violate policies when experiencing stressors than individuals having low levels of stress-related growth. While we believe additional research is needed to examine how stress-related growth and other related individual-level differences might enable employees to better cope with stressors and avoid more negative responses as a consequence, we believe the finding that digital device sharing in the household resulted in fewer daily security violations due to privacy and monitoring perceptions is rather intriguing. It is possible that WFH employees who believe that their organizations monitor their actions to such a degree to warrant breaches of privacy are cognizant of potentially exposing other individuals in their household (e.g., roommates, parents, children) to such invasions. And, rather than reacting in a deviant manner that could bring additional oversight to themselves and the other users of the technology, WFH employees who share devices with others are less reactionary to the already-present monitoring levels. In a sense, these individuals might have engaged in additional levels of violations resulting from the privacy concerns but felt the need to pull themselves back because of their need to protect the privacy of others.

A surprising result was that positive deviations in FTW conflict were positively associated with subsequent deviations in security violations yet WTF conflict failed to exhibit a meaningful relationship with daily violations. This finding underscores the importance of directionality in conflict that arises in the work-family interface as it relates to security violations. Further, we believe it is in line with our conceptual rationale that following cybersecurity protocols requires resources (e.g., time, attention) that may be threatened by employees’ daily demands. In the case of the WFH environments during the pandemic, it appears that family duties that interfered with work tasks (rather than the other way around), was an essential contributor to daily security violations. These effects deserve future research exploration especially in more traditional work environments to see if such directionality holds. We suspect that these effects also point to potential under-studied business ramifications of a loss of institutional support for family that occurred during the pandemic. Given continued disruption in the childcare industry (Miller et al., 2023), businesses should be aware of how FTW conflict can present cybersecurity risks.

Though not part of our core model, several significant relationships between our controls and security violations emerged. Younger WFH employees engaged in more daily security violations than older ones, and males reported engaging in more violation behaviors than females. We also found that the amount of time an employee worked from home during the pandemic was positively associated with violation frequency and that employees’ positive attitudes towards security initiatives resulted in lower levels of daily violations. As one might anticipate, one’s security violations were very strongly linked to the violation behaviors of the previous day (i.e., lagged violations), thereby indicating that violations could very well be a multi-day occurrence or become a habit over time.

From a theoretical perspective, we argued that whereas computer technology is a resource for helping individuals achieve work demands, it frequently requires the investment of time and energy to operate securely. Our findings provide support for this idea and suggest that purposeful (whether malicious or not) security violations can be thought of as occurring in the complex intersection between organizational behavior and security. These findings indicate that information security research would benefit from considering other elements of the psychosocial and physical work environment in theories of security violations. At the same time, research on workplace stressors and organizational behavior would benefit from including security violations as an outcome of interest as they represent an important facet of CWBs in the age of ever-increasing technological capabilities and expectations among modern employees. As such, we echo the call from Dalal et al., (2022) to better understand the overlaps and distinctiveness between security violations and other organizational misdeeds, particularly in terms of employee motives and daily triggers. Moreover, research on both types of harmful behaviors might benefit from a closer examination of the temporal dynamics and rhythms of security violations and daily workplace stressors (see, e.g., Pindek et al., 2021).

Finally, although events surrounding the COVID-19 pandemic framed our data collection, we believe that we can generalize our findings to other forms of disasters, epidemics, catastrophes, etc., where a significant number of workers are pushed into ad-hoc, temporary offices. Such extreme events and contexts are forecasted to emerge with increasing frequency in the future (Hällgren et al., 2018). Therefore, there is a need for research to learn from these crises events to develop more effective solutions for the future.

Practical Implications

Our findings also have practical implications for I/O Psychology and information technology (IT) security practitioners because they speak to the connection between work stressors and cybersecurity. Concerns regarding competing demands imposed by information security procedures might emerge from employee satisfaction surveys, focus groups related to security education, training, and awareness programs, or other work with organizations. Recognizing the connection to security violations might help with the “business case” for addressing work stress.

In addition, should managers desire to use enhanced employee-monitoring capabilities, we wish to remind them that we discovered considerable similarities between monitoring and privacy invasion in our context. In other words, WFH employees in our sample were not able to separate the monitoring practices of their organizations from perceptions of privacy invasion. Because many supervisors were faced with managing their subordinates in an unexpected and completely remote fashion due to the pandemic, they likely felt the need to employ numerous surveillance techniques to ensure that employees were being productive. Unfortunately, because the respondents’ work environments were their homes, employees could have been increasingly sensitized to organizational monitoring activities, even if those techniques were used in the traditional work environment before the pandemic. We strongly encourage practitioners to assess the need for monitoring, and when those techniques are employed, provide meaningful feedback to reduce negative employee reactions (Alder & Ambrose, 2005; Chalykoff & Kochan, 1989). Moreover, we believe our findings further show that organizations must consider that increases in security are often met with negative trade-offs in other areas (e.g., employee retention, productivity).

Limitations and Future Research Directions

Despite the resulting contributions, there are a few limitations to our work. First, due to our focus on overall security violations, we are not able to infer the malicious or non-malicious nature of employees’ security actions. From a risk perspective, both sets of actions can put organizations in harm’s way; however, we note that they likely differ in some of their antecedents (Balozian & Leidner, 2017; Willison & Lowry, 2018). Accordingly, future research should compare these facets in more detail as they exist on a daily basis. Additionally, although our study occurred when employees were forced to work from home due to the COVID-19 pandemic, the workplace context is likely to change as hybrid schedules become more commonplace as opposed to purely traditional or purely remote situations. Thus, our findings might be viewed as the boundary conditions of stressors and conflicts on employees’ security violations in purely remote circumstances during times of calamity, epidemics, and other widespread hardship.

Another limitation is that we did not assess exactly which monitoring procedures and techniques were implemented by our respondents’ organizations to result in such a high shared variance with perceived privacy invasions. We also do not know whether these monitoring procedures existed in the organization prior to the pandemic and were simply shifted into the WFH environment or whether these monitoring techniques were completely new for the employees. A wide spectrum of computer monitoring has long been around (George, 1996), and with the increase in technological capabilities, employee monitoring has grown to include keystroke, mouse-tracking, and website-traffic analyses (Pearce, 2009) along with physical movement tracking, email monitoring, and even surveillance via employee webcams (Finnegan, 2022). It will be interesting to see which monitoring procedures evoke the most reactance, and whether those levels are the same in the traditional office versus WFH environments. Moreover, for employees who share their homes with others, especially children, gauging reactions by employees to overreaching organizational monitoring when devices are shared and the protection of others’ privacy arises will prove to be an intriguing effort.

Despite the strengths of our design (i.e., 10 day, large sample), our research is subject to the limitations associated with self-report data including potential social desirability and memory bias. Several aspects of our design, however, may assuage some of these concerns. In particular, our sample was anonymous, and data was collected on a daily basis. Despite our ability to demonstrate acceptable Cronbach’s alphas for our multi-item survey instruments, our choice to use two or three items per substantive construct in our daily surveys could have limited our ability to capture the entire concept space of those variables. Although recent research suggests that many constructs can be captured with few (even a single) number of items (Matthews et al., 2022), we suggest that researchers explore whether more extensive survey data collections are warranted. Additionally, although studies have supported the use of self-report data for psychosocial stressors (e.g., Conway & Lance, 2010), and research suggests there might be limited cause for concern about common method bias in IS research (Malhotra et al., 2006), a self-report measure of security violations serves as a limitation. The use of this measure means that we are only able to capture the security violations of which people are aware. If possible, future research might repeat this study with electronic behavioral indicators to alleviate the concerns listed here, keeping in mind however our findings that that monitoring might enhance violations.

Conclusion

We engaged in this research to help answer the following question: How did the various stressors present among WFH employees result in security violation behaviors during the COVID-19 pandemic? The global pandemic forced organizations and employees to deal with many unexpected issues. As organizations largely relied on employees working from home-based environments to remain in operation, new stressors surrounded workers—many who never worked remotely before March 2020. We have demonstrated how, during times of widespread uncertainty, a variety of stressors can influence employees’ security-related behaviors. As organizations attempt to establish pre-pandemic work environments by encouraging or even requiring employees to return to their traditional office spaces (Abril, 2022; Tabahriti, 2022), our research provides guidance for items of significance to consider and monitor during the next external event that forces mass displacement of employees to temporary, remote workspaces.