Keeping secure to the end: a long-term perspective to understand employees’ consequence-delayed information security violation

Employees’ violation of information security policies is a major threat to an organisation. Some violations such as using an easy-to-guess password or storing confidential data on personal unencrypted flash drives usually do not cause immediate harm; instead, these actions create security flaws that can be attacked in the future and cause delayed consequences. We call such behaviour consequence-delayed information security violation (CDISV). The ignorance or denial of the possible delayed consequences is the main reason employees engage in such insecure behaviour. Due to the delay between the action and the consequence, a long-term mindset could play an important role in employees’ current decision-making. Specifically, in this study, we propose that long-term orientation is an influential factor in decreasing CDISV. The long-term orientation includes three dimensions: continuity, futurity, and perseverance. In addition, based on the stewardship theory and the needs theory, we further propose that value identification and the fulfilment of higher-order needs (trusted relationship and growth) are important drivers for employees to have a long-term orientation. We collected survey data using the 170 responses we received from a global company’s employees. The empirical results support our arguments. Our findings provide implications to organisations to encourage employees’ information security behaviours.