1. Introduction
Smart work environment has been brought through the popularization of developed electronic devices such as smart phones or tablets and the high-speed internet (Abiodun et al., 2023). Various organizations endeavor to adopt remote work, shared offices, etc (Lee & Seol, 2021). In particular, BYOD practice was inevitable in workplaces since maintaining the operations by connecting with employees remotely in social distancing situations has been emphasized during the COVID-19 pandemic (Lee et al., 2022; Seo et al., 2022). As time passes, an influx of young and new workers who have grown up with developed technologies and demand to use what they utilize in their daily lives also tend to increase progressively (Jarrahi et al., 2017).
As the trend continues, BYOD was introduced as a revolutionary work system which encourages employees to shift away from the traditional use of shared devices, with the goal of streamlining work processes and fostering corporate innovation. This system involves individuals bringing and using personal smart devices at work or in learning environments (Palanisamy et al., 2022; Singh, 2012). With the growth of smart work practices, the BYOD industry gained significant traction, estimating a $367 billion market size by 2022 compared to $30 billion in 2014 (Bullock, 2019).
The advantages of BYOD can be listed as follows. On the individual level, the use of personal devices enables employees to overcome time limitations and manage their schedules more flexibly. Employees can reduce spatial and temporal constraints by engaging in practices like remote work and flexible seating arrangements (Eslahi et al., 2014). On the organizational side, BYOD allows companies to save on the costs and time involved in purchasing and managing devices, ultimately contributing to the goal of improving productivity (Eslahi et al., 2014).
However, BYOD also presents security risks, such as data breaches, since personal devices have direct access to corporate networks. The loss or theft of these devices can lead to the exposure of sensitive company data and personal information, which could negatively impact organizational efficiency (Lee Jr et al., 2017). To mitigate such risks, previous BYOD studies have primarily focused on enhancing security technologies to support the secure implementation of BYOD while minimizing corporate security threats (Cho & Ip, 2018). However, prior research has increasingly indicated that most security issues stem from employee behavior. For instance, Pahnila et al. (2007) highlighted the need to consider non-technical factors, such as employee motivation, alongside technical solutions, emphasizing the role of employee attitudes toward compliance with security policies. Moreover, Timms (2017) observed that while many organizations implement security policies to counter BYOD-related threats, employees often disregard these measures, with many security breaches traced back to negligent employee behavior. Consequently, several studies have argued that addressing BYOD security vulnerabilities should focus more on human factors than solely on technological advancements.
To ensure security while expanding BYOD use within companies, it is essential to raise awareness and encourage adherence to security policies among employees (Caballero, 2017). There remains a necessity to understand what drives employees to follow BYOD security policies utilizing conceptual theory reflecting social factors, since past studies have primarily used TTAT (Technology Threat Avoidance Theory) and PMT (Protection Motivation Theory) as conceptual research model to explain employee behavior without taking environmental factors into account (Crossler et al., 2014; Yim, 2021; Siponen et al., 2006). In addition, there is little quantitative research analyzing the direct impact of organizational support on employees' BYOD security policy compliance intention. Therefore, it is necessary to study employees’ security policy compliance intention considering the surrounding environment since BYOD is a system which is utilized within working environments and all employees are required to follow the policies established by the organization.
This study seeks to examine the factors that influence employees' intention to comply with BYOD security policies in companies that have adopted BYOD. The analysis will be based on Social Cognitive Theory from the organizational perspective and propose managerial strategies to improve employees’ security policy compliance. The findings of this study could inform the development of information security strategies that promote policy compliance among employees in organizations that have already adopted or are planning to adopt BYOD.
2. Conceptual background and Literature Review
2.1 BYOD Security Policy Compliance Research
As organizations transition towards fostering a smart work culture, many companies have adopted BYOD as a strategic approach. This change has sparked a wide range of research on BYOD from multiple viewpoints. Specifically, some studies have focused on exploring user behavioral intentions concerning adherence to BYOD security policies. These studies span various education or work settings, including corporate businesses and public institutions.
For example, Crossler et al. (2014) investigated the factors that shape students' and employees' intentions to comply with BYOD policies using PMT. They found that self-efficacy and response efficacy were key determinants of users' intentions to adhere to security guidelines. Putri and Hovav (2014) analyzed employees’ intention to comply with BYOD security policy with a research model incorporating reactance, protection motivation and organizational justice theories. They argued that perceived response efficacy and justice have a positive impact on employees’ intention, perceived freedom threat negatively affects employees’ intentions to comply with security policy, and suggested the importance of organizational support team. In the public sector, Palanisamy et al. (2024) examined the influence of perceived mandatoriness, self-efficacy, and psychological ownership on employees' compliance intentions in public institutions, employing a model that integrated OCT, Security Culture, and SCT.
Although research on user behavior regarding BYOD security compliance has been extensive, there are very few studies that have analyzed employees' BYOD security policy compliance intentions from social factors. Since BYOD is a practice used in organizations, it is necessary to consider that the BYOD security policy compliance behavior of employees is influenced by their surroundings. Thus it can play a critical role to improve employees’ security practices.
2.2 Social Cognitive Theory (SCT)
To highlight how human behavior and cognitive processes are shaped by the interplay between personal attributes, the environment, and actions, Bandura (1986) proposed Social Cognitive Theory (SCT). SCT suggests that learning takes place through actions and thoughts, which are influenced by environmental and situational factors, emphasizing the critical role of motivation and expected performance in encouraging positive behavior. Consequently, SCT has become a foundational theory in various fields studying behavioral factors within organizations.
For example, Borah et al. (2024) examined the factors influencing recommended COVID-19 health behaviors within the framework of SCT. They argued that self-efficacy played a major role in shaping these health behaviors, while outcome expectancies also significantly influenced adherence to COVID-19 guidelines. Similarly, Al-Dokhny et al. (2021) conducted an empirical study on students' intentions to use remote education platforms by integrating the Technology Acceptance Model (TAM) with SCT. Their findings demonstrated that self-efficacy had a strong influence on perceived usefulness and practicality, both of which affected the students' intentions to use the platforms. Furthermore, Boateng et al. (2016) explored the factors that affect users’ internet banking adoption intention by applying a research model grounded in SCT. They found that social features of websites which enable customers to communicate with other user, trust from using internet banking platform, compatibility with lifestyle significantly impacts customers' intentions for internet banking adoption.
Regarding Social Cognitive Theory that the social environment plays a crucial role in shaping individual behavior, there is an increasing demand for research with SCT analyzing employees’ behavior considering the surrounding environment. Therefore, this study seeks to analyze the factors that influence employees' intentions to comply with BYOD security policies by Social Cognitive Theory which explores behavior as influenced by the surrounding environment, and empirically identify the direct effect between instrumental support and security policy compliance intention.
3. Methodology
3.1 Research Model
This study aims to identify the social cognitive factors influencing employees' intentions to comply with BYOD security policies based on SCT. Accordingly, we constructed the following research model which is developed from SCT grounded in relevant past studies Figure 1.
3.2 Research Hypothesis
As outlined by Social Cognitive Theory (SCT), individuals engage in reciprocal interactions with others to acquire new knowledge and behaviors by observing their environment. Specifically, people who are influenced by external factors such as social pressure or encouragement by others which can be defined as the degree of persuasion from other employees to comply with BYOD security policies tend to perceive these influences and adjust their behavior accordingly through self-efficacy and performance expectations (Compeau & Higgins, 1995). Furthermore, Keyvani & Mozafari (2009) suggested that encouragement enhances an individual’s ability to boost self-esteem and resilience. Similarly, Hsu et al. (2021) found that students' awareness of faculty encouragement positively influences their self-efficacy. Based on the prior studies, we hypothesize that the encouragement from colleagues and superiors to adhere to BYOD security policies will positively affect employees' outcome expectations and self-efficacy regarding compliance with these policies.
H1-a: The encouragement by others to comply with BYOD security policies positively impacts outcome expectations in information security.
H1-b: The encouragement by others to comply with BYOD security policies positively impacts self-efficacy in information security.
Instrumental support, such as security training programs and the involvement of experts, can be defined as the extent of organizational assistance to encourage BYOD security policies compliance (Galvez et al., 2015). It is expected to help individuals recognize the benefits of their environment and achieve positive outcomes through their actions. Compeau and Higgins (1995) argued that computer users experience improvements in their abilities and self-efficacy when they perceive organizational support, such as assistance from security experts. Additionally, Galvez et al. (2015) noted that systematic support for employees reduces the risk of safety incidents within organizations. Therefore, organizational efforts to enhance compliance with BYOD security policies, through support initiatives, are likely to have a positive impact on employees’ outcome expectations and self-efficacy in organizations that have adopted BYOD.
H2-a: Instrumental support to comply with BYOD security policies positively impacts outcome expectations in information security.
H2-b: Instrumental support to comply with BYOD security policies positively impacts self-efficacy in information security.
Individuals learn new information and select behaviors by observing others (Bandura, 1986). For example, Galvez et al. (2015) argued that within management information systems, observing the security practices of others increases individual self-efficacy and performance expectations, which in turn encourages them to engage in these practices themselves. Similarly, Kwon et al. (2022) found that in sports competitions, observational learning enhances athletes’ self-efficacy their performance. Based on prior research, it is evident that information security practices by others which can be defined as observational learning from other employees complying with BYOD security policies impacts self-efficacy and performance expectations. Therefore, we hypothesize that observing others' information security practices will positively affect employees' performance expectations and self-efficacy in complying with BYOD security policies.
H3-a: Information security practices by others positively impacts outcome expectations in information security.
H3-b: Information security practices by others positively impacts self-efficacy in information security.
Self-efficacy refers to an individual's belief in their ability to successfully carry out a specific task (Ajzen, 2005). Higher levels of self-efficacy motivate individuals to participate more actively in tasks, thereby leading to enhanced performance expectations (Galvez et al., 2015). For instance, Domenech et al. (2017) demonstrated that students with greater self-efficacy have higher expectations for academic success. Similarly, in this study, it is anticipated that employees who possess high self-efficacy regarding BYOD security practices will achieve superior work performance.
H4: Self-efficacy in information security positively impacts outcome expectations in information security.
Organizational support is a kind of managerial solutions to spurring employees’ behavioral improvement. Organizations can implement instrumental aid programs, such as SETA (Security Education, Training, Awareness). It targets users in an organization to help them to be aware of appropriate information security practices. Then, employees make efforts to develop their security skills understand how to perform their work securely (Caballero, 2017). In accordance with employees’ endeavor, they will be more conscious of security behavior (Ng et al., 2009). Therefore, we hypothesize that instrumental support will positively influence employees' BYOD security policies compliance intention.
H5: Instrumental Support positively impacts the intention to comply with BYOD security policy.
Performance expectations serve as crucial predictors of whether individuals will carry out specific behaviors (Galvez et al., 2015). When people believe that their desired outcomes are attainable, they are more motivated to engage in those behaviors (Lin & Chang, 2018). As performance expectations increase, so does the intention to act, as heightened motivation often drives the behavior (Chao, 2019). Based on this, it is anticipated in this study that employees with higher performance expectations are more likely to lead to compliance with BYOD security policies.
H6: Outcome expectations in information security positively impacts the intention to comply with BYOD security policy.
As users build self-efficacy through various experiences and by overcoming obstacles, their motivation to believe in their capabilities and act increases (Liu et al., 2022). Specifically, users with high self-efficacy in security-related activities are more inclined to adopt security innovations and take proactive measures (Hameed & Arachchilage, 2021). Conversely, lower motivation often results in self-doubt and a reluctance to engage in certain behavior (Pákozdy et al., 2024). Thus, we hypothesize that self-efficacy related to following BYOD security policies will positively influence users' intentions to comply with these policies.
H7: Self-efficacy in information security positively impacts the intention to comply with BYOD security policy.
4. Results
4.1 Data Collection
To select and ensure an appropriate sample, it is necessary to confirm whether respondents are working at a company that has adopted BYOD and to minimize survey limitations, such as respondent bias. So, we specified the definition of BYOD in the questionnaire and participants were asked to answer a screening question, “Do you use your own devices for work in your work environment?” before participating in the survey. All responses were measured on a 5-point Likert scale, and survey items were developed items were developed from prior SCT studies. A pilot test was conducted with 50 participants to refine the survey process and clarify vague measurement items. Afterward, we developed the final questionnaire as shown in Table 1.
After refining the survey, 282 responses were collected from June 10 to June 17, 2024, using Amazon mTurk. After eliminating 14 insincere responses, 268 responses were analyzed in this study. Detailed demographic characteristics of the respondents are presented in Table 2.
4.2 Research Method
The research model in this study was analyzed using Partial Least Squares Structural Equation Modeling (PLS-SEM). PLS-SEM offers distinct advantages in analyzing complex research models by measuring relationships and explanatory power between variables through both measurement and path analysis (Hair et al., 2017). It is particularly beneficial for estimating parameters efficiently and evaluating structural models when working with relatively small sample sizes, as it provides higher statistical power compared to Covariance-Based SEM (CB-SEM) (Hair et al., 2019). For these reasons, this study employed SmartPLS 4.0 software to conduct the PLS-SEM-based analysis, ensuring efficient validation of the complex research model, which includes various variables and a limited sample size.
4.3 Results of Analysis
We validated the proposed structural model and hypotheses in this study by thoroughly analyzing the reliability and validity of the measurement items. For reflective measurement models, the factor loading values must exceed 0.7 to confirm the reliability of each item. Additionally, Composite Reliability (CR) and Cronbach’s alpha values should be greater than 0.7 to establish internal consistency reliability. Convergent validity is then assessed by examining the average variance extracted (AVE) values, where the AVE for each construct must surpass 0.5 (Fornell & Larcker, 1981).
As presented in Table 3, the results of the reliability analysis, internal consistency reliability, and convergent validity for each measurement item in this study meet all of the specified evaluation criteria, confirming the robustness of the measurement model.
Discriminant validity refers to the extent to which latent variables are distinct from one another. In this study, the Fornell-Larcker criterion was employed. In Table 4, the diagonal values represent the square root of the AVE, which must exceed the highest correlation between the latent variables to demonstrate discriminant validity (Fornell & Larcker, 1981). As indicated in Table 4, the discriminant validity results meet the required criteria.
As confirmed in Table 3 and Table 4, the reliability and validity of the research model have been successfully established, allowing us to proceed with testing the research hypotheses through an evaluation of the structural model. The structural model evaluation will consider multicollinearity (VIF), the coefficient of determination (R²), effect size, and the significance and relevance of the path coefficients. First, multicollinearity is assessed by examining the inner VIF values among latent variables, with values below 5 indicating no multicollinearity issues (Hair et al., 2017). As shown in Table 5, none of the variables exhibit multicollinearity.
Next, the coefficient of determination (R²) measures the explanatory power of the structural model, ranging from 0 to 1, with values closer to 1 indicating greater predictive accuracy. Generally, an R² of 0.25 is considered weak, 0.5 is moderate, and 0.75 or higher is considered strong (Hair et al., 2017). In this study, the adjusted R² values for OE, SE, and ICSP were 0.684, 0.585, and 0.546, respectively, all exceeding 0.5, which indicates a moderate explanatory power.
The results of the path analysis are presented below in Table 6. The hypotheses were tested using a bootstrapping procedure.
EO was found to have a positive effect on OE (β = 0.171, p = 0.011) and SE (β = 0.238, p = 0.003), thus supporting both H1-a and H1-b. IS also showed a positive impact on OE (β = 0.155, p = 0.029) and SE (β = 0.439, p = 0.000), which accept H2-a and H2-b. ISP positively affected OE (β = 0.255, p = 0.000) and SE (β = 0.159, p = 0.047), thus supporting H3-a and H3-b. Also, SE was found to have a substantial effect on OE (β = 0.354, p = 0.000), thereby validating H4.
In addition, IS, OE and SE were found to directly influence the ICSP (β = 0.290, p = 0.000; β = 0.241, p = 0.002; β = 0.286, p = 0.000), leading to the acceptance of H5, H6 and H7. Regarding overall results, among the factors that directly influence BYOD security policy compliance, IS showed higher impact than other variables.
Moreover, from the classification by Cohen (2013), the effect size(f²) is considered weak if it is greater than 0.02 and moderate if it exceeds 0.15.
5. Conclusion
This study aimed to explore the social cognitive factors influencing employees’ BYOD security policy compliance. The findings revealed that EO, IS and ISP significantly influence OE and SE in relation to BYOD security policy compliance. These results align with existing studies which emphasize the impacts of social cognitive factors on performance expectation and self-efficacy (Compeau & Higgins, 1995; Galvez & Guzman, 2009; Galvez et al., 2015).
Also, it was observed that SE has a positive effect on OE. This finding is consistent with the study of Galvez et al. (2015), which indicated that higher levels of self-efficacy lead to higher performance expectations. Additionally, IS, OE and SE were found to influence employees' BYOD security policy compliance intention. This aligns with previous research showing that organizational efforts such as security education and security training show a positive influence on employees’ behavior improvement (Ng et al., 2009), individuals’ outcome expectations regarding information security positively affect compliance with security rules (Galvez et al., 2015), and self-efficacy concerning security policy compliance positively influences employees' intent to follow BYOD security policies (Ifinedo, 2014; Siponen et al., 2014). Therefore, all hypotheses are verified and supported through empirical approach.
5.1 Theoretical Implication
Our study identified the factors that influence employees’ intention to comply with BYOD security policies from an organizational perspective, emphasizing the impact of the surrounding environment. However, there is a scarcity of studies utilizing Social Cognitive Theory, which takes into account encouragement, support from others, and observational learning. Previous research in this field includes Crossler et al. (2014), who analyzed employees’ BYOD policy compliance behavior through the lens of PMT, and Hovav and Putri (2016), who combined PMT, Reactance Theory, and Organizational Justice Theory (OJT) to study effective technical approaches for addressing BYOD security policy compliance. Given that BYOD is increasingly adopted within organizations alongside advancements in information security technologies, this study applied Social Cognitive Theory, which considers the influence of organizational environments on individual behavior. We believe the research model proposed in this study offers a valuable framework for analyzing user security behavior.
Secondly, to the best of our knowledge, this is the first study to directly examine the relationship between instrumental support and employees' intention to comply with BYOD security policies, while also suggesting managerial strategies for establishing effective support programs. Previous studies primarily showed that organizational support influences outcome expectations or self-efficacy, which in turn affects compliance intention (Hovav & Putri, 2016; Palanisamy et al., 2024). However, since this study empirically verified the direct influence of instrumental support on BYOD security policy compliance intentions, it can serve as a foundation for future analyses of security behavior. Moreover, it provides insights for developing organizational strategies, such as security education, training programs, and awareness initiatives that highlight the importance of organizational support.
5.2 Practical Implication
The BYOD market continues to grow due to advancements in information security technologies and shifts in work and educational environments with employees’ needs. On account of increasing interest for BYOD from the adoption of the revolutionary work environment such as hot-desking, the BYOD industry is expected to expand to a market size of $430 billion dollars by 2025 (Velzian, 2021). However, while these innovative work settings and technologies offer flexibility, they also pose significant risks to a company’s information security systems. Therefore, it is crucial for organizations to take proactive measures to address these challenges (Ponemon, 2016). To ensure the sustainable implementation and operation of BYOD, companies should consider the following managerial strategies to encourage employees to develop more positive attitudes toward information security policies.
According to the findings of our study, instrumental support emerged as the most influential social factor affecting compliance intention. Based on these results, we emphasize the importance of robust organizational efforts to foster and reinforce BYOD security policy compliance intentions. Previous research has also indicated that organizational support is a key strategy for improving the practicality of security policy compliance (Hwang et al., 2017). Companies should take into account employees' personal relevance and level of knowledge to maximize the effectiveness of support activities when designing appropriate policy compliance training programs (Alshaikh et al., 2020; Puhakainen & Siponen, 2010). Therefore, to promote BYOD security policy compliance, companies should offer differentiated support activities tailored to various employee groups, based on job position, experience, and other factors. In conclusion, organizations need to implement more dynamic and customized support initiatives, as tailored instrumental support can greatly enhance employees' self-efficacy and, consequently their intentions to comply with BYOD security policies.
Secondly, considering the study by Seneviratne & Hewakuruppuge (2023), user-generated content like case studies promotes a culture of shared expertise and knowledge among employees. Applying these findings to our research, organizations can motivate compliance by sharing success stories or failure precedents related to BYOD policy adherence or non-compliance. When employees can foresee the potential outcomes of their actions, they are more likely to follow the rules (Tai, 2006). Therefore, companies should cultivate a corporate education culture that raises awareness of the importance of security policy compliance, taking into account the varying backgrounds of employees. These insights can be pivotal in shaping organizational support strategies that enhance BYOD security policy compliance across the organization.
In light of the above, organizations can offer tailored security support programs that take into account employees' roles, departments, and specific security challenges they might encounter. Such a program could include sharing actual cases of security breaches relevant to each position or department. For instance, employees in sales roles, who frequently exchange data with external parties, could benefit from training focused on data leakage prevention and secure communication practices. Meanwhile, those in R&D might receive targeted guidance on safeguarding intellectual property. This approach promotes engagement and mutual understanding among employees, enhancing compliance by encouraging feedback on security practices. By collecting and integrating this interaction, organizations can continuously refine security policies, thereby fostering a culture of proactive security awareness and policy adherence .
5.3 Limitations and Future Research Recommendations
While this study offers valuable theoretical and managerial implications by identifying the factors influencing employees' policy compliance intentions, there are some limitations that must be addressed. We would like to suggest directions for future research to overcome these limitations.
First, although this study provides insights into the factors that influence employees' behavioral intentions, it does not investigate whether these intentions lead to actual compliance behavior. Future research should explore employees' real compliance behaviors to better understand the gap, if any, between intention and action. It could help in assessing the effectiveness of the strategies aimed at fostering compliance intentions and the scope of the research can be expanded to propose advanced managerial strategies based on the analysis of actual compliance behaviors.
Second, as BYOD has recently emerged alongside advancements in security technologies, certain users may avoid BYOD adoption due to perceived threats. To address this issue, it is essential to consider individual intentions to avoid technology. We propose that future research integrate TTAT to examine users’ intentions to avoid technological threats, which can provide a more comprehensive understanding of resistance to BYOD adoption.
Despite these limitations, our study highlights the significant influence of social environments on employees' compliance behavior with BYOD security policies. It also emphasizes the importance of strategic organizational support in encouraging policy adherence. Given these contributions, our research can serve as a strong foundation for future studies in this area.