Why employees share information security advice? Exploring the contributing factors and structural patterns of security advice sharing in the workplace

As modern organisations are dealing with a growing amount of data and strategic information systems, the need to protect these vital assets becomes paramount. An emerging topic in behavioural security field is security advice sharing, which plays a crucial role in helping organisations develop people-centric security workplaces whereby the employees' information security awareness and personal accountability for security are fostered. This research employs social network analysis methods to explore why the employees are willing to share information security advice, as well as examines the structural patterns of this sharing network. We found favourable security attitude and engagement in daily activities have positive impacts on security advice sharing, whereas perceiving too much social pressure makes the employees deliberately refuse to share security advice. We also found security advice sharing is transitive and non-reciprocal, and there are a few dominant employees who control the flow of security advice. Practical recommendations about strategies to increase security advice sharing within the workplace are discussed, and by conducting this research we demonstrate the empirical adoption of social network analysis techniques in the behavioural security field.