Expressing views on organizational information security (IS) by employees is vital for improving security processes, policies and trainings, while non-communication may conceal the true state of the human factor of IS and lead to security breaches. The purpose of this paper is to introduce the concept of opinion expressing about organizational IS, provide an explanatory model based on the theory of spiral of silence and offer its empirical validation.
Data from a web-based survey among the employees of one of the universities in the European Union (n = 504) was analyzed with regression analysis to investigate the proposed hypotheses.
The study reveals that employees with positive opinions about IS will be more willing to share their opinions with coworkers and management. However, when employees perceive that their pro-IS opinions are not shared by other coworkers, they will remain silent, which increases the risk of problematic opinions spreading throughout the organization.
The study highlights the need to focus on the communication perspectives of organizational information security, an area often overlooked in the human factor of information security research.
The results highlight the need to examine the gap between the dominant climate of opinion about IS in the organization and the display of compliant IS behaviors in order to strengthen IS endeavors. Organizations are encouraged to facilitate open dialogue about IS processes, policies and training and implement mechanisms for considering employees’ feedback in order to improve the organization’s IS.
The study contributes to a growing body of research that moves beyond viewing employees merely as subjects of compliance, recognizing instead their agency in IS issues that can enhance organizational resilience. To the best of the authors’ knowledge, this is the first study to apply the spiral of silence theory in the IS field, thereby helping to overcome the lack of communication science perspectives in organizational IS research.
1. Introduction
Accumulating evidence suggests that most information security (IS) attacks exploit human weaknesses (ENISA, 2023; Verizon, 2023), prompting extensive studies over the past decade examining employee behaviors in the workplace. A recent systematic review (Alassaf and Alkhalifah, 2021) identified nearly 90 papers offering diverse social science theories that uncover a plethora of factors influencing the extent to which employees engage in compliant behaviors. These studies underpin the development of security education, training and awareness (SETA) programs aimed at behavioral change, transforming employees from the weakest link in the organizational information security (OIS) to its strongest fortress. However, many of these programs remain inefficient (Alshaikh, 2020; Barlow et al., 2018; He and Zhang, 2019; Hu et al., 2022) and human-related IS incidents do not seem to be decreasing (Alassaf and Alkhalifah, 2021).
For a more comprehensive understanding of the human aspect of OIS, this paper proposes considering the somewhat overlooked sociological perspective in the IS field, which considers employees as individuals with potential agency and not solely as compliance targets. In line with the constructivist sociological paradigm (Berger and Luckmann, 1967), it is argued that employees should be acknowledged as individuals who may have the power and opportunities to express their views and have a voice regarding OIS. Recently, the emergence of such a perspective can be witnessed. Practitioners, for example, warn that the pressure to comply can lead to a “culture of silence”, which can be detrimental to organizational resilience, emphasizing the need for employees to have confidence and opportunities to speak up about OIS issues they notice in their work process (Carpenter, 2019; Duran, 2022). Organizational silence inhibits the expression of ideas and opinions by perpetuating the fear of negative repercussions, even when such opinions might highlight critical issues in OIS (Morrison and Milliken, 2000). Concurrently, research indicates that employees complain about the handling of work and security priorities (Chen et al., 2022) and express stress (D’Arcy et al., 2009) and fatigue when dealing with OIS (Reeves et al., 2021). This is not without effect, as employees who frequently voice their opinions about IS influence how other employees think and behave regarding IS (Dang-Pham et al., 2022).
As IS policies are often cumbersome, difficult to follow and can lead to ambiguities if they are not clearly written, employees need to have opportunities to voice their opinions about these experiences (Dang-Pham et al., 2022; Siponen et al., 2010). There are also calls to pay more attention to employees’ opinions when designing SETA trainings (Alshaikh, 2020; Carpenter, 2019; Dahabiyeh, 2021). Employees’ feedback on these is crucial for improving IS management and security mechanisms (Barlow et al., 2018; Chen et al., 2022; Hu et al., 2022; Parkin and Epili, 2015). If nobody speaks out, then the educational programs and IS might be perceived as provisionally efficient despite being unsatisfactory in reality (Carpenter and Roer, 2022). This situation will ultimately lead to the insecure use of organizational IT devices or even insider threat. Voicing one’s opinion on OIS among coworkers and superiors is thus an important component of a healthy IS culture (Flores and Ekstedt, 2016).
There is at least indirect empirical evidence that expressing opinions about OIS is important for organizational resilience to incidents and attacks. As has long been recognized in the safety research field, employee expression about safety failures is essential for ensuring organizational safety (Hirschman, 1970), as it enhances the organization’s adaptability to challenges and threats in an ever-changing environment (Bowen and Blackmon, 2003; Kim et al., 2010; Vakola and Bouradas, 2005). Conversely, employees withholding their opinions about organizational issues can hinder organizational change and innovation (Bowen and Blackmon, 2003; Morrison and Milliken, 2000; Premeaux and Bedeian, 2003). Furthermore, business management literature argues that organizational silence can be devastating to the business (Clark, 2023), advocating for the freedom to speak honestly about organizational processes, concerns, bad work habits, management missteps, etc. (Mixfield, 2016; Perlow and Williams, 2003).
With the focus on employee voice, several pertinent questions arise. The crucial one is how an organizational culture, where employees freely express opinions about IS, can help fortify organizational resilience to attacks and incidents. Before being able to explore this question, however, it is necessary – and this is the main intention of this paper – to conceptualize the expression of opinions on IS matters and answer the following research questions:
To what extent are employees willing to express their opinions on IS matters with their coworkers and management?
What are the main socio–psychological factors of the willingness to speak up about IS matters?
Thus, the main research objective of this study is to foreground the expression of opinions about IS by employees and empirically test a proposed explanatory model that accounts for the main mechanisms driving employees to voice their opinions about IS or remain silent. For this purpose, the well-known spiral of silence theory (Noelle‐Neumann, 1974, 1991) and its extensions (Bowen and Blackmon, 2003; Matthes et al., 2017; Scheufele and Moy, 2000) are employed, as this is the best-known and most widely applied research tradition in investigating factors of expressing opinions on different topics.
2. Theoretical framework
This study builds upon the ontological assumptions of classical sociological thought that emerged as a critical counterpoint to the assumptions of the positivist paradigm (i.e. Blumer, 1980; Berger and Luckmann, 1967). While positivism, with its inclination toward objectivism, portrays humans as largely passive subjects, the constructivist paradigm, in contrast, sees humans as individuals with the possibility for agency to co-create reality (Berger and Luckmann, 1967). In studying social science aspects of OIS, the most frequently used theories – such as general deterrence theory, the theory of planned behavior and protection motivation theory (Alassaf and Alkhalifah, 2021) – at least implicitly presuppose that employees are objects whose behaviors are determined by internal and external forces, to which they respond in a stimulus-response manner (Goo et al., 2014; Hu et al., 2022). According to the constructivist sociological paradigm, employees are recognized as complex beings who are not only objects of persuasion and behavioral change but also individuals with a complex socio-communicative nature (Jones, 2013). Further, this perspective acknowledges that employees, as communicative agents, may discuss OIS issues among peers and superiors (Flores and Ekstedt, 2016) and emphasizes the necessity of their agency in shaping IS policies, trainings and other IS-related processes. Such engagement can catalyze improvements and bolster organizational resilience against IS incidents and attacks (Reeves et al., 2021). The central concepts that capture this communicative agency of employees are the employee’s voice and the employee’s willingness to express opinion on OIS matters.
2.1 Employee voice and expressing opinion on organizational information security matters
Employee’s voice and expressing opinion are overlapping, but not identical concepts. The concept of employee voice refers to the communication of ideas, suggestions and concerns about work-related issues (Dundon et al., 2004; Hirschman, 1970) and is an analytical contribution aimed at solving organizational problems (Van Dyne et al., 2003). Although undoubtedly relevant, we argue that research on expressing opinion in the OIS is even more important, although it might be perceived as more troublesome by the management (Vakola and Bouradas, 2005). Opinion expression encompasses a wider range of informal, spontaneous and authentic communication that might not fit into the more structured and formal framework of employee voice (Van Dyne et al., 2003). It pertains to personal viewpoints, can be less articulate and does not necessarily carry an explicit intent toward organizational improvement (Bowen and Blackmon, 2003). The defining characteristic of expressing opinions is the possibility to speak out in a free and honest way, particularly when opinions may not align with management’s preferences (Bowen and Blackmon, 2003). In other words, expressing opinions can be disruptive, troublesome and focused on negative evaluations of IS; however, the sincerity of these opinions is what’s paramount, even if they challenge or criticize the established IS policies and procedures.
To formalize, we concur that expressing opinions about OIS can be defined as employees’ speech acts that are communicative reactions to uncertainties, organizational policies, processes and procedures regarding OIS. These are enabled or constrained by social perception mechanisms and at least implicitly affect the IS of the organization. These are not private speech acts but occur in public or semipublic situations, where the audience of the speech acts can be other employees, coworkers or management. To illustrate the concept, opinion expression on organizational IS involves talking to coworkers and/or supervisors about difficulties in managing work-related and IS priorities or in understanding and following IS policies within mostly informal settings like halls, organizational events and social gatherings.
2.2 Spiral of silence within the organizational context
To address the main research question of the crucial factors that influence opinion expressing, the theory of spiral of silence was applied. This theory delineates willingness to express opinion as a key dependent variable, and it is the most frequently studied concept in the tradition of the spiral of silence research (Matthes et al., 2017). The spiral of silence theory is one of the most extensively tested theories within communication sciences (see Glynn et al., 1997; Matthes et al., 2017; Scheufele and Moy, 2000; Shanahan et al., 2007 for meta-analyses and reviews). It states that an individual’s willingness to express an opinion on some topic is mostly determined by social perception mechanisms. People continuously monitor their social environment, or the “climate of opinion”, to detect prevalent opinions and adjust their behavior accordingly (Noelle‐Neumann, 1991). When people realize that their opinion is not shared by the majority, they will choose to remain silent or will adjust how they publicly express that opinion, mainly driven by a fear of isolation.
When applied in organizational contexts (Bowen and Blackmon, 2003), it is claimed that employees will speak out about organizational issues when they estimate that their opinion toward an issue is shared by other coworkers, and they will remain silent if their opinion is not supported by the others. In such situations they might even express dishonest opinions (Bowen and Blackmon, 2003). This can have very important consequences for OIS. Consider the following hypothetical situation in an organization depicted in Figure 1. At time t0, the majority of employees hold IS-supportive opinions, but they believe the majority of employees do not support IS (perhaps due to a few vocal cynics). Such situations, where seemingly widely held opinions are in reality not as popular, are not uncommon (Glynn et al., 1997). However, they are very problematic as loud individuals, who are actually a minority, may promote risky IS opinions (e.g. that IS is irrelevant), appearing dominant while suppressing the opinions of those who have pro-OIS opinions. According to the spiral of silence theory, employees who want to express supportive opinions about the OIS become silent due to fear of social sanctions (e.g. being ostracized, ignored, mocked). Over time, a self-reinforcing spiral is created where loud opinions strengthen and eventually become true majority opinion (Gonzenbach et al., 1999), silencing and marginalizing the supporters of OIS. If such situations are unchecked by the management, they can expose the organization to human-induced IS risks.
Conversely, the reversed hypothetical situation can be beneficial for the resilience of OIS. Namely, if the majority of employees initially hold negative opinions about the importance of OIS, but a vocal minority advocates for IS, the prevalent climate will be perceived as supportive of OIS.
In this case, employees may refrain from expressing negative opinions due to fear of isolation, and over time, expressed positive opinions about OIS can become prevalent, so that the majority of employees will indeed hold positive attitudes toward OIS. This paper does not comprehensively study such dynamics, as it would demand a complex longitudinal design. The focus is on a cross-sectional investigation of the crucial mechanism that fuels the spiral of silence.
2.3 Research model and hypotheses
The explanatory model is based on the application of the theory of the spiral of silence, along with its revisions and extensions in the rich tradition following its introduction (see Figure 2). It is important to clarify that the intention is not to comprehensively explain willingness to express opinion but to investigate whether the core mechanisms of the spiral of silence indeed operate in the context of discussing OIS-related matters.
Figure 2. Research model of willingness to express opinion about organizational information security
The perceived climate of opinion has been consistently reported as an important predictor of willingness to speak. When faced with an unsupportive climate of opinion, people are unwilling to express their true opinions, regardless of the social context of the situation (Liu and Fahmy, 2011). Moreover, numerous studies suggest that local climates of opinion that can pertain either to friends, families and colleagues (Moy et al., 2001) or organizational settings (Bowen and Blackmon, 2003) are more important than perceptions of the general climate of opinion. In organizational settings, employees tend to be less willing to express their own opinions in an unsupportive climate due to fear of being seen as bad team players, receiving backlash from coworkers and facing social isolation in general. In fact, the fear of social isolation might translate into fear of informal sanctions that can impact their professional and personal lives (Vakola and Bouradas, 2005). In the OIS context, the perceived IS climate of opinion pertains to an employee’s perception of how the majority of coworkers perceive IS policies, rules, procedures and issues related to them. On the basis of the above discussion, the following hypothesis is proposed:
H1. Congruence between the perceived climate of opinion and one’s own opinion will be associated with higher willingness to express opinion on organizational IS.
The spiral of silence research tradition typically does not consider one’s actual opinion on some matter as a relevant predictor variable; it is only considered for computing the congruence with the perceived climate of opinion. This is not surprising as the theory contends that one’s opinion is not relevant on its own and always functions in relation to social perception (Glynn et al., 1997; Petrič and Pinter, 2002). However, the consideration of the characteristics of one’s opinion in the spiral of silence model has been recently called for (Stoycheff, 2016). In the OIS context it is especially important to consider the nature of one’s opinion, as organizational security is one of the key managerial goals nowadays, often promoted as an organizational value (Da Veiga et al., 2020). Thus, when one’s opinion is in favor of OIS, it is aligned with the management viewpoint and consequently receives at least some moral support for its voicing. Accordingly:
H2. Employees with IS supportive opinions will be likely to express their opinions on organizational IS.
In addition, it is important to consider the interaction between one’s own opinion and congruence of one’s opinion with the perceived climate of opinion. Namely, the mechanism behind the second hypothesis will be attenuated under a supportive climate of opinion as employees who privately support IS will gain even more confidence to speak out when their position is shared by other employees. That willingness to speak out depends on the interaction between the direction of one’s opinion and the perceived climate of opinion has already been demonstrated in a study on speaking out about surveillance (Stoycheff, 2016). The study found that individuals with positive attitudes toward surveillance and a supportive climate of opinion are more likely to voice their opinion than those who have a negative attitude toward surveillance and a supportive climate of opinion (Stoycheff, 2016). Thus, the following hypothesis is proposed:
H3. Employees with IS supportive opinions will be more likely to express their opinions on organizational IS under the condition of congruence of their opinion with the climate of opinion.
Fear of social isolation is the main mechanism that compels people to observe the social environment around them and adapt their public behavior, which then sets the spiraling process in motion (Noelle‐Neumann, 1991). The tradition of spiral of silence research considers fear of social isolation as a situational component (Neuwirth, 2000; Moy et al., 2001) that predicts one’s willingness to express opinion. Applied to the organizational context, the fear of social isolation from coworkers can result in perceiving someone as a troublemaker when they go against the way things are done (Premeaux and Bedeian, 2003). This is in line with recent research on the role of norms in IS compliant behavior (Yazdanmehr and Wang, 2016), wherein certain behaviors and opinions are seen as prevalent and preferred in an organization, grasped by the concepts of descriptive and injunctive norms (Yazdanmehr and Wang, 2016). Employees who might act against them will be exposed to informal sanctions, such as ignorance and avoidance. Consequently:
H4. Fear of social isolation from coworkers will be associated with lower willingness to express opinions on IS.
Critical evaluations and extensions of the spiral of silence theory have highlighted numerous predictors of the public expression of opinion (Matthes et al., 2017; Scheufele and Moy, 2000). Among these it is important to consider knowledge as a factor that is especially relevant in the context of IS. Organizational research in general demonstrates the propensity of knowledgeable employees to contribute ideas and feedback on organizational processes (Van Dyne et al., 2003). Moreover, knowledge and related constructs, such as awareness, have been consistently identified as predictors of compliance with IS policies (Bulgurcu et al., 2010; Lebek et al., 2014). Consequently, incorporating IS knowledge in the model is necessary not only for its direct influence on opinion expression but also to reduce the probability that the expected associations in other hypotheses are spurious. Thus:
H5. Employees with better knowledge of IS will be more willing to express their opinion about IS.
3. Materials and methods
3.1 Data collection and sample
This study was conducted with the cooperation of the IS department of the University of Ljubljana, Slovenia. The study population comprised all the employees of the university, across 27 different member institutions (23 faculties, 3 academies and the rectorate), totaling 6,608 employees in 2022. Data collection was conducted between September 6 and September 30, 2022, via an online survey using the 1KA tool (1KA, 2022). All the individuals employed at the university at that time were invited to participate. The invitation letter and one reminder for the survey were sent by the rectorate to the institutional e-mail addresses of the employees. Ethical approval for the research was obtained from the Research Ethics Committee of the University of Ljubljana (granted June 15, 2022).
From the contacted employees, 961 agreed to participate in the study, out of which 10 were ineligible. Analyses were performed using the complete case analysis, resulting in a total sample size of 504 employees. The return rate was 14.7%, the response rate was 7.6% and the completion rate was 54.3%, which is expected in such data collection procedures (Callegaro et al., 2015). In the final sample (see Table 1), 60.3% of respondents were female (n = 304), and 37.5% male (n = 189). The average age of the participants was 43.7 years (SD = 11.4) and ranged from 22 to 83 years. Most of the respondents held pedagogical positions (43.8%), followed by research positions (23.6%). The majority of the respondents had a doctoral degree (45.4%).
Table 1. Sample characteristics
| Variable | n (%) |
|---|---|
| Gender | |
| Male | 189 (37.5) |
| Female | 304 (60.3) |
| Identify as other | 11 (2.2) |
| Education | |
| College degree or lower | 45 (8.9) |
| Undergraduate or master’s degree | 230 (45.7) |
| PhD | 229 (45.4) |
| Age class | |
| 22–34 | 130 (25.8) |
| 35–47 | 173 (34.3) |
| 48–60 | 165 (32.7) |
| 61 and more | 36 (7.1) |
| Years of employment | |
| Less than 1 year | 44 (8.7) |
| 1–5 years | 130 (25.8) |
| 5–10 years | 55 (10.9) |
| 10–20 years | 124 (24.6) |
| More than 20 years | 151 (30.0) |
| Job category | |
| Pedagogy | 221 (43.8) |
| Research | 119 (23.6) |
| Administration | 115 (22.8) |
| Management | 12 (2.4) |
| Others | 37 (7.4) |
3.2 Statistical analyses
To test the hypotheses, we used ordinary least squares regression analysis. The variables that are included in the interaction term were first centered. The models were checked for multicollinearity, and an inspection of variance inflation factors and condition indices showed that no such issue persisted.
3.3 Preparation of the questionnaire
The questionnaire was designed in line with recommendations relevant to online surveys (Callegaro et al., 2015). Five experts from the fields of social informatics, social methodology and psychology assessed the questionnaire. Additionally, it was pilot-tested with 43 employees working in the sectors of banking, IT, education and healthcare. The results of the pilot survey were used to optimize the measurement instruments.
3.4 Measures
3.4.1 Willingness to express opinion.
Generally, the dependent variable in the spiral of silence research tradition has been operationalized with a single item that measures respondents’ willingness to express their opinions in a hypothetical situation (Scheufele and Moy, 2000). Some researchers have used more items, depending on the “publicness” of the hypothetical situations, ranging from a group of friends, strangers on the train, publishing a comment on social media to commenting on news story websites (see Matthes et al., 2017 for review). In our study we aimed to use more than one item in order to assess the internal consistency of the instrument.
At the beginning of the questionnaire, the term “information security” was explained to the respondents in a value-neutral way. Later, the respondents were instructed to focus on hypothetical situations in the organization involving conversations with coworkers and supervisors about IS and asked how likely they were to join the discussion on a scale from 1 (unlikely) to 4 (very likely) (Example item: “How likely are you to join a discussion about the content, use, and meaningfulness of information security policies in your organization?”). The confirmatory factor analysis (CFA) demonstrated bad fit to the data (RMSEA = 0.178, SRMR = 0.07, CFI = 0.89). Consequently, exploratory factor analysis was conducted, which suggested two factors. Although there are only two items per factor, the two-dimensional latent structure is meaningful as one factor pertains to willingness to express opinion to other employees (horizontal opinion expressing), while the other factor pertains to willingness to express opinion to management and supervisors (vertical opinion expressing). CFA with the two-dimensional latent structure was rerun, resulting in a good fit (RMSEA = 0.001, SRMR = 0.003, CFI = 0.99). The Cronbach’s alpha value for the horizontal willingness to express opinion was 0.91, demonstrating very good internal consistency, while for vertical opinion expressing it was 0.66, which is an acceptable level of internal consistency given only two items in the scale (Loewenthal and Lewis, 2015). Since the data suggested two dimensions of the dependent variable, two models were tested: one for horizontal and one for vertical opinion expressing.
3.4.2 Opinion about information security.
In the spiral of silence research tradition, one’s opinion is measured as one’s position on a somewhat controversial topic that polarizes people into two camps (Noelle‐Neumann, 1974, 1991). On the basis of research on attitudes toward IS (i.e. Parsons et al., 2014), the following item was developed, to be rated on 1–5 agreement scale: “Communicating about information security is quite annoying in trying to get the work done efficiently”. In the analyses, this item was reversed so that it reflected a positive opinion about IS in the organization. This was done for the sake of clarity and consistency and also for computing congruence with the climate of opinion.
3.4.3 (In)congruence with perceived climate of opinion.
In the spiral of silence research tradition, congruence with perceived climate of opinion is calculated as the absolute difference between one’s opinion and the perceived climate of opinion (Matthes et al., 2017). The latter was measured as what other coworkers think about the issue at present (Example item: “My coworkers find it important to communicate (i.e. share knowledge and experiences) about information security”). Since zero represents full congruence and four is maximum incongruence, the variable is termed as incongruence of one’s opinion with the climate of opinion.
3.4.4 Fear of social isolation.
A situationally specific measure was used that has been typically applied in the later adaptations of the spiral of silence to different contexts, mostly online groups (i.e. Ho and McLeod, 2008; Kim et al., 2014). The items were adopted in order to fit the topic of IS and reflect the potential sanctions imposed by coworkers. As in the spiral of silence research, informal sanctions refer to fear of mockery, ignorance, losing trust and respect and being excluded from the group (Noelle‐Neumann, 1991). The scale consisted of four items (Example item: “My colleagues would condemn me if I told the superiors that someone from the staff lost a USB key with sensitive organizational data.”), where CFA demonstrated good fit to the data (RMSEA = 0.001, SRMR = 0.001, CFI = 0.99). Cronbach’s alpha demonstrated somewhat marginal but still acceptable internal consistency (alpha = 0.70) given the small number of items and the novel instrument adapted to IS context.
3.4.5 Information security knowledge.
Following criticism of self-report measures of knowledge in the IS field (e.g. Lebek et al., 2014; Lee and Kim, 2014), knowledge was measured objectively with quiz-style items on different topics of IS. The final score was computed as the sum of correct responses. Nine items were used that pertain to different dimensions of IS knowledge, and the resulting scale thus consisted of scores from 0 to 9. Since it is a formative construct, factor analytical procedures and computation of internal consistency are not meaningful.
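The predictor construction described in Sections 3.2 and 3.4.2 to 3.4.3 (reverse-coding the opinion item, incongruence as an absolute difference, centering before forming the interaction term, then ordinary least squares) can be sketched as follows. This is an added example, not the authors' analysis code; the respondent rows, the field names and the `TRUE_B` coefficients are constructed for illustration and are not the paper's data or estimates.

```python
# Added illustration (not the authors' code). All respondent data and
# coefficients below are constructed so that the fit can be checked.

def reverse_code(score, lo=1, hi=5):
    """Flip a Likert item so that a high score means a pro-IS opinion."""
    return lo + hi - score

def incongruence(own_opinion, perceived_climate):
    """Absolute difference: 0 = full congruence, 4 = maximum incongruence."""
    return abs(own_opinion - perceived_climate)

def center(values):
    """Mean-center a variable before it enters an interaction term."""
    mean = sum(values) / len(values)
    return [v - mean for v in values]

def design_matrix(rows):
    """Columns: intercept, opinion (centered), incongruence (centered),
    opinion x incongruence, fear of isolation, IS knowledge."""
    opinion = [reverse_code(r["annoying"]) for r in rows]
    incong = [incongruence(o, r["climate"]) for o, r in zip(opinion, rows)]
    op_c, inc_c = center(opinion), center(incong)
    return [[1.0, o, i, o * i, float(r["fear"]), float(r["knowledge"])]
            for o, i, r in zip(op_c, inc_c, rows)]

def ols(X, y):
    """Solve the normal equations (X'X) b = X'y by Gauss-Jordan elimination."""
    k = len(X[0])
    A = [[sum(row[a] * row[b] for row in X) for b in range(k)]
         + [sum(row[a] * yi for row, yi in zip(X, y))] for a in range(k)]
    for col in range(k):
        pivot = max(range(col, k), key=lambda r: abs(A[r][col]))
        if abs(A[pivot][col]) < 1e-12:
            raise ValueError("collinear predictors: X'X is singular")
        A[col], A[pivot] = A[pivot], A[col]
        for r in range(k):
            if r != col:
                f = A[r][col] / A[col][col]
                A[r] = [x - f * p for x, p in zip(A[r], A[col])]
    return [A[i][k] / A[i][i] for i in range(k)]

# Constructed coefficients used only to generate a checkable outcome;
# they are NOT the paper's estimates.
TRUE_B = [2.6, 0.15, -0.05, -0.10, 0.08, 0.07]
NAMES = ["intercept", "opinion_c", "incongruence_c",
         "opinion_c x incongruence_c", "fear", "knowledge"]

def constructed_rows():
    """25 constructed respondents covering every item/climate combination."""
    return [{"annoying": a, "climate": c,
             "fear": 1 + (2 * a + c) % 5,       # constructed 1..5 score
             "knowledge": (3 * a + 4 * c) % 10}  # constructed 0..9 quiz score
            for a in range(1, 6) for c in range(1, 6)]

def fit_constructed():
    """Generate the outcome from TRUE_B, then recover it with OLS."""
    X = design_matrix(constructed_rows())
    y = [sum(b * x for b, x in zip(TRUE_B, xr)) for xr in X]
    return ols(X, y)

if __name__ == "__main__":
    for name, b in zip(NAMES, fit_constructed()):
        print(f"{name:28s} {b: .3f}")
```

Only the two variables that form the interaction term are centered, matching the description in Section 3.2; fear of social isolation and IS knowledge enter on their original scales.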
4. Results
4.1 Descriptive and bivariate statistics
The analysis of the variables included in the hypotheses (see Table 2) shows that employees at the studied university in general report positive opinions toward IS (M = 3.89, SD = 0.95), and they are quite likely to express their opinions among both coworkers (M = 2.71, SD = 0.86) and the management (M = 2.89, SD = 0.72). Congruence of employees’ own opinions with the perceived opinion of other coworkers is somewhat moderate. Notably, 35.9% of employees see their opinions as completely aligned with the opinion of their coworkers. Fear of social isolation due to risky IS behavior is moderately present among the employees, with the majority of them not expressing strong anxiety (M = 2.83, SD = 0.92). Finally, the sample of employees has limited understanding of IS.
Table 2. Descriptive statistics of the variables in the regression models
| Variable | Mean (SD) | Min. | Max. |
|---|---|---|---|
| Willingness to express opinion horizontally | 2.71 (0.86) | 1 | 4 |
| Willingness to express opinion vertically | 2.89 (0.72) | 1 | 4 |
| Opinion on information security | 3.89 (0.95) | 1 | 5 |
| Incongruence with perceived climate of opinion | 0.93 (0.92) | 0 | 4 |
| Fear of social isolation | 2.83 (0.92) | 1 | 5 |
| IS knowledge | 4.16 (1.86) | 0 | 9 |
The correlation matrix (see Table 3) between all the variables in the hypotheses shows that opinion expression toward coworkers and toward the management are statistically significantly correlated (r = 0.50, p < 0.001). Both types of willingness are also significantly correlated with one’s opinion (r = 0.177, p < 0.001; r = 0.168, p < 0.001). Willingness to express opinion horizontally is also statistically significantly correlated with fear of social isolation (r = 0.124, p = 0.005) and IS knowledge (r = 0.189, p < 0.001).
Correlation matrix of the variables in the model
| Variables in the model | (1) | (2) | (3) | (4) | (5) | (6) |
|---|---|---|---|---|---|---|
| Willingness to express opinion horizontally (1) | 1 | | | | | |
| Willingness to express opinion vertically (2) | 0.500 | 1 | | | | |
| Opinion on IS (3) | 0.177 | 0.168 | 1 | | | |
| Incongruence with perceived climate of opinion (4) | 0.037 | 0.029 | −0.149 | 1 | | |
| Fear of social isolation (5) | 0.124 | 0.055 | −0.016 | −0.091 | 1 | |
| IS knowledge (6) | 0.189 | 0.090 | 0.103 | −0.012 | 0.135 | 1 |
4.2 Testing the hypotheses
The hypotheses were tested with two separate ordinary least squares regressions: one for horizontal opinion expression and one for vertical opinion expression. Both models are equivalent in their specification and independent variables. All independent variables were entered into the regression equation, together with one interaction term pertaining to the predictor in hypothesis H3 and the socio-demographic control variables.
Results show (see Table 4) that for both the dependent variables, the models exhibited a statistically significant fit with the data (F = 13.20, p < 0.001; F = 9.37, p < 0.001) with R²adj values of 0.179 and 0.130, respectively. In other words, our model explains 17.9% of the variability in willingness to express opinion horizontally and 13.0% of the variability in willingness to express opinion vertically.
Results of regression analyses with horizontal and vertical opinion expression as dependent variables
| Variables | Horizontal: B | Horizontal: SE | Horizontal: β | Horizontal: p | Vertical: B | Vertical: SE | Vertical: β | Vertical: p |
|---|---|---|---|---|---|---|---|---|
| Intercept | 1.966 | 0.266 | | | 2.273 | 0.232 | | |
| Gender (0-male, 1-female and other) | −0.099 | 0.075 | −0.056 | 0.192 | −0.017 | 0.066 | −0.011 | 0.799 |
| Age | 0.002 | 0.005 | 0.027 | 0.663 | 0.020 | 0.004 | 0.310 | <0.001 |
| Education | −0.040 | 0.034 | −0.053 | 0.238 | −0.046 | 0.030 | −0.071 | 0.126 |
| Years of employment | 0.106 | 0.040 | 0.170 | 0.008 | −0.051 | 0.035 | −0.096 | 0.146 |
| Incongruence with climate of opinion | 0.053 | 0.038 | 0.057 | 0.170 | 0.040 | 0.034 | 0.051 | 0.231 |
| IS opinion | 0.424 | 0.056 | 0.473 | <0.001 | 0.273 | 0.049 | 0.358 | <0.001 |
| Fear of social isolation | 0.099 | 0.038 | 0.107 | 0.010 | 0.017 | 0.034 | 0.022 | 0.604 |
| IS knowledge | 0.055 | 0.020 | 0.120 | 0.005 | 0.024 | 0.017 | 0.062 | 0.160 |
| Incongruence with climate of opinion × IS opinion | −0.195 | 0.030 | −0.406 | <0.001 | −0.115 | 0.026 | −0.284 | <0.001 |
| F-statistics (p-value) | 13.20 (<0.001) | | | | 9.37 (<0.001) | | | |
| R²adj | 0.179 | | | | 0.130 | | | |
Among the predictors, employees’ opinion on IS has the largest statistically significant effect on willingness to express opinion (see Table 3), suggesting that employees with a more positive opinion about IS will be more willing to voice their opinion among both their colleagues (β = 0.473, p < 0.001) and the management (β = 0.358, p < 0.001). Fear of social isolation has a weak and positive statistically significant effect on willingness to express opinion horizontally (β = 0.107, p = 0.010) but not on vertical opinion expression (β = 0.022, p = 0.604). Support from the climate of opinion is not statistically significantly associated with willingness to express opinion either horizontally or vertically (β = 0.057, p = 0.170; β = 0.051, p = 0.231), but it interacts statistically significantly with an individual’s own opinion. If employees have positive opinions about IS but feel that others do not share these opinions, they will be much less likely to share their opinion with coworkers (β = −0.406, p < 0.001). This effect is similar but somewhat weaker (β = −0.284) in the case of vertical opinion expression.
IS knowledge has a statistically significant yet weak influence on horizontal opinion expression (β = 0.120, p = 0.005). Among the sociodemographic variables, the results show that older employees are statistically significantly more likely to express their opinions about IS to the management (β = 0.310, p < 0.001), while employees with longer tenure at the organization are more likely to express their opinion to other coworkers (β = 0.170, p = 0.008) than to supervisors.
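The interaction term reported in the regression table can be read as a conditional effect of one's own IS opinion. The derivation below is an added illustration, not part of the original paper; it uses the unstandardized coefficients B from the table and assumes that the predictors entered the models on their raw scales (the text does not state whether they were centered), with incongruence ranging from 0 to 4.

$$
\hat{Y} = b_0 + b_1\,\mathrm{Opinion} + b_2\,\mathrm{Incongruence} + b_3\,(\mathrm{Opinion}\times\mathrm{Incongruence}) + \text{controls}
$$

$$
\frac{\partial \hat{Y}}{\partial\,\mathrm{Opinion}} = b_1 + b_3\,\mathrm{Incongruence}
$$

$$
\text{Horizontal: } 0.424 - 0.195\,\mathrm{Incongruence}, \qquad \text{Vertical: } 0.273 - 0.115\,\mathrm{Incongruence}
$$

$$
\begin{array}{c|cc}
\mathrm{Incongruence} & \text{Horizontal slope} & \text{Vertical slope} \\ \hline
0 & 0.424 & 0.273 \\
1 & 0.229 & 0.158 \\
2 & 0.034 & 0.043 \\
3 & -0.161 & -0.072 \\
4 & -0.346 & -0.187
\end{array}
$$

Under this assumption, the positive association between a pro-IS opinion and willingness to speak shrinks with every step of perceived incongruence and changes sign at $0.424/0.195 \approx 2.17$ (horizontal) and $0.273/0.115 \approx 2.37$ (vertical).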
5. Discussion
5.1 Principal findings
The main aims of this paper were to introduce the concept of employees’ opinion expressing about OIS and to empirically validate its antecedents by applying the spiral of silence theory. To answer the first research question, the study shows that employees – at least in the higher education context – are quite willing to voice their opinions about IS. They are slightly more ready to share their views on IS with management than with coworkers. This is because speaking with superiors may have more tangible effects in terms of impact on decision-making, whereas the effect of speaking with other coworkers is less functional and more social in nature (Morrison and Milliken, 2000). While the mechanisms behind horizontal and vertical opinion expressing are to a large extent similar, as also implied by the theory of spiral of silence (Morrison and Milliken, 2000; Noelle‐Neumann, 1974), the consequences can be very different. For example, when an employee complains about the painful password system (see Reeves et al., 2021) to coworkers, this might result in a collective search for shortcuts and problems for OIS. On the other hand, when an employee complains about such a nuisance to management, this can initiate a response and improvement of IS processes.
To answer the second research question, a research model was developed, and the empirical test suggests confirming three out of five hypotheses. Hypothesis H1 was rejected, demonstrating that the perception of what other coworkers think about IS does not directly influence the willingness to express one’s opinion. Hypothesis H2 was confirmed, indicating that employees with positive opinions toward IS are more likely to display them in front of other employees and supervisors. Confirmation of H3 points to a more complex social perception mechanism depicted by a significant interaction between one’s opinion and perception of the climate of opinion. Namely, H2 on one hand suggests that employees with pro-IS opinions will more likely express them than those with contra-IS opinions; however, when such employees realize that the climate of opinion is hostile toward them, they will lose confidence and become silent. In other words, when pro-IS employees discover that the majority of coworkers do not share their opinion, they will become silent or, worse, adapt to the majority and show coworkers that they, too, do not care about IS. This sort of organizational paradox, in which the majority of employees know the truth about certain security-related issues and problems within an organization but do not have the perceived support to speak up, has recently been noticed in the professional literature and identified as the “culture of silence” (Carpenter, 2019). The findings of our study also align with the recent research on the role of IS norms in security-compliant behavior. If an employee’s peers have negative attitudes toward compliance with IS policies, then the employee, too, behaves in ways that are in violation of IS policies (Yazdanmehr and Wang, 2016). The presented study additionally suggests that even if employees privately hold positive opinions toward IS policies and IS in general, they will succumb to the prevalent norm of indifference toward IS.
This can have important implications for further research on IS norms: in addition to injunctive, subjective and descriptive norms, the interactions of these norms with one’s personal opinion toward IS also need to be considered.
The testing of hypothesis H4 does not provide a conclusive answer regarding the role of fear of isolation in opinion expressing about OIS. The influence of fear of social isolation is weak and, in fact, positive, thus rejecting hypothesis H4. Those who think that they will be socially sanctioned by their peers if they work against IS norms are actually more willing to share their opinion with their coworkers. This could be a consequence of the specific organizational culture of universities, which often promotes values of individualism, freedom and autonomy (Lăcătuş, 2013). It can be speculated accordingly that if employees feel that they are being mocked and neglected because of some unwritten rules, instead of succumbing to such informal sanctions, they will be willing to speak up about them.
Hypothesis H5 can be partially confirmed, as knowledge about IS gives employees some confidence to speak out in front of peers, but not in front of superiors. Recent findings indicate that the security culture in the educational sector is relatively low (KnowBe4, 2021), highlighting issues such as underfunding, the absence of comprehensive policies and inadequate staffing. In such circumstances, IS-knowledgeable employees might feel discouraged from speaking up about OIS due to awareness of structural barriers impeding IS improvements and perceiving their contributions as futile.
Three findings involving sociodemographic factors are relevant. First, level of education is not associated with willingness to voice one’s opinion, which is in line with previous findings (Scheufele and Moy, 2000). However, given this study’s highly educated sample and the university context, this result may be due to the lack of variation in attained education. Second, employees who are older in age are more willing to voice their opinions about IS with the management but not with other coworkers. Third, the longer a person is employed at the university, the more likely they are to share their opinions with their peers. To some extent, these findings are congruent with a recent study, which suggests that age and length of employment are typical demographic characteristics of IS opinion leaders in the organization (Dang-Pham et al., 2022).
5.2 Practical implications
The findings have some important practical implications for managing IS in organizations and for the development and optimization of SETA programs. One clear implication for IS management is to have a healthy security culture, which provides communication opportunities and situations where employees are confident to express their honest feedback on IS. The management needs to ensure that employees are heard and considered, as this will lead to more practical and accepted security measures. The management also needs to establish a positive spiral of outspokenness (Bowen and Blackmon, 2003), as being able to speak out is an important predictor of employee empowerment and satisfaction and important to the effectiveness, culture and security of the organization as a whole (Engemann and Scott, 2020; Premeaux and Bedeian, 2003; Vakola and Bouradas, 2005). Given that employees are quite willing to share their opinions on IS with management, it is surprising that not many products exist that would allow for systematic collection and analysis of employees’ opinions (Parkin and Epili, 2015).
Another important implication of this study pertains to the influence of the opinion leaders on IS. While these leaders do not occupy formal organizational roles, they exert a profound influence over shaping opinion climates at the workplace (Dang-Pham et al., 2022). The spiral of silence research affirms that opinion leaders can play a decisive role in establishing positive climates of opinion and influencing the perceptions and behavior of others (Lee and Kim, 2014; Sohn, 2019). In fact, establishing a base of security champions or ambassadors is now regarded as a key strategy for improving organizational IS (Alshaikh, 2020; Carpenter and Roer, 2022). Opinion leaders can deeply impact how other employees think about IS and to what extent they engage in secure IS behavior. Thus, it is important to target interventions involving such key individuals. They can provide strong, vocal support to make opinions appear dominant and ensure that the spiraling process operates positively. At the same time, in the absence of a prudent approach, subtlety, guidance or training, loud employees may also express opinions that promote non-compliant behavior, establishing an unwanted spiral of opinions that works against IS. The management should have mechanisms at hand to identify such “security cynics” before they result in tangible consequences for organizational security.
A recent review (Hu et al., 2022) indicates that the majority of SETA programs consider communication mostly as a persuasive mechanism to ensure compliance, while the findings of this study clearly call for consideration of other types of communication, such as peer-to-peer and bottom-up. SETA trainings should consider including at least three elements:
- Collecting employees’ opinions on the mode and content of trainings during and after the conduct of such trainings;
- Collecting employees’ opinions on the security protocols, security policies and particularly on elements that cause tension (such as clarity of policies, interference with job priorities) at least annually or when changes are planned; and
- Trainings should explicitly demonstrate how voicing honest opinions is crucial for the improvement of OIS and should not be seen as gossiping or subversion.

Most importantly, employees should be stimulated to speak up even when they think their view differs from the perceived majority. Along with such modifications in trainings, a change is also needed at the management level to acknowledge and consider the expressed opinions. This way many issues that are related to security fatigue and stress (Reeves et al., 2021) might be effectively resolved and contribute to the improvement of organizational resilience.
5.3 Limitations
This study has several non-trivial limitations that can spur further investigations. First, an obvious limitation is that the study context is confined to a higher education setting. The organizational culture in this sector can be specific and characterized by fluid relations between the employees and the management, with the latter having a limited mandate and being frequently pooled from the former (Bess et al., 2012). Nonetheless, having a single organizational context is an important external control, as a sample of different industries and organizations may interfere with the spiral of silence mechanisms, thus demanding a more complex, multilevel model (Hox et al., 2017). This research assumed that the university environment offers numerous possibilities for expressing opinions in informal situations, such as halls, informal gatherings and events. But such a level of communicative opportunities (Vakola and Bouradas, 2005) might not be representative of other organizations.
In terms of research design, this study is limited in the same way as the majority of cross-sectional investigations on the spiral of silence theory in terms of being unable to fully capture the dynamics of the social processes that the theory explores. For instance, how some opinions become dominant over time and how minority opinions disappear (Noelle‐Neumann, 1974, 1991). Could loud security cynics create a deceptive climate of opinion in which it seems that the majority do not care about IS, resulting in an actual change of employee opinions? Such issues call for a longitudinal research design, which can be logistically and financially complex yet vital for key insights into the growing threats to organizational security.
While many studies within the spiral of silence research tradition are focused on willingness to express opinion, the study of spiral of silence as a real phenomenon requires the actual expression of opinions (Petrič and Pinter, 2002). Thus, it would be relevant to examine how and under what conditions willingness to express opinion translates into real speech acts. Moreover, further research might lean more on the research of organizational voice and provide differentiation of opinion expressing, depending on the intention behind it (Engemann and Scott, 2020). For example, some opinions may be targeted at improving organizational security, some may be frustrations and some could be expressions of displaced dissent (Vakola and Bouradas, 2005), when employees are not willing to speak out in the organization but express their dissatisfaction to the external public. Such a situation can be especially problematic in the field of IS.
6. Conclusion
This study emphasizes the importance of employees’ agency in OIS matters in the form of opinion expressing, joining the recent research of human factors in IS that shifts its focus away from the predominant assumption that compliant behavior is the crucial human-related determinant in mitigating security threats (Yazdanmehr and Wang, 2016). The study highlights the willingness of employees to voice their opinions on IS and the complex social perception mechanism that can lead employees to remain silent in the face of a dissenting majority. More broadly, this study advocates for recognition of IS-related communication processes within organizations that go beyond understanding communication as a top-down persuasive process. Focusing on overlooked communication processes within organizations is necessary for advancing the existing state of the art on the research of social science aspects of OIS and getting practical insights for developing more nuanced and effective security strategies in the face of evolving IS threats.
7. Data availability
The data that support the findings of this study are currently not available but may be provided upon reasonable request.
Funding: This work was supported by the Slovenian Research and Innovation Agency under the research program Social Science Methodology, Statistics and Informatics (grant number P5-0168).


