Future research opportunities summary table
| Opp # | Opportunity/Potential research questions | Motivating observation |
|---|---|---|
| 1 | Investigate the unique security demands faced by cybersecurity professionals | Cybersecurity professionals experience both technical and nontechnical security demands. For technical security demands, the unexplored characteristics of security technology involve interoperability, noise, rate of false alarms, chattiness and versatility. Adversarial characteristics of security controls and management of employee discord are another form of demand that cybersecurity professionals uniquely experience Similarly, the nontechnical demands imposed by ever-changing InfoSec security policies and procedures present another unique category of demands experienced by cybersecurity professionals, requiring a continuous investment of time and effort to learn and relearn how to comply with them |
| Potential research question: RQ1: What are the unique security demands faced by cybersecurity professionals? | ||
| 2 | Explore the appraisal process that cybersecurity professionals follow in assessing security demands | Regardless of the theoretical underpinning, a broad notion of the cognitive stress paradigm is that individuals cognitively appraise environmental demands (Lazarus and Folkman, 1984). However, the stress literature applicable to the study of stress among cybersecurity professionals revealed that demand appraisals have been given limited attention among scholars (see Appendix 3). When attended to, demand appraisals have been explained primarily through one of three theoretical lenses (transactional theory of stress, P-E fit theory and cybernetic theory), in which individuals perform a subjective evaluation of their environment in terms of opportunity or threat (D'Arcy et al., 2014, 2018; Galluch et al., 2015; Liang et al., 2019), (mis)fit (Ayyagari et al., 2011; Stich et al., 2019b; Chilton et al., 2005), or (in)equilibrium (Stich et al., 2019a) However, what has lacked the most attention is the explanation of the factors that may influence the demand appraisal process for cybersecurity professionals and how certain factors are more influential than others, creating a challenge or hindrance perception of demand. Some early research suggests that age, gender and personality differences can play an influential role in the stress process, but we have an underdeveloped understanding of how these differences affect cybersecurity professionals' appraisal of demands (Ragu-Nathan et al., 2008; Tams et al., 2017; Srivastava et al., 2015; Maier et al., 2019; Hwang and Cha, 2018; Lazarus and Folkman, 1987). Most research that has considered individual differences has shown how these differences affect the overall experience of stress but not the influence on the appraisal process itself, but cybersecurity professionals are a unique breed of IT professional (Cobb, 2016; Bashir et al., 2017) and therefore deserving of special consideration |
| Potential research questions: RQ1: How do organizational and individual characteristics interact with the characteristics of technical and nontechnical security demands in the demand appraisal process? RQ2: What individual and organizational characteristics increase the likelihood that cybersecurity professionals will appraise a given security demand (technical or nontechnical) as a challenge stressor? RQ3: What individual and organizational characteristics increase the likelihood that a given security demand (technical or nontechnical) will be appraised as a hindrance stressor by cybersecurity professionals? | ||
| 3 | Explore the multitude of stress responses cybersecurity professionals engage in following a demand appraisal | Most studies on stress in a security-related context have applied technostress concepts to SRS research. Commonly studied stress responses in technostress research are negative (see Appendix 3) primarily because technostress has been positioned as a dark side of stress phenomenon (Tarafdar et al., 2019). This limitation has also extended to SRS research. Frustration, fatigue and moral disengagement are some negative stress responses studied in the SRS context. But this limitation presents an opportunity for future research to focus on positive stress responses among cybersecurity professionals, which can manifest as excitement, hope, trust, job engagement, etc. (Simmons and Nelson, 2001, 2007) |
| Potential research question: RQ1: How do cybersecurity professionals savor and cope with the IT security demands of their organizations? | ||
| 4 | Study novel stress outcomes | A key observation from our review is that the conceptualization of stress in the InfoSec domain adds a new perspective to behavioral security research, which focuses primarily on the determinants of information security policy (ISP) violations and noncompliant behaviors. Being rooted in an ISP compliance perspective, InfoSec stress research primarily focuses on policy compliance issues as an outcome variable (for example, (D'Arcy and Teh, 2019; Nasirpouri Shadbad and Biros, 2021; Hwang and Cha, 2018; Pham et al., 2016) leaving an unexplored area of investigation in studying the influence of SRS on other organizational variables such as job satisfaction, productivity, turnover and so forth. Beyond compliance issues, other outcome variables that have emerged in our review are security compliance burnout and information security awareness (McCormac et al., 2018; Pham et al., 2016; Pham, 2019) However, for all of these compliance and compliance-related variables, their influence on the generation of stress among cybersecurity professionals has gone unexplored. Cybersecurity professionals are on the enforcement side of ISPs, and the stress they encounter should result in a unique set of stress related outcomes. Future research is needed to determine what those outcomes are and how stress plays a role in influencing them |
| Potential research question: RQ1: What are the most salient stress related outcomes associated with the cybersecurity profession? | ||
| 5 | Practice theoretical pluralism in studying stress among cybersecurity professionals | Even though research on stress among cybersecurity professionals and in the broader context of InfoSec is still developing, we have found richness in the theoretical perspectives used. This is a somewhat surprising observation, given that a lack of theoretical richness has been suggested as a limitation of the technostress literature (Tarafdar et al., 2019). Yet to its credit, the research that would be applicable to inform a study of stress among cybersecurity professionals exhibits no such limitations and should provide a robust theoretical spectrum from which to conduct future research. We find theories such as moral disengagement theory (MDT) and coping theory, person–organization (P-O) fit theory and transactional theory of stress has been used to explore SRS- and ISS-related phenomena, respectively (Lee et al., 2016; D'Arcy et al., 2014). Affective event theory and coping theory have been applied to understand how security demands can be conceptualized as hindrance stressors (D'Arcy and Teh, 2019). The job demands-resource model has been used to explain information security compliance burnout (Pham et al., 2016; Pham, 2019) |
| Opp | Opportunity/Potential research questions | Motivating observation |
|---|---|---|
| 1 | Investigate the unique security demands faced by cybersecurity professionals | Cybersecurity professionals experience both technical and nontechnical security demands. For technical security demands, the unexplored characteristics of security technology involve interoperability, noise, rate of false alarms, chattiness and versatility. Adversarial characteristics of security controls and management of employee discord are another form of demand that cybersecurity professionals uniquely experience |
| Potential research question: | ||
| 2 | Explore the appraisal process that cybersecurity professionals follow in assessing security demands | Regardless of the theoretical underpinning, a broad notion of the cognitive stress paradigm is that individuals cognitively appraise environmental demands ( |
| Potential research questions: | ||
| 3 | Explore the multitude of stress responses cybersecurity professionals engage in following a demand appraisal | Most studies on stress in a security-related context have applied technostress concepts to SRS research. Commonly studied stress responses in technostress research are negative (see |
| Potential research question: | ||
| 4 | Study novel stress outcomes | A key observation from our review is that the conceptualization of stress in the InfoSec domain adds a new perspective to behavioral security research, which focuses primarily on the determinants of information security policy (ISP) violations and noncompliant behaviors. Being rooted in an ISP compliance perspective, InfoSec stress research primarily focuses on policy compliance issues as an outcome variable (for example, ( |
| Potential research question: | ||
| 5 | Practice theoretical pluralism in studying stress among cybersecurity professionals | Even though research on stress among cybersecurity professionals and in the broader context of InfoSec is still developing, we have found richness in the theoretical perspectives used. This is a somewhat surprising observation, given that a lack of theoretical richness has been suggested as a limitation of the technostress literature ( |
Sharing content requires targeting cookies to be enabled. Please update your cookie preferences to use this feature.