|
| Measurement variables | Item |
|
| Items on effectiveness of telecommuting security policies adapted from Hsu et al. [9] and Knapp [32] |
| Policy effectiveness 01 | In general, information in the organization is sufficiently protected while telecommuting. |
| Policy effectiveness 02 | Overall, the telecommuting information security policy is effective. |
| Policy effectiveness 03 | The telecommuting information security policy achieves most of its goals. |
| Policy effectiveness 04 | The telecommuting information security policy accomplishes its most important objectives. |
| Policy effectiveness 05 | The telecommuting information security policy has kept security losses to a minimum. |
|
| Items on mandatoriness adapted from Boss et al. [13] |
| Mandatoriness 01 | I am required to secure my system according to the organization’s documented policies and procedures while telecommuting. |
| Mandatoriness 02 | It is expected that I will take an active role in securing my computer from cyberattacks (e.g., hacking, virus infection, and data corruption) while telecommuting. |
| Mandatoriness 03 | There is an understanding that I will comply with the organizational security policies and procedures regarding telecommuting. |
| Mandatoriness 04 | Regulatory compliance requirements (e.g., FERPA, HIPAA, and Sarbanes–Oxley) motivate me to follow the organization’s IT security policies, procedures, and guidelines regarding telecommuting to the best of my ability. |
|
| Items on specification adapted from Hsu et al. [9], Boss et al. [13], and D’Arcy et al. [8] |
| Specification 01 | There are written rules on the security policies and procedures followed by the organization regarding telecommuting. |
| Specification 02 | I am familiar with the organization’s IT security policies, procedures, and guidelines for telecommuting. |
| Specification 03 | The organization’s existing policies and guidelines cover how to protect my computer system while telecommuting. |
| Specification 04 | I am required to know many written procedures and general practices to secure my computer system while telecommuting. |
| Specification 05 | My organization has specific guidelines regarding the acceptable use of e-mail while telecommuting. |
| Specification 06 | My organization has established rules regarding the use of computer resources while telecommuting. |
| Specification 07 | My organization has a formal policy that forbids employees from accessing computer systems that they are not authorized to use while telecommuting. |
| Specification 08 | My organization has specific guidelines regarding the acceptable use of computer passwords while telecommuting. |
| Specification 09 | My organization has specific guidelines that outline what employees can do with their computers while telecommuting. |
|
| Items on monitoring adapted from D’Arcy et al. [8] |
| Monitoring 01 | I believe that my organization monitors any modification or alteration of computerized data while telecommuting. |
| Monitoring 02 | I believe that the computing activities of telecommuting employees are monitored by my organization. |
| Monitoring 03 | I believe that my organization monitors computing activities to ensure that employees perform only explicitly authorized tasks while telecommuting. |
| Monitoring 04 | I believe that my organization regularly reviews the system logs of telecommuting employees. |
| Monitoring 05 | I believe that my organization conducts periodic audits to detect the use of unauthorized software on its computers. |
| Monitoring 06 | I believe that my organization actively monitors the content of e-mail messages exchanged by telecommuting employees. |
|
| Items on reward adapted from Hsu et al. [9] and Boss et al. [13] |
| Reward 01 | I will receive a personal mention in oral or written reports if I comply with the security policies and procedures at this organization while telecommuting. |
| Reward 02 | I will be given monetary or nonmonetary rewards for following security policies and procedures while telecommuting. |
| Reward 03 | Tangible rewards depend on whether I follow the organization’s IT security policies, procedures, and guidelines while telecommuting. |
| Reward 04 | My pay raise and/or promotion depend on whether I follow the documented security policies and procedures while telecommuting. |
|
| Items on extrarole behavior adapted from Hsu et al. [9] |
| Extrarole 01 | Employees of this department volunteer to engage in security policy-related behaviors while telecommuting. |
| Extrarole 02 | Employees of this department help each other to learn about the telecommuting security policies. |
| Extrarole 03 | Employees of this department help orient new employees to the telecommuting security policies. |
| Extrarole 04 | Employees of this department develop and make recommendations concerning telecommuting information security policies that affect the entire organization. |
| Extrarole 05 | Employees of this department speak up and encourage others in the organization to become more involved in telecommuting information security policies that affect the entire organization. |
| Extrarole 06 | Employees of this department voice their opinion about new strategies or changes made to the telecommuting information security policies. |
|
| Items on perceived severity adapted from D’Arcy and Devaraj [11] |
| Perceived severity 01 | Severe responsibilities should be taken for accessing personnel systems using administrator passwords while telecommuting. |
| Perceived severity 02 | Accessing unauthorized systems while telecommuting will result in disciplinary action. |
| Perceived severity 03 | Severe responsibilities should be taken for revising personal overtime records using administrator passwords while telecommuting. |
| Perceived severity 04 | Severe responsibilities should be taken for installing unauthorized software on corporate computers while telecommuting. |
| Perceived severity 05 | Severe responsibilities should be taken for sending inappropriate emails to colleagues from the corporate email account while telecommuting. |
|
| Items on perceived certainty adapted from D’Arcy and Devaraj [11] |
| Perceived certainty 01 | Accessing personnel systems using administrator passwords while telecommuting will be discovered. |
| Perceived certainty 02 | It is likely that companies will detect the employees who access unauthorized systems while telecommuting. |
| Perceived certainty 03 | Revising personal overtime records using administrator passwords while telecommuting will be discovered. |
| Perceived certainty 04 | Installing unauthorized software on corporate computers while telecommuting will be discovered. |
| Perceived certainty 05 | It is likely that companies will detect the employees who install unauthorized software on corporate computers while telecommuting. |
| Perceived certainty 06 | Sending inappropriate emails to colleagues from the corporate email account while telecommuting will be discovered. |
|
| Items on moral belief adapted from D’Arcy and Devaraj [11] |
| Moral belief 01 | If the password to a system that contains the payroll information of all employees is known, then it is morally permissible to access the system while telecommuting. |
| Moral belief 02 | It is morally permissible to revise personal overtime records using administrator passwords while telecommuting. |
| Moral belief 03 | It is morally permissible to install unauthorized software on corporate computers while telecommuting. |
| Moral belief 04 | It is morally permissible to send inappropriate emails to colleagues from the corporate email account while telecommuting. |
|
