It Takes a Village: Understanding the Collective Security Efficacy of Employee Groups

An organization's ability to successfully manage information security incidents is determined by the actions of its employees, as well as the actions of various groups of employees within its organizational boundaries. To date, information security research has primarily focused on individual-level phenomena and has not yet explored group-level phenomena such as how employee groups recognize and respond to security incidents in a way that is consistent with the organization's security goals and objectives. The current study addresses this gap, thereby answering the research call for group-level security research perspectives. The present study explores how employee groups formulate their collective security efficacy, which influences how group members recognize and respond to information security incidents. Using a case study of a large healthcare research organization (HRO), we analyze two security incidents, a malware attack, and a physical security breach, to identify a unique set of ecological and social properties of employee groups that are salient to their collective security efficacy.