Opening the Black Box of Employee Vulnerability to Cyberattacks

Organizations implement human resource management (HRM) practices to meet strategic goals by means of influencing employee behavior. In today's digital age, employee cybersecurity behaviors have become critical. Cybercrimes are on the rise, creating organizational liabilities, eroding credibility, and tarnishing the corporate image. Organizational insiders or employees are vulnerable to malicious actors such as hackers (or actors who are not authorized yet desire to access an organization’s information system). How employees become vulnerable is a burgeoning area of scholarship across multiple disciplines. In cybersecurity research, there have been calls to study how best to manage employee cybersecurity behaviors. Despite research on employee deviance, currently little research exists on how employee (unintentional) deviations from organization expected cybersecurity behaviors arise or what makes employees vulnerable to novel cyberattacks. To address this issue, this inter-disciplinary and conceptual work draws from research in cybersecurity, strategic Human Resource Management (HRM), and social cognition. I develop a theoretical model that unravels the role of HRM practices in impacting employee vulnerability to cyberattacks. The model proposes different mechanisms (depleting attentional resources and incentivizing attention allocation) through which the content and process of HRM practices impact employee cognitive load and employee vigilance. The theorizing also disentangles how employee vigilance relates to employee vulnerability to cyberattacks. The theory developed in this paper has implications for research on cybersecurity and strategic HRM. This work also generates insights for managers.