Personality and Employees’ Information Security Behavior among Generational Cohorts

The Big Five Factors Model (FFM) of personality traits theory was tested for its ability to explain employee information security behavior (EISB), when age, measured by generational cohort (GCOHORT), moderated the relationship between the independent variables (IVs) extraversion, agreeableness, conscientiousness, emotional stability, intellect (EACESI) and the dependent variable (DV), employees’ information security behavior (EISB) which is measured by file protection behavior (FPB). Three age groups defined GCOHORT: 52–70 years old (1946–1964, Baby Boomers), 36–51 yrs old (1965–1980, Generation X), and 18– 35 yrs. Old (1981–1998, Millennial). Results of hierarchical multiple regressions analyses revealed statistically significant relationships between overall personality traits, four individual factors of personality traits, and the DV (p < .05). However, contrary to expectations, GCOHORT did not moderate the relationship between any of the main IVs and the DV (p > .05). Recommendations for future research are offered.


Introduction
In an era of big data, when organizations are now more reliant on information systems (InfoSys) for market gains and competitive advantage, data breaches are increasing with dizzying frequency. Goddijn (2019) reported the occurrence of 3813 data breaches by June 30th 2019, which exposed 4.1 billion of customers' records to cyber criminals; startlingly, this was a 54% increase in data breaches and a 52% increase in the number of exposed records compared to the same period in 2018. Emails and passwords accounted for 70% and 68% of breaches respectively. Although the publicly reported number of data breaches in the first Quarter of 2020 was 58% less than the same period in 2019, the likely reason for the decrease was partly due to reporting disruptions caused by COVID19 (Goddijn & Kouns, 2020).
Organizational insiders such as employees account for most data breaches, yet organizations allocate most of their resources to external and technical solutions to prevent these occurrences (Besnard & Arief, 2004;Choi et al., 2018). It is critical for organizational leaders to understand whether or how employees' personal differences inform their information security (InfoSec) or cybersecurity behaviors (Fatokun et al., 2019), and especially important to study personality traits in relation to InfoSec (Uffen, Guhr, & Breitner, 2012). However, there is a gap in the literature in understanding the relationship between employees' behaviors and data breaches since there is a paucity of research on the individual differences in this type of research (Gratian et al., 2017;Whitty et al., 2015). Repeatedly, calls have been made to study the phenomenon of data breaches and employee behaviors from a behavioral science perspective, and, in particular, with a focus on the correlation between personality traits and employees' information security (InfoSec) behaviors (e.g., Gratian et al., 2017;Lounsbury et al., 2014;Pattinson et al., 2015;Shropshire et al., 2015;Whitty et al., 2015;).
The problem that prompted this study is that there are conflicting reports about the relationship between various personality traits, age, and their correlation with employees' InfoSec behaviors (e.g., Gratian et al., 2017;Haddington, 2018;McCormack et al., 2017;Nicholson et al., 2005;Pattinson et al., 2015). Therefore, the purpose of this research is to contribute to the sparse body of literature on personality traits and employees' InfoSec behaviors, based on employees' generational cohorts. Specifically, the InfoSec behavior under investigation is file sharing behavior.

Literature Review
For firms, as well as their customers, consequences of data breaches can be disastrous and can affect firm performance and customer confidence negatively (Martin et al., 2017;van Bavel et al., 2019). Organizations can suffer loss of investors' confidence, loss of market share and revenues, harm to the company's brand and reputation, loss of intellectual property, and decreased customer spending (Janakiraman et al., 2018). Consumers often suffer from firms' data breaches as well when their personally identifiable information become subject to identity theft, which can cause havoc in their personal and professional lives. Goddjin (2019) reported that approximately 70% of breaches were due to -unauthorized access to systems or services, while approximately 90% of the records exposed were attributable to exposing/publishing data online‖ (p. 2).
Traditional approaches to information security (InfoSec) management of data breaches have been rooted in technological solutions (Besnard & Arief, 2004;Choi et al., 2018). Despite major investments in external solutions for data protection, across industries the failure rate of InfoSec initiatives is extraordinarily high as businesses continue to bleed billions of dollars each year on various types of externally-focused initiatives, while overlooking insider human behavior (Choi et al., 2018;Leszczyna, 2013). However, there is now ample proof in the literature, which show that insiders' human errors and actions are responsible for as many as 33% to 90% of data breaches and cyber attacks (e.g., Budzak, 2016;Colwill, 2009;Shepherd & Kline, 2012;Shropshire et al., 2015;Zhen et al., 2020). According to Rafter (2020) in a report for Norton, a global company providing cyber security solutions to homeowners and businesses, employees are on the frontlines of InfoSec; however, they are the weakest links in InfoSec efforts (Gratian, et al., 2017;Vroom & von Solms, 2004). Employees indulge in risk-taking behavior that present a significant threat to InfoSec systems and controls when they exhibit poor information security behavior by not complying with the organization's policies and procedures (Ifinedo, 2014;Kessler et al., 2019); however, consistently, employees overestimated the probability that they could fall victim to InfoSec breaches (Herath & Rao, 2009). Lahcen et al. (2020) postulated, -People's biases and behaviors influence the interactions with software and technology…‖ (p. 2). This had been borne out in the literature in earlier research (e.g. Shropshire et al., 2015;Vroom & von Solms, 2004).
Since firms collect copious amounts of sensitive industry and customer data, it behooves organizational leaders to protect this information; yet, incredibly, organizations focus most of their security control efforts on external solutions even though longstanding evidence has shown that the behaviors of organizational insiders account for most data breaches (Choi et al., 2019;Colwill, 2009;Jeong et al., 2019;Uffen, Guhr, & Breitner, 2012); indeed, employees' noncompliance with internal InfoSec measures as well as deliberate acts of revenge and sabotage account for most security breaches (Peikari & Banazdeh, 2019). Forms of employee noncompliance are rooted in human behaviors, which include seemingly benign acts such as treating information security measures lightly, to more egregious behaviors that can include committing deliberately malicious acts against the organization (Besnard & Arief, 2004;Colwill, 2009;Shepherd & Kline, 2012;Shropshire et al., 2015;Kessler et al., 2019).
In past studies related to technology acceptance and use, researchers tended to rely on theories such as the technology acceptance model (TAM) and the unified theory of acceptance and use of technology (UTAUT) to study employees' acceptance attitude toward IT and InfoSec. However, given the role that employees' behaviors play in data breaches, increasingly, researchers are turning to theories in the behavioral sciences for answers about how personality, cognition, and other behavior-related influences might inform employees' IS behavior (Pfleeger & Caputo, 2012;Uffen, Kaemmerer, & Breitner, 2013). In this study, a behavioral science approach is taken and the Big Five Factor Model (FFM) of personality traits provides the theoretical foundation for the research. The purpose of the study is to (a) investigate the efficacy of the FFM to predict employees' information security behavior (EISB), measured by file protection behavior (FPB), the dependent variable (DV), and (b) to understand the effect that generational age has on the relationship between the five individual factors of personality traits and FPB.

Behavioral Science Approach to Understanding IS Breaches
It is only in the last 15 -20 years that interest emerged in applying a behavioral science approach to understanding the problem of InfoSec breaches. Studies on explanatory relationships between personality traits and InfoSec behaviors have been emerging as areas of interest in understanding human behavior in relation to information security; however, there is still a paucity of literature in this area of research (Gratian et al., 2017;Shropshire et al., 2015); hence Shropshire et al. recommended continued InfoSec research grounded by behavioral theories. Nevertheless, despite the lack of a robust body of literature in this area, there are reports of correlations between personality trait variables and employees and consumers' behaviors toward information technology (IT) and information security behaviors (Cheng et al., 2013;Gratian et al., 2017;Patsiotis et al., 2013;Shropshire et al., 2015;Uffen, Kaemmerer, & Breitner, 2013).

Personality and Personality Traits
According to the American Psychological Association (2020), -personality refers to individual differences in characteristic patterns of thinking, feeling and behaving‖ and a trait is -a dynamic trend of behavior, which results from the integration of numerous specific habits of adjustment, and which expresses a characteristic mode of the individual's reaction to his surroundings‖ (Allport, 1927, p. 288). Personality traits are universal and inherent in all human beings across the globe, across all cultures, and influence human behaviors (Allik et al., 2017;Allport, 1927;Goldberg, 1993;McCrae & Costa, 1997) and has been reported to be stable and consistent over time (Costa et al., 2019;Damian, 2019;McCrae & Costa, 1997). However, Roberts and Mroczek (2008) cited several longitudinal studies, which show that personality traits are malleable, continue to change and develop during all phases of an individual's lifespan.
Because of its bearing on human behaviors, personality traits have been studied in a wide variety of organizational contexts for its relationship with human behavior and various organizational outcomes (Syed & Tappin, 2019). Due to the overwhelming evidence of the presence of five dominant personality traits under which other traits were clustered what became known as the -Five Factor Model‖ (FFM) of personality traits emerged. Barrick et al., (2003) posited, -The FFM model of personality describes the basic dimensions of personality at a global level‖ (p. 46). Eventually, this model of five dominant traits was dubbed the Big Five Factor Model (FFM).

The Big Five Factor Model of Personality Traits
Two FFMs popularly used in behavioral science research are the Revised NEO Personality Inventory (NEO-PI-R) model by Costa and McCrae (1992), which is referred to as the NEOAC model 1 and the Goldberg (1999) model, referred to by the acronym EACESI. The NEO PI-R derives from factor analyses of questionnaires and lower-order facets, and is arranged in a hierarchical order, as follows:  Factor 1 = Neuroticism (easily prone to emotional distress and stress; the opposite of Emotional Stability);  Factor 2 = Extraversion (tendency toward risk-taking and intense and frequent interpersonal interactions);  Factor 3 = Openness to experience (tendency to seek out new experiences)  Factor 4 = Agreeableness (tendency to be helpful, sympathetic, unselfish);  Factor 5 = Conscientiousness (tendency to be hardworking, detail and achievement oriented).
It has long been established in the seminal and contemporary literature that, in social and organizational contexts, the FFM is suitable for studying human behaviors and dispositions. For example, risk-taking behavior is a characteristic of extraversion (Nicholson et al., 2005). In a study of participants in various organizational and social contexts, Nicholson et al. found positive relationships between high extraversion, agreeableness, and propensity for risk. According to Nicholson et al., low neuroticism and low conscientiousness insulate individuals against feelings of guilt or anxiety related to negative consequences of risk-taking. Furthermore, low conscientiousness -makes it easier to cross the cognitive barriers of need for control, deliberation and conformity‖ (p.170). Jackson et al., (2009) reported an increase in the conscientiousness trait with increased age. These findings have implications for employees' InfoSec behavior in regards to whether employees' personality traits explain or predict their file protection behaviors. In fact, in relation to InfoSec, it is important to study personality traits (Uffen, Guhr, & Breitner, 2012).
In the IT and InfoSec fields, the study of personality traits is emerging as an area where the behavioral sciences have been applied to investigate and explain employees' personality and InfoSec behaviors in relation to various organizational outcomes that range from organizational commitment to information security. For example, based on a national sample of IT professionals (N = 279), Syed and Tappin (2019) reported no statistically significant correlations between neuroticism and organizational commitment in a study of the relationship between the neuroticism factor of personality traits (IV), personal characteristics (IV) and organizational commitment (DV).
Specific to InfoSec, Uffen et al. (2012) reported conscientiousness was positively related to an individual's technical and organizational InfoSec activities. Pattinson et al. (2012) reported higher InfoSec behaviors against phishing emails among individuals who scored high on extraversion and openness (intellect); responding to phishing emails is risky InfoSec behavior as respondents are enticed to share sensitive information. Concerning the influence of individual differences on cognitive determinants of behavioral intention to use security measures among a sample of smartphone users (N = 435), Uffen, Kaemmerer, and Breitner (2013) reported that multiple facets of personality traits significantly affected cognitive determinants to predict intention to use security measures; for example, conscientiousness and extraversion were related positively to information security management, but openness was not positively related with intention to use security measures (Halevi, 2013;Uffen et al., 2013 ). Li et al. (2014), observing that individuals displayed similar online and offline behavior, confirmed behavioral consistency in file protection behavior among individuals online and in the workplace such that micro-blogging behavior predicted personality traits among a sample of Chinese micro bloggers (N = 547). Welk et al. (2015) found that individuals with lower scores on extraversion and anxiety were better at phishing detection; low anxiety is indicative of the emotional stability trait, while high anxiety is characteristic of neurotic individuals (Syed & Tappin, 2019). Jeske et al. (2016) confirmed some personality traits can predict human security behavior in smartphone use and on social media. Shropshire et al. (2015) reported that, based on a sample of undergraduate college students (N = 170), attitudinal constructs confirmed evidence of behavior toward InfoSec measures, and two personality traits (conscientiousness and agreeableness) were positively related to intent to adopt IS measures. Pattinson et al. (2012), and Pattison et al. (2015) examined accidental-naï ve (i.e., risky) behaviors such as inadvertently sharing passwords, opening attachments in unsolicited emails, which are types of InfoSec behaviors (Gratian et al., 2017;Hayden, 2009;Herath & Rao, 2009;Shropshire et al., 2015;Stewart & Jṻrgens, 2017;Whitty et al., 2015). Specifically, Pattinson et al. (2015) examined InfoSec related behaviors related to -password management, email use, Internet use, social networking site use, mobile computing, information handling, and incident reporting‖ (p. 5). Personality traits and age were among the variables examined by standard multiple regression analysis to explain InfoSec behavior. Findings were that individuals with low extraversion scores and high scores in agreeableness, conscientiousness, openness (intellect), as well as older individuals, were less likely to indulge in risky InfoSec behaviors; emotional stability was not statistically significantly related to InfoSec behavior. McCormac et al. (2016) reported that agreeableness, conscientiousness, and emotional stability (the opposite of neuroticism) explained statistically significant variances in individuals' information security awareness (ISA). Russell et al., (2017) reported an inverse correlation between neuroticism and secure cyber behaviors such that as neuroticism increased, cybersecurity behaviors decreased. Neuroticism has been long associated with anxiousness, stress, and keener beliefs about impending threats, so the results by Russell et al. that neurotic individuals were less likely to practice secure cyber behavior was surprising. Russell et al. surmised that the high levels of worry and stress among neurotics might limit the mental resources required to maintain secure cyber behaviors. In a study of correlations between human personality traits (i.e., individual differences) and cybersecurity behavior intentions based on a sample of 369 students, faculty, and staff at a large public university, Gratian et al., 2017) reported, -individual differences accounted for 5%-23% of the variance in cyber security behavior intentions, and extraversion and gender were predictors of good security behavior‖ (p. 345).
A close examination of the InfoSec and personality traits literature revealed some conflicting results. Since this area of research is still developing, there is a need for further inquiries into whether behavioral sciences theories-and personality traits in particular-can explain employee IS behaviors (Shropshire et al., 2015).
Inspired by Shropshire, Johnson, Warkentin and Schmidt (2006) and Shropshire et al. (2015), we drew on literature on behaviors in organizational and social contexts as well as individuals' behaviors toward InfoSec adoption and use in a variety of contexts. In this study, we examine the effect that generational age exerts on the relationship between the FFM and employees' information security behavior to explain employees' file protection behavior.

Information Security (InfoSec)
The terms -information security‖ and -cybersecurity‖ have been used interchangeably in the literature (von Solms & van Niekerk, 2013), and is similarly applied in the present study. However, although the two terms carry analogous overlapping meanings related to the protection of data, von Solms and van Niekerk postulated that there are subtle differences in that cyber security goes further than InfoSec in that it includes human security in addition to data security. Wilner (2018) opined that -information security‖ is a more accurate and appropriate term than -cybersecurity‖ to describe protection of data. It is critical for organizations to understand how employees' personal differences inform their InfoSec (cybersecurity) behaviors (Fatokun et al., 2019) as there is a paucity of research on the individual differences in this type of research (Gratian et al., 2017;Whitty et al., 2015). For the purposes of this study, InfoSec is defined as the management and protection of an individual's or a company's information data and/or data assets (e.g. Cheng et al., 2013;Thompson & von Solms, 2005), and carries the same meaning as cybersecurity.

Employee Information Security Behaviors (EISB)
Employees' information security behavior (EISB) is the -core set of information security activities that have to be adhered to by end users to maintain information security as defined by information security policies‖ (Padayachee, 2012, p. 673). InfoSec behaviors include actions by individuals related to -running and updating security software, keeping passwords secure, running a firewall, enabling encryption for home wireless network, etc.‖ (Villafranca, 2015, p. 159). In this study, the employee InfoSec behavior of interest is employees' attitude toward protecting their electronic files, or file protection behavior (FPB).

File Protection Behavior (FPB)
The dependent variable (DV), File protection behavior (FPB), is defined as limiting or allowing access to files on one's computer (Hayden, 2009;Shropshire et al., 2015). File protection behavior operationally defines employee information security behaviors (EISB). Activities related to FPB include-but are not limited to-following prescribed conventions regarding, for example, creating complex passwords; protecting passwords; sharing passwords; backing up data; data sharing; adhering to email policies; scanning documents, detecting; proactive awareness such as avoiding phishing emails; updating to keep abreast of security patches; device securement, and protecting access to sensitive electronic files (Gratian et al, 2017;Hayden, 2009;Herath & Rao, 2009;Shropshire et al., 2015;Stewart & Jṻrgens, 2017;Whitty et al., 2015). Despite emerging interest in investigating the problem of InfoSec through different theoretical lenses, to date, little is known about how behavioral science theories such as the FFM might explain information security behaviors among employees of different generational age groups as evidenced, for example, by their attitudes and behaviors concerning protection of their electronic files.

Age
Personal characteristics such as age, ethnicity, gender, geographic region, educational and socio-economic status, are common and important demographic variables used in social science research. Older individuals were shown to be generally more cautious and less prone to risk-taking (Nicholson et al., 2005). However, regarding InfoSec, age has been associated with risky behaviors (e.g., Chakraborty, Vishik, & Rao, 2013;Grimes, Hough, Mazur, & Signorella, 2010;McGhee, Ehrler, Buckhalt, and Phillips, 2012). Results of a study by Whitty et al. (2015) on the effects of age on password-sharing, which is one type of file-protection behavior, indicated that older people were more likely to share passwords. Contrarily, McCormac et al. (2016) found that age made no statistically significant contribution to information security awareness, and Gratian et al. (2017) found that the age demographic exerted no statistically significant unique effect on security behavior intention. However, more recently, Fatokun et al. (2019) reported a statistically significant relationship between age and cybersecurity behavior among two groups of younger (< 30 years old) and older (> 30 years old) college students, and Shappie, Dawson, and Debb (2019) reported age to be a significant predictor of cybersecurity behaviors.
Due to the widely accepted view concerning the stability of personality traits from childhood through adulthood, these findings carry implications concerning a variety of behaviors in adulthood, including security related behaviors. The seemingly conflicting reports regarding age and InfoSec behavior warranted further studies on the phenomenon. For this study, age is measured by belongingness to one of three generational cohorts (GCOHORT) born between 1946-1964, 1965-1980, and 1981-1998.

Generational Cohort
According to reports from the Bureau of Labor Statistics (BLS), individuals enter the workforce earlier than age 18 and remain in it past the age of 70 (Toossi & Torpey, 2017). Generational cohorts are people with identical birth years, history, and share common or distinct experiences (Zemke, Raines, & Filipczak, 2000). Although the span of years is not typically absolute, the range of years for the generational cohorts falls between 15 to 20 years. The generational groups under investigation in the present study spanned the following periods: 1946-19641965-1980(Generation X), and 1981-1998.
The cultural events, (historical, political, and social), as perceived by the generational cohorts, characterizes and influences their values, work ethics, attitude toward authority, and professional aspirations (Duchscher & Cowin, 2004). Different generations generally respond differently to phenomena in their environment, and these responses can inform organizational functioning in the workplace (Scroxton, 2020). For example, Villafranca (2015) reported Millennials showed a propensity to exhibit responsible InfoSec behaviors in relation to phishing and spamming, but lower awareness in regards to malware, viruses, worms, and Trojans; however, they become more security aware as they age. In a publication by the Society for Human Resource Management (SHRM), Hardy (2016) highlighted security concerns around Millennials' use of personal devices in the workplace and their perceptions about file sharing and use of social media at work. Garba, Armarego and Murray (2015) reported Generation X was more dependent on the use of their own devices at work, and the use of personal devices at work was fraught with InfoSec risks. Baby Boomers are perceived to be slow adopters of technology and not as cognizant of cyber threats as younger generations (Chakraborty et al., 2013;Grimes et al., 2010). This perception might create preconceived notions regarding InfoSec behavior in the workplace toward this generation, especially since Baby Boomers are using some types of social media at higher rates than succeeding generations (Clement, 2020;Madden, 2010). Sixty-eight percent of Baby Boomers use Face Book, and 70% of this generation uses YouTube actively (Clement, 2020). Since employees of all ages use social media at work and since these media have been identified with employee-related InfoSec behaviors (e.g., Ornstein & Huseman, 2015), it is important to study the behaviors of different generational cohorts to understand differences in their behaviors with regards to InfoSec. Whitty et al. (2015) found that older individuals who scored high on self-monitoring, which is associated with conscientiousness, were more likely to share their passwords, hinting at a surprising lack of security awareness. Conscientiousness in individuals is known for attention to detail and high work ethics; perhaps older individuals with high expressions of this trait might actually be less cautious about their file protection behavior due to over confidence in their ability to be detail oriented. McCormac et al. (2016) reported that age did not statistically significantly explain any variance in InfoSec awareness such as attitude and behavior toward sharing password. The apparent conflicting results in the literature, the paucity of literature on the subject, and the knowledge gap in the InfoSec field presented the opportunity to investigate the problem further.
The stability of personality traits from youth through maturity has long been established in the literature; however, within the last decade research revealed changes in personality traits in adulthood, based on individual differences (Roberts & Mroczek, 2008). Therefore, it is reasonable to expect that generational age would affect the relationship between personality traits and employees' information security behavior (EISB). We were prompted to ask whether (a) the FFM had the power to explain a relationship between extraversion, agreeableness, conscientiousness, emotional stability, intellect (EACESI) and employees' InfoSec behavior (EISB), as measured by their file protection behavior (FPB), and whether generational age moderated the relationship between each of the five individual Big Five traits and FPB. The FFM is measured by the IVs, extraversion, agreeableness, conscientiousness, emotional stability, and intellect (Goldberg, 1999). Based on the conflicting evidence, paucity of literature, and gap in the literature, we propose the following hypotheses:

Hypotheses
H 1 : Generational age will moderate the relationship between overall personality traits and employee's file protection behavior.
H 2 : Generational age will moderate the relationship between extraversion and employee's file protection behavior.
H 3 : Generational age will moderate the relationship between agreeableness and employee's file protection behavior.
H 4 : Generational age will moderate the relationship between conscientiousness and employee's file protection behavior.
H 5 : Generational age will moderate the relationship between emotional stability and employee's file protection behavior.
H 6 : Generational age will moderate the relationship between intellect and employee's file protection behavior.
Null hypotheses (H 0 ) were that generational age will not moderate the relationship between all of the main IVs and the DV.

Method
In the study, overall personality traits, extraversion, agreeableness, conscientiousness, emotional stability, and intellect (EACESI) are the main independent variables (IVs), generational age cohort (GCOHORT), a second set of IVs, is the moderating variable (MV), and EISB is the dependent variable (DV). A multiple regressions model was appropriately applied to study relationships between the variables (Tabachnick & Fidell, 2007).
Employees' generational age is measured by 18 -35 yrs old (Generation Y/Millennial, 1981-1998; 36 -51 yrs old (Generation X, 1965(Generation X, -1980, and 52 -70 yrs old (Baby Boomers, 1946-1964. The employees' information security behavior (EISB) construct is measured by the DV, file protection behavior (FPB), as evidenced by employees' attitude toward protecting their electronic files. To investigate relationships among the variables, the study drew upon a broad spectrum of computer users (N = 152) from diverse organizations within the United States (U.S.). These employees were all employed at the time the survey was taken, and all had access to sensitive files in their organization.

Overview
Analysis was at the employee level and a sample frame of employees who had access to sensitive electronic data in their organization was targeted from the population. Based on a G*Power 3.1.9.4 a priori calculation (Faul, Erdfelder, Buchner, & Lang, 2009), the sample size was 153 employees, which had the power (1-β err prob = 0.95) to detect a statistically significant (p = 0.05) medium-sized effect (f 2 = 0.15) in the sample. Qualtrics XM returned responses from158 individuals with fully completed questionnaire surveys.
Six assumptions related to the multiple regressions model were checked to make a preliminary determination of the fitness of the data to use in the regression analysis; these assumptions are independence of errors, linearity, homoscedasticity, multicollinearity, significant outliers/influential points, and normality of distribution (Rahman, Sathik, & Kannan, 2012). Subsequently, of the 158 responses, six outliers were eliminated due to their influence of extreme skewness on the distribution of the data. All future analyses were based on the final sample size of n = 152.
Although some skewness of the data was still evident after removal of the outliers, the residuals were approximately aligned with the end points of the regression line. Regression analysis is robust to the distribution of data assumption (Osborne & Waters, 2002); therefore, the regression model was deemed appropriate for data analysis and, based on the ANOVA output (p < .05), the data were a good fit for the model.

Participants
The population of interest adults was employed within the U.S. at the time of data collection. Primary data collected by Qualtrics XM were used in the study. Qualtrics XM used random sampling probability techniques to select study participants from its panel of voluntary survey participants. The company followed established protocols for ethical research involving human subjects and, although demographic data such as participants' age and geographic region were collected, no personally identifiable information was solicited from participants. Participants completed a self-reported survey online, which took less than 15 minutes to complete. It must be noted that the questions were all presented on one continuous web page; implications regarding this survey type of construction are discussed in section 5.

Measures
Data on the DV, EISB, which is measured by file protection behavior (FPB), were collected on a five-point Likert-type single-item scale instrument. Single-item scales are appropriate when the construct it measures is clear, concrete, and unambiguous such that the question means the same thing to different raters (Diamantopoulos et al, 2012;Wanous et al., 1997). Study participants were asked -How important to you is it that only you or those you authorize are allowed to access the files of your organization‖. Responses were weighted 1 to 5 with lower scores implying lower file protection behavior. Instrument reliability is generally not calculated on single-item scales; however, based on Diamantopoulos et al (2012) and Wanous et al. (1997), these scales are considered reliable and valid when they measure a concrete, unambiguous construct; such is the case with the FPB scale in the present study.
Data on the IVs, personality traits, were collected with the public domain 50-item IPIP Big Five factors questionnaire instrument accessible at https://ipip.ori.org/new_ipip-50-item-scale.htm. Ten questions measured each of the five factors of personality traits. Responses to the 50-item IPIP Big Five Factors questionnaire instrument were measured on scales that ranged from 1 to 5, with 1 = This is very inaccurate, 2 = This is inaccurate, 3 = This is neither inaccurate nor accurate, 4 = This is accurate, and 5 = This is very accurate. Several items needed to be reversed scored (Table 3). Composite scores were obtained for the variables, which were renamed Extra_Avg, Agree_Avg, Consc_Avg, EmStab_Avg, and Intell_Avg. A further composite score of these renamed variables produced a single score for Overall Personality Traits (OPT). High scores on the 50-item IPIP Big Five factors questionnaire translates to higher expression of the personality trait.
The reliability and validity of the 50-Item IPIP instrument has long been established in prior research (e.g., Goldberg, 1993;Fronczyk, 2019;Lim & Ployhart, 2006;Robertson, Jangha, Piedmont, Sherman, & Williams, 2017;Rojas & Widiger, 2014). Psychometric properties of the instrument in the original Goldberg study indicated it exhibited very strong overall reliability (α = .84). Overall reliability of the instrument in the present study was high, α = .78 (Table 2). Differences in scale reliability between the original reports and those of the present study are attributed to sample size and composition. Data for generational cohort (GCOHORT) were taken from the demographic variables, which were collected to present an understanding of the population from which the sample was drawn. Study participants were asked, -The year you were born falls into which of the following age groups?‖ Responses ranged from 1 = 18 -35 yrs old (1981( -1998, 2 = 36 -51 yrs old (1965( -1980, 3 = 52 -70 yrs old (1946-1964. SPSS excluded from the analyses 1 = 18 -35 yrs old (1981( -1998.

Analysis of the Data
Examination of the research questions was by means of six hierarchical (a.k.a. sequential) multiple regressions (HMR) procedures; the HRM procedure is appropriate for assessing the additional contributions each variable makes to variances in the DV (Tabachnick & Fidell, 2007). The IBM ® Statistical Package for the Social Sciences (SPSS) version 26 was used to analyze the data. To answer the theory-testing omnibus question (H 0 ), the variable overall personality traits (i.e., the composite score of the averaged scores for the variables measuring the five dimensions of the FFM) was first entered into the regression equation in Block 1. In a second step, the moderating generational age cohort variables, measured by span of years, were entered into the equation (Block 2). Similarly, to answer H 2 -H 6 , in five separate regression procedures, each of the five factors of personality traits variables (EACESI) was entered in Block 1 and the generational age variables were entered in Block 2 of the regression equation; these were regressed individually against the DV, FPB.
The Pearson's coefficient R was assessed to determine the direction and size of the magnitude of the relationship between the IVs and the DV. The Pearson product-moment correlation coefficient (R) is one type of effect size and is a standardized measure that provides information on the direction and strength of the relationship between two variables; this coefficient can range only from -1 through 0 = no correlation, to +1 = a perfect linear correlation. The R coefficient will always fall in the range of -1 to +1 (Sheskin 2010); the relationship between the tested IV and the DV is considered small effect when R =.10; medium or moderate effect when R = 30; and large effect when R = .50. The coefficient of determination, R 2 , was appraised for the size of the effect contributed by the IV to variations in the DV. Per convention, statistical significance was set at p < .05. According to Cohen (1988), for F-tests multiple regressions, as indicated by R 2 , a small effect size = .02, medium = .15, large = .35.

Results
The purpose of this study was to assess whether generational age cohort (GCOHORT) moderated the Big Five dimensions of personality traits (EACESI -IVs) and EISB to explain or predict FPB. Altogether, six hierarchical multiple regressions procedures were performed.
Personality traits have long been recognized as predictors of human behavior and for remaining stable over time (Costa, McCrae, & Löckenhoff, 2019;Gallagher, Fleeson, & Hoyle, 2010;McCrae & Costa, 1997), so the FFM was an appropriate theoretical model with which to underpin the study. The hierarchical multiple regressions statistical model applied to investigate relationships among the variables was also appropriate as it is useful for assessing the additional contributions each variable makes to variances in the DV, when the variables are entered into the regression equation sequentially. In other words, the main objective of hierarchical multiple regression analysis is to assess the proportion of the variation in the outcome variable explained by the addition of new independent variables. The means and standard deviations for the continuous variables are summarized in Appendix B, Table B1.

Distribution of the Responses in the Sample
To the question -How important to you is it that you or those you authorize are allowed access to the files on your computer‖, of the 152 participants surveyed, 70.4% (n = 107) indicated that it was very important or somewhat important (n = 32, 21.1%) to them. As mentioned previously, the raw personality traits scores were averaged to obtain composite/mean scores for analysis. The personality traits with the highest mean expressions in the sample (Appendix B, Table B2) were agreeableness (n = 39, 25.7%), with highest scores reflecting high agreeableness (n = 24, 15.8%), and extraversion (n = 34). (n = 10, 6.6%), and the lowest was emotional stability (n = 4, 2.6%).

Results of the Test of the Null Hypotheses (H 0 -H 6 )
Six hierarchical multiple regressions procedures were run to determine whether the addition of generational age to the regression equation improved the prediction of file protection behavior (FPB) over and above overall personality traits, extraversion, agreeableness, conscientiousness, emotional stability, and intellect. Two model summaries resulted from each of the tested IVs: the Model 1 Summary output represents the first step in the hierarchical analysis when only the main IV is used as a predictor. The Model 2 summary represents the full model results when generational age is entered into the equation in a second step; the main IV is also included in this output. In all cases, in the full model, the addition of generational age group to the regression equation did not contribute to a statistically significant relationship between any of the IVs and the DV (p > .05). Except for the regression of emotional stability (IV) against FPB (p = .070; p > .05), statistically significant relationships that ranged from fairly moderate to moderate existed between each of the remaining tested main IVs (i.e., overall personality traits, extraversion, agreeableness, conscientiousness, and intellect) and FPB. Full summaries of the results are presented in Table 3.  The F-ratio in the ANOVA Table indicated that the regression model was a good fit for the data, F(1,150) = 13.48, p < .005. Results of the present study agreed with evidence in the literature, which shows that, overall, personality traits explain or predict InfoSec behavior; in this case, FPB. In the present study, the strength of the relationship between OPT and FPB was positive, approximately medium (R = .287), and highly statistically significant ((p = .000; p < .001). The IV (OPT) contributed 8.2% to the variation in the DV (R 2 = .082), which when adjusted, contributed to 7.6% (Adjusted R 2 = .076) of the variance in FPB. OPT added statistically significantly to the prediction of FPB; for each unit increase of OPT, there was a highly statistically significant 38% increase in FPB (ß = .380; p = .000, p <.001). However, the full model of OPT and generational age to predict FPB was not statistically significant (R 2 = .092; p = .47, p > .05). Hypothesis one (H 1 ), which stated that generational cohort will moderate the relationship between overall personality traits and FPB, was not supported.

Extraversion, Generational Cohort vs. File Protection Behavior (H 2 )
The strength of the correlation between extraversion and FPB was positive, fairly moderate (R = .270), and was statistically significant (p = .00; p < .01). The size of the contribution made by the extraversion personality trait to the variance in FPB was 7.3% (R 2 = .073); when adjusted, this contribution accounted for 6.7% of the variance in FPB (Adjusted R 2 = .067). Extraversion added statistically significantly to the prediction of FPB, F(1,150) = 11.8333, p < .05, R 2 = .073. For each unit increase of the extraversion trait, there was a statistically significant 25.9% increase in FPB (ß = .259; p = .001; p < .05). The full model of extraversion and generational age to predict FPB was not statistically significant (R 2 = .072; p = .345, p > .05). Hypothesis two (H 2 ), which stated that generational cohort will moderate the relationship between extraversion and employee's InfoSec behavior, as measured by file protection behavior, was not supported.

Conscientiousness, Generational Cohort, vs. File Protection Behavior (H 4 )
The strength of the correlation between conscientiousness and FPB was fairly weak, and statistically significant (R = .197; p = .015; p < .05). Conscientiousness contributed 3.9% of the variance in FPB (R 2 = .039). When adjusted, this contribution amounted to 2.8% (Adjusted R 2 = .028). The conscientiousness trait added statistically significantly to the prediction of FPB, F(1,150) = 6.081, p = .015, p < .05; R 2 = .039. There was a positive relationship between conscientiousness and FPB such that for each unit increase of the conscientiousness trait there was a statistically significant 24.3% increase in FPB (ß = .243; p = .015, p < .05). The full model of OPT and generational age to predict FPB was not statistically significant (R 2 = .197; p = .529, p > .05). Hypothesis four (H 4 ), which stated that generational cohort will moderate the relationship between conscientiousness and employee's InfoSec behavior, as measured by file protection behavior, was not supported.

Emotional Stability, Generational Cohort, vs. File Protection Behavior (H 5 )
The strength of the correlation between emotional stability and FPB was weak (R = .148), positive, and statistically nonsignificant (R2 = .022; p = .070), contributing a mere 2.2% to variation in the DV. Although it neared statistical significance (p = .07), the emotional stability trait did not statistically significantly add to the prediction of FPB, F(1,150) = 3.338, p = .070, p > .05; R 2 = .022. The full model of emotional stability and generational age to predict FPB was not statistically significant (R 2 = .022; p = .587, p > .05). Hypothesis five (H 5 ), which stated that generational cohort will moderate the relationship between emotional stability and employee's InfoSec behavior, as measured by file protection behavior, was not supported.

Intellect, Generational Cohort, vs. File Protection Behavior (H 6 )
The correlation between intellect and FPB was positive, moderate, and statistically significant (R = .293; p = .000, p < .01). Intellect contributed to 8.6% of the variance in FPB (R 2 = .086). When adjusted, this contribution amounted to 8% (Adjusted R 2 = .080). The intellect trait added statistically significantly to the prediction of FPB, F(1,150) = 14.124, p = .000, p < .001; R 2 = .093 . There was positive relationship between intellect and FPB such that for each unit increase of the intellect trait, there was a highly statistically significant 34.1% increase in FPB (ß = .341; p = .000; p < .001). The full model of intellect and generational age to predict FPB was not statistically significant (R 2 = .093; p = .580, p > .05). Hypothesis six (H 6 ), which stated that generational cohort will moderate the relationship between intellect and employee's InfoSec behavior, as measured by file protection behavior, was not supported.

Discussion
Our hypotheses that generational age cohorts (GCOHORT) will influence (moderate) the relationship between the Big Five dimensions of personality traits and employees' InfoSec behaviors, which was measured by file protection behavior, was not supported. There are differences in how diverse generations respond to their environments and these responses affect functioning in the workplace (Scroxton, 2020), but while our findings confirmed that the FFM has the power to explain or predict employees' InfoSec (file protection) behavior, in no instance did generational GCOHORT exert a statistically significant influence on the relationship between the five factors of personality (i.e., extraversion, agreeableness, conscientiousness, emotional stability, and intellect [EACESI]) and employees' file protection behavior. This result was supported in the literature by McCormac et al. (2016), who reported positive relationships between the Big Five factors of personality traits and InfoSec activities, but no statistically significant relationship between age and InfoSec activities; yet, contrary to findings in the present study and McCormac et al., other inquiries revealed statistically significant relationships between personality, various age groups, and risky behaviors-including risky InfoSec behaviors (e.g. Nicholson et al., 2005;Pattinson et al., 2012Pattinson et al., , 2015Shappie et al, 2019).
Another surprise finding in the present study was that of the nonsignificant effect of emotional stability trait on file sharing behavior, as the contrary is documented in the literature (e.g. Li et al, 2014;Nicholson et al., 2005;). A close examination of the raw data revealed a significant lack of variation in the responses to the questions related to the emotional stability trait. This lack of variability may have been due to fatigue or boredom when answering the questions, which, perhaps, could be attributable to the design construction of the survey, as previously mentioned in section 3.2 and described in the Limitations section. A fairly high number of employees in the sample expressed ambivalence about the emotional stability trait by choosing a neutral response (i.e., 3 = this is neither accurate nor inaccurate) to the emotional stability questions. Nevertheless, a valuable insight that emerged from the study is that, although there has been a lingering perception that older employees are more prone to risky InfoSec behaviors online (Chakraborty, et al., 2013), evidence in the literature seems to suggest otherwise (e.g., Pattinson et al, 2015;McCormac et al., 2016).

Limitations
The strength of the study was evident in the heterogeneous composition of the sample due to the age, gender, income, educational, and regional diversity of the national sample of employees who had access to sensitive files in their organization, which improved the generalizability of the study. However, since the study was conducted in the U.S. among a sample (N = 152) based on specific inclusion and exclusion criteria, the results cannot be generalized beyond the U.S. based sample as cultural or socio-economic differences among different countries might produce different results. Secondly, the age boundary (18 -70) precluded younger and older individuals. According to the Bureau of Labor Statistics, many individuals in the U.S. enter the workforce below the age of 18 and stay in the workforce beyond the age of 70; excluding this population from the study may not have revealed the true effect of generational age on FSB. In fact, the Boomer generation was underrepresented in the sample, and this may have skewed results of the study. Additionally, unemployed and part-time workers were excluded from the study; it is not known whether any of these workers are related to the so-called -gig economy‖, and whether the transient nature of their employment might have an effect on their perceptions of their file protection InfoSec behaviors. Inquiries in these areas might be considered.
Several other limitations must be acknowledged. First, the self-report nature of the data may have biased the study in several ways. For example, the truthfulness of the responses could not be verified (Emerson, Felce, & Stancliffe, 2013). Uncertainty concerning whether their responses could be used against them could cause respondents to choose self-favoring responses. Self-reported data presents a risk to validity (Rosenbaum, Rabenhorst, Reddy, Fleming, & Howells, 2006). However, the guarantee of anonymity in data collection could have mitigated this threat to validity; additionally, in situ studies on the phenomenon might provide deeper insights.
Thirdly, the construction and presentation of the online survey may have biased the responses gravely by causing fatigue amongst the respondents, since all of the questions were presented in one long unbroken webpage. Questionnaires of unbroken length are considered poor as they provoke boredom and mental fatigue in respondents (Foddy, 1993). Additionally, respondents can easily forget instructions posted at the top of the page, omit responses, or provide non-substantive responses with no variability (Ganassali, 2008). In the data used in this study, there was no variability in several of the responses.

Conclusion and Future Directions
Based on results of the present study, with the exception of emotional stability, personality traits were better predictors of employees' file protection behaviors than employees' generational age cohort. The literature revealed that certain personality types, and combination of personality types, were predictive of higher or poorer levels of InfoSec behaviors (e.g. Halevi et al., 2013;McCormac et al, 2016;Pattinson et al, 2015;Shappie et al., 2019;Welk, et al., 2015); however, there are conflicting reports about personality traits and their relationship to InfoSec. Admittedly, the behavioral approach to understanding InfoSec behaviors is still developing so more research is needed in this area to bring clarity to the role that personality plays in information security behaviors such as, among others, file protection behavior.
While we are not suggesting that personality traits should be the sole consideration used to determine whether one employee might be a greater Info-Sec risk than another, we do suggest that results of this study revealed areas of concern regarding InfoSec behaviors that can be explored further. For example, since evidence in the literature is that individuals' personal behaviors at home do not change in the workplace (e.g., Li et al., 2014), and since many employees are now working from home due to COVID-19, it is reasonable to surmise that the results obtained from this study regarding employees' file protection behavior at work is reflective of such behavior at home, and vice versa. Due to the prevalence of at-home workers attributed to the COVID-19 pandemic, further studies might be warranted to compare onsite workers and work-from-home employees as results might reveal whether modifications to InfoSec training might be necessary. Given the gravity of insecure Info-Sec behavior, perhaps organizations' training efforts might include conscious behavior modification efforts for-especially as home based employees might have more opportunities to engage in social media activities; these activities have been shown to be related to risky InfoSec behaviors. It might be beneficial to employees to understand their dominant personality traits and how these traits might affect their attitudes toward InfoSec behaviors. Frequent reinforcement of training that includes role-playing in risky and/or healthy InfoSec behaviors might be beneficial to companies wishing to prioritize and promote InfoSec behaviors among their employees.
Other types of analytical approaches might provide a deeper understanding of the problem, and other types of independent variables, including different demographic variables, might be examined for their effect on different types of InfoSec behaviors. For example, traits might be tested for possible interaction effects on the relationship between personality traits, FPB, or other specific types of employee InfoSec behaviors-especially since only one general aspect of employee InfoSec behavior was examined in the present study. (i.e., file protection behavior). Such studies might provide a more granular and comprehensive understanding of whether there are types of InfoSec behaviors that are more or less affected by personality traits' interaction with each other or other possible moderating influences such as gender, education, job satisfaction, length of employment, etc.
Finally, given the potential gravity of the possible negative effects of the construction and presentation of the online questionnaire, the study might be replicated with a better constructed survey using several short web pages on which questions from a single personality subscale (e.g. items for each of the personality traits) are grouped.  (Generation Y,1981(Generation Y, -1998 .49 .502 152 36 -51 yrs old (Generation X, 1965(Generation X, -1980 .36 .482 152 52 -70 yrs old (Baby Boomers, 1946-1964 .