key: cord-1022192-i4f46pcl authors: Barlette, Yves; Jaouen, Annabelle; Baillette, Paméla title: Bring Your Own Device (BYOD) as reversed IT adoption: Insights into managers’ coping strategies date: 2020-09-11 journal: Int J Inf Manage DOI: 10.1016/j.ijinfomgt.2020.102212 sha: 524260f42119338d0447b8d68a15f4fa4022445d doc_id: 1022192 cord_uid: i4f46pcl The adoption of Bring Your Own Device (BYOD), initiated by employees, refers to the provision and use of personal mobile devices and applications for both private and business purposes. This bottom-up phenomenon, not initiated by managers, corresponds to a reversed IT adoption logic that simultaneously entails business opportunities and threats. Managers are thus confronted with this unchosen BYOD usage by employees and consequently adopt different coping strategies. This research aims to investigate the adaptation strategies embraced by managers to cope with the BYOD phenomenon. To this end, we operationalized the coping model of user adaptation (CMUA) in the organizational decision-making context to conduct a survey addressing 337 top managers. Our main results indicate that the impact of the CMUA constructs varies according to the period (pre- or post-implementation). The coping strategies differ between those who have already implemented measures to regulate BYOD usage and those who have not. We contribute to theory by integrating the perception of BYOD-related opportunities and threats and by shedding light on the decisional processes in the adoption of coping strategies. The managerial contributions of this research correspond to the improved protection of corporate information and the maximization of BYOD-related benefits. The BYOD phenomenon, i.e., Bring Your Own Device, refers to the provision and use of personal mobile devices and applications by employees for both private and business purposes (Cho & Ip, 2018; Hovav & Putri, 2016; Middleton, Scheepers, & Tuunainen, 2014) . As opposed to the classic top-down adoption usually imposed by top management, the BYOD phenomenon is considered to be a disruptive event that is often a bottom-up process, in other words, reversed IT adoption starting with employees (Leclercq-Vandelannoitte & Bertin, 2018) . Since its early period 10-15 years ago, BYOD has undergone major changes. The first evolution related to the devices themselves, which were initially limited to mobile phones and laptops and now include smartphones (approximately 90 %), tablets, and connected devices. The second evolution corresponds to the power and increased connectivity of devices: today's smartphones can include up to 10 cores, offering performance similar to low-end laptops. In terms of connectivity, if the speed of Internet connections underwent dramatical acceleration, 1 the range of networks now includes hi-speed Bluetooth and NFC. 2 Elaborated applications can operate on personal devices, ranging from emails to critical business applications, such as CRM and ERPs (Ding et al., 2014) . In addition, access to cloud-based applications and storage has reinforced even more the variety and sophistication of applications. Operating systems have also evolved from proprietary and often secured solutions (e.g., Blackberry phones) to more open and democratized platforms, such iOS and Android. However, although all of these evolutions increase significantly the opportunities offered by mobile and connected devices, they also involve higher risks. BYOD opportunities are reflected by recent figures showing that companies favoring BYOD obtain an annual savings of $350 per year per employee (Cisco, 2016) . Using portable devices for work tasks can also increase productivity by 34 % (Frost and Sullivan, 2016) . BYOD threats relate to additional security breaches, mainly data leakage and malware infiltration. For example, in 2017, employeeowned devices were culpable in 51 % of corporate data breaches . Such breaches not only endanger the firm itself but also allow access to companies' external partners through the Internet or other digital exchanges, dramatically increasing their vulnerability to cyber-attacks (Lowry, Dinev, & Willison, 2017; McLeod & Dolezel, 2018; Sokolova, Perez, & Lemercier, 2017) . However, despite laws and regulations, there is a lack of effective security measures regarding the specificity of BYOD: for instance, only 40 % of employees are subject to regulations regarding personal device usage (Kemper, 2018) . These figures emphasize the importance of this phenomenon, all the more so because BYOD is increasingly used in businesses and often spontaneously introduced by employees without any regulations to prevent security issues (Weeger et al., 2020) . Employees have an individualistic perception of BYOD opportunities, and their security concerns are mainly focused on privacy issues. However, managers go beyond these individual issues and must consider the organizational impacts of BYOD. Unfortunately, managers do not necessarily perceive the actual opportunities and threats that "rogue" adoption of BYOD represents for their organizations. Since they can barely prohibit its usage within the firm (Baillette, Barlette, & Leclercq-Vandelannoitte, 2018) , especially because the company does not own the devices, they often make reactive decisions according to their own subjective perceptions of BYOD opportunities and threats (Hu, Dinev, Hart, & Cooke, 2012; Puhakainen & Siponen, 2010) . The previous research regarding the perception of BYOD-related opportunities has mainly focused on individuals and has highlighted a set of factors determining the adoption of mobile tools by employees (Hoehle, Zhang, & Venkatesh, 2015; Middleton et al., 2014; Weeger, Wang, & Gewald, 2016) . In terms of BYOD-related threats, the literature has addressed issues related to employee privacy (Garba Bello, Murray, & Armarego, 2017; Pentina, Zhang, Bata, & Chen, 2016 ) and employee compliance with information security (ISS) policies (Cho & Ip, 2018; Palanisamy, Norman, & Mat Kiah, 2020) . Academic research studying how managers cope address bottom-up adoption of BYOD and the types of decisions that they consequently make has been scarce Baker & Singh, 2019; Leclercq-Vandelannoitte & Bertin, 2018; . Therefore, obtaining insights into managers' coping strategies is important to better understand how they can address and regulate BYOD usage, i.e., maximizing the benefits and mitigating the threats. This understanding will also enable managers to better administer and adapt policy and regulatory measures. This article thus investigates the following research question: what adaptation strategies do managers adopt to cope with the BYOD phenomenon? This implies the investigation of (a) managers' perception of BYOD opportunities and threats; and (b) the coping strategies they decide to adopt accordingly. We use the coping model of user adaptation (CMUA, Beaudry & Pinsonneault, 2005 , based on Lazarus' coping theory (1966) . This model allows us to investigate the determinants of managers' "behaviors that occur before, during, and after the implementation of a new IT" (Beaudry & Pinsonneault, 2005, p. 2) and their resulting coping strategies. It also fits individual, as well as organizational, contexts (Tobler, Colvin, & Rawlins, 2017) . However, the research has seldom used this model, with mostly qualitative methods (Beaudry & Pinsonneault, 2010; Beaudry & Pinsonneault, 2005; Elie-Dit-Cosaque & Straub, 2011; Tobler et al., 2017) . In this article, we test the CMUA framework through a quantitative study of 337 managers. Our article contributes to the academic literature in IS by offering insights into managers' perceptions of BYOD adoption by employees, encompassing both opportunities and threats and the decisions stemming from these perceptions. Four types of coping strategies are investigated and discussed, hereby extending the literature on IT adoption, reversed IT adoption, and information security. An important managerial implication of this paper is the identification of a "stop-andstart" process, reflecting evolution of managers' perceptions before and after addressing BYOD usage in their companies. The remainder of this paper is organized as follows. Section 2 discusses the theoretical background of BYOD and the CMUA. In Section 3, we present the research model and develop hypotheses. Section 4 describes the research methods that we use to determine the decisions stemming from managers' perceptions of BYOD implementation and set forth how we complement the CMUA framework. The results are presented in Section 5. This analysis is followed in Section 6 by a discussion of the findings; the contributions to theory, practice and policies; and the study's limitations and suggestions for future research. Researchers and practitioners agree that BYOD is illustrative of the IT consumerization trend (Jarrahi, Crowston, Bondar, & Katzy, 2017; Koch, Yan, & Curry, 2019; Köffer, Ortbach, Junglas, Niehaves, & Harris, 2015; Weeger et al., 2020; Zhang, Mouritsen, & Miller, 2019) . By reversing the traditional IT adoption logic , BYOD creates a disruption in adoption practices (Köffer et al., 2015; Leclercq-Vandelannoitte & Bertin, 2018; Steelman, Lacity, & Sabherwal, 2016) and requires new managerial decisions and behaviors (Koch et al., 2019) . One challenge for researchers is shedding light on this phenomenon. To do so, in the first subsection, we present the theoretical underpinnings of BYOD opportunities and threats. We then detail the possible interventions (at technological or behavioral levels) and focus on the importance of adopting suitable managerial behaviors to address the organizational issues involved in BYOD usage. In the second subsection, we introduce the CMUA framework, which allows us to investigate the behaviors (coping strategies) resulting from managers' appraisals of opportunities and threats. Since it is usually initiated by employees themselves, BYOD has been shown to increase their autonomy, motivation, satisfaction, innovation and performance (Harris, Ives, & Junglas, 2012; Koch et al., 2014) . This employee-chosen adoption leads to easier assimilation and more efficient use, and employees can creatively adapt their own tools and reinterpret workplace tasks (Schmitz, Teng, & Webb, 2016) . BYOD improves the quality of employee interactions, helps to recognize employees' achievements and encourages peer-to-peer employee recognition, in turn favoring employee retention. Organizations can also benefit from numerous tool-embedded innovations (Cook et al., 2013; Köffer et al., 2015; Zhang et al., 2019) , such as the use of social media, which has proved its efficiency regarding firm performance (Chatterjee & Kar, 2020) . For example, employees can use personal apps that initiate new ways to serve the firm's objectives in terms of work performance (Doargajudhur & Dell, 2019; Junglas, Goel, Ives, & Harris, 2019; Leclercq-Vandelannoitte & Bertin, 2018) . By doing so, BYOD enables employees to initiate changes that lead to improving and rethinking some organizational processes (Koch et al., 2019; Köffer et al., 2015) . Because these devices are the employees' property, BYOD reduces organizational costs in terms of tool funding or management . Furthermore, some emergency situations, such as those related to pandemics (such as , promote the use of BYOD when professional devices are no longer accessible (Davison, 2020; Papagiannidis, Harris, & Morton, 2020; Richter, 2020) . BYOD becomes a necessary practice because it enables employees to continue to communicate and work despite social distancing and new working conditions. Finally, at an organizational level, BYOD opportunities correspond to cost savings (Benlian & Hess, 2011; Steelman et al., 2016) ; productivity gains (Leclercq-Vandelannoitte, 2015a; Morrow, 2012; Singh, 2012; Steelman et al., 2016) ; increased innovation, mainly in terms of business process improvement (Aydiner, Tatoglu, Bayraktar, & Zaim, 2019; Law & Ngai, 2007; Zhou, Lu, & Wang, 2010) , and performance expectancy (Moore & Benbasat, 1991; Venkatesh, Morris, Davis, & Davis, 2003) . BYOD and mobile applications involve security issues not only threatening their adoption and diffusion (Balapour, Nikkhah, & Sabherwal, 2020) but also increasing the threats to organizational data, for several reasons. First, hyperconnected BYOD tools increase the complexity of network protection because they can connect to several types of networks (cellular networks, Wi-Fi, Bluetooth and NFC), (Breitinger, Tully-Doyle, & Hassenfeldt, 2020; McLeod & Dolezel, 2018; Palanisamy et al., 2020) and to cloud computing resources, thereby increasing the risks (Ding et al., 2014; Gupta, Seetharaman, & Raj, 2013; Lian, Yen, & Wang, 2014; Morrow, 2012; Sultan, 2014) . Smartphones and tablets are increasingly connected to applications, storage or other digital services, resulting in greater risks (Mustafa & Kar, 2019) . In addition, cloud-based resources are often located in public clouds, which are more prone to malware, viruses (Ali, Shrestha, Soar, & Fosso Wamba, 2018) and unauthorized access by cloud administrators (Kaw et al., 2019) . More recently, the explosion of IoT and connected devices brought to work by employees has worsened the risks (Kaw et al., 2019; Tanenbaum, 2016) because connections and even devices themselves are often poorly secured. Second, the use of personal tools for work also increases the risk that devices will be lost or stolen (Jones & Chin, 2015; Nokia, 2019; Tu, Turel, Yuan, & Archer, 2015) , endangering organizational data . Third, smartphones have become a lucrative target for cybercriminals (Chatterjee, Kar, Dwivedi, & Kizgin, 2019; Checkpoint, 2020) , and corporate data can be corrupted by attacks through hacked or malware-infected smartphones. Fourth, since employees own the devices, their run greater risks when using BYOD than they do when using corporate tools (Hovav & Putri, 2016) or computers Thompson et al., 2017) . Moreover, it is more difficult to monitor their usage and compliance with organizational policies and regulations (Hovav & Putri, 2016) . The risk is even greater for younger generations, mainly digital natives, because they tend to only see the potential benefits of BYOD and neglect the risks to themselves and their institutions (Baillette & Barlette, 2020; Weeger et al., 2020) . Employees' priority is mainly to protect their private information (Mustafa & Kar, 2019) , and they might less care about their organizational data since they are less "personally relevant" (Barlette & Jaouen, 2019) . Moreover, privacy-protective controls and settings on mobile devices are difficult to find and activate, and employees can be reluctant to enact privacy-protective behaviors . Therefore, seen from a manager's perspective, BYOD can harm the organization's information system security and lead to failure. Failure can correspond to information failure (compromised data security), functional failure and system failure and can eventually lead to service failure from companies (Mustafa, Kar, & Janssen, 2020) . A manager mainly considers the BYOD-related perceived opportunities at the organizational level. Tobler et al. (2017) showed that people in power usually focus on problems and adapt technologies to their own ways of working. Hence, to reap these benefits, managers can guide the required changes in business processes. Managers can also facilitate change and innovation by transforming their management practices (Damanpour, 2014; Leclercq-Vandelannoitte, 2015b) . They can also simply be supportive, i.e., provide top management support (TMS, Boonstra, 2013) in seizing the benefits of BYOD usage by showing their involvement, being participative and providing resources when necessary (Liu, Wang, & Chua, 2015) . To mitigate the risks stemming from BYOD usage by employees, many IT-based possibilities exist, such as reinforced passwords, system updates and antivirus software. More specific to BYOD, mobile device management (MDM) software can be implemented on the personal tools of employees to improve the security of organizational data. Employees willing to connect to the corporate network can also be granted a restricted access to a "guest" network. Finally, new software solutions, such as cloud access security brokers (CASBs), can provide security for remote workers who are increasingly accessing applications and data in the cloud (Gartner, 2019) , especially when working with their personal devices from home (Bitglass, 2020; Papagiannidis et al., 2020) . However, better protective technologies are not sufficient (Williams, Wynn, Madupalli, Karahanna, & Dunkan, 2014) to efficiently mitigate BYOD-related security issues; protective behaviors and attitudes are also important (Aurigemma & Mattson, 2019; Balapour et al., 2020) . Some security measures can directly affect the company's management and thus require organizational reflection (Brodin, 2016) and management's decision making (Jeong, Lee, & Lim, 2019) . Hence, managers can also intervene in corporate culture to trigger changes in attitudes toward more compliant and secure employee behaviors. These changes can be initiated by teaching individuals how to improve their security behaviors (Balapour et al., 2020; White, Ekin, & Visinescu, 2017) and awareness-raising campaigns. Employees can be also driven to sign a BYOD-specific charter (Harrington, 1996) , specifying the particular risks arising from the use of personal mobile tools, stating responsibilities and explaining what to do in case of device loss, theft or breakdown, for example. Regarding opportunities, to mitigate threats, previous research has unscored the essential impact of TMS on information security behaviors (Barlette & Jaouen, 2019; Herath, Herath, & D'Arcy, 2020; Hu et al., 2012; Puhakainen & Siponen, 2010) . Moreover, Baillette and Barlette (2018) highlighted a twofold security paradox for managers generated by BYOD. The authors show that the perception of BYOD opportunities, i.e., the numerous benefits of BYOD via reversed adoption, outweighs the threats involved. The authors argue that managers overlook BYOD ISS-related issues through either a misperception of the risks or the erroneous feeling that their company is sufficiently protected. Hence, despite a strong concern over ISS, managers may primarily consider the advantages of BYOD without necessarily implementing the required protective actions. Therefore, the necessity for managers to address BYOD-related opportunities and threats deserves more attention. However, there has been a lack of research about opportunity appraisal and its consequences for behaviors, mainly regarding managers . Academic research has also been scarce about threat appraisal and how managers can address information security threats. The previous literature has repeatedly examined ISS-related employee behaviors, including adoption by employees of more secure behaviors, such as antivirus updates, backups (Boss, Galletta, Lowry, Moody, & Polak, 2015) or behaviors related to compliance with ISS policies (D'Arcy & Teh, 2020; Karjalainen, Sarker, & Siponen, 2019; Moody, Siponen, & Pahnila, 2018; Yazdanmehr & Wang, 2016) including theories such as deterrence theory (Xu, Lu, & Hsu, 2020) . The behavioral research has integrated threat appraisal as a particularly influencing construct to consider. For instance, threat appraisal has been included as a building block in technology threat avoidance theory (TTAT, Liang & Xue, 2010) , the health belief model (HBM, Ng, Kankanhalli, & Xu, 2009 ) and protection motivation theory (PMT, Rogers, 1983; Crossler, Andoh-Baidoo, & Menard, 2019; Wall & Warkentin, 2020) . Business managers are the ultimate decision makers in resource allocation in ISS (Menon & Siponen, 2020) . In addition, their decisions are very specific because they are primarily based on preventing loss, the best outcome being that "nothing happens" (Menon & Siponen, 2020) . However, the ISS literature has rarely focused on manager behavior (Berry & Berry, 2018; Fielder, Panaousis, Malacaria, Hankin, & Smeraldi, 2016) and on their important role in developing and implementing protective measures, regulations or an ISS culture (Barlette, Gundolf, & Jaouen, 2017; Dojkovski, Lichtenstein, & Warren, 2007; Feng, Zhu, Wang, & Liang, 2019; Indihar Štemberger, Manfreda, & Kovačič, 2011) . Hence, while BYOD entails crucial issues in terms of decisionmaking to address or not the related opportunities or threats, the interest of the academic research remains recent and has mainly focused on theoretical approaches (Leclercq-Vandelannoitte & Bertin, 2018). Hence, more empirical studies are required to explore how managers can address BYOD adoption by employees . The CMUA constitutes a relevant theoretical framework to investigate managers' behaviors related to the perception of opportunities and threats when they become aware that BYOD has been introduced in their company by employees. Beaudry and Pinsonneault (2005) based their coping model of user adaptation (CMUA) on Lazarus' (1966 Lazarus' ( , 2000 coping theory from the psychology literature. Coping theory describes the process by which individuals cope with disruptive events in their environment such as the introduction of a new IT (Fang, Benamati, & Lederer, 2011a; Fang, Benamati, & Lederer, 2011b) . Coping corresponds to "the cognitive and behavioral efforts exerted to manage specific external and/or internal demands that are appraised as taxing or exceeding the resources of the person" (Lazarus & Folkman, 1984, p. 141) . Internal demands relate to personal desires or obligations (e.g., need for achievement), and external demands are imposed by the external environment (e.g., social pressures). Such demands can be considered disruptive events if they exceed one's resources to manage them (Bhattacherjee, Davis, Connolly, & Hikmet, 2018; Elie-Dit-Cosaque & Straub, 2011) . Beaudry and Pinsonneault (2005) adapted the coping theory to investigate behaviors that occur before, during, and after an IT event. The CMUA postulates that the perception of an IT event triggers adaptive behaviors, based on two key subprocesses. The primary appraisal consists of assessing the potential consequences and the personal significance of the event, perceived as a threat and/or an opportunity (Folkman, 1992) . The secondary appraisal corresponds to the evaluation of the coping strategies available that will guide the individual's choice. This choice will depend on the individual's level of perceived control over the situation. Further studies have since confirmed the insights offered by the CMUA (Bhattacherjee et al., 2018; Elie-Dit-Cosaque & Straub, 2011) . The CMUA itself is shown in Fig. 1 . To better contextualize the four coping strategies in this research, we define the individual of interest as the manager. The IT event that we address corresponds to when managers become aware of BYOD usage by employees within the firm. They personally assess the threats and opportunities related to BYOD for their organizations (primary appraisal). The situation that we explore consists of the personal decisions of managers to implement organizational measures to address this BYOD usage (coping strategies). The secondary appraisal corresponds to the manager's perceived control over the situation and its organizational outcomes, either to maximize the benefits or to reduce the threats stemming from the usage of BYOD. Primary appraisal begins when an individual becomes aware of the potential consequences of an IT event and assesses its personal and/or professional relevance and importance (Beaudry & Pinsonneault, 2005; Folkman, 1992) . For example, individuals may think that a new tool (hardware or software) will improve their efficiency or their ability to interact with others; thus, they may integrate that new hardware or software into their work routines, which may require (self-)training in the use of the new tool. However, this new tool will appear to be a threat to individuals if they feel insufficiently skilled to use it or if its use may endanger their privacy. Most IT events are multifaceted, and an individual may consider them threats, opportunities or both (Beaudry & Pinsonneault, 2005) . In the latter case, it is their relative importance that will influence the choice of adaptation efforts to be made (Lazarus & Folkman, 1984) . Some elements may influence this assessment such as whether the tool is perceived as concrete or the potential criticality of the consequences of its use. Similarly, the level of 'task-technology fit' or expected performance may result in a negative (if it is low) or positive (if it is high) perception. This primary appraisal leads to a secondary appraisal (Beaudry & Pinsonneault, 2005; Lazarus & Folkman, 1984) . The individual's perception of an IT event as beneficial and/or threatening (i.e., primary appraisal) is followed by the evaluation of the available options (i.e., secondary or coping appraisal), which guide the choice of coping strategies. The CMUA identifies four coping strategies (Table 1) , reflecting the coping efforts required to reduce the emotional stress resulting from the situation and adapt to this situation (Beaudry & Pinsonneault, 2005 . The choice of strategies is based on the individual's level of perceived behavioral control (low or high). A high level of perceived control will cause the individual to adopt mainly problem-focused (i.e., active) coping strategies (benefits maximizing and disturbance handling). Conversely, a low level of perceived control will mainly cause the individual to adopt emotion-focused (i.e., rather passive) coping strategies (benefits satisficing and self-preservation). Interestingly, while problem-focused strategies (i.e., "active" behaviors) have often been investigated, emotion-focused strategies (i.e., "passive" behaviors) remain under-researched (Liang, Xue, Pinsonneault, & Wu, 2019) . The benefits maximizing strategy occurs when managers perceive the IT event (i.e., BYOD usage by employees) as beneficial, and their perceived control over the coping options available is high. In this case, managers feel able to manage the use of BYOD by their employees. Therefore, managers adopt a problem-focused coping strategy, and they aim to maximize the benefits offered by the situation. For example, managers can implement processes to maximize cost reduction, improve their companies' efficiency and foster new ways of working through BYOD. The benefits satisficing strategy corresponds to passively enjoying the benefits of BYOD. In this case, managers perceive BYOD usage as beneficial, and they do not feel any emotional distress, so there is no need to act to restore their psychological balance. Moreover, since Barlette, et al. International Journal of Information Management xxx (xxxx) xxxx managers' perceived control is low, they will adopt emotion-focused coping strategies, such as being simply satisfied with the use of BYOD by their employees. The disturbance handling strategy occurs when managers perceive BYOD usage as threatening, and they have a high level of perceived behavioral control. In this case, managers feel able to implement protective measures in their companies. Therefore, their coping efforts will be mainly problem focused to mitigate perceived threats and prevent potential negative outcomes. The self-preservation strategy corresponds to the case in which managers perceive BOYD to be a potential threat, but they have limited control. They do not feel able to solve the potential problems, and this situation generates emotional stress. To restore their psychological balance, they adopt emotion-focused coping strategies, such as minimization of consequences, passive acceptance, denial and distancing themselves from the stressful situation. At the end of this section, the research model (see Fig. 2 3 ) provides an overview of the hypotheses. The previous IS research has shown that perceived benefits have a positive influence on the use of IT devices and applications (Benlian & Hess, 2011; Gupta, Yousaf, & Mishra, 2020; Kim, Jang, & Yang, 2017; Moser, Bruppacher, & Mosler, 2011; Zhou, Jin, Fang, & Vogel, 2015) . According to the CMUA, the perceived opportunity of an IT event fosters the adoption of benefits maximizing and benefits satisficing strategies (Beaudry & Pinsonneault, 2005; Elie-Dit-Cosaque & Straub, 2011) . Top management can perceive BYOD as offering valuable business opportunities and initiate IT-driven changes (Leclercq-Vandelannoitte, 2015b). Managers that perceive the most clearly BYOD-related business opportunities tend to capitalize on employees' initiatives and to regulate and standardize their practices. A high perception of BYOD-related benefits has also been found to favor engagement behavior and satisfaction (Kim, Kim, & Wachter, 2013) . Accordingly, we hypothesize the following: Hypothesis 1a-b. The perception of BYOD usage as an opportunity will positively influence the manager's adoption of the (a) benefits maximizing strategy and (b) benefits satisficing strategy. As previously underscored (see 2.1.2.), using organizational data through personal devices involves important threats related to cybersecurity and information risks (Ali et al., 2018; Mustafa & Kar, 2019) . Moreover, the perception of threat related to security is the central construct in the behavioral stream of research on security because it affects user intentions and behaviors (Balapour et al., 2020) . The previous IS research showed that IT events perceived as threats (Lee & Larsen, 2009; Vance, Siponen, & Pahnila, 2012) cause managers to adopt more cautious behaviors (Barlette & Jaouen, 2019; Bulgurcu, Cavusoglu, & Benbasat, 2010) . In the context of mobile devices, the perception of a threat exerts a positive and significant influence on the intention to implement ISS protections (Gu, Xu, Xu, Zhang, & Ling, 2017 Y. Barlette, et al. International Journal of Information Management xxx (xxxx) xxxx employees' practices, and top management expectations will correspond to problem-focused behavior, i.e., the development of clear IT policies and the implementation of BYOD-related protection measures (Jarrahi et al., 2017; Leclercq-Vandelannoitte, 2015b) . However, when a threat is perceived, but managers have limited control, they will adopt more passive and emotion-focused behaviors, i.e., self-preservation strategies (Beaudry & Pinsonneault, 2005 ; Elie-Dit-Cosaque & Straub, 2011; Jarrahi et al., 2017) . Therefore, we propose the following: Manager's perception of BYOD usage as a threat will positively influence the adoption of the (a) disturbance handling strategy and (b) self-preservation strategy. As the initial CMUA model was qualitative, no indication was given about the effect of perceived behavioral control (Beaudry & Pinsonneault, 2005) . Consequently, we hypothesized that perceived behavioral control exerts direct and moderating effects on coping behavior. This variable reflects the level of control perceived by managers over the implementation of organizational measures to benefit from the use of BYOD by employees. According to the CMUA, they can adopt problem-focused and/or emotion-focused coping responses (Beaudry & Pinsonneault, 2005; Elie-Dit-Cosaque & Straub, 2011) . When BYOD is perceived as an opportunity, and their perceived control is high, managers will mainly adopt problem-focused strategies to achieve better performance (Beaudry & Pinsonneault, 2005; Elie-Dit-Cosaque & Straub, 2011; Harris et al., 2012) , i.e., benefits maximizing strategies. Conversely, when the behavioral control perceived by managers over the situation is low since no tension emanates from a beneficial situation (Beaudry & Pinsonneault, 2005; Folkman, Lazarus, Gruen, & DeLongis, 1986 ), they will passively enjoy the advantages of BYOD use by employees, i.e., adopt an emotion-focused coping strategy corresponding to simply being satisfied. Hence, we propose the following: Hypothesis 3a-b. (direct effect): When a manager appraises a situation as an opportunity, the more perceived control that s/he has over implementing measures to regulate BYOD usage: (a) the more inclined that s/he will be to adopt a benefits maximizing strategy; and (b) the less inclined that s/he will be to adopt a benefits satisficing strategy. Hypothesis 4a-b. (moderating effect): When a manager appraises a situation as an opportunity, the level of perceived control that s/he has over implementing regulation measures will: (a) positively moderate the relationship between the BYOD-related opportunity and the benefits maximizing strategy; and (b) negatively moderate the relationship between the BYOD-related opportunity and the benefits satisficing strategy. When BYOD usage is perceived as a threat, this variable corresponds to the degree to which managers believe they can implement protective measures (Vance et al., 2012) . Prior research has found that, when individuals perceive greater threats related to IT, their protection motivation increases (Li et al., 2019; Thompson, McGill, & Wang, 2017) and can result in protective and nonprotective responses (Baillette & Barlette, 2020; Moser et al., 2011) . Increased coping efficacy fosters protective responses (i.e., disturbance handling strategy) (Crossler, Bélanger, & Ormond, 2019; Donalds & Osei-Bryson, 2020; Li et al., 2019) and decreases non-protective responses (Moser et al., 2011) . Conversely, low levels of perceived control increase nonprotective responses (i.e., self-preservation strategy), aiming to regulate or reduce the emotional distress triggered by the threat appraisal (Beaudry & Pinsonneault, 2005; Folkman et al., 1986; Jex, Bliese, & Buzzell, 2001; Srivastava & Tang, 2015) . Consequently, we propose the following: Hypothesis 5a-b. (direct effect): When a manager appraises BYOD usage as a threat, the more perceived control s/he has over implementing security measures, (a) the more s/he will adopt disturbance handling strategies and (b) the less s/he will adopt selfpreservation strategies. Hypothesis 6a-b. (moderating effect): When a manager appraises BYOD usage as a threat, the level of perceived control s/he has over implementing security measures will (a) positively moderate the relationship between the BYOD-related threat and the disturbance handling strategy and (b) negatively moderates the relationship between the BYOD-related threat and the self-preservation strategy. The original CMUA in Fig. 1 has been enriched in two stages. The first stage corresponds to adding hypotheses H3 to H6 related to the effect of perceived control on the four coping strategies (Section 3.2). The second stage corresponds to adding seven constructs (dotted in Fig. 2) , permitting a quantitative measurement of perceived opportunities and threats (primary appraisal) and perceived control (secondary appraisal). The details of this second step can be found in Section 4.2, which explains the construct operationalization and measures. To investigate the coping strategies adopted by managers resulting from their perceptions of BYOD usage, we conducted a questionnairebased survey. We used measurement scales borrowed from the previous literature (see 4.3.) . The questions were first discussed and adapted to the BYOD context at three professional seminars held by the authors. The questionnaires were then pretested in face-to-face exchanges with managers (N = 17). Based on their feedback, through six rounds, the authors ensured the understandability and readability of the questions, mostly by removing redundancies. This process led to the final questionnaire (see Appendix A). The questionnaire was managed using the Qualtrics web-based software platform. In the questionnaire introduction, a text presented the objectives of the survey and defined the main terms (information security, personal device, BYOD, etc.). Participation in the survey was voluntary, and the authors clearly assured respondents that their responses would be treated anonymously and confidentially. We added a question to check whether managers intended to implement or had already implemented BYOD measures to address BYOD usage in their companies (Meissonier & Houzé, 2010) . Although the question of period (pre-or post-implementation) is important in the MIS literature (Beaudry & Pinsonneault, 2005; Karahanna, Straub, & Chervany, 1999; Marler, Fisher, & Ke, 2009; Taylor & Todd, 1995; Thompson, Compeau, & Higgins, 2006; Veiga, Keupp, Floyd, & Kellermanns, 2014) , it does not address the issue of BYOD during these two periods. For this purpose, two slightly different sub-versions of the questionnaire were created, using the past or future tense depending on the actual or planned implementation of measures framing BYOD usage. The questionnaire administration was outsourced to a panel company and conducted during May 2018. We chose this company because our previous collaborations were satisfying due to the company's rigor. It has a specific division specializing in academic, quantitative and qualitative studies Hence, panel members are used to respond to scholarly questionnaires. It also uses specific methods of online data collection (CAWI in our case) and meets the standards of qualification criteria and quotas. Our criteria corresponded to the respondents' range of ages, and positions (CEOs, top managers or executive and managers in charge of their own service/department/business units, with at least one employee to manage, with hierarchical responsibility). The respondents had to be in positions and active (non-retired) and not prohibited from BYOD usage. Our criteria for questionnaire rejection were based on several elements. First, we removed incomplete and invalid responses. Second, all questionnaires with excessively short duration were removed because respondents may have not read and carefully answered our questions. Third we used the respondents' IP addresses to control for duplicate submissions and to check if more than one manager had responded, for a specific location. A total of 384 responses were collected, and after applying our rejection criteria, 337 usable responses were retained. We ensured the sample size sufficiency using the G*Power tool (Faul, Erdfelder, Buchner, & Lang, 2009 ) via a priori and post-hoc power analyses. For that purpose, we adopted a lower bound R² value of 0.10, a statistical power of 95 % and three predictors (benefits maximizing, benefits satisficing, disturbance handling and self-preservation constructs have the highest numbers of predictors). The a priori G*Power results indicated that a minimal sample size of 143 was required. In addition, the post-hoc G*Power results for a lower bound R² of 0.10, a sample size of 143, and three predictors showed that the statistical power was 0.95. These results exceed Cohen's (1988) recommendations and support the sufficiency of our sample size. The CMUA is conceptually derived from the "coping" theory (Lazarus, 1966) . However, this theory is "mute regarding what elements of a disruption are used in primary appraisal" (Beaudry & Pinsonneault, 2005, p. 498) . Therefore, to assess this primary appraisal, that is, managers' perceptions of opportunities and threats related to BYOD usage by employees, we complemented the CMUA by adding constructs borrowed from the previous research. To render our model more parsimonious and easier to apprehend (Hair, Sarstedt, Ringle, & Gudergan, 2018, p. 40 ), we created two higher-order 4 constructs (Hair, Hult, Ringle, & Sarstedt, 2017) . Higherorder constructs allow for overcoming the jangle fallacy, and they are better predictors of broadly defined behaviors, (Hair et al., 2018) . Hence, BYOD-related opportunity and BYOD-related threat were operationalized as two higher-order constructs composed of several lowerorder reflective constructs. We used the same logic to assess the secondary appraisal, based on perceived behavioral control. These higher-order constructs were modeled as formative because they are defined by their lower-order constructs (see Fig. 2 ), with each lower-order construct constituting one of its facets (Lee & Cadogan, 2013; Petter, Straub, & Rai, 2007) . In addition, the higher-order constructs must be modeled as formative in this case because: (a) the lowerorder constructs cannot covary since the themes that they represent are distinctive (Petter et al., 2007) ; and (b) the lower-order constructs are not conceptually identical 5 . For each of the three higher-order constructs, the corresponding lower-order constructs are presented in the following subsections. BYOD-related threat is measured using two lower-order reflective constructs, perceived severity and perceived vulnerability, borrowed from the threat appraisal constructs of another coping-based framework: the protection motivation theory (PMT) (Rogers, 1983) . The PMT has been adapted to the ISS context (Aurigemma & Mattson, 2019; Lee & Larsen, 2009; Siponen, Mahmood, & Pahnila, 2014; Vance et al., 2012) and more specifically to smartphone protection and smartphone-related threats (Weeger et al., 2016; Whitten, Hightower, & Sayeed, 2014) . In line with the PMT and in the context of BYOD usage, we assessed the managers' personal perceptions of vulnerability and severity to security breaches, affecting organizational data. -Perceived vulnerability is the probability that an unwanted ISS incident (such as loss of data availability, data loss, etc.) occurs (Vance et al., 2012) if no coping behavior is undertaken. -Perceived severity is the level of the potential impact of the threat (Vance et al., 2012) resulting from insufficient or ineffective ISS measures to manage the threat. This perception of potential impacts is important when considering suitable corrective actions to implement (Mustafa et al., 2020) and reinforce the threat appraisal (Siponen et al., 2014 ). In our model, BYOD-related threat appraisal corresponds to a higherorder construct composed of Perceived vulnerability and Perceived severity (see Fig. 2 ). We assessed the managers' perceived benefits related to BYOD usage by employees as a composite formed by Business process improvement (Law & Ngai, 2007) , Cost advantages (Benlian & Hess, 2011) and Performance expectancy (Moore & Benbasat, 1991; Venkatesh et al., 2003) . -Business process improvement corresponds to the simplification and improvement of business practices and processes through re-engineering (Law & Ngai, 2007) , resulting in tangible benefits related to BYOD usage by employees (Leclercq-Vandelannoitte, 2015a; Steelman et al., 2016) . Kim, Jang, and Yang (2017) showed that this construct had a strong and significant effect on perceived opportunity. -Cost advantages: Many managers seek to take advantage of the potential benefits of BYOD usage, such as cost savings (Steelman et al., 2016) . Permitting the use of BYOD allows companies to avoid buying mobile devices. In addition, companies can also save money when free or low-cost mobile consumer apps are integrated into the corporate infrastructure by employees or when employees store corporate data externally, in the cloud, for example (Weiss & Leimeister, 2012) . Benlian and Hess (2011) highlighted cost advantages as the strongest driver influencing managers' perceptions of opportunities. -Performance expectancy is "the degree to which using an innovation is perceived as being better than using its precursor" (Moore & Benbasat, 1991, p. 196) . Another perceived opportunity is the increase of productivity and innovation stemming from BYOD, resulting in better performance . Opportunity appraisal was modeled as a higher-order construct composed of these three dimensions (see Fig. 2 ). The CMUA postulates that the coping strategies depend on the perception of the event (opportunity and/or threat) and on the perceived behavioral control (high or low) over the individual's resulting coping behavior (Beaudry & Pinsonneault, 2005) . Perceived behavioral control was modeled as a higher-order variable composed of two dimensions (see Fig. 2 ): -Control over BYOD regulations measures implementation: when the primary appraisal is associated with an opportunity, this perceived control relates to the implementation of processes and regulations in order to maximize the benefits of BYOD usage; -Control over BYOD-related security measures implementation: when the primary appraisal is associated with a threat, this perceived control 4 For the rest of this work, we use the terms "higher-order" and "lower-order" constructs as equivalent to "second-order" and "first-order" constructs, respectively. 5 Lee and Cadogan (2013) demonstrated that higher-order reflective models are not valid when the first-order constructs are not conceptually identical. Y. Barlette, et al. International Journal of Information Management xxx (xxxx) xxxx relates to the implementation of protective measures in order to reduce either the tensions or the risks emanating from BYOD usage. The questionnaire and the scales used in this research (see Appendix A) were adapted from previous studies: -The business process improvement (BPI) items were adapted from Law and Ngai (2007) , the cost advantages (CA) scales came from Benlian and Hess (2011) , and performance expectancy (PERF) was borrowed from Moore and Benbasat (1991) Most of the Likert-type scales we used originally contained sevenpoint scales. Following the advice of Goodwin and Goodwin (2016) , we aligned all of our construct measurements on seven-point scales anchored at 1 (Strongly disagree) and 7 (Strongly agree). We included in the model three control variables (CVs) (see Fig. 2 ): Size represents the company's size; Age represents the respondent's age; and Education (EDUC) represents the highest degree achieved by the respondent. In a classical top-down adoption process, implementation is decided by the company managers. We can assume that managers' opportunity and threat appraisals may differ when BYOD is adopted by employees through a reversed adoption logic. For instance, managers can overestimate the risks before addressing BYOD usage, and their appraisal can also evolve after having experimented with BYOD adoption by employees. Meissonier and Houzé (2010) showed that managers must anticipate the outcomes resulting from the adoption of a technology. Given that individuals' strategies and behaviors can evolve according to the pre-or post-adoption stage (Gupta et al., 2020; Meissonier & Houzé, 2010) , we can hypothesize that the managers' coping strategies can also differ before and after addressing BYOD usage in their companies. Through the variable PAST (0=Before; 1=After implementation), we assessed whether they had implemented measures addressing BYOD usage. To validate the measurements and test the hypotheses, we used partial least squares structural equation modeling (PLS-SEM) analyses. PLS-SEM should be selected when the structural model is complex and includes many constructs, indicators and/or model relationships. In addition, our model includes one or more higher-order constructs and formatively measured constructs (Hair, Risher, Sarstedt, & Ringle, 2019, p. 5) . Finally, the PLS-SEM approach has a broad scope and is flexible regarding theory and practice (Hair et al., 2019) . The average manager's age is 42 years old. In terms of gender, the sample was balanced (51 percent male vs. 49 percent female). The companies included 74.1 % SMEs (32.5 % very small, 22.9 % small, 19.6 % medium enterprises) and 25.9 % large enterprises. Among the 337 valid responses, 159 were before and 178 were after BYOD implementation. We adopted a two-stage approach because reflective-formative higher-order constructs (HOCs) and moderator variables were part of the model (Hair et al., 2018, p. 53-54) . During the first stage, the scores of the independent and moderator variables were computed. We used the repeated indicators approach to compute the scores of lower-order latent constructs (LOCs), which were added to the data set. The second stage used the LOC scores as indicators of the HOCs and built the interaction terms for the moderator variables. After this two-stage process, we assessed the measurement model; for this purpose, we ran bootstrapping with 5000 iterations to assess the path coefficients' significance and evaluate their values (Hair et al., 2018 (Hair et al., , 2019 . Indicator Reliability and Constructs' Internal Consistency Reliability (see Table C1 in Appendix C): All of the composite reliability values are greater than 0.7, and all of the AVEs (average variance extracted) exceed 0.5, indicating good convergent validity (Hair et al., 2019) . Indicator loadings exhibited satisfactory values (see Appendix B). Discriminant Validity (see Table C2 in Appendix C): All heterotraitmonotrait ratios of correlations (HTMT) are less than the threshold of 0.85 (Hair et al., 2019; Henseler, Ringle, & Sarstedt, 2015) , exhibiting good discriminant validity 6 . Reflective-formative higher-order construct assessment: The two-stage approach results in weights corresponding to the path coefficients between the LOCs and their corresponding HOCs, i.e., BYOD-related opportunity, BYOD-related threat and perceived behavioral control. For LOCs, all of the tests exhibit satisfactory results (see Appendix D), showing satisfactory internal consistency reliability, convergent validity, and discriminant validity. All of the VIFs (variance inflation factors) are less than 5 (Hair et al., 2018, p. 62) ; hence, potential collinearity between the LOCs forming the HOCs is not problematic. Finally, all of the paths between LOCs and HOCs are positive, highly significant and relatively balanced (see Table D in Appendix D). As shown in Table 2 , the full model exhibits 11 of 12 significant path coefficients. Meissonier and Houzé (2010) used a "before-after" investigation of IT pre-and post-implementation resistance. Several authors have proved the relevance of distinguishing the two stages to shed light on differences in perception between the two phases (Gupta et al., 2020; Meissonier & Houzé, 2010 ) and on the changes affecting coping strategies over time (Tobler et al., 2017) . Hence, to analyze coping strategies related to BYOD adoption in greater depth, we distinguished between managers having actually implemented measures to address BYOD usage and those having planned this implementation. We conducted a multigroup analysis distinguishing between before and after measures implementation to address BYOD usage. First, to ensure measurement invariance, we applied the MICOM procedure (Henseler, Ringle, & Sarstedt, 2016) . We checked configural invariance and then parametric tests with 1000 permutations, which showed that compositional invariance is also established. Therefore, conducting multigroup analysis is meaningful for our study. The sample is balanced as 159 respondents (47 %) had intended to implement and 178 (53 %) had actually implemented measures in their company. Even if all but one of the path coefficients were significant for the full sample, some of them become nonsignificant for the subgroups, due to smaller populations. Table 2 below illustrates the main discrepancies when comparing before (past = 0) and after (past = 1) implementation. The p-values in the last column indicate whether the differences between path coefficients 7 before and after implementation ('path 6 Note that, in their 2015 paper, Henseler et al. discarded the Fornell-Larcker and Cross-loadings criteria. Y. Barlette, et al. International Journal of Information Management xxx (xxxx) xxxx Table 2 Comparison of the constructs' effects for the full sample (n = 337) and before (n = 159) and after (n = 178) implementation of measures. Barlette, et al. International Journal of Information Management xxx (xxxx) xxxx coeffs delta') are significant. Below, we discuss the impact of 'before' and 'after' implementation of measures by managers on the type of coping strategies adopted, first, for the appraisal of BYOD usage as an opportunity, and, second, as a threat. Then, the explanation of R square discrepancies will provide additional insights. After organizational measures implementation (past = 1), all but one direct effect decreases, and the moderating effects are not significant regarding the adoption of benefits maximizing and benefits satisficing strategies. The effect of perceived BYOD-related opportunity on the adoption of benefits maximizing strategies decreases (® = 0.68*** ⇨ 0.39***) but remains strong while the effect on benefits satisficing strategies (® = 0.46*** ⇨ 0.08 NS ) becomes nonsignificant. The influence of perceived control increases (® = 0.20** ⇨ 0.41***) for benefits maximizing strategies and becomes quasi-null for benefits satisficing strategies (® = 0.21* ⇨ 0.07 NS ). These results reflect that managers' initial expectations of BYOD-related opportunities may be reduced after implementation of measures. The managers' coping strategies aim to increase benefits, capabilities and performance (Fig. 3) . Regarding perceived threats, other noticeable while less significant differences appear between the two subgroups. After implementation, the effects of perceived control are much more differentiated for both the disturbance handling and the self-preservation strategies (respectively, ® = 0.52*** and 0.20*) than before implementation (respectively, ® = 0.39*** and 0.28***). The effect of perceived threat remains unchanged after implementation for disturbance handling (® = 0.43*** ⇨ 0.40***), and it becomes significantly negative for self-preservation (®=−0.17 NS ⇨ -0.26**). This influence is reinforced by the moderating effect of perceived control on the relationship between threat appraisal and the adoption of a self-preservation strategy. While this effect is not significant before implementation (® = 0.11 NS ), it becomes much more important (® = 0.25***) after implementation. This finding may reflect the fact that certain managers stop implementing security measures after a certain time. Interestingly, after retesting the items for the 'after implementation' subgroup, the most influential item is "potential risks resulting from BYOD cannot affect my company's information security" (SP2) while "I gave up taking precautions" (SP1) becomes less relevant. Fig. 4 represents the "simple slope analysis" of the moderating effect of perceived control on the relationship between threat appraisal and the adoption of a self-preservation strategy (®= −0.26**). Three lines correspond to moderating effect, at one standard deviation above the mean of the moderator (upper line, +1 SD, +0.25), at the mean of the moderator (central line, null effect, i.e., direct effect of threat only), and at one standard deviation below the mean of the moderator (lower line, −1 SD, −0.25), respectively. Hence, for high levels of control over the implementation of security measures, managers may believe they are sufficiently protected. This result is illustrated by the upper line in Fig. 4 (slope ∼ −0.26 + 0.25= −0.01). In contrast, low perceived control over the implementation of security measures strongly and negatively influences managers' self-preservation behavior. The lower line in Fig. 4 exhibits a steeper negative slope (∼−0.26-0.25= −0.51). Hence, the effect of threat combined with the moderating effect of perceived control (−0.51) compensates for the direct effect of perceived control on self-preservation (® = 0.20*). Consequently, when they perceive low control over the implementation of security measures, managers are discouraged from adopting self-preservation strategies. All these discrepancies exert cumulative effects on the R square values for the adopted coping strategies (see Table 3 ). The most significant result is the vast decrease in the explanatory power of the model for the benefits satisficing strategy (R² = 0.33 ⇨ 0.07) after implementation. This result is explained by the influences of opportunity appraisal and control over implementation in the adoption of benefits satisficing strategies that were strong before implementation and became nonsignificant after (® = 0.46*** ⇨ 0.08 NS and ® = 0.21* ⇨ 0.07 NS , respectively). Referring to the enriched model (see Fig. 2 ), performance expectancy, cost advantages, and business process improvement become insufficient to satisfy managers. Concretely, maximizing the use of BYOD in their companies becomes their main purpose. We can assume that after implementation, managers are less engaged in benefits satisficing strategies. The explanatory power of the model before implementation is higher because of high expectations as reflected by the stronger impact of opportunity appraisal. After implementation, the explanatory power for taking security measures increases (for disturbance handling, R² = 0.24 ⇨ 0.39), mainly due to the increase in perceived control over implementation. For self-preservation, the explanatory power also increases (R² = 0.18 ⇨ 0.25), mainly due to the higher moderating effect of perceived control Fig. 3 . Path coefficients and significance for Past = 0 (159 managers) and for Past = 1 (178 managers). *** p < 0.001, ** p < 0.01, * p < 0.05. 7 For example: for the first line, the path coefficient delta 0.29 corresponds to 0.68-0.39. Y. Barlette, et al. International Journal of Information Management xxx (xxxx) xxxx over implementation on the relationship between threat and the selfpreservation coping strategy. We can assume that some managers, while having more control over the implementation of security measures, adopt more passive strategies because they think they have reached a satisfactory level of security. After computing the average value of both perceived control variables, it is clear that before implementation, perceived control is below average 8 whereas it increases after implementation (See Table 4 ). In our overall model, we noted that while exhibiting strong and significant values, the results for H3b, H5b and H6b were all opposite to what was hypothesized; hence, these hypotheses were not supported. The examination of Tables 2 and 4 allows us to provide another explanation that relativizes our initial hypotheses. We observed that the perception of a threat discourages the adoption of self-preservation strategies (more passive) and encourages the adoption of disturbance handling strategies (i.e., implementing security measures). In contrast, perceived control tends to foster (direct and moderating effects) selfpreservation strategies. The higher overall influence of perceived control may reflect the fact that, after the implementation of security measures, managers tend to presume a high level of security, as reflected in both retained indicators for the self-preservation strategy: the "potential risks resulting from BYOD cannot affect my company's information security" (SP2); therefore, "I gave up taking precautions" (SP1). Consequently, we can assume a "stop-and-start process" restarted by the threat appraisal, which leads to the implementation of information security measures (disturbance handling strategies), results in higher perceived control, and leads to a (false?) sense of immunity, after which no more precautions are implemented (self-preservation strategies). However, the perception of new threats restarts the implementation of new security measures; hence, a cycle is quite possible. Our results could be subject to common method bias since the survey data were self-reported, and behavior was not actually measured since it resulted from self-assessments by managers (Straub, Limayem, & Karahanna-Evaristo, 1995) . Consequently, we adopted the following measures to assess and minimize potential CMB. First, we integrated the a priori procedural remedies recommended by Podsakoff, MacKenzie, and Podsakoff (2012) . We used pre-tests to improve our scale items and reduce potential ambiguities, and we broke the routine of questions based on Likert scales by regularly including multiple-choice questions. Second, the path coefficients of the structural model exhibit different levels of significance. Third, we applied Lindell and Whitney's (2001) correlational approach. Hence, we included in our model the blue attitude construct as an a priori "ideal" marker variable (MV) (Simmering, Fuller, Richardson, Ocal, & Atinc, 2015, p. 491) , which is theoretically uncorrelated with the other variables included in the model (see Appendix A). The results (see Appendix E) show that the highest correlation between the MV and the latent variables included in our model is 3.46 %, which is far less than the threshold of 9 % (Siemsen, Roth, & Oliveira, 2010) . These three elements allow us to believe that CMB is not a critical issue in our study. The effectiveness of BYOD-related changes depends not only on users' acceptance but also on how managers react to and incorporate employees' initiatives to introduce and use their own devices for business purposes (Leclercq-Vandelannoitte, 2015b) . This research builds on this issue and makes several theoretical contributions. First, our results show that adopted behaviors exhibit significant differences before and after implementation. Before implementing regulating measures, managers can have overrated expectations related to BYOD benefits, and after implementation, these expectations diminish, making way for greater influence of control over implementation, with a positive effect on benefits maximizing strategies and negative effects on benefits satisficing strategies. Hence, after implementation, perceived opportunity only fosters benefit maximization, and benefits satisficing strategies are abandoned. After implementation, the threat appraisal fosters disturbance handling and restrains self-preservation strategies. A stop-and-start process occurs whereby managers implement security measures, gain perceived control and tend to stop implementing other security measures until new threats are perceived. In addition, the explanatory power of our models is increased after the implementation of coping strategies related to threats, while it decreases for opportunistic coping strategies. These results emphasize the importance of integrating pre-versus post-implementation periods into such studies. Although the previous literature has highlighted the interest of the period (Beaudry & Pinsonneault, 2005; Karahanna et al., 1999; Marler et al., 2009; Taylor & Todd, 1995; Thompson et al., 2006; Veiga et al., 2014; Vieru & Rivard, 2014) , it has not investigated the differences between BYOD-related practices before and after IT implementation. Hence, the results of this study make an interesting theoretical contribution to the existing work on MIS linked to specific and ever-growing BYOD practices. Second, we also extend the current literature on reversed IT adoption and BYOD through the investigation of managers' adaptation strategies to cope with the BYOD phenomenon. Contrary to a classical top-down IT adoption process, BYOD leads managers to react and adapt themselves to a reversed adoption logic over which their control is limited, mainly because they do not own the devices. Their coping strategies reflect how they can address BYOD usage to maximize (or not) the benefits that they perceive -related to BYOD usage by employees-and to minimize (or not) the BYOD-related threats, depending on their own perceptions of the BYOD phenomenon and their perceived control over the regulation measures that they may/should implement. Third, while the prior research on information security has mainly examined individual compliance and security behaviors, the current study extends this knowledge by investigating the implementation of security measures at an organizational level by managers. On the one hand, this approach provides a more holistic view of BYOD policies which is relatively scarce in the current literature focused on the BYOD usage phenomenon. On the other hand, this approach allows setting the focus on decision-makers in terms of BYOD-related policies and practices. Fourth, our research extends the previous research on the CMUA. While Beaudry and Pinsonneault (2005) stated that an IT event could be perceived both as an opportunity and as a threat, the qualitative interviews that they conducted with 6 account managers linked each respondent with one coping strategy. Hence, this study has separately investigated opportunities and threats. However, since IT events are multifaceted and encompass both opportunities and threats, they are likely to result in distinctive adaptation strategies (Lazarus & Folkman, 1984) . Our work extends the current research because it integrated both types of appraisals by exploring a continuum from threat to opportunity perceptions and permitted us to shed light on the resulting coping strategies. This process also allowed us to identify the differentiated impacts of opportunities and threats on the corresponding strategies. A quantitative study from Elie-Dit-Cosaque and Straub (2011) addressed 168 students: the authors assessed the primary appraisal through scenarios, and the secondary appraisal (level of control) was reduced to a control/no control assessment. Since the authors used scales, they computed the means of their constructs' indicators for each case, instead of conducting more sophisticated analyses, such as structural equation modeling. Our work confirms some of their results: When an IT event is perceived as an opportunity, we can note an important prevalence of benefits maximizing over benefits satisficing strategies. In the case of a threat, the strategies are much closer, and disturbance handling is mainly adopted in the case of high control. However, we do not confirm the link between low behavioral control and the adoption of self-preservation strategies. Several explanations can be proposed. First, the population is different (students vs. executives in charge of a team). Executives might react differently than students do. Second, they examined different strategies, with their threat appraisal leading to coping strategies related to lack of interest in new software (self-preservation) or failure to achieve better performance with this software (disturbance handling), while we focused on strategies to address information security risks (implementing measures for DH and disengagement and denial for SP). Moreover, since their scenarios could distinguish opportunities and threats, the authors could not assess a precise level for the primary appraisal. Using additional constructs for the primary appraisal measurements, we could enrich the CMUA model (see also our last and methodological implication) and obtain a more precise assessment. We contribute to the literature by showing that the primary appraisal exerts a stronger effect on the choice between coping strategies than behavioral control does (secondary appraisal). Bhattacherjee et al. (2018) used the CMUA to investigate individuals' behaviors in the context of mandated IT use. They replaced the usual coping strategies with a typology of behaviors ranging from resistance to acceptance, which reduced the possibilities of comparison with our research. However, they confirmed that emotional and behavioral reactions can coexist and coemerge in response to IT events. Our results underscore that individuals can adopt a spectrum of different types of behaviors (problem and emotion focused) to address specific situations, even in a context of reversed IT adoption. We thus extend the prior research, which mainly considered one type of behavior, such as the intensity of (non-)compliance. Fifth, we contribute to the literature on emotion-focused (benefits satisficing and self-preservation) strategies . These more passive behaviors have been seldom investigated in comparison with more active and problem-focused strategies (i.e., benefits maximizing or disturbance handling by implementing information security measures) in the context of IT adoption and in the context of ISS. Theoretical contributions on passive behavior are even more important to consider given that a company's employees have an increasingly strong action on the choice of tools they use in a professional context. As a result, the rational proactive actions of managers give greater importance to passive behaviors according to an IT reversed adoption logic Leclercq-Vandelannoitte & Bertin, 2018; . Finally, from a methodological point of view, this paper fully operationalizes the CMUA through structural equations and extends it through several latent constructs: using formative higher-order constructs, the CMUA was extended to opportunity appraisals with three reflective lower-order constructs borrowed from Kim et al. (2017) and Moore and Benbasat (1991) and to threat appraisals with two reflective lower-order constructs adapted from Rogers' (1983) protection motivation theory (Siponen et al., 2014) . In addition, while the prior research has been more qualitative (Beaudry & Pinsonneault, 2005 Bhattacherjee et al., 2018) or has used calculated average values to distinguish high from low control (Elie-Dit-Cosaque & Straub, 2011), we operationalized the CMUA's "perceived behavioral control" with moderating and direct effects. Significant influences could be identified for the two types of effects with a prevalence of direct influences over moderating effects. Even if the adoption of BYOD is initiated by employees, managers are aware, but only to some extent, of the opportunities and threats associated with BYOD. Our results showed that, when anticipating BYOD adoption by employees, certain managers can expect "just" enjoying the benefits of more performance, limited expenses and improved business processes. However, after having addressed BYOD usage in their company or service, managers are more sensitive to actually maximizing these benefits. Bhattacherjee et al. (2018) showed that the perception of an IT event as an opportunity when feeling great control over the situation was also synonymous with engagement, Y. Barlette, et al. International Journal of Information Management xxx (xxxx) xxxx which is very important in terms of top management support (Barlette & Jaouen, 2019; Boonstra, 2013) . Hence, initially raising managers' awareness and providing guidance regarding concrete means to optimize company performance and enhance business processes with BYOD, while reducing costs, would trigger TMS and thus save time in reaping the benefits from BYOD introduction in their companies. On the side of BYOD-related threats, addressing the risks is harder. Even if we could identify a stop-and-start process relaunched by the threat appraisal, self-preservation behaviors corresponding to denial -"Risks cannot affect me"-and distancing -"I gave up taking precautions" (see Appendix A) still exist. These behaviors may result not only from higher perceived control over protective behaviors but also from a certain amount of overconfidence, which is common among managers. Managers may not be aware of BYOD-related security issues potentially detrimental to their companies because they are not always actually experienced (Kankanhalli, Teo, Tan, & Wei, 2003) . Managers also have difficulties mastering technological innovations that they consider to be the responsibility of IT leaders. For instance, demonstrating through real-life examples the most common security issues and the actual impacts that they had on companies would help to increase managers' perceptions of potential threats (Schuetz, Lowry, Pienta, & Thatcher, 2020) . Hence, raising managers' awareness will enhance their disturbance handling behaviors, resulting in greater information security for their firms. Managers may also make decisions to improve information security in their company by observing other organizations making the same investment decisions and mimicking their decisions (Shao, Siponen, & Liu, 2020) . Given the importance of achieving a shared understanding of information security policies and measures in companies (Samonas, Dhillon, & Almusharraf, 2020) , even if managers are not technically skilled, through higher engagement and top management support (Feng et al., 2019; Indihar Štemberger et al., 2011; Kankanhalli et al., 2003) , they could provide more funding and could champion the implementation of security measures, charters, training sessions or awareness-raising campaigns (Herath et al., 2020; Soomro, Shah, & Ahmed, 2016) . In addition, TMS would optimize this implementation and favor the adherence of employees (Tobler et al., 2017) . This study generates policy implications linked to the recent European regulations on data protection (GDPR 9 ). By adding the need to demonstrate compliance with the obligation for security, the GDPR imposes a unified framework for the entire EU with financial penalties. The GDPR strengthens individual rights, empowers individuals' processing of data, and makes the regulations more credible through enhanced cooperation between data protection authorities. The implementation of the GDPR could be an opportunity to review charters and internal policies to clarify, among other things, the processes that should be implemented in the event of theft or loss of a private device or the procedures that should be carried out when an employee leaves a company. These issues are all the more important to be proactively considered in handling new contexts due to emergency situations, such as those encountered in pandemic contexts (Covid-19 for instance), which force organizations to work differently, for instance, favoring remote work and ensuring social distancing. Pandemic contexts can also force employees to use their own mobile devices because, to mitigate the health risks arising from direct contact between people, in lockdown situations, their professional devices are no longer accessible (Davison, 2020; Papagiannidis et al., 2020; Richter, 2020) . Organizations are increasingly supportive of BYOD from a theoretical perspective. However, when it comes to implementing it practically, organizations might hesitate because many personal devices and applications might not comply with such regulations. For example, the threats identified in Section 2.1.2 could lead to increased risks of leaks of personal data -exactly the opposite of what the GDPR aims to achieve. Hence, the practice of BYOD should be increasingly regulated, and the employer should be driven to review its entire organizational policy. Data protection, specifically related to personal data, must be implemented on private devices in accordance with the GDPR. Further, it is the employer, not the employee, who accepts full responsibility. This fact poses major legislative, technical and administrative challenges for both management and IT, particularly when a large number of different devices with specific operating systems and programs must be integrated into the same network. Thus, questioning internal processes and regulating BYOD usage become unavoidable and raise new theoretical issues. Despite the theoretical, methodological and managerial contributions of this study, several limitations must be considered. First, since the administration of our questionnaire was outsourced, we could not check for or address non-response bias. Second, despite our requirements to include CIOs in our sample, as the respondents were part of a panel, we could obtain only 35 responses. This small number did not permit us to perform significant subgroup analyses such as comparing CIOs with CEOs and other managers. Third, other personality factors and constructs could also play roles in the formation of BYOD-related threatening and beneficial perceptions. Such factors deserve future research. Fourth, the managers' actual BYOD coping strategies were solicited rather than observed. Consequently, self-reported coping strategies might differ to some extent from actual behavior, even if the respondents were guaranteed anonymity. The explanation proposed for the reversed effect of perceived control on self-preservation strategies deserves to be confirmed through further investigation, either through qualitative studies or through more precise questions integrated in future surveys. Using additional constructs borrowed from the 'ways of coping checklist' (Lazarus & Folkman, 1984) would enrich this measurement. In addition, several cognitive biases could influence managers' perceptions and consequently the potential risks or opportunities for firms. Interest in BYOD-related practices research is increasing due to emergency and disruptive events, such as the current pandemic of Covid-19. Studies of BYOD-related practices will be all the more important to conduct in contexts that require social distancing and remote work performed first out of necessity and then out of habit through the adoption and acceptance of new practices. More broadly, the results obtained regarding the distinction between pre-and post-implementation could be analyzed over a longer period, owing to a longitudinal study. Future research is needed to further investigate all of these issues. This research applied the CMUA to investigate the adaptation strategies adopted by managers to cope with the BYOD phenomenon. To this end, we analyzed the opportunity and threat appraisals of managers and the impacts on the adopted coping strategies in a context of reversed IT adoption. We extended the CMUA with a set of constructs allowing the assessment of managers' perceived threats and opportunities. Through a survey addressing 337 managers, our article contributes to the academic literature in IS by offering insights into managers' perceptions of BYOD adoption by employees. Four types of coping strategies are investigated and discussed, hereby extending the literature on IT adoption, reversed IT adoption, and information security. An important managerial implication of this paper is the identification of a "stop-and-start" process, reflecting evolution of managers' perceptions before and after addressing BYOD usage in their companies. Future research may extend this work, especially to other personality factors and constructs engaged in perceptions of opportunities and threats by managers, as reversed IT adoption is increasingly developing, and managers are known to play a strategic role. This research received support from the LabEx Entrepreneurship, University of Montpellier, France, funded by the French government (Labex Entreprendre, ANR-10-Labex-11-01). The authors report no declarations of interest. Cloud computing-enabled healthcare opportunities, issues, and applications: A systematic review Mind the gap: Cybersecurity's big disconnect -The CEO's guide to cybersecurity Generally speaking, context matters: Making the case for a change from universal to particular ISP research Information system capabilities and firm performance: Opening the black box through decision-making performance and business-process performance BYOD-related innovations and organizational change for entrepreneurs and their employees in SMEs Coping strategies and paradoxes related to BYOD information security threats in France Bring your own device in organizations: Extending the reversed IT adoption logic to security paradoxes for CEOs and end users The roots of misalignment: Insights on strategy implementation from a system dynamics perspective Mobile application security: Role of perceived privacy as the predictor of security perceptions Information security in SMEs: Determinants of CEOs' protective and supportive behaviors CEOs' information security behavior in SMEs: Does ownership matter? Systèmes d Understanding user responses to information technology: A coping model of user adaptation The other side of acceptance: Studying the direct and indirect effects of emotions on information technology use Opportunities and risks of software-as-a-service: Findings from a survey of IT managers An initial assessment of small business risk management approaches for cyber security threats User response to mandatory IT use: A coping theory perspective Work from home, securely How do top managers support strategic information system projects and why do they sometimes withhold this support? What do users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors A survey on smartphone user's security choices, awareness and education BYOD vs. CYOD: What is the difference? 9th IADIS International Conference on Information Systems Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness Why do small and medium enterprises use social media marketing and what is the impact: Empirical insights from India Prevention of cybercrimes in smart cities of India: From a citizen's perspective Cybersecurity report. Checkpoint researchTel Aviv A study of BYOD adoption from the lens of threat and coping appraisal of its security policy 3 big risks of BYOD Statistical power analysis for the behavioral sciences Mobile innovation applications for the BYOD enterprise user Why would I use location-protective settings on my smartphone? Motivating protective behaviors and the existence of the privacy knowledge-belief gap Espoused cultural values as antecedents of individuals' threat and coping appraisal toward protective information technologies: Study of The quest for complete security: An empirical analysis of users' multi-layered protection from security threats Predicting employee information security policy compliance on a daily basis: The interplay of security-related stress, emotions, and neutralization Footnotes to research on management innovation The transformative potential of disruptions: A viewpoint A framework of cloud-based virtual phones for secure intelligent information management Impact of BYOD on organizational commitment: An empirical investigation Fostering information security culture in small and medium size enterprises: An interpretive study in Australia Cybersecurity compliance behavior: Exploring the influences of individual decision style and other antecedents Opening the black box of system usage: User adaptation to disruptive IT Coping with rapid information technology change in different national cultures Erratum: Coping with rapid information technology change in different national cultures Statistical power analyses using G* Power 3.1: Tests for correlation and regression analyses How paternalistic leadership influences IT security policy compliance: The mediating role of the social bond Decision support approaches for cyber security investment Making the case for coping Appraisal, coping, and health status and psychological symptoms Employees say smartphones boost productivity by 34 percent: Frost & Sullivan research A systematic approach to investigating how information security and privacy can be achieved in BYOD environments Open shares in the trenches Research in psychology: Methods and design Privacy concerns for mobile app download: An elaboration likelihood model perspective The usage and adoption of cloud computing by small and medium businesses How pre-adoption expectancies shape postadoption continuance intentions: An extended expectation-confirmation model A primer on partial least squares structural equation modeling (PLS-SEM) When to use and how to report the results of PLS-SEM Advanced issues in partial least squares structural equation modeling The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions IT consumerization: When gadgets turn into enterprise IT tools A new criterion for assessing discriminant validity in variance-based structural equation modeling Testing measurement invariance of composites using partial least squares Organizational adoption of information security solutions: An integrative lens based on innovation adoption and the technology-organization-environment framework. The Data Base for Advances in Information Systems An espoused cultural perspective to understand continued intention to use mobile applications: A four-country study of mobile social media application usability This is my device! Why should I follow your rules? Employees' compliance with BYOD security policy Managing employee compliance with information security policies: The critical role of top management and organizational culture Achieving top management support with business knowledge and role of IT/IS personnel A pragmatic approach to managing enterprise IT infrastructures in the area of consumerization and individualization of IT Information security breaches and IT security investments: Impacts on competitors The impact of self-efficacy on stressor-strain relations: Coping style as an exploratory mechanism On the efficacy of smartphone security: A critical analysis of modifications in business students' practices over time Innovation at work: The relative advantage of using consumer IT in the workplace An integrative study of information systems security effectiveness Information technology adoption across time: A cross-sectional comparison of pre-adoption and post-adoption beliefs Toward a theory of information systems security behaviors of organizational employees: A dialectical process perspective A reversible and secure patient information hiding system for IoT driven e-health How employees engage with company cybersecurity policies Analysis of the determinants of software-asa-service adoption in small businesses: Risks, benefits, and organizational and environmental factors A study of mobile user engagement (MoEN): Engagement motivations, perceived value, satisfaction, and continued engagement intention Consumerization-conflict resolution and changing IT-user relationships Consumerization and IT department conflict Innovation through BYOD?: The influence of IT consumerization on individual IT behavior An investigation of a dynamic model of privacy trade-off in use of mobile social network applications: A longitudinal perspective ERP systems adoption: An exploratory study of the organizational factors and impacts of ERP success Psychological stress and the coping process Toward better research on stress and coping Stress, appraisal, and coping Leaving employees to their own devices: New practices in the workplace Managing BYOD: How do organizations incorporate user-driven IT innovations? Information Technology & People From sovereign IT governance to liberal IT governmentality? A Foucauldian analogy Problems with formative and higher-order reflective variables Threat or coping appraisal: Determinants of SMB managers' decision to adopt anti-malware software Investigating the impact of cybersecurity policy awareness on employees' cybersecurity behavior An exploratory study to understand the critical factors affecting the decision to adopt cloud computing in Taiwan hospital Understanding security behaviors in personal computer usage: A threat avoidance perspective What users do besides problemfocused coping when facing IT security threats: An emotion-focused coping perspective Accounting for common method variance in crosssectional research designs Mobile health: A carrot and stick intervention to improve medication adherence Leveraging social capital to obtain top management support in complex, cross-functional IT projects Why security and privacy research lies at the centre of the information systems (IS) artefact: Proposing a bold research agenda Employee self-service technology acceptance: A comparison of pre-implementation and post-implementation relationships Old risks, new challenges: Exploring differences in security between home computer and mobile device use Cyber-analytics: Modeling factors associated with healthcare data breaches Toward an' IT conflict-resistance theory': Action research during IT pre-implementation Executives' commitment to information security: Interaction between the preferred subordinate influence approach (PSIA) and proposal characteristics. The DATABASE for Advances in Information Systems When mobile is the norm: Researching mobile information systems and mobility as post-adoption phenomena Toward a unified model of information security policy compliance Development of an instrument to measure the perceptions of adopting an information technology innovation BYOD security challenges: Control and protect your most sensitive data How people perceive and will cope with risks from the diffusion of ubiquitous information and communication technologies Prioritization of multi-dimensional risk for digital services using the generalized analytic network process Understanding the impact of digital service failure on users: Integrating Tan's failure and DeLone and McLean's success model Studying users' computer security behavior: A health belief perspective Nokia threat intelligence report 2019 BYOD policy compliance: Risks and strategies in organizations WHO led the digital transformation of your company? A reflection of IT related challenges during the pandemic Exploring privacy paradox in information-sensitive mobile app adoption: A cross-cultural comparison Specifying formative constructs in information systems research Sources of method bias in social science research and recommendations on how to control it Improving employees' compliance through information systems security training: An action research study Locked-down digital work Cognitive and physiological processes in fear appeals and attitude change: A revised theory of protection motivation Stakeholder perceptions of information security policy: Analyzing personal constructs Capturing the complexity of malleable IT use: Adaptive structuration theory for individuals The effectiveness of abstract versus concrete fear appeals in information security Shall we follow? Impact of reputation concern on information security managers' investment decisions. Computers & SecurityArticle 101961 Common method bias in regression models with linear, quadratic, and interaction effects Marker variable choice, reporting, and interpretation in the detection of common method variance Genie is out of the bottle -'devil or angel' Employees' adherence to information security policies: An exploratory field study Android application classification and anomaly detection with graph-based permission patterns Information security management needs more holistic approach: A literature review Coping intelligence: Coping strategies and organizational commitment among boundary spanning employees Charting your organization's bringyour-own-device voyage Measuring system usage: Implications for IS theory testing Making use of cloud computing for healthcare provision: Opportunities and challenges IT systems put security into health care cybersecurity Understanding information technology usage: A test of competing models Intentions to use information technologies: An integrative model Security begins at home": Determinants of home computer and mobile device security behavior Longitudinal analysis and coping model of user adaptation Coping with BYOD security threat: From management perspective Learning to cope with information security risks regarding mobile device loss or theft: An empirical examination Motivating IS security compliance: Insights from habit and protection motivation theory The longitudinal impact of enterprise system users' pre-adoption expectations and organizational support on post-adoption proficient usage User acceptance of information technology: Toward a unified view Organizational identity challenges in a post-merger context: A case study of an information system implementation project Perceived argument quality's effect on threat and coping appraisals in fear appeals: An experiment and exploration of realism check heuristics It consumerization: BYOD-program acceptance and its impact on employer attractiveness Determinants of intention to participate in corporate BYOD-programs: The case of digital natives IT innovations from the consumer market as a challenge for corporate IT Analysis of protective behavior and security incidents for home computers Mobile device adaptation efforts: The impact of hedonic and utilitarian value Explaining users' security behaviors with the security belief model Security lapses and the omission of information security measures: A threat control model and empirical test The privacy trade-off for mobile app downloads: The roles of app value, intrusiveness, and privacy concerns Anger or fear? Effects of discrete emotions on employee's computer-related deviant behavior Employees' information security policy compliance: A norm activation perspective Role of perceived value in acceptance of "bring your own device" policy Integrating TTF and UTAUT to explain mobile banking user adoption Toward a theory of perceived benefits, affective commitment, and continuance intention in social virtual worlds: Cultural values (indulgence and individualism) matter Harmonized authentication based on ThumbStroke dynamics on touch screen mobile phones Montpellier Business School (MBS) is a founding member of the public research center Montpellier Research in Management, MRM (EA 4557, Univ. Montpellier). Supplementary material related to this article can be found, in the online version, at doi:https://doi.org/10.1016/j.ijinfomgt.2020. 102212.