Salvatore Aurigemma,Thomas Mattson

DOI: https://doi.org/10.1109/hicss.2015.424

2015-01-01

Abstract:Using the theory of planned behavior, this paper investigates the relationship between an employee's social status, perceived controllability of co-workers' actions and individual self-efficacy in terms of predicting an employee's perceived behavioral control over and his/her intention to comply with an organization's information security policies. The reported findings in this paper from a survey of 182 employees of a large government organization suggest that decomposing perceived behavioral control into controllability and self-efficacy has more predictive power than using simpler proxies (i.e. Self-efficacy alone) advocated in previous literature, and an employee's status in the organizational hierarchy has both a direct and a moderating effect on an employee's perceived behavioral control (but not on self-efficacy).

Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Fan Zhou,Hongxu Lu,Chunping Jiang

DOI: https://doi.org/10.1016/j.ssci.2023.106353

IF: 6.392

2024-01-01

Safety Science

Abstract:Non-compliant behaviors have been indicated to be leading indicators of accidents in workplaces. Though most studies treat intentional non-compliant behavior or violations as monolithic indicators for adverse safety performance, non-compliant behaviors might take different forms with distinct motives and outcomes. To examine and compare the effects of different forms of non-compliant safety behavior, we proposed a construct of risk-adjusted non-compliant behavior, which refers to employees' deliberate deviation from safety rules while considering safety concerns and adjusting their behavior accordingly, and investigated the differential antecedent effects by contextual factors and consequential effects on safety outcomes. By a sample of 390 workers and their supervisors in a power grid construction firm, the results of our study indicated that safety climate and transformational leadership were positively associated with safety compliance and negatively associated with violation by multi-level analyses. However, active transactional leadership also had a positive association with risk-adjusted non-compliant behavior, and this association was moderated by safety climate such that the relationship was stronger in higher level of safety climate. Furthermore, although risk-adjusted non-compliant behavior did not significantly affect penalties for deviance compared to violation behavior, it increased the workers' risk perception of hazard. The implications of these findings for theory were discussed.

Salvatore Aurigemma,Thomas Mattson

DOI: https://doi.org/10.1016/j.cose.2017.11.001

IF: 5.105

2018-01-01

Computers & Security

Abstract:In this paper, we investigate the main and qualifying effect of Hofstede's uncertainty avoidance dimension (i.e., a culture's acceptance of ambiguous or uncertain situations) of national culture on an individual's protection motivation intentions (using protection motivation theory) to adopt an information security control voluntarily. Uncertainty avoidance is particularly relevant to protection motivation theory and voluntary security related actions, because individuals often perceive high levels of ambiguity related to the threat and the mitigating control that can be adopted voluntarily. The voluntary action that we investigated in this paper is the adoption of password managers due to the perceived uncertainty associated with the threat of having poor password management practices and the ambiguity related to the efficacy of adopting a password manager to mitigate this threat. Using a survey of 227 nationally diverse individuals, we found that uncertainty avoidance qualified the impact of perceived threat vulnerability and perceived threat severity on protection motivations to adopt a password manager voluntarily. In our data, the differential effect of uncertainty avoidance on perceived threat vulnerabilities was greater for those individuals reporting a below average level of uncertainty avoidance relative to an above average level of uncertainty avoidance, but we found the opposite qualifying effect on perceived threat severity. Counter to what we hypothesized, we found that the effect of uncertainty avoidance on protection motivations was negative. These results generally hold for the core and full PMT models. Our study suggests that a one-size fits all approach to security awareness education and training (especially for voluntary security actions) may not be appropriate due to the differential effect associated with individuals from different national cultures.

Adel Yazdanmehr,Jingguo Wang,Zhiyong Yang

DOI: https://doi.org/10.1111/isj.12271

2020-01-01

Abstract:Information security in an organization largely depends on employee compliance with information security policy (ISP). Previous studies have mainly explored the effects of command-and-control and self-regulatory approaches on employee ISP compliance. However, how social influence at both individual and organizational levels impacts the effectiveness of these two approaches has not been adequately explored. This study proposes a social contingency model in which a rules-oriented ethical climate (employee perception of a rules-adherence environment) at the organizational level and susceptibility to interpersonal influence (employees observing common practices via peer interactions) at the individual level interact with both command-and-control and self-regulatory approaches to affect ISP compliance. Using employee survey data, we found that these two social influence factors weaken the effects of both command-and-control and self-regulatory approaches on ISP compliance. Theoretical and practical implications are also discussed.

Princely Ifinedo

DOI: https://doi.org/10.1080/08874417.2022.2065553

2022-04-20

Journal of Computer Information Systems

Abstract:Organizations whose employees participate in risky cybersecurity behaviors (RCySecB) could suffer disastrous consequences either directly or indirectly from actions linked to such behaviors. This study used conceptualizations facilitated by Attribution Theory to examine the effects of dispositional factors (self-control and knowledge of IS security threats/risks and their potential consequences) and situational factors (security, education, training, and awareness (SETA) programs and computer monitoring) in reducing employee participation in RCySecB. Data was collected from a survey of working professionals in India, and relevant hypotheses were formulated. The PLS technique was used for data analysis. This study investigated the direct effects of the factors on the dependent construct and analyzed the interacting effects of the constructs as well. The results indicate that all factors reduce employee participation in RCySecB. However, the joint effects of the situational factor elements and the dispositional factor of personal knowledge security threats/risks and their potential consequences were insignificant in the model.

computer science, information systems

Aristotle Onumo,Irfan Ullah-Awan,Andrea Cullen

DOI: https://doi.org/10.1145/3424282

2021-06-01

ACM Transactions on Management Information Systems

Abstract:The increase in cybersecurity threats and the challenges for organisations to protect their information technology assets has made adherence to organisational security control processes and procedures a critical issue that needs to be adequately addressed. Drawing insight from organisational theory literature, we develop a multi-theory model, combining the elements of the theory of planned behaviour, competing value framework, and technology—organisational and environmental theory to examine how the organisational mechanisms interact with espoused cultural values and employee cognitive belief to influence cybersecurity control procedures. Using a structured questionnaire, we deployed structural equation modelling (SEM) to analyse the survey data obtained from public sector information technology organisations in Nigeria to test the hypothesis on the relationship of socio-organisational mechanisms and techno-cultural factors with other key determinants of employee security behaviour. The results showed that knowledge of cybersecurity and employee cognitive belief significantly influence the employees’ intentions to comply with organisational cybersecurity control mechanisms. The research further noted that the influence of organisational elements such as leadership on employee security behaviour is mediated by espoused cultural values while the impact of employee cognitive belief is moderated by security technologies. For effective cybersecurity compliance, leaders and policymakers are therefore to promote organisational security initiatives that ensure incorporation of cybersecurity principles and practices into job descriptions, routines, and processes. This study contributes to behavioural security research by highlighting the critical role of leadership and cultural values in fostering organisational adherence to prescribed security control mechanisms.

Han Li,X. Luo,Jie Zhang,R. Sarathy

2014-01-01

Abstract:Employees’ violation of Internet use policy exposes firms to increasing security risks from cyber-attacks. Extant studies on security policy compliance have largely ignored the role of dispositional and contextual factors in employees’ decision. Drawing on the literature in criminology, this paper extended the rational choice theory by integrating low self-control and two organizational context factors to have a fine-grained understanding of the decision making process involved in Internet use policy compliance. The results will help indicate whether employees’ compliance intention is influenced by the cost-benefit calculus adjusted by their low self-control disposition, procedural justice perception and organizational moral climate. Research results are expected to be presented at the conference.

Political Science

Allen C Johnston,Merrill Warkentin,Maranda McBride,Lemuria Carter

DOI: https://doi.org/10.1057/ejis.2015.15

2016-05-01

European Journal of Information Systems

Abstract:Insiders represent a major threat to the security of an organization’s information resources. Previous research has explored the role of dispositional and situational factors in promoting compliant behavior, but these factors have not been studied together. In this study, we use a scenario-based factorial survey approach to identify key dispositional and situational factors that lead to information security policy violation intentions. We obtained 317 observations from a diverse sample of insiders. The results of a general linear mixed model indicate that dispositional factors (particularly two personality meta-traits, Stability and Plasticity) serve as moderators of the relationships between perceptions derived from situational factors and intentions to violate information security policy. This study represents the first information security study to identify the existence of these two meta-traits and their influence on information security policy violation intentions. More importantly, this study provides new knowledge of how insiders translate perceptions into intentions based on their unique personality trait mix.

information science & library science,management,computer science, information systems

Ying Li,Nan Zhang,Mikko Siponen

DOI: https://doi.org/10.1080/0144929x.2018.1539519

2019-01-01

Abstract:Employees' violation of information security policies is a major threat to an organisation. Some violations such as using an easy-to-guess password or storing confidential data on personal unencrypted flash drives usually do not cause immediate harm; instead, these actions create security flaws that can be attacked in the future and cause delayed consequences. We call such behaviour consequence-delayed information security violation (CDISV). The ignorance or denial of the possible delayed consequences is the main reason employees engage in such insecure behaviour. Due to the delay between the action and the consequence, a long-term mindset could play an important role in employees' current decision-making. Specifically, in this study, we propose that long-term orientation is an influential factor in decreasing CDISV. The long-term orientation includes three dimensions: continuity, futurity, and perseverance. In addition, based on the stewardship theory and the needs theory, we further propose that value identification and the fulfilment of higher-order needs (trusted relationship and growth) are important drivers for employees to have a long-term orientation. We collected survey data using the 170 responses we received from a global company's employees. The empirical results support our arguments. Our findings provide implications to organisations to encourage employees' information security behaviours.

Carlos I. Torres,Robert E. Crossler

DOI: https://doi.org/10.1287/isre.2021.0563

IF: 4.9

2024-07-01

Information Systems Research

Abstract:Organizations worldwide face critical concerns related to cybersecurity threats and information security policy (ISP) compliance. Even though humans are the weakest link in the cybersecurity chain, information security professionals understand the importance of promoting individual information security behaviors because employees are also the first line of defense against ever-increasing cyber threats. Despite a recent trend of working from home, organizations do not make significant differences in their information security interventions for remote workers, relying mainly on VPNs as the only used tool, essentially making employees follow in-office standard information security policies because they are “virtually in-office.” Our study suggests that organizations need to recognize the unique context of remote work and consider personal motivations when shaping information security practices. Furthermore, our study indicates that in order to motivate remote employees to follow secure information security practices, organizations should consider personal characteristics instead of focusing on generic interventions. For instance, our study compares onsite and remote workers, suggesting that personal values are more relevant in remote work settings. Our findings exemplify just one of the many potential personal characteristics to be considered, highlighting how personal values are important motivators for ISP compliance and how they differ for onsite and remote workers in their importance when following information security rules.

information science & library science,management

Han Li,X. Luo

2014-01-01

Abstract:Employees’ violation of Internet use policy exposes firms to increasing security risks from cyber-attacks. Extant studies on security policy compliance have largely ignored the role of dispositional and contextual factors in employees’ decision. Drawing on the literature in criminology, this paper extended the rational choice theory by integrating low self-control and two organizational context factors to have a fine-grained understanding of the decision making process involved in Internet use policy compliance. The results will help indicate whether employees’ compliance intention is influenced by the cost-benefit calculus adjusted by their low self-control disposition, procedural justice perception and organizational moral climate. Research results are expected to be presented at the conference.

Mansour Naser Alraja,Usman Javed Butt,Maysam Abbod

DOI: https://doi.org/10.1016/j.cose.2023.103208

IF: 5.105

2023-06-01

Computers & Security

Abstract:Information security threats have a severe negative impact on enterprises. Organizations rely on employee compliance with information security policies to eliminate or reduce these hazards. The Unified Model of Information Security Policies Compliance (UMISPC) is employed to identify the factors that may affect employees' intention towards compliance with information systems security policy and reactance in a global setting. The study was assessed in two phases. The model's validity and measurement reliability were evaluated in the first phase, while in the second phase, all preliminary model relationships were appraised. This was achieved utilizing structural equation modelling to establish whether the proposed constructs, i.e. neutralization, response efficacy, fear, threat, habit and role values were good predictors for intention or reactance towards compliance with information systems security policy. Participants included 348 employees from 7 nations, i.e. the USA, the UK, Oman, India, Pakistan, Malaysia, and the Philippines. SmartPLS v. 3.3.9 was used for data analysis. The models' measurement reliability and validity were affirmed. Fear and role values have a significant influence on intention toward ISPC. RE significantly predicted threat which in turn significantly predicted fear, and the latter demonstrated a significant effect on reactance as well as Neutralization predicted reactance. In contrast, habit failed to reach a significant influence on intention towards ISPC. The implications are presented, together with proposals for further studies. Our findings are helpful for ISS literature and application by supporting the crucial functions of role values in encouraging employees to behave in a compliant manner. Additionally, it is regarded as the first empirical attempt to estimate intended compliance concerning ISPs in higher education from a worldwide viewpoint.

computer science, information systems

Jie Zhang,Brian J. Reithel,Han Li

DOI: https://doi.org/10.1108/09685220910993980

2009-10-09

Information Management & Computer Security

Abstract:Purpose – The purpose of this paper based on compensation theory, is to incorporate perceived technical security protection into the theory of planned behavior and examined factors affecting end‐user security behaviors, specifically, compliance with security policies.Design/methodology/approach – An online survey is conducted to validate the proposed research model. The survey is sent out to an industrial panel. A total of 176 usable responses are received and used in the data analysis.Findings – The results show that both perceived behavioral control (PBC) and attitude have significant impact on intention to comply with security policy. Perceived technical protection affects behavioral intentions both indirectly, through PBC, and directly. The negative direct effect (i.e. perceived high technical protection leads to low intention to comply with security policy) suggests possible risk compensation effects in the information security context.Practical implications – This result should be of interest to pra...

Computer Science

Dustin Ormond,Merrill Warkentin,Robert E. Crossler,,,

DOI: https://doi.org/10.17705/1jais.00586

2019-01-01

Journal of the Association for Information Systems

Abstract:Information systems security behavioral research has primarily focused on individual <em>cognitive processes</em> and their impact on information security policy noncompliance. However, <em>affective processes</em> (operationalized by affective absorption and affective flow) may also significantly contribute to misuse or information security policy noncompliance. Our research study evaluated the impact of affective absorption (i.e., the trait or disposition to allow one's emotions to drive decision-making) and affective flow (i.e., a state of immersion with one's emotions) on cognitive processes in the context of attitude toward and compliance with information security policies. Our conceptual model was evaluated using a laboratory research design. We found that individuals who were frustrated by work-related tasks experienced negative affective flow and violated information security policies. Furthermore, perceptions of organizational injustice increased negative affective flow. Our findings underscore the need for understanding affective processes as well as cognitive processes which may lead to a more holistic understanding regarding information security policy compliance.

information science & library science,computer science, information systems

Ashraf Mady,Saurabh Gupta,Merrill Warkentin

DOI: https://doi.org/10.1111/isj.12424

IF: 7.767

2023-01-11

Information Systems Journal

Abstract:Organisations implement a variety of knowledge mechanisms such as information security education, training and awareness (SETA) programs and information security policies, to influence employees' secure behaviour. Despite increased efforts to provide information systems (IS) security knowledge to employees, data breaches and other security incidents resulting from insider behaviour continue. Recent IS security research, primarily grounded on assumptions of employees' rational assessment of numerous factors, has yielded inconsistent results. Challenging this paradigm, we model secure behaviour on security knowledge mechanisms, which focuses on the multidimensional nature of security knowledge breadth, depth and finesse to represent the full array of managerial levers. We further draw on construal level theory to conceptualise users' perceptual judgements of security messages. Two studies support our model, with the second building on the first. Study 1, an experiment with 312 participants, focused on validating the treatments. Study 2, a survey with 219 participants, validated the entire model. Results showed that our model has significantly more explanatory and predictive power than the orthodox paradigm. Our results have practical implications for optimising the organisation of knowledge mechanisms by emphasising the personal relevance of threats and defining the factors that lead to secure behaviour. We also contribute to the discourse on information security research and provide a template for integrating theories, thus opening new avenues for future research.

information science & library science

Rosalind H. Searle,Charis Rice

DOI: https://doi.org/10.1080/1359432x.2024.2344870

2024-04-27

European Journal of Work and Organizational Psychology

Abstract:High security organizations utilize a fine balance between control and trust to maintain stability. Drawing on qualitative interviews with managers and employees concerning three Counterproductive Work Behaviour (CWB) incidents occurring within a "high control" organization, we explore the impact of this trust-control dynamic on individuals' sensemaking, social relations and workplace behaviours. We explore Human Resource Management (HRM) control practices, contrasting levels of control (over and under-control), form (formal and informal), and consistency of control management, that variously destabilize the balance of trust and control. Framed by this dynamic, employees undertake CWB as a means of maintaining their trusting relationships, professional goals and well-being in an unpredictable workplace. We demonstrate the value of understanding the trust-control dynamic for CWB and identify potential lessons for prevention.

psychology, applied,management

John D’Arcy,Anat Hovav

DOI: https://doi.org/10.1007/s10551-008-9909-7

IF: 6.331

2008-08-27

Journal of Business Ethics

Abstract:Research from the fields of criminology and social psychology suggests that the deterrent effect of security countermeasures is not uniform across individuals. In this study, we examine whether certain individual characteristics (i.e., computer self-efficacy) or work arrangement (i.e., virtual status) moderate the influence of␣security policies, security education, training, and awareness (SETA) program, and computer monitoring on information systems misuse. The results suggest that computer savvy individuals are less deterred by SETA programs and computer monitoring, while these countermeasures are also less influential (from a deterrence perspective) on employees that spend more working days outside the office. Implications for both the research and practice of information security are discussed.

business,ethics

Ying Li,Ting Pan,Nan Zhang

DOI: https://doi.org/10.1109/access.2019.2949079

IF: 3.9

2019-01-01

IEEE Access

Abstract:The purpose of information systems (IS) security behavior, represented by the difference between work and personal purpose, has been neglected in the research of user's IS security behavior. This is especially important for the organizations that allow or inevitably allow their employees to do personal tasks during work hours, because it may bring big threats to an organization's IS. Unfortunately, few empirical studies have examined if different behavioral purpose, typically, work/personal purpose, affects users' IS security behavior decision. Based on boundary theory and the idea of multidimensional rationality, we argue that people demarcate a psychological boundary for work and personal usages of IS and thus apply different rationalities to make IS security-related decisions. Our empirical investigation indicates that in a work usage context, people apply rule-based rationality and therefore are more influenced by mandatoriness and facilitating conditions. Whereas in a personal usage context, people apply outcome-based rationality and therefore are more concerned with task benefits and costs. The findings imply that organizations and vendors may devise different measures to ensure users' IS security behavior in different contexts.

Alison J. Bianchi,Soong Moon Kang,Daniel Stewart

DOI: https://doi.org/10.1287/orsc.1100.0580

2012-04-01

Organization Science

Abstract:Organizations mediate societal cultural belief systems and group-level encounters by filtering, and sometimes transforming, social information regarding which status characteristics are salient during group encounters embedded within organizations. This study uses status characteristics theory to add to our understanding of social status within organizations by explaining why organizations matter in determining which status characteristics will be activated within task groups. By analyzing status rankings within an organization of open source software programmers, we find that the organization develops its own unique shared belief system, which inculcates actors with beliefs about status characteristics that are potentially unique within the boundaries of the organization. Specifically, in this study we find that through a process of status generalization, organizational members create new status markers (location) that are potentially only meaningful for the given social situation, and they selectively nullify others (education and age). To the best of our knowledge, the current study is the first work in the expectation states tradition to demonstrate an outcome for an organization-level selection process for status characteristics. This paper adds to status characteristics theory by empirically analyzing how organizational contexts create boundaries around groups in which new and extant status characteristics are activated and in which predefined characteristics inherited from more global, society-level contexts are deactivated.

management