Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Princely Ifinedo

DOI: https://doi.org/10.1080/08874417.2022.2065553

2022-04-20

Journal of Computer Information Systems

Abstract:Organizations whose employees participate in risky cybersecurity behaviors (RCySecB) could suffer disastrous consequences either directly or indirectly from actions linked to such behaviors. This study used conceptualizations facilitated by Attribution Theory to examine the effects of dispositional factors (self-control and knowledge of IS security threats/risks and their potential consequences) and situational factors (security, education, training, and awareness (SETA) programs and computer monitoring) in reducing employee participation in RCySecB. Data was collected from a survey of working professionals in India, and relevant hypotheses were formulated. The PLS technique was used for data analysis. This study investigated the direct effects of the factors on the dependent construct and analyzed the interacting effects of the constructs as well. The results indicate that all factors reduce employee participation in RCySecB. However, the joint effects of the situational factor elements and the dispositional factor of personal knowledge security threats/risks and their potential consequences were insignificant in the model.

computer science, information systems

AJ Burns,Tom Roberts,Clay Posey,Paul Benjamin Lowry,Bryan Fuller,AJ Burns,Tom Roberts,Clay Posey,Paul Benjamin Lowry,Bryan Fuller

DOI: https://doi.org/10.2139/ssrn.4079801

2022-01-01

SSRN Electronic Journal

Abstract:Despite widespread agreement among practitioners and academicians that organizational insiders are a significant threat to organizational information systems security, insider computer abuse (ICA)—unauthorized and deliberate misuse of organizational information resources by organizational insiders—remains a serious issue. Recent studies have shown that most employees are willing to share confidential or regulated information under certain circumstances and nearly a third to half of major security breaches are tied to insiders. These trends indicate that organizational security efforts, which generally focus on deterrence and sanctions, have yet to effectively address ICA. Therefore, leading security researchers and practitioners have called for a more nuanced understanding of insiders in respect to deterrence efforts. We answer these calls by proposing a middle-range theory of ICA that focuses on understanding the inherent tensions between insider motivations and organizational controls. Our careful review distinguishes two categories of personal motives for ICA: (1) instrumental (i.e., financial benefits) (2) and expressive (i.e., psychological contract violations) motives. Our novel theory of ICA also includes the influence of two classes of controls for ICA: (1) intrinsic (i.e., self-control) and (2) extrinsic (i.e., organizational deterrence) controls. We developed and empirically examined a research model based on our middle-range theory that explains a substantial portion of the variance in ICA (R2 = 0.462). Specifically, our results indicate that both instrumental and expressive motives were positively related to ICA. Moreover, intrinsic self-control exerted significant direct and moderating influences in our research model, whereas extrinsic organizational deterrence failed to exhibit a direct effect on ICA and significantly moderated instrumental motives’ relationship with ICA only. Not only do our results show that self-control exerted a stronger effect on the model than deterrence did (f2self-control = 0.195; f2org.det. = 0.048) but they also help us identify the limits of deterrence in ICA research.

Ying Li,Ting Pan,Nan Zhang,Nan (Andy) Zhang

DOI: https://doi.org/10.1108/jeim-01-2019-0018

2019-09-23

Journal of Enterprise Information Management

Abstract:Purpose This paper is to investigate how employees respond to information security policies (ISPs) when they view the policies as a challenge rather than a hindrance to work. Specifically, the authors examine the roles of challenge security demands (i.e. continuity and mandatory) and psychological resources (i.e. personal and job resources) in influencing employees’ ISP non-compliance. Design/methodology/approach Applying a hypothetical scenario-based survey method, the authors tested our proposed model in six typical ISPs violation scenarios. In sum, 347 responses were collected from a global company. The data were analyzed using partial least square-based structural equation model. Findings Findings indicated that continuity and mandatory demands increased employees’ level of perseverance of effort, which, in turn, decreased their ISPs non-compliance intention. In addition, job resources, such as the trust enhancement gained from co-workers and the opportunities for professional development, enhanced the perseverance of effort. Practical implications The findings offer implications to practice by suggesting that organizations should design training programs to persuade employees to understand the ISPs in a positive way. Meanwhile, organizations should encourage employees to invest more personal resources by creating a trusting atmosphere and providing them opportunities to learn security knowledge and skills. Originality/value This study is among the few to empirically explore how employees respond and behave when they view the security policies as challenge stressors. The paper also provides a novel understanding of how psychological resources contribute to buffering ISP non-compliance.

information science & library science,management

Ashraf Mady,Saurabh Gupta,Merrill Warkentin

DOI: https://doi.org/10.1111/isj.12424

IF: 7.767

2023-01-11

Information Systems Journal

Abstract:Organisations implement a variety of knowledge mechanisms such as information security education, training and awareness (SETA) programs and information security policies, to influence employees' secure behaviour. Despite increased efforts to provide information systems (IS) security knowledge to employees, data breaches and other security incidents resulting from insider behaviour continue. Recent IS security research, primarily grounded on assumptions of employees' rational assessment of numerous factors, has yielded inconsistent results. Challenging this paradigm, we model secure behaviour on security knowledge mechanisms, which focuses on the multidimensional nature of security knowledge breadth, depth and finesse to represent the full array of managerial levers. We further draw on construal level theory to conceptualise users' perceptual judgements of security messages. Two studies support our model, with the second building on the first. Study 1, an experiment with 312 participants, focused on validating the treatments. Study 2, a survey with 219 participants, validated the entire model. Results showed that our model has significantly more explanatory and predictive power than the orthodox paradigm. Our results have practical implications for optimising the organisation of knowledge mechanisms by emphasising the personal relevance of threats and defining the factors that lead to secure behaviour. We also contribute to the discourse on information security research and provide a template for integrating theories, thus opening new avenues for future research.

information science & library science

Aristotle Onumo,Irfan Ullah-Awan,Andrea Cullen

DOI: https://doi.org/10.1145/3424282

2021-06-01

ACM Transactions on Management Information Systems

Abstract:The increase in cybersecurity threats and the challenges for organisations to protect their information technology assets has made adherence to organisational security control processes and procedures a critical issue that needs to be adequately addressed. Drawing insight from organisational theory literature, we develop a multi-theory model, combining the elements of the theory of planned behaviour, competing value framework, and technology—organisational and environmental theory to examine how the organisational mechanisms interact with espoused cultural values and employee cognitive belief to influence cybersecurity control procedures. Using a structured questionnaire, we deployed structural equation modelling (SEM) to analyse the survey data obtained from public sector information technology organisations in Nigeria to test the hypothesis on the relationship of socio-organisational mechanisms and techno-cultural factors with other key determinants of employee security behaviour. The results showed that knowledge of cybersecurity and employee cognitive belief significantly influence the employees’ intentions to comply with organisational cybersecurity control mechanisms. The research further noted that the influence of organisational elements such as leadership on employee security behaviour is mediated by espoused cultural values while the impact of employee cognitive belief is moderated by security technologies. For effective cybersecurity compliance, leaders and policymakers are therefore to promote organisational security initiatives that ensure incorporation of cybersecurity principles and practices into job descriptions, routines, and processes. This study contributes to behavioural security research by highlighting the critical role of leadership and cultural values in fostering organisational adherence to prescribed security control mechanisms.

Lara Khansa,Reza Barkhi,Soumya Ray,Zachary Davis

DOI: https://doi.org/10.1007/s10799-017-0280-1

2017-01-01

Information Technology and Management

Abstract:With the Internet permeating every aspect of daily life, organizations of all types are increasingly concerned about the degree to which their employees are cyberloafing by shirking their work responsibilities to surf the Internet, check e-mail, or send text messages. Although technological interventions against cyberloafing have been shown to be effective, they might be perceived by employees as an invasion to their privacy, and are expected to have repercussions on employee behavior and loyalty. The main objectives of this study are to (1) examine how the introduction of such technological interventions might affect employees’ emotions and fairness perceptions, and (2) understand the effect of the interventions on behavioral outcomes, i.e., employees’ intentions to cyberloaf and their loyalty to the company. We developed a justice-based framework that we empirically test using a field experiment composed of field surveys complemented with hypothetical scenarios describing new organizational initiatives to curb employees’ cyberloafing. Our findings suggest that technological interventions, although associated with perceptions of unfairness, are effective at controlling cyberloafing, albeit at the expense of employee loyalty. On the other hand, contrary to prior findings, we find that fairness perceptions of technological interventions, although reinforcing employee loyalty, are ineffective at curbing cyberloafing. These findings are especially enlightening in that they contradict a common belief that perceived fairness encourages employees, as a sign of their appreciation for this fairness, to curb their misuse of IT. The findings also help managers fine-tune their cyberloafing policies to achieve a long-lasting remedy to their employees’ cyberloafing while maintaining a necessary level of employee loyalty.

John D'Arcy,Paul Benjamin Lowry

DOI: https://doi.org/10.1111/isj.12173

IF: 7.767

2017-11-08

Information Systems Journal

Abstract:We present a model of employee compliance with information security policy (ISP) that (1) explicates stable, cognitive beliefs regarding the consequences of compliance and noncompliance as well as state‐based affective constructs, namely, positive and negative mood states and episodic, security‐related work‐impediment events, and (2) provides an expanded conceptualisation of moral considerations and normative influences regarding employees' ISP compliance. Because affect is central to this theorisation, we ensure that the model captures and explains differences in day‐to‐day affective constructs to account for the often fleeting nature of affective states. We test our multilevel model using an experience‐sampling methodology design, in which employees completed daily surveys over a 2‐week period, followed by a hierarchal linear modelling statistical assessment. Our contribution to theory is a unique account of ISP compliance that integrates affective factors with constructs from rational choice theory and theory of planned behaviour and that diverges from prior conceptualisations of ISP compliance as a purely stable and reason‐based phenomenon. For practitioners, our results suggest that a combination of cognitive and affective influences may produce discrete episodes of ISP compliance that do not coincide with prior behavioural trends.

information science & library science

Simon Trang,Benedikt Brendel

DOI: https://doi.org/10.1007/s10796-019-09956-4

2019-10-25

Information Systems Frontiers

Abstract:Enforcing information security policies is a key concern of information security managers. To deter employees from deviant behavior, organizations often implement sanction mechanisms. However, evidence from research regarding the efficiency of such a deterrence approach has been mixed. Drawing on this inconsistency, this paper examines the applicability of deterrence theory in information security policy compliance research. It is argued that contextual and methodological moderators play a crucial role when conceptualizing deterrence theory in security studies. Applying a meta-analysis, the results suggest that sanctions have an overall effect on deviant behavior. However, the results also indicate that this relationship is dependent on the study's context. Deterrence theory better predicts deviant behavior in malicious contexts, cultures with a high degree of power distance, and cultures with a high uncertainty avoidance. The meta-analysis also reveals no meaningful differences arising from the methodological context in terms of scenario-based and behavior-specific measurement.

Xue Yang,Wei T. Yue,Choon Lin Sia

DOI: https://doi.org/10.1007/978-3-642-29873-8_17

2012-01-01

Abstract:IS security policy is one of the essential tools to ensure the secure use of information systems and technological assets. To enhance the effectiveness of policy implementation, organizations rely on security training, education and awareness (STEA) programs to help employees understand the IS security issues of the organization. However, different levels of STEA informativeness may have conflicting effects on employees' compliance decisions. In addition, the urgency of a task may also lead employees to abandon the compliance decision occasionally. The existing corporate information security policy (ISP) could also serve as a deterrence message that would influence compliance decisions. An experimental survey was conducted to examine this phenomenon and test the related hypotheses. The results of this study can be used to inform and guide researchers and practitioners as to how to better enforce an IS security policy through better implementation of STEA programs and improved design of ISP in different task scenarios.

Jaeung Lee,Jingguo Wang,Melchor C. de Guzman,Manish Gupta,H. Raghav Rao

DOI: https://doi.org/10.1109/tts.2024.3418621

2024-01-01

IEEE Transactions on Technology and Society

Abstract:Employees’ extra-role security behaviors can help organizations reduce safety and security threats in their operational environment and protect organizational assets. What antecedents can foster employees’ engagement in such behaviors is an important question. In this study, we consider such extra-role security behaviors as protective behaviors that are driven by employees’ motivation to protect organizational digital assets. This study draws upon Protection Motivation Theory (PMT) and suggests that employees’ threat appraisal and security self-efficacy are key to such extra-role security behaviors. Also, the study opens the black box of threat appraisal using Routine Activity Theory (RAT), proposing that employees’ appraisal of the threat of data breach is from an understanding of routine activities within their organization. The research model is developed based on the above and test the model with employees working in financial organizations. The analyses show that both perceived threat of data breaches and perceived security efficacy increase employees’ engagement in extra-role behaviors. Further, security efficacy reinforces the effect of the threat of data breaches on extra-role behavior. Finally, the suitability of data as well as, interestingly, the presence of guardianship, increases the perceived threat of data breach.

Nader Sohrabi Safa,Carsten Maple,Steve Furnell,Muhammad Ajmal Azad,Charith Perera,Mohammad Dabbagh,Mehdi Sookhak

DOI: https://doi.org/10.1016/j.future.2019.03.024

IF: 7.307

2019-08-01

Future Generation Computer Systems

Abstract:Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a significant portion of the threats to information assets in organisations. This research presents a novel conceptual framework to mitigate the risk of insiders using deterrence and prevention approaches. Deterrence factors discourage employees from engaging in information security misbehaviour in organisations, and situational crime prevention factors encourage them to prevent information security misconduct. Our findings show that perceived sanctions certainty and severity significantly influence individuals’ attitudes and deter them from information security misconduct. In addition, the output revealed that increasing the effort, risk and reducing the reward (benefits of crime) influence the employees’ attitudes towards prevent information security misbehaviour. However, removing excuses and reducing provocations do not significantly influence individuals’ attitudes towards prevent information security misconduct. Finally, the output of the data analysis also showed that subjective norms, perceived behavioural control and attitude influence individuals’ intentions, and, ultimately, their behaviour towards avoiding information security misbehaviour.

Daeun Lee,Harjinder Singh Lallie,Nadine Michaelides

2023-07-06

Abstract:Despite the rapid rise in social engineering attacks, not all employees are as compliant with information security policies (ISPs) to the extent that organisations expect them to be. ISP non-compliance is caused by a variety of psychological motivation. This study investigates the effect of psychological contract breach (PCB) of employees on ISP compliance intention (ICI) by dividing them into intrinsic and extrinsic motivation using the theory of planned behaviour (TPB) and the general deterrence theory (GDT). Data analysis from UK employees (\textit{n=206}) showed that the higher the PCB, the lower the ICI. The study also found that PCBs significantly reduced intrinsic motivation (attitude and perceived fairness) for ICI, whereas PCBs did not moderate the relationship between extrinsic motivation (sanction severity and sanctions certainty) and ICI. As a result, this study successfully addresses the risks of PCBs in the field of IS security and proposes effective solutions for employees with high PCBs.

Computers and Society

Mansour Naser Alraja,Usman Javed Butt,Maysam Abbod

DOI: https://doi.org/10.1016/j.cose.2023.103208

IF: 5.105

2023-06-01

Computers & Security

Abstract:Information security threats have a severe negative impact on enterprises. Organizations rely on employee compliance with information security policies to eliminate or reduce these hazards. The Unified Model of Information Security Policies Compliance (UMISPC) is employed to identify the factors that may affect employees' intention towards compliance with information systems security policy and reactance in a global setting. The study was assessed in two phases. The model's validity and measurement reliability were evaluated in the first phase, while in the second phase, all preliminary model relationships were appraised. This was achieved utilizing structural equation modelling to establish whether the proposed constructs, i.e. neutralization, response efficacy, fear, threat, habit and role values were good predictors for intention or reactance towards compliance with information systems security policy. Participants included 348 employees from 7 nations, i.e. the USA, the UK, Oman, India, Pakistan, Malaysia, and the Philippines. SmartPLS v. 3.3.9 was used for data analysis. The models' measurement reliability and validity were affirmed. Fear and role values have a significant influence on intention toward ISPC. RE significantly predicted threat which in turn significantly predicted fear, and the latter demonstrated a significant effect on reactance as well as Neutralization predicted reactance. In contrast, habit failed to reach a significant influence on intention towards ISPC. The implications are presented, together with proposals for further studies. Our findings are helpful for ISS literature and application by supporting the crucial functions of role values in encouraging employees to behave in a compliant manner. Additionally, it is regarded as the first empirical attempt to estimate intended compliance concerning ISPs in higher education from a worldwide viewpoint.

computer science, information systems

John D’Arcy,Anat Hovav

DOI: https://doi.org/10.1007/s10551-008-9909-7

IF: 6.331

2008-08-27

Journal of Business Ethics

Abstract:Research from the fields of criminology and social psychology suggests that the deterrent effect of security countermeasures is not uniform across individuals. In this study, we examine whether certain individual characteristics (i.e., computer self-efficacy) or work arrangement (i.e., virtual status) moderate the influence of␣security policies, security education, training, and awareness (SETA) program, and computer monitoring on information systems misuse. The results suggest that computer savvy individuals are less deterred by SETA programs and computer monitoring, while these countermeasures are also less influential (from a deterrence perspective) on employees that spend more working days outside the office. Implications for both the research and practice of information security are discussed.

business,ethics

Hung-Pin Shih,Kee-hung Lai,Xitong Guo,T. C. E. Cheng

DOI: https://doi.org/10.4018/JGIM.294329

2021-01-01

Journal of Global Information Management

Abstract:Most theories of information security policy (ISP), except a few focused on the insider-centric view, are grounded in the control-centric perspective, and most ISP compliance models stem from Western countries. Regulatory focus theory (RFT) proposes two modes of motivational regulation, promotion, and prevention are supposed to motivate employee compliance in a trade-off. Culture is crucial to the study of ISP that puts control over human connections. Chinese guanxi, a specific dimension of Chinese culture, is better understood underlying the trust-distrust frame. To bridge the theoretical gap between the control-centric and the insider-centric perspectives, the authors develop an ISP behavioral model by taking an integrated approach from RFT and the trust-distrust frame. They employed scenario-based events about information security misconduct in the workplace to examine employees' compliance intention and non-violation choice of ISP upon counterfactual thinking. The empirical results improve the theoretical and practical implications of security practices.

Chao-Min Chiu,Hsiang-Lan Cheng,Jack Shih-Chieh Hsu,Chiew Mei Tan,Chiung Hui Huang

DOI: https://doi.org/10.1080/10447318.2024.2422757

IF: 4.92

2024-11-20

International Journal of Human-Computer Interaction

Abstract:Drawing upon the attitude theory, this study theorizes that commitment affects loafing behaviors and ISP compliance. Further, drawing upon the transfer theory, this study adopts the concepts of loafing and commitment transfer in order to explore whether social loafing will enhance employee cyberloafing and whether organizational commitment can enhance ISP commitment, both of which, in turn, influence ISP compliance intention. This study utilized structural equation modeling (SEM) to analyze survey data collected in July 2023 from 361 Taiwanese individuals affiliated with organizations or companies. The results show that social loafing has a strong positive effect on cyberloafing, which, in turn, has a strong negative effect on ISP compliance intention. Organizational commitment has a strong positive effect on ISP commitment, which, in turn, has a strong positive effect on ISP compliance intention. In addition, distortion of consequences moderates the relationship between social loafing and cyberloafing. Advantageous comparison moderates the relationship between cyberloafing and ISP compliance intention.

computer science, cybernetics,ergonomics

Kuang-Ming Kuo,Paul C Talley,Chi-Hsien Huang

DOI: https://doi.org/10.1016/j.cose.2020.101928

2020-09-01

Abstract:Deterrence theory has been widely adopted in the study of information security management; however, evidence frequently presents sometimes contradictory results. Prior meta-analytic studies have focused primarily on the use of formal deterrence constructs to predict security-compliant behavior, while informal deterrence constructs and security-risk behavior are often neglected as a result. This study aims to meta-analyze the relationships formed between both formal/informal deterrence constructs and security-compliant/risk behaviors in a comprehensive manner beyond what has taken place in prior IS security meta-analysis based on deterrence theory. By searching multiple electronic databases, we have located 40 studies, along with 108 effect sizes, pertinent to our study's purpose. Inverse variance method weighted with sample sizes was used to determine mean effect sizes. The random-effects model was used to report meta-analysis results since Q, I2, and H index showed some degree of heterogeneity existent in the collected data. Publication bias was assessed by means of fail-safe N. All proposed relationships occurring between formal/informal deterrence constructs and security-compliant/-risk behaviors were supported. Formal deterrence constructs exerted weak to moderate effects on security behavior, while informal deterrence constructs exerted moderate to strong effects on security behavior. Further, informal deterrence constructs showed greater mean effect sizes than formal deterrence constructs. Additionally, prediction intervals of deterrence constructs, along with detection certainty, included zero, which indicated that moderators may be present. Based on these findings, the mean effect sizes of deterrence constructs may be more clearly identified when dividing security behavior into both compliant- and risk- behaviors. Further moderators might be employed to improve the inconsistent findings evidenced in deterrence theory.

computer science, information systems

Rosalind H. Searle,Charis Rice

DOI: https://doi.org/10.1080/1359432x.2024.2344870

2024-04-27

European Journal of Work and Organizational Psychology

Abstract:High security organizations utilize a fine balance between control and trust to maintain stability. Drawing on qualitative interviews with managers and employees concerning three Counterproductive Work Behaviour (CWB) incidents occurring within a "high control" organization, we explore the impact of this trust-control dynamic on individuals' sensemaking, social relations and workplace behaviours. We explore Human Resource Management (HRM) control practices, contrasting levels of control (over and under-control), form (formal and informal), and consistency of control management, that variously destabilize the balance of trust and control. Framed by this dynamic, employees undertake CWB as a means of maintaining their trusting relationships, professional goals and well-being in an unpredictable workplace. We demonstrate the value of understanding the trust-control dynamic for CWB and identify potential lessons for prevention.

psychology, applied,management

Derrick Ganye,Kane Smith

DOI: https://doi.org/10.1108/intr-04-2023-0329

IF: 5.9

2024-05-25

Internet Research

Abstract:Purpose Enforcing employee compliance with information systems security policies (ISSP) is a herculean task for organizations as security breaches due to non-compliance continue to soar. To improve this situation, researchers have employed fear appeals that are based on protection motivation theory (PMT) to induce compliance behavior. However, extant research on fear appeals has yielded mixed findings. To help explain these mixed findings, the authors contend that efficacy formation is a cognitive process that is impacted by the cognitive load exerted by the design of fear appeal messages. Design/methodology/approach The study draws on cognitive load theory (CLT) to examine the effects of intrinsic cognitive load, extraneous cognitive load and germane cognitive load on stimulating an individual's efficacy and coping appraisals. The authors designed a survey to collect data from 359 respondents and tested the model using partial least squares. Findings The analysis showed significant relationships between cognitive load (intrinsic, extraneous, and germane) and fear, maladaptive rewards, response costs, self-efficacy and response efficacy. Originality/value This provides support for the assertion that fear appeals impact the cognitive processes of individuals that then in turn can potentially affect the efficacy of fear and coping appraisals. These findings demonstrate the need to further investigate how individual cognition is impacted by fear appeal design and the resulting effects on compliance intention and behavior.

computer science, information systems,telecommunications,business