Han Li,X. Luo,Jie Zhang,R. Sarathy

2014-01-01

Abstract:Employees’ violation of Internet use policy exposes firms to increasing security risks from cyber-attacks. Extant studies on security policy compliance have largely ignored the role of dispositional and contextual factors in employees’ decision. Drawing on the literature in criminology, this paper extended the rational choice theory by integrating low self-control and two organizational context factors to have a fine-grained understanding of the decision making process involved in Internet use policy compliance. The results will help indicate whether employees’ compliance intention is influenced by the cost-benefit calculus adjusted by their low self-control disposition, procedural justice perception and organizational moral climate. Research results are expected to be presented at the conference.

Political Science

Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Han Li,Jie Zhang,R. Sarathy

2009-01-01

Abstract:Internet security risks are becoming the leading security threats confronting today’s organizations and often result from employees’ non-compliance with the Internet use policy. Current studies on the compliance of security policies have largely ignored the impact of moral factors and the organizational context on employees’ compliance intention. This paper contributes to the literature on information security by theorizing and empirically testing how the intent to comply with the Internet use policy is driven by a cost-benefit analysis bounded by personal moral norms and organization contextual factors. The results of this study indicate that employees’ compliance intention of Internet use policy is the result of competing influences of perceived benefits of Internet abuses, formal sanction risks, personal moral norms and organizational facilitating conditions. In addition, the effect of formal sanctions is found to be moderated by, or is dependent upon, personal moral norms against Internet abuses.

Computer Science

Han Li,R. Sarathy,Jie Zhang,X. Luo

DOI: https://doi.org/10.1111/isj.12037

IF: 7.767

2014-11-01

Information Systems Journal

Abstract:Internet security risks, the leading security threats confronting today's organizations, often result from employees' non‐compliance with the internet use policy (IUP). Extant studies on compliance with security policies have largely ignored the impact of intrinsic motivation on employees' compliance intention. This paper proposes a theoretical model that integrates an intrinsic self‐regulatory approach with an extrinsic sanction‐based command‐and‐control approach to examine employees' IUP compliance intention. The self‐regulatory approach centers on the effect of organizational justice and personal ethical objections against internet abuses. The results of this study suggest that the self‐regulatory approach is more effective than the sanction‐based command‐and‐control approach. Based on the self‐regulatory approach, organizational justice not only influences IUP compliance intention directly but also indirectly through fostering ethical objections against internet abuses. This research provides empirical evidence of two additional effective levers for enhancing security policy compliance: organizational justice and personal ethics.

Computer Science

Han Li

2017-01-01

Abstract:Internet security risks are becoming the leading security threats confronting today’s organizations and often result from employees’ non-compliance with the Internet use policy. Current studies on the compliance of security policies have largely ignored the impact of moral factors and the organizational context on employees’ compliance intention. This paper contributes to the literature on information security by theorizing and empirically testing how the intent to comply with the Internet use policy is driven by a cost-benefit analysis bounded by personal moral norms and organization contextual factors. The results of this study indicate that employees’ compliance intention of Internet use policy is the result of competing influences of perceived benefits of Internet abuses, formal sanction risks, personal moral norms and organizational facilitating conditions. In addition, the effect of formal sanctions is found to be moderated by, or is dependent upon, personal moral norms against Internet abuses.

Fan Zhou,Hongxu Lu,Chunping Jiang

DOI: https://doi.org/10.1016/j.ssci.2023.106353

IF: 6.392

2024-01-01

Safety Science

Abstract:Non-compliant behaviors have been indicated to be leading indicators of accidents in workplaces. Though most studies treat intentional non-compliant behavior or violations as monolithic indicators for adverse safety performance, non-compliant behaviors might take different forms with distinct motives and outcomes. To examine and compare the effects of different forms of non-compliant safety behavior, we proposed a construct of risk-adjusted non-compliant behavior, which refers to employees' deliberate deviation from safety rules while considering safety concerns and adjusting their behavior accordingly, and investigated the differential antecedent effects by contextual factors and consequential effects on safety outcomes. By a sample of 390 workers and their supervisors in a power grid construction firm, the results of our study indicated that safety climate and transformational leadership were positively associated with safety compliance and negatively associated with violation by multi-level analyses. However, active transactional leadership also had a positive association with risk-adjusted non-compliant behavior, and this association was moderated by safety climate such that the relationship was stronger in higher level of safety climate. Furthermore, although risk-adjusted non-compliant behavior did not significantly affect penalties for deviance compared to violation behavior, it increased the workers' risk perception of hazard. The implications of these findings for theory were discussed.

Xue Yang,Wei T. Yue,Choon Lin Sia

DOI: https://doi.org/10.1007/978-3-642-29873-8_17

2012-01-01

Abstract:IS security policy is one of the essential tools to ensure the secure use of information systems and technological assets. To enhance the effectiveness of policy implementation, organizations rely on security training, education and awareness (STEA) programs to help employees understand the IS security issues of the organization. However, different levels of STEA informativeness may have conflicting effects on employees' compliance decisions. In addition, the urgency of a task may also lead employees to abandon the compliance decision occasionally. The existing corporate information security policy (ISP) could also serve as a deterrence message that would influence compliance decisions. An experimental survey was conducted to examine this phenomenon and test the related hypotheses. The results of this study can be used to inform and guide researchers and practitioners as to how to better enforce an IS security policy through better implementation of STEA programs and improved design of ISP in different task scenarios.

Han Li,X. Luo,Yan Chen

DOI: https://doi.org/10.17705/1JAIS.00678

2021-01-01

Abstract:Insiders’ negligence or abuse is regarded as a leading cause of information security breaches in organizations. As most of the extant studies have largely examined insider threats at a high level of abstraction, the role of situational moral reasoning for information security policy (ISP) violations in specific situations has received little attention. To advance this line of research, this paper opens up a potentially fruitful path for IS researchers by applying situational action theory (SAT) to contextually examine why employees violate ISPs in particular situations. We consider the violations of password security policy, internet use policy, and confidential data security policy, and examine specific violation intents ranging from altruistic to malicious. The results support most of the assertions derived from SAT. We found situational moral beliefs to be the predominant driver for ISP violations across three situations in an organizational setting. However, the moderation effect of moral beliefs was only significant in situations involving sharing passwords and selling confidential data. Sanction certainty and sanction severity were also found to have different effects across situations. We conclude by presenting implications for IS security practitioners and suggestions for future research.

Psychology

X. Luo,Han Li,Qing Hu,Heng Xu

DOI: https://doi.org/10.17705/1jais.00646

2020-11-01

Abstract:Prior information security studies have largely focused on understanding employee security behavior from a policy compliance perspective. We contend that there is a pressing need to develop a comprehensive understanding of the circumstances that lead to employee commitment of deliberate and malicious acts against organizational digital assets. Drawing on routine activity theory (RAT), we seek to establish a comprehensive model of employee-committed malicious computer abuse (MCA) by investigating the motivations of the offenders, the suitability of the desired targets, and the effect of security guardianship in organizational settings. Specifically, we delineate the effects of the individual characteristics of self-control, hacking self-efficacy, and moral beliefs, as well as the organizational aspects of deterrence based on the routine activity framework of crime. We tested this research model using research participants holding a wide range of corporate positions and possessing varying degrees of computer skills. Our findings offer fresh insights on insider security threats, identify new directions for future research, and provide managers with prescriptive guidance for formulating effective security policies and management programs for preventing MCA in organizations.

Computer Science

Qing Hu,Zhengchuan Xu

DOI: https://doi.org/10.24251/hicss.2018.466

2018-01-01

Abstract:We draw on recent advances in cognitive neural science to articulate an employee security behavioral model. Cognitive neural science studies suggest two neurological processes occurring in human brain when making decisions: the automatic or reflexive process, which is the default mode for decision making, and the controlled or reflective process, which interrupts the automatic process when the brain encounters unexpected events or novel decisions. We map rational choice to the controlled process and self-control to the automatic process and test a decision model using survey data in the context of employee non-compliance behavior to organization information security policies.

Ying Li,Ting Pan,Nan Zhang,Nan (Andy) Zhang

DOI: https://doi.org/10.1108/jeim-01-2019-0018

2019-09-23

Journal of Enterprise Information Management

Abstract:Purpose This paper is to investigate how employees respond to information security policies (ISPs) when they view the policies as a challenge rather than a hindrance to work. Specifically, the authors examine the roles of challenge security demands (i.e. continuity and mandatory) and psychological resources (i.e. personal and job resources) in influencing employees’ ISP non-compliance. Design/methodology/approach Applying a hypothetical scenario-based survey method, the authors tested our proposed model in six typical ISPs violation scenarios. In sum, 347 responses were collected from a global company. The data were analyzed using partial least square-based structural equation model. Findings Findings indicated that continuity and mandatory demands increased employees’ level of perseverance of effort, which, in turn, decreased their ISPs non-compliance intention. In addition, job resources, such as the trust enhancement gained from co-workers and the opportunities for professional development, enhanced the perseverance of effort. Practical implications The findings offer implications to practice by suggesting that organizations should design training programs to persuade employees to understand the ISPs in a positive way. Meanwhile, organizations should encourage employees to invest more personal resources by creating a trusting atmosphere and providing them opportunities to learn security knowledge and skills. Originality/value This study is among the few to empirically explore how employees respond and behave when they view the security policies as challenge stressors. The paper also provides a novel understanding of how psychological resources contribute to buffering ISP non-compliance.

information science & library science,management

Jin Yan,Zibly Adam

DOI: https://doi.org/10.1109/ICSSSM.2011.5959434

2011-01-01

Abstract:It is generally understood, organizations that provide web access to employees' in the workplace for work-related reasons, has the potential to be used for personal-related reasons. Personal Web Usage (PWU) behavior is a conscious decision making process for differentiating web-activity. In order to justify certain web-behavior, an employee will develop an attitude towards their own behavior which is a self-rationalization strategy. We propose this is a form of cognitive dissonance, similar to a `vice or virtue' decision. For employee web usage the two cognitions would be `work-related' or `non-work-related' internet activity. The present study extends to organizational literatures by conducting a usage assessment, examines attitudes for web usage during company time, and explores employee perceived company web-policy. An exploratory open-ended interview was conducted with a sample of 10 employees to analyze the employee attitudes for the use of internet technology at the workplace. The findings demonstrated distinctive employee web usage patterns where finding PWU to be not only permissible, but also rationalize its usage. We determine this rationalization and the PWU activity are directly conditioned or adjusted by perceived company web-policy, where strict or lenient perceived policy is seen as a threat or opportunity in levels. We conclude on the basis of our interview narrations of PWU experiences in having Individual, Process, and Organizational orientation. Our interview method and PWU coding can contribute to better profiling PWU for Chinese employees. These dimensions include separate categorical variables that we suggest can be useful predictors of the employee web-usage decision making process.

Randi Jiang,Jianru Zhang

DOI: https://doi.org/10.1016/j.cose.2023.103253

Abstract:As businesses have had to change how they operate due to the coronavirus pandemic, the need for remote work has risen. With the continuous advancements in technology and increases in typical job demands, employees need to increase their work productivity beyond regular work hours in the office. This type of work environment creates even more opportunities for security breaches due to employees intentionally violating information security policy violations. Although explicitly prohibited by information security policies (ISP), organizations have observed that employees bring critical data out of the office to complete their work responsibilities remotely. Consequently, developing a deeper understanding of how work pressure may influence employees to violate ISPs intentionally is crucial for organizations to protect their critical information better. Based upon the fraud triangle theory, this study proposes the opportunity to copy critical data, work pressure, and work completion justification as the primary motivational factors behind why employees copy critical company data to unsecured storage devices to work at home. A survey was conducted of 207 employees from a marketing research firm. The results suggest that opportunity, work pressure, and work completion justification are positively related to nonmalicious ISP violation intentions. Furthermore, the interaction effect between work completion justification and work pressure on the ISP violation intention is significant and positive. This study provides new insights into our understanding of the roles of work pressure and work completion justification on intentional nonmalicious ISP violation behaviors.

Hung-Pin Shih,Kee-hung Lai,Xitong Guo,T. C. E. Cheng

DOI: https://doi.org/10.4018/JGIM.294329

2021-01-01

Journal of Global Information Management

Abstract:Most theories of information security policy (ISP), except a few focused on the insider-centric view, are grounded in the control-centric perspective, and most ISP compliance models stem from Western countries. Regulatory focus theory (RFT) proposes two modes of motivational regulation, promotion, and prevention are supposed to motivate employee compliance in a trade-off. Culture is crucial to the study of ISP that puts control over human connections. Chinese guanxi, a specific dimension of Chinese culture, is better understood underlying the trust-distrust frame. To bridge the theoretical gap between the control-centric and the insider-centric perspectives, the authors develop an ISP behavioral model by taking an integrated approach from RFT and the trust-distrust frame. They employed scenario-based events about information security misconduct in the workplace to examine employees' compliance intention and non-violation choice of ISP upon counterfactual thinking. The empirical results improve the theoretical and practical implications of security practices.

Salvatore Aurigemma,Thomas Mattson

DOI: https://doi.org/10.1109/hicss.2015.424

2015-01-01

Abstract:Using the theory of planned behavior, this paper investigates the relationship between an employee's social status, perceived controllability of co-workers' actions and individual self-efficacy in terms of predicting an employee's perceived behavioral control over and his/her intention to comply with an organization's information security policies. The reported findings in this paper from a survey of 182 employees of a large government organization suggest that decomposing perceived behavioral control into controllability and self-efficacy has more predictive power than using simpler proxies (i.e. Self-efficacy alone) advocated in previous literature, and an employee's status in the organizational hierarchy has both a direct and a moderating effect on an employee's perceived behavioral control (but not on self-efficacy).

Xiaofeng Chen,Liqiang Chen,Dazhong Wu

DOI: https://doi.org/10.1080/08874417.2016.1258679

2016-12-27

Journal of Computer Information Systems

Abstract:Information security policy (ISP) plays an important role in information security management in organizations. Past research investigated various factors that may impact employee behavior toward security policy compliance from the perspective of general deterrence theory (GDT), protection and motivation Theory (PMT), and rational choice theory (RCT). However, there is no unifying foundation/framework that examines all of those factors in a harmonic way so that the research findings can guide information security practices and research into the employee ISP compliance management context. Additionally, prior findings provided mixed results. This study proposes a research model based on the awareness-motivation-capability (AMC) framework, aiming to unify the factors to predict employee ISP compliance intention. We believe that a harmonic approach in managing employee ISP compliance can create optimal outcomes.

computer science, information systems

Xue Yang,Xinwei Wang,Wei Thoo Yue,Choon Ling Sia,Xin (Robert) Luo

DOI: https://doi.org/10.1080/10919392.2019.1639913

IF: 2.2368

2019-01-01

Journal of Organizational Computing and Electronic Commerce

Abstract:Bring-Your-Own-Device (BYOD) has gained increased popularity in organizations but may engender information security concerns. To address these concerns, employees are expected to opt-in and comply with organizational BYOD security policy. This study investigates the factors that affect employees' opt-in decisions with BYOD security policy. Drawing on the theoretical lenses of persuasion and cognitive elaboration, we propose that employees' cognitive elaborations of BYOD security policy could be affected by the valence of justification of the BYOD security policy, the stringency of BYOD security measures, and the sequence of the introduction of BYOD security policy in relation to employees' use of personal devices to perform organizational tasks and such cognitive elaborations would in turn affect opt-in decisions. We conducted an experimental survey to test our propositions. The results indicate that positive BYOD security policy justification framing and post-task security policy exposure would lead to more positive cognitive elaboration, decision to opt-in, and compliance with the BYOD security policy. This research has significant implications for security management with respect to the design and implementation of BYOD security policy within an organization according to the nature of security policy and the task requirements.

Hung-Pin Shih,Kee-hung Lai,Xitong Guo,T. C. E. Cheng

DOI: https://doi.org/10.1109/infoman.2016.7477543

2016-01-01

Abstract:Deterrence and rational choice calculus theories can regulate or motivate employees' compliance with information systems security policy (ISSP). However, the two well-developed theories may not fully induce compliance behavior of ISSP given the growing trend of IS security violation in China. Deterrence and rational choice calculus employ an assumption of general awareness of ISSP to address compliance behavior. However, employees may judge their compliance behavior of ISSP in terms of positive and negative emotions but not the trade-off of benefits and costs (risks) only in the compliance. Grounded in regulatory focus theory (RFT), we propose a research model that addresses the motivational mechanisms for employees to comply with ISSP. We adopt a scenario-based questionnaire to survey employees of Chinese SMEs for model testing. The empirical results indicate that promotion-approach is better than promotion-avoidance in motivating compliance intention when employees are aware of the ISSP in their companies. However, promotion-approach and promotion-avoidance are ineffective in inducing compliance intention when employees are unaware of ISSP in Chinese SMEs. Information security awareness is not a necessary condition of the compliance of ISSP. Additionally, prevention-approach is better than prevention-avoidance in motivating compliance intention regardless of whether employees are aware or unaware of ISSP in the workplace. Our empirical results can provide meaningful implications for academics and practitioners.

Lara Khansa,Reza Barkhi,Soumya Ray,Zachary Davis

DOI: https://doi.org/10.1007/s10799-017-0280-1

2017-01-01

Information Technology and Management

Abstract:With the Internet permeating every aspect of daily life, organizations of all types are increasingly concerned about the degree to which their employees are cyberloafing by shirking their work responsibilities to surf the Internet, check e-mail, or send text messages. Although technological interventions against cyberloafing have been shown to be effective, they might be perceived by employees as an invasion to their privacy, and are expected to have repercussions on employee behavior and loyalty. The main objectives of this study are to (1) examine how the introduction of such technological interventions might affect employees’ emotions and fairness perceptions, and (2) understand the effect of the interventions on behavioral outcomes, i.e., employees’ intentions to cyberloaf and their loyalty to the company. We developed a justice-based framework that we empirically test using a field experiment composed of field surveys complemented with hypothetical scenarios describing new organizational initiatives to curb employees’ cyberloafing. Our findings suggest that technological interventions, although associated with perceptions of unfairness, are effective at controlling cyberloafing, albeit at the expense of employee loyalty. On the other hand, contrary to prior findings, we find that fairness perceptions of technological interventions, although reinforcing employee loyalty, are ineffective at curbing cyberloafing. These findings are especially enlightening in that they contradict a common belief that perceived fairness encourages employees, as a sign of their appreciation for this fairness, to curb their misuse of IT. The findings also help managers fine-tune their cyberloafing policies to achieve a long-lasting remedy to their employees’ cyberloafing while maintaining a necessary level of employee loyalty.

Paul Benjamin Lowry,Clay Posey,Rebecca J. Bennett,Tom L. Roberts,Rebecca Becky J. Bennett

DOI: https://doi.org/10.1111/isj.12063

IF: 7.767

2015-02-24

Information Systems Journal

Abstract:Research shows that organisational efforts to protect their information assets from employee security threats do not always reach their full potential and may actually encourage the behaviours they attempt to thwart, such as reactive computer abuse (CA). To better understand this dilemma, we use fairness theory (FT) and reactance theory (RT) to explain why employees may blame organisations for and retaliate against enhanced information security policies (ISPs). We tested our model with 553 working professionals and found support for most of it. Our results show that organisational trust can decrease reactive CA. FT suggests that explanation adequacy (EA) is an important factor that builds trust after an event. Our results also suggest that trust both fully mediates the relationship between EA and CA and partially mediates the relationship between perceived freedom restrictions related to enhanced ISPs and reactive CA. EA also had a strong negative relationship with freedom restrictions. Moreover, organisational security education, training and awareness (SETA) initiatives decreased the perceptions of external control and freedom restrictions and increased EA, and advance notification of changes increased EA. We also included 14 control variables and rival explanations to determine with more confidence what drove reactive CA in our context. Notably, the deterrence theory (DT)‐based constructs of sanction severity, certainty and celerity had no significant influence on reactive CA. We provide support for the importance of respectful communication efforts and SETA programmes, coupled with maximising employee rights and promoting trust and fairness to decrease reactive CA. These efforts can protect organisations from falling victim to their own organisational security efforts.

information science & library science