Results

Found 22 articles

Clear filters

Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse
PDF
2023 | Information Systems Research | Citations: 0
Authors: Burns, A. J.; Roberts, Tom L.; Posey, Clay; Lowry, Paul Benjamin; Fuller, Bryan

Abstract: Despite widespread agreement among practitioners and academicians that organizat ... Expand

Abstract: Despite widespread agreement among practitioners and academicians that organizational insiders are a significant threat to organizational information systems security, insider computer abuse (ICA)—unauthorized and deliberate misuse of organizational information resources by organizational insiders—remains a serious issue. Recent studies have shown that most employees are willing to share confidential or regulated information under certain circumstances, and nearly one-third to half of major security breaches are tied to insiders. These trends indicate that organizational security efforts, which generally focus on deterrence and sanctions, have yet to effectively address ICA. Therefore, leading security researchers and practitioners have called for a more nuanced understanding of insiders in respect to deterrence efforts. We answer these calls by proposing a middle-range theory of ICA that focuses on understanding the inherent tensions between insider motivations and organizational controls. Our careful review distinguishes two categories of personal motives for ICA: (1) instrumental (i.e., financial benefits) and (2) expressive (i.e., psychological contract violations) motives. Our novel theory of ICA also includes the influence of two classes of controls for ICA: (1) intrinsic (i.e., self-control) and (2) extrinsic (i.e., organizational deterrence) controls. We developed and empirically examined a research model based on our middle-range theory that explains a substantial portion of the variance in ICA. Specifically, our results indicate that both instrumental and expressive motives are positively related to ICA. Moreover, intrinsic self-control exerted significant direct and moderating influences in our research model, whereas extrinsic organizational deterrence failed to exhibit a direct effect on ICA and significantly moderated instrumental motives’ relationship with ICA only. Not only do our results show that self-control exerted a stronger effect on the model than deterrence did but they also help us identify the limits of deterrence in ICA research.History: Ola Henfridsson served as the senior editor and Debabrata Dey served as associate editor for this article.Supplemental Material: The online appendix is available at https://doi.org/10.1287/isre.2022.1133. Collapse

Semantic filters: common-method variance deterrence theory

Topics: IT security data security anonymity organizational control password

Methods: theory development partial least squares path modeling factor analysis data transformation PLS tool

Theories: control theory deterrence theory
The role of deterrability for the effect of multi-level sanctions on information security policy compliance: Results of a multigroup analysis
PDF
2021 | Information & Management | Citations: 0
Authors: Jaeger, Lennart; Eckhardt, Andreas; Kroenung, Julia

Abstract: This paper offers a new perspective on the effectiveness of sanctions in influen ... Expand

Abstract: This paper offers a new perspective on the effectiveness of sanctions in influencing information security policy compliance. We observe compliance from a group perspective to identify undeterrable employees who comply based on inner conviction and deterrable employees who comply because of external coercion. Drawing upon survey data, we show that multilevel sanctions (i.e., formal, social, and personal sanctions) have a varying impact on the compliance of inclined and disinclined employees. We also find that multilevel sanction percep tions are differently influenced by information security policy awareness. This group-based deterrability perspective opens up new avenues to study the value of sanctions. Collapse

Semantic filters: common-method variance deterrence theory

Topics: security policy information security policy compliance cloud computing data security information security management

Methods: partial least squares regression survey partial least squares path modeling statistical hypothesis test PLS tool

Theories: deterrence theory
Anger or fear? Effects of discrete emotions on employee’s computer-related deviant behavior
PDF
2020 | Information & Management | Citations: 0
Authors: Xu, Feng; Luo, Xin (Robert); Hsu, Carol

Abstract: Security research on the employees’ expressive motives in committing computer-re ... Expand

Abstract: Security research on the employees’ expressive motives in committing computer-related deviant behavior is limited. In this research, drawing on the appraisal tendency framework (ATF), we examine how employees’ emotions (anger vs. fear) and perceived sanctions influence their computer-related deviant behaviors in the workplace. Our empirical results show that employees who experienced anger were more likely to commit computer-related deviant behavior mediated by perceived informal sanctions. In contrast, employees who experienced fear were less likely to commit computer-related deviant behavior mediated by perceived formal and informal sanctions. The results provide important guidance for organizations to improve the effectiveness of deterrent controls. Collapse

Semantic filters: common-method variance deterrence theory

Topics: behavioral intention security policy IT security cybersecurity behavior IT security threat

Methods: survey literature study theoretical contribution self reported survey theory development

Theories: deterrence theory fairness theory organizational behavior theory affective events theory
Peers matter: The moderating role of social influence on information security policy compliance
PDF
2020 | Information Systems Journal | Citations: 30
Authors: Yazdanmehr, Adel; Wang, Jingguo; Yang, Zhiyong

Abstract: Information security in an organization largely depends on employee compliance w ... Expand

Abstract: Information security in an organization largely depends on employee compliance with information security policy (ISP). Previous studies have mainly explored the effects of command-and-control and self-regulatory approaches on employee ISP compliance. However, how social influence at both individual and organizational levels impacts the effectiveness of these two approaches has not been adequately explored. This study proposes a social contingency model in which a rules-oriented ethical climate (employee perception of a rules-adherence environment) at the organizational level and susceptibility to interpersonal influence (employees observing common practices via peer interactions) at the individual level interact with both command-and-control and self-regulatory approaches to affect ISP compliance. Using employee survey data, we found that these two social influence factors weaken the effects of both command-and-control and self-regulatory approaches on ISP compliance. Theoretical and practical implications are also discussed. Collapse

Semantic filters: common-method variance deterrence theory

Topics: social influence data security security policy intrinsic motivation communication service infrastructure

Methods: survey descriptive statistic partial least squares regression literature study scale reliability

Theories: contingency theory general deterrence theory deterrence theory
Moral Hazard in Compliance: The Impact of Moral Intensity and Competing Values

2020 | Americas Conference on Information Systems | Citations: 0
Authors: Zheng, Dailin; Walter, Zhiping

Abstract: This study highlights moral hazard in information systems security policy compl ... Expand

Abstract: This study highlights moral hazard in information systems security policy compliance arising from the fact that it is the employee who bears the compliance cost but it is the organization that bears the consequences of noncompliance. We have built a model that not only evaluates both threat appraisal and coping appraisal, but also more adequately accounts for moral hazard in compliance arising from cost-consequence misalignment. Our model incorporates the concept or moral intensity and highlights the role of employee proximity to the organization and the role of organization type in employee ISSP compliance. We have proposed concrete measures to reduce the cost-consequence alignment and moral hazard in compliance. Collapse

Semantic filters: common-method variance deterrence theory

Topics: moral hazard self efficacy accounting missing data data breach

Methods: survey statistical hypothesis test computational algorithm confirmatory factor analysis data transformation

Theories: deterrence theory theory of planned behavior
Fostering Information Security Compliance: Comparing the Predictive Power of Social Learning Theory and Deterrence Theory

2019 | Americas Conference on Information Systems | Citations: 6
Authors: Lembcke, Tim-Benjamin; Masuch, Kristin; Trang, Simon; Hengstler, Sebastian; Plics, Patience; Pamuk, Mustafa

Abstract: Information security has become an important aspect of contemporary information ... Expand

Abstract: Information security has become an important aspect of contemporary information technology in organizations and influence the way in which work is done and information is sent between organizations. Human information system behaviors with regard to information security policies, i.e. information security compliance (ISC) must not be ignored, as these influence compliance within the defined rules. Social learning theory (SLT) and deterrence theory (DT) are well established theories to explain human behavior, but are rarely used to explain ISC. This article aims at combining behavioral and IS research to better understand ISC. We provide an overview of the effects of SLT and DT on ISC and describe which of their constructs better describes ISC, examining an PLS analysis. This study's results highlight that SLT and DT explain ISC, but the selected constructs of SLT have a higher influence on ISC than those of DT. Collapse

Semantic filters: common-method variance deterrence theory

Topics: organizational context IT skill IT security threat data security social norm

Methods: survey partial least squares regression qualitative interview partial least squares path modeling Student's t-test

Theories: deterrence theory social learning theory
Generally Speaking, Context Matters: Making the Case for a Change from Universal to Particular ISP Research
PDF
2019 | Journal of the Association for Information Systems | Citations: 22
Authors: Aurigemma, Sal; Mattson, Thomas

Abstract: The objective of our paper is to conceptually and empirically challenge the idea ... Expand

Abstract: The objective of our paper is to conceptually and empirically challenge the idea of general information security policy (ISP) compliance. Conceptually, we argue that general ISP compliance is an ill-defined concept that has minimal theoretical usefulness because the policy-directed security actions vary considerably from threat to threat in terms of time, difficulty, diligence, knowledge, and effort. Yet, our senior IS scholars’ basket of journals has a strong preference to publish models in which the authors speculate that their findings are generalizable across all (or many) threats and controls contained in an organization’s ISP document. In our paper, we argue that compliance with each of the mandatory threat-specific security actions may require different (as opposed to similar) explanatory models, which makes constructing a universal model of ISP compliance problematic. Therefore, we argue that future ISP compliance literature will be more valuable if it focuses on the mechanisms, treatments, and behavioral antecedents associated with the required actions around specific threats instead of attempting to build a model that purportedly covers all (or many) threatspecific security actions (or intentions thereof). To support this claim empirically, we conducted two studies comparing general compliance intentions (i.e., undefined security action) and threat-specific compliance intentions. In both studies, our data show that compliance intentions vary significantly across general compliance measures and multiple threat-specific security measures or scenarios. Our results indicate that it is problematic to generalize about the behavioral antecedents from general compliance intentions to threat-specific security compliance intentions, from one threat-specific security action to other threat-specific security actions, and from one threat-specific security action to general compliance intentions. Collapse

Semantic filters: common-method variance deterrence theory

Topics: password workstation IT security threat phishing self efficacy

Methods: literature study survey survey design chi squared test case study

Theories: theory of planned behavior protection motivation theory rational choice theory deterrence theory
Toward a Unified Model of Information Security Policy Compliance

2018 | Management Information Systems Quarterly | Citations: 241
Authors: Moody, Gregory D.; Siponen, Mikko; Pahnila, Seppo

Abstract: Information systems security (ISS) behavioral research has produced different mo ... Expand

Abstract: Information systems security (ISS) behavioral research has produced different models to explain security policy compliance. This paper (1) reviews 11 theories that have served the majority of previous information security behavior models, (2) empirically compares these theories (Study 1), (3) proposes a unified model, called the unified model of information security policy compliance (UMISPC), which integrates elements across these extant theories, and (4) empirically tests the UMISPC in a new study (Study 2), which provided preliminary empirical support for the model. The 11 theories reviewed are (1) the theory of reasoned action, (2) neutralization techniques, (3) the health belief model, (4) the theory of planned behavior, (5) the theory of interpersonal behavior, (6) the protection motivation theory, (7) the extended protection motivation theory, (8) deterrence theory and rational choice theory, (9) the theory of self-regulation, (10) the extended parallel processing model,and (11) the control balance theory. The UMISPC is an initial step toward empirically examining the extent to which the existing models have similar and different constructs. Future research is needed to examine to what extent the UMISPC can explain different types of ISS behaviors (or intentions thereof). Such studies will determine the extent to which the UMISPC needs to be revised to account for different types of ISS policy violations and the extent to which the UMISPC is generalizable beyond the three types of ISS violations we examined. Finally, the UMISPC is intended to inspire future ISS research to further theorize and empirically demonstrate the important differences between rival theories in the ISS context that are not captured by current measures. Collapse

Semantic filters: common-method variance deterrence theory

Topics: password information security policy compliance cybersecurity behavior security policy IT policy

Methods: survey data transformation factor analysis chi squared test theory development

Theories: theory of interpersonal behavior balance theory theory of reasoned action deterrence theory general deterrence theory
Factors Influencing Employees’ Participation in Non-Malicious, Information Systems Security Deviant Behavior: Focus on Formal Control Mechanisms and Sanctions

2017 | Americas Conference on Information Systems | Citations: 0
Authors: Ifinedo, Princely; Idemudia, Efosa C

Abstract: This study examined factors influencing employees’ participation in non-maliciou ... Expand

Abstract: This study examined factors influencing employees’ participation in non-malicious, information systems security deviant behavior (N-ISSDB) (e.g., e.g., connecting computers to the Internet through an insecure wireless network, not disposing and destroying all unneeded sensitive documents and information on computer in a timely manner, and opening emails from unverified senders) from the theoretical lens of formal control mechanisms and formal sanctions. Empirical data was collected from 338 professionals based in the United States of America. Relevant hypotheses were formulated and tested using the partial least squares technique. The results indicate that detection control mechanism (i.e., evaluation/monitoring) and deterrence countermeasures or factors (i.e., punishment certainty and punishment severity) have negative association with employees’ participation in N-ISSDB. The data did not show that control mechanism related to reward and specifications have meaningful roles in dissuading employees’ engagement in N-ISSDB. Collapse

Semantic filters: common-method variance deterrence theory

Topics: cybersecurity behavior security policy IT security information system use data security

Methods: partial least squares regression survey descriptive statistic partial least squares path modeling pilot survey

Theories: deterrence theory
To Cyberloaf or Not to Cyberloaf: The Impact of the Announcement of Formal Organizational Controls
PDF
2017 | Journal of Management Information Systems | Citations: 63
Authors: Khansa, Lara; Kuem, Jungwon; Siponen, Mikko; Kim, Sung S.

Abstract: We investigate the changing causal relationships between cyberloafing behavior a ... Expand

Abstract: We investigate the changing causal relationships between cyberloafing behavior and its antecedents after the announcement of formal organizational controls that, unlike informal controls, are officially imposed by organizations. Drawing on Akers’s social learning theory, we first propose neutralization, perceived risk, past cyberloafing, and peer cyberloafing as antecedents of cyberloafing. We then develop a theoretical account of how their impacts change from before to after the announcement of formal controls. The proposed model was empirically tested using data collected from two separate surveys administered a month apart. The first survey captured the preannouncement state of cyberloafing among respondents; the follow-up survey was administered after the respondents were asked to assume that their company had just announced anti-cyberloafing controls that used explicit monitoring and sanctions. We show that preannouncement, employees’ intentions to cyberloaf are mostly influenced by their past tendencies to cyberloaf and by others’ cyberloafing, but their neutralization and perceived risk play no significant role. In contrast, postannouncement, the impacts of individuals’ neutralization and perceived risk on their cyberloafing suddenly become significant. Theoretically, we demonstrate that to accurately predict noncompliant behavior, it is important to account for all four antecedents and incorporate the announcement of formal controls. Practically, understanding how this announcement affects the relationships between cyberloafing and its antecedents suggests different areas managers need to target, pre- and postannouncement, to curb cyberloafing. Collapse

Semantic filters: common-method variance deterrence theory

Topics: organizational control self efficacy electronic mail societal context productivity

Methods: survey conceptual modelling chi squared test experimental group structural equation modeling

Theories: deterrence theory social learning theory

Page 1 of 3 Next

AIS11

Journals

Conferences

Semantic Filter

Found 22 articles

Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse

The role of deterrability for the effect of multi-level sanctions on information security policy compliance: Results of a multigroup analysis

Anger or fear? Effects of discrete emotions on employee’s computer-related deviant behavior

Peers matter: The moderating role of social influence on information security policy compliance

Moral Hazard in Compliance: The Impact of Moral Intensity and Competing Values

Fostering Information Security Compliance: Comparing the Predictive Power of Social Learning Theory and Deterrence Theory

Generally Speaking, Context Matters: Making the Case for a Change from Universal to Particular ISP Research

Toward a Unified Model of Information Security Policy Compliance

Factors Influencing Employees’ Participation in Non-Malicious, Information Systems Security Deviant Behavior: Focus on Formal Control Mechanisms and Sanctions

To Cyberloaf or Not to Cyberloaf: The Impact of the Announcement of Formal Organizational Controls