Identifying the idiosyncrasies of behavioral information security discourse and proposing future research directions: A Foucauldian perspective

2023 | Journal of Information Technology | Citations: 0

Authors: Liang, Nan (Peter); Hirschheim, Rudy; Luo, Xin (Robert); Hollingsworth, Hayden

Abstract: Information security (InfoSec)–related behaviors have been defined in many diffe ... Expand

Abstract: Information security (InfoSec)–related behaviors have been defined in many different ways in the security literature. Indeed, the coexistence of varying terms describing IS security behaviors could be seen as a conceptual inconsistency. However, we believe that it could also be construed as the sign of a vivid and living field embracing dispersed objects of study without changing the disciplinary discourse itself. To test this belief, we conduct a two-part study. Study 1 analyzes the definitions of InfoSec-related behaviors in the existing security literature. The result of Study 1 uncovers the Foucauldian rules that make possible the discourse on behavioral information security, including the surface of emergence, authorities of delimitation, and the grids of specification. Study 1 also indicates that, although behavioral Information Systems Security (ISS) shares the three rules with other disciplines, it is the only field that studies the relations between them. We therefore propose a disciplinary question that reflects this idiosyncrasy. We then conduct Study 2, using Foucault’s view on preconceptual schemata as a theoretical lens, to identify understudied areas in the ISS literature. We found that the existing literature utilizes two variations of the actor and organization schemata to form or to adapt concepts, and utilize two different approaches to study these two variations, namely, an antecedents approach and a dialectics approach. It is noteworthy that the latter is important but understudied in the literature. We then draw an analogy from moral studies to develop three concepts for future ISS research, namely, Stages of Awareness Development, Security Agency, and Security Disengagement. Collapse

Topics: security policy organizational context decision making IT security bring your own device

Methods: theory development literature sample post-hoc analysis qualitative content analysis structured literature research

Theories: agency theory

Why Do Data Analysts Take IT-Mediated Shortcuts? An Ego-Depletion Perspective

2022 | Journal of Management Information Systems | Citations: 0

Authors: Ghasemaghaei, Maryam; Turel, Ofir

Abstract: We aim to understand why employees take information technology (IT)-mediated sho ... Expand

Abstract: We aim to understand why employees take information technology (IT)-mediated shortcuts, that is, skipping one or several steps for completing tasks quicker by bending the rules. This is a specific and often detrimental form of noncompliant behavior. Adopting an ego-depletion perspective, we posit that IT complexity drives IT-mediated shortcuts by increasing employees' ego-depletion. Extending this view, we use a modified Delphi study and build on self-regulatory and goal setting theories to point to key boundary conditions for these effects. First, in a preliminary study we found that taking IT-mediated shortcuts in our context is, on average, detrimental to employee performance. This highlighted the need to focus on IT-mediated shortcuts. Next, we tested our assertions with three experiments focusing on the use of dashboards with 584 data analysts. The results show that (1) dashboard complexity increases ego depletion, (2) ego depletion fully mediates the impact of dashboard complexity on taking IT-mediated shortcuts, (3) moral integrity moderates the influence of ego depletion on taking IT-mediated shortcuts, and (4) outcome compared to learning goals enhance the impact of ego depletion on IT-mediated shortcuts. In all studies, objectively measured IT-mediated shortcut-taking was negatively associated with objectively measured task performance. Ultimately, the integrated perspective explains whether, how, and under what conditions IT complexity drives IT-mediated shortcuts. Collapse

Topics: digital dashboard task productivity analytical information system information system use accounting

Methods: experiment delphi study survey post-hoc analysis theoretical contribution

Theories: goal setting theory ego depletion theory

Prosocial rule breaking on health information security at healthcare organisations in South Korea

2022 | Information Systems Journal | Citations: 4

Authors: Kim, Jongwoo; Park, Eun Hee; Park, Young Soon; Chun, Kyung Hee; Wiles, Lynn L.

Abstract: Regulations, such as the Health Insurance Portability and Accountability Act (HI ... Expand

Abstract: Regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), establish standards to protect patients' medical records from security breaches. Insiders' prosocial misbehaviour within healthcare organisations can cause significant damage to relevant stakeholders. Such behaviour without malicious intention needs to be better understood and carefully managed from the perspective of prosocial behaviour. For this study, a research model was developed that includes the factors influencing student nurses' intention to disclose patient health information. The model was empirically tested with nursing students in South Korea with a scenario-based experiment. We find that both altruistic (impact on others) and egoistic (impact on the self) motivations are significantly important in raising situational empathy. On the other hand, an egoistic motivation (impact on the self) significantly affects people's perception of their responsibility, which mediates the relationship between situational empathy and prosocial intention to disclose. The implications of our findings are discussed. Collapse

Topics: healthcare data IT security threat data security health information system decision making

Methods: experiment partial least squares regression survey theory development PLS tool

How Do Individuals Justify and Rationalize their Criminal Behaviors in Online Romance Fraud?

2022 | Information Systems Frontiers | Citations: 0

Authors: Offei, Martin; Andoh-Baidoo, Francis Kofi; Ayaburi, Emmanuel W.; Asamoah, David

Abstract: Online romance fraud (ORF) is a growing concern with such serious negative conse ... Expand

Abstract: Online romance fraud (ORF) is a growing concern with such serious negative consequences as financial loss or suicide to the victim. Majority of empirical studies on online romance fraud using attachment, deception, protection motivation and relation theories focus on the victim. While neutralization offers insights into how individuals justify their deviant behaviors, the results have not been consistent in different contexts. In the ORF context, offenders may not only rely on justifying techniques but also rationalize their actions by denying risk both to the victim and the offender. Thus, drawing from the neutralization and denial of risk theories, we develop a research model to explain how online romance offenders justify and rationalize their intended criminal activities. To confirm our theoretical model, we collected 320 responses from individuals at Internet Cafés alleged to be online romance fraud hotspots. Our results highlight the boundary conditions of neutralization techniques in the context of online romance fraud. The study shows that denial of risk, a rationalization mechanism, moderates the relationship between denial of victim, a justification technique, and intention to commit romance fraud. This insight advances the frontiers of neutralization theory. We offer both theoretical and managerial implications of the findings. Collapse

Topics: criminality internet technology online dating internet fraud information security policy violation

Methods: psychometrics structural equation modeling theory development data transformation SEM tool

Theories: neutralization theory

Combatting the Neutralization of Security Policy Violations: Insights from the Healthcare Sector

2021 | European Conference On Information Systems | Citations: 0

Authors: Frank, Muriel

Abstract: Employees who do not adhere to security policies and regulations are a major co ... Expand

Abstract: Employees who do not adhere to security policies and regulations are a major concern for today's organizationsespecially in the healthcare sector. Prior research revealed that individuals often use neutralization techniques to justify their non-compliant security behaviors. It therefore seems requisite to investigate how to overcome such rationalizations and how to strengthen an individual's intent to follow security rules. Building on both neutralization theory and relational coordination theory, we propose a theoretical model linking the quality of relational ties to coping responses and information security policy violations. With the help of 199 young healthcare professionals, we provide evidence that factors like sharing the same goal and mutual respect can significantly reduce the usage of neutralization techniques. Our results add to the growing body of behavioral information security research and offer new insights on the impact of relationships in the workplace. Collapse

Topics: information security policy violation data security IT security threat security policy organizational context

Methods: survey factor analysis data transformation structural equation modeling chi squared test

Theories: coordination theory neutralization theory

High-Risk Deviant Decisions: Does Neutralization Still Play a Role?

2021 | Journal of the Association for Information Systems | Citations: 0

Authors: Trinkle, Bradley; Warkentin, Merrill; Malimage, Kalana; Raddatz, Nirmalee

Abstract: Extant research has shown that neutralization processes can enable potential IS ... Expand

Abstract: Extant research has shown that neutralization processes can enable potential IS security policy violators to justify their behavior and overcome the deterrence effect of sanctions in order to engage in unethical behaviors. However, such sanctions are typically moderate and not career ending. We test the boundary conditions of this theory by evaluating whether neutralization plays a role in overcoming the impact of extreme levels of deterrence. We extend the Siponen and Vance (2010) framework within a professional context that assigns extreme sanctions to violators. Using the scenario-based factorial survey method common in IS security research, we collected data from future auditors who understand these extreme sanctions. We test the reasons that auditors may use to form intentions to falsify information concerning an information security issue with a company's accounting information system, thereby jeopardizing data integrity and security by modifying working papers to hide irregularities and, by doing so, violating their professional standards, which could result in career-ending sanctions. We empirically validated and tested the theoretical model. Our results show that sanctions play an important role in reducing employees' intentions to violate policy but that, even under extreme boundary conditions, employees might seek to rationalize their unethical behavior by denying responsibility for their actions through, for example, arguing that their supervisors pressured them into performing the violations. We also establish that messages heightening the awareness and perceptions of the certainty and severity of organizational punishment are likely to attenuate such deviant behaviors. We discuss the implications of these findings and suggest future avenues for research. Collapse

Topics: behavioral intention accounting IT career IT security threat accounting information system

Methods: survey hierarchical linear modeling statistical hypothesis test experiment experimental design

Theories: deterrence theory neutralization theory behavioral theory general deterrence theory protection motivation theory

Peers matter: The moderating role of social influence on information security policy compliance

2020 | Information Systems Journal | Citations: 30

Authors: Yazdanmehr, Adel; Wang, Jingguo; Yang, Zhiyong

Abstract: Information security in an organization largely depends on employee compliance w ... Expand

Abstract: Information security in an organization largely depends on employee compliance with information security policy (ISP). Previous studies have mainly explored the effects of command-and-control and self-regulatory approaches on employee ISP compliance. However, how social influence at both individual and organizational levels impacts the effectiveness of these two approaches has not been adequately explored. This study proposes a social contingency model in which a rules-oriented ethical climate (employee perception of a rules-adherence environment) at the organizational level and susceptibility to interpersonal influence (employees observing common practices via peer interactions) at the individual level interact with both command-and-control and self-regulatory approaches to affect ISP compliance. Using employee survey data, we found that these two social influence factors weaken the effects of both command-and-control and self-regulatory approaches on ISP compliance. Theoretical and practical implications are also discussed. Collapse

Topics: social influence data security security policy intrinsic motivation communication service infrastructure

Methods: survey descriptive statistic partial least squares regression literature study scale reliability

Theories: contingency theory general deterrence theory deterrence theory

Generally Speaking, Context Matters: Making the Case for a Change from Universal to Particular ISP Research

2019 | Journal of the Association for Information Systems | Citations: 22

Authors: Aurigemma, Sal; Mattson, Thomas

Abstract: The objective of our paper is to conceptually and empirically challenge the idea ... Expand

Abstract: The objective of our paper is to conceptually and empirically challenge the idea of general information security policy (ISP) compliance. Conceptually, we argue that general ISP compliance is an ill-defined concept that has minimal theoretical usefulness because the policy-directed security actions vary considerably from threat to threat in terms of time, difficulty, diligence, knowledge, and effort. Yet, our senior IS scholars’ basket of journals has a strong preference to publish models in which the authors speculate that their findings are generalizable across all (or many) threats and controls contained in an organization’s ISP document. In our paper, we argue that compliance with each of the mandatory threat-specific security actions may require different (as opposed to similar) explanatory models, which makes constructing a universal model of ISP compliance problematic. Therefore, we argue that future ISP compliance literature will be more valuable if it focuses on the mechanisms, treatments, and behavioral antecedents associated with the required actions around specific threats instead of attempting to build a model that purportedly covers all (or many) threatspecific security actions (or intentions thereof). To support this claim empirically, we conducted two studies comparing general compliance intentions (i.e., undefined security action) and threat-specific compliance intentions. In both studies, our data show that compliance intentions vary significantly across general compliance measures and multiple threat-specific security measures or scenarios. Our results indicate that it is problematic to generalize about the behavioral antecedents from general compliance intentions to threat-specific security compliance intentions, from one threat-specific security action to other threat-specific security actions, and from one threat-specific security action to general compliance intentions. Collapse

Topics: password workstation IT security threat phishing self efficacy

Methods: literature study survey survey design chi squared test case study

Theories: theory of planned behavior protection motivation theory rational choice theory deterrence theory

Information Security Behavior: A Cross-Cultural Comparison of Irish and US Employees

2019 | Information Systems Management | Citations: 0

Authors: Connolly, Lena Y.; Lang, Michael; Wall, David S.

Abstract: This study explores how aspects of perceived national culture affect the informa ... Expand

Abstract: This study explores how aspects of perceived national culture affect the information security attitudes and behavior of employees. Data was collected using 19 semi-structured interviews in Ireland and the United States of America (US). The main findings are that US employees in the observed organizations are more inclined to adopt formalized information security policies and procedures than Irish employees, and are also more likely to have higher levels of compliance and lower levels of non-compliance. Collapse

Topics: data security national culture cybersecurity behavior laptop computer information security practice

Methods: qualitative interview cross sectional research personal interview constant comparative analysis qualitative content analysis

Seeing the Forest and the Trees: A Meta-Analysis of the Antecedents to Information Security Policy Compliance

2019 | Management Information Systems Quarterly | Citations: 0

Authors: Cram, W. Alec; D’Arcy, John; Proudfoot, Jeffrey G.

Abstract: A rich stream of research has identified numerous antecedents to employee compli ... Expand

Abstract: A rich stream of research has identified numerous antecedents to employee compliance (and noncompliance) with information security policies. However, the number of competing theoretical perspectives and inconsistencies in the reported findings have hampered efforts to attain a clear understanding of what truly drives this behavior. To address this theoretical stalemate and build toward a consensus on the key antecedents of employees’ security policy compliance in different contexts, we conducted a meta-analysis of the relevant literature. Drawing on 95 empirical papers, we classified 401 independent variables into 17 distinct categories and analyzed each category’s relationship with security policy compliance, including an analysis for possible domain-specific moderators. A meta-analytic relative weight analysis determined the relative importance of each category in predicting security policy compliance, while adding robustness to our findings. At a broad level, our results suggest that much of the security policy compliance literature is plagued by suboptimal theoretical framing. Our findings can facilitate more refined theory-building efforts in this research domain and serve as a guide for practitioners to manage security policy compliance initiatives. Collapse

Topics: information security policy compliance security policy IT security IT security threat self efficacy

Methods: meta analysis literature sample literature study cross sectional research survey design

Theories: theory of interpersonal behavior rational choice theory