2019, Information & Computer Security
Purpose: Organizational insiders play a critical role in protecting sensitive information. Prior research finds that moral beliefs influence compliance decisions. Yet, it is less clear what factors influence moral beliefs and the conditions under which those factors have stronger/weaker effects. Using an ethical decision-making model and value congruence theory, this study aims to investigate how moral intensity and organizational criticality influence moral beliefs and intentions to perform information protection behaviors. Design/methodology/approach: The hypotheses were tested using a scenario-based survey of 216 organizational insiders. Two of the scenarios depict low criticality information security protection behaviors and two depict high criticality behaviors. Findings: A major finding is that users rely more on perceived social consensus and magnitude of consequences when organizational criticality is low and on temporal immediacy and proximity when criticality is high. In addi...
European Journal of Information Systems, 2009
It is widely agreed that employee non-adherence to information security policies poses a major problem for organizations. Previous research has pointed to the potential of theories of moral reasoning to better understand this problem. However, we find no empirical studies that examine the influence of moral reasoning on compliance with information security policies. We address this research gap by proposing a theoretical model that explains noncompliance in terms of moral reasoning and values. The model integrates two well-known psychological theories: the Theory of Cognitive Moral Development by Kohlberg and the Theory of Motivational Types of Values by Schwartz. Our empirical findings largely support the proposed model and suggest implications for practice and research on how to improve information security policy compliance.
Information security policy compliance (ISP) is one of the key concerns that face organizations today. Although technical and procedural measures help improve information security, there is an increased need to accommodate human, social and organizational factors. Despite the plethora of studies that attempt to identify the factors that motivate compliance behavior or discourage abuse and misuse behaviors, there is a lack of studies that investigate the role of ethical ideology per se in explaining compliance behavior. The purpose of this research is to investigate the role of ethics in explaining Information Security Policy (ISP) compliance. In that regard, a model that integrates behavioral and ethical theoretical perspectives is developed and tested. Overall, analyses indicate strong support for the validation of the proposed theoretical model.
European Journal of Technology
Purpose: Ethics is the last issue that organizations ponder about when planning cyber security strategies. Yet ethical behaviors have a big impact on the interactions with software and technology. The lack of employees’ cyber security ethical behavior and a weak ethical climate have encouraged security violations in the banks. Employees organize over 90% of cyber security breaches and even cooperate with external attackers to cause havoc. This research aimed at understanding the moderation effect of Ethical Climate on the influence of the ethical virtues and cyber security ethical behavior in the central Ugandan commercial banks. Methodology: Ethical climate theory provided the conceptual framework for this study. The quantitative survey method utilizing an online questionnaire was used. Data was obtained from a sample of 240 commercial banks’ employees drawn from Centenary and ABSA banks’ branches in central Uganda. Partial Least Squares Structural Equation Modeling was used to test ...
Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS'06), 2006
Information technologies (IT) have spread throughout all areas of modern society. However, the evolution of ethics that guide their use lags behind technological advances [2]. A promising approach to this problem involves identifying factors associated with ethical decision-making in an IT context. This study tests a model of ethical decision-making based on the argument that an individual's perception of ethical issues inherent in a specific situation is fundamental to the decision-making process, and is shaped by the moral intensity of the situation [1]. Findings suggest that moral intensity: is influenced by the individual's personal moral philosophy, age, gender, and religiosity; and subsequently influences various stages of the decision-making process. Results support the use of the moral intensity model of ethical decision-making in IT contexts, and suggest the need to further explore antecedents of the ethical decision-making process.
European Journal of Technology
Purpose: Cyber security threats emanating from employees’ incorrect behavior have escalated in the banking sector. Yet formal policies and technical solutions have failed to solve the problem. Virtue ethics may be a method that can handle this concern. This research aimed at enhancing cyber security by confirming through statistical analysis the applicability of cardinal virtues related to cyber security ethical behavior. Methodology: The quantitative survey method utilizing an online questionnaire was used. Confirmatory factor analysis determined causal patterns in the variables and assessed them for validity and reliability. Partial Least Squares Structural Equation Modeling was then used to test causal relations between the study’s constructs. Findings: The results reveal that there is a positive but an insignificant effect of prudence Beta 0.094. p = 0.277 on cyber security ethical behavioral Intentions; there is a positive and significant influence of Temperance; Beta 0.255, ...
Journal of Business Ethics, 2002
This exploratory study of ethical decision making by individuals in organizations found moral intensity, as defined by Jones (1991), to significantly influence ethical decision making intentions of managers. Moral intensity explained 37% and 53% of the variance in ethical decision making in two decision-making scenarios. In part, the results of this research support our theoretical understanding of ethical/unethical decision-making and
insiders, who by definition are trusted, are a major concern for organizations because of their ability to misuse access privileges, steal intellectual property, and commit fraud (Rubenstein 2008; Schmitt 2011). The recent high-profile cases of Private Manning and Edward Snowden have further raised organizations’ concerns of the insider threat (Savage 2013). Consequently, it is important to identify ways to reduce insiders’ abuse of information systems. Previous research has shown the potential of perceived accountability within systems to reduce access policy violations, one common form of insider abuse (Vance et al. 2013). This research expands on this previous effort by showing how the constructs of moral intensity and impulsivity moderate the influence of accountability mechanisms on access policy violations. Our research question is, RQ: How do moral intensity and impulsivity influence the effect of accountability on intentions to violate the access policy? We conducted a field study that presented hypothetical scenarios and a simulated accountability user interface (UI) artifacts to professional users of an Oracle PeopleSoft human resource management system (HRMS) and financial management system (FMS). We anticipate that the analysis will show how the influence of impulsivity and moral intensity influence the effectiveness of these accountability UI artifacts in reducing access policy violations.
Safety critical systems can cause injury or death to people if they malfunction, and thus it is of vital importance for employees to report bugs in such systems. Based on the notions of moral intensity and morality judgment, we propose a model that explains employees' intentions to report bugs in safety critical systems. We conducted a conjoint experiment to test the model. Based on data from 173 software engineers, we found that morality judgment plays a key role in mediating the relationship between moral intensity and bad news reporting. Specifically, we found that two dimensions of moral intensity (magnitude of consequences and probability of effect) exert both direct and indirect effects on the willingness to report bad news. Further, we found that two other dimensions of moral intensity (temporal immediacy and proximity to victims) do not exert direct effects, but influence bad news reporting indirectly through morality judgment.
2006
Information technology (IT) has proliferated at an unprecedented rate in our society. Technical advances have come quickly yet the social and ethical infrastructure to support these advances has been slow in development. A group of individuals have developed a general code of ethical conduct for information technology professionals to begin to identify the proper ethical choices that IT professionals should make. This paper examines this code and explores whether there are underlying ethical constructs that underlie the code. After examining ten key provisions of the code, it was found through exploratory factor analysis that there were two factors which emerged—information technology integrity and information technology security. There were found to be no differences in level of agreement with these IT ethical factors based on several demographic variables. The implications of these findings for educators, researchers and practitioners are briefly discussed.
2013
The issue of "professional ethics" in the workplace has been put under the spotlight in recent years; especially several scandals have involved questionable behaviour on the part of information systems (IS) professionals. In the past years, many countries have constructively paid attention to the rules of professional ethics. Among these efforts, many acts asked for corporate information disclosures, for example, the disclosure of IS security and privacy policies. In this study, two research questions are explored. The first of these investigates the disclosure of IS security policies and perception of codes in Taiwan IS corporations. The second empirically validates a research model to understand whether the disclosure of IS security policies have any influence on the IS professionals' perceptions of codes, and in turn, how these perceptions impact their ethical and unethical conducts. Finally, the theoretical and practical implications to the management of ethics concerning information ethics are discussed.
Unethical information technology (IT) use, related to activities such as hacking, software piracy, phishing, and spoofing, has become a major security concern for individuals, organizations, and society in terms of the threat to information systems (IS) security. While there is a growing body of work on this phenomenon, we notice several gaps, limitations, and inconsistencies in the literature. In order to further understand this complex phenomenon and reconcile past findings, we conduct an exploratory study to uncover the nomological network of key constructs salient to this phenomenon, and the nature of their interrelationships. Using a scenario-based study of young adult participants, and both linear and nonlinear analyses, we uncover key nuances of this phenomenon of unethical IT use. We find that unethical IT use is a complex phenomenon, often characterized by nonlinear and idiosyncratic relationships between the constructs that capture it. Overall, ethical beliefs held by the individuals, along with economic, social, and technological considerations are found to be relevant to this phenomenon. In terms of practical implications, these results suggest that multiple interventions at various levels may be required to combat this growing threat to IS security.
Dewald Roode Workshop on IS Security Research 2010, IFIP WG 8.11 / 11.13, Waltham, Massachusetts, USA, October 8–
European Journal of Information Systems, 2016
Insiders represent a major threat to the security of an organization's information resources. Previous research has explored the role of dispositional and situational factors in promoting compliant behavior, but these factors have not been studied together. In this study, we use a scenario-based factorial survey approach to identify key dispositional and situational factors that lead to information security policy violation intentions. We obtained 317 observations from a diverse sample of insiders. The results of a general linear mixed model indicate that dispositional factors (particularly two personality meta-traits, Stability and Plasticity) serve as moderators of the relationships between perceptions derived from situational factors and intentions to violate information security policy. This study represents the first information security study to identify the existence of these two meta-traits and their influence on information security policy violation intentions. More importantly, this study provides new knowledge of how insiders translate perceptions into intentions based on their unique personality trait mix.
Interdisciplinary Journal of Information, Knowledge, and Management
Aim/Purpose: This paper examines the behavior of financial firm employees with regard to information security procedures instituted within their organization. Furthermore, the effect of information security awareness and its importance within a firm is explored. Background: The study focuses on employees’ attitude toward compliance with information security policies (ISP), combined with various norms and personal abilities. Methodology: A self-reported questionnaire was distributed among 202 employees of a large financial corporation. Contribution: As far as we know, this is the first paper to thoroughly explore employees’ awareness of information system procedures, among financial organizations in Israel, and also the first to develop operative recommendations for these organizations aimed at increasing ISP compliance behavior. The main contribution of this study is that it investigates compliance with information security practices among employees of a defined financial corporation...
"http://aisel.aisnet.org/misq/vol34/iss3/9/ Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be great assets in the effort to reduce risk related to information security. Since the key is employees who comply with the information security rules and regulations of the organization, understanding compliance behavior is crucial for organizations that want to leverage their human capital to strengthen information security. This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization’s information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee’s attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee’s attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee’s outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards, while cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee’s attitude toward compliance with the ISP. Our results show that an employee’s intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. 
Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee’s attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees’ following their organizations’ information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization’s efforts to encourage compliance."
Journal of Business Ethics, 2013
Computer abuse (CA) by employees is a critical concern for managers. Misuse of an organization’s information assets leads to costly damage to an organization’s reputation, decreases in sales, and impositions of fines. We use this opportunity to introduce and expand the theoretical framework proffered by Thong and Yap (1998) to better understand the factors that lead an individual to commit CA in organizations. The study uses a survey of 449 respondents from the banking, financial, and insurance industries. Our results indicate that individuals who adhere to a formalist ethical perspective are significantly less likely to engage in CA activities than those following a utilitarian ethical framework. In addition, the results provide evidence that employees with individualistic natures are linked to increased CA incidents, whereas collectivist tendencies are associated with decreases in CA behaviors. Our results also show that collectivism acts as a strong moderator that further decreases both the relationships between formalism and CA, and utilitarianism and CA. Finally, we offer detailed suggestions on how organizations and researchers can leverage our findings to decrease CA occurrences.
AIS Transactions on Replication Research, 2018
The purpose of this study is to methodologically replicate the model presented by D'Arcy et al. (2014) using a new sampling frame that consists of employees in a single organization, a large academic institution in Canada (N = 150). This is in contrast to the original study, which used a large, demographically diverse sample of online panel respondents that spanned multiple organizations and industries. Our replication results confirm the results of the original study, and in doing so, support the theoretical position that security-related stress induces moral disengagement of information security policy (ISP) violations, which in turn increases ISP violation intention. The findings also indirectly support the viability of online panel respondents for studies of employees' security-related intentions. Having established the robustness of the D'Arcy et al. (2014) model across two sampling frames, we recommend future conceptual replications that employ alternate measures of security-related stress and more rigorous research designs that capture the relationships between security-related stress, moral disengagement, and ISP violations.
Decision Sciences, 2012
We develop an individual behavioral model that integrates the role of top management and organizational culture into the theory of planned behavior in an attempt to better understand how top management can influence security compliance behavior of employees. Using survey data and structural equation modeling, we test hypotheses on the relationships among top management participation, organizational culture, and key determinants of employee compliance with information security policies. We find that top management participation in information security initiatives has significant direct and indirect influences on employees' attitudes towards, subjective norm of, and perceived behavioral control over compliance with information security policies. We also find that the top management participation strongly influences organizational culture which in turn impacts employees' attitudes towards and perceived behavioral control over compliance with information security policies. Furthermore, we find that the effects of top management participation and organizational culture on employee behavioral intentions are fully mediated by employee cognitive beliefs about compliance with information security policies. Our findings extend information security research literature by showing how top management can play a proactive role in shaping employee compliance behavior in addition to the deterrence oriented remedies advocated in the extant literature. Our findings also refine the theories about the role of organizational culture in shaping employee compliance behavior. Significant theoretical and practical implications of these findings are discussed.
* This project was partially funded by a grant to the authors from the Defense Information Systems Agency (DISA) of the Department of Defense (DoD). The authors express their thanks to the editor, senior editor, associate editor, and two anonymous reviewers for their detailed and constructive comments and suggestions throughout the review process.
† Corresponding author.
has served as a special issue associate editor for MIS Quarterly and European Journal of Information Systems. Tamara Dinev is an associate professor and Chair of the Department of Information Technology and Operations Management (ITOM), College of Business, Florida Atlantic University, Boca Raton, Florida. She received her PhD in theoretical physics in 1997. Following several senior positions in information technology companies, her interests migrated to management information systems research and she joined the Florida Atlantic University ITOM faculty in 2000. Her research