Antecedent factors of violation of information security rules

Purpose – This paper aims to investigatethe in ﬂ uence of moral disengagement,perceivedpenalty,negative experiencesandturnover intention ontheintention toviolate theestablished securityrules. Design/methodology/approach – The method used involves two stages of analysis, using techniques of structural equation modeling and arti ﬁ cial intelligence with neural networks, based on information collected from 318 workersof organizationalinformationsystems. Findings – The model provides a reasonable prediction regarding the intention to violate information security policies (ISP). The results revealed that the relationships of moral disengagement and perceived penalty signi ﬁ cantlyin ﬂ uencesuch an intention. Research limitations/implications – This research presents a multi-analytical approach that expands the robustness of the results by the complementarity of each analysis technique. In addition, it offers scienti ﬁ c evidence of thefactors that reinforcethecognitive processesthat involve workers ’ decision-makinginsecurity breaches. Practical implications – The practical recommendation is to improve organizational communication to mitigate information security vulnerabilities in several ways, namely, training actions that simulate daily work routines; exposing the consequences of policy violations; disseminating internal newsletters with examplesof inappropriatebehavior. Social implications – Results indicate that information security does not depend on the employees ’ commitment to the organization; system vulnerabilities can be explored even by employees committed to the companies. Originality/value – The study expands the knowledge about the individual factors that make information security in companies vulnerable, one of the few in the literature which aims to offer an in-depth perspective onwhichindividualantecedentfactors affectthe violation of ISP.


Introduction
Cyber-attacks and information leaks resulting from failures in the control of information systems are recurrent news in the daily lives of organizations. Financial data, production information, suppliers and customers are targeted by people with bad intentions who seek to take advantage of the absence of efficient security controls (Sen, Verma, & Heim, 2020).
In its annual report on cybercrimes, research firm cybersecurity ventures estimates that losses from digital crimes will reach US$6tn in 2021 (Morgan, 2019). To illustrate the impacts of these problems, one can mention some attacks suffered by large companies in the first quarter of 2020 (McCandless, Evans, Barton, Starling, & Geere, 2020), such as the online exposure of 250 million customer support records of Microsoft, payment data of 300,000 Nintendo accounts, and improper access to the registration of five million guests of the Marriott hotel chain.
Organizational information is considered a company asset, and because of its importance to the business, it must be protected by everyone involved in the processes that make up organizations. In an attempt to avoid cyber-attacks, fraud, information leakage and other risks inherent to information, applying effective Information Security controls in organizations' processes has become fundamental. Likewise, employees' knowledge and skills are critical to mitigating risks and managing the overall effectiveness of organizational information security (Yoo, Goo, & Rao, 2020). In addition to tools, controls and training, many companies have guidelines established in their information security policies (ISP), which all employees must follow according to good practice standards defined in the Information Systems literature (International Organization for Standardization [ISO], 2013[ISO], , 2013.
Although ISP have rules that companies and employees must follow, it is known that the violations occur both due to external attacks and to internal factors, including reasons that involve the employees who work in these companies.
Information security literature studies show that the employee's failure to follow ISP increases the possibility of invasions to information assets, although losses and damages to organizational assets are highly undesirable (D'Arcy, Herath, & Shoss, 2014;Dhillon, Talib, & Picoto, 2020). However, studies exploring intrinsic factors related to ISP are still scarce (Dhillon et al., 2020) and information security at the working group level cannot be separated from the individual level because individual security is a necessary condition for processes to occur in the desired way (Yoo et al., 2020).
The moral disengagement of individuals that is linked to their inappropriate behaviors, as a rule, results in a penalty for them through disciplinary processes. In addition, this disengagement can lead the employee to practice harmful acts to violate the established safety rules. Thus, this study aims to answer the following research question:

RQ1. What impacts do individual factors have in decisions to violate ISP?
More specifically, it seeks to examine the influence of moral disengagement, perceived penalty, negative experiences of invasion and privacy and the effect of turnover intention on the intention to violate the established security rules.
The following chapters address the theoretical basis to formulate hypotheses about the factors that may involve violations of organizational ISP, the method used for data acquisition and analysis, the discussion of results and, finally, the research conclusions.

Theoretical framework 2.1 Moral disengagement
The literature recommends that the subjective mechanisms that support unwanted actions must be addressed to understand the cognitive processes that promote counterproductive behaviors in the workplace (Fida, Tramontano, Paciello, Ghezzi, & Barbaranelli, 2018).
The theory of moral disengagement (Bandura, Barbaranelli, Caprara, & Pastorelli, 1996) has been used to explain why individuals misbehave, for example, in their professional lives (Moore, Detert, Trevino, Baker, & Mayer, 2012). Based on this theory, moral disengagement is a mechanism through which individuals subjectively mitigate the consequences of unwanted behaviors from their own moral values (Bandura et al., 1996). For instance, research shows that employees may rationalize their undesirable behavior based on work stressors (D'Arcy et al., 2014). Khan, Dapeng, Adnan Muhammad, and Ullah (2018) confirmed the interaction between moral disengagement, ethical leadership and unethical behavior in the context of sales competition. Furthermore, the study showed a positive relationship between employees' moral disengagement and anticompetitive behavior and presents ethical leadership as a factor to mitigate counterproductive behaviors during work activities (Khan et al., 2018).
As a recommendation to mitigate the development of attitudes that support moral disengagement, it is recommended that employees take part in planning organizational goals with their leaders, thus promoting greater assertiveness of management expectations by employees (Barsky, 2011).
In addition, reminding potential offenders that their actions can harm others reduces the disconnection of acts from those people's moral values (Kish-Gephart, Detert, Treviño, Baker, & Martin, 2014). Aspects of organizational environments that discourage workers, such as situations that reduce commitment and harmony between work teams or financial losses linked to professional roles, increase the difficulties in the social relationship among employees, promote a feeling of helplessness and weaken moral values within organizations.
Thus, it is believed that moral disengagement is also linked to the emotional aspects of workers, as it positions itself as a mediating variable in the relation of negative emotions and counterproductive behaviors of professionals (Fida et al., 2018). In other words, the attitudes formed by negative emotions about work can support the individual's belief that it is acceptable to harm other people for the benefits achieved by the transgressive actions.
Actions that result in fraud can be elaborated from different subjective means, such as the lack of recognition that the unethical act is a fraud, the use of rationality to mitigate the negative results that follow the negative behaviors and the development of different methods to reduce unwanted consequences (Murphy & Dacin, 2011).
It is known that personal interests reinforce human motivations in their daily actions. Therefore, situations that exhibit opportunities for gains or benefits and involve such personal interests increase individuals' possibility of disengaging morally (Kish-Gephart et al., 2014). Thus, the effects of individual moral judgment are valuable for the security of information in an organization (D'Arcy & Lowry, 2019).
Attacks and violations of organizational ISP can have various motivations, but the moral disengagement of employees appears to be a significant factor, given their characteristics (D'Arcy et al., 2014).
Moral disengagement is one of the explanations that support decisions involving fraud in companies, selfish acts of employees in the workplace, as well as unethical actions that weaken the security of organizational processes (Zheng, Qin, Liu, & Liao, 2019).
Furthermore, the potential of moral disengagement to increase inappropriate actions and to be an inherently individual phenomenon places organizational moral disengagement as one of the main factors managers should consider (D'Arcy et al., 2014). Thus, the following hypothesis is elaborated: H1. Moral disengagement positively influences the intention to violate ISP.

Perceived penalty
By the standard of good practices ISO/IEC 27002/2013, the management of information security includes applying disciplinary processes based on punishments or penalties, also called sanctions, to all those who violate the guidelines established in the ISP.
Sanctions can be seen as a disciplinary imposition by top management on wrongdoers. Guo and Yuan (2012, p. 321) address sanctions as formal controls imposed on employees to ensure compliance with established guidelines, discouraging undesirable attitudes to the organizational environment. Straub (1990) and Fajardo (2016) also state that sanctions function as a "disincentive" to commit a criminal act or to deviate from the stated guidelines.
Several studies address the issue of administrative sanctions from the general deterrence theory, the main focus of criminological theories for over 30 years (Pahnila, Siponem, & Mahmood, 2007;Santiago, Diño, & Caballero, 2017). The concept of deterrence was developed "originally to control criminal behavior," which suggests that the certainty and severity "of punishment affect people's decision to commit a crime or not." The general deterrence theory also encompasses components such as social disapproval, which is the feeling of shame toward others for the act committed; self-disapproval, which is the shame of oneself and impulsiveness as the inability to resist, mentioned by Pahnila et al. (2007). Santiago et al. (2017) pointed out some equivalent findings in their study about violations and penalties involving plagiarism in advanced educational research. Straub's (1990) studies also concluded that "when the risk of punishment is high" and "sanctions for violation are serious," offenders are inhibited from committing violations. Furthermore, they observed that applying sanctions "for non-compliance with the Information Security Policy increases the appropriate Information Security behavior." Therefore, the following hypothesis is proposed to assess the effect of the perceived penalty on the intention to violate security: H2. The perceived penalty negatively influences the Intention to violate ISP.

Turnover intention
In the information age, companies that operate in knowledge-intensive sectors devote many resources to retain their talents, as turnover is expensive (Soltis, Agneessens, Sasovova, & Labianca, 2013). Furthermore, aspects related to workers' careers may also be related to turnover in companies: opportunities for career growth interact with the reduction in the turnover intention by employees.
According to Ohunakin, Adeniji, Oludayo, and Osibanjo (2018), the definition of career goals and the development of professional skills of the team, as well as the speed of promotions and the adequacy of remuneration to talented employees, are essential factors to reduce turnover, in addition to saving on hiring costs and providing the retention of highperformance professionals in companies (Ohunakin et al., 2018).
Employee turnover can generate costly consequences and serious problems for companies. The People Management literature reveals a wide variety of factors that lead individuals to leave their organizations searching for a new job, either in a different organization or in a different field (Coetzee & van Dyk, 2018).
Job turnover is associated with changes in the staff of an organization, whether due to hiring or firing. On the other hand, turnover intention refers to the estimated probability, by subjective means, of employees leaving their current job in the future (Mowday, Porter, & Steers, 1982).
Motivating employees to engage in work and remain faithful in defending the organization's image has been a challenge for organizations for decades (Rafiq, Wu, Chin, & Nasir, 2019).
In general, companies must direct their resources to improve the well-being and the organizational climate among employees. Such dedication from management usually results in lower turnover rates in the staff and greater identification of employees with the organization (Tinwala & Biswas, 2020). One possible explanation for these results is that trust in top management promotes the permanence of employees in their organizations (Mölders, Brosi, Spörrle, & Welpe, 2019).
Also, there is a positive relationship between turnover intentions and workplace incivility, which may relate to many negative behaviors, such as decreased job satisfaction, absenteeism, citizenship behavior and an increase in counterproductive behavior (Manzoor, Manzoor, & Khan, 2020) which may reduce compliance with internal organizational ISP by employees.
Haque, Fernando, and Caputi (2019) indicate that workers who manifest low turnover intention tend to exhibit increased organizational commitment, promoting citizenship behavior (Katz & Kahn, 1978) and adopting internal regulations and standards to fulfill organizational activities, such as internal security policies.
Therefore, the following hypothesis is elaborated: H3. The turnover intention positively influences the intention to violate ISP.

Negative privacy invasion experience
According to some studies, individuals may have different concerns about their privacy (Culnan & Armstrong, 1999;Smith, Milberg, & Burke, 1996). However, commonly, privacy violations caused by negative experiences, such as data leakage or theft, end up causing greater concern to individuals due to the fear that the negative experience will reoccur (Hong, Chan, & Thong, 2021;Xu, Teo, Tan, & Agarwal, 2012). The study of these phenomena was based on the relation of delivering information based on the trust of a social contract, whose rules govern the behavior of the parties involved. The existence of such a contract suggests that there will be adequate management of the data entrusted to one of the parties, establishing a relationship of trust that is undone when the data subject perceives an invasion of their privacy, affecting them psychologically and generating a feeling of betrayal (Bansal, Zahedi, & Gefen, 2010).
Attacks or exploitation of flawed security controls exposes data and information that can cause harm not only to organizations but also to data subjects. This experience can leave a negative perception regarding the privacy of individuals. Some studies focus on assessing how previous negative experiences can influence the increase in concern about the privacy of information (Bansal et al., 2010).
Other studies argue that the negative association between trust and breach of privacy is linked to the perception that something could have been done to decrease the likelihood of the occurrence (Ramos, Ferreira, de Freitas, & Rodrigues, 2018).
However, even with continuous efforts to protect the privacy of users, incidents of data breaches remain constant (Sen & Borle, 2015). Moreover, the negative aspects related to the breach of data privacy may even affect customer and firm performance (Martin, Borah, & Palmatier, 2017).
Attacks are less effective when administrators apply controls, but trust is reduced when the intention to share data is perceived (Bansal et al., 2010). Thus, with frequent data breaches, individuals feel that they are not in control of their information online and this causes a feeling of tiredness regarding privacy issues, when individuals believe there are no effective ways to manage information on the internet (Hargittai & Marwick, 2016). In addition, individuals with previous negative experiences of hacking tend to reduce their decision-making efforts to protect information (Levav, Heitmann, Herrmann, & Iyengar, 2010).
The concern with privacy and information protection is inherent to Information Security; thus, the association between the negative experience and the security breach becomes hypothetical. Then, the following hypothesis is proposed: H4. The negative experience of invasion of privacy negatively influences the intention to violate ISP.

Methodological procedures
This study was developed with a single quantitative cross-sectional approach and was carried out through a questionnaire that seeks, among other objectives, to identify opinions and the distribution of the phenomenon in the population using statistical techniques of data analysis. Before data collection, the research project was sent to a Research Ethics Committee and applied after its approval. Then, data collection took place in person and was carried out using psychometric five-point Likert scales according to the original studies of these instruments.
We used structural equation modeling by partial least squares (PLS-SEM) with the SMARTPLS 3.0 M3 software to analyze the proposed hypotheses. The choice of PLS-SEM is justified because it is intended to test a theoretical structure from a predicting perspective and the structural model includes a considerable number of constructs and relations; therefore, it is not possible to suppose a normal data distribution (Hair, Risher, Sarstedt, & Ringle, 2019). In addition, the research's objective is to understand better antecedent factors of violation of information security rules, which makes this an exploratory research for the development of theory, which is in line with the use of the technique (Hair et al., 2019).
As a form of complementary validation of the results of the hypothesis tests, a multianalytical approach was also used, involving machine learning to study the relations between the factors and the analysis technique using neural networks.
A neural network is an artificial intelligence tool that has the ability to acquire and store knowledge and make it available for use. Furthermore, knowledge acquisition through a learning process is a characteristic of the neural network analysis technique (Haykin, 1998).
For instance, in the case of a study of the relations between variables, the shape of these relations is determined in the learning process. If a linear relationship between variables is appropriate, neural network results should approximate the linear regression models.
However, if a non-linear relationship is more appropriate, the neural network will seek other forms of relations that better fit between variables (Ripley, 1996).
Given the learning ability of this technique, studies using it can provide superior results compared to other multivariate analysis techniques, in addition to helping to verify the consistency of the results obtained by multiple regression, given that some assumptions of linear analysis techniques are not required (Lee, Hew, Leong, Tan, & Ooi, 2020). The analysis of neural networks was performed using the International Business Machines Corporation, Statistical Package for the Social Sciences v.23 software.

Operationalization of variables
Turnover Intention was measured using the instrument presented by Siqueira, Gomide, Oliveira, and Polizzi Filho (2014); negative experience of invasion of privacy belongs to the study by Santos, Cappellozza, and Albertin (2018).
To expose a situation of violation of ISP, respondents had access to a short film that exposed a hypothetical situation of password sharing at work. The film and the other indicators that deal with the perceptions of ISP were obtained from the study by D'Arcy et al. (2014). The measurement instrument, which is available in the Appendix (Table A1), also includes three questions to control common method bias (Podsakoff, MacKenzie, Lee, & Podsakoff, 2003) that may influence the conclusions of this study.

Data collection and sample profile
To assess the size of the study sample and the statistical power of the analyzes, we used software G*Power 3.1 (Faul, Erdfelder, Buchner, & Lang, 2009). Considering four variables that are predictive of the intention to violate policy construct, with a 5% significance level, 0.8 statistical power (Cohen, 1988) and average effect size (f 2 = 0.15, which is equivalent to r 2 = 13%), it was assumed that the minimum sample size is equal to 85 respondents. Data collections were carried out in person with the voluntary participation of respondents from the state of São Paulo, selected by convenience from the researchers' network of contacts.
The questionnaire was printed and applied to 338 people who worked in companies with ISP established more than a year ago to compose the final sample. After analyzing the integrity of the responses, 20 incomplete questionnaires were discarded from the final analyzes. Therefore, the final sample used to analyze the hypotheses included 318 participants.
Among the collected sample, 44% were male respondents (140 people) and 56% female respondents (178 people). Regarding the respondents' age range, the mean age is 30 years old, with a standard deviation of 10.18 years. As for the size of respondent organizations concerning the number of employees, 68.3% of respondents stated that they work in organizations with more than 50 professionals.
Approximately 95% of the respondents claim to be aware of reports of invasion of personal and organizational data, which indicates that the sample understands that data security breaches are recurrent in their daily lives and that they are subject to these discomforts if they give up measures to protect their information.
The initial treatment of the data was based on the analysis of normality, collinearity, homoscedasticity and the absence of multicollinearity in the data distribution. The results indicate that the data distribution is not normal and there are no collinearity problems, as no correlation between the dependent variables is higher than 0.60. In the analysis of homoscedasticity, the scatterplot of the residuals does not have an obvious pattern, indicating that it is adequate. In the multicollinearity analysis, the variables' variance inflation factor value was lower than 5. All values are within the established by Hair, Hult, Ringle, and Sarstedt (2017).
In addition, analyzes of the common method bias (Podsakoff et al., 2003) were conducted: significant correlations values between dependent variables and control variables were not found in the result (Appendix), which indicates the absence or little influence, from this bias in this study.

Analyzes of hypotheses 4.1 Analysis by structural models
To evaluate the measurement model, we verified convergent validity, discriminant validity and reliability of the indicators. Average variance extracted (AVE) with a value higher than 0.50 and composite reliability of each construct with a value higher than 0.70 are recommended for validation of the measurement model (Hair et al., 2019). Another indicator of discriminant validity refers to the square root of the AVE from the constructs (highlighted in bold diagonal in Table 1), which must be higher than the correlation between the latent variables (Fornell & Larcker, 1981). The values of these metrics are shown in Table 1 and indicate that the results allow further analyzes.
Intention to violate ISP presented an R 2 with a high effect (Hair et al., 2019), indicating that the antecedent variables are suitable for investigating the researched phenomenon.
To validate the structural model, we assessed the significance of the indicators and the student's t-test. Among the four relationships analyzed, we observed that the relations of moral disengagement and perceived penalty have a significant influence on the intention to violate security policies and the relation of turnover intention is a little above the limit value (p-value equal to 0.06) of what is usually considered significant in a relation between variables (Table 2). Conversely, the privacy invasion experience relation was not significant.
The complete model resulting from our empirical approach is presented in Figure 1. Given the threshold significance value in the turnover intention and violation relations, in a complementary way, we decided to conduct a second analysis with artificial intelligence techniques under the neural networks approach to reassess the values obtained.

Analysis by neural networks
In general, a neural network can be composed of several layers, called the input, hidden and output layers. In this case, the neural network was designed to act in a multi-layer format under the learning algorithm Perceptron, which adjusts the weights of the network relations to minimize the residuals (Maliki, Agbo, Maliki, Ibeh, & Agwu, 2011). Furthermore, the three independent variables that obtained significance or threshold value, were considered in the multiple regression analysis for the composition of the input layer, namely, perceived penalty, turnover intention and moral disengagement. Finally, the output layer was composed of the dependent variable intention to violate ISP. Until the elaboration of this study, the authors did not find a definitive recommendation on the composition of the layers that could bring better results to the research  Violation of Information security rules model. Therefore, several simulations of network architectures were tested so that the results obtained could assist the selection of how to improve result performance. The analysis examined the network with 1 to 10 hidden nodes. The nodes' number in one hidden layer was set to 2 and the activation function was set to sigmoid function in both hidden and output layers. As for increasing the effectiveness of training, both inputs and outputs were normalized to the range [0,1] (Liébana-Cabanillas, Marinkovi c, & Kalini c, 2017). Among the results, the composition of the neural network with the best performance referred to the architecture with three nodes in the second hidden layer, as shown in Figure 2.
After selecting the composition, we calculated the results with compositions ranging from one to 10 nodes in the first hidden layer and three nodes in the output layer. To obtain the neural network results, we considered 90% of the total sample for the training stage and 10% for the test of the final model, as suggested by Hew, Leong, Tan, Ooi, and Lee (2019). This can be seen in Tables 3 and 4.
The calculated Root Mean Squared Error values indicate that the neural network can provide good accuracy in predicting the results of the research model relations (Leong, Hew, Wei-Han, & Ooi, 2013;Ooi, Hew, & Lin, 2018). Table 4 presents the results of the sensitivity analysis calculated for all compositions of neural networks and one can observe that the values obtained from the coefficients of determination (R 2 ) can also be considered high and associated with good quality of prediction of the observed values of intention to violate security policies.
Table 4 also demonstrates that the sensitivity analysis shows the importance of each of the variables prior to predicting the observed values of intention to violate. Thus, moral disengagement was considered the most critical factor in the intention to violate, followed by the perceived penalty and turnover intention.
The results obtained with moral disengagement are similar to other studies (Fida et al., 2018;Valle, Kacmar, & Zivnuska, 2019) designed to assess unethical behavior and confirm that this factor interferes in cognitive processes as an element that promotes the execution of unwanted actions in the workplace. Perceived penalty, on the other hand, reinforces the need for organizational governance to develop the rules and policies that must be established to protect technological information assets but also to emphasize that, in addition to complying with the rules, the due consequences must be prescribed to members who infringe the responsibilities established by the company's management. These results are also similar to other studies (D'Arcy et al., 2014) that relate this factor to unwanted behaviors of workers.
Considering the order of magnitude of the calculated magnitudes of the values of normalized amounts for each independent variable, turnover intention has an influence about five times lower than the influence of moral disengagement and perceived penalty.
Given the similarities in the interpretation of results of the SEM and the analysis of neural networks, the authors understand that it is not possible to confirm the hypothesis that turnover intention influences the intention to violate ISP. However, the additional usage

Research conclusion
Information security must be a factor to be considered by company leaders. Currently, the protection of users' information has become not only a competitive differential but an essential factor in the economic and a risk-mitigating development of organizations (Kauspadiene, Ramanauskaite, & Cenys, 2019), which leads to the orientation that the implementation of controls that promote information security is not a matter of choice, but survival in the organizational market.
This study sought to answer the following question:

Q1. What impacts do individual factors have in decisions to violate ISP?
The answer presents and tests a research model that weighs four potential predictive variables on behavioral intent in the perspective of violation of ISP. Therefore, it provides theoretical and managerial implications for the management of information systems and organizational policies. Thus, the study expands the knowledge about the individual factors that make information security in companies vulnerable under a research model that contemplates dimensions that are associated with the organization's governance, such as perceived penalty, as well as factors that are associated with ethical decision-making, potential job transition and individual experiences related to privacy.
The research results emphasize that the certainty and the severity of the punishment significantly affect employees' decisions in their intention to commit a crime. Other aspects linked to the general theory of deterrence also consider some components, such as the social disapproval of the other employees of the company for the infraction committed, shame and impulsiveness as the inability to resist, which is in line with the propositions of Pahnila et al. (2007).
A relevant contribution of this study is the fact that until the end of the elaboration of this article, no studies were found presenting a similar research model in the information systems management literature, which adds a theoretical contribution to the studies in this research area.
We understand that the article makes a significant methodological contribution by using two multivariate techniques to analyze the collected data. This research presents a multi-analytical approach that integrates statistical analysis techniques of SEM and neural networks, expanding the results' robustness. We did not identify any article that combined the two techniques used in this field of study.
As noted by many scholars, these techniques complement each other, and therefore, provide a more rigorous data analysis (Lee et al., 2020). This is because neural network analysis can compensate for SEM analysis's weaknesses by capturing linear and complex non-linear relations between variables (Leong, Hew, Lee, & Ooi, 2015).
Although PLS-SEM has often been used to verify hypothesized relations in social and behavioral science (Hair et al., 2017), there are few studies on integrating it with other artificial intelligence algorithms (Xu, Zhang, Bao, Zhang, & Xiang, 2019) and even fewer on information security studies.
We understood that one of the contributions of this study is the scientific evidence of the factors that reinforce the cognitive processes that involve workers' decision-making in security breaches within organizations. We also consider that our results may bring opportunities to deepen the general deterrence theory in studies related to information security and cybercrimes, for example, by adopting new dimensions related to the future consequences of a previous penalty. The introduction of such new dimensions could serve as an opportunity to transform potential non-compliance into potential compliance behaviors, as suggested in the theoretical study by Ali, Dominic, Ali, Rehman, and Sohail (2021).
Comparing the factors analyzed in this study, the results confirmed moral disengagement as the primary influence in the decision to violate ISP, followed by the perceived penalty. Based on this evidence, the first practical recommendation of this study is to improve organizational communication aimed at mitigating information security vulnerabilities.
Such communication improvement can be implemented in several ways, for example, with training actions that simulate daily work routines and situations that offer opportunities for violating organizational policies, so that professionals can have a real sense of the susceptibility of failures to data protection and mitigate individual tendencies that may favor unwanted behavior.
In addition, given the significant influence of the perceived penalty of violating actions as a force that reduces the intention to violate policies, it is suggested that training also expose the consequences of policy violations as a way of broadening the notion of penalties that employees will be subject to if they behave contrary to internal guidelines.
Another possible way to reduce moral disengagement is the dissemination of internal newsletters that can expose examples of misbehavior to increase the understanding of employees about the internal policies and rules established by the company's governance.
According to the results obtained, it also deserves attention from the information system managers that one cannot affirm that employees who plan to leave their current job tend to violate the safety rules established compared to other employees.
Even though there are studies (Silva & Cappellozza, 2014) that negatively relate affective commitment to turnover intention, our results indicate that information security does not depend on the employees' commitment to the organization; in other words, system vulnerabilities can be initiated by any employee, including those committed to the companies in which they work.
Consequently, the saying "scalded cat fears cold water" also does not apply to the results of this study: the negative experiences that workers have suffered in the context of loss of privacy do not necessarily result in attitudes that qualitatively protect organizational systems.
Thus, the fact that workers have previously had experiences with invasions or loss of private information does not exempt them from the need for training on the security of organizational information systems, given the possibility of committing acts that weaken the protections of the adopted technologies in the company.
In analytical terms, the research model analyzed provides a reasonable prediction regarding the intention to violate ISP, keeping in mind its limitations, as data collection associates a hypothetical situation with the manifestation of a behavioral intention and not, appropriately, the observation of actual security breach behavior.
Future research can adapt the measurement instrument provided in this study with the insertion of actual observations of violations of security policies to compare results and improve collection methods.
Although this study uses a neural network architecture with acceptable statistical values on the residuals and plausible results of the coefficient of determination, it is presumable that the results obtained vary under different samples and network configurations.
Another limitation of the study is the cross-sectional approach of data collection, which, although convenient, has limitations in establishing greater control over the causality of relations. Data collected over extended periods with a longitudinal approach may reveal behavioral patterns over time and shed more light on the phenomenon studied.
As another possibility for future research, after an extensive investigation of the relevant literature and the identification of the adopted constructs, it may be interesting to evaluate the effect of other factors adding to this research model (for example, the perceived complexity of the established security policies) to obtain a more comprehensive view regarding decision-making on this topic.