Search results

1 – 10 of 810
Article
Publication date: 6 April 2020

Gaurav Bansal, Steven Muzatko and Soo Il Shin

This study examines how neutralization strategies affect the efficacy of information system security policies. This paper proposes that neutralization strategies used to…

1038

Abstract

Purpose

This study examines how neutralization strategies affect the efficacy of information system security policies. This paper proposes that neutralization strategies used to rationalize security policy noncompliance range across ethical orientations, extending from those helping the greatest number of people (ethics of care) to those damaging the fewest (ethics of justice). The results show how noncompliance differs between genders based on those ethical orientations.

Design/methodology/approach

A survey was used to measure information system security policy noncompliance intentions across six different hypothetical scenarios involving neutralization techniques used to justify noncompliance. Data was gathered from students at a mid-western, comprehensive university in the United States.

Findings

The empirical analysis suggests that gender does play a role in information system security policy noncompliance. However, its significance is dependent upon the underlying neutralization method used to justify noncompliance. The role of reward and punishment is contingent on the situation-specific ethical orientation (SSEO) which in turn is a combination of internal ethical positioning based on one's gender and external ethical reasoning based on neutralization technique.

Originality/value

This study extends ethical decision-making theory by examining how the use of punishments and rewards might be more effective in security policy compliance based upon gender. Importantly, the study emphasizes the interplay between ethics, gender and neutralization techniques, as different ethical perspectives appeal differently based on gender.

Details

Information Technology & People, vol. 34 no. 1
Type: Research Article
ISSN: 0959-3845

Keywords

Article
Publication date: 6 May 2020

Bowen Guan and Carol Hsu

The purpose of this paper is to investigate the association between abusive supervision and employees' information security policy (ISP) noncompliance intention, building on…

1399

Abstract

Purpose

The purpose of this paper is to investigate the association between abusive supervision and employees' information security policy (ISP) noncompliance intention, building on affective commitment, normative commitment and continuance commitment. The study also examines the moderating effect of perceived certainty and severity of sanctions on the relationship between the three dimensions of organizational commitment and ISP noncompliance intention.

Design/methodology/approach

Survey methodology was used for data collection through a well-designed online questionnaire. Data was analyzed using the structural equation model with Amos v. 22.0 software.

Findings

This study demonstrates that abusive supervision has a significant, negative impact on affective, normative and continuance commitment, and the three dimensions of organizational commitment are negatively associated with employees' ISP noncompliance intention. Results also indicate that the moderating effect of perceived severity of sanctions is significant, and perceived certainty of sanctions plays a positive moderating role in the relationship between affective commitment and employees' ISP noncompliance intention.

Practical implications

Findings of this research are beneficial for organizational management in the relationships between supervisors and employees. These results provide significant evidence that avoiding abusive supervision is important in controlling employees' ISP noncompliance behavior.

Originality/value

This research fills an important gap in examining employees' ISP noncompliance intentions from the perspective of abusive supervision and the impact of affective, normative and continuance commitment on ISP noncompliance. The study is also of great value for information systems research to examine the moderating role of perceived certainty and severity of sanctions.

Article
Publication date: 12 March 2021

Chenhui Liu, Huigang Liang, Nengmin Wang and Yajiong Xue

Employees’ information security policy (ISP) compliance exerts a significant strain on information security management. Drawing upon the compliance theory and control theory, this…

1344

Abstract

Purpose

Employees’ information security policy (ISP) compliance exerts a significant strain on information security management. Drawing upon the compliance theory and control theory, this study attempts to examine the moderating roles of organizational commitment and gender in the relationships between reward/punishment expectancy and employees' ISP compliance.

Design/methodology/approach

Using survey data collected from 310 employees in Chinese organizations that have formally adopted information security policies, the authors applied the partial least square method to test hypotheses.

Findings

Punishment expectancy positively affects ISP compliance, but reward expectancy has no significant impact on ISP compliance. Compared with committed employees, both reward expectancy and punishment expectancy have stronger impacts on low-commitment employees' ISP compliance. As for gender differences, punishment expectancy exerts a stronger effect on females' ISP compliance than it does on males.

Originality/value

By investigating the moderating roles of organizational commitment and gender, this paper offers a deeper understanding of reward and punishment in the context of ISP compliance. The findings reveal that efforts in building organizational commitment will reduce the reliance on reward and punishment, and further controls rather than the carrot and stick should be applied to ensure male employees' ISP compliance.

Details

Information Technology & People, vol. 35 no. 2
Type: Research Article
ISSN: 0959-3845

Keywords

Article
Publication date: 14 August 2018

Tejaswini Herath, Myung-Seong Yim, John D’Arcy, Kichan Nam and H.R. Rao

Employee security behaviors are the cornerstone for achieving holistic organizational information security. Recent studies in the information systems (IS) security literature have…

1308

Abstract

Purpose

Employee security behaviors are the cornerstone for achieving holistic organizational information security. Recent studies in the information systems (IS) security literature have used neutralization and moral disengagement (MD) perspectives to examine employee rationalizations of noncompliant security behaviors. Extending this prior work, the purpose of this paper is to identify mechanisms of security education, training, and awareness (SETA) programs and deterrence as well as employees’ organizational commitment in influencing MD of security policy violations and develop a theoretical model to test the proposed relationships.

Design/methodology/approach

The authors validate and test the model using the data collected from six large multinational organizations in Korea using survey-based methodology. The model was empirically analyzed by structural equation modeling.

Findings

The results suggest that security policy awareness (PA) plays a central role in reducing MD of security policy violations and that the certainty of punishment and immediacy of enforcing penalties are instrumental toward reducing such MD; however, the higher severity of penalties does not have an influence. The findings also suggest that SETA programs are an important mechanism in creating security PA.

Originality/value

The paper expands the literature in IS security that has examined the role of moral evaluations. Drawing upon MD theory and social cognitive theory, the paper points to the central role of SETA and security PA in reducing MD of security policy violations, and ultimately the likelihood of this behavior. The paper not only contributes to theory but also provides important insights for practice.

Article
Publication date: 23 March 2022

Eric Amankwa, Marianne Loock and Elmarie Kritzinger

This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information…

1239

Abstract

Purpose

This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security policy compliance culture (ISPCC) in organisations.

Design/methodology/approach

Based on factors derived from the organisational culture theory, social bond theory and accountability theory, a testable research model was developed and evaluated in an online survey that involves the use of a questionnaire to collect quantitative data from 313 employees, from ten different organisations in Ghana. The data collected were analysed using the partial least squares-structural equation modelling approach, involving the measurement and structural model tests.

Findings

The study reveals that the individual measures of accountability – identifiability (2.4%), expectations of evaluation (38.8%), awareness of monitoring (55.7%) and social presence (−41.2%) – had weak to moderate effects on employees’ attitudes towards information security policy compliance. However, the combined effect showed a significant influence. In addition, organisational factors – supportive organisational culture (15%), security compliance leadership (2%) and user involvement (63%) – showed positive effects on employees’ attitudes. Further, employees’ attitudes had a substantial influence (65%), while behavioural intentions demonstrated a weak effect (24%) on the establishment of an ISPCC in the organisation. The combined effect also had a substantial statistical influence on the establishment of an ISPCC in the organisation.

Practical implications

Given the findings of the study, information security practitioners should implement organisational and behavioural factors that will have an impact on compliance, in tandem, with the organisational effort to build a culture of compliance for information security policies.

Originality/value

The study provides new insights on how to address the problem of non-compliance with regard to the information security policy in organisations through the combined application of organisational and behavioural factors to establish an information security policy compliance culture, which has not been considered in any past research.

Details

Information & Computer Security, vol. 30 no. 4
Type: Research Article
ISSN: 2056-4961

Keywords

Article
Publication date: 7 November 2023

Marko Niemimaa

The purpose of this research is to study how compliance evaluation becomes performed in practice. Compliance evaluation is a common practice among organizations that need to…

Abstract

Purpose

The purpose of this research is to study how compliance evaluation becomes performed in practice. Compliance evaluation is a common practice among organizations that need to evaluate their posture against a set of criteria (e.g. a standard, legislative framework and “best practices”). The results of these evaluations have significant importance for organizations, especially in the context of information security and continuity. The author argues that how these evaluations become performed is not merely a “social” activity but shaped by the materiality of the evaluation criteria

Design/methodology/approach

The authors adopt a sociomaterial practice-based view to study the compliance evaluation through in situ participant observations from compliance evaluation workshops to evaluate organizational compliance against a information security and business continuity criteria. The empirical material was analyzed to construct vignettes that serve to illustrate the practice of compliance evaluation.

Findings

The research analysis shows how the information security and business continuity criteria themselves partake in the compliance evaluations by operating through (ventriloqually) the evaluators on three strata: the material, the textual and the structural. The author also provides a conceptualization of a hybrid agency.

Originality/value

This research contributes to lack of studies on the organizational-level compliance. Further, the research is an original contribution to information security and business continuity management by focusing on the practices of compliance evaluation. Further, the research has theoretical novelty by adopting the ventriloqual agency as a hybrid agency to study the sociomateriality of a phenomenon.

Details

Information Technology & People, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0959-3845

Keywords

Article
Publication date: 11 June 2018

Martin Karlsson, Thomas Denk and Joachim Åström

The purpose of this paper is to investigate the occurrence of value conflicts between information security and other organizational values among white-collar workers. Further…

Abstract

Purpose

The purpose of this paper is to investigate the occurrence of value conflicts between information security and other organizational values among white-collar workers. Further, analyzes are conducted of the relationship between white-collar workers’ perceptions of the culture of their organizations and value conflicts involving information security.

Design/methodology/approach

Descriptive analyses and regression analyses were conducted on survey data gathered among two samples of white-collar workers in Sweden.

Findings

Value conflicts regarding information security occur regularly among white-collar workers in the private and public sectors and within different business sectors. Variations in their occurrence can be understood partly as a function of employees’ work situations and the sensitivity of the information handled in the organization. Regarding how perceived organizational culture affects the occurrence of value conflicts, multivariate regression analysis reveals that employees who perceive their organizations as having externally oriented, flexible cultures experience value conflicts more often.

Research limitations/implications

The relatively low share of explained variance in the explanatory models indicates the need to identify alternative explanations of the occurrence of value conflicts regarding information security.

Practical implications

Information security managers need to recognize that value conflicts occur regularly among white-collar workers in different business sectors, more often among workers in organizations that handle sensitive information, and most often among white-collar workers who perceive the cultures of their organizations as being externally oriented and flexible.

Originality/value

The study addresses a gap in the information security literature by contributing to the understanding of value conflicts between information security and other organizational values. This study has mapped the occurrence of value conflicts regarding information security among white-collar professionals and shows that the occurrence of value conflicts is associated with work situation, information sensitivity and perceived organizational culture.

Details

Information & Computer Security, vol. 26 no. 2
Type: Research Article
ISSN: 2056-4961

Keywords

Article
Publication date: 24 May 2023

Siqi Hu, Carol Hsu and Zhongyun Zhou

Security education, training and awareness (SETA) programs are the key to addressing “people problems” in information systems (IS) security. Contrary to studies using conventional…

Abstract

Purpose

Security education, training and awareness (SETA) programs are the key to addressing “people problems” in information systems (IS) security. Contrary to studies using conventional methods, the present study leveraged an “event” lens and dimensionalized employees' perceptions into three sub-dimensions: perceived novelty, perceived disruption and perceived criticality. Moreover, this research went a step further by examining how pedagogical and communication approaches to a SETA program affect employees' perceptions of the program. This study then investigated whether – and if so, how – these approaches impact employees' perceptions of the SETA program and their subsequent commitment to it.

Design/methodology/approach

Utilizing a factorial-based scenario survey, this study empirically tested a model of the above relationships via covariance-based structural equation modeling.

Findings

The results of this research showed that pedagogical approaches were more effective than communication approaches and that employees' perceptions of the SETA program accounted for a large variance in their commitment to SETA.

Originality/value

First, this research deepens understanding of the protection of information assets by elaborating on the different approaches that organizations can take to encourage employees' commitment to SETA. Second, the study enriches the SETA literature by theorizing a SETA program as an organizational “event”, which represents a major shift from the conventional approach. Third, the study adds to the theoretical knowledge of the event lens by extending it to the SETA context and investigating the relationship among three event strength components.

Article
Publication date: 15 May 2023

Cynthia K. Riemenschneider, Laurie L. Burney and Saman Bina

With increased remote working, employers are concerned with employees’ commitment and compliance with security procedures. Through the lens of psychological capital, this study…

Abstract

Purpose

With increased remote working, employers are concerned with employees’ commitment and compliance with security procedures. Through the lens of psychological capital, this study aims to investigate whether strong organizational values can improve employees’ commitment to the organization and security behaviors.

Design/methodology/approach

Using Qualtrics platform, the authors conducted an online survey. The survey participants are college-educated, full-time employees. The authors used structural equation modeling to analyze 289 responses.

Findings

The results indicate perceived importance of organizational values is associated with increased organizational commitment and information security behavior. The authors find that psychological capital partially mediates these relations suggesting that employees’ psychological capital effectively directs employees toward an affinity for the organization and information security behavior. The results highlight the importance of organizational values for improving security behavior and organizational commitment. Second, the results suggest that psychological capital is an effective mechanism for this influence. Finally, the authors find that individual differences (gender, organizational level and education) are boundary conditions on their findings, providing a nuanced view of their results and offering opportunities for further investigation.

Originality/value

To the best of the authors’ knowledge, this study is the first to explore organizational values in relation to information security behaviors. In addition, this study investigates the underlying mechanism of this relationship by showing psychological capital’s mediating role in this relationship. Therefore, the authors suggest organizations create a supportive environment that appreciates innovation, quality services, diversity and collaboration. Furthermore, organizations should communicate the importance of these values to their employees to motivate them to have a stronger affective commitment and a more careful set of security behaviors.

Details

Information & Computer Security, vol. 31 no. 2
Type: Research Article
ISSN: 2056-4961

Keywords

Article
Publication date: 10 October 2023

Stefano De Paoli and Jason Johnstone

This paper presents a qualitative study of penetration testing, the practice of attacking information systems to find security vulnerabilities and fixing them. The purpose of this…

Abstract

Purpose

This paper presents a qualitative study of penetration testing, the practice of attacking information systems to find security vulnerabilities and fixing them. The purpose of this paper is to understand whether and to what extent penetration testing can reveal various socio-organisational factors of information security in organisations. In doing so, the paper innovates theory by using Routine Activity Theory together with phenomenology of information systems concepts.

Design/methodology/approach

The articulation of Routine Activity Theory and phenomenology emerged inductively from the data analysis. The data consists of 24 qualitative interviews conducted with penetration testers, analysed with thematic analysis.

Findings

The starting assumption is that penetration testers are akin to offenders in a crime situation, dealing with targets and the absence of capable guardians. A key finding is that penetration testers described their targets as an installed base, highlighting how vulnerabilities, which make a target suitable, often emerge from properties of the existing built digital environments. This includes systems that are forgotten or lack ongoing maintenance. Moreover, penetration testers highlighted that although the testing is often predicated on planned methodologies, often they resort to serendipitous practices such as improvisation.

Originality/value

This paper contributes to theory, showing how Routine Activity Theory and phenomenological concepts can work together in the study of socio-organisational factors of information security. This contribution stems from considering that much research on information security focuses on the internal actions of organisations. The study of penetration testing as a proxy of real attacks allows novel insights into socio-organisational factors of information security in organisations.

Details

Information Technology & People, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0959-3845

Keywords

1 – 10 of 810