29 research outputs found

    Moral Beliefs and Organizational Information Security Policy Compliance: The Role of Gender

    Data breaches are a continuing problem for managers in the digital age. Currently, there is very little guidance available to companies and managers in particular on how to mitigate data breach risks arising due to malicious or negligent insiders. This study examines the factors impacting employees’ intentions to violate an organization’s information systems (IS) security policies, using hypothetical scenarios. Specifically, the research attempts to understand the role of gender on the relationship between moral beliefs, understandability of the security policy, underlying moral issue (necessity vs. metaphor of the ledger), and intentions to violate the security policy. Our results suggest that moral beliefs and understandability of the security policy lower intentions to violate the policy, and do so differently depending upon one’s gender and the underlying moral issue. Data was gathered from 173 students using an online survey tool, and analyzed using multiple regression. We examined regression assumptions and found no major issues. The study has several practical and theoretical implications. The findings suggest that using ethical and gender perspectives provides additional insight into IS security non-compliance issues. The findings could help IS security managers as they develop effectual security policies and devise more effective training programs.

    Information Security Policy Violations in the Work-From-Home Era

    Remote working has become the new normal in modern organizations. This transition has brought various challenges for organizations in terms of their security infrastructure. Insider threats in organizations have been increasing in recent years. This paper proposes various behavioral and situational aspects that can influence employees’ intentions to violate information security policies (ISP) in a remote working environment, including subjective norms, the absence of peer monitoring, and the moderating role of shame. This research also proposes the role of neutralization techniques utilized by employees to rationalize and justify their behavior in the context of policy violations. A conceptual model has been developed, and a pilot study was conducted among 30 participants. This paper contributes to the body of knowledge on ISP compliance in the era of remote working, characterized by behavioral changes of employees.

    How system complexity and organizational culture affect AIS misuse

    The demands for more studies on precarious practices in the AIS environment indicate that employees pose greater threats than outsiders. Addressing internally-bred security pandemonium with external-threat-oriented solutions further complicates the matter. The real issue is obscured rather than solved. Based on the theory of planned behaviour (TPB), organisational culture and complexity of an accounting information system (AIS) were introduced to see how these factors affect employees’ mal-intention when working with an organisation’s AIS. Using the partial-least-squares structural equation modelling (PLS-SEM) approach, it was found that culture and complexity act as pure moderating variables affecting certain forms of predictor-criterion relationship in the TPB model. Within the context of this study, the results explain how culture and system complexity induce or reduce the predictors’ effects on intention to misbehave.

    Interaction Effect of Gender and Neutralization Techniques on Information Security Policy Compliance: An Ethical Perspective

    The study examines the following research question: does gender impact the efficacy of moral beliefs and security policy understandability on security policy compliance intentions differently for various neutralization techniques? The empirical analysis conducted with data gathered from students using hypothetical scenarios suggests that gender does play a role in security policy noncompliance; however, its significance is dependent upon the underlying neutralization technique. The paper provides several novel and important contributions. First, the study is among the first to extend ethical decision making theory by suggesting that moral intensity is a function of neutralization, and of individual factors such as perceived weight, value and one’s gender. Second, and more importantly, the study is among the first to emphasize the interplay between ethics, gender, and neutralization techniques, as different ethical perspectives appeal differently to females than to males. The study has several important managerial implications as well.

    Anger or Fear? Effects of Discrete Emotions on Deviant Security Behavior

    Deterrence theory has received considerable attention in recent years. However, scholars have begun to call for research beyond the deterrence approach on security behaviors, and argue that the theory of emotion should not be omitted from information systems security decision making [15, 81]. In this research, we examine and distinguish the effects of anger and fear on perceived costs of sanctions and deviant security behavior. A research model is developed based on deterrence theory and the cognitive appraisal theory of emotion. We propose to design a scenario of introducing a new security monitoring system, to analyze the interplay of anger, fear, perceived certainty, perceived severity of sanctions and deviant security behavior. The results will have important implications for comprehensively understanding employees’ deviant security behavior.

    A unified classification model to insider threats to information security

    Prior work on insider threat classification has adopted a range of definitions, constructs, and terminology, making it challenging to compare studies. We address this issue by introducing a unified insider threat classification model built through a comprehensive and systematic review of prior work. An insider threat can be challenging to predict, as insiders may utilise motivation, creativity, and ingenuity. Understanding the different types of threats to information security (and cybersecurity) is crucial, as it helps organisations develop the right preventive strategies. This paper presents a thematic analysis of the literature on the types of insider threats to cybersecurity to provide cohesive definitions and consistent terminology of insider threats. We demonstrate that the insider threat exists on a continuum of accidental, negligent, mischievous, and malicious behaviour. The proposed insider threat classification can help organisations to identify, implement, and contribute towards improving their cybersecurity strategies.

    Contextualising the Insider Threat: A Mixed Method Study

    The insider threat is potentially the most damaging and costly threat to organisations, and while there is a considerable body of literature aimed at understanding this phenomenon, we contend that the theories contained in such literature are most beneficial if they can be utilised in a way that is contextually relevant. Our research, and this paper, is specifically focussed on developing and improving this contextual validity. We find that malicious acts arising from disgruntlement are perceived as very real problems in practice. We also present a current list of non-malicious aberrant behaviours and show how they rank in relative seriousness to one another. Given that the primary motivation for conducting this study is the view that reliance on the traditional conceptualisation of a boundary or perimeter is no longer viable, our essential contribution lies in devising a series of vignettes that empirically reflect this current contextual validity.

    Deterrence in Cyberspace: An Interdisciplinary Review of the Empirical Literature

    The popularity of the deterrence perspective across multiple scientific disciplines has sparked a lively debate regarding its relevance in influencing both offenders and targets in cyberspace. Unfortunately, due to the invisible borders between academic disciplines, most of the published literature on deterrence in cyberspace is confined within individual scientific disciplines. This chapter therefore provides an interdisciplinary review of the issue of deterrence in cyberspace. It begins with a short overview of the deterrence perspective, presenting the ongoing debates concerning the relevance of deterrence pillars in influencing cybercriminals’ and cyberattackers’ operations in cyberspace. It then reviews the existing scientific evidence assessing various aspects of deterrence in the context of several disciplines: criminology, law, information systems, and political science. This chapter ends with a few policy implications and proposed directions for future interdisciplinary academic research.