625 research outputs found

    Three Essays on Managing Information Security Using the Fraud Triangle

    Managing information security has increasingly become more important as information security breaches, computer fraud, and other devastating events are increasingly more frequent and disrupting business processes. Information is one of the most important enterprise assets. Therefore, information is valuable and should be properly protected. Accounting employees are tasked with specific responsibilities of information risk management. Therefore, ineffectively managing accountants may result in countless problems for the company, not the least of which are reputational problems, loss of stock value, material financial reporting errors, and financial losses. In Essay 1, I examine the elements of the fraud triangle and the impact to specific information security policy violations of copying sensitive financial information. In Essay 2, I find the unexpected effects of implementing higher demands on accountants. In Essay 3, I explore a deeper dimension of the accountant’s internal justification when considering a violation in information security policies. This dissertation considers the challenges of managing the human aspect especially the role of accountants in information security. Security techniques and management tools have caught the attention from both academia and practitioners. This dissertation examines the fraud triangle as a theoretical framework for information security risk management among accountants. In the three essays, I attempt to integrate security policy theory, management system theory, the fraud triangle, and moral disengagement theory to provide a deeper understanding of information security management. The findings carry implications not only for future research on security violation behaviors, but also for continuation of broadening the theoretical foundation of the fraud triangle for further empirical research and application

    Assessing and mitigating the impact of organisational change on counterproductive work behaviour: An operational (dis)trust based framework.:Full Report

    This report comprises the findings of CREST funded research into organisational change and insider threat. It outlines the individual, social and organisational factors that over time, can contribute to negative employee perceptions and experiences. These factors can produce a reduction in an employee’s psychological attachment to, and trust in, their employing organisation which then allows them to undertake Counterproductive Work Behaviour (CWB). CWB concerns action which threatens the effectiveness, or harms the safety of, an employer and its stakeholders. It can develop from small scale discretions (e.g., time wasting, or knowledge hiding) into serious insider threat activities (e.g., destroying systems or exchanging confidential information with malicious others). Following past research linking CWB to both organisational change and trust breach, the aim of the study was to produce a (dis)trust based framework for predicting, identifying and mitigating counterproductive work behaviour and insider threat within the context of organisational change. We posed the following research questions: 1. What effect does organisational change have in relation to counterproductive work behaviour (CWB) and insider threat acts? 2. What role does (dis)trust play in CWB during organisational change? 3. What preventative measures can be taken by organisations to help mitigate CWB and insider threat in organisational change initiatives? To address these questions, we collected empirical data from a case study organisation undergoing change: two sets of interviews, i.) with selected managers and staff outlining the key changes in the organisation, ii.) with a range of stakeholders involved in/privy to one of three insider threat case studies in two different departments, iii.) a review of HR and security paperwork on the insider threat cases, and then, iv.) anonymous surveys of the workforce in the same two departments in which our case studies occurred.
    Using these methods, we explored individuals’ cognitions and emotions to understand why while some employees remain engaged, loyal and trusting during change, others become disengaged, distrusting and behave in deviant ways

    Peers matter: The moderating role of social influence on information security policy compliance

    Information security in an organization largely depends on employee compliance with information security policy (ISP). Previous studies have mainly explored the effects of command-and-control and self-regulatory approaches on employee ISP compliance. However, how social influence at both individual and organizational levels impacts the effectiveness of these two approaches has not been adequately explored. This study proposes a social contingency model in which a rules-oriented ethical climate (employee perception of a rules-adherence environment) at the organizational level and susceptibility to interpersonal influence (employees observing common practices via peer interactions) at the individual level interact with both command-and-control and self-regulatory approaches to affect ISP compliance. Using employee survey data, we found that these two social influence factors weaken the effects of both command-and-control and self-regulatory approaches on ISP compliance. Theoretical and practical implications are also discussed

    Understanding the Roles of Challenge Security Demands, Psychological Resources in Information Security Policy Noncompliance

    It is widely agreed that employees’ noncompliance with information security policies (ISP) is still a major problem for organizations. In order to understand the factors that reduce employees’ ISP noncompliance, previous studies have focused on stressful security demands that consequently aggravate noncompliance, and tangible job resources to promote compliance. However, how security demands encourage employees to comply and how intangible resources affect employees’ ISP noncompliance have been largely overlooked. In this study, we posit and argue that challenge security demands and intangible psychological resources can help promote employees’ ISP compliance. Drawing on the Job Demands-Resources Model and the theory of psychological resource, we specifically examine the roles of continuity demand, mandatory demand as challenge security demands, and felt trust, professional development and personal resource as psychological resources in influencing employees’ ISP noncompliance. The proposed model is validated by survey data from 224 employees. The theoretical and practical contributions are also discussed

    Orientation and Social Influences Matter: Revisiting Neutralization Tendencies in Information Systems Security Violation

    It is estimated that over half of all information systems security breaches are due directly or indirectly to the poor security practices of an organization’s employees. Previous research has shown neutralization techniques as having influence on the intent to violate information security policy. In this study, we proposed an expansion of the neutralization model by including the effects of business and ethical orientation of individuals on their tendencies to neutralize and compromise with information security policy. Additionally, constructs from social influences and pressures have been integrated into this model to measure the impact on the intent to violate information security policy from social perspectives. This study is a quantitative study that used a survey methodology for data collection. A stratified sampling method was used to ensure equal representation in the population. A sample of members was collected using a random sampling procedure from each stratum. All data were collected by sending a survey link via email through SurveyMonkey’s participant outreach program to the aforementioned groups. Partial least squares were used for data analysis. Findings showed business and ethical orientation had a negative impact on accepting neutralization techniques which ultimately result in the intent to violate information security policy. Furthermore, this research found neutralization, social influences, and social pressures as having 24 percent of influence to violate information security policy. Business orientation and ethical orientation contributed to 15 percent of influence in variance on employees accepting neutralization techniques. Implications of this research suggest information security policies can be compromised by employees and additional measures are needed. Behavioral analytics may provide an understanding of how employees act and why. 
    Routine training is necessary to help minimize risks, and a healthy security culture will promote information security as a focal point to the organization

    Exploring the role of moral disengagement and counterproductive work behaviours in information security awareness

    As security breaches in organisations are on the rise, developing an understanding of factors enabling and preventing such breaches is crucial. Even though previous studies have examined organisational aspects of information security, not much focus has been placed on human factors. In the present work we examined the tendency to morally disengage (MD), information security awareness (ISA), and counterproductive work behaviours (CWB), in a sample of 718 employees who used computers on daily basis, in order to establish predictors of CWB and the behavioural outcomes of ISA. The results showed that the propensity to morally disengage plays an important role in ISA, particularly the aspect of diffusion of responsibility. Secondly, ISA knowledge and ISA attitude, as expected, were part of a mediating mechanism underlying the relationship between MD and ISA behaviours, as well as MD and CWB. This demonstrates that ISA and CWB constructs overlap to a certain degree, and thus affecting one, should have effects also on the other. Targeted interventions need to consider ways of improving ISA knowledge and attitudes, as well as employees’ sense of responsibility for the information they work with

    Human factors in information leakage: mitigation strategies for information sharing integrity

    Purpose: The purpose of this paper is to explore the human factors triggering information leakage and investigate how companies mitigate insider threat for information sharing integrity. Design/methodology/approach: The methodology employed is multiple case studies approach with in-depth interviews with five Multinational Enterprises/Multinational Corporations. Findings: The findings reveal that information leakage can be approached with human governance mechanism such as organizational ethical climate and information security culture. Besides, higher frequency of leakages negatively affects information sharing integrity. Moreover, this paper also contributes to a research framework which could be a guide to overcome information leakage issue in information sharing. Research limitations/implications: The current study involved MNC/MNEs operating in Malaysia while companies in other countries may have different ethical climate and information sharing culture. Thus, for future research, it will be good to replicate the study in a larger geographic region to verify the findings and insights of this research. Practical implications: This research contributes to the industry and business that are striving towards solving the mounting problem of information leakage by raising awareness of human factors and to take appropriate mitigating governance strategies to preempt information leakage. This paper also contributes to a novel theoretical model that characterizes the iniquities of humans in sharing information, and suggests measures which could be a guide to avert disruptive leakages. Originality/value: This paper is likely an unprecedented research in moulding human governance in the domain of information sharing and its Achilles' heel which is information leakage

    Impact of Leadership Style on Moral Conduct in the Ghana Air Force

    The conduct of personnel in the military is important in maintaining professionalism. The traditional hierarchical level of interactions in the military environment imposes on commanders a critical role to balance their authority in shaping the attitudes of subordinates to achieve objectives. This study was conducted to address the lack of awareness of how commanders’ leadership styles influence the moral conduct of personnel in the Ghana Air Force. The theoretical framework for this study was Bass and Avolio’s full range leadership model. The research question focused on subordinates’ perceptions of operational commanders’ leadership on subordinates’ moral conduct. This non-experimental correlational design used convenience sampling with Bass and Avolio’s multifactor leadership questionnaire and Moore et al.’s eight-item scale on moral disengagement. An online questionnaire was used to collect data from 147 officers and noncommissioned officers below the rank of squadron leader from a selected Ghana Air Force base. Data were analyzed using linear regression and multivariate analysis of variance. The results indicated a significant correlation between leadership styles and conduct with no significant difference in the interaction between gender and rank status on leadership style and moral conduct. The findings of this study have potential implications for positive social change that include the opportunity to improve leadership practices in the Ghana Air Force and other state institutions

    An Empirical Examination of the Impact of Organizational Injustice and Negative Affect on Attitude and Non-Compliance with Information Security Policy

    Employees’ non-compliance with Information Security (IS) policies is an important socio-organizational issue that represents a serious threat to the effective management of information security programs in organizations. Prior studies have demonstrated that information security policy (ISP) violation in the workplace is a common significant problem in organizations. Some of these studies have earmarked the importance of this problem by drawing upon cognitive processes to explain compliance with information security policies, while others have focused solely on factors related to non-compliance behavior, one of which is affect. Despite the findings from these studies, there is a dearth of extant literature that integrates both affective and cognitive theories that shed light on a more holistic understanding of information security non-compliance behaviors. This research developed a theoretical model of the relationship between negative affect and cognitive processes and their influence on employees’ ISP non-compliance at the workplace. Cognitive processes provide a significant foundation in understanding why employees show non-compliance behavior with ISPs and rules at the workplace. However, they do not completely explain the motivations behind the deviant employee’s non-compliance behavior. This research examined how the relationships between organizational injustice frameworks and negative affect influence attitude, which, in turn, influences behaviors that can be used to understand ISP non-compliance. Extant literature has explored theories like neutralization, deterrence, theory of planned behavior, rational choice theory, affective events theory, and work-related events as an outcome of neutralization, and organizational injustice, to explain cognitive reactions. The research model was empirically tested using the data collected from 115 participants who participated in a scenario-based survey. 
    The results showed that negative affect has a significantly positive impact on employees’ attitude and ISP non-compliance behavior. Distributive, informational and interpersonal injustices were also found to influence ISP non-compliance in a significant but negative direction. The study contributes to both theory for IS research and practice for organizational management of security policies

    The Disclosure of Organizational Secrets by Employees

    Organizational secrets enable firms to protect their unique stocks of knowledge, reduce the imitability of their capabilities and achieve sustained competitive advantages (Hannah, 2005). In today’s business environments, the loss of valuable proprietary organizational knowledge due to intentional employee disclosure represents a substantial threat to firm competitiveness. Anecdotal evidence suggests that firms in the United States lose more than $250 billion of intellectual property every year, with intentional employee disclosure accounting for a significant portion of these losses (Dandliker, 2012; Heffernan & Swartwood, 1993). Thus, understanding factors that influence such intentional secret disclosure is a key concern, especially in knowledge-intensive industries. While prior research has primarily focused on the disclosure of personal secrets, family secrets or ‘dark’ organizational secrets, very few studies have examined the disclosure of value-creating organizational secrets – i.e., strategic secrets that encapsulate knowledge about a firm’s plans from competitors and Social secrets that create valued identity categorizations within organizations (Goffman, 1959). This dissertation begins to address this gap in the literature by putting forth a person-situation interaction model of secret disclosure. Specifically, drawing on the resource-based view of the firm and Social identity theory, it explores how certain characteristics of value-creating organizational secrets (e.g., market value of knowledge and Social value of concealment) may interact with certain individual-level variables (e.g., moral identity and need for status) to influence employees’ secret disclosure intent. 
    Using scenario-based surveys of undergraduate and EMBA students and a cross-sectional sample of working adults in the United States, this dissertation finds evidence for the key proposition that employees’ perceptions of market value of knowledge and Social value of concealment shape their secret disclosure intentions. Individual-level factors like moral identity and organizational disidentification were also found to play important roles in the disclosure of organizational secrets. This dissertation contributes to the emerging field of organizational secrecy by integrating key informational and Social perspectives to address concerns regarding secret protection in organizations