6 research outputs found

    Revisiting neutralization theory and its underlying assumptions to inspire future information security research

    Over two decades ago, neutralization theory was introduced to information systems research from the field of criminology and is currently emerging as an influential foundation both to explain and to solve the information security policy noncompliance problem. Much of what we know about the theory focuses exclusively on the neutralization techniques identified in the original as well as subsequent criminological writings. What is often left unexamined in IS research is the set of underlying assumptions about the theory’s core elements: assumptions about the actor, the act, the normative system, and the nature of neutralizing itself. The objective of this commentary is to revisit the origin of neutralization theory to identify its core assumptions and to lay a foundation for future IS research inspired by these assumptions. This paper points to five core assumptions: (1) the actor is an early-stage offender; (2) the act is shameful; (3) neutralizing precedes and facilitates deviance; (4) normative rules are disputable; and (5) specific neutralization techniques are more relevant to specific violations. Ignoring these underlying assumptions could lead to a situation where we make unfounded claims about the theory or provide practitioners with harmful, rather than helpful, guidance.

    Improving fault prevention with proactive root cause analysis (PRORCA method)

    Measures taken to prevent faults from slipping through to operation can secure the development of highly reliable software systems. One such measure is analyzing the root causes of recurring faults and preventing them from ever appearing again. The PRORCA method was developed to provide a proactive, lightweight and flexible way of preventing faults. To this end, the PRORCA method relies on expert knowledge of the development context and development practices to identify individuals’ erratic behaviors that can contribute to faults slipping through to operation. The method was developed according to the teachings of design science research. Three expert interviews with representatives of a case company supported the development of PRORCA. The first interview helped with problem identification and solution generation, while the other two interviews were carried out to demonstrate the use of the PRORCA method in two different projects. Using PRORCA proved easy, and insightful findings about individuals’ erratic behavior in each project were drawn from conducting it. Proactive analysis of faults using the PRORCA method supports the development of highly reliable software systems in a simple, flexible and resource-friendly manner.

    Disentangling a complicated relationship: information technology and consideration of harm in information security

    Information Systems Security (ISS) risks have the capacity to harm others; thus, behaviors carrying such risks may raise moral concerns. Existing research shows that users’ moral considerations could play an inhibitory role, discouraging users from engaging in activities that undermine ISS. However, information technology (IT) may make it difficult for users to understand and perceive the moral implications of their ISS decisions. If such difficulties distract or confuse users regarding the potential harm and the ways to prevent it, moral considerations may not play the inhibitory role that previous ISS research has reported. Therefore, examining the role of IT characteristics in users’ moral considerations is necessary. With this in mind, this dissertation aims to conceptualize and examine the potential means via which IT characteristics could introduce challenges to users’ moral considerations. It achieves this through a literature review and a conceptualization of the role of IT characteristics in the moral considerations of ISS, followed by an empirical study. The empirical examination concerns the process whereby individuals become aware of the potential harmful consequences of their actions for the welfare of others and realize that a decision-making situation is morally relevant. This process is called moral sensitivity and involves recognition of the parties involved, the potential consequences for those involved and the possible courses of action in a given situation. By examining moral sensitivity, several IT characteristics are unearthed, perceptions of which could be linked with the recognition of harm and users’ emotional engagement in ISS decisions. In doing so, this dissertation contributes to disentangling the links between users’ understanding of harm, their perceptions of IT characteristics, and their affective experiences in ISS decisions.
    Keywords: information security, moral sensitivity, IT characteristics
    Finnish abstract, translated: Risks related to information systems security can harm others; consequently, behavior carrying such risks may raise moral concerns. Existing studies show that users’ moral considerations can play an inhibitory role, discouraging users from engaging in activities that undermine information systems security. Information technology may, however, make it difficult for users to understand and perceive the moral implications of their information systems security decisions. If such difficulties distract or confuse users about the potential harms and the ways of preventing such harm, moral considerations may not play the inhibitory role that previous information systems security research has reported. It is therefore necessary to examine the role of IT characteristics in users’ moral considerations. To this end, the aim of this dissertation is to conceptualize and investigate the possible ways in which IT characteristics may pose challenges to users’ moral considerations. It achieves this through a literature review and a conceptualization of the role of IT characteristics in the moral considerations of information systems security. This is followed by an empirical study. The empirical examination concerns the process in which individuals become aware of the potential harmful consequences of their actions for the well-being of others and understand that a decision-making situation is morally relevant. This process is called moral sensitivity, and it includes identifying the parties involved, the possible consequences for those involved, and the possible courses of action in the situation. By studying moral sensitivity, several IT characteristics are unearthed, perceptions of which may be linked to the recognition of harm and users’ emotional engagement in information systems security decisions. In doing so, this dissertation contributes to disentangling the links between users’ understanding of harm, their perceptions of IT characteristics, and their affective experiences in information systems security decisions.
    Keywords (Finnish abstract): information systems security, morality, IT characteristics

    New Insights into the Justifiability of Organizational Information Security Policy Noncompliance : A Case Study

    Information security policies, as the apparatus for communicating security principles to employees, are the cornerstone of organizational information security. Consequently, the extant literature has drawn on different theories to better understand the noncompliance problem. Neutralization theory is emerging as one of the most popular approaches, not only as an explanation but also as a solution. In this in-depth qualitative study, we ask the question ‘How do employees justify violating the ISP?’ Our findings reveal nine rationalizing techniques, three of which have not been recognized in previous research. We label them ‘I follow my own rules’, ‘matter of mere legality’ and ‘defense of uniqueness’. More importantly, our in-depth insights point to the danger of taking these rationalizations out of context, since without context it becomes impossible to judge whether the behavior or the rule needs correcting; this reflects a dilemma recognized in the original writing on neutralization theory which has since been forgotten.

    Moral sensitivity in information security dilemmas

    Activities that undermine information security, such as noncompliance with information security policies, raise moral concerns since they can expose valuable information assets. Existing research shows that moral reflection could play an inhibitory role in one’s decision to undermine information security. However, it is not clear whether users interpret such decisions from a moral standpoint and so engage in moral reflection in the first place. Users have to be morally sensitive before they engage in moral reflection. Moral sensitivity involves perceiving a situation as morally relevant, identifying the parties involved and perceiving the possible courses of action. We examine moral sensitivity in security dilemmas in a Finnish university setting. We develop audio recordings of conversations about two policy compliance scenarios, each involving moral concerns. After playing these recordings to participants, we pose probing questions to examine their moral sensitivity. Our preliminary results indicate that users may not be sensitive to the moral concerns raised by security dilemmas. Based on our findings, we suggest that security education programs provide users with information about those affected by security decisions, the IT capabilities in an organization and the possible consequences of different courses of action, rather than directives about morally right or wrong behavior.

    A Root Cause Analysis Method for Preventing Erratic Behavior in Software Development: PEBA

    Measures taken to prevent faults from being introduced or going undetected can secure the development of highly reliable software systems. One such measure is analyzing the root causes of recurring faults and preventing them from appearing again. Previous methods developed for this purpose have been reactive in nature and have relied heavily on the fault reporting mechanisms of organizations. Additionally, previous efforts lack a defined mechanism for devising corrective actions. In this study, we strive to complement the existing methods by introducing a proactive and qualitative method that does not rely on fault data. During the course of the research, in addition to an extensive literature search, an empirical field study is conducted with representatives of companies active in safety-critical and business-critical domains. Our proposed method relies on identifying mismatches between development practices and the development context in order to predict erratic behaviors. Corrective actions in this method are devised by resolving these mismatches. The use of the method is demonstrated in two safety-critical projects. The proposed method is evaluated by two experts with respect to proactivity, resource intensity and effectiveness.