Effects of Organization Insiders' Self-Control and Relevant Knowledge on Participation in Information Systems Security Deviant Behavior: [Best Paper Nominee]

Disastrous consequences tend to befall organizations whose employees participate in information systems security deviant behavior (ISSDB) (e.g., connecting computers to the Internet through an insecure wireless network and opening emails from unverified senders). Although organizations recognize that ISSDB poses a serious problem, understanding what motivates its occurrence continues to be a key concern. While studies on information technology (IT) misuse abounds, research specifically focusing on the drivers of ISSDB remains scant in the literature. Using self-control theory, augmented with knowledge of relevant factors, this study examined the effects of employees' self-control, knowledge of computers/IT, and information systems (IS) security threats and risks on participation in ISSDB. A research model, including the aforementioned factors, was proposed and tested using the partial least squares technique. Data was collected from a survey of Canadian professionals. The results show that low self-control and lower levels of knowledge of computers/IT are related to employees' involvement in ISSDB. The data did not provide a meaningful relationship between employees' knowledge of IS security threats/risks and desire to participate in ISSDB.

[1]  Catherine E. Connelly,et al.  Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model , 2011, J. Manag. Inf. Syst..

[2]  Michael E. Whitman,et al.  In defense of the realm: understanding the threats to information security , 2004, Int. J. Inf. Manag..

[3]  Lori N. K. Leonard,et al.  What influences IT ethical behavior intentions - planned behavior, reasoned action, perceived importance, or individual characteristics? , 2004, Inf. Manag..

[4]  Wynne W. Chin Issues and Opinion on Structural Equation Modeling by , 2009 .

[5]  Lixuan Zhang,et al.  Examining Digital Piracy: Self-Control, Punishment, and Self-Efficacy , 2009, Inf. Resour. Manag. J..

[6]  George E. Higgins Digital Piracy, Self-Control Theory, and Rational Choice: An Examination of the Role of Value , 2007 .

[7]  Terrance Weatherbee Counterproductive use of technology at work: Information & communications technologies and cyberdeviancy , 2010 .

[8]  Scott B. MacKenzie,et al.  Common method biases in behavioral research: a critical review of the literature and recommended remedies. , 2003, The Journal of applied psychology.

[9]  Younghwa Lee,et al.  Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software , 2009, Eur. J. Inf. Syst..

[10]  Ken H. Guo Security-related behavior in using information systems in the workplace: A review and synthesis , 2013, Comput. Secur..

[11]  Princely Ifinedo,et al.  Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory , 2012, Comput. Secur..

[12]  Jan Guynes Clark,et al.  Why there aren't more information security research studies , 2004, Inf. Manag..

[13]  Harold G. Grasmick,et al.  Testing the Core Empirical Implications of Gottfredson and Hirschi's General Theory of Crime , 1993 .

[14]  Patrick Y. K. Chau,et al.  Development and validation of instruments of information security deviant behavior , 2014, Decis. Support Syst..

[15]  Laurie J. Kirsch,et al.  If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security , 2009, Eur. J. Inf. Syst..

[16]  Marianne Junger,et al.  An Empirical Test of a General Theory of Crime: A Four-Nation Comparative Study of Self-Control and the Prediction of Deviance , 2001 .

[17]  R. Frank Falk,et al.  A Primer for Soft Modeling , 1992 .

[18]  Peter M. Yellowlees,et al.  Problematic Internet use or Internet addiction? , 2007, Comput. Hum. Behav..

[19]  Mikko T. Siponen,et al.  Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations , 2010, MIS Q..

[20]  Claudia van Oppen,et al.  USING PLS PATH MODELING FOR ASSESSING HIERARCHICAL CONSTRUCT MODELS : GUIDELINES AND EMPIRICAL , 2022 .

[21]  Princely Ifinedo,et al.  Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition , 2014, Inf. Manag..

[22]  Michel Tenenhaus,et al.  PLS path modeling , 2005, Comput. Stat. Data Anal..

[23]  Scott B. MacKenzie,et al.  Construct Measurement and Validation Procedures in MIS and Behavioral Research: Integrating New and Existing Techniques , 2011, MIS Q..

[24]  P. Ackerman,et al.  Assessing individual differences in knowledge: Knowledge, intelligence, and related traits. , 1999 .

[25]  AttewellPaul Technology Diffusion and Organizational Learning , 1992 .

[26]  Tejaswini Herath,et al.  Understanding Employee Responses to Stressful Information Security Requirements: A Coping Perspective , 2014, J. Manag. Inf. Syst..

[27]  Princely Ifinedo,et al.  Effects of Organizational Citizenship Behavior and Social Cognitive Factors on Employees' Non-Malicious Counterproductive Computer Security Behaviors: An Empirical Analysis , 2015, CONF-IRM.

[28]  Stephanie D. Hight The importance of a security , education , training and awareness program ( November 2005 ) , 2005 .

[29]  Jeffrey M. Stanton,et al.  Analysis of end user security behaviors , 2005, Comput. Secur..

[30]  Lori N. K. Leonard,et al.  Illegal, Inappropriate, And Unethical Behavior In An Information Technology Context: A Study To Explain Influences , 2001, J. Assoc. Inf. Syst..

[31]  Tom L. Roberts,et al.  Insiders' Protection of Organizational Information Assets: Development of a Systematics-Based Taxonomy and Theory of Diversity for Protection-Motivated Behaviors , 2013, MIS Q..

[32]  T. Pratt,et al.  THE EMPIRICAL STATUS OF GOTTFREDSON AND HIRSCHI'S GENERAL THEORY OF CRIME: A META‐ANALYSIS , 2000 .

[33]  Zhen Shen,et al.  The effects and moderators of cyber-loafing controls: an empirical study of Chinese public servants , 2013, Information Technology and Management.

[34]  Yixin Zhang,et al.  Age, gender, and Internet attitudes among employees in the business world , 2005, Comput. Hum. Behav..

[35]  Linda Little,et al.  Unpacking Security Policy Compliance: The Motivators and Barriers of Employees' Security Behaviors , 2015, SOUPS.

[36]  Sarv Devaraj,et al.  Employee Misuse of Information Technology Resources: Testing a Contemporary Deterrence Model , 2012, Decis. Sci..

[37]  Houston H. Carr,et al.  Threats to Information Systems: Today's Reality, Yesterday's Understanding , 1992, MIS Q..

[38]  Jungwoo Lee,et al.  Measures of perceived end-user computing skills , 2003, Inf. Manag..

[39]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[40]  R. Baumeister,et al.  High self-control predicts good adjustment, less pathology, better grades, and interpersonal success. , 2004, Journal of personality.

[41]  Princely Ifinedo,et al.  Internal IT Knowledge and Expertise as Antecedents of ERP System Effectiveness: An Empirical Investigation , 2011, J. Organ. Comput. Electron. Commer..

[42]  Catherine D. Marcum,et al.  Digital Piracy: An Examination of Three Measurements of Self-Control , 2008 .

[43]  Merrill Warkentin,et al.  Beyond Deterrence: An Expanded View of Employee Computer Abuse , 2013, MIS Q..

[44]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[45]  Michael R. Gottfredson,et al.  A general theory of crime. , 1992 .

[46]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[47]  Velmer S. Burton,et al.  Age, self-control, and adults' offending behaviors: A research note assessing A general theory of crime , 1999 .

[48]  Ben Shneiderman,et al.  Severity and impact of computer user frustration: A comparison of student and workplace users , 2006, Interact. Comput..

[49]  P. Attewell Technology Diffusion and Organizational Learning: The Case of Business Computing , 1992 .

[50]  S. Turner,et al.  Self-Control and Criminal Opportunity , 1998 .

[51]  Rabelani Dagada,et al.  The Impact of Information Security Awareness Training on Information Security Behaviour: The Case for Further Research , 2009, ISSA.

[52]  Qing Hu,et al.  The Role of Self-Control in Information Security Violations: Insights from a Cognitive Neuroscience Perspective , 2015, J. Manag. Inf. Syst..

[53]  Ned Kock,et al.  Advanced Mediating Effects Tests, Multi-Group Analyses, and Measurement Model Assessments in PLS-Based SEM , 2014, Int. J. e Collab..