Security Policy Opt-in Decisions in Bring-Your-Own-Device (BYOD) – A Persuasion and Cognitive Elaboration Perspective

ABSTRACT Bring-Your-Own-Device (BYOD) has gained increased popularity in organizations but may engender information security concerns. To address these concerns, employees are expected to opt in to and comply with the organizational BYOD security policy. This study investigates the factors that affect employees’ opt-in decisions regarding BYOD security policy. Drawing on the theoretical lenses of persuasion and cognitive elaboration, we propose that employees’ cognitive elaborations of BYOD security policy could be affected by three factors: the valence of the justification of the BYOD security policy, the stringency of BYOD security measures, and the sequence in which the BYOD security policy is introduced relative to employees’ use of personal devices to perform organizational tasks. Such cognitive elaborations would in turn affect opt-in decisions. We conducted an experimental survey to test our propositions. The results indicate that positive BYOD security policy justification framing and post-task security policy exposure would lead to more positive cognitive elaboration, decision to opt in, and compliance with the BYOD security policy. This research has significant implications for security management with respect to the design and implementation of BYOD security policy within an organization according to the nature of security policy and the task requirements.
