The Role of Self-Control in Information Security Violations: Insights from a Cognitive Neuroscience Perspective

Abstract

Self-control has been identified as a major factor influencing individual behavior in the social science, neuroscience, criminology, and information security literatures. In this study, we first developed and validated a novel paradigm suitable for use with event-related potentials (ERPs) in scenario-based laboratory experiments of decision making in the context of information security. We then used this paradigm to examine the association between individual differences in self-control and ERPs elicited while individuals deliberated over violations of information security policies. Our results show that the left and right hemispheres of the brain were involved in decision making, and that the participants with low self-control had lower levels of neural recruitment in both hemispheres relative to those with high self-control. This was especially the case for regions in or near the dorsal lateral prefrontal cortex (DLPFC) and inferior frontal cortex (IFC). These results extend the findings in the neuroscience literature related to the role of self-control in decision making in general, and validate a new paradigm for use with the electroencephalography/event-related potentials (EEG/ERP) technique to examine theoretical questions in information security and criminology research.
