Critical impact of organizational and individual inertia in explaining non-compliant security behavior in the Shadow IT context

Abstract

Shadow IT refers to the use of information technology (IT) solutions and systems without prior explicit organizational approval. In this research, we investigated the important role of organizational and individual inertia in explaining non-compliant security behavior in the Shadow IT context. Using the theory of organizational and individual inertia and the status quo framework as theoretical lenses, we sought to explain the factors that form an individual's cognitive-based inertia. Our study offers important insights into how inertia shapes and drives cognitive-based inertia, which in turn drives the behavioral intention to continue using Shadow IT. We suggest several new insights for theory and practitioners on how to better address the Shadow IT phenomenon, with the objective that organizations become more agile, productive and efficient while at the same time being more compliant with information security policy requirements.
