Information Security Policy Compliance: An Empirical Study of Ethical Ideology

Information security policy (ISP) compliance is one of the key concerns facing organizations today. Although technical and procedural measures help improve information security, there is an increased need to accommodate human, social and organizational factors. Despite the plethora of studies that attempt to identify the factors that motivate compliance behavior or discourage abuse and misuse behaviors, there is a lack of studies that investigate the role of ethical ideology per se in explaining compliance behavior. The purpose of this research is to investigate the role of ethics in explaining ISP compliance. To that end, a model that integrates behavioral and ethical theoretical perspectives is developed and tested. Overall, the analyses indicate strong support for the validity of the proposed theoretical model.
