Increasing Accountability Through User-Interface Design Artifacts: A New Approach to Addressing the Problem of Access-Policy Violations

Access-policy violations are a growing problem with substantial costs for organizations. Although training programs and sanctions have been suggested as a means of reducing these violations, evidence shows the problem persists. It is thus imperative to identify additional ways to reduce access-policy violations, especially for systems providing broad access to data. We use accountability theory to develop four user-interface (UI) design artifacts that raise users' accountability perceptions within systems and in turn decrease access-policy violations. To test our model, we uniquely applied the scenario-based factorial survey method to various graphical manipulations of a records system containing sensitive information at a large organization with over 300 end users who use the system daily. We show that the UI design artifacts corresponding to four submanipulations of accountability can raise accountability and reduce access policy violation intentions. Our findings have several theoretical and practical implications for increasing accountability using UI design. Moreover, we are the first to extend the scenario-based factorial survey method to test design artifacts. This method provides the ability to use more design manipulations and to test with fewer users than is required in traditional experimentation and research on human--computer interaction. We also provide bootstrapping tests of mediation and moderation and demonstrate how to analyze fixed and random effects within the factorial survey method optimally.

[1]  Paul Benjamin Lowry,et al.  Proposing the control‐reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies , 2015, Inf. Syst. J..

[2]  P. Tetlock,et al.  Social and cognitive strategies for coping with accountability: conformity, complexity, and bolstering. , 1989, Journal of personality and social psychology.

[3]  Dennis F. Galletta,et al.  A model of end-user computing policy: Context, process, content and compliance , 1992, Inf. Manag..

[4]  P. Shrout,et al.  Mediation in experimental and nonexperimental studies: new procedures and recommendations. , 2002, Psychological methods.

[5]  R. Paternoster,et al.  Sanction threats and appeals to morality : Testing a rational choice model of corporate crime , 1996 .

[6]  David W. Wilson,et al.  A Picture is Worth a Thousand Words: Source Credibility Theory Applied to Logo and Website Design for Heightened Credibility and Consumer Trust , 2014, Int. J. Hum. Comput. Interact..

[7]  Surinder S. Kahai,et al.  Anonymity and Counter-Normative Arguments in Computer-Mediated Discussions , 2009 .

[8]  John Paul Wright,et al.  Taking Stock: The Status of Criminological Theory-Advances in Criminological Theory , 2005 .

[9]  J. Walther Interpersonal Effects in Computer-Mediated Interaction , 1992 .

[10]  David P. MacKinnon,et al.  Current Directions in Mediation Analysis , 2009, Current directions in psychological science.

[11]  Constantine Sedikides,et al.  Accountability as a deterrent to self-enhancement: the search for mechanisms. , 2002, Journal of personality and social psychology.

[12]  Dennis F. Galletta,et al.  The Drivers in the Use of Online Whistle-Blowing Reporting Systems , 2013, J. Manag. Inf. Syst..

[13]  Detmar W. Straub,et al.  Examining Trust in Information Technology Artifacts: The Effects of System Quality and Culture , 2008, J. Manag. Inf. Syst..

[14]  Lesya M. Hassall,et al.  An Examination of a Theory of Embodied Social Presence in Virtual Worlds , 2011, Decis. Sci..

[15]  John Karat,et al.  Privacy in information technology: Designing to enable privacy policy management in organizations , 2005, Int. J. Hum. Comput. Stud..

[16]  S. Robinson Trust and Breach of the Psychological Contract , 1996 .

[17]  B. Nijstad,et al.  Motivated information processing and group decision-making: Effects of process accountability on information processing and decision quality☆ , 2007 .

[18]  Alain Pinsonneault,et al.  Research Note. The Illusion of Electronic Brainstorming Productivity: Theoretical and Empirical Issues , 1999, Inf. Syst. Res..

[19]  B. R. Schlenker,et al.  Coping with accountability: Self-identification and evaluative reckonings. , 1991 .

[20]  Tejaswini Herath,et al.  A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings , 2011, Eur. J. Inf. Syst..

[21]  Barry M. Staw,et al.  Knee-deep in the Big Muddy: A study of escalating commitment to a chosen course of action. , 1976 .

[22]  Mikko T. Siponen,et al.  Motivating IS security compliance: Insights from Habit and Protection Motivation Theory , 2012, Inf. Manag..

[23]  Detmar W. Straub,et al.  A Practical Guide To Factorial Validity Using PLS-Graph: Tutorial And Annotated Example , 2005, Commun. Assoc. Inf. Syst..

[24]  Lisa Wallander 25 years of factorial surveys in sociology: A review , 2009 .

[25]  Tom L. Roberts,et al.  Bridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders , 2014, Inf. Manag..

[26]  C. F. Bond,et al.  Social facilitation: a meta-analysis of 241 studies. , 1983, Psychological bulletin.

[27]  Clifton L. Smith,et al.  The Development of Access Control Policies for Information Technology Systems , 2002, Comput. Secur..

[28]  J.F. Nunamaker,et al.  The impact of process structure on novice, virtual collaborative writing teams , 2005, IEEE Transactions on Professional Communication.

[29]  Anthony P. Ammeter,et al.  A social relationship conceptualization of trust and accountability in organizations , 2004 .

[30]  P. Tetlock The Impact of Accountability on Judgment and Choice: Toward A Social Contingency Model , 1992 .

[31]  P. Tetlock Accountability: A social check on the fundamental attribution error. , 1985 .

[32]  C. Judd,et al.  When moderation is mediated and mediation is moderated. , 2005, Journal of personality and social psychology.

[33]  Jay F. Nunamaker,et al.  The Impact of Process Structure on Novice, Internet-Based, Asynchronous-Distributed Collaborative Writing Teams , 2005 .

[34]  Charles R. Tittle,et al.  Sanctions and social deviance: The question of deterrence , 1980 .

[35]  D'ArcyJohn,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse , 2009 .

[36]  M. Bovens Two Concepts of Accountability: Accountability as a Virtue and as a Mechanism , 2010 .

[37]  R. Scheines,et al.  Organizational Behavior and Human Decision Processes , 1977 .

[38]  Bernard Guerin,et al.  Reducing Evaluation Effects in Mere Presence , 1989 .

[39]  F. Ramsey,et al.  The statistical sleuth : a course in methods of data analysis , 2002 .

[40]  Paul D. Johnson,et al.  Structural and psychological empowerment climates, performance, and the moderating role of shared felt accountability: a managerial perspective. , 2011, The Journal of applied psychology.

[41]  Donn B. Parker,et al.  Fighting computer crime - a new framework for protecting information , 1998 .

[42]  Malinda Desjarlais,et al.  The Function and Specificity of Sensitivity to Cues to Facial Identity: An Individual-Differences Approach , 2010, Perception.

[43]  Clay Posey,et al.  When Computer Monitoring Backfires: Invasion of Privacy and Organizational Injustice as Precursors to Computer Abuse , 2011 .

[44]  Paul Benjamin Lowry,et al.  Using Accountability to Reduce Access Policy Violations in Information Systems , 2013, J. Manag. Inf. Syst..

[45]  J. Gibbs Crime, punishment, and deterrence , 1975 .

[46]  Irene Alonso Aparicio,et al.  Recensión: "Theories in second language acquisition: an introduction. Van Patten, B. & Williams, J. (eds.). Mahwah, NJ: Lawrence Erlbaum Associates, 2007" , 2008 .

[47]  Daniel L. Sherrell,et al.  Communications of the Association for Information Systems , 1999 .

[48]  D. A. Kenny,et al.  The moderator-mediator variable distinction in social psychological research: conceptual, strategic, and statistical considerations. , 1986, Journal of personality and social psychology.

[49]  H. Becker,et al.  The Use of Vignettes in Survey Research , 1978 .

[50]  P. Tetlock,et al.  Accounting for the effects of accountability. , 1999, Psychological bulletin.

[51]  Philip E. Tetlock,et al.  Accountability and complexity of thought. , 1983 .

[52]  Tom L. Roberts,et al.  Toward Building Self-Sustaining Groups in PCR-Based Tasks Through Implicit Coordination: The Case of Heuristic Evaluation , 2009, J. Assoc. Inf. Syst..

[53]  Werner Wirth,et al.  Heuristic and Systematic Use of Search Engines , 2007, J. Comput. Mediat. Commun..

[54]  Philip E. Tetlock,et al.  Accountability amplifies the status quo effect when change creates victims , 1994 .

[55]  P. Sweeney,et al.  An evaluation of the impact of social presence through Group size and the use of collaborative software on Group member "Voice" in face-to-face and computer-mediated task Groups , 2006, IEEE Transactions on Professional Communication.

[56]  T. Postmes,et al.  Social Cues and Impression Formation in CMC , 2003 .

[57]  Ferran Argelaguet,et al.  See-through techniques for referential awareness in collaborative virtual reality , 2011, Int. J. Hum. Comput. Stud..

[58]  Young Eun Lee,et al.  The Effects of Virtual Reality on Consumer Learning: An Empirical Investigation , 2005, MIS Q..

[59]  Joseph B. Walther,et al.  Is a Picture Worth a Thousand Words? , 2001, Commun. Res..

[60]  Paul Benjamin Lowry,et al.  Using Theories of Formal Control, Mandatoriness, and Reactance to Explain Working Professionals’ Intent to Comply with New IT Security Policies , 2010 .

[61]  M. J. Rosenberg,et al.  WHEN DISSONANCE FAILS: ON ELIMINATING EVALUATION APPREHENSION FROM ATTITUDE MEASUREMENT. , 1965, Journal of personality and social psychology.

[62]  Linda L. Neider,et al.  New directions in human resource management , 2003 .

[63]  R. Bennett,et al.  Is Your Banker Leaking Your Personal Information? The Roles of Ethics and Individual-Level Cultural Characteristics in Predicting Organizational Computer Abuse , 2013, Journal of Business Ethics.

[64]  Bernard Guerin,et al.  Mere presence effects in humans: A review , 1986 .

[65]  M. Gelfand,et al.  Individualism-collectivism and accountability in intergroup negotiations. , 1999 .

[66]  M. Gheini,et al.  Intracranial Stenting: A Review of the Literature and Recommended Remedies , 2016, Galen Medical Journal.

[67]  Alan R. Hevner,et al.  POSITIONING AND PRESENTING DESIGN SCIENCE RESEARCH FOR MAXIMUM IMPACT 1 , 2013 .

[68]  R. Baumeister A SELF-PRESENTATIONAL VIEW OF SOCIAL PHENOMENA , 1982 .

[69]  Detmar W. Straub,et al.  Validation Guidelines for IS Positivist Research , 2004, Commun. Assoc. Inf. Syst..

[70]  Daniel S. Nagin,et al.  THE DETERRENT EFFECT OF PERCEIVED CERTAINTY AND SEVERITY OF PUNISHMENT REVISITED , 1989 .

[71]  Patricia M. Fandt,et al.  The management of information and impressions: When employees behave opportunistically , 1990 .

[72]  Mark Levine,et al.  Deindividuation, power relations between groups and the expression of social identity: The effects of visibility to the out‐group , 1994 .

[73]  A. Hovav,et al.  Does One Size Fit All? Examining the Differential Effects of IS Security Countermeasures , 2009 .

[74]  J. I. Kim,et al.  Accountability and judgment processes in a personality prediction task. , 1987, Journal of personality and social psychology.

[75]  A. Hayes Beyond Baron and Kenny: Statistical Mediation Analysis in the New Millennium , 2009 .

[76]  Bernard C. Y. Tan,et al.  Group Polarization and Computer-Mediated Communication: Effects of Communication Cues, Social Presence, and Anonymity , 2002, Inf. Syst. Res..

[77]  Laurie J. Kirsch,et al.  If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security , 2009, Eur. J. Inf. Syst..

[78]  Jay F. Nunamaker,et al.  Toward a broader vision for Information Systems , 2011, TMIS.

[79]  Susan J. Harrington,et al.  The Effect of Codes of Ethics and Personal Denial of Responsibility on Computer Abuse Judgments and Intentions , 1996, MIS Q..

[80]  Daniel W. Schafer,et al.  Student Solutions Manual for Ramsey/Schafer's The Statistical Sleuth: A Course in Methods of Data Analysis, 3rd , 2012 .

[81]  Kenneth D. Butterfield,et al.  A Review of The Empirical Ethical Decision-Making Literature: 1996–2003 , 2005 .

[82]  Travis C. Pratt,et al.  The Empirical Status of Deterrence Theory: A Meta-Analysis , 2006 .

[83]  W. Crano,et al.  Attitudes and persuasion. , 2006, Annual review of psychology.

[84]  Gerald R. Ferris,et al.  Negative affectivity as a moderator of the form and magnitude of the relationship between felt accountability and job tension , 2005 .

[85]  Izak Benbasat,et al.  Online Consumer Trust and Live Help Interfaces: The Effects of Text-to-Speech Voice and Three-Dimensional Avatars , 2005, Int. J. Hum. Comput. Interact..

[86]  Jay F. Nunamaker,et al.  Autonomous Scientifically Controlled Screening Systems for Detecting Information Purposely Concealed by Individuals , 2014, J. Manag. Inf. Syst..

[87]  R. Zajonc Feeling and thinking : Preferences need no inferences , 1980 .

[88]  S. West,et al.  A comparison of methods to test mediation and other intervening variable effects. , 2002, Psychological methods.

[89]  Alan R. Hevner,et al.  Design Science in Information Systems Research , 2004, MIS Q..

[90]  Dwight D. Frink,et al.  Political skill as neutralizer of felt accountability--job tension effects on job performance ratings: A longitudinal investigation , 2007 .

[91]  Dennis F. Galletta,et al.  Software Piracy in the Workplace: A Model and Empirical Test , 2003, J. Manag. Inf. Syst..

[92]  Qing Hu,et al.  Does deterrence work in reducing information security policy abuse by employees? , 2011, Commun. ACM.

[93]  Martin Bichler,et al.  Design science in information systems research , 2006, Wirtschaftsinf..

[94]  Sally S. Simpson,et al.  Integrating the desire–for–control and rational choice in a corporate crime context , 2005 .

[95]  P. Tetlock Accountability and the perseverance of first impressions. , 1983 .

[96]  P. Tetlock,et al.  Accountability: a social magnifier of the dilution effect. , 1989, Journal of personality and social psychology.

[97]  Andrea Everard,et al.  Privacy Concerns Versus Desire for Interpersonal Awareness in Driving the Use of Self-Disclosure Technologies: The Case of Instant Messaging in Two Cultures , 2011, J. Manag. Inf. Syst..

[98]  A. L. Beaman,et al.  Effects of deindividuation variables on stealing among Halloween trick-or-treaters. , 1976 .

[99]  Mikko T. Siponen,et al.  Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations , 2010, MIS Q..

[100]  M. Sobel Asymptotic Confidence Intervals for Indirect Effects in Structural Equation Models , 1982 .

[101]  K. Williams,et al.  Identifiability as a deterrant to social loafing: Two cheering experiments. , 1981 .

[102]  Katja Hutter,et al.  Virtual worlds as knowledge management platform – a practice‐perspective , 2011, Inf. Syst. J..

[103]  Geoffrey S. Hubona,et al.  The mediation of external variables in the technology acceptance model , 2006, Inf. Manag..

[104]  Dwight David Frink Accountability in human resources systems: The impression management and performance-directed functions of goal-setting in the performance evaluation process , 1994 .

[105]  Carroll Seron,et al.  HOW CITIZENS ASSESS JUST PUNISHMENT FOR POLICE MISCONDUCT , 2006 .

[106]  M. Eric Johnson,et al.  Usability Failures and Healthcare Data Hemorrhages , 2011, IEEE Security & Privacy.

[107]  Phillip E. Tetlock Accountability theory: Mixing properties of human agents with properties of social systems. , 1999 .

[108]  D. A. Kenny,et al.  Reflections on Mediation , 2008 .

[109]  C. L. Cox,et al.  The Role of Identifiability in the Reduction of Interindividual-Intergroup Discontinuity , 1995 .

[110]  Tejaswini Herath,et al.  Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness , 2009, Decis. Support Syst..

[111]  Sarv Devaraj,et al.  Employee Misuse of Information Technology Resources: Testing a Contemporary Deterrence Model , 2012, Decis. Sci..

[112]  Mikko T. Siponen,et al.  Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations , 2014, Eur. J. Inf. Syst..

[113]  D. Whetten What Constitutes a Theoretical Contribution , 1989 .

[114]  G. Jasso Factorial Survey Methods for Studying Beliefs and Judgments , 2006 .

[115]  Jay F. Nunamaker,et al.  Breaking out of the Design Science Box: High-Value Impact Through Multidisciplinary Design Science Programs of Research , 2013, AMCIS.

[116]  Michele J. Gelfand,et al.  Culture and accountability in organizations: Variations in forms of social control across cultures , 2004 .

[117]  Xiaolan Fu,et al.  Effects of culture, social presence, and group composition on trust in technology‐supported decision‐making groups , 2010, Inf. Syst. J..

[118]  Tom Postmes,et al.  Two faces of anonymity: Paradoxical effects of cues to identity in CMC , 2007, Comput. Hum. Behav..

[119]  Greg Pogarsky,et al.  PROJECTED OFFENDING AND CONTEMPORANEOUS RULE‐VIOLATION: IMPLICATIONS FOR HETEROTYPIC CONTINUITY* , 2004 .

[120]  T. Judge,et al.  Can "good" stressors spark "bad" behaviors? The mediating role of emotions in links of challenge and hindrance stressors with citizenship and counterproductive behaviors. , 2009, The Journal of applied psychology.

[121]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[122]  Guillermina Jasso,et al.  Measuring household social standing , 1974 .

[123]  Barbara Deml,et al.  Human Factors Issues on the Design of Telepresence Systems , 2007, PRESENCE: Teleoperators and Virtual Environments.

[124]  R. Mclean,et al.  A Unified Approach to Mixed Linear Models , 1991 .

[125]  Kenneth L. Kraft,et al.  Moral Intensity and Ethical Decision-Making of Marketing Professionals , 1996 .

[126]  Linda Klebe Trevino,et al.  Experimental Approaches to Studying Ethical-Unethical Behavior in Organizations , 1992, Business Ethics Quarterly.

[127]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[128]  Paul Benjamin Lowry,et al.  The CMC Interactivity Model: How Interactivity Enhances Communication Quality and Process Satisfaction in Lean-Media Groups , 2009, J. Manag. Inf. Syst..

[129]  D. Mackinnon Introduction to Statistical Mediation Analysis , 2008 .

[130]  Matthew L. Jensen,et al.  Using an elaboration likelihood approach to better understand the persuasiveness of website privacy assurance cues for online consumers , 2012, J. Assoc. Inf. Sci. Technol..

[131]  Tom L. Roberts,et al.  Insiders' Protection of Organizational Information Assets: Development of a Systematics-Based Taxonomy and Theory of Diversity for Protection-Motivated Behaviors , 2013, MIS Q..

[132]  Alfredo Liverani,et al.  Interactive control of manufacturing assemblies with Mixed Reality , 2006, Integr. Comput. Aided Eng..

[133]  Robert J. Moore,et al.  Doing Virtually Nothing: Awareness and Accountability in Massively Multiplayer Online Worlds , 2007, Computer Supported Cooperative Work (CSCW).

[134]  Detmar W. Straub,et al.  Structural Equation Modeling and Regression: Guidelines for Research Practice , 2000, Commun. Assoc. Inf. Syst..

[135]  Scott B. MacKenzie,et al.  Common method biases in behavioral research: a critical review of the literature and recommended remedies. , 2003, The Journal of applied psychology.

[136]  Ned Kock,et al.  The Psychobiological Model: Towards a New Theory of Computer-Mediated Communication Based on Darwinian Evolution , 2004, Organ. Sci..

[137]  M. King,et al.  Social desirability bias: A neglected aspect of validity testing , 2000 .

[138]  Tom L. Roberts,et al.  Proposing the online community self-disclosure model: the case of working professionals in France and the U.K. who use online communities , 2010, Eur. J. Inf. Syst..

[139]  S. Chaiken,et al.  Heuristic processing can bias systematic processing: effects of source credibility, argument ambiguity, and task importance on attitude judgment. , 1994, Journal of personality and social psychology.

[140]  Terri L. Griffith Monitoring and Performance: A Comparison of Computer and Supervisor Monitoring , 1993 .