Factors Influencing Employees' Participation in Non-Malicious, Information Systems Security Deviant Behavior: Focus on Formal Control Mechanisms and Sanctions

This study examined factors influencing employees’ participation in non-malicious, information systems security deviant behavior (N-ISSDB) (e.g., connecting computers to the Internet through an insecure wireless network, not disposing of and destroying all unneeded sensitive documents and information on computers in a timely manner, and opening emails from unverified senders) through the theoretical lens of formal control mechanisms and formal sanctions. Empirical data were collected from 338 professionals based in the United States of America. Relevant hypotheses were formulated and tested using the partial least squares technique. The results indicate that the detection control mechanism (i.e., evaluation/monitoring) and deterrence countermeasures or factors (i.e., punishment certainty and punishment severity) have a negative association with employees’ participation in N-ISSDB. The data did not show that control mechanisms related to reward and specifications have meaningful roles in dissuading employees from engaging in N-ISSDB.
