Effects of sanctions, moral beliefs, and neutralization on information security policy violations across cultures

Abstract: A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP violations, yet studies using this theory have produced mixed results. Past research has indicated that cultural differences may be one reason for these inconsistent findings and has hence called for cross-cultural research on deterrence in information security. To address this gap, we formulated a model including deterrence, moral beliefs, shame, and neutralization techniques and tested it with employees from 48 countries working for a large multinational company.
