Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations

Employees' failure to comply with information systems security policies is a major concern for information technology security managers. In efforts to understand this problem, IS security researchers have traditionally viewed violations of IS security policies through the lens of deterrence theory. In this article, we show that neutralization theory, a theory prominent in Criminology but not yet applied in the context of IS, provides a compelling explanation for IS security policy violations and offers new insight into how employees rationalize this behavior. In doing so, we propose a theoretical model in which the effects of neutralization techniques are tested alongside those of sanctions described by deterrence theory. Our empirical results highlight neutralization as an important factor to take into account with regard to developing and implementing organizational security policies and practices.

[1]  Detmar W. Straub,et al.  Coping With Systems Risk: Security Planning Models for Management Decision Making , 1998, MIS Q..

[2]  Rossouw von Solms,et al.  Towards information security behavioural compliance , 2004, Comput. Secur..

[3]  Moez Limayem,et al.  Force of Habit and Information Systems Usage: Theory and Initial Validation , 2003, J. Assoc. Inf. Syst..

[4]  Detmar W. Straub,et al.  Specifying Formative Constructs in Information Systems Research , 2007, MIS Q..

[5]  Alex R. Piquero,et al.  Specifying the direct and indirect effects of low self-control and situational factors in offenders' decision making: Toward a more complete model of rational offending , 1996 .

[6]  Detmar W. Straub,et al.  Validating Instruments in MIS Research , 1989, MIS Q..

[7]  Klaus Krippendorff,et al.  Content Analysis: An Introduction to Its Methodology , 1980 .

[8]  Harold G. Grasmick,et al.  Conscience, significant others, and rational choice: Extending the deterrence model. , 1990 .

[9]  Kenneth D. Butterfield,et al.  A Review of The Empirical Ethical Decision-Making Literature: 1996–2003 , 2005 .

[10]  Paul A. Pavlou,et al.  Understanding and Mitigating Uncertainty in Online Exchange Relationships: A Principal-Agent Perspective , 2007, MIS Q..

[11]  R. Bagozzi,et al.  Multitrait-Multimethod Matrices in Consumer Research , 1991 .

[12]  Greg Pogarsky,et al.  PROJECTED OFFENDING AND CONTEMPORANEOUS RULE‐VIOLATION: IMPLICATIONS FOR HETEROTYPIC CONTINUITY* , 2004 .

[13]  Georgina Spelvin,et al.  The Devil Made Me Do It , 2008 .

[14]  John Braithwaite,et al.  Restorative Justice: Assessing Optimistic and Pessimistic Accounts , 1999, Crime and Justice.

[15]  Ted Chiricos,et al.  Perceived Risk and Deterrence: Methodological Artifacts in Perceptual Deterrence Research , 1982 .

[16]  Timothy Paul Cronan,et al.  Modeling IT Ethics: A Study in Situational Ethics , 1998, MIS Q..

[17]  G. Jasso Factorial Survey Methods for Studying Beliefs and Judgments , 2006 .

[18]  Gresham M. Sykes,et al.  Techniques of neutralization: A theory of delinquency. , 1957 .

[19]  Charles Cresson Wood,et al.  Policies for deterring computer abuse , 1982, Comput. Secur..

[20]  Wynne W. Chin,et al.  Extending the technology acceptance model: the influence of perceived user resources , 2001, DATB.

[21]  Wynne W. Chin Issues and Opinion on Structural Equation Modeling by , 2009 .

[22]  K. Law,et al.  Multidimensional constructs in structural equation analysis: An illustration using the job perception and job satisfaction constructs , 1999 .

[23]  Paul F. Cromwell,et al.  the devil made me do it: use of neutralizations by shoplifters , 2003 .

[24]  T. Pratt,et al.  THE EMPIRICAL STATUS OF GOTTFREDSON AND HIRSCHI'S GENERAL THEORY OF CRIME: A META‐ANALYSIS , 2000 .

[25]  James Weber,et al.  Scenarios in Business Ethics Research: Review, Critical Assessment, and Recommendations , 1992, Business Ethics Quarterly.

[26]  George Bakehouse,et al.  Empirical Research in Information Systems , 2000 .

[27]  D. Straub,et al.  Knowledge Worker Communications and Recipient Availability: Toward a Task Closure Explanation of Media Choice , 1998 .

[28]  Michael B. Blankenship,et al.  examining the role of differential association and techniques of neutralization in explaining corporate crime , 2005 .

[29]  Quint C. Thurman,et al.  Deviance and the neutralization of moral commitment: An empirical analysis , 1984 .

[30]  Paul A. Pavlou,et al.  Cultural Diversity and Trust in IT Adoption: A Comparison of Potential e-Voters in the USA and South Africa , 2005, J. Glob. Inf. Manag..

[31]  J. Tangney,et al.  Shame and Guilt , 2002 .

[32]  J. Tangney,et al.  Shame and guilt in interpersonal relationships. , 1995 .

[33]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[34]  I. Ajzen,et al.  Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research , 1977 .

[35]  V. Lim The IT way of loafing on the job: cyberloafing, neutralizing and organizational justice , 2002 .

[36]  Petri Puhakainen,et al.  A design theory for information security awareness , 2006 .

[37]  Wynne W. Chin,et al.  A Partial Least Squares Latent Variable Modeling Approach for Measuring Interaction Effects: Results from a Monte Carlo Simulation Study and an Electronic - Mail Emotion/Adoption Study , 2003, Inf. Syst. Res..

[38]  R. Hollinger,et al.  neutralizing in the workplace: an empirical analysis of property theft and production deviance , 1991, Work Place Sabotage.

[39]  Donald E. Green Measures of Illegal Behavior in Individual-Level Deterrence Research , 1989 .

[40]  D. Nagin,et al.  Enduring individual differences and rational choice theories of crime , 1993 .

[41]  P. Cook Research in Criminal Deterrence: Laying the Groundwork for the Second Decade , 1980, Crime and Justice.

[42]  R. A. Dodder,et al.  techniques of neutralization used by deer poachers in the western united states: a research note , 1999 .

[43]  Gurpreet Dhillon,et al.  Computer crimes: theorizing about the enemy within , 2001, Comput. Secur..

[44]  Cheryl Burke Jarvis,et al.  A Critical Review of Construct Indicators and Measurement Model Misspecification in Marketing and Consumer Research , 2003 .

[45]  Donn B. Parker,et al.  Fighting computer crime - a new framework for protecting information , 1998 .

[46]  W. W. Minor,et al.  Techniques of Neutralization: a Reconceptualization and Empirical Examination , 1981 .

[47]  C. Saunders,et al.  Editor's comments: PLS: a silver bullet? , 2006 .

[48]  Naresh K. Malhotra,et al.  Internet Users' Information Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model , 2004, Inf. Syst. Res..

[49]  J. Greenberg Employee Theft as a Reaction to Underpayment Inequity: The Hidden Cost of Pay Cuts , 1990 .

[50]  Sally S. Simpson,et al.  Informal Sanction Threats and Corporate Crime: Additive Versus Multiplicative Models , 1995 .

[51]  Quint C. Thurman,et al.  Neutralization and Tax Evasion: How Effective Would a Moral Appeal Be in Improving Compliance to Tax Laws? , 1984 .

[52]  KarahannaElena,et al.  The relative advantage of electronic channels , 2008 .

[53]  L. Kohlberg Stage and sequence: The cognitive-developmental approach to socialization , 1969 .

[54]  R. Bachman,et al.  The Rationality of Sexual Offending: Testing a Deterrence/Rational Choice Conception of Sexual Assault , 1992 .

[55]  Detmar W. Straub,et al.  Validation in Information Systems Research: A State-of-the-Art Assessment , 2001, MIS Q..

[56]  Carl B. Klockars The Professional Fence , 1975 .

[57]  Jana L. Pershing To Snitch or Not to Snitch? Applying the Concept of Neutralization Techniques to the Enforcement of Occupational Misconduct , 2003 .

[58]  John Braithwaite,et al.  Crime, Shame, And Reintegration , 1989 .

[59]  George A. Marcoulides,et al.  Latent variable and latent structure models , 2002 .

[60]  Alex R. Piquero,et al.  AN EMPIRICAL TEST OF TITTLE'S CONTROL BALANCE THEORY* , 1999 .

[61]  Detmar W. Straub,et al.  Validation Guidelines for IS Positivist Research , 2004, Commun. Assoc. Inf. Syst..

[62]  B. Byers,et al.  Bias Crime Motivation , 1999 .

[63]  Izak Benbasat,et al.  Empirical Research in Information Systems: The Practice of Relevance , 1999, MIS Q..

[64]  Daniel S. Nagin,et al.  THE DETERRENT EFFECT OF PERCEIVED CERTAINTY AND SEVERITY OF PUNISHMENT REVISITED , 1989 .

[65]  Hock-Hai Teo,et al.  An integrative study of information systems security effectiveness , 2003, Int. J. Inf. Manag..

[66]  Detmar W. Straub,et al.  Discovering and Disciplining Computer Abuse in Organizations: A Field Study , 1990, MIS Q..

[67]  H. Becker,et al.  The Use of Vignettes in Survey Research , 1978 .

[68]  Susan J. Harrington,et al.  The Effect of Codes of Ethics and Personal Denial of Responsibility on Computer Abuse Judgments and Intentions , 1996, MIS Q..

[69]  Harold G. Grasmick,et al.  The Deterrent Effect of Perceived Severity of Punishment , 1980 .

[70]  Kathryn J. Fox,et al.  Reproducing criminal types : Cognitive treatment for violent offenders in prison , 1999 .

[71]  Jeffrey M. Stanton,et al.  Analysis of end user security behaviors , 2005, Comput. Secur..

[72]  James R. Rest Development in Judging Moral Issues , 1979 .

[73]  Qing Hu,et al.  Assimilation of Enterprise Systems: The Effect of Institutional Pressures and the Mediating Role of Top Management , 2007, MIS Q..

[74]  August Bequai Employee abuses in cyberspace: Management's legal quagmire , 1998, Comput. Secur..

[75]  S. Tibbetts,et al.  Shame and Rational Choice in Offending Decisions , 1997 .

[76]  Linda Klebe Trevino,et al.  Experimental Approaches to Studying Ethical-Unethical Behavior in Organizations , 1992, Business Ethics Quarterly.

[77]  Trevor T. Moores,et al.  Ethical Decision Making in Software Piracy: Initial Development and a Test of a Four-Component Model , 2006, MIS Q..

[78]  Mikko T. Siponen,et al.  Which Factors Explain Employees' Adherence to Information Security Policies? An Empirical Study , 2007, PACIS.

[79]  D. Parker Crime by computer , 1976 .

[80]  Detmar W. Straub,et al.  A Practical Guide To Factorial Validity Using PLS-Graph: Tutorial And Annotated Example , 2005, Commun. Assoc. Inf. Syst..

[81]  Jan Killmeyer,et al.  Information Security Architecture , 2000 .

[82]  Dorothy E. Leidner,et al.  Review: A Review of Culture in Information Systems Research: Toward a Theory of Information Technology Culture Conflict , 2006, MIS Q..

[83]  Charles R. Tittle,et al.  Sanctions and social deviance: The question of deterrence , 1980 .

[84]  Cheryl Burke Jarvis,et al.  The problem of measurement model misspecification in behavioral and organizational research and some recommended solutions. , 2005, The Journal of applied psychology.

[85]  Elena Karahanna,et al.  The Relative Advantage of Electronic Channels: A Multidimensional View , 2008, MIS Q..

[86]  Shadd Maruna,et al.  What Have We Learned from Five Decades of Neutralization Research? , 2005, Crime and Justice.

[87]  Ronald L. Akers,et al.  Criminological Theories : Introduction, Evaluation, and Application , 2000 .

[88]  Carol Saunders,et al.  PLS: A Silver Bullet? , 2006 .

[89]  Detmar W. Straub,et al.  Effective IS Security: An Empirical Study , 1990, Inf. Syst. Res..

[90]  T. Priest,et al.  TECHNIQUES OF NEUTRALIZATION: YOUNG ADULT MARIJUANA SMOKERS , 1970 .

[91]  Jon David,et al.  Policy enforcement in the workplace , 2002, Comput. Secur..

[92]  R. Paternoster,et al.  Sanction threats and appeals to morality : Testing a rational choice model of corporate crime , 1996 .

[93]  Joseph W. Rogers,et al.  Neutralization Techniques , 1974 .

[94]  Donn B. Parker,et al.  Information Security in a Nutshell , 1997, Inf. Secur. J. A Glob. Perspect..