The amplification effects of procedural justice on a threat control model of information systems security behaviours

Organisations are increasingly impacted by employee failures to implement readily available systems security countermeasures, failures that result in security lapses. An area where this is most intriguing is among those organisational members who know how to implement security measures but do not do so. Important suggestions have been made, but despite them, the problem continues, and even grows worse. Most of the research into these security behaviours has either relied purely on self-report perceptions (much of it with low response rates) or has consisted of theory and model building and testing. In addition, the extant research has concentrated on either individual or organisational factors. With our research, we were interested in addressing two literature gaps: (1) to determine how well perceptions of security behaviours translated into the world of practice, and (2) to understand the relationships between individual and organisational factors. Our study found that the effects of the individual factors outlined in the threat control model on taking specified security countermeasures were amplified when perceptions of organisational procedural justice were high. Consequently, we make recommendations for research and practice.
