Theorising Information Security Policy Violations

Information systems security threats persist in organisations despite enormous investment in security measures. Both the academic literature and the media report the large financial losses and reputational harm that organisations suffer from computer-related security breaches. Although technical safeguards are indispensable, the academic literature highlights the ‘insider threat’: an organisation’s own employees pose a significant threat because they already have legitimate access to its information systems, and what matters is how they use or abuse that access. This article explores the theoretical foundations of research on information systems security policy violations. Academic databases are queried for the key theories of security policy compliance and non-compliance, and these theories are examined for their theoretical development. A problem area is identified, and a theoretical model is then proposed in an attempt to explain why employees violate information systems security policies.
