Understanding Organization Employee's Information Security Omission Behavior: An Integrated Model of Social Norm and Deterrence

Employees' information security behavior is critical to ensuring the security of an organization's information assets. Countermeasures, such as information security policies, help to reduce computer abuse and information systems misuse. In practice, however, employees tend to engage in these violations even though they know the policies and countermeasures. Undoubtedly, these omission behaviors bring large losses or other potential risks to the security of information assets. The current study tries to clarify the factors that influence information security omission behaviors and how these driving factors work. From an organizational control perspective, we integrate deterrence theory and social norm theory to construct the research model. We expect that deterrence (as formal control) will effectively decrease omission behavioral intention. In addition, colleagues' security omission behaviors may mislead some employees' behavior to a greater or lesser degree, which can easily establish an erroneous code of conduct and induce similar omission behaviors. To date, misperceived social norms (as informal control) have not received sufficient attention in the IS security literature, and we believe they may provide a new perspective for understanding the formation mechanism of security omission behaviors.
