Security lapses and the omission of information security measures: A threat control model and empirical test

Computers in Human Behavior

Volumn 24, Issue 6, 2008, Pages 2799-2816

  Workman, Michael ^a   Bommer, William H ^b   Straub, Detmar ^c  

^a FLORIDA INSTITUTE OF TECHNOLOGY   (United States)

^b CALIFORNIA STATE UNIVERSITY   (United States)

^c GEORGIA STATE UNIVERSITY   (United States)

Author keywords

Information security; Omissive behaviors; Protection motivation theory; Social cognitive theory; Threat control model

Indexed keywords

COMPUTER NETWORKS;

INFORMATION SECURITY; OMISSIVE BEHAVIORS; PROTECTION MOTIVATION THEORY; SOCIAL COGNITIVE THEORY; THREAT CONTROL MODEL;

INFORMATION SERVICES;

EID: 51349158689     PISSN: 07475632     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.chb.2008.04.005     Document Type: Article

References (91)

1. Acquisti A., and Grossklags J. Privacy and rationality in individual decision making. IEEE Security and Privacy 3 (2005) 26-33
2. Acquisti, J., & Grossklags, A. (2007). When 25 cents is too much: An experiment on willingness-to-sell and willingness-to-protect personal information, Sixth Workshop on the Economics of Information Security (WEIS 2007), June 6, Pittsburgh, PA (pp. 7-18).
3. Adams D.A., Nelson R.R., and Todd P.A. Perceived usefulness, ease of use, and usage of information technology: A replication. MIS Quarterly 16 (1992) 227-247
4. Ajzen I. Perceived behavioral control, self-efficacy, locus of control, and the theory of planned behavior. Journal of Applied Social Psychology 32 (2002) 665-683
5. Albrechtsen E. A qualitative study of users' view on information security. Computers and Security 25 (2006) 445-451
6. Bandura A. Self-efficacy: Toward a unifying theory of behavioral change. Psychological Review 84 2 (1977) 191-215
7. Bandura A. Social cognitive theory of self-regulation. Organizational Behavior and Human Decision Processes 50 (1991) 248-287
8. Bandura A. Social cognitive theory: An agentive perspective. Annual Review of Psychology 52 (2001) 1-26
9. Bandura A., and Walters R.H. Social learning and personality development (1963), Holt, Rinehart and Winston, New York
10. Bartels A. Global IT spending and investment forecast, 2006 To 2007. Forrester Research 12 (2006) 4-31
11. Blankenship K.L., and Whitley B.E. Relation of general deviance to academic dishonesty. Ethics and Behavior 10 1 (2000) 1-12
12. Boer H., and Seydel E. Protection motivation theory. In: Conner M., and Norman P. (Eds). Predicting health behavior: Research and practice with social cognition models (1996), Open University Press, Buckingham, UK 95-120
13. Borrull A.L., and Oppenheim C. Legal aspects of the Web. In: Cronin B. (Ed). Annual Review of Information Science and Technology Vol. 38 (2004), Information Today, Medford, NJ 483-548
14. Bresz F.P. People - Often the weakest link in security, but one of the best places to start. Journal of Health Care Compliance (2004) 57-60
15. Burke P.B. Collaboration for successful prisoner reentry: The role of parole and the courts. Corrections Management Quarterly 5 (2001) 11-22
16. Calluzzo V.J., and Cante C.J. Ethics in information technology and software use. Journal of Business Ethics 51 3 (2004) 301-312
17. Challappa R.K., and Pavlou P. Perceived information security, financial liability, and consumer trust in electronic commerce transactions. Journal of Logistics Information Management 15 (2002) 358-368
18. Cohen F., Ogilvie D.M., Solomon S., Greenberg J., and Pyszczynski T. American roulette: The effect of reminders of death on support for George W. Bush in the 2004 Presidential Election. Analyses of Social Issues and Public Policy 5 (2005) 177-187
19. Compeau D.R., and Higgins C.A. Computer self-efficacy: Development of a measure and initial test. MIS Quarterly 19 (1995) 189-211
20. Davis F.D. Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Quarterly 13 (1989) 319-340
21. Davis F.D., Bagozzi R.P., and Warshaw P.R. User acceptance of computer technology: A comparison of two theoretical models. Management Science 35 (1989) 982-1003
22. Debar H., and Viinikka J. Security information management as an outsourced service. Information Management and Computer Security 14 (2006) 417-435
23. Dhillon G., and Backhouse J. Current directions in IS security research: Towards socio-organizational perspectives. Information Systems Journal 11 (2001) 127-153
24. Diamantopoulos A., and Winklhofer H.M. Index construction with formative indicators: An alternative to scale development. Journal of Marketing Research 38 (2001) 269-277
25. Dorn L., and Brown B. Making sense of invulnerability at work - A qualitative study of police drivers. Safety Science 41 (2003) 837-859
26. Eloff M.M., and von Solms S.H. Information security management: A hierarchical framework for various approaches. Computers and Security 19 (2000) 243-256
27. Ettredge M.L., and Richardson V.J. Information transfer among internet firms: The case of Hacker attacks. Journal of Information Systems 17 2 (2003) 71-82
28. Fornell C., and Larcker D.F. Evaluating structural equation models with unobservable variables and measurement error. Journal of Marketing Research 18 (1981) 39-50
29. Gregor S., and Benbasat I. Explanations from intelligent systems: Theoretical foundations and implications for practice. MIS Quarterly 23 (1999) 497-527
30. Grothmann T., and Reusswig F. People at risk of flooding: Why some residents take precautionary action while others do not. Natural Hazards 38 (2006) 101-120
31. Harrington S.J. The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions. MIS Quarterly 20 (1996) 257-258
32. Harvey, C. (2007). The boss has new technology to spy on you. Datamation, April (pp. 1-5).
33. Hochhauser M. Smart executives, dumb decisions. Journal of Risk Management 51 (2004) 64-73
34. Hsu M.-H., and Kuo F.-Y. An investigation of volitional control in information ethics. Behavior and Information Technology 22 (2003) 53-62
35. International Federation of Accountants (2006). Intellectual assets and value creation: Implications for corporate reporting. Paris France. Retrieved 11.4.07.
36. Janoff-Bulman R., and Frieze I.H. A theoretical perspective for understanding reactions to victimization. Journal of Social Issues 39 (1983) 1-17
37. Jones R.L., and Rastogi A. Secure coding: Building security into the software development life cycle. Information Systems Security 13 (2004) 29-39
38. Jutla D.N., and Bodorik P. Sociotechnical architecture for online privacy. IEEE, Security and Privacy 3 (2005) 29-39
39. Kankanhalli A., Teo H.-H., Tan B.C.Y., and Wei K.-K. An integrative study of information systems security effectiveness. International Journal of Information Management 23 (2003) 139-154
40. Keck R. Disruptive technologies and the evolution of the law. Legal Briefs 23 (2005) 22-49
41. Kim, Y., & Kim, D. J. (2005). A study of online transaction self-efficacy, consumer trust, and uncertainty reduction in electronic commerce transaction. In Proceedings of the 38th annual Hawaii international conference on system sciences (HICSS), June (pp. 170-183).
42. Kuo F.-Y., and Hsu M.-H. Development and validation of ethical computer self-efficacy measure: The case of shoplifting. Journal of Business Ethics 32 (2001) 299-315
43. Kurland N.B. Ethical intentions and the theories of reasoned action and planned behavior. Journal of Applied Social Psychology 25 (1995) 297-313
44. Lazarus R.S. Emotion and adaptation (1991), Oxford University Press, New York
45. Leach J. Improving user security behaviour. Computers and Security 22 (2003) 685-691
46. Lejeune R., and Alex N. On being mugged: The event and its aftermath. Urban Life and Culture 2 (1973) 259-287
47. Leyden, J. (2004). Clueless office workers help spread computer viruses, The Register, February 6 (pp. 17-21).
48. Lin C.-P., and Ding C.G. Modeling information ethics: The joint moderating role of locus of control and job insecurity. Journal of Business Ethics 48 (2003) 335-347
49. Losey, R. C. (1998). The electronic communications privacy act: United States Code. Orlando, FL. Retrieved 10.12.07.
50. Marsh H.W., and Richards G.E. The rotter locus of control scale: The comparison of alternative response formats and implications for reliability, validity and dimensionality. Journal of Research in Personality 20 (1986) 509-558
51. Marx R.D. Relapse prevention in managerial training: A model for maintenance of behavior change. Academy of Management Review 7 1 (1982) 433-441
52. Milgram N.N., and Naaman N. Typology in procrastination. Personality and Individual Differences 20 (1996) 679-683
53. Milne S.S.P., and Orbell S. Prediction and intervention in health-related behaviour: A meta-analytic review of protection motivation theory. Journal of Applied Social Psychology 30 (2000) 106-143
54. Nunnally J.C. Psychometric theory (1978), McGraw-Hill, New York
55. O'Donoghue T., and Rabin M. The economics of immediate gratification. Journal of Behavioral Decision Making 13 (2000) 233-250
56. Ong, T. H., Tan, C. P., Tan, Y. T., & Ting, C. (1999). SNMS - Shadow network management system. In Symposium on network computing and management. Singapore. May 21 (pp. 1-9).
57. Pahnila, S., Siponen, M. T., & Mahmood, A. (2007). Employees' behavior towards IS security policy compliance. In Proceedings of the 40th Hawaii International Conference on System Sciences, HICSS (pp. 156-165).
58. Pechmann C., Zhao G., Goldberg M., and Reibling E.T. What to convey in antismoking advertisements of adolescents: The use of protection motivation theory to identify effective message themes. Journal of Marketing 67 (2003) 1-18
59. Post G.V., and Kagan A. Evaluating information security tradeoffs: Restricting access can interfere with user tasks. Computers and Security 26 (2007) 229-237
60. Proctor R.W., Kim P.L., Vu Schultz E., and Salvendy G. Improving computer security for authentication of users: Influence of proactive password restrictions. Behavior Research Methods, Instruments, and Computer 34 (2002) 163-169
61. Pyszczynski T., Greenberg J., and Solomon S. Why do we need what we need? A terror management perspective on the roots of human social motivation. Psychological Inquiry 8 (1997) 1-20
62. Rippetoe P.A., and Rogers R.W. Effects of components of protection-motivation theory on adaptive and maladaptive coping with a health threat. Journal of Personnel Social Psychology 52 (1987) 596-604
63. Roe-Berning S., and Straker G. The association between illusions of invulnerability and exposure to trauma. Journal of Traumatic Stress 10 (1997) 319-327
64. Rogers R.W. A protection motivation theory of fear appeals and attitude change. Journal of Psychology 91 (1975) 93-114
65. Rogers R.W. Cognitive and physiological processes in fear appeals and attitude change: A revised theory of protection motivation. In: Cacioppo J., and Petty R. (Eds). Social Psychophysiology (1983), Guilford Press, New York 153-176
66. Rotter J. Generalized expectancies for internal versus external control of reinforcement. Psychological Monographs 1 (1966) 1-28
67. Ruighaver A.B., Maynard S.B., and Chang S. Organisational security culture: Extending the end-user perspective. Computers and Security 26 (2007) 56-62
68. Ryan J. Information security tools and practices: What works?. IEEE Transactions on Computers 53 (2004) 1060-1064
69. Salant P., and Dillman D.A. How to conduct your survey (1994), John Wiley and Sons, New York
70. SANS. (2005). The SANS security policy project. Bethesda, MD.
71. Sasse M.A., Brostoff S., and Weirich D. Transforming the weakest link - A human/computer interaction approach to usable and effective security. BT Technology Journal 19 (2004) 122-131
72. Scholz J.T. Enforcement policy and corporate misconduct: The changing perspective of deterrence theory. Law and Contemporary Problems 60 (1997) 153-268
73. Sherif J.S., Ayers R., and Dearmond T.G. Intrusion detection: The art and the practice. Information Management and Computer Security 11 (2003) 175-186
74. Shreve, M. (2004). The office now a major place for identity theft. Crains. September, (pp. 1-4).
75. Siponen, M. T., Pahnila, S., Mahmood, A. (2006). Factors influencing protection motivation and IS security policy compliance, Innovations in Information Technology, November, 1-5.
76. Siponen M.T., and Iivari J. IS security design theory framework and six approaches to the application of IS security policies and guidelines. Journal of the Association for Information Systems 7 7 (2006) 445-472
77. Stajkovic A.D., and Luthans F. Self-efficacy and work-related performance: A meta-analysis. Psychological Bulletin 124 (1998) 240-261
78. Stanton J.M., Stam K.R., Mastrangelo P., and Jolton J. Analysis of end user security behaviors. Journal of Computers and Security 24 (2005) 124-133
79. Straub D.W., Carlson P.J., and Jones E.H. Deterring cheating by student programmers: A field experiment in computer security. Journal of Management Systems 5 (1993) 33-48
80. Straub D.W., and Nance W.D. Discovering and disciplining computer abuse in organizations: A field study. MIS Quarterly 14 (1990) 45-62
81. Straub D.W., and Welke R.J. Coping with systems risk: Security planning models for management decision making. MIS Quarterly 22 (1998) 441-469
82. Tang C.S.-K., Pun S.H., and Cheung F.M. Responsibility attribution for violence against women: A study of Chinese public service professionals. Psychology of Women Quarterly 26 (2002) 175-185
83. Theoharidou M., Kokolakis S., Karyda M., and Kiountouzis E. The insider threat to information systems and the effectiveness of IS017799. Computers and Security 24 (2005) 472-484
84. Thomas T.M. Network security first-step (2004), Cisco Press, Indianapolis, IN
85. von Solms B., and von Solms R. The 10 deadly sins of information security management. Computers and Security 23 (2004) 371-376
86. Wilde G.J.S. Target risk (2001), PDE Publications, Toronto
87. Woon, I. M. Y., Tan, G. W., & Low, R. T. (2005). A protection motivation theory approach to home wireless security. International Conference on Information Systems, Las Vegas (Vol. 26, pp. 367-380).
88. Workman M. Gaining access with social engineering: An empirical study of the threat. Information Systems Security Journal 16 (2007) 315-331
89. Workman, M., & Gathegi, J. (2005). Observance and contravention of information security measures. In Proceedings of the world conference on security management and applied computing, Las Vegas, NV (pp. 241-247).
90. Workman M., and Gathegi J. Punishment and ethics deterrents: A study of insider security contravention. Journal of the American Society for Information Science and Technology 58 (2007) 210-222
91. Wu Y., Stanton B.F., Li X., Galbraith J., and Cole M.L. Protection motivation theory and adolescent drug trafficking: Relationship between health motivation and longitudinal risk involvement. Journal of Pediatric Psychology 30 (2005) 122-137