Understanding nonmalicious security violations in the workplace: A composite behavior model

Journal of Management Information Systems

Volumn 28, Issue 2, 2011, Pages 203-236

  Guo, Ken H ^a   Yuan, Yufei ^b   Archer, Norman P ^b   Connelly, Catherine E ^b  

^a WESTERN NEW ENGLAND UNIVERSITY   (United States)

^b MCMASTER UNIVERSITY   (Canada)

Author keywords

information systems security; nonlinear construct relationships; nonmalicious security violation; perceived identity match; perceived security risk; relative advantage for job performance; workgroup norms

Indexed keywords

INFORMATION SYSTEMS SECURITY; JOB PERFORMANCE; NONLINEAR CONSTRUCT RELATIONSHIPS; NONMALICIOUS SECURITY VIOLATION; PERCEIVED IDENTITY MATCH; SECURITY RISKS; WORKGROUPS;

INDUSTRIAL MANAGEMENT; INFORMATION MANAGEMENT; INFORMATION SYSTEMS; MATHEMATICAL MODELS; RISK PERCEPTION; SECURITY SYSTEMS;

BEHAVIORAL RESEARCH;

EID: 81255163048     PISSN: 07421222     EISSN: None     Source Type: Journal    
DOI: 10.2753/MIS0742-1222280208     Document Type: Article

References (98)

1. Adams, A., and Blandford, A. Bridging the gap between organizational and user perspectives of security in the clinical domain. International Journal of Human-Computer Studies, 63, 1-2 (2005), 175-202.
2. Ajzen, I. The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50, 2 (1991), 179-211.
3. Ajzen, I. Constructing a TPB questionnaire: Conceptual and methodological considerations. University of Massachusetts, Amherst, 2006 (available at http://people.umass.edu/aizen/ pdf/tpb.measurement.pdf).
4. Ajzen, I., and Fishbein, M. Understanding Attitudes and Predicting Social Behavior. Englewood Cliffs, NJ: Prentice Hall, 1980.
5. Banerjee, D.; Cronan, T.P.; and Jones, T.W. Modeling IT ethics: A study in situational ethics. MIS Quarterly, 22, 1 (1998), 31-60.
6. Baskerville, R.L., and Siponen, M.T. An information security meta-policy for emergent organizations. Logistics Information Management, 15, 5-6 (2002), 337-346.
7. Besnard, D., and Arief, B. Computer security impaired by legitimate users. Computers & Security, 23, 3 (2004), 253-264.
8. Bhattacherjee, A., and Sanford, C. Influence processes for information technology acceptance: An elaboration likelihood model. MIS Quarterly, 30, 4 (2006), 805-825.
9. Blanton, H., and Christie, C. Deviance regulation: A theory of action and identity. Review of General Psychology, 7, 2 (2003), 115-149.
10. Bulgurcu, B.; Cavusoglu, H.; and Benbasat, I. Information security policy compliance: An empirical study on rationality-based beliefs and information security awareness. MIS Quarterly, 34, 3 (2010), 523-548.
11. Cenfetelli, R.T. The inhibitors of technology use. Ph.D. dissertation, University of British Columbia, 2004.
12. Chan, M.; Woon, I.; and Kankanhalli, A. Perceptions of information security at the workplace: Linking information security climate to compliant behavior. Journal of Information Privacy and Security, 1, 3 (2005), 18-41.
13. Charng, H.W.; Piliavin, J.A.; and Callero, P.L. Role identity and reasoned action in the prediction of repeated behavior. Social Psychology Quarterly, 51, 4 (1988), 303-317.
14. Cheung, C.M.K., and Lee, M.K.O. User satisfaction with an Internet-based portal: An asymmetric and nonlinear approach. Journal of the American Society for Information Science and Technology, 60, 1 (2009), 111-122.
15. Chin, W.W. The partial least squares approach to structural equation modeling. In G.A. Marcoulides (ed.), Modern Methods for Business Research. Mahwah, NJ: Lawrence Erlbaum, 1998, pp. 295-336.
16. Churchill, G.A., Jr. A paradigm for developing better measures of marketing constructs. Journal of Marketing Research, 16, 1 (1979), 64-73.
17. Coleman, J.S. Foundations of Social Theory. Cambridge, MA: Belknap Press, 1990.
18. D'Arcy, J.; Hovav, A.; and Galletta, D. User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20, 1 (2009), 79-98.
19. Dhillon, G., and Backhouse, J. Information systems security management in the new millennium. Communications of the ACM, 43, 7 (2000), 125-128.
20. Doolin, B., and McLeod, L. Information technology at work: The implications for dignity at work. In S.C. Bolton (ed.), Dimensions of Dignity at Work. Oxford, UK: Butterworth- Heinemann, 2007, pp. 154-175.
21. Dourish, P.; Grinter, R.E.; de la Flor, R.D.; and Joseph, M. Security in the wild: User strategies for managing security as an everyday, practical problem. Personal and Ubiquitous Computing, 8, 6 (2004), 391-401.
22. Dubie, D. End users behaving badly. Network World, December 10, 2007 (available at www. networkworld.com/slideshows/2007/121007-end-users-behaving- badly.html). 23. Eagly, A.H., and Chaiken, S. The Psychology of Attitudes. Fort Worth, TX: Harcourt Brace Jovanovich, 1993.
23. Eagly, A.H., and Chaiken, S. The Psychology of Attitudes. Fort Worth, TX: Harcourt Brace Jovanovich, 1993.
24. Falk, R.F., and Miller, N.B. A Primer for Soft Modeling. Akron, OH: University of Akron Press, 1992.
25. Fornell, C., and Larcker, D.F. Evaluating structural equation models with unobservable variables and measurement error. Journal of Marketing Research, 18, 1 (1981), 39-50.
26. Fulk, J. Social construction of communication technology. Academy of Management Journal, 36, 5 (1993), 921-950.
27. Gerbing, D.W., and Anderson, J.C. An updated paradigm for scale development incorporating unidimensionality and its assessment. Journal of Marketing Research, 25, 2 (1988), 186-192.
28. Gibbs, J.P. Crime, Punishment, and Deterrence. New York: Elsevier, 1975.
29. Grazioli, S., and Jarvenpaa, S.L. Perils of Internet fraud: An empirical investigation of deception and trust with experienced Internet consumers. IEEE Transactions on Systems, Man, and Cybernetics-Part A: Systems and Human, 30, 4 (2000), 395-410.
30. Harrington, S.J. The effects of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions. MIS Quarterly, 20, 3 (1996), 257-278.
31. Heckhausen, H., and Kuhl, J. From wishes to action: The dead ends and short cuts on the long way to action. In M. Frese and J. Sabini (eds.), Goal Directed Behavior: The Concept of Action in Psychology. Hillsdale, NJ: Lawrence Erlbaum, 1985, pp. 134-159.
32. Herath, T., and Rao, H.R. Encouraging information security behaviors in organizations: Role of penalties, pressures, and perceived effectiveness. Decision Support Systems, 47, 2 (2009), 154-165.
33. Herath, T., and Rao, H.R. Protection motivation an deterrence: A framework for security policy compliance in organizations. European Journal of Information Systems, 18, 2 (2009), 106-125.
34. Hilton, D.J., and Slugoski, B.R. Knowledge-based causal attribution-The abnormal conditions focus model. Psychological Review, 93, 1 (1986), 75-88.
35. Hulland, J. Use of partial least squares (PLS) in strategic management research: A review of four recent studies. Strategic Management Journal, 20, 2 (1999), 195-204.
36. Im, G.P., and Baskerville, R.L. A longitudinal study of information system threat categories: The enduring problem of human error. DATA BASE for Advances in Information Systems, 36, 4 (2005), 68-79.
37. Information security breaches survey 2008. Department for Business Enterprise & Regulatory Reform (BERR), London, 2008 (available at www.bis.gov.uk/files/file45714.pdf).
38. James, T.; Pirim, T.; Boswell, K.; Reithel, B.; and Barkhi, R. An extension of the technology acceptance model to determine the intention to use biometric devices. In S. Clarke (ed.), End User Computing Challenges and Technologies: Emerging Tools and Applications. Hershey, PA: IGI Global, 2008, pp. 57-78.
39. Jarvenpaa, S.L.; Tractinsky, N.; and Vitale, M. Consumer trust in an Internet store. Information Technology and Management, 1, 1-2 (2000), 45-71.
40. Jehn, K.A.; Northcraft, G.B.; and Neale, M.A. Why differences make a difference: A field study of diversity, conflict, and performance in workgroups. Administrative Science Quarterly, 44, 4 (1999), 741-763.
41. Johnson, M.E. Information risk of inadvertent disclosure: An analysis of file-sharing risk in the financial supply chain. Journal of Management Information Systems, 25, 2 (Fall 2008), 97-123.
42. Jöreskog, K.G. How large can a standardized coefficient be? Scientific Software International, Chicago, 1999 (available at www.ssicentral.com/lisrel/techdocs/HowLargeCana StandardizedCoefficientbe.pdf).
43. Karahanna, E.; Straub, D.W.; and Chervany, N.L. Information technology adoption across time: A cross-sectional comparison of pre-adoption and post-adoption beliefs. MIS Quarterly, 23, 2 (1999), 183-213.
44. Kelloway, E.K.; Loughlin, C.; Barling, J.; and Nault, A. Self-reported counterproductive behaviors and organizational citizenship behaviors: Separate but related constructs. International journal of Selection and Assessment, 10, 1-2 (2002), 143-151.
45. Kling, R. Computer abuse and computer crime as organizational activities. Computer/ Law Journal, 2, 2 (1980), 186-196.
46. Knapp, K.J.; Marshall, T.E.; Rainer, R.K.; and Ford, F.N. Information security: Management's effect on culture and policy. Information Management & Computer Security, 14, 1 (2006), 24-36.
47. Kock, N. WarpPLS 1.0 user manual. ScriptWarp Systems, 2010 (available at www .scriptwarp.com/warppls/UserManual.pdf).
48. Kock, N. Why are cross-loadings so low in WarpPLS? WarpPLS, 2010 (available at http:// warppls.blogspot.com/2010/01/why-are-cross-loadings-so- low-in.html).
49. Kotulic, A.G., and Clark, J.G. Why there aren't more information security research studies. Information & Management, 41, 5 (2004), 597-607.
50. Lapointe, L., and Rivard, S. A multilevel model of resistance to information technology implementation. MIS Quarterly, 29, 3 (2005), 461-491.
51. Lee, R.M. Doing Research on Sensitive Topics. Newbury Park, CA: Sage, 1993.
52. Leonard, L.N.K., and Cronan, T.P. Illegal, inappropriate, and unethical behavior in an information technology context: A study to explain influences. Journal of the Association for Information Systems, 1, 1 (2001), Article 12.
53. Lewis, B.R.; Templeton, G.F.; and Byrd, T.A. A methodology for construct development in MIS research. European Journal of Information Systems, 14, 4 (2005), 388-400.
54. Liang, H.; Saraf, N.; Hu, Q.; and Xue, Y. Assimilation of enterprise systems: The effect of institutional pressures and the mediating role of top management. MIS Quarterly, 31, 1 (2007), 59-87.
55. Loch, K.D.; Carr, H.H.; and Warkentin, M.E. Threats to information systems: Today's reality, yesterday's understanding. MIS Quarterly, 17, 2 (1992), 173-186.
56. Malhotra, N.K.; Kim, S.S.; and Agarwal, J. Internet users' information privacy concerns (IUIPC): The construct, the scale, and a causal model. Information Systems Research, 15, 4 (2004), 336-355.
57. Moore, G.C., and Benbasat, I. Development of an instrument to measure the perceptions of adopting an information technology innovation. Information Systems Research, 2, 3 (1991), 192-222.
58. Myyry, L.; Siponen, M.; Pahnila, S.; Vartiainen, T., and Vance, A. What levels of moral reasoning and values explain adherence to information security rules? An empirical study. European Journal of Information Systems, 18, 2 (2009), 126-139.
59. Pahnila, S.; Siponen, M.T.; and Mahmood, A. Employees' behavior towards IS security policy compliance. In R.H. Sprague (ed.), Proceedings of the 40th Annual Hawaii International Conference on System Sciences. Los Alamitos, CA: IEEE Computer Society Press, 2007.
60. Pavlou, P.A. Consumer acceptance of electronic commerce: Integrating trust and risk with the technology acceptance model. International Journal of Electronic Commerce, 7, 3 (2003), 69-103.
61. Pavlou, P.A., and Gefen, D. Building effective online marketplaces with institution-based trust. Information Systems Research, 15, 1 (2004), 37-59.
62. Perceptions and behaviors of remote workers: Keys to building a secure company. White Paper, Cisco Systems, San Jose, CA, 2006.
63. Ployhart, R.E., and Schneider, B. A multi-level perspective on personal selection research and practice: Implications for selection system design, assessment, and construct validation. In F.J. Yammarino and F. Dansereau (eds.), The Many Faces of Multi-Level Issues. Oxford: Elsevier Science, 2002, pp. 95-140.
64. Ployhart, R.E., and Schneider, B. Multilevel selection and prediction: Theories, methods, and models. In A. Evers, O. Omit-Voskuyl, and N. Anderson (eds.), The Blackwell Handbook of Personnel Selection. Malden, MA: Blackwell, 2005, pp. 495-516.
65. Podasakoff, P.M., and Organ, D.W. Self-reports in organizational research: Problems and prospects. Journal of Management, 12, 4 (1986), 531-544.
66. Podasakoff, P.M.; MacKenzie, S.B.; Lee, J.-Y.; and Podsakoff, N.P. Common method biases in behavioral research: A critical review of the literature and recommended remedies. Journal of Applied Psychology, 88, 5 (2003), 879-903.
67. Post, G.V., and Kagan, A. Evaluating information security tradeoff: Restricting access can interfere with user tasks. Computers & Security, 26, 3 (2007), 229-237.
68. Richardson, R. CSI computer crime and security survey. Computer Security Institute, New York, 2010.
69. Ringle, C.M.; Wende, S.; and Will, S. SmartPLS 2.0 (M3) beta. Hamburg, 2005.
70. Roberts, L.M. Changing faces: Professional image construction in diverse organizational settings. Academy of Management Review, 30, 4 (2005), 685-711.
71. Robinson, S.L., and O'Leary-Kelly, A.M. Monkey see, monkey do: The influence of work groups on the antisocial behavior of employees. Academy of Management Journal, 41, 6 (1998), 658-672.
72. Sasse, M.A.; Brostoff, S.; and Weirich, D. Transforming the "weakest link"-A human/ computer interaction approach to usable and effective security. BT Technology Journal, 19, 2 (2001), 122-131.
73. Schneier, B. Secrets and Lies: Digital Security in a Networked World. Indianapolis: Wiley Computer, 2000.
74. Semmer, N.K.; Tschan, F.; Meier, L.L.; Facchin, S.; and Jacobshagen, N. Illegitimate tasks and counterproductive work behavior. Applied Psychology: An International Review, 59, 1 (2010), 70-96.
75. Siponen, M.T. A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8, 1 (2000), 31-41.
76. Siponen, M.T., and Vance, A. Neutralization: New insight into the problem of employee information systems security policy violation. MIS Quarterly, 34, 3 (2010), 487-502.
77. Sirdeshmukh, D.; Singh, J.; and Sabol, B. Consumer trust, value, and loyalty in relational exchanges. Journal of Marketing, 65, 1 (2002), 15-37.
78. Snyder, M., and Kendzierski, D. Acting on one's attitudes: Procedures for linking attitude and behavior. Journal of Experimental Social Psychology, 18, 2 (1982), 165-183.
79. Spears, J.L., and Barki, H. User participation in information systems security risk management. MIS Quarterly, 34, 3 (2010), 503-522.
80. Straub, D.W. Validating instruments in MIS research. MIS Quarterly, 13, 2 (1989), 147-169.
81. Straub, D.W. Effective IS security: An empirical study. Information Systems Research, 1, 3 (1990), 255-276.
82. Straub, D.W., and Nance, W.D. Discovering and disciplining computer abuse in organizations: A field study. MIS Quarterly, 14, 1 (1990), 45-60.
83. Straub, D.W.; Boudreau, M.; and Gefen, D. Validation guidelines for IS positivist research. Communications of the Association for Information Systems, 13, 1 (2004), 380-427.
84. Terry, D.J.; Hogg, M.A.; and White, K.M. The theory of planned behaviour: Self-identity, social identity and group norms. British Journal of Social Psychology, 38, 3 (1999), 225-244.
85. Thoits, P.A. Multiple identities and psychological well-being: A reformulation and test of the social isolation hypothesis. American Sociological Review, 48, 2 (1983), 174-187.
86. Thoits, P.A. On merging identity theory and stress research. Social Psychology Quarterly, 54, 2 (1991), 101-112.
87. Titah, R., and Barki, H. Nonlinearities between attitude and subjective norms in information technology acceptance: A negative synergy? MIS Quarterly, 33, 4 (2009), 827-844.
88. Triandis, H.C. Interpersonal Behavior. Monterey, CA: Brooks/Cole, 1977.
89. Tyler, T.R., and Blader, S.L. Can businesses effectively regulate employee conduct? The antecedents of rule following in work settings. Academy of Management Journal, 48, 6 (2005), 1143-1158.
90. Venkatesh, V.; Morris, M.G.; Davis, G.B.; and Davis, F.D. User acceptance of information technology: Toward a unified view. MIS Quarterly, 27, 3 (2003), 425-478.
91. Wason, K.D.; Polonsky, M.J.; and Hyman, M.R. Designing vignette studies in marketing. Australasian Marketing Journal, 10, 3 (2002), 41-58.
92. Webster, J., and Trevino, L.K. Rational and social theories as complementary explanations of communication media choices: Two policy-capturing studies. Academy of Management Journal, 38, 6 (1995), 1544-1572.
93. Wood, C.C. An unappreciated reason why information security policies fail. Computer Fraud & Security, 10 (2000), 13-14.
94. Workman, M., and Gathegi, J. Punishment and ethics deterrents: A study of insider security contravention. Journal of the American Society for Information Science and Technology, 58, 2 (2006), 212-222.
95. Workman, M.; Bommer, W.H.; and Straub, D.W. Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24, 6 (2008), 2799-2816.
96. Xu, H.; Wang, H.; and Teo, H.-H. Predicting the usage of P2P sharing software: The role of trust and perceived risk. In R.H. Sprague (ed.), Proceedings of the 38th Annual Hawaii International Conference on System Sciences. Los Alamitos, CA : IEEE Computer Society Press, 2005.
97. Zielke, S. Exploring asymmetric effects in the formation of retail price satisfaction. Journal of Retailing and Consumer Services, 15, 5 (2008), 335-347.
98. Zviran, M., and Haga, W.J. Password security: An empirical study. Journal of Management Information Systems, 15, 4 (Spring 1999), 161-185.