Sensitizing Employees' Corporate IS Security Risk Perception

35th International Conference on Information Systems "Building a Better World Through Information Systems", ICIS 2014

Volumn , Issue 110383, 2014, Pages

  Haag, Steffi ^a   Eckhardt, Andreas ^a  

^a GOETHE UNIVERSITY   (Germany)

Author keywords

bring your own cloud; IS policy; Security risk perception; shadow IT; social influence

Indexed keywords

DISTRIBUTED DATABASE SYSTEMS; ECONOMIC AND SOCIAL EFFECTS; PERSONNEL; RISK ASSESSMENT; SOCIAL ASPECTS; SURVEYS; WEB SERVICES;

BRING YOUR OWN CLOUD; CLOUD SERVICES; CORPORATES; IS POLICY; ORGANISATIONAL; POLICY INTERACTION; SECURITY RISK PERCEPTION; SECURITY RISKS; SHADOW IT; SOCIAL INFLUENCE;

RISK PERCEPTION;

EID: 84930236649     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (69)

1. Ajzen, I. 1991. “The theory of planned behavior,” Organizational Behavior and Human Decision Processes (50:2), pp. 179-211.
2. Armstrong, J. S., and Overton, T. S. 1977. “Estimating Nonresponse Bias in Mail Surveys,” Journal of Marketing Research (14:3), pp. 396-402.
3. Bandura, A. 1969. Principles of Behavior Modification, New York: Holt, Rinehart and Winston, Inc.
4. Bandura, A., and Walters, R. H. 1963. Social Learning and Personality Development, New York: Holt, Rinehart and Winston, Inc.
5. Behrens, S. 2009. “Shadow systems: The Good, The Bad and The Ugly,” Communications of the ACM (52:2), pp. 124-129.
6. Beimborn, D., and Palitza, M. 2013. “Enterprise App Stores for Mobile Applications,” in Proceedings of the 19th Americas Conference on Information Systems, Chicago.
7. Bulgurcu, B., Cavusoglu, H., and Benbasat, I. 2010. “Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness,” MIS Quarterly (34:3), pp. 523-548.
8. Caracelli, V. J., and Greene, J. C. 1993. “Data Analysis Strategies for Mixed-Method Evaluation Designs,” Educational Evaluation and Policy Analysis (15:2), pp. 195-207.
9. Chin, W. W. 1998. “The partial least squares approach to structural equation modeling,” in Modern Methods for Business Research, G. A. Marcoulides (ed.), (Vol. 295) Mahwah, NJ: Lawrence Erlbaum, pp. 295-336.
10. Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., and Baskerville, R. 2013. “Future directions for behavioral information security research,” Computers & Security (32), pp. 90-101.
11. Crossler, R. E., Long, J. H., Loraas, T. M., and Trinkle, B. S. 2014. “Understanding Compliance with Bring Your Own Device Policies Utilizing Protection Motivation Theory: Bridging the Intention-Behavior Gap,” Journal of Information Systems (28:1), pp. 209-226.
12. D'Arcy, J., Hovav, A., and Galletta, D. 2009. “User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach,” Information Systems Research (20:1), pp. 79-98.
13. Eagly, A. H., and Chaiken, S. 1993. The Psychology of Attitudes, Fort Worth, TX: Harcourt Brace Jovanovich.
14. Eckhardt, A., Laumer, S., and Weitzel, T. 2009. “Who influences whom? Analyzing workplace referents' social influence on IT adoption and non-adoption,” Journal of Information Technology (24:1), pp. 11-24.
15. Erbes, J., Motahari-Nezhad, H. R., and Graupner, S. 2012. “The Future of Enterprise IT in the Cloud,” IEEE Computer Society (45:5), pp. 66-72.
16. Gefen, D., and Keil, M. 1998. “The Impact of Developer Responsiveness on Perceptions of Usefulness and Ease of Use: An Extension of the Technology Acceptance Model,” The DATA BASE for Advances in Information Systems (29:2), pp. 35-49.
17. Gefen, D., and Ridings, C. M. 2003. “IT Acceptance: Managing User - IT Group Boundaries,” The DATA BASE for Advances in Information Systems (34:3), pp. 25-40.
18. Gens, F., Adam, M., Bradshaw, D., Christiansen, C. A., DuBois, L., Florean, A., Hochmuth, P., V., K., Mahowald, R. P., Matsumoto, S., Morris, C., Olvet, T., Quinn, K., Turner, M. J., Villars, R. L., and Posey, M. 2013. “Worldwide and Regional Public IT Cloud Services 2013-2017 Forecast,” IDC, http://www.idc.com/getdoc.jsp?containerId=242464; Accessed 03 May 2014
19. Greene, J. C., Caracelli, V. J., and Graham, W. F. 1989. “Toward a Conceptual Framework for Mixed-Method Evaluation Designs,” Educational Evaluation and Policy Analysis (11:3), pp. 255-274.
20. Guo, K. H., Yuan, Y., Archer, N. P., and Connelly, C. E. 2011. “Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model,” Journal of Management Information Systems (28:2), pp. 203-236.
21. Györy, A., Cleven, A., Uebernickel, F., and Brenner, W. 2012. “Exploring the Shadows: IT Governance Approaches to User-Driven Innovation,” in Proceedings of the 20th European Conference on Information Systems, (Vol. 6312) Barcelona.
22. Haag, S., and Eckhardt, A. 2014. “Organizational cloud service adoption: a scientometric and content-based literature analysis,” Journal of Business Economics (84:3), pp. 407-440.
23. Haag, S., Eckhardt, A., and Krönung, J. 2014. “From the Ground to the Cloud - A Structured Literature Analysis of the Cloud Service Landscape around the Public and Private Sector,” in Proceedings of the 47th Hawaii International Conference on System Sciences, Big Island, Hawaii.
24. Hair, J. F. J., Hult, G. T. M., Ringle, C. M., and Sarstedt, M. 2013. A Primer on Partial Least Squares Structural Equation Modeling (PLS-SEM), Thousand Oaks, USA: SAGE Publications, Inc., p. 308.
25. Harrington, S. J. 1996. “The Effect of Codes of Ethics and Personal Denial of Responsibility on Computer Abuse Judgments and Intentions,” MIS Quarterly (20:3), pp. 257-278.
26. Herath, T., and Rao, H. R. 2009a. “Protection motivation and deterrence: a framework for security policy compliance in organisations,” European Journal of Information Systems (18:2), pp. 106-125.
27. Herath, T., and Rao, H. R. 2009b. “Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness,” Decision Support Systems (47:2), pp. 154-165.
28. Hofstede, G. 1980. Culture's consequences: international differences in work-related values, Beverly Hills: Sage Publications.
29. Hollander, M., and Wolfe, D. A. 1999. Nonparametric statistical methods, Methods, (Vol. 2) New York: Wiley-Interscience.
30. Hovav, A., and D'Arcy, J. 2012. “Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the U.S. and South Korea,” Information & Management (49:2), pp. 99-110.
31. Hu, Q., Dinev, T., Hart, P., and Cooke, D. 2012. “Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture,” Decision Sciences (43:4), pp. 615-660.
32. Hu, Q., Xu, Z., Dinev, T., and Ling, H. 2011. “Does deterrence work in reducing information security policy abuse by employees?,” Communications of the ACM (54:6), pp. 54-60.
33. Ifinedo, P. 2012. “Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory,” Computers & Security (31:1), pp. 83-95.
34. Kim, C., Jahng, J., and Lee, J. 2006. “An empirical investigation into the utilization-based information technology success model: integrating task-performance and social influence perspective,” Journal of Information Technology (22:2), pp. 152-160.
35. Kock, N. 2012. “WarpPLS 3.0 User Manual,” Laredo, TX: ScriptWarp Systems. http://www.scriptwarp.com/warppls/. Accessed 15 Dec 2013
36. Kruskal, W. H., and Wallis, W. A. 1952. “Use of Ranks in One-Criterion Variance Analysis,” Journal of the American Statistical Association (47:260), pp. 583-621.
37. Kwok, C.-K., Au, W. T., and Ho, J. M. C. 2005. “Normative Controls and Self‐Reported Counterproductive Behaviors in the Workplace in China,” Applied Psychology: An International Review (54:4), pp. 456-475.
38. Lee, J., Crossler, R. E., and Warkentin, M. 2013. “Implications of Monitoring Mechanisms on Bring Your Own Device (BYOD) Adoption,” in Proceedings of the 34th International Conference on Information Systems, (Vol. 2) Milan.
39. Lee, S. M., Lee, S.-G., and Yoo, S. 2004. “An integrative model of computer abuse based on social control and general deterrence theories,” Information & Management (41:6), pp. 707-718.
40. Loch, K. D., Carr, H. H., and Warkentin, M. 1992. “Threats to Information Systems: Today' s Reality, Yesterday' s Understanding,” MIS Quarterly (16:2), pp. 173-186.
41. Madey, D. 1982. “Some benefits of integrating qualitative and quantitative methods in program evaluation, with illustrations,” Educational Evaluation and Policy Analysis (4:2), pp. 223-236.
42. Malhotra, N. K., Kim, S. S., and Agarwal, J. 2004. “Internet Users' Information Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model,” Information Systems Research (15:4), pp. 336-355.
43. Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J., and Ghalsasi, A. 2011. “Cloud computing - The business perspective,” Decision Support Systems (51:1), pp. 176-189.
44. Mitchell, R. L. 2013. “IT's new concern: the personal cloud,” Computerworld, http://www.computerworld.com/s/article/9239348/IT_s_new_concern_The_personal_cloud?taxonomyId=220&pageNumber=1. Accessed 25 April 2014
45. Myers, M. D., and Newman, M. 2007. “The qualitative interview in IS research: Examining the craft,” Information and Organization (17:1), pp. 2-26.
46. Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T., and Vance, A. 2009. “What levels of moral reasoning and values explain adherence to information security rules? An empirical study,” European Journal of Information Systems (18:2)Nature Publishing Group, pp. 126-139.
47. Norušis, M. J. 1996. SPSS 6.1 guide to data analysis, Englewood Cliffs, NJ: Prentice-Hall.
48. Nunnally, J. C., and Bernstein, I. H. 1994. Psychometric Theory, New York: McGraw-Hill.
49. Ortbach, K., Koeffer, S., Bode, M., and Niehaves, B. 2013. “Individualization of Information Systems - Analyzing Antecedents of IT Consumerization Behavior,” in Proceedings of the 34th International Conference on Information Systems, Milan.
50. Pavlou, P. A. 2003. “Consumer Acceptance of Electronic Commerce: Integrating Trust and Risk with the Technology Acceptance Model.,” International Journal of Electronic Commerce (7), pp. 101-134.
51. Pavlou, P. A., and Gefen, D. 2004. “Building Effective Online Marketplaces with Institution-Based Trust,” Information Systems Research (15:1), pp. 37-59.
52. Posey, C., Bennett, R. J., and Roberts, T. L. 2011. “Understanding the mindset of the abusive insider: An examination of insiders' causal reasoning following internal security changes,” Computers & Security (30:6-7), pp. 486-497.
53. Salancik, G. R., and Pfeffer, J. 1978. “A Social Information Processing Approach to Job Attitudes and Task Design,” Administrative Science Quarterly (23:June), pp. 224-253.
54. Schalow, P. S. R., Winkler, T. J., Repschlaeger, J., and Zarnekow, R. 2013. “The blurring boundaries of work-related and personal media use: A grounded theory study on the employee's perspective,” in Proceedings of the 21st European Conference on Information Systems, (Vol. 2) Utrecht.
55. Sheeran, P., and Orbell, S. 1999. “Augmenting the Theory of Planned Behavior: Roles for Anticipated Regret and Descriptive Norms,” Journal of Applied Social Psychology (29:10), pp. 2107-2142.
56. Shumarova, E., and Swatman, P. A. 2008. “Informal eCollaboration Channels: Shedding Light on 'Shadow CIT,'” in Proceedings of the 21st BLED eConference, Bled.
57. Sieber, S. D. 1973. “The Integration of Fieldwork and Survey Methods,” American Journal of Sociology (78:6), pp. 1335-1359.
58. Siponen, M., and Vance, A. 2010. “Neutralization: New Insights into the Problem of Employee Information Systems Security,” MIS Quarterly (34:3), pp. 487-502.
59. Stadtmueller, L. 2013. “The Hidden Truth Behind Shadow IT Six trends impacting your security posture,” Stratecast and Frost & Sullivan; 50 Years of Growth, Innovation and Leadership, Mountain View, CA, pp. 1-13.
60. Straub, D. W. J., and Nance, W. D. 1990. “Discovering and Disciplining Computer Abuse in Organizations: A Field Study,” MIS Quarterly (14:1), pp. 45-60.
61. Straub, D. W., and Welke, R. J. 1998. “Coping With Systems Risk: Security Planning Models for Management Decision Making,” MIS Quarterly (22:4), pp. 441-469.
62. Tully, D. 2013. “Three Tips for Tackling Bring Your Own Cloud (BYOC) Within Your Organization,” http://www.cloudtweaks.com/2013/09/three-tips-for-tackling-bring-your-own-cloud-byoc-withinyour-organization/. Accessed 08 April 2014
63. Victor, B., Cullen, J. B., Quarterly, A. S., and Global, I. 1988. “The Organizational Bases of Ethical Work Climates,” Administrative Science Quarterly (33:1), pp. 101-125.
64. Warkentin, M., Gefen, D., Pavlou, P. A., and Rose, G. M. 2002. “Encouraging citizen adoption of e-government by building trust,” Electronic Markets (12:3), pp. 157-162.
65. Warkentin, M., Johnston, A. C., and Shropshire, J. 2011. “The influence of the informal social learning environment on information privacy policy compliance efficacy and intention,” European Journal of Information Systems (20:3), pp. 267-284.
66. Whitman, M. E. 2004. “In defense of the realm: Understanding the threats to information security,” International Journal of Information Management (24:1), pp. 43-57.
67. Willison, R., and Warkentin, M. 2013. “Beyond Deterrence: An Expanded View of Employee Computer Abuse,” MIS Quarterly (37:1), pp. 1-20.
68. Xu, H., Wang, H., and Teo, H.-H. 2005. “Predicting the usage of P2P sharing software: The role of trust and perceived risk,” in Proceedings of the 38th Annual Hawaii International Conference on System Sciences, Hawaii, Big Island.
69. Zainuddin, E. 2012. “Secretly SaaS-ing: Stealth Adoption of Software-as-a-Service from the Embeddedness Perspective,” in Proceedings of the 33rd International Conference on Information Systems, Orlando.