Abstract
The aim of this study is to gain an understanding of why employees misuse information systems resources (commit IS resource misuse) in the workplace. Rather than consider “intention,” as existing behavioral research commonly does, this study investigates actual behavior and employs IS resource misuse as the dependent variable. Data from a web-based survey are analyzed using the partial least squares approach. In light of the dual-process approach and the theory of planned behavior, the findings suggest that IS resource misuse may be both an intentional type of behavior and an unreasoned action. Perceived behavioral control influences employees’ IS resource misuse actions via their desires or intentions, whereas attitude toward such misuse affects these actions via employees’ desires alone. Subjective norm is found not to affect employees’ IS resource misuse via either desires or intentions. In terms of its theoretical contribution, this study considers unethical behavior in information systems by incorporating a dual-process model and the theory of planned behavior. With regard to its managerial significance, the study’s results will help managers to better understand why employees commit IS resource misuse within organizations.
Acknowledgments
The authors would like to thank the main editor (Professor Alex C. Michalos), a section editor, and three anonymous reviewers for their valuable suggestions and comments.
Cite this article
Chu, A.M.Y., Chau, P.Y.K. & So, M.K.P. Explaining the Misuse of Information Systems Resources in the Workplace: A Dual-Process Approach. J Bus Ethics 131, 209–225 (2015). https://doi.org/10.1007/s10551-014-2250-4
DOI: https://doi.org/10.1007/s10551-014-2250-4