Dispositional and situational factors: influences on information security policy violations
Insiders represent a major threat to the security of an organization’s information resources. Previous research has explored the role of dispositional and situational factors in promoting compliant behavior, but these factors have not been studied together. In this study, we use a scenario-based factorial survey approach to identify key dispositional and situational factors that lead to information security policy violation intentions. We obtained 317 observations from a diverse sample of insiders. The results of a general linear mixed model indicate that dispositional factors (particularly two personality meta-traits, Stability and Plasticity) serve as moderators of the relationships between perceptions derived from situational factors and intentions to violate information security policy. This study represents the first information security study to identify the existence of these two meta-traits and their influence on information security policy violation intentions. More importantly, this study provides new knowledge of how insiders translate perceptions into intentions based on their unique personality trait mix.
Keywords: information security policy violation; protection motivation theory; general deterrence theory; Big Five personality traits; meta-traits; factorial survey method
This study was funded by a grant from the Institute of Homeland Security Solutions (IHSS) as part of their Cyber Security Test Bed project. IHSS is a federally funded collaborative initiative that coordinates its research activities with the U.S. Department of Homeland Security’s Human Factors/Behavioral Sciences Division. An earlier version of this research was presented at the IFIP WG 8.11/11.13 Dewald Roode Workshop on Information Security Research. The authors also thank the anonymous reviewers for their insightful recommendations on earlier versions of this manuscript.