
European Journal of Information Systems, Volume 25, Issue 3, pp 231–251

Dispositional and situational factors: influences on information security policy violations

  • Allen C Johnston
  • Merrill Warkentin
  • Maranda McBride
  • Lemuria Carter
Empirical Research

Abstract

Insiders represent a major threat to the security of an organization’s information resources. Previous research has explored the role of dispositional and situational factors in promoting compliant behavior, but these factors have not been studied together. In this study, we use a scenario-based factorial survey approach to identify key dispositional and situational factors that lead to information security policy violation intentions. We obtained 317 observations from a diverse sample of insiders. The results of a general linear mixed model indicate that dispositional factors (particularly two personality meta-traits, Stability and Plasticity) serve as moderators of the relationships between perceptions derived from situational factors and intentions to violate information security policy. This study represents the first information security study to identify the existence of these two meta-traits and their influence on information security policy violation intentions. More importantly, this study provides new knowledge of how insiders translate perceptions into intentions based on their unique personality trait mix.

Keywords

information security policy violation; protection motivation theory; general deterrence theory; Big Five personality traits; meta-traits; factorial survey method

Notes

Acknowledgements

This study was funded by a grant from the Institute of Homeland Security Solutions (IHSS) as part of their Cyber Security Test Bed project. IHSS is a federally funded collaborative initiative that coordinates its research activities with the U.S. Department of Homeland Security’s Human Factors/Behavioral Sciences Division. An earlier version of this research was presented at the IFIP WG 8.11/11.13 Dewald Roode Workshop on Information Security Research. The authors also thank the anonymous reviewers for their insightful recommendations on earlier versions of this manuscript.

Copyright information

© Operational Research Society 2016

Authors and Affiliations

  • Allen C Johnston (1)
  • Merrill Warkentin (2)
  • Maranda McBride (3)
  • Lemuria Carter (4)

  1. Department of Management, Information Systems, and Quantitative Methods, School of Business, University of Alabama at Birmingham, Birmingham, U.S.A.
  2. Department of Management and Information Systems, College of Business, Mississippi State University, Mississippi State, MS, U.S.A.
  3. Department of Management, North Carolina A&T State University, Greensboro, U.S.A.
  4. Department of Information Systems, Virginia Commonwealth University, Richmond, U.S.A.
