Dispositional and situational factors: influences on information security policy violations
Insiders represent a major threat to the security of an organization’s information resources. Previous research has explored the role of dispositional and situational factors in promoting compliant behavior, but these factors have not been studied together. In this study, we use a scenario-based factorial survey approach to identify key dispositional and situational factors that lead to information security policy violation intentions. We obtained 317 observations from a diverse sample of insiders. The results of a general linear mixed model indicate that dispositional factors (particularly two personality meta-traits, Stability and Plasticity) serve as moderators of the relationships between perceptions derived from situational factors and intentions to violate information security policy. This study represents the first information security study to identify the existence of these two meta-traits and their influence on information security policy violation intentions. More importantly, this study provides new knowledge of how insiders translate perceptions into intentions based on their unique personality trait mix.
Keywords: information security policy violation; protection motivation theory; general deterrence theory; Big Five personality traits; meta-traits; factorial survey method
Employee violations of organizational information security policies, whether intentional or unintentional, are frequently identified as the greatest single threat to organizational information security (Boss et al, 2009; Warkentin & Willison, 2009). Indeed, employees are typically called the ‘weakest link’ in the security environment, as they will often fail to perform specified security behaviors because of an insufficient awareness of policies, low self-efficacy, or carelessness (Hsu et al, forthcoming). Recent industry reports (Emm, 2013; Ernst & Young, 2013; Ponemon Institute, 2013; Verizon, 2015) confirm academic research findings (Warkentin & Willison, 2009) which indicate that insider violations of information security policies continue to be a concern for organizations, especially in contexts in which disgruntled workers engage in various improper acts (Willison & Warkentin, 2013). Technical controls do not effectively prevent motivated insiders from violating information security policies. Thus, organizations employ a range of behavioral controls, including protection motivation appeals or ‘fear appeals’ (Johnston & Warkentin, 2010; Johnston et al, 2015) and sanctions (D’Arcy et al, 2009). Furthermore, research indicates that individual differences, such as personality traits, may influence certain insider behaviors (Kajzer et al, 2014; Shropshire et al, 2015).
When facing decisions about information security, insiders have been shown to behave in response to (1) various perceptions (such as perceptions of threat and efficacy) and to (2) various extrinsic influences (such as deterrence and fear appeals). The process by which insiders evaluate these factors is, in turn, influenced by the insiders’ dispositions and by various situational factors within the environment. Dispositional factors are distinct characteristics that comprise the ‘make-up’ of each individual and shape his/her core values and beliefs (Hofstede, 1991; Earley et al, 1999). These factors, which are relatively stable over time, include personality, propensity to trust, cognitive style, self-esteem, forgetfulness, narcissism, Machiavellianism, psychopathy (Paulhus & Williams, 2002), and other traits. Situational (or contextual) factors, on the other hand, are external – found in the individual’s environment – but similarly influence perceptions of external stimuli, including those linked to information security policy compliance (Besnard & Arief, 2004; Workman et al, 2008; Lee & Larsen, 2009; Shropshire et al, 2015). Situational factors can include policy-compliance-related managerial interventions within an organizational environment and are generally beyond the control of the insider.
Researchers in diverse domains have explored the interactions between dispositional and situational factors (Darley & Batson, 1973; Mischel et al, 1973; Wheeler et al, 2005); however, information security research has only examined the influence of situational and dispositional factors independently. For example, Kajzer et al (2014) found that personality traits impact the effectiveness of security awareness messages. Likewise, Shropshire et al (2015) found a link between personality traits and security compliance behaviors. A plethora of empirical information security studies (cf. Junglas et al, 2008; D’Arcy et al, 2009; Bulgurcu et al, 2010; Johnston & Warkentin, 2010; Johnston et al, 2015) have also established the impact of situational factors, such as deterrence measures and fear appeals. Yet there has been no scientific investigation of the interaction between dispositional and situational factors in the context of individual responses to security messages, even though other domains have shown that dispositional and situational factors interact to influence how an individual will assess and respond to a given situation, which in our setting is an information security policy compliance/non-compliance decision.
We assert that the design and administration of situational factors, such as information security communications to insiders (including training protocols and IT-based communications, such as pop-up reminders or electronic ‘nudges’, Lindqvist, 2012), should be contingent on a set of salient dispositional factors rather than on a ‘one-size-fits-all’ approach (Wright & Mischel, 1987; Carver & Scheier, 1994; Kammrath et al, 2005; Hofmann et al, 2008; Warkentin et al, 2011; McBride et al, 2012). Understanding the interaction between situational and dispositional factors can assist managers in developing controls tailored to particular employee groups to minimize information security policy violations and maximize compliance. Though dispositions, such as personality traits, cannot be easily altered through traditional interventions (situational factors), they can be used to establish empirically tested alternative interventions. By understanding how personality traits influence the downstream impact of security interventions on policy violation intentions, we can tailor these interventions further, establishing, for example, guidelines for designing various information security communications or pop-up reminders. Information security interventions developed using these guidelines can be customized to meet the unique needs of diverse types of insiders and will thus be more effective at influencing their behavior. Our research is designed to provide this knowledge, which can then be used to establish a foundation for the development of customized information security interventions.
In this study, we examined the effects of the interaction between personality traits (which are important dispositional factors) and perceptions of fear appeals and sanctions (two frequently studied situational factors), using a factorial experimental design. Our goal was to identify how one particular set of dispositional factors, namely personality traits, influences the efficacy of various situational factors that are applied in the workplace to influence insider security-related behaviors. This is an unexplored space in the cognitive progression from situational factor exposure to the intention to violate information security policy, but it is important for understanding, for example, how two people with similar perspectives regarding threat severity and sanction certainty could arrive at different intentions to violate security policy. Previous research has examined the impact of personality traits on individuals’ interpretations of situational factors – for example, personal appraisals of communicated threats, coping strategies, sanction severity, and sanction certainty (Self & Rogers, 1990; Janis & Feshbach, 2006; Johnston & Warkentin, 2010; Kajzer et al, 2014; Johnston et al, 2015). We do not know, however, how personality traits influence the translation of these interpretations and meanings into information security policy compliance or non-compliance intentions. To this end, we are interested in answering the following question: How do personality traits influence how perspectives, formed from information security interventions, translate to information security policy violation intentions?
The remainder of this paper is organized as follows. The next section provides an overview of the background literature, the research model, and the hypotheses. The following section includes a detailed discussion of our research methodology. Thereafter follows an overview of the data analysis and results, the limitations of the study, and a discussion of the implications for research and practice. Finally, the last section provides a conclusion that synthesizes our findings.
Background literature, research model, and hypotheses
Recent research, found largely within the Information Systems (IS) research community and supported by theories found in social psychology, criminology, and other related disciplines, has identified a number of factors that influence individuals to either comply with information security policies or violate them. Many of these factors can be classified as either dispositional or situational, with the majority of the factors regarded as perceptions derived from the influence of situational factors, such as warnings about threats or sanctions for non-compliance. For example, in a recent study involving remote insiders of an organization, perceptions of vicarious experience and verbal support derived from social learning situational factors were found to shape insider perceptions of information security policy awareness (Johnston et al, 2013). Situational factors, such as social cues from employers and co-workers, were also shown by Warkentin et al (2011) to positively influence insider compliance with security and privacy policies. The relationships between these situational factors and the perceptions derived from policy awareness were predicted using social cognitive theory (Bandura, 1977). Other situational factors, such as persuasive messages (Johnston & Warkentin, 2010; Johnston et al, 2015) have also been used to invoke perceptions so as to motivate compliance with information security practices, with the latter leveraging protection motivation theory as a theoretical foundation for predicting reactions to the messages.
Various dispositional factors have also been shown to influence security outcomes. However, the research on how dispositional factors interact with situational factors to influence intentions to violate information security policy is limited. On the basis of the extant literature regarding situational and dispositional factors and their influence on violation intentions, we can only speculate as to how these forces may interact to influence violations of information security policy compliance. However, by applying the personality trait theory to this problem, we can begin to understand this interaction.
Extant literature establishes a link between the Big Five personality traits and information security compliance behaviors (Shropshire et al, 2015). However, few studies to date have explored the role of all of the Big Five personality traits in the context of information security (Major et al, 2006; Shropshire et al, 2015) and how these traits may form higher-order groups and interact with situational factors. While situational and dispositional factors are each likely to influence behaviors, such as violations of information security policies, independently of one another, we posit that individuals with certain dispositions are more or less likely to engage in specific risky behaviors based on the circumstances they face (Warkentin et al, 2011). Mischel (1968) provided support for this belief when he concluded ‘it is evident that the behaviors which are often construed as stable personality trait indicators actually are highly specific and depend on the details of the evoking situations and the response mode employed to measure them’ (p. 37). For this reason, the moderating effects of personality meta-traits on the influence of situational factors on policy violation intentions should be explored. Hirsh et al (2009) use neuropharmacological trait theory to explore Big Five personality meta-traits, stating that ‘not only were the metatraits able to predict behavioral outcomes above and beyond the Big Five, but the hypothesized pattern of negative and positive correlations was also more pronounced at the metatrait level’ (p. 1098). Although information security research acknowledges the importance of individual personality traits, few studies have examined the role of meta-traits in this context. Examining the role of meta-traits presents an opportunity for information security researchers and practitioners to develop a more comprehensive understanding of this phenomenon.
Table 1. Situational factors and associated derived perceptions (perception: description)
Sanction severity: Perceived harshness of the punishment associated with violating information security policy
Sanction certainty: Perceived likelihood of being punished if the information security policy is violated
Threat vulnerability: Perceived likelihood of something negative occurring if the information security policy is violated
Threat severity: Perceived seriousness of the risk associated with violating IS security policy
Self-efficacy: Perceived confidence in the ability to comply with information security policy
Response efficacy: Perceived effectiveness of information security policy
Response cost: Perceived negative consequences associated with complying with information security policy
Sanctions represent a relatively common situational factor used to generate insider perceptions that align favorably with information security policy prescriptions (Boss et al, 2009; D’Arcy et al, 2009; Herath & Rao, 2009). Deterrence theory (Akers, 1990; Ehrlich, 1996) suggests that individuals will be discouraged from performing undesirable behavior (e.g., crime, computer abuse, policy violation) if they perceive that there will be punishments or sanctions that are certain and severe. The effective application of deterrence controls presumes that individuals weigh the benefits of a policy violation (e.g., the convenience of temporarily leaving a workstation without logging off, selecting a weak password that is easy to remember (Zhang et al, 2009), avoiding proper patch management, or breaking into a database to steal valuable information) against the costs of such violations (perceived sanction certainty and severity) before electing to engage in non-compliant or criminal behavior. Policies can inform insiders about sanctions, but individuals will cognitively process that information in unique ways.
Another important situational factor is characterized by the communication of threats to insiders along with the recommended protective behaviors associated with these threats. This class of communication is generally referred to as fear appeals. Protection motivation theory suggests that when individuals perceive that they are more vulnerable to security threats and when the threats are more severe, they are more likely to adopt a recommended response to the threat, as long as the individual perceives a sufficient level of self-efficacy, perceived efficacy in the recommended response, and a limited impact on costs associated with the response (Herath & Rao, 2009; Anderson & Agarwal, 2010; Johnston & Warkentin, 2010; Johnston et al, 2015). Recent research examining the influence of fear appeals on security policy compliance intentions reveals mostly consistent outcomes. For example, Johnston & Warkentin (2010) as well as Herath & Rao (2009) provide evidence to support the positive influence of perceived threat severity, self-efficacy, and response efficacy on policy compliance outcomes. Herath & Rao also provide support for the negative influence of response cost on compliance outcomes. Anderson & Agarwal (2010) reinforce the impact of perceived security threats and efficacy on intentions to follow security protocols. Each of these studies provides unique perspectives and representations for the threat and efficacy elements of a fear appeal, but these are ultimately derived from the earlier works of Floyd et al (2000) and Maddux & Rogers (1983), from which we model our understanding.
Dispositional factors influence how individuals perceive their environment (Hofstede, 1991; Earley et al, 1999) and respond to communication interventions (Burke, 1969; Cheney, 1983; Dutta & Vanacker, 2000). One dispositional factor of particular importance is personality type, which remains relatively stable over a person’s lifetime (Conley, 1985; Bidjerano & Dai, 2007). Research has found that certain characteristics of a person’s personality are linked to a propensity for risk-taking (Zuckerman & Kuhlman, 2000; Nicholson et al, 2005; Soane & Chmiel, 2005). Other studies have found that the personality trait that most significantly affects a person’s risk-taking behavior may differ based on the type of risk (Gullone & Moore, 2000). Violating security policy can be considered a form of risk-taking behavior because the violator runs the risk of being caught and/or punished. Though one’s personality cannot easily be altered through intervention, it can be used to establish empirically tested insider selection and communication intervention strategies as well as other managerial influences on insider behavior. In other words, if we can establish statistically significant relationships between dispositional factors (such as personality traits) and their influence on how individuals respond to situational factors, we can then develop strategies for customizing various information security interventions to meet the unique needs of diverse information security users within the workplace.
Dispositional factors – Big Five personality traits (the ‘five factor model’)
Openness to experience: ‘[People scoring high on the openness scale are] characterized by such attributes as open-mindedness, active imagination, preference for variety, and independence of judgment’
Conscientiousness: ‘People [scoring] high on the conscientiousness scale tend to distinguish themselves for their trustworthiness and their sense of purposefulness and of responsibility. They tend to be strong-willed, task-focused, and achievement-oriented’
Extraversion: ‘People [scoring] high on the extraversion scale tend to be sociable and assertive, and they prefer to work with other people’
Agreeableness: ‘People [scoring] high on the agreeableness scale tend to be tolerant, trusting, accepting, and they value and respect other people’s beliefs and conventions’
Neuroticism: ‘People [scoring] high on the [neuroticism] scale tend to experience such negative feelings as emotional instability, embarrassment, guilt, pessimism, and low self-esteem’
In light of the generalizability of this model, we explored literature from diverse fields – accident prevention, organizational safety, and cognitive development – to support our proposed research model. Initial investigations have established linkages between the Big Five personality traits and information security compliance behaviors (Shropshire et al, 2015); for instance, preliminary investigations have established that the traits of conscientiousness and agreeableness may be strongly linked with an individual’s intention to comply with information security policies and to adopt protective technologies (Major et al, 2006; Shropshire et al, 2015). However, to date, few studies have explored the role of all of the Big Five personality traits in the context of information security and how these traits may form higher-order groups and interact with situational factors.
Several scholars have argued for the existence of two higher-order, non-orthogonal factors, or broader personality types, that have emerged from a meaningful pattern of correlations among the Big Five traits (Vecchione et al, 2011). Digman (1997) was the first to note the existence of two personality meta-traits combining the others, labeling them α and β. α reflects the common variance among a cluster of agreeableness, conscientiousness, and emotional stability (the opposite of neuroticism) traits, while β reflects the common variance among the remaining trait cluster, consisting of extraversion and openness. Since Digman’s initial finding, numerous scholars have supported this higher-order structure (Carroll, 2002; DeYoung, 2006), providing additional evidence for the convergence of the Big Five traits with the two broader meta-traits and multiple interpretations of their meaning. Though several studies have criticized the assumption of stable higher-order traits (Ashton et al, 2009) or have argued for alternative hierarchical solutions, such as the Big One (Musek, 2007), the two meta-trait solution from Digman (1997) has persevered and continues to be at the heart of meta-trait research.
Agreeableness, conscientiousness, and emotional stability (reverse of neuroticism) will emerge as a significant meta-trait (Stability).
Openness and extraversion will emerge as a significant meta-trait (Plasticity).
Interaction of dispositional and situational factors
An individual’s personality meta-traits are dispositional factors that influence how he/she will interpret the message, and, when juxtaposed with perceptions derived from sanction and/or fear appeal situational factors, these meta-traits will influence how an individual will ultimately respond to the message (Connor-Smith & Flachsbart, 2007). The key to predicting the influence of personality meta-traits on responses to situational factors, however, is in how the meta-traits of individuals are interpreted. Different contexts require different interpretations. The security context is no different in this regard, and translating behaviors from a previous context to the security context is critical to a proper interpretation.
One of the more influential interpretations of the two meta-trait proposition by Digman (1997) was proposed by DeYoung (2006), who referred to α as ‘Stability’ and determined that the shared variance of agreeableness, conscientiousness, and emotional stability appears to reflect an individual’s tendency to be risk averse – perceiving and behaving in a manner that avoids environmental threats that may introduce risk and cause emotional strain. Stability has been linked with threat fixation and the avoidance of experiences that may result in detrimental outcomes (Wilt et al, 2011). Ellingson et al (2001) and Vecchione et al (2011) further contend that persons with high levels of these characteristics are more readily influenced by social or normative pressures. Alessandri & Vecchione (2012) also found this meta-trait to be a significant determinant of job performance, likely the result of the individuals’ willingness to conform to rules (DeYoung et al, 2002) and avoid strain.
DeYoung (2006) referred to β as ‘Plasticity’ and determined that persons exhibiting high levels of the unique blend of extraversion and openness are less risk averse and more open to engaging their environment and others in ways that yield potential rewards. Plasticity has been linked with the exploration of opportunities that generate positive outcomes (Wilt et al, 2011). Persons exhibiting high levels of these characteristics are inclined to act independently when faced with social or normative pressures (Ellingson et al, 2001; DeYoung et al, 2002; Vecchione et al, 2011) and maintain a sense of adventure in how they live their lives (Wilt et al, 2011).
In the context of information security policy compliance, we can extrapolate the findings from the extant meta-trait literature to predict how meta-trait characteristics will influence relationships stemming from perspectives derived from situational factors and intentions to violate information security policies. Because of their tendency to be influenced by social or normative pressures, we can reasonably expect fear appeals and deterrence interventions to have a greater impact on individuals that share characteristics consistent with the Stability meta-trait. The result of these interventions should be a reduced likelihood for policy violations. Persons with personalities closely aligned with the Plasticity meta-trait, however, are more risk-inclined than their Stability counterparts. Because of the more independent nature of these individuals, fear appeals and deterrence interventions are less likely to have the desired impact, and so long as the opportunity for rewards exists, policy violation intentions will be more likely.
The Stability meta-trait will reduce the effect of threat appraisals on intentions to violate IS security policies.
The Stability meta-trait will reduce the effect of coping appraisals on intentions to violate IS security policies.
The Stability meta-trait will reduce the effect of sanction perceptions on intentions to violate IS security policies.
The Plasticity meta-trait will increase the effect of threat appraisals on intentions to violate IS security policies.
The Plasticity meta-trait will increase the effect of coping appraisals on intentions to violate IS security policies.
The Plasticity meta-trait will increase the effect of sanction perceptions on intentions to violate IS security policies.
To answer the research questions and to test the subsequent research model posed by our study, we applied a scenario-based factorial survey method (Rossi & Nock, 1982). The factorial survey approach is a variant of the vignette design and, through the use of vignettes (or scenarios), is able to provide contextual detail to decision-making situations and to evenly distribute these details across all participants in the study. By asking participants to read randomly generated vignettes and place themselves in the context of the vignette and in the position of the vignette’s primary actor, a reliable and valid measure of perceptions related to the actor’s experiences can be obtained and then regressed against dependent outcomes (Jasso, 2006). Used extensively by criminologists, IS researchers, and others exploring deviant behaviors (Barlow et al, 2013; Vance et al, 2013; Trinkle et al, 2014; Vance et al, 2015), the factorial survey approach is appropriate for this study, in that it provides a mechanism by which to elicit straightforward responses from participants who might otherwise be subject to social desirability bias (or acquiescence bias), which compels most people to provide socially acceptable answers instead of conceding that they might violate social norms. By placing themselves in the position of fictional vignette characters, the research participants are not reporting personal intentions, but rather how they might respond if presented with similar circumstances (Trevino & Victor, 1992). The factorial survey approach is also noted for its ability to reveal the social and individual structures of decision making. Both rationales are important to the successful execution of this study and its ability to fulfill its stated purpose.
Whereas many of these benefits stem from the use of scenarios, even when a factorial approach is not pursued, further research rigor is gained from applying the factorial survey approach to data collection. The factorial survey method involves vignette-based experiments in which the participants are presented with one or more versions of a short-story-style vignette. In the vignettes, variable manipulations are embedded within the sentences, which appear in a fixed order and with the sentences relating to the manipulated factors varying randomly across the vignettes (Taylor, 2006), thus ‘introducing more realistic complexity’ (Lyons, 2008, p. 112). Each vignette was one version of the base scenario, producing a set of scenario versions or types. Developing the individual vignettes in this manner yields ‘an almost completely crossed experimental design’ (Jasso & Rossi, 1977, p. 642). The random assignment of the factors, which are approximately orthogonal (Rossi & Anderson, 1982; Lyons, 2008), ensures that the levels within the manipulated factors are not correlated with each other, as each has an equal probability of assignment (Shlay et al, 2005). Further, the factorial survey method is efficient in that it makes use of statistical sampling to estimate the effect of a factor on a dependent variable without having to test for each combination (Rossi & Anderson, 1982; Jasso, 2006). For our study, six variables were manipulated: self-efficacy, threat vulnerability and severity (combined in one statement), sanction certainty and severity (combined in one statement), and response efficacy.
Survey participants’ demographic information (table of age bands, years of experience, and industry sectors of the respondents)
Research design and instrumentation
Following a random design factorial survey approach advocated by Rossi & Anderson (1982), we asked each participant to read and respond to an online survey that contained three randomly assigned hypothetical vignettes drawn from a ‘vignette universe’ of 64 variations of the baseline vignette. Each vignette described a situation in which a company’s insider, named Joe, has collected sensitive customer data for his company and wants to take the data home to continue his work. In each vignette, Joe disregards a mandatory password encryption procedure, thus violating an information security policy. We asked respondents to estimate the likelihood or chance that they would duplicate the insider’s actions under similar conditions. (See Appendix A for a sample vignette and Appendix B for the constructs manipulated in each vignette version.) After reading each of three randomly assigned vignettes, participants were asked to respond to a series of survey questions, including a four-item manipulation check to ensure that the participant recognized the vignette conditions, a three-item measure of perceived response cost, and a three-item measure of behavioral intention to respond in the same way that Joe did. Also included in the survey, but only asked once of each participant, were demographic items and a 28-item assessment of the Big Five personality traits, which represent the dispositional factors of interest in the present study. (See Appendix C for the Big Five personality traits survey items.)
As previously mentioned, the dependent variable in this study is the respondent’s self-reported intention to violate information security policies (unauthorized removal of sensitive customer information from the workplace, a clear violation of information security policy as described in each vignette). This behavior would be categorized by Guo (2013) as security risk-taking behavior and by Willison & Warkentin (2013) as an internal volitional non-malicious security threat. After reading a vignette in which Joe disregards the security policy and removes the unencrypted information, respondents were asked to estimate the likelihood that they would mirror the insider’s actions under similar conditions. The response options ranged on a scale from 1 to 7, with 7 serving as a ‘strongly agree’ with conducting actions similar to those of Joe. (See Appendix A for elaboration of the instrument’s vignette and dependent variable measure.)
A variety of variables served as independent variables associated with the formation of behavioral intention to violate information security policy. The direct determinants of behavioral intention to perpetrate information security policy violations include perceptions of threat severity, threat vulnerability, self-efficacy, response efficacy, response cost, sanction severity, and sanction certainty (see Table 1 for descriptions), derived from the influence of situational factors: sanctions and fear appeals. All of these variables, with the exception of response cost, were randomly manipulated at either high or low levels within each vignette. This represents a Cartesian product of six variables, each with two levels (i.e., threat severity [high/low] × threat vulnerability [high/low] × self-efficacy [high/low] × response efficacy [high/low] × sanction severity [high/low] × sanction certainty [high/low]), resulting in 2^6 = 64 unique combinations. Please see Appendix B for the text representing each manipulation (high/low) for each variable.
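The two-level, six-factor design described above (and the random assignment with approximately orthogonal factors described in the methodology section) can be made concrete in code. The following is an added illustration, not the authors’ instrument: it builds the 64-vignette universe from the six factor names given in the paper, simulates drawing three distinct vignettes per participant, and checks the balance and near-orthogonality of the factors across the resulting observations. The participant count, random seed, and thresholds are constructed assumptions.

```python
"""Build the 2^6 vignette universe and simulate random vignette assignment.

Added illustration, not the paper's own instrument. The six factor names are
taken from the paper; the participant count, seed and check thresholds are
constructed assumptions.
"""
import itertools
import random
from math import sqrt

# The six manipulated variables, each at a high (1) or low (0) level.
FACTORS = (
    "threat_severity",
    "threat_vulnerability",
    "self_efficacy",
    "response_efficacy",
    "sanction_severity",
    "sanction_certainty",
)


def vignette_universe():
    """Cartesian product of the six binary factors: 2**6 = 64 vignettes."""
    return [dict(zip(FACTORS, levels))
            for levels in itertools.product((0, 1), repeat=len(FACTORS))]


def assign_vignettes(universe, n_participants, per_participant=3, seed=0):
    """Give each participant `per_participant` distinct vignettes drawn at
    random from the universe. Returns (participant_id, vignette) pairs."""
    rng = random.Random(seed)
    observations = []
    for pid in range(n_participants):
        for vignette in rng.sample(universe, per_participant):
            observations.append((pid, vignette))
    return observations


def level_proportions(observations):
    """Share of observations at the high level per factor (ideal: 0.5)."""
    n = len(observations)
    return {f: sum(v[f] for _, v in observations) / n for f in FACTORS}


def pearson(xs, ys):
    """Plain Pearson correlation between two equal-length numeric lists."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy) if vx and vy else 0.0


def max_pairwise_correlation(observations):
    """Largest |r| between any two factor columns. Near zero means the
    manipulated factors are approximately orthogonal, as the design intends;
    over the full universe the correlation is exactly zero."""
    columns = {f: [v[f] for _, v in observations] for f in FACTORS}
    worst = 0.0
    for a, b in itertools.combinations(FACTORS, 2):
        worst = max(worst, abs(pearson(columns[a], columns[b])))
    return worst


if __name__ == "__main__":
    universe = vignette_universe()
    print(len(universe), "vignettes in the universe")
    # Constructed assumption: 100 participants, 3 vignettes each.
    obs = assign_vignettes(universe, n_participants=100, seed=42)
    print("high-level proportions:", level_proportions(obs))
    print("max |r| between factors:", round(max_pairwise_correlation(obs), 3))
```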
As noted by Piquero et al (2000) and, more recently, Siponen & Vance (2010, 2014), vignettes must be designed so as to maintain relevance and realism for potential respondents. To ensure realistic vignette design, two controls were embedded into the study. First, as part of the instrument development process before the pilot test, a nine-member panel of experts in research design and instrument development reviewed each vignette and validated the appropriate presence of each independent, dependent, and control variable. The expert review panel also evaluated each generated vignette version to identify unrealistic or logically impossible vignettes for removal from the total universe of potential vignettes. Ultimately, all vignettes were considered realistic and logically possible, maintaining the final universe of vignettes at 64. In addition, the panelists suggested changes to instructions and other wording to improve the clarity of the instrument.
Manipulation check and test for realism
Following each vignette, the participants were also presented with a four-item manipulation check and a three-item realism test. The manipulation check consisted of questions, such as ‘How confident was Joe about his ability to complete the password request procedure?’ and was intended to ensure that the respondent paid close attention to the important details of the vignette. All four manipulation check questions are shown in Appendix A. The realism questions can also be found in Appendix A (e.g., ‘I could imagine a similar vignette taking place at work.’), and were used to assess whether or not the respondent perceived that a vignette such as the one presented could occur in his or her workplace. Manipulation checks and realism items are commonly used in vignette-based research survey instruments that present the participant with hypothetical situations (Keil et al, 2000; Barlow et al, 2013). If the manipulation checks are not answered correctly, then it can be assumed that the participant did not notice the manipulations within a particular vignette (Sigall & Mills, 1998) and that his or her responses are not based on the appropriate set of vignette conditions. In addition, if the vignette is not considered realistic, then it may be difficult for the participant to imagine him- or herself in that particular situation and provide a rational response to the question.
Balance of the six high/low manipulations across the 317 vignette-level observations (one row per manipulated variable; the row labels were not recovered in this extraction):

High/low manipulation count   Representation within acquired vignette-level observations (%)
169 (high); 148 (low)         high (53.3%); low (46.7%)
154 (high); 163 (low)         high (48.6%); low (51.4%)
159 (high); 158 (low)         high (50.2%); low (49.8%)
165 (high); 152 (low)         high (52.1%); low (47.9%)
167 (high); 150 (low)         high (52.7%); low (47.3%)
175 (high); 142 (low)         high (55.2%); low (44.8%)
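To make the random-design factorial survey concrete, the following Python simulation is added here; it is not code from the paper or its authors. It builds the 2^6 = 64 vignette universe as a Cartesian product, assigns three distinct versions to each participant at random, tallies how often each manipulation appeared at its high and low level (the same balance summary the table above reports), and scores a manipulation check. Assumptions not stated on the page: the six factor names are taken from the text's list of manipulated variables, assignment is uniform at random, and a manipulation check passes only when every answered item matches the level in the version the respondent read.

```python
# Added example (not from the paper or its authors): simulating the random-design
# factorial survey. Assumptions, not stated on the page: factor names follow the
# text's list of six manipulated variables; participants receive three distinct
# versions drawn uniformly at random; a manipulation check passes only when every
# answered item matches the level of the version the respondent actually read.
import itertools
import random
from collections import Counter

FACTORS = (
    "threat_severity", "threat_vulnerability", "self_efficacy",
    "response_efficacy", "sanction_severity", "sanction_certainty",
)
LEVELS = ("high", "low")


def build_vignette_universe(factors=FACTORS, levels=LEVELS):
    """Cartesian product of every factor at every level: 2**6 = 64 versions."""
    return [dict(zip(factors, combo))
            for combo in itertools.product(levels, repeat=len(factors))]


def assign_vignettes(universe, n_participants, per_participant=3, seed=0):
    """Randomly assign `per_participant` distinct versions to each participant.

    Returns vignette-level observations as (participant_id, version_index) pairs,
    so one participant contributes several correlated rows, which is why the
    paper fits a mixed model rather than ordinary least squares.
    """
    rng = random.Random(seed)
    observations = []
    for pid in range(n_participants):
        for idx in rng.sample(range(len(universe)), per_participant):
            observations.append((pid, idx))
    return observations


def level_counts(universe, observations):
    """Count how often each factor was seen at 'high' and at 'low' across observations."""
    counts = {factor: Counter() for factor in FACTORS}
    for _, idx in observations:
        for factor, level in universe[idx].items():
            counts[factor][level] += 1
    return counts


def representation(counts, total):
    """Express high/low counts as percentages of the observation total, to 0.1%."""
    return {factor: {level: round(100.0 * c[level] / total, 1) for level in LEVELS}
            for factor, c in counts.items()}


def max_imbalance(counts):
    """Largest |high - low| gap over all factors; 0 means perfectly balanced."""
    return max(abs(c["high"] - c["low"]) for c in counts.values())


def manipulation_check_passed(vignette, answers):
    """True when each answered check item matches the level in the version read."""
    return all(vignette.get(factor) == level for factor, level in answers.items())


if __name__ == "__main__":
    universe = build_vignette_universe()
    # 120 constructed participants x 3 versions = 360 vignette-level observations
    obs = assign_vignettes(universe, n_participants=120, seed=42)
    counts = level_counts(universe, obs)
    for factor, pct in representation(counts, len(obs)).items():
        print(f"{factor:22s} high {pct['high']:5.1f}%  low {pct['low']:5.1f}%")
    print("max high/low gap:", max_imbalance(counts))
```

Running the script prints a balance summary of the same shape as the table above for a constructed sample of 120 participants. With one observation per version, `level_counts` returns exactly 32 high and 32 low for every factor, which is the reference point against which the paper's slightly unequal counts (for example 175 high versus 142 low) can be judged.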
Data analysis and results
Model estimation followed a generalized form of the standard linear model that accounts for both fixed and random effects (McLean et al, 1991). This approach was deemed appropriate because each participant was asked to assess multiple vignettes, and there is the possibility for bias in vignette assessments because of unobserved differences in the participants. By using a linear mixed model procedure, however, we were able to control for this fixed individual effect. The general linear mixed model process in SPSS (version 19.0.0) is similar to the PROC MIXED procedure in SAS in that it uses maximum likelihood estimates of variances, thereby accounting for correlation within the data because of repeated measures (i.e., each participant rating three vignettes). This is a significant departure from typical least squares analysis, which does not account for such correlation. Therefore, because we obtained maximum likelihood estimates, the individual effects were controlled for, and we were able to obtain accurate variance estimates.
Control variable model tests
Similar to other vignette-based studies, we included several control variables in our study. These control variables included: (1) scenario type (the version seen by the respondent); (2) manipulation check; (3) realism test; (4) participant source; (5) participant gender; (6) participant age; (7) participant experience; and (8) participant employment industry. Each of these control variables was included in an initial control variable model to determine the extent to which it significantly influences behavioral intention to violate an information security policy. This control variable model establishes the baseline fit statistics that our theoretical models must improve upon to demonstrate predictive power.
Control variable model fit statistics: AIC=1047.472; BIC=1058.748
Research model tests
(Table of research model tests: one column for the sample with low realism ratings (N=365) and one for the sample without low realism ratings (N=317); cell values were not recovered in this extraction.)
Tests of meta-trait existence (tests of H1a and H1b)
(Table of principal axis factoring results: factor columns Meta-trait 1, Stability, and Meta-trait 2, Plasticity; of the row labels only Emotional stability (−N) survived, and the loadings were not recovered in this extraction.)
Because individual personality traits are unique and not likely to contribute equally to their respective meta-trait, we treated them as formative constructs. Consequently, we created a composite variable for each meta-trait based on a weighted score for each of its individual personality traits. These weighted scores are generated using a structural equation modeling technique known as partial least squares (PLS) regression and indicate the impact of the individual personality traits. In other words, for each meta-trait, we multiplied each of its significant Big Five traits by their PLS weight and added these to form a composite meta-trait value. These values could then be used as independent variables in the moderating influence analyses, which are described next. The version of PLS software used to provide the weighted values for each personality trait was SmartPLS 2.0.3; a depiction of the PLS model used to obtain the PLS weights for each of the Big Five traits on their respective meta-traits is provided in Appendix F.
Tests of meta-trait moderating influence (tests of H2a-H2c and H3a-H3c)
(Table of meta-trait influence results: columns are Dimension and level, followed by a direct influence model and a moderating influence model for each of the Stability (C, A, −N) and Plasticity (O, E) meta-traits; rows are Scenario type (version), Stability (C, A, −N), Plasticity (O, E), and the interactions of Stability (C, A, −N) with scenario type (version), self-efficacy, response efficacy, threat severity, threat vulnerability, sanction severity, sanction certainty and response cost; coefficient values were not recovered in this extraction.)
Examining the moderating effects of the Stability meta-trait (C, A, −N), we obtained improved fit statistics (AIC=911.037; BIC=953.037). Using a likelihood ratio test to compare these fit statistics with that of the direct influence model (AIC=949.572; BIC=998.438), we found a significant difference between the two models (P<0.001). These results, summarized in Table 8, suggest that people who exhibit high degrees of this meta-trait differ from the average person in how they consider a policy violation opportunity. These individuals are significantly more sensitive than the average person to threat vulnerability as well as to both the severity and certainty of sanctions, and are more conservative in their responses. The negative coefficient estimates for the interaction of this meta-trait with threat vulnerability, sanction severity, and sanction certainty suggest that people exhibiting high degrees of this meta-trait are significantly less likely than their peers to commit a policy violation when these elements of threat and deterrence are perceived to be low. In other words, while the average person would commit an information security policy violation when threat vulnerability, sanction severity, and sanction certainty were low, a person whose personality favors the Stability characteristics would be significantly less likely to commit a policy violation given similar perceived circumstances. These significant interaction effects are also illustrated in the given figure in Appendix D.
These results were expected (see H2a and H2c), as the literature suggests that these people are risk averse. As discussed in our support for H2a and H2c, Vecchione et al (2011) and Ellingson et al (2001) contend that persons with these characteristics are more readily influenced by social or normative pressures. In addition, Alessandri & Vecchione (2012) found this meta-trait to be a significant determinant of job performance, likely the result of the willingness of these individuals to conform to rules (DeYoung et al, 2002) and avoid strain.
Examining the moderating effects of the Plasticity meta-trait (O and E), we see that the fit statistics are an improvement over the direct effects model (AIC=913.234; BIC=955.234), suggesting a reasonable model for analysis. A likelihood ratio test of the moderating model’s fit statistics against that of the direct influence model (AIC=949.572; BIC=998.438) confirms a significant improvement (P<0.001) in the moderating effects model over the direct effects model. The significant results of this test are provided in Table 8 and suggest that, for people who exhibit the qualities of this meta-trait, how they assess the threat, efficacy, and deterrence elements of a policy violation opportunity is mostly consistent with others. Where they differ, however, is in how they assess response efficacy and sanction certainty. The average person is more likely to commit a crime if the certainty of sanctions is perceived to be low. The efficacy of their response to a perceived threat is immaterial in forming their policy violation intentions. People exhibiting qualities more consistent with the Plasticity meta-trait, however, respond differently. If a policy violation could potentially yield rewards, these people are less likely to be deterred and significantly more likely than their peers to follow through with a policy violation, even if they perceive response efficacy and sanction certainty to be high. This finding supports H3b and H3c and is consistent with what some scholars (DeYoung, 2006) have said about people whose personalities are dominant toward this meta-trait: they are less risk averse and more open to engaging in activities that potentially yield rewards. These significant interaction effects are also illustrated in the given figure in Appendix E.
(Table of combined Stability (C, A, −N) and Plasticity (O, E) moderating influence results: columns are Dimension and level, direct influence model and moderating influence model; rows are the interactions of Stability (C, A, −N) with threat vulnerability, sanction severity and sanction certainty, and of Plasticity (O, E) with response efficacy and sanction certainty; coefficient values were not recovered in this extraction.)
Our study has examined the impact of dispositional and situational factors on intentions to violate an information security policy. Others have suggested that these factors may not operate in a vacuum, but rather, may interact with each other. However, a search of the literature uncovered no studies that explore this interaction. Hence, using personality traits to represent dispositional factors and using protection motivation and general deterrence factors to represent situational factors, we conducted an exploratory study to assess how information security policy violation intentions are formed from the interaction of dispositional and situational factors. More specifically, we wanted to understand the role that personality traits play in the translation of the perspectives invoked by information security interventions into information security policy violation intentions.
The results of our factorial survey indicate that dispositional and situational factors interact in security settings. In particular, two meta-traits, Stability and Plasticity, were shown to have an impact on one’s intention to violate an information security policy. For insiders for whom the Stability meta-trait is the prevailing trait, conscientiousness, agreeableness, and emotional stability (the opposite of neuroticism) are dominant. Within the context of information security policy compliance, we find that persons with a strong Stability meta-trait are more risk-averse and may avoid actions that place them at risk of threat- and sanction-related consequences. From the results of this study, we contend that this is tied to their desire to conform with others and to the safety of stable environments. On the other hand, insiders with a strong Plasticity meta-trait are characterized primarily by the dominant openness and extraversion traits. These insiders are more likely to take risks when compared with their peers, but seemingly only in situations in which a clear benefit is possible from the added risk. These important findings demonstrate the efficacy of using personality meta-traits as indicators in the investigation of insider behaviors within the context of information security policy violation.
Contributions to research and theory
Our findings contribute to the theoretical perspective on the important phenomenon of employee violations of information security policies and have several implications for future research. First, ours is the first study to demonstrate the significant influence of personality meta-traits on information security policy violation intentions, opening the door for further investigation into this important insight. The literature describing personality meta-traits is relatively immature, but within the information security literature, it has been non-existent. Kajzer et al (2014) and Shropshire et al (2015), for instance, established that personality traits are important in terms of how security awareness messages are received and in shaping security compliance behaviors, respectively. But no study to date has moved to the meta-level of examination, a level of study supported within multiple other contexts (Carroll, 2002; DeYoung, 2006). By demonstrating the existence of two higher-order personality type factors, our study increases the preliminary understanding of the role of personality traits in information security and provides the first evidence for personality meta-traits as significant elements of the compliance equation.
Second, this study is the first to interpret meta-traits into the information security context. The literature that has examined the existence and role of personality meta-traits, specifically Digman’s (1997) two meta-trait proposition, has elucidated the importance of understanding how the two meta-traits are interpreted within different contexts (Connor-Smith & Flachsbart, 2007). Once we determined the two meta-trait solution was present within the information security policy violation context, the interpretation and labeling of those meta-traits were important components in the process of outcome prediction. This interpretation also establishes the foundation for future research in this context. Future scholarship should continue to explore the role of meta-traits within this context and further refine the interpretations of our research results.
Finally, our results are the first to show how dispositional factors in general, and personality meta-traits in particular, influence the translation of perspectives derived from situational factors into information security policy violation intentions. Previous research has presented several perspectives on how dispositional factors, including personality traits, influence how individuals interpret situational factors – that is, how they receive and process factors such as fear appeals and sanctions (Self & Rogers, 1990; Janis & Feshbach, 2006; Johnston & Warkentin, 2010; Kajzer et al, 2014; Johnston et al, 2015). This study extends this research by being the first to demonstrate how dispositional factors may influence how these interpretations are ultimately translated into information security policy compliance or non-compliance intentions. Our findings from this study provide rationale for why insiders, when in agreement on the severity of a threat or on the imminence of sanctions, for instance, arrive at different intentions for information security policy violation. Perhaps more importantly, this study sheds light on an underserved area in our search to understand the cognitive progression from perspective development to behavioral action. Future research is still needed, however, to refine this initial understanding.
Contributions to and implications for practice
On the basis of our findings, we posit that customized information security interventions (situational factors) may be more effective at preventing security policy violations than generic interventions. An organization that does not provide a nuanced approach to information security is less likely to achieve its goal of insider compliance with information security policies. Customization of information security interventions should be based on the profiles of the two meta-traits determined by this research (i.e., Plasticity and Stability) to influence information security policy violation intentions (see Figure 1). For example, the results of our research study indicate that response efficacy and sanction certainty, even when perceived to be at high levels, may not effectively deter policy violation intentions by insiders with strong Plasticity tendencies. Therefore, to appeal to these insiders, fear appeals should emphasize the threat elements, and sanction interventions should focus primarily on the sanction severity rhetoric. Because insiders who exhibit high degrees of the Stability meta-trait are more likely to avoid risk overall, information security interventions directed at them can focus less on the severity of sanctions and more on the vulnerability to threats and the certainty of sanctions. More broadly, our work confirms and extends the premise that ‘one size does not fit all’ when it comes to communicating arguments for information security policy compliance to insiders. Employers are advised to leverage individual differences, including personality types, when tailoring persuasive messages to their staff. 
However, the organizational justice literature regarding security contexts (Willison & Warkentin, 2009; Posey et al, 2011; Warkentin et al, 2011) indicates that differential treatment of employees can be viewed negatively and can have undesirable effects on behaviors (Posey et al, 2011). Thus, when tailoring these messages for diverse personality types, employers must be mindful that the procedures used to reward or punish employees, as well as the methods for assessing employee performance (Hsu et al, forthcoming), must be designed to be fair and consistent so as to avoid perceptions of procedural injustice (Willison & Warkentin, 2013). In other words, persuasive communications can be differential, but other controls (such as the use of sanctions) must be seen as fair and equitable.
Limitations and future research
Several limitations of our work point to exciting opportunities for future research. First, in our study, we measured the intention to violate a security policy. While the factorial survey design enables us to overcome some of the weaknesses of survey-based research, future studies should also explore actual security behaviors (Warkentin et al, 2012). Second, our research model incorporates many of the fundamental individual differences that impact compliance behavior; however, the model is not exhaustive. There are numerous situational and dispositional factors that may impact intention to comply with an information security policy. For instance, future studies could incorporate both formal and informal sanctions into the proposed model. In addition, we only assessed a single type of information security policy violation. Non-compliance with information security policies by failing to encrypt data removed from the workplace is only one of many possible violation behaviors (Guo, 2013; Willison & Warkentin, 2013). To some extent, the choice of one behavior limits the generalizability of the findings to other security misbehaviors. However, given the large number of manipulations included in the study, adding multiple violations was not feasible. Hence, future research should utilize diverse methods, such as action research or design science, to explore the impact of these meta-traits on additional security misbehaviors.
Finally, one of the criticisms of scenario-based designs is that subjects are asked to assess how they would respond in given fictitious situations. If the situation is perceived as unrealistic, it is difficult for the subject to envision it or him/herself within it. For that reason, it is a tradition of researchers employing the factorial survey design to control for realism in scenario construction (Piquero et al, 2000; Barlow et al, 2013; Siponen & Vance, 2014; Vance et al, 2015). Furthermore, because we are ‘setting’ the levels of the perceptions derived from situational factors (e.g., sanction severity, self-efficacy, etc.), it is important for the subjects to believe that those levels are realistic for a given scenario. Otherwise, their reported intentions to violate information security policies could be confounded and not attributable to their meta-trait disposition. A common technique among factorial survey designs is to include the full sample of data, including all of the records formerly excluded because of low realism scores, and control for realism. This is less attractive for our study, however, given that we are establishing the levels of perceptions from the situational factors, while most factorial survey studies let those vary by respondent.
Our study integrates situational and dispositional factors into a comprehensive model of information security policy violation intentions. The results confirm that individuals with different dispositional factors indeed react differently to similar situational factors in the context of security-related behaviors. In other words, individuals are not the same; insiders respond to information security interventions differently. Now there is data to show that this differentiation even exists after the perspectives derived from information security interventions have been formed and is because of differences in personality profiles, which are explained by personality meta-traits. Our findings establish the foundation for further explorations of the impact of dispositional factors on insiders’ interpretations of managerial communications about information security policies and procedures.
This study was funded by a grant from the Institute of Homeland Security Solutions (IHSS) as part of their Cyber Security Test Bed project. IHSS is a federally funded collaborative initiative that coordinates its research activities with the U.S. Department of Homeland Security’s Human Factors/Behavioral Sciences Division. An earlier version of this research was presented at the IFIP WG 8.11/11.13 Dewald Roode Workshop on Information Security Research. The authors also thank the anonymous reviewers for their insightful recommendations on earlier versions of this manuscript.
- Anderson C and Agarwal R (2010) Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions. MIS Quarterly 34 (3), 613–643.
- Bidjerano T and Dai DY (2007) The relationship between the big-five model of personality and self-regulated learning strategies. Science Direct 17 (1), 69–81.
- Bulgurcu B, Cavusoglu H and Benbasat I (2010) Information security compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly 34 (3), 523–548.
- Burke K (1969) A Rhetoric of Motives. University of California Press, Berkeley, CA.
- Carroll JB (2002) The five factor personality model: how complete and satisfactory is it? In The Role of Constructs in Psychological and Educational Measurement (Braun HI, Jackson DN and Wiley DE, Eds), pp 91–126, Routledge, London.
- Carte T and Russell C (2003) In pursuit of moderation: nine common errors and their solutions. MIS Quarterly 27 (3), 479–502.
- Dutta MJ and Vanacker B (2000) Effects of personality on persuasive appeals in health communication. Advances in Consumer Research 27 (1), 119–124.
- Emm D (2013) The threat landscape: a practical guide from the Kaspersky Lab experts. [WWW document] http://media.kaspersky.com/en/business-security/kaspersky-threat-landscape-it-online-security-guide.pdf (accessed 17 November 2014).
- Ernst & Young (2013) Under cyber attack: EY’s global information security survey 2013. [WWW document] http://www.ey.com/Publication/vwLUAssets/EY_-_2013_Global_Information_Security_Survey/$FILE/EY-GISS-Under-cyber-attack.pdf (accessed 17 November 2014).
- Hoffer JA and Straub DW (1989) The 9-to-5 underground: are you policing computer crimes? Sloan Management Review 30 (4), 35–43.
- Hofmann W, Gschwendner T, Friese M, Wiers R and Schmitt M (2008) Working memory capacity and self-regulatory behavior: toward an individual differences perspective on behavior determination by automatic versus controlled processes. Journal of Personality and Social Psychology 95 (4), 962–977.
- Hofstede G (1991) Work-Related Values, Software of the Mind. McGraw-Hill, Berkshire, UK.
- Hsu JS-C, Shih S-P, Hung YW and Lowry PB (forthcoming) The role of extra-role behaviors and social controls in information security policy effectiveness. Information Systems Research.
- John OP and Srivastava S (1999) The big-five trait taxonomy: history, measurement, and theoretical perspectives. In Handbook of Personality: Theory and Research (Pervin LA and John OP, Eds), Guilford Press, New York.
- Johnston AC and Warkentin M (2010) Fear appeals and information security behaviors: an empirical study. MIS Quarterly 34 (3), 549–566.
- Johnston AC, Warkentin M and Siponen M (2015) An enhanced fear appeal framework: leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly 39 (1), 113–134.
- Kajzer M, D’Arcy J, Crowell CR, Striegel A and Van Bruggen D (2014) An exploratory investigation of message-person congruence in information security awareness campaigns. Computers & Security 43 (June), 65–76.
- Lindqvist J (2012) Nudging people. WINLAB, Dept. of ECE, Rutgers University. Presentation at the NSF/DIMACS Workshop for Aspiring PIs in Secure and Trustworthy Cyberspace, Raleigh, NC, 15 October. [WWW document] http://dimacs.rutgers.edu/Workshops/Aspiring/program.html (accessed 29 November 2012).
- Littell R, Milliken G, Stroup W and Wolfinger R (1996) SAS Systems for Mixed Models. SAS Institute, Cary, NC.
- McBride M, Carter L and Warkentin M (2012) One size doesn’t fit all: cybersecurity training should be customized. Technical Report, Institute for Homeland Security Solutions. [WWW document] http://sites.duke.edu/ihss/files/2011/12/CyberSecurity_2page-summary_mcbride-2012.pdf (accessed 25 June 2014).
- McLean R, Sanders W and Stroup W (1991) A unified approach to mixed linear models. The American Statistician 45 (1), 54–64.
- Mischel W (1968) Personality and Assessment. John Wiley & Sons, Hoboken, NJ.
- Ponemon Institute (2013) 2014 state of endpoint risk. [WWW document] http://www.lumension.com/Lumension/media/graphics/Resources/2014-state-of-the-endpoint/2014-State-of-the-Endpoint-Whitepaper-Lumension.pdf (accessed 17 November 2014).
- Posey C, Bennett RJ, Roberts TL and Lowry PB (2011) When computer monitoring backfires: privacy invasions and organizational injustice as precursors to computer abuse. Journal of Information Systems Security 7 (1), 24–47.
- Rossi PH and Anderson AB (1982) The factorial survey approach: an introduction. In Measuring Social Judgments: The Factorial Survey Approach (Rossi PH and Nock SL, Eds), pp 15–67, Sage, Beverly Hills, CA.
- Rossi PH and Nock SL (1982) Measuring Social Judgments: The Factorial Survey Approach. Sage Publications, Beverly Hills, CA.
- Shlay AB, Tran H, Weinraub M and Harmon M (2005) Teasing apart the child care conundrum: a factorial survey analysis of perceptions of child care quality, fair market price and willingness to pay by low-income, African American parents. Early Childhood Research Quarterly 20 (4), 393–413.
- Siponen M and Vance A (2010) Neutralization: new insights into the problem of employee information systems security policy violations. MIS Quarterly 34 (3), 487–502.
- Vance A, Lowry PB and Eggett D (2015) Increasing accountability through user-interface design artifacts: a new approach to address the problem of access-policy violations. MIS Quarterly 39 (2), 345–366.
- Verizon (2015) Verizon data breach investigation report. [WWW document] http://www.verizonenterprise.com/DBIR/ (accessed 7 June 2015).
- Warkentin M, Carter L and McBride ME (2011) Exploring the role of individual employee characteristics and personality on employee compliance with cyber security policies. Paper presented at the International Federation of Information Processing (IFIP) Dewald Roode Workshop on Information Systems Security Research, Blacksburg, VA.
- Warkentin M, Straub D and Malimage K (2012) Measuring secure behavior: a research commentary. In Proceedings of the 7th Annual Symposium on Information Assurance, pp 1–8, Albany, NY. [WWW document] http://www.albany.edu/iasymposium/proceedings/2012/5-Warkentin_Straub&Malimage.pdf (accessed 15 October 2015).
- Warkentin M, Willison R and Johnston AC (2011) The role of perceptions of organizational injustice and techniques of neutralization in forming computer abuse intentions. In Proceedings of the 17th Americas Conference on Information Systems (AMCIS), pp 1–8, Detroit, MI, August. [WWW document] http://aisel.aisnet.org/amcis2011_submissions/318/.
- Willison R and Warkentin M (2009) Motivations for employee computer crime: understanding and addressing workplace disgruntlement through the application of organisational justice. In Proceedings of the International Federation of Information Processing (IFIP) International Workshop on Information Systems Security Research (Vance A, Ed), pp 127–144, Cape Town, South Africa, May.
- Willison R and Warkentin M (2013) Beyond deterrence: an expanded view of employee computer abuse. MIS Quarterly 37 (1), 1–20.