Abstract
Insiders represent a major threat to the security of an organization’s information resources. Previous research has explored the role of dispositional and situational factors in promoting compliant behavior, but these factors have not been studied together. In this study, we use a scenario-based factorial survey approach to identify key dispositional and situational factors that lead to information security policy violation intentions. We obtained 317 observations from a diverse sample of insiders. The results of a general linear mixed model indicate that dispositional factors (particularly two personality meta-traits, Stability and Plasticity) serve as moderators of the relationships between perceptions derived from situational factors and intentions to violate information security policy. This study represents the first information security study to identify the existence of these two meta-traits and their influence on information security policy violation intentions. More importantly, this study provides new knowledge of how insiders translate perceptions into intentions based on their unique personality trait mix.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Akers R (1990) Rational choice, deterrence, and social learning theory in criminology: the path not taken. The Journal of Criminal Law and Criminology 81 (3), 653–676.
Alessandri G and Vecchione M (2012) The higher-order factors of the big five as predictors of job performance. Personality and Individual Differences 53 (6), 779–784.
Anderson C and Agarwal R (2010) Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions. MIS Quarterly 34 (3), 613–643.
Arthur W and Graziano W (1996) The five-factor model, conscientiousness, and driving accident involvement. Journal of Personality 64 (3), 594–618.
Ashton MC, Lee K, Goldberg LR and deVries RE (2009) Higher-order factors of personality: do they exist? Personality and Social Psychology Review 13 (2), 79–91.
Bandura A (1977) Self-efficacy: toward a unifying theory of behavioral change. Psychological Review 84 (2), 191–215.
Barlow JB, Warkentin M, Ormond D and Dennis AR (2013) Don’t make excuses! Discourage neutralization to reduce IT policy violation. Computers & Security 39 (B), 145–159.
Barnett T, Pearson AW, Pearson R and Kellermanns FW (2015) Five-factor model personality traits as predictors of perceived and actual usage of technology. European Journal of Information Systems 24 (4), 374–390.
Besnard D and Arief B (2004) Computer security impaired by legitimate users. Computers & Security 23 (3), 253–264.
Bidjerano T and Dai DY (2007) The relationship between the big-five model of personality and self-regulated learning strategies. Science Direct 17 (1), 69–81.
Bollen K and Lennox R (1991) Conventional wisdom on measurement: a structural equation perspective. Psychological Bulletin 110 (2), 305.
Boss S, Kirsch LJ, Angermeier I, Shingler RA and Boss W (2009) If someone is watching, I’ll do what I’m asked: mandatoriness, control, and information security. European Journal of Information Systems 18 (18), 151–164.
Buchanan T, Johnson JA and Goldberg LR (2005) Implementing a five-factor personality inventory for use on the internet. European Journal of Psychological Assessment 21 (2), 115–127.
Bulgurcu B, Cavusoglu H and Benbasat I (2010) Information security compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly 34 (3), 523–548.
Burke K (1969) A Rhetoric of Motives. University of California Press, Berkeley, CA.
Carroll JB (2002) The five factor personality model: how complete and satisfactory is it? In The Role of Constructs in Psychological and Educational Measurement (Braun HI, Jackson DN and Wiley DE, Eds), pp 91–126, Routledge Publisher, London.
Carte T and Russell C (2003) In pursuit of moderation: nine common errors and their solutions. MIS Quarterly 27 (3), 479–502.
Carver C and Scheier M (1994) Situational coping and coping dispositions in a stressful transaction. Journal of Personality and Social Psychology 66 (1), 184–195.
Cheney G (1983) The rhetoric of identification and the study of organizational communication. Quarterly Journal of Speech 69 (2), 143–158.
Conley JJ (1985) Longitudinal stability of personality traits: a multitrait-multimethod-multioccasion analysis. Journal of Personality and Social Psychology 49 (5), 1266–1282.
Connor-Smith JK and Flachsbart C (2007) Relations between personality and coping: a meta-analysis. Journal of Personality and Social Psychology 93 (6), 1080–1107.
D’Arcy J, Hovav A and Galletta DF (2009) User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Information Systems Research 20 (1), 79–98.
Darley JM and Batson D (1973) ‘From Jerusalem to Jericho’: a study of situational and dispositional variables in helping behavior. Journal of Personality and Social Psychology 27 (1), 100–108.
DeYoung CG (2006) Higher-order factors of the big five in a multi-informant sample. Journal of Personality and Social Psychology 91 (6), 1138–1151.
DeYoung CG, Peterson JB and Higgins DM (2002) Higher-order factors of the big five predict conformity: are there neuroses of health? Personality and Individual Differences 33 (4), 533–552.
Diamantopoulos A and Siguaw JA (2006) Formative versus reflective indicators in organizational measure development: a comparison and empirical illustration. British Journal of Management 17 (4), 263–282.
Digman JM (1997) Higher-order factors of the big five. Journal of Personality and Social Psychology 73 (6), 1246–1256.
Dutta MJ and Vanacker B (2000) Effects of personality on persuasive appeals in health communication. Advances in Consumer Research 27 (1), 119–124.
Earley P, Gibson CB and Chen CC (1999) How did I do? versus how did we do? Cultural contrasts of performance feedback use and self-efficacy. Journal of Cross-Cultural Psychology 30 (5), 594–619.
Ehrlich I (1996) Crime, punishment, and the market for offenses. Journal of Economic Perspectives 10 (1), 43–67.
Ellingson JE, Smith DB and Sackett PR (2001) Investigating the influence of social desirability on personality factor structure. Journal of Applied Psychology 86 (1), 122–133.
Emm D (2013) The threat landscape: A practical guide from the Kaspersky lab experts. [WWW document] http://media.kaspersky.com/en/business-security/kaspersky-threat-landscape-it-online-security-guide.pdf (accessed 17 November 2014).
Engelberg E and Sjöberg L (2004) Internet use, social skills, and adjustment. Cyber Psychology & Behavior 7 (1), 41–47.
Ernst & Young (2013) Under cyber attack: EY’s global information security survey 2013. [WWW document] http://www.ey.com/Publication/vwLUAssets/EY_-_2013_Global_Information_Security_Survey/$FILE/EY-GISS-Under-cyber-attack.pdf (accessed 17 November 2014).
Faul F, Erdfelder E, Lang A-G and Buchner A (2007) G*Power 3: a flexible statistical power analysis program for the social, behavioral, and biomedical sciences. Behavior Research Methods 39 (2), 175–191.
Faul F, Erdfelder E, Lang A-G and Buchner A (2009) Statistical power analyses using G*Power 3.1: tests for correlation and regression analyses. Behavior Research Methods 41 (4), 1149–1160.
Floyd DL, Prentice-Dunn S and Rogers RW (2000) A meta-analysis of research on protection motivation theory. Journal of Applied Social Psychology 30 (2), 407–429.
Goldberg LR (1993) The structure of phenotypic personality traits. American Psychologist 48 (1), 26–34.
Gullone E and Moore S (2000) Adolescent risk-taking and the five-factor model of personality. Journal of Adolescence 23 (4), 393–407.
Guo KH (2013) Security-related behavior in using information systems in the workplace: a review and synthesis. Computers & Security 32 (February), 242–251.
Herath R and Rao HR (2009) Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems 18 (2), 106–125.
Hirsh JB, DeYoung CG and Peterson JB (2009) Metatraits of the big five differentially predict engagement and restraint of behavior. Journal of Personality 77 (4), 1085–1102.
Hoffer JA and Straub DW (1989) The 9-to-5 underground: are you policing computer crimes. Sloan Management Review 30 (4), 35–43.
Hofmann W, Gschwendner T, Friese M, Wiers R and Shmitt M (2008) Working memory capacity and self-regulatory behavior: toward an individual differences perspective on behavior determination by automatic versus controlled processes. Journal of Personality and Social Psychology 95 (4), 962–977.
Hofstede G (1991) Work-Related Values, Software of the Mind. McGraw-Hill, UK, Berkshire.
Hsu JS-C, Shih S-P, Hung YW and Lowry PB (forthcoming) The role of extra-role behaviors and social controls in information security policy effectiveness. Information Systems Research.
Janis IL and Feshbach S (2006) Personality differences associated with responsiveness to fear-arousing communications. Journal of Personality 23 (2), 154–166.
Jasso G and Rossi PH (1977) Distributive justice and earned income. American Sociological Review 42 (4), 639–651.
Jasso G (2006) Factorial survey methods for studying beliefs and judgments. Sociological Methods & Research 34 (3), 334–423.
John OP and Srivastava S (1999) The big-five trait taxonomy: history, measurement, and theoretical perspectives. In Handbook of Personality: Theory and Research (Pervin LA and John OP Eds) Guilford Press, New York.
Johnston AC and Warkentin M (2010) Fear appeals and information security behaviors: an empirical study. MIS Quarterly 34 (3), 549–566.
Johnston AC, Wech B and Jack E (2013) Engaging remote employees: the moderating role of ‘remote’ status in determining employee information security policy awareness. Journal of Organizational and End User Computing 25 (1), 1–23.
Johnston AC, Warkentin M and Siponen M (2015) An enhanced fear appeal framework: leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly 39 (1), 113–134.
Junglas IA, Johnson NA and Spitzmüller C (2008) Personality traits and concern for privacy: an empirical study in the context of location-based services. European Journal of Information Systems 17 (4), 387–402.
Kajzer M, D’Arcy J, Crowell CR, Striegel A and Van Bruggen D (2014) An exploratory investigation of message-person congruence in information security awareness campaigns. Computers & Security 43 (June), 65–76.
Kammrath L, Mendoza-Denton R and Mischel W (2005) Incorporating if … then … personality signatures in person perception: beyond the person – situation dichotomy. Journal of Personality and Social Psychology 88 (4), 605–618.
Karim NSA, Zamzuri NHA and Nor YM (2009) Exploring the relationship between Internet ethics in university students and the big five model of personality. Computers & Education 53 (1), 86–93.
Keil M, Tan BCY, Wei K-K, Saarinen T, Tuunainen V and Wassanaar A (2000) A cross-cultural study on escalation of commitment behavior in software projects. MIS Quarterly 24 (2), 299–325.
Landers RN and Lounsbury JW (2006) An investigation of big five and narrow personality traits in relation to internet usage. Computers in Human Behavior 22 (2), 283–293.
Lee Y and Larsen KR (2009) Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software. European Journal of Information Systems 18 (2), 177–187.
Lim KH and Benbasat I (2000) The effect of multimedia on perceived equivocality and perceived usefulness of information systems. MIS Quarterly 24 (3), 449–471.
Lindqvist J (2012) Nudging people. WINLAB, Dept. of ECE, Rutgers University Presentation at the NSF/DIMACS Workshop for Aspiring PIs in Secure and Trustworthy Cyberspace, Raleigh, NC. 15 October. [WWW document] http://dimacs.rutgers.edu/Workshops/Aspiring/program.html (accessed 29 November 2012).
Littell R, Milliken G, Stroup W and Wolfinger R (1996) SAS Systems for Mixed Models. SAS Institute, Cary, NC.
Lyons CJ (2008) Individual perceptions and the social construction of hate crimes: a factorial survey. The Social Science Journal 45 (1), 107–131.
Maddux JE and Rogers RW (1983) Protection motivation and self-efficacy: a revised theory of fear appeals and attitude change. Journal of Experimental Social Psychology 19 (5), 469–479.
Major DA, Turner JE and Fletcher TD (2006) Linking proactive personality and the big five to motivation to learn and development activity. Journal of Applied Psychology 91 (4), 927–935.
McBride M, Carter L and Warkentin M (2012) One size doesn’t fit all: cybersecurity training should be customized. Technical Report, Institute for Homeland Security Solutions. [WWW document] http://sites.duke.edu/ihss/files/2011/12/CyberSecurity_2page-summary_mcbride-2012. pdf (accessed 25 June 2014).
McLean R, Sanders W and Stroup W (1991) A unified approach to mixed linear models. The American Statistician 45 (1), 54–64.
Mischel W (1968) Personality and Assessment. John Wiley & Sons, Hoboken, NJ.
Mischel W, Ebbesen EB and Zeiss AR (1973) Selective attention to the self: situational and dispositional determinants. Journal of Personality and Social Psychology 27 (1), 129–142.
Musek J (2007) A general factor of personality: evidence for the big one in the five-factor model. Journal of Research in Personality 41 (6), 1213–1233.
Nicholson N, Soane E, Fenton-O’creevy M and Willman P (2005) Personality and domain-specific risk taking. Journal of Risk Research 8 (2), 157–176.
Paulhus DL and Williams KM (2002) The dark triad of personality: narcissism, machiavellianism, and psychopathy. Journal of Research in Personality 36 (6), 556–563.
Piquero AR, MacIntosh R and Hickman M (2000) Does self‐control affect survey response? Applying exploratory, confirmatory, and item response theory analysis to Grasmick et al’s self‐control scale. Criminology 38 (3), 897–930.
Ponemon Institute (2013) 2014 state of endpoint risk. [WWW document] http://www.lumension.com/Lumension/media/graphics/Resources/2014-state-of-the-endpoint/2014-State-of-the-Endpoint-Whitepaper-Lumension.pdf (accessed 17 November 2014).
Posey C, Bennett RJ, Roberts TL and Lowry PB (2011) When computer monitoring backfires: privacy invasions and organizational injustice as precursors to computer abuse. Journal of Information Systems Security 7 (1), 24–47.
Rossi PH and Anderson AB (1982) The factorial survey approach: an introduction. In Measuring Social Judgments: The Factorial Survey Approach (Rossi PH and Nock SL, Eds), pp 15–67, Sage, Beverly Hills, CA.
Rossi PH and Nock SL (1982) Measuring Social Judgments: The Factorial Survey Approach. Sage Publications, Beverly Hills.
Self CA and Rogers RW (1990) Coping with threats to health: effects of persuasive appeals on depressed, normal, and antisocial personalities. Journal of Behavioral Medicine 13 (4), 343–357.
Shlay AB, Tran H, Weinraub M and Harmon M (2005) Teasing apart the child care conundrum: a factorial survey analysis of perceptions of child care quality, fair market price and willingness to pay by low-income, African American parents. Early Childhood Research Quarterly 20 (4), 393–413.
Shropshire J, Warkentin M and Sharma S (2015) Personality, attitudes, and intentions: predicting initial adoption of information security behavior. Computers & Security 29 (March), 177–191.
Sigall H and Mills J (1998) Measures of independent variables and mediators are useful in social psychological experiments: but are they necessary? Personality and Social Psychology Review 2 (3), 218–226.
Siponen M and Vance A (2010) Neutralization: new Insights into the problem of employee information systems security policy violations. MIS Quarterly 34 (3), 487–502.
Siponen M and Vance A (2014) Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations. European Journal of Information Systems 23 (3), 289–305.
Soane E and Chmiel N (2005) Are risk preferences consistent? The influence of decision domain and personality. Personality and Individual Differences 38 (8), 1781–1791.
Swickert RJ, Hittner JB, Harris JL and Herring JA (2002) Relationships among internet use, personality, and social support. Computers in Human Behavior 18 (4), 437–451.
Taylor BJ (2006) Factorial surveys: using vignettes to study professional judgement. British Journal of Social Work 36 (7), 1187–1207.
Trevino L and Victor B (1992) Peer reporting of unethical behavior: a social context perspective. Academy of Management Journal 35 (1), 38–64.
Trinkle BS, Crossler RE and Warkentin M (2014) I’m game, are you? Reducing real-world security threats by managing employee activity in virtual environments. Journal of Information Systems 28 (2), 307–327.
Vance A, Lowry PB and Eggett D (2013) Using accountability to reduce access policy violations in information systems. Journal of Management Information Systems 29 (4), 263–290.
Vance A, Lowry PB and Eggett D (2015) Increasing accountability through user-interface design artifacts: a new approach to address the problem of access-policy violations. MIS Quarterly 39 (2), 345–366.
Vecchione M, Alessandri G, Barbaranelli C and Caprara G (2011) Higher-order factors of the big five and basic values: empirical and theoretical relations. British Journal of Psychology 102 (3), 478–498.
Verizon (2015) Verizon data breach investigation report. [WWW document] http://www.verizonenterprise.com/DBIR/ (accessed 7 June 2015).
Warkentin M, Carter L and McBride ME (2011) Exploring the role of individual employee characteristics and personality on employee compliance with cyber security policies. Paper presented at the International Federation of Information Processing (IFIP) Dewald Roode Workshop on Information Systems Security Research, Blacksburg, VA.
Warkentin M, Johnston AC and Shropshire J (2011) The influence of the informal social learning environment on information privacy policy compliance efficacy and intention. European Journal of Information Systems 20 (3), 267–284.
Warkentin M, Straub D and Malimage K (2012) Measuring secure behavior: a research commentary. In Proceedings of the 7th Annual Symposium on Information Assurance, pp. 1–8, Albany, NY. [WWW document] http://www.albany.edu/iasymposium/proceedings/2012/5-Warkentin_Straub&Malimage.pdf (accessed 15 October 2015).
Warkentin M and Willison R (2009) Behavioral and policy issues in information systems security: the insider threat. European Journal of Information Systems 18 (2), 101–105.
Warkentin M, Willison R and Johnston AC (2011) The role of perceptions of organizational injustice and techniques of neutralization in forming computer abuse intentions. In Proceedings of the 17th Americas Conference on Information Systems (AMCIS), pp 1–8, Detroit, MI, August, [WWW document] http://aisel.aisnet.org/amcis2011_submissions/318/.
Wheeler SC, Petty R and Bizer G (2005) Self‐schema matching and attitude change: situational and dispositional determinants of message elaboration. Journal of Consumer Research 31 (4), 787–797.
Willison R and Warkentin M (2009) Motivations for employee computer crime: understanding and addressing workplace disgruntlement through the application of organisational justice. In Proceedings of the International Federation of Information Processing (IFIP) International Workshop on Information Systems Security Research (VANCE A. Ed), pp 127–144, Cape Town, South Africa, May.
Willison R and Warkentin M (2013) Beyond deterrence: an expanded view of employee computer abuse. MIS Quarterly 37 (1), 1–20.
Wilt J, Olson BD and McAdams DP (2011) Higher-order factors of the big five predict exploration and threat in life stories. Journal of Research in Personality 45 (6), 613–621.
Workman M, Bommer WH and Straub D (2008) Security lapses and the omission of information security measures: a threat control model and empirical test. Computers in Human Behavior 24 (6), 2799–2816.
Wright J and Mischel W (1987) A conditional approach to dispositional constructs: the local predictability of social behavior. Journal of Personality and Social Psychology 53 (6), 1159–1177.
Zhang L (2006) Thinking styles and the big five personality traits revisited. Personality and Individual Differences 40 (6), 1177–1187.
Zhang J, Luo X, Akkaladevi S and Ziegelmayer J (2009) Improving multiple-password recall: an empirical study. European Journal of Information Systems 18 (2), 165–176.
Zuckerman M and Kuhlman DM (2000) Personality and risk-taking: common bisocial factors. Journal of Personality 68 (6), 999–1029.
Acknowledgements
This study was funded by a grant from the Institute of Homeland Security Solutions (IHSS) as part of their Cyber Security Test Bed project. IHSS is a federally funded collaborative initiative that coordinates its research activities with the U.S. Department of Homeland Security’s Human Factors/Behavioral Sciences Division. An earlier version of this research was presented at the IFIP WG 8.11/11.13 Dewald Roode Workshop on Information Security Research. The authors also thank the anonymous reviewers for their insightful recommendations on earlier versions of this manuscript.
Author information
Authors and Affiliations
Corresponding author
Appendices
Appendix A
Sample vignette (plus items that follow each vignette)
Joe has just collected sensitive customer data for his company, and he wants to take that data home to continue his work. He knows his company requires that he request a password to be issued and applied to all data before taking it out of the office on a USB drive so that it cannot be accessed by an unauthorized individual. Joe has completed the password request procedure before, so he is confident he can do it again easily. Joe believes that without the password, it is not likely that unauthorized people will see the data, but if they do, nothing bad will happen. Joe believes that the password procedure is effective and prevents unauthorized people from seeing the data. Regardless, the password procedure takes several minutes, and he needs to leave now, so he skips the procedure. Joe believes his chances of being caught are low, but if caught, the punishment would be minimal.
Please select an answer for the following items as they relate to the vignette.
How confident was Joe about his ability to complete the password request procedure?
-
a
He was confident he could do it again easily.
-
b
He was not confident he could do it again easily.
What did Joe believe about the threat of other people seeing the data?
-
c He believed it was not likely they would see the data, but if they did, nothing bad would happen.
-
d He believed it was not likely they would see the data, but if they did, they may alter or misuse it.
-
e He believed it was likely they would see the data, but if they did, nothing bad would happen.
-
f He believed it was likely they would see the data, and if they did, they may alter or misuse it.
What did Joe believe about the effectiveness of the password procedure?
-
g He believes that the password procedure is effective and prevents unauthorized people from seeing the data.
-
h He believes that the password procedure is not effective and does not prevent unauthorized people from seeing the data.
What did Joe think about the punishment for his actions?
-
i Joe thought that it was unlikely he would be punished, and if so, the punishment would not be severe.
-
j Joe thought that it was unlikely he would be punished, but if he was, the punishment would be severe.
-
k Joe thought that it was likely he would be punished, but the punishment would not be severe.
-
l Joe thought that it was likely he would be punished, and the punishment would be severe.
Appendix B
Constructs manipulated in the vignettes (scenario versions)
Below are the statements associated with the various levels of each of the situational factors manipulated in the vignettes. The levels are shown in parentheses.
Self-efficacy levels
-
Joe has completed the password request procedure before, but he is not confident he can do it again easily – (low)
-
Joe has completed the password request procedure before, so he is confident he can do it again easily – (high)
Threat vulnerability and severity
-
Joe believes that, without the password, it is not likely that unauthorized people will see the data, but if they do, nothing bad will happen – (low/low)
-
Joe believes that, without the password, it is not likely that unauthorized people will see the data, but if they do, they may alter or misuse it – (low/high)
-
Joe believes that, without the password, it is likely that unauthorized people will see the data, but if they do, nothing bad will happen – (high/low)
-
Joe believes that, without the password, it is likely that unauthorized people will see the data and if they do, they may alter or misuse it – (high/high)
Sanction certainty and severity
-
Joe believes his chances of being caught are low, but if caught, the punishment would be minimal – (low/low)
-
Joe believes his chances of being caught are low, but if caught, the punishment would be severe – (low/high)
-
Joe believes his chances of being caught are high, and if caught, the punishment would be minimal – (high/low)
-
Joe believes his chances of being caught are high, and if caught, the punishment would be severe – (high/high)
Response efficacy
-
Joe believes that the password procedure is not effective and does not prevent unauthorized people from seeing the data – (low)
-
Joe believes that the password procedure is effective and prevents unauthorized people from seeing the data – (high)
Appendix C
Five factor (Big Five) survey
Please choose a number for each statement to indicate the extent to which you agree or disagree with that statement by selecting 1 to 7 where 1 means you Strongly Disagree with the statement and 7 means you Strongly Agree with the statement.
I see myself as someone who …
Extraversion
-
1
Is outgoing, sociable.
-
2
Is talkative.
-
3
Has an assertive personality.
-
4
Generates a lot of enthusiasm.
-
5
Is full of energy.
Agreeableness
-
1
Is considerate and kind to almost everyone.
-
2
Likes to cooperate with others.
-
3
Is helpful and unselfish with others.
-
4
Has a forgiving nature.
-
5
Is generally trusting.
Conscientiousness
-
1
Does a thorough job.
-
2
Does things efficiently.
-
3
Makes plans and follows through with them.
-
4
Is a reliable worker.
-
5
Perseveres until the task is finished.
Neuroticism
-
1
Can be moody.
-
2
Is depressed, blue.
-
3
Gets nervous easily.
-
4
Can be tense.
-
5
Worries a lot.
Openness
-
1
Is inventive.
-
2
Is original, comes up with new ideas.
-
3
Values artistic, esthetic experiences.
-
4
Has an active imagination.
-
5
Likes to reflect, play with ideas.
-
6
Is sophisticated in art, music, or literature.
-
7
Is ingenious, a deep thinker.
-
8
Is curious about many different things.
Appendix D
‘Stability’ meta-trait (C,A,−N) moderating influence plots. (a) Stability*Threat Vulnerability (TSUS) Plot; (b) Stability*Sanction Severity (SSEV) Plot; (c) Stability*Sanction Certainty (SCER) Plot.
Note: These plots depict a negative moderating effect of Stability on threat vulnerability, sanction severity, and sanction certainity. These plots suggest that as one's personality becomes more strongly aligned with the Stability meta-trait, he or she will be less likely than their less Stability oriented counterparts to form information security policy violation intentions when perceiving high degrees of threat vulnerability (TSUS=1), sanction severity (SSEV=1), or sanction certainty (SCER=1).
Appendix E
‘Plasticity’ meta-trait (O, E) moderating influence plots. (a) Plasticity*Response Efficacy (RESP) Plot; (b) Plasticity*Sanction Certainty Plot.
Note: These plots depict a positive moderating effect of Plasticity on response efficacy and sanction certainty. These plots suggest that as one's personality becomes more strongly aligned with the Plasticity meta-trait, he or she will be more likely than their less Plasticity-oriented counterparts to form information security policy violation intentions when perceiving high degrees of response efficacy (RESP=1) or sanction certainty (SCER=1).
Appendix F
PLS model for obtaining Big Five PLS weights.
Rights and permissions
About this article
Cite this article
Johnston, A., Warkentin, M., McBride, M. et al. Dispositional and situational factors: influences on information security policy violations. Eur J Inf Syst 25, 231–251 (2016). https://doi.org/10.1057/ejis.2015.15
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1057/ejis.2015.15