Skip to main content

What levels of moral reasoning and values explain adherence to information security rules? An empirical study

Abstract

It is widely agreed that employee non-adherence to information security policies poses a major problem for organizations. Previous research has pointed to the potential of theories of moral reasoning to better understand this problem. However, we find no empirical studies that examine the influence of moral reasoning on compliance with information security policies. We address this research gap by proposing a theoretical model that explains non-compliance in terms of moral reasoning and values. The model integrates two well-known psychological theories: the Theory of Cognitive Moral Development by Kohlberg and the Theory of Motivational Types of Values by Schwartz. Our empirical findings largely support the proposed model and suggest implications for practice and research on how to improve information security policy compliance.

This is a preview of subscription content, access via your institution.

Figure 1
Figure 2

Notes

  1. Philosophers have defined moral conflicts in a variety of ways (Nagel, 1987; Hill, 1996; Mason, 1996), but consensus holds that in a moral conflict the moral agent should do A, but, simultaneously, should also do B. However, the agent cannot do both A and B.

References

  • Akers RL and Sellers CS (1994) Criminological Theories: Introduction, Evaluation, and Application. Roxbury Publishing, Los Angeles, CA.

    Google Scholar 

  • Allport G (1963) Pattern and Growth in Personality. Holt, Rinehart & Winston, London.

    Google Scholar 

  • Banerjee D, Cronan TP and Jones TW (1998) Modeling IT ethics: a study in situational ethics. MIS Quarterly 22 (1), 31–60.

    Article  Google Scholar 

  • Bardi A and Schwartz SH (2003) Values and behaviour: strength and structure of relations. Personality and Social Psychology Bulletin 29 (10), 1207–1220.

    Article  Google Scholar 

  • Bilsky W and Schwartz SH (1994) Values and personality. European Journal of Personality 8 (3), 161–181.

    Article  Google Scholar 

  • Blasi A (1980) Bridging moral cognition and moral action: a critical review of the literature. Psychological Bulletin 88 (1), 1–45.

    Article  Google Scholar 

  • Carpendale J and Krebs DL (1992) Situational variation in moral judgment: in a stage or on a stage? Journal of Youth and Adolescence 21 (2), 203–224.

    Article  Google Scholar 

  • Carpendale J and Krebs DL (1995) Variations in level of moral judgments as a function of type of dilemma and moral choice. Journal of Personality 63 (2), 289–313.

    Article  Google Scholar 

  • Colby A and Kohlberg L (1987) The Measurement of Moral Judgment, Vols. 1 and 2. Cambridge University Press, New York.

    Google Scholar 

  • D'Arcy J, Hovav A and Galletta DF (2009) User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Information Systems Research 20 (1), 79–98.

    Article  Google Scholar 

  • Denton K and Krebs K (1990) From the scene to the crime: the effect of alcohol and social context on moral judgment. Journal of Personality and Social Psychology 59 (2), 242–248.

    Article  Google Scholar 

  • Deutsch M (1985) Distributive Justice: A Social-Psychological Perspective. Yale University Press, New Haven.

    Google Scholar 

  • Devos T, Spini D and Schwartz SH (2002) Conflicts among human values and trust in institutions. British Journal of Social Psychology 41 (4), 491–494.

    Article  Google Scholar 

  • deVries B and Walker LJ (1986) Moral reasoning and attitudes toward capital punishment. Developmental Psychology 22 (4), 509–513.

    Article  Google Scholar 

  • Emler N, Tarry H and St. James A (2007) Post-conventional moral reasoning and reputation. Journal of Research in Personality 41 (1), 76–89.

    Article  Google Scholar 

  • Feather NT (1990) Bridging the gap between values and actions. Recent applications of the expectancy-value model. In Handbook of Motivation and Cognition (HIGGINS ET and SORRENTINO RM, Eds), Vol. 2, pp 151–192, Guilford Press, New York.

    Google Scholar 

  • Feather NT (1992) Values, valences, expectations, and actions. Journal of Social Issues 48 (2), 109–124.

    Article  Google Scholar 

  • Finne T (1996) The information security chain in a company. Computers & Security 15 (4), 297–316.

    Article  Google Scholar 

  • Greenberg J (2002) Who stole the money, and when? Individual and situational determinants of employee theft. Organizational Behavior and Human Decision Processes 89 (1), 985–1003.

    Article  Google Scholar 

  • Hair JF, Anderson RE, Tatham RL and Black WC (1998) Multivariate Data Analysis 5th edn, Prentice Hall, Englewood Cliffs, NJ.

    Google Scholar 

  • Hare RM (1981) Moral Thinking: Its Levels, Methods, and Point. Clarendon Press, Oxford.

    Book  Google Scholar 

  • Harré R (1983) Personal Being. A Theory for Individual Psychology. Blackwell, Oxford.

    Google Scholar 

  • Harrington SJ (1996) The effects of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions. MIS Quarterly 20 (3), 257–278.

    Article  Google Scholar 

  • Helkama K, Uutela A, Pohjanheimo E, Salminen S, Koponen A and Rantanen-Väntsi L (2003) Moral reasoning and values in medical school: a longitudinal study in Finland. Scandinavian Journal of Educational Research 47 (4), 399–411.

    Article  Google Scholar 

  • Hill TE (1996) Moral dilemmas, gaps, and residues: a Kantian perspective. In Moral Dilemmas and Moral Theory (MASON HE, Ed), pp 167–198, Oxford University Press, New York.

    Google Scholar 

  • Hoffman ML (1970) Moral development. In Carmichael's Manual of Child Psychology (MUSSEN PH, Ed), Vol. 2, 3rd edn, Wiley, Wiley, New York.

    Google Scholar 

  • Hofstede G (1980) Culture's Consequences: International Differences in Work-related Values. Sage, London.

    Google Scholar 

  • Inglehart R (1977) The Silent Revolution: Changing Values and Political Styles in Advanced Industrial Society. Princeton University Press, Princeton, NJ.

    Google Scholar 

  • King PM and Mayhew MJ (2002) Moral judgment development in higher education: insights from the defining issues test. Journal of Moral Education 31 (3), 247–270.

    Article  Google Scholar 

  • Kohlberg L (1969) Stage and sequence: the cognitive-developmental approach to socialization. In Handbook of Socialization Theory and Research (GOSLIN D, Ed), pp 347–480, Rand McNally, Chicago.

    Google Scholar 

  • Kohlberg L (1984) The Psychology of Moral Development. Harper & Row, New York.

    Google Scholar 

  • Kristiansen CM and Hotte AM (1996) Morality and self: implications for the when and how of value-attitude-behaviour relations. In Ontario Symposium on Personality and Social Psychology: Values (SELIGMAN C, OLSON J and ZANNA MP, Eds), Vol. 8, pp 77–106, Erlbaum, Hillsdale, NJ.

    Google Scholar 

  • Lan G, Gowing M, McMahon S, Rieger F and King N (2008) A study of the relationship between personal values and moral reasoning of undergraduate business students. Journal of Business Ethics 78 (1), 121–139.

    Article  Google Scholar 

  • Lee AS and Baskerville RL (2003) Generalizing generalizability in information systems research. Information Systems Research 14 (3), 221–243.

    Article  Google Scholar 

  • Lee J and Lee Y (2002) A holistic model of computer abuse within organizations. Information Management and Computer Security 10 (2), 57–63.

    Article  Google Scholar 

  • Lind G and Wakenhut R (1985) Testing for moral judgment competence. In Moral Development and the Social Environment (LIND G, HARTMANN HA and WAKENHUT R, Eds), pp 79–115, Precedent Publishing, Chicago.

    Google Scholar 

  • Logsdon JM, Thompson JK and Reid RA (1994) Software piracy: is it related to level of moral judgment? Journal of Business Ethics 13 (11), 849–857.

    Article  Google Scholar 

  • Macquarrie J and Childress J (1986) A New Dictionary of Christian Ethics 2nd edn, SCM Press, London.

    Google Scholar 

  • Malhotra N, Kim S and Agarwal J (2004) Internet users’ information privacy concerns (IUIPC): the construct, the scale, and a causal model. Information Systems Research 15 (4), 336–355.

    Article  Google Scholar 

  • Mason HE (1996) Introduction. In Moral Dilemmas and Moral Theory (MASON HE, Ed), pp 3–9, Oxford University Press, New York.

    Google Scholar 

  • Moores T and Chang J (2006) Ethical decision making in software piracy: initial development and test of a four-component model. MIS Quarterly 30 (1), 167–180.

    Google Scholar 

  • Myyry L (2002) Everyday value conflicts and integrative complexity of thought. Scandinavian Journal of Psychology 43 (5), 385–395.

    Article  Google Scholar 

  • Myyry L and Helkama K (2002) The role of value priorities and professional ethics training in moral sensitivity. Journal of Moral Education 31 (1), 35–50.

    Article  Google Scholar 

  • Nagel T (1987) The fragmentation of value. In Moral Dilemmas (GOWANS CW, Ed), pp 174–187, Oxford University Press, New York.

    Google Scholar 

  • Narvaez D and Bock T (2002) Moral schemas and tacit judgment or how the defining issues test is supported by cognitive science. Journal of Moral Education 31 (3), 297–314.

    Article  Google Scholar 

  • Nunnally JC (1967) Psychometric Theory. McGraw-Hill, New York.

    Google Scholar 

  • Pahnila S, Siponen MT and Mahmood A (2007) Which factors explain employees’ adherence to information security policies? An empirical study. Proceedings of the PACIS 2007, 3–6 July 2007, Auckland, New Zealand.

  • Popper K (1985) Popper Selections (MILLER DW, Ed), Princeton University Press, Princeton, NJ.

    Google Scholar 

  • Puhakainen P (2006) Design theory for information security awareness. Unpublished Ph.D. Thesis, University of Oulu, Finland.

  • Renwick S and Emler N (1984) Moral reasoning and delinquent behaviour among students. British Journal of Social Psychology 23 (3), 281–283.

    Article  Google Scholar 

  • Rest JR (1979) Development in Judging Moral Issues. University of Minnesota, Minneapolis, MN.

    Google Scholar 

  • Rest JR (1986) Moral Development: Advances in Research and Theory. Praeger, New York.

    Google Scholar 

  • Rest JR (1994) Background: theory and research. In Moral Development in the Professions: Psychology and Applied Ethics (REST JR and NARVAEZ D, Eds), pp 1–26, Lawrence Erlbaum Associates, Hillsdale, NJ.

    Google Scholar 

  • Rest JR, Thoma S and Edwards L (1997) Designing and validating a measure of moral judgment: stage preference and stage consistency approaches. Journal of Educational Psychology 89 (1), 5–28.

    Article  Google Scholar 

  • Rokeach M (1973) The Nature of Human Values. Free Press, New York.

    Google Scholar 

  • Sagiv L and Schwartz SH (2000) Value priorities and subjective well-being: direct relations and congruity effects. European Journal of Social Psychology 30 (2), 177–198.

    Article  Google Scholar 

  • Sagiv L and Schwartz SH (2004) Values, intelligence and client behaviour in career counselling: a field study. European Journal of Psychology of Education 19 (3), 237–254.

    Article  Google Scholar 

  • Schwartz SH (1992) Universals in the content and structure of values: theoretical advances and empirical tests in 20 countries. In Advances in Experimental Social Psychology (ZANNA MP, Ed), Vol. 25, pp 1–65, Academic Press, San Diego, CA.

    Google Scholar 

  • Schwartz SH (2007) Universalism values and the inclusiveness of our moral universe. Journal of Cross-Cultural Psychology 38 (6), 711–728.

    Article  Google Scholar 

  • Schwartz SH and Boehnke K (2004) Evaluating the structure of human values with confirmatory factor analysis. Journal of Research in Personality 38 (3), 230–255.

    Article  Google Scholar 

  • Schwartz SH, Lehmann A and Roccas S (1999) Multimethod probes of basic human values. In Social Psychology and Cultural Context (ADAMOPOULS J and KASHIMA Y, Eds), pp 107–123, Sage, Thousand Oaks, CA.

    Chapter  Google Scholar 

  • Schwartz SH and Rubel T (2005) Sex differences in value priorities: cross-cultural and multimethod studies. Journal of Personality and Social Psychology 89 (6), 1010–1028.

    Article  Google Scholar 

  • Schwartz SH, Sagiv L and Boehnke K (2000) Worries and values. Journal of Personality 68 (2), 309–346.

    Article  Google Scholar 

  • Silfver M, Helkama K, Lönnqist J and Verkasalo M (2008) The relation between value priorities and proneness to guilt, shame, and empathy. Motivation and Emotion 32 (2), 69–80.

    Article  Google Scholar 

  • Siponen M (2000) A conceptual foundation for organizational is security awareness. Information Management & Computer Security 8 (1), 31–41.

    Article  Google Scholar 

  • Siponen MT (2002) On the role of human morality in information system security: from the problems of descriptivism to non-descriptive foundations. In Ethical Issues of Information Systems (SALEHNIA A, Ed), Idea Group Publishing, Hershey, PA.

    Google Scholar 

  • Siponen MT and Vartiainen T (2004) Unauthorized copying of software and levels of moral development: implications for research and practice. Information Systems Journal 14 (4), 387–407.

    Article  Google Scholar 

  • Siponen MT, Pahnila S and Mahmood A (2007) Employees’ adherence to information security policies: an empirical study. Proceedings of the IFIP SEC 2007, 14–16 May 2007, Sandton, Gauteng, South Africa.

  • Skoe EEA (1998) The ethic of care: issues in moral development. In Personality Development in Adolescence: A Cross National and Life Span Perspective (SKOE E and VON DER LIPPE A, Eds), pp 143–171, Routledge, London.

    Google Scholar 

  • Straub DW (1990) Effective IS security: an empirical study. Information Systems Research 1 (3), 255–276.

    Article  Google Scholar 

  • Straub DW and Welke RJ (1998) Coping with systems risk: security planning models for management decision making. MIS Quarterly 22 (4), 441–469.

    Article  Google Scholar 

  • Trevino LK (1992) Experimental approaches to studying ethical-unethical behavior in organizations. Business Ethics Quarterly 2 (2), 121–136.

    Article  Google Scholar 

  • Vartiainen T (2007) Moral conflicts in teaching project work: a job burdened by role strains. Communications of the Association for Information Systems 20 (1), 681–711.

    Google Scholar 

  • Verkasalo M, Daun Å and Niit T (1994) Universal values in Estonia, Finland and Sweden. Ethonologia Europaea 24 (2), 101–117.

    Google Scholar 

  • Walker L, deVries B and Bichard SL (1984) The hierarchical nature of stages of moral development. Developmental Psychology 20 (5), 960–966.

    Article  Google Scholar 

  • Warkentin M, Shropshire J and Johnston AC (2007) The IT security adoption conundrum: an initial step towards validation of applicable measures. Proceedings of the 13th Americas Conference on Information Systems, Keystone, CO.

  • Weber J (1992) Scenarios in business ethics research: review, critical assessment, and recommendations. Business Ethics Quarterly 2 (2), 137–160.

    Article  Google Scholar 

  • Whitman ME and Mattord HJ (2008) Management of Information Security 2nd edn, Thompson Course Technology, Boston, MA.

    Google Scholar 

  • Willison R (2006) Understanding the perpetration of employee computer crime in the organisational context. Information and Organization 16 (4), 304–324.

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Mikko Siponen.

Appendix A

Appendix A

The case: sharing personal user name and password with co-workers

Nurses use a healthcare information system. They obtain patient information from this system, and the nurses have to use a personal user name and password in the system. Many nurses find the use of personal user names and passwords to be cumbersome because they have difficulty remembering their passwords. One of the nurses wondered whether he should share his username and password with his co-workers.

Should the nurse share his password with his co-workers? (Mark only one answer.) illustration

figure b

How important do you regard each of the following questions to be when it comes to the question of whether the nurse should share his/her password to his/her co-workers. (Please mark only one ‘X’ for each line.) illustration

figure a

Select the four most important questions:

Most important _____

Next most important _____

Third in importance _____

Fourth in importance _____

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Myyry, L., Siponen, M., Pahnila, S. et al. What levels of moral reasoning and values explain adherence to information security rules? An empirical study. Eur J Inf Syst 18, 126–139 (2009). https://doi.org/10.1057/ejis.2009.10

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1057/ejis.2009.10

Keywords

  • information security
  • information security policy compliance
  • moral reasoning
  • theory of cognitive moral development
  • theory of motivational types of values