Dispositional and situational factors: influences on information security policy violations

Abstract

Insiders represent a major threat to the security of an organization’s information resources. Previous research has explored the role of dispositional and situational factors in promoting compliant behavior, but these factors have not been studied together. In this study, we use a scenario-based factorial survey approach to identify key dispositional and situational factors that lead to information security policy violation intentions. We obtained 317 observations from a diverse sample of insiders. The results of a general linear mixed model indicate that dispositional factors (particularly two personality meta-traits, Stability and Plasticity) serve as moderators of the relationships between perceptions derived from situational factors and intentions to violate information security policy. This study represents the first information security study to identify the existence of these two meta-traits and their influence on information security policy violation intentions. More importantly, this study provides new knowledge of how insiders translate perceptions into intentions based on their unique personality trait mix.


Acknowledgements

This study was funded by a grant from the Institute of Homeland Security Solutions (IHSS) as part of their Cyber Security Test Bed project. IHSS is a federally funded collaborative initiative that coordinates its research activities with the U.S. Department of Homeland Security’s Human Factors/Behavioral Sciences Division. An earlier version of this research was presented at the IFIP WG 8.11/11.13 Dewald Roode Workshop on Information Security Research. The authors also thank the anonymous reviewers for their insightful recommendations on earlier versions of this manuscript.

Author information

Corresponding author

Correspondence to Merrill Warkentin.

Appendices

Appendix A

Sample vignette (plus items that follow each vignette)

Joe has just collected sensitive customer data for his company, and he wants to take that data home to continue his work. He knows his company requires that he request a password to be issued and applied to all data before taking it out of the office on a USB drive so that it cannot be accessed by an unauthorized individual. Joe has completed the password request procedure before, so he is confident he can do it again easily. Joe believes that without the password, it is not likely that unauthorized people will see the data, but if they do, nothing bad will happen. Joe believes that the password procedure is effective and prevents unauthorized people from seeing the data. Regardless, the password procedure takes several minutes, and he needs to leave now, so he skips the procedure. Joe believes his chances of being caught are low, but if caught, the punishment would be minimal.

Please select an answer for the following items as they relate to the vignette.

How confident was Joe about his ability to complete the password request procedure?

  • a He was confident he could do it again easily.

  • b He was not confident he could do it again easily.

What did Joe believe about the threat of other people seeing the data?

  • c He believed it was not likely they would see the data, but if they did, nothing bad would happen.

  • d He believed it was not likely they would see the data, but if they did, they may alter or misuse it.

  • e He believed it was likely they would see the data, but if they did, nothing bad would happen.

  • f He believed it was likely they would see the data, and if they did, they may alter or misuse it.

What did Joe believe about the effectiveness of the password procedure?

  • g He believes that the password procedure is effective and prevents unauthorized people from seeing the data.

  • h He believes that the password procedure is not effective and does not prevent unauthorized people from seeing the data.

What did Joe think about the punishment for his actions?

  • i Joe thought that it was unlikely he would be punished, and if so, the punishment would not be severe.

  • j Joe thought that it was unlikely he would be punished, but if he was, the punishment would be severe.

  • k Joe thought that it was likely he would be punished, but the punishment would not be severe.

  • l Joe thought that it was likely he would be punished, and the punishment would be severe.

Appendix B

Constructs manipulated in the vignettes (scenario versions)

Below are the statements associated with the various levels of each of the situational factors manipulated in the vignettes. The levels are shown in parentheses.

Self-efficacy levels

  • Joe has completed the password request procedure before, but he is not confident he can do it again easily – (low)

  • Joe has completed the password request procedure before, so he is confident he can do it again easily – (high)

Threat vulnerability and severity

  • Joe believes that, without the password, it is not likely that unauthorized people will see the data, but if they do, nothing bad will happen – (low/low)

  • Joe believes that, without the password, it is not likely that unauthorized people will see the data, but if they do, they may alter or misuse it – (low/high)

  • Joe believes that, without the password, it is likely that unauthorized people will see the data, but if they do, nothing bad will happen – (high/low)

  • Joe believes that, without the password, it is likely that unauthorized people will see the data and if they do, they may alter or misuse it – (high/high)

Sanction certainty and severity

  • Joe believes his chances of being caught are low, but if caught, the punishment would be minimal – (low/low)

  • Joe believes his chances of being caught are low, but if caught, the punishment would be severe – (low/high)

  • Joe believes his chances of being caught are high, and if caught, the punishment would be minimal – (high/low)

  • Joe believes his chances of being caught are high, and if caught, the punishment would be severe – (high/high)

Response efficacy

  • Joe believes that the password procedure is not effective and does not prevent unauthorized people from seeing the data – (low)

  • Joe believes that the password procedure is effective and prevents unauthorized people from seeing the data – (high)

Appendix C

Five factor (Big Five) survey

Please choose a number for each statement to indicate the extent to which you agree or disagree with that statement by selecting 1 to 7 where 1 means you Strongly Disagree with the statement and 7 means you Strongly Agree with the statement.

I see myself as someone who …

Extraversion

  1. Is outgoing, sociable.

  2. Is talkative.

  3. Has an assertive personality.

  4. Generates a lot of enthusiasm.

  5. Is full of energy.

Agreeableness

  1. Is considerate and kind to almost everyone.

  2. Likes to cooperate with others.

  3. Is helpful and unselfish with others.

  4. Has a forgiving nature.

  5. Is generally trusting.

Conscientiousness

  1. Does a thorough job.

  2. Does things efficiently.

  3. Makes plans and follows through with them.

  4. Is a reliable worker.

  5. Perseveres until the task is finished.

Neuroticism

  1. Can be moody.

  2. Is depressed, blue.

  3. Gets nervous easily.

  4. Can be tense.

  5. Worries a lot.

Openness

  1. Is inventive.

  2. Is original, comes up with new ideas.

  3. Values artistic, esthetic experiences.

  4. Has an active imagination.

  5. Likes to reflect, play with ideas.

  6. Is sophisticated in art, music, or literature.

  7. Is ingenious, a deep thinker.

  8. Is curious about many different things.

Appendix D

Figure D1


‘Stability’ meta-trait (C,A,−N) moderating influence plots. (a) Stability*Threat Vulnerability (TSUS) Plot; (b) Stability*Sanction Severity (SSEV) Plot; (c) Stability*Sanction Certainty (SCER) Plot.

Note: These plots depict a negative moderating effect of Stability on threat vulnerability, sanction severity, and sanction certainty. These plots suggest that as one's personality becomes more strongly aligned with the Stability meta-trait, he or she will be less likely than their less Stability-oriented counterparts to form information security policy violation intentions when perceiving high degrees of threat vulnerability (TSUS=1), sanction severity (SSEV=1), or sanction certainty (SCER=1).

Appendix E

Figure E1


‘Plasticity’ meta-trait (O, E) moderating influence plots. (a) Plasticity*Response Efficacy (RESP) Plot; (b) Plasticity*Sanction Certainty Plot.

Note: These plots depict a positive moderating effect of Plasticity on response efficacy and sanction certainty. These plots suggest that as one's personality becomes more strongly aligned with the Plasticity meta-trait, he or she will be more likely than their less Plasticity-oriented counterparts to form information security policy violation intentions when perceiving high degrees of response efficacy (RESP=1) or sanction certainty (SCER=1).

Appendix F

Figure F1


PLS model for obtaining Big Five PLS weights.

Cite this article

Johnston, A., Warkentin, M., McBride, M. et al. Dispositional and situational factors: influences on information security policy violations. Eur J Inf Syst 25, 231–251 (2016). https://doi.org/10.1057/ejis.2015.15

  • DOI: https://doi.org/10.1057/ejis.2015.15

Keywords

  • information security policy violation
  • protection motivation theory
  • general deterrence theory
  • Big Five personality traits
  • meta-traits
  • factorial survey method