Abstract
Information system security threats persist in organisations in spite of enormous investments in security measures. The academic literature and the media reflect the large financial losses and reputational harm that organisations suffer from computer-related security breaches. Although technical safeguards are indispensable, the academic literature highlights the ‘insider threat’: organisational employees pose a significant threat precisely because they already have legitimate access to the organisation’s information systems, so the question is how they use or abuse that access. This article explores the theoretical foundation of the domain of information systems security policy violations. Academic databases are queried for the key theories of computer security policy compliance and non-compliance, and these theories are examined for their theoretical development. A problem area is identified and, subsequently, a theoretical model is proposed in an attempt to explain why employees violate information systems security policies.
© 2020 Springer Nature Switzerland AG
Cite this paper
Govender, I., Watson, B. (2020). Theorising Information Security Policy Violations. In: Venter, H., Loock, M., Coetzee, M., Eloff, M., Eloff, J. (eds) Information and Cyber Security. ISSA 2019. Communications in Computer and Information Science, vol 1166. Springer, Cham. https://doi.org/10.1007/978-3-030-43276-8_10
DOI: https://doi.org/10.1007/978-3-030-43276-8_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-43275-1
Online ISBN: 978-3-030-43276-8