
Theorising Information Security Policy Violations

  • Conference paper
  • Published in: Information and Cyber Security (ISSA 2019)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1166)

Abstract

Information system security threats persist in organisations in spite of enormous investments in security measures. The academic literature and the media reflect the huge financial loss and reputational harm to organisations caused by computer-related security breaches. Although technical safeguards are indispensable, the academic literature highlights the ‘insider threat’. Organisational employees pose a significant threat, considering that they already have access to the organisation’s information systems; it is a matter of how they use or abuse that access. This article explores the theoretical foundation in the domain of information systems security policy violations. The academic databases are queried for key theories of computer compliance and non-compliance. These theories are examined for theoretical development. A problem area is identified and, subsequently, a theoretical model is proposed in an attempt to explain why employees violate information systems security policies.



Author information

Correspondence to Indren Govender or Bruce Watson.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Govender, I., Watson, B. (2020). Theorising Information Security Policy Violations. In: Venter, H., Loock, M., Coetzee, M., Eloff, M., Eloff, J. (eds) Information and Cyber Security. ISSA 2019. Communications in Computer and Information Science, vol 1166. Springer, Cham. https://doi.org/10.1007/978-3-030-43276-8_10

  • DOI: https://doi.org/10.1007/978-3-030-43276-8_10
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-43275-1
  • Online ISBN: 978-3-030-43276-8
  • eBook Packages: Computer Science (R0)
