Dispositional and situational factors: influences on information security policy violations

Johnston, Allen C.; Warkentin, Merrill; McBride, Maranda; Carter, Lemuria

doi:10.1057/ejis.2015.15

Cited by 140 publications

(71 citation statements)

References 85 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These messages are often communicated via email and other forms of mass organizational communication because they can cost‐effectively reach wide audiences. But with mass communication, these messages can easily end up being generic or undifferentiated and subsequently not considered by some members of the target audience because they do not match these members’ expectations for the communication, perspectives on the topic of communication, or preferences for how the communication should be structured (Te'eni, ; Johnston, McBride, Carter, & Warkentin, ). Fortunately, scholars continue to advance our understanding of effective fear appeal communication strategies (Ruiter et al., ) and have provided a solid foundation upon which to enhance their effectiveness even further.…”

Section: Theoretical Frameworkmentioning

confidence: 99%

Speak their Language: Designing Effective Messages to Improve Employees’ Information Security Decision Making

et al. 2018

Self Cite

View full text Add to dashboard Cite

Employee disinterest in information security remains one of the greatest impediments to effective information security management programs. How can organizations enhance the persuasiveness of the information security messages used to warn employees of threats and encourage employees to take specific actions to improve their security? We use fear appeal theory and the elaboration likelihood model to argue that security messages presented using more personally relevant language are more likely to induce employees to engage in the recommended protective security behaviors. Our strategy uses organization identification theory to segment employees into two groups and then develops security messages that use language aligned with each of the two segments. We tested this strategy within a large U.S. organization, and found that employees were more likely to consider and act upon messages that used language aligned with their organizational identification than messages using language not aligned. The effect size was large. Our results show that subtly changing less than a dozen words in the way a security message was presented without changing its substantive content (e.g., using “our” instead of “your”) has both significant and meaningful effects on how employees think about and respond to it.

show abstract

Section: Theoretical Frameworkmentioning

confidence: 99%

Speak their Language: Designing Effective Messages to Improve Employees’ Information Security Decision Making

et al. 2018

Self Cite

View full text Add to dashboard Cite

show abstract

“…Although data were collected from individual decision makers in individual scenario evaluations, we did not account for individual differences, which have been shown to exert a significant influence on an employee's computer security actions (Johnston et al, ). Future research might control for many other individual‐level factors, such as dispositional differences in the way that individuals perceive sanctions, threats and responses, as well as key differences in the way that security policy compliance messages are received and processed by individuals (Johnston et al, ; Warkentin et al, ).…”

Section: Discussionmentioning

confidence: 99%

Examining employee computer abuse intentions: insights from justice, deterrence and neutralization perspectives

Willison

Warkentin

Johnston

2016

Information Systems Journal

Self Cite

112

View full text Add to dashboard Cite

Although employee computer abuse is a costly and significant problem for firms, the existing academic literature regarding this issue is limited. To address this gap, we apply a multi‐theoretical model to explain employees' intentions to abuse computers. To understand the motives for such behaviour, we investigate the role of two forms of organizational justice – distributive and procedural – both of which provide explanations of how perceptions of unfairness are created in the organizational context. By applying deterrence theory, we also examine the extent to which formal sanctions influence and moderate the intentions to abuse computers. Finally, we examine how the potential motives for abuse may be moderated by techniques of neutralization, which allow offenders to justify their actions and absolve themselves of any associated feelings of guilt and shame. Utilizing the scenario‐based factorial survey method for our experimental design, we empirically evaluated the association between these antecedents and the behavioural intention to violate Information systems (IS) security policies in an environment where the measurement of actual behaviour would be impossible. Our findings suggest that individual employees may form intentions to commit computer abuse if they perceive the presence of procedural injustice and that techniques of neutralization and certainty of sanctions moderate this influence. The implications of these findings for research and practice are presented. © 2016 John Wiley & Sons Ltd

show abstract

“…PMT for information security was extended by Johnston and Warkentin (2010) who argued that it invokes two separate appraisals, the threat (severity and likelihood) and the response (efficacy, cost, and one's self-efficacy to enact it). Studies have examined habit and PMT (Vance, Siponen, & Pahnila, 2012), used PMT and DT to further examine compliance (Johnston et al, 2015), and various extensions to PMT and fear appeals (Crossler et al, 2013;Johnston et al, 2016;Warkentin et al, 2011;Willison & Warkentin, 2013). For our phishing example, PMT would argue that an employee receiving an email with a link would first assess the likelihood that it was a threat and the magnitude of threat, and then assess the response cost (and efficacy and self-efficacy) of not clicking the link.…”

Section: Phishingmentioning

confidence: 99%

“…Much research has examined behavioral compliance (Johnston, Warkentin, McBride, & Carter, 2016;Johnston, Warkentin, & Siponen, 2015;Moody, Siponen, & Pahnila, 2018;Siponen & Vance, 2010), and many theories have been useful in explaining compliance behavior (e.g., Straub & Collins, 1990;Workman, Bommer, & Straub, 2008). Like most theories in information systems research, these theories quite naturally assume a rational actor thinking about and planning his or her behavior.…”

Section: Introductionmentioning

confidence: 99%

Security on Autopilot

Dennis

Minas

2018

SIGMIS Database

View full text Add to dashboard Cite

Most current information systems security theories assume a rational actor making deliberate decisions, yet recent research in psychology suggests that such deliberate thinking is not as common as we would expect. Much of human behavior is controlled by nonconscious automatic cognition (called System 1 cognition). The deliberate rational cognition of System 2 is triggered when System 1 detects something that is not normal; otherwise we often operate on autopilot. When we do engage System 2 cognition, it is influenced by the System 1 cognition that preceded it. In this paper we present an alternative theoretical approach to information security that is based on the nonconscious automatic cognition of System 1. In a System 1 world, cognition is a sub-second process of pattern-matching a stimulus to an existing person-context heuristic. These person-context heuristics are influenced by personality characteristics and a lifetime of experiences in the context. Thus System 1 theories are closely tied to individuals and the specific security context of interest. Methods to improve security compliance take on a very new form; the traditional approaches to security education and training that provide guidelines and ways to think about security have no effect when behavior is controlled by System 1, because System 1 cognition is instant pattern matching not deliberative. Thus in a System 1 world, we improve security by changing the heuristics used by System 1's pattern matching and/or by changing what System 1 sees as "normal" so that it triggers the deliberate cognition of System 2. In this article, we examine System 1 and System 2 cognition, while calling for increased research to develop theories of System 1 cognition in the cybersecurity literature.

show abstract

Dispositional and situational factors: influences on information security policy violations

Cited by 140 publications

References 85 publications

Speak their Language: Designing Effective Messages to Improve Employees’ Information Security Decision Making

Speak their Language: Designing Effective Messages to Improve Employees’ Information Security Decision Making

Examining employee computer abuse intentions: insights from justice, deterrence and neutralization perspectives

Security on Autopilot

Contact Info

Product

Resources

About