Examining employee security violations: moral disengagement and its environmental influences

Herath, Tejaswini; Yim, Myung-Seong; D’Arcy, John; Nam, Kichan; Rao, H. Raghav

doi:10.1108/itp-10-2017-0322

Cited by 29 publications

(15 citation statements)

References 70 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…36 , 37 In our study, SETA programs refer to hospital staff’s perceived level of proficiency on common knowledge of information security environment, along with required information security skills provided by hospitals. 49 Prior evidence confirms that a SETA program can improve employees’ self-efficacy on security, 50 motivate employees to comply with security policy, 51 and increase employees’ perceptions concerning punishment severity and punishment certainty. 17 Therefore, hospital staff who attend these SETA programs are expected to possess a deeper knowledge about punishments of non-compliance to the ISP in addition to regular security policies and procedures.…”

Section: Theoretical Foundation Research Model and Hypothesesmentioning

confidence: 93%

“…16 In other words, proper compelling policies are required for useful security policy implementations. 49 Organizations should therefore make potential perpetrators aware of those enforcement rules in advance. 61 In this vein, if hospital staff are aware of the probability they will be punished when they are caught violating ISP, they will be more likely than not abide by the stated ISP.…”

Section: Theoretical Foundation Research Model and Hypothesesmentioning

confidence: 99%

See 1 more Smart Citation

Hospital Staff’s Adherence to Information Security Policy: A Quest for the Antecedents of Deterrence Variables

Kuo

Talley

Lin

2021

INQUIRY

View full text Add to dashboard Cite

Information security has come to the forefront as an organizational priority since information systems are considered as some of the most important assets for achieving competitive advantages. Despite huge capital expenditures devoted to information security, the occurrence of security breaches is still very much on the rise. More studies are thus required to inform organizations with a better insight on how to adequately promote information security. To address this issue, this study investigates important factors influencing hospital staff’s adherence to Information Security Policy (ISP). Deterrence theory is adopted as the theoretical underpinning, in which punishment severity and punishment certainty are recognized as the most significant predictors of ISP adherence. Further, this study attempts to identify the antecedents of punishment severity and punishment certainty by drawing from upper echelon theory and well-acknowledged international standards of IS security practices. A survey approach was used to collect 299 valid responses from a large Taiwanese healthcare system, and hypotheses were tested by applying partial least squares-based structural equation modeling. Our empirical results show that Security Education, Training, and Awareness (SETA) programs, combined with internal auditing effectiveness are significant predictors of punishment severity and punishment certainty, while top management support is not. Further, punishment severity and punishment certainty are significant predictors of hospital staff’s ISP adherence intention. Our study highlights the importance of SETA programs and internal auditing for reinforcing hospital staff’s perceptions on punishment concerning ISP violation, hospitals can thus propose better internal strategies to improve their staff’s ISP compliance intention accordingly.

show abstract

Section: Theoretical Foundation Research Model and Hypothesesmentioning

confidence: 93%

Section: Theoretical Foundation Research Model and Hypothesesmentioning

confidence: 99%

Hospital Staff’s Adherence to Information Security Policy: A Quest for the Antecedents of Deterrence Variables

Kuo

Talley

Lin

2021

INQUIRY

View full text Add to dashboard Cite

show abstract

“…Partially supported in 9 studies:  Computer abuse/crime (Dhillon et al, 2004;Harrington, 1996;Lee et al, 2004;Nicho & Kamoun, 2014;. Fan & Zhang, 2011;Hovav & D'Arcy, 2012) Not supported in 1 study:  Illegal policy violation (Hu, Xu, Dinev, & Ling, 2011) Noncriminal Supported in 18 studies:  Policy violation (Alshare et al, 2018;Barlow et al, 2013;Herath et al, 2018;Johnston et al, 2016;Khan & AlShare, 2019;Workman & Gathegi, 2007).…”

Section: About the Authorsmentioning

confidence: 99%

Common Misunderstandings of Deterrence Theory in Information Systems Research and Future Research Directions

2022

View full text Add to dashboard Cite

In the 1980s, information systems (IS) borrowed deterrence theory (DT) from the field of criminology to explain information security behaviors (or intention). Today, DT is among the most commonly used theories in IS security research. Our review of IS research applying DT highlights that many fundamental assumptions of DT are unrecognized and therefore unexamined. This may have resulted in misunderstandings and conceptual confusions regarding some of the basic concepts of DT. For example, some IS studies confuse general deterrence with specific deterrence or do not recognize the difference between the two. Moreover, these fundamental assumptions, when directly examined, may provide important information about the applicability of DT in certain IS security contexts. This research commentary aims to identify and discuss some of the fundamental assumptions of DT and their implications for IS research. By examining these assumptions, IS researchers can study the previously unexplored aspects of DT in different IS contexts. Further, by recognizing these assumptions, IS scholars can revise them and build new variants of DT to better account for specific characteristics of IS behaviors and contexts.

show abstract

“…The extant literature on ISP compliance has mostly focused on employees’ attitudinal state (value), perceptions of punishment and reward and competency (skills) (Cram et al , 2019). According to Cram et al (2019), the following concepts showed a robust positive influence on employee’s ISP compliance: social values and beliefs (Bulgurcu et al , 2010; Guo et al , 2011; Cheng et al , 2013; D’Arcy and Greene, 2014), individual norms and morality (Myyry et al , 2009; Vance and Siponen, 2012; Ifinedo, 2014; Moody et al , 2018), a proper reward system (Bulgurcu et al , 2010; Chen et al , 2012), sanctions (Bulgurcu et al , 2010; Hu et al , 2012), self-efficacy (Bulgurcu et al , 2010; Burns et al , 2018) and SETA (Bulgurcu et al , 2010; Burns et al , 2018; Han et al , 2017; Herath et al , 2018).…”

Section: Theoretical Backgroundmentioning

confidence: 99%

Protecting intellectual property from insider threats

Kim

Hovav

Han

2019

JIC

View full text Add to dashboard Cite

Purpose The purpose of this paper is to propose a theory of information security intelligence and examine the effects of managers’ information security intelligence (MISI) on employees’ procedural countermeasure awareness and information security policy (ISP) compliance intention. Design/methodology/approach A survey approach and structural equation modeling is utilized. Partial least squares (WarpPLS 6.0) and nonlinear algorithm are employed to analyze and examine the hypotheses. In total, 324 employees from companies in South Korea participated in the survey, which was conducted by a professional survey service company. Findings MISI positively affects employees’ awareness of information security procedural countermeasures; information security knowledge and problem-solving skills have positive effects on procedural countermeasures awareness; MISI increases employees’ compliance intention through procedural countermeasure awareness; and information security procedural countermeasures positively affect employees’ ISP compliance intention. Research limitations/implications This study proposes a theory of information security intelligence and examines its impacts on employees’ compliance intentions. The study highlights the mediating role of information security procedural countermeasures between information security intelligence and employees’ compliance intentions. Practical implications Managers should improve and explicitly demonstrate information security knowledge and problem-solving skills to increase employees’ ISP compliance intention. To protect the organization’s intellectual capital, managers should champion the development and promotion of PCM, rather than leave these functions to the information security group. Originality/value This is the first empirical study to propose and validate MISI.

show abstract

Examining employee security violations: moral disengagement and its environmental influences

Cited by 29 publications

References 70 publications

Hospital Staff’s Adherence to Information Security Policy: A Quest for the Antecedents of Deterrence Variables

Hospital Staff’s Adherence to Information Security Policy: A Quest for the Antecedents of Deterrence Variables

Common Misunderstandings of Deterrence Theory in Information Systems Research and Future Research Directions

Protecting intellectual property from insider threats

Contact Info

Product

Resources

About