An Analysis of the Combined Influences of
Neutralization and Planned Behavior on
Desirable Information Security Behavior
Stefan Bauer
Vienna University of Economics and Business
Stefan.Bauer@wu.ac.at
Edward W. N. Bernroider
Vienna University of Economics and Business
Edward.Bernroider@wu.ac.at
Abstract
The aim of this paper is to develop a better understanding of the importance of
neutralization methods in the context of desirable information security behavior of
employees. Past behavioral intention theories, such as the theory of planned behavior, have
not sufficiently accounted for neutralization by which employees may temporarily neutralize
certain values when determining the formation of an intention and consequently behavior.
We provide a new integrated view on security behavior by combining the theory of planned
behavior and neutralization theory in one study. Based on the analysis of 220 data sets
acquired by an online survey, our results support the hypotheses gained from both theories.
In particular, neutralization techniques are used by employees to justify undesired security
behaviors. In relative terms, neutralization seems to be at least as important as the
predictors of the theory of planned behavior when considering effect sizes. Our main
contribution is to provide evidence for the important role of the six considered neutralization
techniques, which implies that these techniques should be proactively addressed in the development of
effective information security awareness programs.
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014
Introduction
The provision of information security is nowadays a very important topic for most enterprises across all
industries. Several industry reports show that information security incidents are threatening
organizations’ business, especially organizations which rely heavily on information processing and data
assets (Goldstein et al. 2011). Information security practices should ensure availability, confidentiality and
integrity of data and data assets of an organization (Hu et al. 2012). Previous research has shown that
technological measures alone cannot protect organizations' information systems; rather, employees have to
act in a desirable way to ensure the goals of information security (Willison et al. 2013).
Employees' behavior regarding information systems and technology is an important topic for organizations'
information security management. Employees do not always act desirably with regard to information technology
or information systems (Warkentin et al. 2009). Several scholars have established classifications of
employee security behavior (Guo 2013; Padayachee 2012; Stanton et al. 2005). In our research context, we
differentiate between desirable and undesirable employee behavior. Desirable employee behavior is
normally made explicit in the information security policies of an organization, which prescribe rules, for example
about handling e-mails, passwords or data, in a way that ensures security in the organization.
Desirable employee behavior can be defined as a set of behaviors where an employee acts in compliance with
information security policies and work instructions. Furthermore, it is desirable that employees take
precautions and actively protect their information systems and technology (Bauer et al. 2013a; Bauer et al.
2013b). Employees’ undesirable behavior regarding information security could have unpredictable
consequences, because a violation of the security policy could open a loophole for an internal malicious
coworker or external perpetrator (Willison et al. 2013). Further, the aggregation of small violations could
have a huge impact on the organizations’ security, especially if the data and their assets are critical resources
for the organization.
Employees' violations of the information security policy have different specific reasons. We assume that
neutralization techniques such as the denial of responsibility provide acceptable justifications for
employees to act in a deviant way (Lim 2002). Employees may excuse their undesirable behavior through
a range of different neutralization techniques (Barlow et al. 2013; Siponen et al. 2010). In general, we can
distinguish between malicious behavior and non-malicious behavior. Malicious employee behavior is defined as
security-damaging behavior where the employee’s intention is to harm the organization for his own benefit
(Guo 2013). The present research focuses on non-malicious behavior. We assume that employees use
neutralization techniques to excuse their deviant behavior concerning information security without the
actual intention to harm the organization.
The main contribution of the present research is to analyze the influence of different neutralization
techniques in the context of the theory of planned behavior in one research model. To our knowledge, the
theory of planned behavior has not yet been analyzed in connection with neutralization theory in the
information systems (IS) context. Based on previous studies, we assume that neutralization, together with
the well-established predictors of the theory of planned behavior, namely subjective norm, attitude and
perceived behavioral control, influences the individual's desirable information security behavior, or at least
the individual's intention to behave accordingly.
The outcome of the study provides important insights for researchers as well as for practitioners.
Organizations' chief information security officers need to design and implement information security
awareness programs to make employees aware of potential threats (Bauer et al. 2013b). The findings of
our research confirm that the common self-centered beliefs described by neutralization theory should complement the
traditional belief systems used in behavioral reasoning analysis. Some neutralization techniques may even be
more important than general attitudes towards the security behavior in question and subjective norms.
The remainder of the paper has been divided into the following sections. Next, we introduce the theoretical
backgrounds of the theory of planned behavior (TPB) and neutralization theory in the context of this study.
This is followed by a presentation of the research model, hypotheses and variables. The next section
describes methodological issues of the research. Finally, we discuss the preliminary results of the
quantitative study before concluding the paper.
Theoretical Background
Previous literature on behavioral reasoning dealing with information security behavior of employees
applied several theories ranging from, e.g., deterrence theory (Gibbs 1968), protection motivation theory
(Rogers 1975), or theory of reasoned action (Ajzen et al. 1980) to its extension the theory of planned
behavior (Ajzen 1991). A number of authors have suggested that future research in behavioral information
security research has to identify and combine more innovative concepts to explore information security
behavior (Warkentin et al. 2012). For that matter, we chose to explore a range of neutralization techniques
in conjunction with the theory of planned behavior (TPB) as potential predictors of employees' security
behavior. Neutralization theory is a sociological theory explaining anomalous individual behavior, and its
link with the TPB was perceived as a gap in the current literature in the field of information security management.
Previous work on the Theory of Planned Behavior and Security Behavior in IS
The theory of planned behavior (Ajzen 1991) is a popular theory from psychology stating that attitude
toward the behavior, subjective norms, and perceived behavioral control together predict a person's deliberate
behavioral intentions and behavior. It has often been used to research safety behavior like driving speed, health
behavior or condom use. In general, the TPB measures the relation between human thought and human
action (Sommestad et al. 2013). Previous research has often used parts of the theory of planned behavior,
but as a recent review of the latest academic literature showed, only a limited number of the TPB constructs
were analyzed (Sommestad et al. 2013). The authors of this recently published meta-study suggested testing
the TPB more comprehensively in information security contexts. Following this suggestion, we
incorporated the TPB to analyze the intention for a desirable information security behavior and actual
information security behavior. In what follows, we briefly introduce the research constructs of the original
TPB (Ajzen 1991) and briefly link them to the context of information security.
According to the TPB, the attitude of a person toward the behavior in question plays an important role for
explaining behavior. Previous research confirmed attitude as a valid predictor of the intention for
information security compliance of employees (Bulgurcu et al. 2010). Social norms reflect how other
employees care about the behavior in question. The violation of information security work instructions and
policies is normally not a criminal activity, but rather a violation of social norms of the organization.
Previous research highlights the importance of social norms in information security behavior research and
connects social norms with the organization's security culture (Albrechtsen 2007; Cox 2012). In the TPB,
social norms are represented by the concept of subjective norm, which describes the level of pressure that
a person perceives imposed by significant peers to perform or not to perform a behavior. Finally, perceived
behavioral control refers to a person's perception of the ability to perform a given behavior. This factor is
held to exert both direct and interactive effects on behavior. These TPB predictors lead to behavioral
intentions and consequently deliberate behavior. There is a substantial amount of research that has
confirmed the relationship of the intention for information security behavior and actual security behavior
(Cox 2012; Sommestad et al. 2013).
Previous work on Neutralization Theory in IS
The principles of neutralization theory (Sykes et al. 1957) have previously been used to explain deviant
behavior like drug use, theft, or deviant consumer behavior (Maruna et al. 2004). Neutralization theory is
based on the idea that individuals excuse their undesirable behavior by so-called neutralization
techniques (Lim 2002). In general, social behavior is internalized and learned in the process of social
interaction (Sykes et al. 1957). The information security behavior literature has investigated
neutralization theory in connection with deterrence theory (Barlow et al. 2013; Siponen et al. 2010).
However, prior research has largely neglected the relative influences of each of the three generally accepted
TPB predictors in comparison with different neutralization techniques for information security behavior.
Constructs of Neutralization Theory
Neutralization theory describes several neutralization techniques (Sykes et al. 1957), which were later
extended by IS-related studies (Barlow et al. 2013; Siponen et al. 2010). While one IS study used the three
constructs "denial of injury", "metaphor of the ledger" and "defense of necessity" as neutralization
constructs (Barlow et al. 2013), another study used six constructs (Siponen et al. 2010). In general, findings
confirmed that these neutralization techniques influence the security behavior of employees and in particular
seem to be more effective than sanctions. One study proposed that focusing communication and training
on neutralization techniques is just as effective as focusing on deterrent sanctions (Barlow et al. 2013). A
more extensive taxonomy uses six types of neutralization techniques, which we have also considered in our
research (Siponen et al. 2010):
- Denial of Responsibility: The employee sometimes negates his responsibility for certain actions.
  Additionally, he considers himself to be powerless regarding the control of these types of incidents
  (Siponen et al. 2010; Sykes et al. 1957).
- Denial of Injury: The employee is totally convinced that his or her non-malicious actions violating
  information security do not have a substantial negative impact. In other words, the person tries
  to excuse the behavior by emphasizing the minimal potential damage (Barlow et al. 2013; Siponen et
  al. 2010; Sykes et al. 1957).
- Defense of Necessity: In this strategy, the employee thinks that she has no other acceptable choice
  of how to act. In this particular case, the employee sees herself as forced to break the security rules, for
  example in order to meet important deadlines (Barlow et al. 2013; Siponen et al. 2010).
- Condemnation of the Condemners: The employees do not regard the rules as just and fair and
  consider those who condemn them as doing so out of spite. Thus, the lack of recognition can induce the
  fraudulent behavior (Siponen et al. 2010; Sykes et al. 1957).
- Appeal to Higher Loyalties: Sometimes employees excuse their violation of security rules by
  appealing to the greater good. A common reason is that they consider the rules too restrictive
  (Siponen et al. 2010; Sykes et al. 1957).
- The Metaphor of the Ledger: Employees tend to emphasize their other high-quality work and
  perhaps neglect the gravity of committed mistakes related to information security (Barlow et al.
  2013; Siponen et al. 2010; Sykes et al. 1957).
Research Model and Operationalization
Research Model and Hypotheses
Figure 2 shows the research model, which is based on the theory of planned behavior and neutralization
theory. The effects of attitude, subjective norm and perceived behavioral control on the intention for a
desirable information security behavior are widely accepted, but the whole model of the TPB needs more
validation for the information security context (Sommestad et al. 2013). In principle, however, we can
assume that attitude, subjective norm and perceived behavioral control will have an influence on the intention
for a desirable security behavior (H1, H2, H3). Further, we also seek to confirm the direct link between
perceived behavioral control and actual security behavior (H4). So far, hardly any attention has been paid to
neutralization in the context of the TPB. The effects of neutralization on the intention for security violations have
been considered (Barlow et al. 2013; Siponen et al. 2010). We approach security behavior differently and
concentrate on the anticipated negative effect of neutralization on the intention for a desirable security
behavior (H5). Moreover, the present study assumes that the intention for a desirable security behavior
influences actual security behavior (H6). Consequently, we assume the following:
Hypothesis 1 (H1): Attitude has a positive effect on the intention for a desirable information security
behavior.
Hypothesis 2 (H2): Subjective norm has a positive effect on the intention for a desirable information security
behavior.
Hypothesis 3 (H3): Perceived behavioral control has a positive effect on the intention for a desirable
information security behavior.
Hypothesis 4 (H4): Perceived behavioral control has a positive effect on actual information security
behavior.
Hypothesis 5 (H5): Neutralization has a negative effect on the intention for a desirable information security
behavior.
Hypothesis 6 (H6): Intention for a desirable information security behavior has a positive effect on actual
information security behavior.
Variable Selection and Measurement
We have summarized how we conceptualized the various variables in Table A2 (Appendix). For each
construct, the table offers an overall description and cites supporting literature. Table A1 (Appendix) lists
the measurement items of these respective variables. Each of the three exogenous TPB constructs and six
exogenous neutralizations were designed as reflective constructs, where the direction of causality runs from
the items to the construct. In addition, the two endogenous (dependent) constructs were defined as
reflective constructs. The higher-order component is overall neutralization, which is too complex to measure
as a single dimension. We therefore represented neutralization by the six underlying techniques described in
the previous section, which we considered together as a reflective-formative hierarchical component model.
According to recommendations (Hair et al. 2013), the number of indicators in Table A1 is similar across
these lower level components.
Research Methodology
Research Approach
The research process is illustrated in Figure 1. Firstly, a comprehensive literature review was conducted
(Webster et al. 2002). The research team consulted the academic databases ‘Thomson Reuters Web of
Knowledge’, ‘Scopus’, ‘Google scholar’, ‘ProQuest ABI/INFORM Global’ through combinations of the
keywords "neutralization", "information security" and "security behavior". Based on the findings, we
developed the research model and hypotheses. In the next step, we designed and implemented the survey
for data collection before analyzing the data.
[Figure 1: flow diagram of the research stages: Literature Review; Development of Research Questions and Hypotheses; Development of the Online Survey; Pretest & Improvement of the Online Survey; Data Collection; Data Analysis with SmartPLS; Interpretation of the Results; Writing the Paper]
Figure 1. Main Stages of Research Approach
Data Collection
The data collection method used in this particular study was an online survey, which was conducted in
December 2013 and targeted all enrolled students of WU Vienna with work experience. Survey participation
was voluntary and no incentives were provided. After sending one invitation email to all registered students,
512 responses were registered within a week after which we closed the survey.
Concerning the structure of the online survey, there was a filter after the demographics section, which asked
the respondents whether they had acquired work experience at a company having an information security
policy. 220 respondents answered this question affirmatively and confirmed that they have at least a little knowledge about
such a policy. Only these 220 members of the actual working population were included in the data analysis
to ensure a degree of external validity of the results.
Statistical Methods
We chose the partial least squares structural equation modeling (PLS-SEM) approach for the data analysis. The
advantage of this approach lies in the fact that with SEM the measurement model and the structural model can be
analyzed at once (Park et al. 2007; Su et al. 2010). Furthermore, the decision for PLS-based SEM follows from
our research aim, which is to explain the variance of the endogenous
construct 'intention for desirable information security behavior' (Chin 1998). In addition, PLS has less
stringent requirements regarding distributional properties (Wold 1982). The software package SmartPLS was
used to analyze the data (Ringle et al. 2005). Our research model was developed as a reflective measurement
model. The bootstrap re-sampling procedure was used to test the significance of all model paths (Gefen et
al. 2000).
Data Analysis
Sample Descriptives
Table 1 shows the demographic characteristics of our acquired sample. Our respondents all have the general
qualification for university entrance, but have not yet completed their degrees. The majority of respondents are
between 21 and 30 years old and have between 1 and 10 years of work experience. On average, respondents
work 6.3 hours per day with a computer, and they work in 17 different industries.
Table 1. Demographic Characteristics of Respondents
Demographic Characteristic | Category | N | Percentage
Gender | Female | 101 | 45.9%
Gender | Male | 119 | 54.1%
Age (years) | < 20 | 32 | 14.6%
Age (years) | 21-25 | 107 | 48.6%
Age (years) | 26-30 | 42 | 36.8%
Age (years) | > 30 | 39 | 17.7%
Work experience (years) | < 1 | 15 | 6.8%
Work experience (years) | 1-3 | 104 | 47.3%
Work experience (years) | 4-10 | 71 | 32.3%
Work experience (years) | 11+ | 30 | 13.6%
Measurement Model Validation
We tested the measurement model with the goodness-of-fit criteria in Table 2 following current
recommendations (Hair et al. 2013; Hair et al. 2011; Sarstedt et al. 2011). First, we considered internal
consistency reliability by assessing Cronbach's α and composite reliability, which considers the different
outer loadings of the indicator variables. All respective values are above 0.70, which is considered to be
acceptable. In terms of convergent validity, the AVE criteria are also all above the recommended threshold
(0.5), which indicates that, on average, the construct explains more than half of the variance of its
indicators. For assessing discriminant validity, we checked the cross loadings of the items (Hair et al.
2011), which were also acceptable.
Table 2. Constructs and Measurement Model Validity
Latent Variable | Indicators (Loadings) | Cronbach's α | Composite Reliability | AVE
Attitude toward Information Security Behavior | ATT1 (0.84), ATT2 (0.90), ATT3 (0.94), ATT4 (0.90) | 0.92 | 0.94 | 0.80
Subjective norm toward Information Security | SN1 (0.72), SN2 (0.85), SN3 (0.79) | 0.70 | 0.83 | 0.62
Perceived Behavioral Control | PBC1 (0.88), PBC2 (0.89) | 0.72 | 0.88 | 0.78
Intention for desirable security behavior | DSB1 (0.79), DSB2 (0.82), DSB3 (0.83) | 0.75 | 0.85 | 0.66
Actual desirable security behavior | ASB1 (0.93), ASB2 (0.94) | 0.86 | 0.93 | 0.88
Denial of responsibility | DOR1 (0.85), DOR2 (0.90), DOR3 (0.88) | 0.85 | 0.91 | 0.77
Condemnation of the condemners | CC1 (0.86), CC2 (0.92), CC3 (0.92) | 0.88 | 0.93 | 0.81
Appeal to higher loyalties | AHL1 (0.96), AHL2 (0.96) | 0.92 | 0.96 | 0.92
Denial of injury | DJ1 (0.94), DJ2 (0.94) | 0.87 | 0.94 | 0.88
Defense of necessity | DN1 (0.92), DN2 (0.91) | 0.81 | 0.91 | 0.84
Metaphor of the ledger | ML1 (0.97), ML2 (0.97) | 0.93 | 0.97 | 0.94
Evaluation of the Structural Model
The most commonly used measure to evaluate the structural model is R², which is a measure of the model's
predictive accuracy and represents the amount of variance in an endogenous construct explained by all of
the exogenous constructs linked to it. The R² of "the intention for a desirable security behavior" is 0.44 and for
"actual security behavior" it is 0.30, which are relatively high compared to previous studies of similar
constructs (Sommestad et al. 2013) and can be described as moderate according to general
recommendations in scholarly research (Hair et al. 2013).
Table 3: Verdict on Structural Relationships of the Research Model
Hypothesis | Path coefficient | T value | f² | f² Effect
(H1): Attitude has a positive effect on intention for a desirable information security behavior. | 0.27*** | 5.71 | 0.10 | Weak
(H2): Subjective norm has a positive effect on intention for a desirable information security behavior. | 0.17*** | 3.81 | 0.04 | Weak
(H3): Perceived Behavioral Control has a positive effect on intention for a desirable information security behavior. | 0.35*** | 9.70 | 0.19 | Moderate
(H4): Perceived Behavioral Control has a positive effect on actual information security behavior. | 0.14*** | 2.67 | 0.02 | Weak
(H5): Neutralization has a negative effect on intention for a desirable information security behavior. | -0.19*** | 5.29 | 0.18 | Moderate
(H6): Intention for a desirable information security behavior has a positive effect on actual information security behavior. | 0.47*** | 11.17 | 0.23 | Moderate
*p<0.10, **p<0.05, ***p<0.01
The purpose of the structural equation model was to test the direct effects of the potential latent predictors
identified from the TPB and neutralization theory, as captured by our six research hypotheses. We used
the results from bootstrapping with 5000 subsamples as a non-parametric re-sampling procedure to
calculate t-statistics (Chin 1998). The path coefficients show weak and moderate relationships between the
research constructs. Table 3 lists the hypotheses, all path coefficients of the research model,
significance levels, and effect sizes. The effect size f² of a latent factor results from analyzing the decrease
in R² when excluding one independent latent factor (Cohen 1988). It has been suggested that f² values of .02,
.15, and .35 indicate small, medium, and large effects, respectively. The results indicate that neutralization
and perceived behavioral control have the greatest influence on the intention for a desirable information
security behavior. As anticipated, the intention for a desirable security behavior predicts actual behavior.
The other relationships show weak effects.
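As an added worked example (not code from the paper or its authors), the following Python recomputes the composite reliability and AVE criteria used in the measurement model validation from the outer loadings reported in Table 2, and implements the f² effect-size computation and Cohen thresholds behind Table 3. The indicator-loading threshold of 0.70 and the failing WEAK_CONSTRUCT are my assumptions for illustration, not values from the paper.

```python
"""Added example, not from the paper: recompute the reflective measurement-model
criteria of Table 2 from the reported outer loadings and classify effect sizes
f2 as in Table 3, using the standard PLS-SEM formulas (Hair et al. 2011):

  CR  = (sum lambda)^2 / ((sum lambda)^2 + sum(1 - lambda^2))
  AVE = mean(lambda^2)
  f2  = (R2_included - R2_excluded) / (1 - R2_included)
"""
from dataclasses import dataclass
from typing import Dict, List

# Outer loadings copied from Table 2 of the paper, keyed by indicator prefix.
LOADINGS: Dict[str, List[float]] = {
    "ATT": [0.84, 0.90, 0.94, 0.90],  # attitude toward information security behavior
    "SN":  [0.72, 0.85, 0.79],        # subjective norm
    "PBC": [0.88, 0.89],              # perceived behavioral control
    "DSB": [0.79, 0.82, 0.83],        # intention for desirable security behavior
    "ASB": [0.93, 0.94],              # actual desirable security behavior
    "DOR": [0.85, 0.90, 0.88],        # denial of responsibility
    "CC":  [0.86, 0.92, 0.92],        # condemnation of the condemners
    "AHL": [0.96, 0.96],              # appeal to higher loyalties
    "DJ":  [0.94, 0.94],              # denial of injury
    "DN":  [0.92, 0.91],              # defense of necessity
    "ML":  [0.97, 0.97],              # metaphor of the ledger
}

# Constructed loadings for a hypothetical construct that should fail the checks
# (assumption for illustration; not a construct from the paper).
WEAK_CONSTRUCT: List[float] = [0.55, 0.60, 0.62]


def composite_reliability(loadings: List[float]) -> float:
    """Composite reliability from standardized outer loadings."""
    squared_sum = sum(loadings) ** 2
    error_variance = sum(1.0 - l * l for l in loadings)
    return squared_sum / (squared_sum + error_variance)


def average_variance_extracted(loadings: List[float]) -> float:
    """AVE: mean squared loading, i.e. the share of indicator variance the construct explains."""
    return sum(l * l for l in loadings) / len(loadings)


@dataclass
class ConstructCheck:
    cr: float
    ave: float
    min_loading: float
    passes: bool


def check_measurement_model(loadings_by_construct: Dict[str, List[float]],
                            cr_min: float = 0.70, ave_min: float = 0.50,
                            loading_min: float = 0.70) -> Dict[str, ConstructCheck]:
    """Apply the thresholds the paper reports (CR above 0.70, AVE above 0.50) plus the
    usual indicator-reliability rule (assumed here) that each loading is at least 0.70."""
    results: Dict[str, ConstructCheck] = {}
    for name, loadings in loadings_by_construct.items():
        cr = composite_reliability(loadings)
        ave = average_variance_extracted(loadings)
        low = min(loadings)
        ok = cr >= cr_min and ave >= ave_min and low >= loading_min
        results[name] = ConstructCheck(cr, ave, low, ok)
    return results


def cohen_f2(r2_included: float, r2_excluded: float) -> float:
    """Effect size of one predictor: relative drop in R2 when it is removed from the model."""
    return (r2_included - r2_excluded) / (1.0 - r2_included)


def implied_r2_excluded(r2_included: float, f2: float) -> float:
    """Inverse of cohen_f2: the R2 the model would have without the predictor."""
    return r2_included - f2 * (1.0 - r2_included)


def f2_label(f2: float) -> str:
    """Cohen (1988) thresholds .02 / .15 / .35, labelled as in Table 3 of the paper."""
    if f2 < 0.02:
        return "none"
    if f2 < 0.15:
        return "weak"
    if f2 < 0.35:
        return "moderate"
    return "strong"


if __name__ == "__main__":
    for name, check in check_measurement_model(LOADINGS).items():
        print(f"{name:4s} CR={check.cr:.2f} AVE={check.ave:.2f} "
              f"min loading={check.min_loading:.2f} {'ok' if check.passes else 'FAIL'}")
    # Table 3 reports f2 = 0.19 for PBC -> intention (R2 = 0.44): what R2 would remain without PBC?
    r2_without_pbc = implied_r2_excluded(0.44, 0.19)
    print(f"R2 of intention without PBC: {r2_without_pbc:.2f} "
          f"-> f2 {cohen_f2(0.44, r2_without_pbc):.2f} ({f2_label(0.19)})")
```

The recomputed CR and AVE values agree with Table 2 to within the rounding of the published loadings, which is the kind of consistency check a reviewer can run on any PLS-SEM report.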
Figure 2. Research Model and Results
Discussion and Conclusions
The main contribution of this paper is to explicate neutralization techniques in conjunction with the theory
of planned behavior in the context of desirable employee information security behavior. The findings
confirm that individual neutralizations have a negative effect on security behavior and together with the
classical indicators of the TPB significantly explain the intention to comply with information security rules,
policies and working procedures and in turn actual compliance. Prior research, to our knowledge, has not
yet provided the same analysis. The results advance our understanding of the social construction of
reality of employees in terms of six defense mechanisms through which employees may rationalize their
deviant behavior. We also call for more research on similar offenders’ perspectives. Next, we discuss
these findings and implications in relation to the underlying theories (TPB, neutralization) in more detail.
Our research confirms the classical beliefs-intention-behavior link as suggested by the TPB in the
application context of this study. More specifically, attitudes towards desirable security behavior, subjective
norms and perceived behavioral control are valid predictors of the individual's intention to act accordingly
(H1-3). In addition, the direct link between perceived behavioral control and actual behavior was also validated, although only
marginally (H4), as was the expected strong association between behavioral intention and actual behavior
(H6). The latter relationship was already known to hold in general and also in the context of security
behavior (Cox 2012; Sommestad et al. 2013).
In terms of Neutralization theory, we can also confirm the general importance of the investigated
neutralization techniques, which taken together negatively impact the intention of employees to behave
desirably (H5). The effect sizes show that neutralization has a roughly similar effect as the most important
predictor of the TPB, which is perceived behavioral control. Theoretically, this finding adds to our
understanding of how to predict desirable security behavior in extension to the TPB or deterrence theory
(Barlow et al. 2013; Siponen et al. 2010). The internal mechanisms by which employees neutralize their
security values should be considered in conjunction with the predictors of the TPB when reflecting upon
desirable security behavior. All six assessed neutralization techniques seem to be important methods
by which individuals justify less desired security behaviors. The most important techniques, however, seem
to be the defense of necessity and the condemnation of the condemners. For the former, employees defend
their undesirable security behavior by their need to meet work objectives such as deadlines. In terms
of the latter, the employees simply perceive the rules as unfair. We believe that contemporary information
security awareness programs should pay more attention to these defense mechanisms (Bauer et al. 2013b).
Finally, we need to acknowledge some limitations of this study. A common problem in empirical
quantitative research is external reliability. In this context, the results must be interpreted with caution.
Firstly, the sample consists of students with most of the respondents being younger than 30 years. We
therefore cannot assume that our results can be unconditionally extended to the context of employees in
general. However, we controlled reliability with a number of measures. As a start we contacted the full
population to ensure a good representation of all students. We controlled the role of the target person by
applying filter questions and semantically linking most questions to the context of work environments. We
could not avoid the use of a mono method, which however is common in many studies of similar designs
(e.g. Fink et al. 2009).
Conclusions
Our findings provide important insights for scholars and practitioners. Overall, all proposed hypotheses are
supported according to our theoretical analysis. It is noteworthy to highlight the relatively stronger effects
of perceived behavioral control and neutralization on the intention of desirable information security
behavior.
Neutralization theory, which is an essential perspective for explaining employees’ workplace security
violations, should be considered in conjunction with the traditional aspects of subjective norm, general
attitudes or perceived behavioral control to analyze and influence the intention of employees for desirable
security behavior.
Additional research would be required to fully understand the potential influence of neutralization theory
on design and content of information security awareness delivery methods and programs. Therefore, we
suggest conducting exploratory interviews with employees to explore the cause effect relationships behind
their neutralization techniques. Furthermore, innovative information security awareness delivery methods
should be designed according to the new insights about the factors influencing desirable information
security behavior. These innovative methods should be evaluated in a real world context.
References
Ajzen, I. 1991. "The theory of planned behavior," Organizational Behavior and Human Decision Processes
(50:2), pp 179–211.
Ajzen, I., and Fishbein, M. 1980. Understanding attitudes and predicting social behavior, Prentice-Hall:
Englewood Cliffs, NJ.
Albrechtsen, E. 2007. "A qualitative study of users' view on information security," Computers & Security
(26:4), pp 276-289.
Barlow, J. B., Warkentin, M., Ormond, D., and Dennis, A. R. 2013. "Don't make excuses! Discouraging
neutralization to reduce IT policy violation," Computers & Security (in press).
Bauer, S., and Bernroider, E. W. N. 2013. "IT Operational Risk Awareness Building in Banking
Companies: A Preliminary Research Design Highlighting the Importance of Risk Cultures and
Control Systems," International Conference on Information Resource Management, Natal, Brazil,
2013a, pp. 1-4.
Bauer, S., Bernroider, E. W. N., and Chudzikowski, K. 2013. "End User Information Security Awareness
Programs for Improving Information Security in Banking Organizations: Preliminary Results from
an Exploratory Study," AIS SIGSEC Workshop on Information Security & Privacy (WISP2013),
Milano, 2013b.
Boss, S. R., Kirsch, L. J., Angermeier, I., Shingler, R. A., and Boss, R. W. 2009. "If someone is watching,
I'll do what I'm asked: mandatoriness, control, and information security," European Journal of
Information Systems (18:2), pp 151-164.
Bulgurcu, B., Cavusoglu, H., and Benbasat, I. 2010. "Information security policy compliance: an
empirical study of rationality-based beliefs and information security awareness," MIS Quarterly
(34:3), pp 523-548.
Chin, W. W. 1998. "The Partial Least Squares Approach to Structural Equation Modeling," in Modern
Methods for Business Research, G. A. Marcoulides (ed.), Lawrence Erlbaum Associates: New Jersey,
p. 297.
Cohen, J. 1988. Statistical power analysis for the behavioral sciences, (2 ed.) Lawrence, Erlbaum
Associates: Hillsdale, New Jersey.
Cox, J. 2012. "Information systems user security: A structured model of the knowing–doing gap,"
Computers in Human Behavior (28:5), pp 1849-1858.
Fink, L., and Neumann, S. 2009. "Exploring the perceived business value of the flexibility enabled by
information technology infrastructure," Information & Management (46:2), pp 90-99.
Gefen, D., Straub, D. W., and Boudreau, M.-C. 2000. "Structural Equation Modeling and Regression:
Guidelines for research practice," Communications of the Association for Information Systems (4:7),
pp 1-79.
Gibbs, J. P. 1968. "Crime, punishment and deterrence," Southwestern Social Science Quarterly (48:5), pp
515–530.
Goldstein, J., Chernobai, A., and Benaroch, M. 2011. "An Event Study Analysis of the Economic Impact of
IT Operational Risk and its Subcategories," Journal of the Association for Information Systems
(12:9), pp 606-631.
Guo, K. H. 2013. "Security-related behavior in using information systems in the workplace: A review and
synthesis," Computers & Security (32), pp 242-251.
Hair, J. F., Hult, G. T. M., Ringle, C. M., and Sarstedt, M. 2013. A primer on partial least squares structural
equation modeling (pls-sem), (Sage: Los Angeles.
Hair, J. F., Sarstedt, M., Ringle, C. M., and Mena, J. A. 2011. "An assessment of the use of partial least
squares structural equation modeling in marketing research," Journal of the Academy of Marketing
Science (40:3), pp 414-433.
Hu, Q., Dinev, T., Hart, P., and Cooke, D. 2012. "Managing Employee Compliance with Information
Security Policies: The Critical Role of Top Management and Organizational Culture," Decision
Sciences (43:4), pp 615-659.
Lim, V. K. G. 2002. "The IT way of loafing on the job: cyberloafing, neutralizing and organizational
justice," Journal of Organizational Behavior (23:5), pp 675-694.
Information Institute Conferences, Las Vegas, NV, May 21-23, 2014
11
Bauer; Bernroider
Maruna, S., and Copes, H. 2004. "What Have We Learned from Five Decades of Neutralization
Research?," Crime and Justice (32), pp 221-320.
Padayachee, K. 2012. "Taxonomy of compliant information security behavior," Computers & Security
(31:5), pp 673-680.
Park, J.-H., Suh, H.-J., and Yang, H.-D. 2007. "Perceived absorptive capacity of individual users in
performance of Enterprise Resource Planning (ERP) usage: The case for Korean firms," Information
& Management (44:3), pp 300-312.
Ringle, C., Wende, S., and Will, A. 2005. "SmartPLS 2.0 (beta)," University of Hamburg.
Rocha Flores, W., and Antonsen, E. 2013. "The development of an instrument for assessing information
security in organizations: Examining the content validity using quantitative methods," in
Proceedings of the International Conference on Information Resource Management 2013 (Conf-IRM
2013), L. Janczewski (ed.): Natal, Brazil, pp. 1-15.
Rogers, R. W. 1975. " A protection motivation theory of fear appeals and attitude change," Journal of
Psychology (91:1), pp 93-114.
Sarstedt, M., Ringle, C. M., and Hair, J. F. 2011. "PLS-SEM: Indeed a Silver Bullet," The Journal of
Marketing Theory and Practice (19:2), pp 139-152.
Siponen, M., and Vance, A. 2010. "Neutralization: New Insights into the Problem of Employee
Information Systems Security Policy Violations," MIS Quarterly (34:3), pp 487-502.
Sommestad, T., and Hallberg, J. 2013. "A review of the theory of planned behaviour in the context of
information security policy compliance," International Information Security and Privacy
Conference, Springer Verlag Berlin Heidelberg.
Stanton, J. M., Stam, K. R., Mastrangelo, P., and Jolton, J. 2005. "Analysis of end user security behaviors,"
Computers & Security (24:2), pp 124-133.
Su, Y.-f., and Yang, C. 2010. "Why are enterprise resource planning systems indispensable to supply chain
management?," European Journal of Operational Research (203:1), pp 81-94.
Sykes, G. M., and Matza, D. 1957. "Techniques of Neutralization: A Theory of Delinquency," American
Sociological Association (22:6), pp 664-670.
Vance, A., Siponen, M., and Pahnila, S. 2012. "Motivating IS security compliance: Insights from Habit
and Protection Motivation Theory," Information & Management (49:3-4), pp 190-198.
Warkentin, M., Straub, D., and Malimage, K. 2012. "Featured Talk: Measuring Secure Behavior: A
Research Commentary," in Annual Symposium of Information Assurance & Secure Knowledge
Management: Albany, NY.
Warkentin, M., and Willison, R. 2009. "Behavioral and policy issues in information systems security: the
insider threat," European Journal of Information Systems (18:2), pp 101-105.
Webster, J., and Watson, R. T. 2002. "Analyzing the Past to Prepare for the Future: Writing a Literature
Review," MIS Quarterly (26:2), pp xiii-xxiii.
Willison, R., and Warkentin, M. 2013. "Beyond Deterrrence: An Expanded View of Employee Computer
Abuse," MIS Quarterly (37:1), pp 1-20.
Wold, H. 1982. "Soft modeling: the basic design and some extensions," in Systems under indirect
observations: Causality, structure, prediction. Part 2, K. G. Jöreskog and H. Wold (eds.), NorthHolland: Amsterdam, pp. 1-54.
Appendix

Table A1. Measurement Model

| Construct | Code | Item | Adapted from |
|---|---|---|---|
| Attitude toward Information Security Behavior | ATT1 | To me, information security procedures and operating instructions in our daily work are _______. (Scale from unnecessary to necessary) | (Bulgurcu et al. 2010) |
| | ATT2 | To me, information security procedures and operating instructions in our daily work are _______. (Scale from unbeneficial to beneficial) | |
| | ATT3 | To me, information security procedures and operating instructions in our daily work are _______. (Scale from unimportant to important) | |
| | ATT4 | To me, information security procedures and operating instructions in our daily work are _______. (Scale from useless to useful) | |
| Subjective norm toward Information Security | SN1 | In our organization, information security is viewed as a collective responsibility. | (Rocha Flores and Antonsen 2013) |
| | SN2 | Both my colleagues and I share the same ambitions and vision of protecting information assets from being compromised in our organization. | |
| | SN3 | Both my colleagues and I share and agree on the way collective information security goals are being pursued in our organization. | |
| Perceived Behavioral Control toward Information Security | PBC1 | I have the necessary skills to fulfill the requirements of the information security procedures and operating instructions. | (Bulgurcu et al. 2010) |
| | PBC2 | I have the necessary knowledge to fulfill the requirements of the information security procedures and operating instructions. | |
| Intention for desirable security behavior | DSB1 | I plan to keep aware of the latest security threats so I can protect my system. | (Boss et al. 2009) |
| | DSB2 | I intend to comply with information security rules, policies and working procedures. | (Vance et al. 2012) |
| | DSB3 | I intend to assist others in complying with information security rules, policies and working procedures. | (Vance et al. 2012) |
| Actual desirable security behavior | ASB1 | I take IT-security very seriously. | self-constructed |
| | ASB2 | I tend to greater care concerning IT-security. | |
| Denial of responsibility | DOR1 | It is OK to violate the company information security policy if you aren't sure what the policy is. | (Siponen and Vance 2010) |
| | DOR2 | It is OK to violate the company information security policy if you don't understand it. | |
| | DOR3 | It is OK to violate the company information security policy if the policy is not advertised. | |
| Condemnation of the condemners | CC1 | It is not as wrong to violate a company information security policy that is not reasonable. | (Siponen and Vance 2010) |
| | CC2 | It is not as wrong to violate a company information security policy that requires too much time to comply with. | |
| | CC3 | It is not as wrong to violate a company information security policy that is too restrictive. | |
| Appeal to higher loyalties | AHL1 | It is all right to violate a company information security policy if you get your work done. | (Siponen and Vance 2010) |
| | AHL2 | It is all right to violate a company information security policy if you complete the task given by management. | |
| Denial of injury | DJ1 | It is OK to violate the company information security policy if no damage is done to the company. | (Siponen and Vance 2010) |
| | DJ2 | It is OK to violate the company information security policy if no one gets hurt. | |
| Defense of necessity | DN1 | It is all right to violate the company information security policy when you are under a tight deadline. | (Siponen and Vance 2010) |
| | DN2 | It is all right to violate the company information security policy when you are in a hurry. | |
| Metaphor of the ledger | ML1 | I feel my general adherence to company information security policy compensates for occasionally violating an information security policy. | (Siponen and Vance 2010) |
| | ML2 | I feel my good job performance compensates for occasionally violating information security policy. | |
Table A2. Theories, Constructs and Measures

| Construct | Measures | Codes | Description and Source |
|---|---|---|---|
| Based on the Theory of Planned Behavior (Ajzen 1991) | | | |
| Attitude toward information security behavior | 4 items | ATT1-4 | Employee's attitude on whether it is good or bad to perform a security-compliant behavior. Adapted from Bulgurcu et al. (2010). |
| Subjective norm | 3 items | SN1-3 | Employee's perception of whether the behavior is accepted and encouraged by people who are important to him or her in the organization, such as colleagues, subordinates, or superiors. Adapted from Rocha Flores and Antonsen (2013). |
| Perceived behavioral control | 2 items | PBC1-2 | Employee's perceived ease or difficulty of performing a behavior and personal sense of having the skills and control to perform it. Adapted from Bulgurcu et al. (2010). |
| Intention for desirable security behavior | 3 items | DSB1-3 | Employee's belief that he or she will perform the desirable behavior sometime in the future. Adapted from Boss et al. (2009) and Vance et al. (2012). |
| Actual desirable security behavior | 2 items | ASB1-2 | Employee's belief that he or she will perform the desirable behavior sometime in the future. |
| Based on the Neutralization Theory (Sykes and Matza 1957) | | | |
| Denial of responsibility | 3 items | DOR1-3 | Employee does not feel responsible for his action and thinks that his behavior is beyond his control (Sykes and Matza 1957). |
| Condemnation of the condemners | 3 items | CC1-3 | Employee feels that the rules are unjust or make no sense, and hence violates the information security policy. |
| Appeal to higher loyalties | 2 items | AHL1-2 | Employees explain their deviant behavior by excusing the violation because they have too little time to carry out the work or because the rules are too restrictive (Sykes and Matza 1957). |
| Denial of injury | 2 items | DJ1-2 | Employee justifies his action by minimizing the harm it causes. |
| Defense of necessity | 2 items | DN1-2 | Employee thinks that he has no other acceptable choice of action. |
| Metaphor of the ledger | 2 items | ML1-2 | Employee feels that he/she has done enough good deeds to justify doing something against policy. |