(Goldstein et al. 2011). Information security practices should ensure
advertisement
An Analysis of the Combined Influences of Neutralization and Planned Behavior on Desirable Information Security Behavior Stefan Bauer Vienna University of Economics and Business Stefan.Bauer@wu.ac.at Edward W. N. Bernroider Vienna University of Economics and Business Edward.Bernroider@wu.ac.at Abstract The aim of this paper is to develop a better understanding of the importance of neutralization methods in the context of desirable information security behavior of employees. Past behavioral intention theories, such as the theory of planned behavior, have not sufficiently accounted for neutralization by which employees may temporarily neutralize certain values when determining the formation of an intention and consequently behavior. We provide a new integrated view on security behavior by combining the theory of planned behavior and neutralization theory in one study. Based on the analysis of 220 data sets acquired by an online survey, our results support the hypotheses gained from both theories. In particular, neutralization techniques are used by employees to justify undesired security behaviors. In relative terms, neutralization seems to be at least equally important as the predictors of the theory of planned behavior when considering effect sizes. Our main contribution is to provide evidence for the important role of six considered neutralization techniques, which implicates to proactively utilize these in the development of effective information security awareness programs. Information Institute Conferences, Las Vegas, NV, May 21-23, 2014 1 Bauer; Bernroider Introduction The provision of information security is nowadays a very important topic for most enterprise across all industries. Several reports of industries show that information security incidents are threatening organizations’ business, especially organizations which highly rely on information processing and data assets (Goldstein et al. 2011). Information security practices should ensure availability, confidentiality and integrity of data and data assets of an organization (Hu et al. 2012). Previous research stated that not only technological measures alone can protect organizations information system, but rather employees have to act in a desirable way to ensure the goals of information security (Willison et al. 2013). Employees' behavior regarding information systems and technology is an important topic for organizations' information security management. Employees act not always desirably regarding information technology or information systems (Warkentin et al. 2009). Several scholars have established classifications of employee security behavior (Guo 2013; Padayachee 2012; Stanton et al. 2005). In our research context, we differentiate between desirable and undesirable employee behavior. Desirable employee behavior is normally made explicit in information security policies of an organization prescribing rules, for example about handling e-mails, passwords or data in a way, which ensures security in an organization. Desirable employee behavior can be defined as a set of behaviors, where an employee acts compliant with information security policies and work instructions. Furthermore, it is desirable that employees take precautions, actively protect their information systems and technology (Bauer et al. 2013a; Bauer et al. 2013b). Employees’ undesirable behavior regarding information security could have unpredictable consequences, because a violation of the security policy could open a loophole for an internal malicious coworker or external perpetrator (Willison et al. 2013). Further, the aggregation of small violations could have a huge impact on the organizations’ security, especially if the data and their assets are critical resources for the organization. Employees' violations of the information security policy have different specific reasons. We assume that neutralization techniques such as the denial of responsibilities provide acceptable justifications for employees to act in a deviant way (Lim 2002). Employees may apologize their undesirable behavior through a range of different neutralization techniques (Barlow et al. 2013; Siponen et al. 2010). In general, we can differ between malicious behavior and non-malicious behavior. Malicious employee behavior is defined as security damaging behavior, where the employee’s intention is to harm the organization for his own benefit (Guo 2013). The underlying research focuses on non-malicious behavior. We assume that employees use neutralization techniques to excuse their deviant behavior concerning information security without the actual intention to harm the organization. The main contribution of the underlying research is to analyze the influence of different neutralization techniques in the context of the theory of planned behavior in one research model. To our knowledge until now, the theory of planned behavior was not analyzed in connection with the neutralization theory in the information systems (IS) context. Based on previous studies we assume that neutralization together with the well-established predictors of the theory of planned behavior, namely subjective norm, attitude and perceived behavioral control, influence the individual's desirable information security behavior or at least the individual's intention to behave accordingly. The outcome of the study provides important insights for researchers as well as for practitioners. Organizations' chief information security officers need to design and implement information security awareness programs to make the employees aware of potential threats (Bauer et al. 2013b). The findings of our research confirm that common self-centered beliefs from neutralization theory should corroborate the traditional belief-systems in behavioral reasoning analysis. Some neutralization techniques may even be more important than general attitudes towards the security behavior in question and subjective norms. The remainder of the paper has been divided into the following sections. Next, we introduce the theoretical backgrounds of the theory of planned behavior (TPB) and neutralization theory in the context of this study. This is followed by a presentation of the research model, hypotheses and variables. The next section describes methodological issues of the research. Finally, we discuss the preliminary results of the quantitative study before concluding the paper. 2 Editors: Gurpreet Dhillon and Spyridon Samonas An Analysis of the Combined Influences of Neutralization and Planned Behavior on Desirable Information Security Behavior Theoretical Background Previous literature on behavioral reasoning dealing with information security behavior of employees applied several theories ranging from, e.g., deterrence theory (Gibbs 1968), protection motivation theory (Rogers 1975), or theory of reasoned action (Ajzen et al. 1980) to its extension the theory of planned behavior (Ajzen 1991). A number of authors have suggested that future research in behavioral information security research has to identify and combine more innovative concepts to explore information security behavior (Warkentin et al. 2012). For that matter, we chose to explore a range of neutralization techniques in conjunction with the theory of planned behavior (TPB) as potential predictors of employees' security behavior. Neutralization theory is a sociological theory explaining anomalous individual behavior and the link with TPB was perceived as gap in current literature in the field of information security management. Previous work on the Theory of Planned Behavior and Security Behavior in IS The theory of planned behavior (Ajzen 1991) is a popular theory from psychology stating that attitude toward behavior, subjective norms, and perceived behavioral control, together predict a person's deliberate behavior intentions and behavior. It was often used to research safety behavior like driving speed, health behavior or condom use. In general, the TPB measures the relation between human thought and human action (Sommestad et al. 2013). Previous research has often used parts of the theory of planned behavior, but as a recent review of the latest academic literature showed, only a limited number of the TPB constructs were analyzed (Sommestad et al. 2013). The authors of this recently published meta-study suggested to more comprehensively test the TPB in information security contexts. Following this suggestion, we incorporated the TPB to analyze the intention for a desirable information security behavior and actual information security behavior. In what follows, we shortly introduce the research constructs of the original TPB (Ajzen 1991) and shortly link into the context of information security. According to the TPB, the attitude of a person toward the behavior in question plays an important role for explaining behavior. Previous research confirmed attitude as a valid predictor of the intention for information security compliance of employees (Bulgurcu et al. 2010). Social norms reflect how other employees care about the behavior in question. The violation of information security work instructions and policies is normally not a criminal activity, but rather a violation of social norms of the organization. Previous research highlights the importance of social norms in information security behavior research and connects social norms with the organization's security culture (Albrechtsen 2007; Cox 2012). In the TPB, social norms are represented by the concept of subjective norm, which describes the level of pressure that a person perceives imposed by significant peers to perform or not to perform a behavior. Finally, perceived behavioral control refers to a person's perception of the ability to perform a given behavior. This factor is held to exert both direct and interactive effects on behavior. These TPB predictors lead to behavioral intentions and consequently deliberate behavior. There is a substantial amount of research that has confirmed the relationship of the intention for information security behavior and actual security behavior (Cox 2012; Sommestad et al. 2013). Previous work on Neutralization Theory in IS The principles of neutralization theory (Sykes et al. 1957) have previously been used to explain deviant behavior like drug use, theft, or deviant consumer behavior (Maruna et al. 2004). Neutralization theory is based on the idea that individuals apologize their undesirable behavior by so-called neutralization techniques (Lim 2002). In general, social behavior is internalized and learned in the process of social interaction (Sykes et al. 1957). Scientific information security behavior literature has investigated neutralization theory in connection with deterrence theory (Barlow et al. 2013; Siponen et al. 2010). However, prior research has largely neglected the relative influences of each of three generally accepted TPB predictors in comparison with different neutralization techniques for information security behavior. Constructs of Neutralization Theory Neutralization theory describes several neutralization techniques (Sykes et al. 1957), which were later extend by IS related studies (Barlow et al. 2013; Siponen et al. 2010). While one IS study used the three constructs "denial of injury", "metaphor of the ledger" and "defense of necessity" as neutralization Information Institute Conferences, Las Vegas, NV, May 21-23, 2014 3 Bauer; Bernroider constructs (Barlow et al. 2013), another study used six constructs (Siponen et al. 2010). In general, findings confirmed that these neutralization techniques influence security behavior of employees and in particular seem to be more effective than sanctions. One study proposed that focusing communication and training on neutralization techniques is just as effective as focusing on deterrent sanctions (Barlow et al. 2013). A more extensive taxonomy uses six types of neutralization techniques, which we have also considered in our research (Siponen et al. 2010): Denial of Responsibility: The employee sometimes negate his responsibility for certain actions. Additionally, he considers himself to be powerless regarding the control of these types of incidents (Siponen et al. 2010; Sykes et al. 1957). Denial of Injury: The employee is totally convinced that his or her non-malicious actions violating the information security do not have a substantial negative impact. In other words, the person tries to excuse behavior by emphasizing the minimal potential damage (Barlow et al. 2013; Siponen et al. 2010; Sykes et al. 1957). Defense of Necessity: In this strategy, the employee thinks that she has no other acceptable choice to act. In this particular case, the employee sees herself to be forced to break the security rules for example in order to meet important deadlines (Barlow et al. 2013; Siponen et al. 2010). Condemnation of the Condemners: The employees do not regard the rules as just and fair and consider those who condemn as doing so out of spite. Thus, the lack of recognition can induce the fraudulent behavior (Siponen et al. 2010; Sykes et al. 1957). Appeal to Higher Loyalties: Sometimes employees excuse their violation of security rules by justifying for the greater good. A common reason is that they consider the rules being too restrictive (Siponen et al. 2010; Sykes et al. 1957). The Metaphor of the Ledger: Employees tend to rather emphasize other high-quality work and perhaps neglect the gravity of committed mistakes related to information security (Barlow et al. 2013; Siponen et al. 2010; Sykes et al. 1957). Research Model and Operationalization Research Model and Hypotheses Figure 1 shows the research model, which is based on the theory of planned behavior and neutralization theory. The effects of attitude, subjective norm and perceived behavioral control on the intention for a desirable information security behavior are widely accepted, but the whole model of the TBP needs more validation for the information security context (Sommestad et al. 2013). In principle, however we can assume that attitude, subjective norm and perceived behavioral control will have an influence on intention for a desirable security behavior (H1, H2, H3). Further, we also seek to confirm the direct link between perceived behavioral control and actual security behavior (H4). So far hardly any attention was paid to neutralization in the context of TPB. The effects of neutralization on intention for security violations has been considered (Barlow et al. 2013; Siponen et al. 2010). We approach security behavior differently and concentrate on the anticipated negative effect of neutralization on the intention for a desirable security behavior (H5). Moreover, the underlying study assumes that the intention of a desirable security behavior influences actual security behavior (H6). Consequently, we assume the following: Hypotheses 1 (H1): Attitude has a positive effect on the intention for a desirable information security behavior. Hypotheses 2 (H2): Subjective norm has a positive effect on intention for a desirable information security behavior. Hypotheses 3 (H3): Perceived Behavioral Control has a positive effect on intention for a desirable information security behavior. Hypotheses 4 (H4): Perceived Behavioral Control has a positive effect on actual information security behavior. Hypotheses 5 (H5): Neutralization has a negative effect on intention for a desirable information security behavior. 4 Editors: Gurpreet Dhillon and Spyridon Samonas An Analysis of the Combined Influences of Neutralization and Planned Behavior on Desirable Information Security Behavior Hypotheses 6 (H6): Intention for a desirable information security behavior has a positive effect on actual information security behavior. Variable Selection and Measurement We have summarized how we conceptualized the various variables in Table A2 (Appendix). For each construct, the table offers an overall description and cites supporting literature. Table A1 (Appendix) lists the measurement items of these respective variables. Each of the three exogenous TPB constructs and six exogenous neutralizations were designed as reflective constructs, where the direction of causality runs from the items to the construct. In addition, the two endogenous (dependent) constructs were defined as reflective construct. The higher-order component is overall neutralization, which is too complex to measure as single dimension. We therefore represented neutralization by the six underlying techniques described in the previous section, which we considered together as a reflective-formative hierarchical component model. According to recommendations (Hair et al. 2013), the number of indicators in Table A1 is similar across these lower level components. Research Methodology Research Approach The research process is illustrated in Figure 1. Firstly, a comprehensive literature review was conducted (Webster et al. 2002). The research team consulted the academic databases ‘Thomson Reuters Web of Knowledge’, ‘Scopus’, ‘Google scholar’, ‘ProQuest ABI/INFORM Global’ through combinations of the keywords "neutralization", "information security" and "security behavior". Based on the findings, we developed the research model and hypotheses. In the next step, we designed and implemented the survey for data collection before analyzing the data. Literature Review Development of Research Questions and Hypothesis Development of the Online Survey Writing the Paper Interpretation of the results Data Analysis with SmartPLS Pretest & Improvement of the Online Survey Data Collection Figure 1. Main Stages of Research Approach Data Collection The data collection method used in this particular study was an online survey, which was conducted in December 2013 and targeted all enrolled students of WU Vienna with work experience. Survey participation was voluntary and no incentives were provided. After sending one invitation email to all registered students, 512 responses were registered within a week after which we closed the survey. Concerning the structure of the online survey, there was a filter after the demographics section, which asked the respondents if they had acquired work experience from a company having an information security policy. 220 respondents approved this question and confirmed that they have at least little knowledge about such a policy. Only these 220 members of the actual working population were included in the data analysis to ensure a degree of external validity of the results Information Institute Conferences, Las Vegas, NV, May 21-23, 2014 5 Bauer; Bernroider Statistical Methods We chose partial least squares structural equation modeling (PLS-SEM) approach for the data analysis. The advantage of this approach lies in the fact that with SEM the measurement and the structural model can be analyzed at once (Park et al. 2007; Su et al. 2010). Furthermore, the decision for SEM, based on the underlying approach of PLS, is due to our research aims, which is to explain the variance of the endogenous construct 'intention for desirable information security behavior' (Chin 1998). Furthermore, PLS has fewer stringent requirements regarding distribution properties (Wold 1982). The software package SmartPLS was used to analyze the data (Ringle et al. 2005). Our research model was developed as a reflective measurement model. The bootstrap re-sampling procedure was used to test the significance of all model paths (Gefen et al. 2000). Data Analysis Sample Descriptives Table 1 shows the demographic characteristics of our acquired sample. Our respondents all have the general qualification for university entrance, but not completed their degrees. The majority of respondents are between 21 and 30 years old and have between 1 and 10 years of work experience. On average respondents work 6.3 hours per day with a computer and work in 17 different industries. Table 1. Demographic Characteristics of Respondents Demographic Characteristic Gender Age (years) Work experience (years) N Percentage Female 101 45.9% Male 119 54.1% < 20 32 14.6% 21-25 107 48.6% 26-30 42 36.8% > 30 39 17.7% <1 15 6.8% 1-3 104 47.3% 4-10 71 32.3% 11+ 30 13.6% Measurement Model Validation We tested the measurement model with the goodness-of-fit criteria in Table 2 following current recommendations (Hair et al. 2013; Hair et al. 2011; Sarstedt et al. 2011). First, we considered internal consistency reliability by assessing Cronbach's α and composite reliability, which considers the different outer loadings of the indicator variables. All respective values are above 0.70, which is considered to be acceptable. In terms of convergent validity, the AVE criteria are also all above the recommended threshold (0.5), which indicates that, on average, the construct explains more than half of the variance of its indicators. For assessing discriminant validity, we controlled the cross loadings of the items (Hair et al. 2011), which were also acceptable. 6 Editors: Gurpreet Dhillon and Spyridon Samonas An Analysis of the Combined Influences of Neutralization and Planned Behavior on Desirable Information Security Behavior Table 2. Constructs and Measurement Model Validity Latent Variable Indicators Loadings ATT1 0.84 ATT2 0.90 ATT3 0.94 ATT4 0.90 Subjective norm toward Information Security SN1 0.72 SN2 0.85 SN3 0.79 Perceived Behavioral Control PBC1 0.88 PBC2 0.89 Intention for desirable security behavior DSB1 0.79 DSB2 0.82 DSB3 0.83 Actual desirable security behavior ASB1 0.93 ASB2 0.94 Denial of responsibility DOR1 0.85 DOR2 0.90 DOR3 0.88 CC1 0.86 CC2 0.92 CC3 0.92 Appeal to higher loyalties AHL1 0.96 AHL2 0.96 Denial of injury DJ1 0.94 DJ2 0.94 Defense of necessity DN1 0.92 DN2 0.91 Metaphor of the ledger ML1 0.97 ML2 0.97 Attitude toward Information Security Behavior Condemnation of the condemners Cronbach's α Composite Reliability AVE 0.92 0.94 0.80 0.70 0.83 0.62 0.72 0.88 0.78 0.75 0.85 0.66 0.86 0.93 0.88 0.85 0.91 0.77 0.88 0.93 0.81 0.92 0.96 0.92 0.87 0.94 0.88 0.81 0.91 0.84 0.93 0.97 0.94 Evaluation of the Structural Model The most commonly used measure to evaluate the structural model is R², which is a measure of the models predictive accuracy and represents the amount of variance in the endogenous constructs explained by all of the exogenous constructs linked to it. R² of "the intention for a desirable security behavior" is 0.44 and for "actual security behavior" it is 0.30, which are relatively high compared to previous studies of similar Information Institute Conferences, Las Vegas, NV, May 21-23, 2014 7 Bauer; Bernroider constructs (Sommestad et al. 2013) and can be seen described as moderate according to general recommendation in scholarly research (Hair et al. 2013). Table 3: Verdict on Structural Relationships of the Research Model Hypotheses Path coefficient Tvalues f² f² Effect (H1): Attitude has a positive effect on intention for a desirable information security behavior. 0.27*** 5.71 0.10 Weak (H2): Subjective norm has a positive effect on intention for a desirable information security behavior. 0.17*** 3.81 0.04 Weak (H3): Perceived Behavioral Control has a positive effect on intention for a desirable information security behavior. 0.35*** 9.70 0.19 Moderate (H4): Perceived Behavioral Control has a positive effect on actual information security behavior. 0.14*** 2.67 0.02 Weak (H5): Neutralization has a negative effect on intention for a desirable information security behavior. -0.19*** 5.29 0.18 Moderate (H6): Intention for a desirable information security behavior has a positive effect on actual information security behavior. 0.47*** 11.17 0.23 Moderate *p<0.10, **p<0.05, ***p<0.01 The purpose of the structural equation model was to test the direct effects of the potential latent predictors identified from the TPB and the Neutralization theory as captured by our 6 research hypotheses. We used the results from bootstrapping with 5000 subsamples as a non-parametric re-sampling procedure to calculate t-statistics (Chin 1998). The path coefficients show weak and moderate relationship of the research constructs. Table 3 illustrates the hypotheses, all path coefficients of the research model, significance levels, and effect sizes. The effect size f2 of a latent factor results from analyzing the decrease in R2 when excluding one independent latent factor (Cohen 1988). It was suggested that f2 values of .02, .15, and .35 mean small, medium, and large effects, respectively. The results indicate that neutralization and perceived behavioral control have the greatest influence on the intention of a desirable information security behavior. As anticipated, the intention for a desirable security behavior predicts actual behavior. The other relationships show weak effects. 8 Editors: Gurpreet Dhillon and Spyridon Samonas An Analysis of the Combined Influences of Neutralization and Planned Behavior on Desirable Information Security Behavior Figure 2. Research Model and Results Discussion and Conclusions The main contribution of this paper is to explicate neutralization techniques in conjunction with the theory of planned behavior in the context of desirable employee information security behavior. The findings confirm that individual neutralizations have a negative effect on security behavior and together with the classical indicators of the TPB significantly explain the intention to comply with information security rules, policies and working procedures and in turn actual compliance. Prior research, to our knowledge, has not yet provided the same analysis. The results advance our understanding about the social construction of reality of employees in terms of six defense mechanisms through which employees may rationalize their deviant behavior. We also call for more research on similar offender’s perspectives. Next, we will discuss these findings and implications in relation to the underlying theories (TPB, Neutralization) in more detail. Information Institute Conferences, Las Vegas, NV, May 21-23, 2014 9 Bauer; Bernroider Our research confirms the classical beliefs-intention-behavior link as suggested by the TPB in the application context of this study. More specifically, attitudes towards desirable security behavior, subjective norms and perceived behavioral control are valid predictors of the individual's intention to act accordingly (H1-3). In addition, the direct link between perceived behavioral control was also validated although only marginally (H4) as well as the obvious strong association between behavioral intention and actual behavior (H6). The latter relationship was already known to hold in general and also in the context of security behavior (Cox 2012; Sommestad et al. 2013). In terms of Neutralization theory, we can also confirm the general importance of the investigated neutralization techniques, which taken together negatively impact the intention of employees to behave desirably (H5). The effect sizes show that neutralization has a roughly similar effect than the most important predictor of the TPB, which is perceived behavioral control. Theoretically, this finding adds to our understanding of how to predict desirable security behavior in extension to the TPB or deterrence theory (Barlow et al. 2013; Siponen et al. 2010). The internal mechanisms by which employees neutralize their security values should be considered in conjunction with the predictors of the TPB when reflecting upon the desirable security behavior. All six assessed neutralization techniques seem to be important methods by which individuals justify less desired security behaviors. The most important techniques, however, seem to be the defense of necessity and the condemnation of the condemners. For the former, employers defend their undesirable security behavior by their needs to meet their work objectives such as deadlines. In terms of the latter, the employees simply perceive the rules as unfair. We believe that contemporary information security awareness programs should pay more attention to these defense mechanisms (Bauer et al. 2013b). Finally, we need to acknowledge some limitations of this study. A common problem in empirical quantitative research is external reliability. In this context, the results must be interpreted with caution. Firstly, the sample consists of students with most of the respondents being younger than 30 years. We therefore cannot assume that our results can be unconditionally extended to the context of employees in general. However, we controlled reliability with a number of measures. As a start we contacted the full population to ensure a good representation of all students. We controlled the role of the target person by applying filter questions and semantically linking most questions to the context of work environments. We could not avoid the use of a mono method, which however is common in many studies of similar designs (e.g. Fink et al. 2009). Conclusions Our findings provide important insights for scholars and practitioners. Overall, all proposed hypotheses are supported according to our theoretical analysis. It is noteworthy to highlight the relatively stronger effects of perceived behavioral control and neutralization on the intention of desirable information security behavior. Neutralization theory, which is an essential perspective for explaining employees’ workplace security violations, should be considered in conjunction with the traditional aspects of subjective norm, general attitudes or perceived behavioral control to analyze and influence the intention of employees for desirable security behavior. Additional research would be required to fully understand the potential influence of neutralization theory on design and content of information security awareness delivery methods and programs. Therefore, we suggest conducting exploratory interviews with employees to explore the cause effect relationships behind their neutralization techniques. Furthermore, innovative information security awareness delivery methods should be designed according to the new insights about the factors influencing desirable information security behavior. These innovative methods should be evaluated in a real world context. 10 Editors: Gurpreet Dhillon and Spyridon Samonas An Analysis of the Combined Influences of Neutralization and Planned Behavior on Desirable Information Security Behavior References Ajzen, I. 1991. "The theory of planned behavior," Organizational Behavior and Human Decision Processes (50:2), pp 179–211. Ajzen, I., and Fishbein, M. 1980. Understanding attitudes and predicting social behavior, (Prentice-Hall: Englewood Cliffs, NJ. Albrechtsen, E. 2007. "A qualitative study of users' view on information security," Computers & Security (26:4), pp 276-289. Barlow, J. B., Warkentin, M., Ormond, D., and Dennis, A. R. 2013. "Don't make excuses! Discouraging neutralization to reduce IT policy violation," Computers & Security:In Press). Bauer, S., and Bernroider, E. W. N. 2013. "IT Operational Risk Awareness Building in Banking Companies: A Preliminary Research Design Highlighting the Importance of Risk Cultures and Control Systems," International Conference on Information Resource Management, Natal, Brazil, 2013a, pp. 1-4. Bauer, S., Bernroider, E. W. N., and Chudzikowski, K. 2013. "End User Information Security Awareness Programs for Improving Information Security in Banking Organizations: Preliminary Results from an Exploratory Study," AIS SIGSEC Workshop on Information Security & Privacy (WISP2013), Milano, 2013b. Boss, S. R., Kirsch, L. J., Angermeier, I., Shingler, R. A., and Boss, R. W. 2009. "If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security," European Journal of Information Systems (18:2), pp 151-164. Bulgurcu, B., Cavusoglu, H., and Benbasat, I. 2010. "Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness," MIS Quarterly (34:3), pp 523-548. Chin, W. W. 1998. "The Partial Least Squares Approach to Structural Equation Modeling," in Modern Methods for Business Research, G. A. Marcoulides (ed.), Lawrence Erlbaum Associates: New Jersey, p. 297. Cohen, J. 1988. Statistical power analysis for the behavioral sciences, (2 ed.) Lawrence, Erlbaum Associates: Hillsdale, New Jersey. Cox, J. 2012. "Information systems user security: A structured model of the knowing–doing gap," Computers in Human Behavior (28:5), pp 1849-1858. Fink, L., and Neumann, S. 2009. "Exploring the perceived business value of the flexibility enabled by information technology infrastructure," Information & Management (46:2), pp 90-99. Gefen, D., Straub, D. W., and Boudreau, M.-C. 2000. "Structural Equation Modeling and Regression: Guidelines for research practice," Communications of the Association for Information Systems (4:7), pp 1-79. Gibbs, J. P. 1968. "Crime, punishment and deterrence," Southwestern Social Science Quarterly (48:5), pp 515–530. Goldstein, J., Chernobai, A., and Benaroch, M. 2011. "An Event Study Analysis of the Economic Impact of IT Operational Risk and its Subcategories," Journal of the Association for Information Systems (12:9), pp 606-631. Guo, K. H. 2013. "Security-related behavior in using information systems in the workplace: A review and synthesis," Computers & Security (32), pp 242-251. Hair, J. F., Hult, G. T. M., Ringle, C. M., and Sarstedt, M. 2013. A primer on partial least squares structural equation modeling (pls-sem), (Sage: Los Angeles. Hair, J. F., Sarstedt, M., Ringle, C. M., and Mena, J. A. 2011. "An assessment of the use of partial least squares structural equation modeling in marketing research," Journal of the Academy of Marketing Science (40:3), pp 414-433. Hu, Q., Dinev, T., Hart, P., and Cooke, D. 2012. "Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture," Decision Sciences (43:4), pp 615-659. Lim, V. K. G. 2002. "The IT way of loafing on the job: cyberloafing, neutralizing and organizational justice," Journal of Organizational Behavior (23:5), pp 675-694. Information Institute Conferences, Las Vegas, NV, May 21-23, 2014 11 Bauer; Bernroider Maruna, S., and Copes, H. 2004. "What Have We Learned from Five Decades of Neutralization Research?," Crime and Justice (32), pp 221-320. Padayachee, K. 2012. "Taxonomy of compliant information security behavior," Computers & Security (31:5), pp 673-680. Park, J.-H., Suh, H.-J., and Yang, H.-D. 2007. "Perceived absorptive capacity of individual users in performance of Enterprise Resource Planning (ERP) usage: The case for Korean firms," Information & Management (44:3), pp 300-312. Ringle, C., Wende, S., and Will, A. 2005. "SmartPLS 2.0 (beta)," University of Hamburg. Rocha Flores, W., and Antonsen, E. 2013. "The development of an instrument for assessing information security in organizations: Examining the content validity using quantitative methods," in Proceedings of the International Conference on Information Resource Management 2013 (Conf-IRM 2013), L. Janczewski (ed.): Natal, Brazil, pp. 1-15. Rogers, R. W. 1975. " A protection motivation theory of fear appeals and attitude change," Journal of Psychology (91:1), pp 93-114. Sarstedt, M., Ringle, C. M., and Hair, J. F. 2011. "PLS-SEM: Indeed a Silver Bullet," The Journal of Marketing Theory and Practice (19:2), pp 139-152. Siponen, M., and Vance, A. 2010. "Neutralization: New Insights into the Problem of Employee Information Systems Security Policy Violations," MIS Quarterly (34:3), pp 487-502. Sommestad, T., and Hallberg, J. 2013. "A review of the theory of planned behaviour in the context of information security policy compliance," International Information Security and Privacy Conference, Springer Verlag Berlin Heidelberg. Stanton, J. M., Stam, K. R., Mastrangelo, P., and Jolton, J. 2005. "Analysis of end user security behaviors," Computers & Security (24:2), pp 124-133. Su, Y.-f., and Yang, C. 2010. "Why are enterprise resource planning systems indispensable to supply chain management?," European Journal of Operational Research (203:1), pp 81-94. Sykes, G. M., and Matza, D. 1957. "Techniques of Neutralization: A Theory of Delinquency," American Sociological Association (22:6), pp 664-670. Vance, A., Siponen, M., and Pahnila, S. 2012. "Motivating IS security compliance: Insights from Habit and Protection Motivation Theory," Information & Management (49:3-4), pp 190-198. Warkentin, M., Straub, D., and Malimage, K. 2012. "Featured Talk: Measuring Secure Behavior: A Research Commentary," in Annual Symposium of Information Assurance & Secure Knowledge Management: Albany, NY. Warkentin, M., and Willison, R. 2009. "Behavioral and policy issues in information systems security: the insider threat," European Journal of Information Systems (18:2), pp 101-105. Webster, J., and Watson, R. T. 2002. "Analyzing the Past to Prepare for the Future: Writing a Literature Review," MIS Quarterly (26:2), pp xiii-xxiii. Willison, R., and Warkentin, M. 2013. "Beyond Deterrrence: An Expanded View of Employee Computer Abuse," MIS Quarterly (37:1), pp 1-20. Wold, H. 1982. "Soft modeling: the basic design and some extensions," in Systems under indirect observations: Causality, structure, prediction. Part 2, K. G. Jöreskog and H. Wold (eds.), NorthHolland: Amsterdam, pp. 1-54. 12 Editors: Gurpreet Dhillon and Spyridon Samonas An Analysis of the Combined Influences of Neutralization and Planned Behavior on Desirable Information Security Behavior Appendix Table A1. Measurement Model Construct Attitude toward Information Security Behavior Adapted from ATT1 To me, information security procedures and operating instructions in our daily work are _______. (Scale from unnecessary to necessary) ATT2 To me, information security procedures and operating instructions in our daily work are _______. (Scale from unbeneficial to beneficial) ATT3 To me, information security procedures and operating instructions in our daily work are _______. (Scale from unimportant to important) ATT4 To me, information security procedures and operating instructions in our daily work are _______. (Scale from useless to useful) SN1 In our organization, information security is viewed as a collective responsibility. SN2 Both my colleagues and I share the same ambitions and vision of protecting information assets from being compromised in our organization. SN3 Both my colleagues and I share and agree on the way collective information security goals are being pursued in our organization. Perceived Behavioral Control toward Information Security PBC1 I have the necessary skills to fulfill the requirements of the information security procedures and operating instructions. PBC2 I have the necessary knowledge to fulfill the requirements of the information security procedures and operating instructions. Intention for desirable security behavior DSB1 I plan to keep aware of the latest security threats so I can protect my system. (Boss et al. 2009) DSB2 I intend to comply with information security rules, policies and working procedures. (Vance et al. 2012) DSB3 I intend to assist others in complying with information security rules, policies and working procedures. (Vance et al. 2012) Actual desirable security behavior ASB1 I take IT-security very seriously. ASB2 I tend to greater care concerning IT-security. self constructed Denial of responsibility DOR1 It is OK to violate the company information security policy if you aren’t sure what the policy is. DOR2 It is OK to violate the company information security policy if you don’t understand it. Subjective norm toward Information Security (Bulgurcu et al. 2010) (Rocha Flores et al. 2013) (Bulgurcu et al. 2010) (Siponen et al. 2010) Information Institute Conferences, Las Vegas, NV, May 21-23, 2014 13 Bauer; Bernroider Condemnation of the condemners Appeal higher loyalties Denial of injury Defense of necessity Metaphor of the ledger to DOR3 It is OK to violate the company information security policy if the policy is not advertised. CC1 It is not as wrong to violate a company information security policy that is not reasonable. CC2 It is not as wrong to violate a company information security policy that requires too much time to comply with. CC3 It is not as wrong to violate a company information security policy that is too restrictive. AHL1 It is all right to violate a company information security policy if you get your work done. AHL2 It is all right to violate a company information security policy if you complete the task given by management. DJ1 It is OK to violate the company information security policy if no damage is done to the company. DJ2 It is OK to violate the company information security policy if no one gets hurt. DN1 It is all right to violate the company information security policy when you are under a tight deadline. DN2 It is all right to violate the company information security policy when you are in a hurry. ML1 I feel my general adherence to company information security policy compensates for occasionally violating an information security policy. ML2 I feel my good job performance compensates for occasionally violating information security policy. 14 Editors: Gurpreet Dhillon and Spyridon Samonas (Siponen et al. 2010) (Siponen et al. 2010) (Siponen et al. 2010) (Siponen et al. 2010) (Siponen et al. 2010) An Analysis of the Combined Influences of Neutralization and Planned Behavior on Desirable Information Security Behavior Table A2. Theories, Constructs and Measures Constructs Measures Codes Descriptions and Sources Based on the Theory of Planned Behavior (Ajzen 1991) Attitude toward information security behavior 4-Items ATT1-4 Employee’s attitudes on whether it is good or bad to perform a security compliant behavior. Adapted from (Bulgurcu et al. 2010). Subjective norm 3-Items SN 1-3 Employee’s perceptions of whether the behavior is accepted and encouraged by people who are important to him or her in the organization, such as colleagues, subordinates, or superiors. Adapted from (Rocha Flores et al. 2013). Perceived behavioral control 2-Items PBC1-2 Employee’s perceived ease or difficulty of performing a behavior and personal sense of having the skills and control over performing it. Adapted from (Bulgurcu et al. 2010). Intention for desirable security behavior 3-Items DSB1-3 Employee’s belief that he or she will perform the desirable behavior sometime in the future. Adapted from (Boss et al. 2009; Vance et al. 2012). Actual desirable security behavior 2-Items ASB1-2 Employee’s belief that he or she will perform the desirable behavior sometime in the future. Based on the Neutralization Theory (Sykes et al. 1957) Denial of responsibility 3-Items DOR1-3 Employee feels not responsible for his action and he thinks that his behavior is beyond his control (Sykes et al. 1957). Condemnation of the condemners 3-Items CC1-3 Employee feels that the rules are unjust or make no sense, hence a violates the information security policy Appeal to higher loyalties 2-Items AHL1-2 Employees explain their deviant behavior by excusing the violation because they have too less time to carry out the work or that the rules are too restrictive (Sykes et al. 1957). Denial of injury 2-Items DJ1-2 Employee justifies his action by minimizing the harm it causes. Defense of necessity 2-Items DN1-2 Employee thinks that he has no other acceptable choice to act. Metaphor of the ledger 2-Items ML1-2 Employee feels that he/she has done enough good deeds to justify doing something against policy. Information Institute Conferences, Las Vegas, NV, May 21-23, 2014 15
