Similar literature
20 similar documents found (search time: 46 ms)
1.
Organisations increasingly rely on information and related systems, which are also a source of risk. Unfortunately, employees represent the greatest risk to organisational information because they are the most frequent source of information security breaches. To address this ‘weak link’ in organisational security, most organisations have strict information security policies (ISPs) designed to thwart employee information abuses. Regrettably, these ISPs are only partially effective because employees often ignore them, circumvent them or even do the opposite of what management desires. Research on attempts to increase ISP compliance has produced similarly mixed results. Lack of compliance with ISPs is a widespread organisational issue that increasingly bears disproportionately large direct and qualitative costs that undermine strategy. Consequently, the purpose of our study was to contribute to the understanding of both motivations to comply with new ISPs and motivations to react negatively against them. To do so, we proposed an innovative model, the control‐reactance compliance model (CRCM), which combines organisational control theory – a model that explains ISP compliance – with reactance theory – a model used to explain ISP noncompliance. To test CRCM, we used a sample of 320 working professionals in a variety of industries to examine the likely organisational outcomes of the delivery of a new ISP to employees in the form of a typical memo sent throughout an organisation. We largely found support for CRCM, and this study concludes with an explanation of the model's contributions to research and practice related to organisational ISP compliance.

2.
The management of information security can be conceptualized as a complex adaptive system because the actions of both insiders and outsiders co-evolve with the organizational environment, thereby leading to the emergence of overall security of informational assets within an organization. Thus, the interactions among individuals and their environments at the micro-level form the overall security posture at the macro-level. Additionally, in this complex environment, security threats evolve constantly, leaving organizations little choice but to evolve alongside those threats or risk losing everything. In order to protect organizational information systems and associated informational assets, managers are forced to adapt to security threats by training employees and by keeping systems and security procedures updated. This research explains how organizational information security can perhaps best be managed as a complex adaptive system (CAS) and models the complexity of IS security risks and organizational responses using agent-based modeling (ABM). We present agent-based models that illustrate simple probabilistic phishing problems as well as models that simulate the organizational security outcomes of complex theoretical security approaches based on general deterrence theory (GDT) and protection motivation theory (PMT).

3.
Cyber-loafing—using the internet for non-work purposes during work time—can lower employee productivity and expose organizations to security risks. Organizations need to control this type of behavior. We studied two control methods: internet use policies and electronic monitoring. We empirically investigated the effectiveness of these two methods and how their effectiveness is influenced by the employees’ individual differences. Based on the data collected from 209 Chinese public servants, we found that both methods can significantly lower employees’ cyber-loafing intentions. Additionally, an internet use policy is more effective for employees with a high level of self-esteem than for those with a low level of self-esteem, whereas electronic monitoring is more effective for employees with a high level of job satisfaction than for those with a low level of job satisfaction. This study advances the theoretical understanding of methods for the control of cyber-loafing and has practical implications for the mitigation of its negative effects.

4.
There is growing evidence available to suggest that Human Resource Management (HRM) practice is an important predictor of organizational performance. Drawing upon organizational learning perspectives, we argue that HRM systems also have the potential to promote organizational innovation. We present longitudinal data from thirty‐five UK manufacturing organizations to suggest that effective HRM systems – incorporating sophisticated approaches to recruitment and selection, induction, appraisal and training – predict organizational innovation in products and production technology. We further show that organizational innovation is enhanced where there is a supportive learning climate, and inhibited (for innovation in production processes) where there is a link between appraisal and remuneration.

5.
Modern organizations face significant information security threats, to which they respond with various managerial techniques. It is widely believed that “one size does not fit all” for achieving employee information security policy compliance; nevertheless, it is yet to be determined which techniques work best for different organizational employees. We further this research stream by finding that different levels of users might be effectively motivated by different types of coercive and empowering techniques that are suitable to their level and position in the organizational chart. Our results suggest that participation in the ISP decision-making process might prove to be a more effective approach to motivate lower-level employees toward compliance and that enhancing the meaningfulness of policy compliance could be the preferred method among higher levels of management. Members within each level of the organization can be effectively influenced to comply with ISPs when such strategies are customized for their level.

6.
Although employee computer abuse is a costly and significant problem for firms, the existing academic literature regarding this issue is limited. To address this gap, we apply a multi‐theoretical model to explain employees' intentions to abuse computers. To understand the motives for such behaviour, we investigate the role of two forms of organizational justice – distributive and procedural – both of which provide explanations of how perceptions of unfairness are created in the organizational context. By applying deterrence theory, we also examine the extent to which formal sanctions influence and moderate the intentions to abuse computers. Finally, we examine how the potential motives for abuse may be moderated by techniques of neutralization, which allow offenders to justify their actions and absolve themselves of any associated feelings of guilt and shame. Utilizing the scenario‐based factorial survey method for our experimental design, we empirically evaluated the association between these antecedents and the behavioural intention to violate Information systems (IS) security policies in an environment where the measurement of actual behaviour would be impossible. Our findings suggest that individual employees may form intentions to commit computer abuse if they perceive the presence of procedural injustice and that techniques of neutralization and certainty of sanctions moderate this influence. The implications of these findings for research and practice are presented. © 2016 John Wiley & Sons Ltd

7.
Information security knowledge sharing (ISKS) among an organization's employees is vital to the organization's ability to protect itself from any number of prevalent threats, yet for many organizations, their ability to establish ISKS practices is hampered by a lack of understanding of where and how the key drivers of these practices will emerge. Based on neoinstitutional theory and a multi-study field survey of 834 professional managers in the USA, we develop and test a model that explains the establishment of ISKS practices in an organization as a product of the institutional forces abut to the organization providing normative, mimetic, and coercive influences on top management beliefs and participations in ISKS. Our findings also emphasize the importance of establishing ISKS practices for ensuring employee compliance with information security policies and an effective culture of security. Prior research has shown the importance of institutional forces on organizational processes as well as the importance of ISKS to organizational security efforts. However, this study is one of the early studies to provide insight into the manner in which institutional forces hold sway over the people responsible for establishing the ISKS practices of a firm; insight that is essential for firms that have yet to establish such practices or have struggled in their attempts to do so.

8.
LinkedIn, with over 1.5 million Groups, has become a popular place for business employees to create private groups to exchange information and communicate. Recent research on social networking sites (SNSs) has widely explored the phenomenon and its positive effects on firms. However, social networking's negative effects on information security were not adequately addressed. Supported by the credibility, persuasion and motivation theories, we conducted 1) a field experiment, demonstrating how sensitive organizational data can be exploited, followed by 2) a qualitative study of employees engaged in SNSs activities; and 3) interviews with Chief Information Security Officers (CISOs). Our research has resulted in four main findings: 1) employees are easily deceived and susceptible to victimization on SNSs where contextual elements provide psychological triggers to attackers; 2) organizations lack mechanisms to control SNS online security threats, 3) companies need to strengthen their information security policies related to SNSs, where stronger employee identification and authentication is needed, and 4) SNSs have become important security holes where, with the use of social engineering techniques, malicious attacks are easily facilitated.

9.
Throughout the world, sensitive personal information is now protected by regulatory requirements that have translated into significant new compliance oversight responsibilities for IT managers who have a legal mandate to ensure that individual employees are adequately prepared and motivated to observe policies and procedures designed to ensure compliance. This research project investigates the antecedents of information privacy policy compliance efficacy by individuals. Using Health Insurance Portability and Accountability Act compliance within the healthcare industry as a practical proxy for general organizational privacy policy compliance, the results of this survey of 234 healthcare professionals indicate that certain social conditions within the organizational setting (referred to as external cues and comprising situational support, verbal persuasion, and vicarious experience) contribute to an informal learning process. This process is distinct from the formal compliance training procedures and is shown to influence employee perceptions of efficacy to engage in compliance activities, which contributes to behavioural intention to comply with information privacy policies. Implications for managers and researchers are discussed.

10.
Efficient management of knowledge is a major success factor for corporations and organizations. Many corporations have started Knowledge Management initiatives with the goal to actively manage knowledge creation and flow. Apart from the necessary organizational changes they have tried to support the quest for knowledge with Knowledge-Management systems. Peer-to-peer systems offer a cost-efficient, user-friendly alternative to server-based knowledge management solutions. However, due to various reasons they have not gained significant market share. During our sales activities for Dinow, our distributed knowledge management system, we have encountered various reasons for the slow adoption of this promising technology. In addition to technological concerns, e.g. regarding security, we have found that psychological factors are very significant: the possibility of “free” information flow contradicts the rigid frameworks, policies, and procedures in most organizations. It is a common misconception that currently used technology, i.e. e-mail, protects against such unwanted information flow.

11.
We examined cyber incivility in the workplace of Singapore and also examined its impact on employee job satisfaction, organizational commitment, quit intention, and workplace deviance. Data were collected from 192 employees. Results of the survey showed that male supervisors engaged in active forms of cyber incivility while female supervisors engaged in passive cyber incivility. Regression analyses also showed that cyber incivility was negatively related to employees’ job satisfaction and organizational commitment. Employees who experienced cyber incivility were also more likely to quit their jobs or engage in deviant behavior against their organization. Thus, cyber incivility has negative consequences on both individuals and organizations. Consequently, it is important that firms educate employees and have appropriate policies to discourage cyber incivility.

12.
Managing the spillover and integrating the work and life domains has become a critical challenge for both individuals and organizations as the two domains become increasingly interlocked. An under-researched area in our understanding of the integration of role domains is how individual employees have taken the initiative to “work through” the issues – that is, to improvise solutions to role integration often apart from formally sanctioned organizational initiatives. We propose that many employees are using information technology, specifically the web, to facilitate role integration between the work and family domains. Using the role integration perspective, this study examines the role of attitudes towards work/family personal web usage (PWU) as a moderator between role integration and well-being outcomes. Our data support a direct negative relationship between role conflict and well-being as well as a direct positive relationship between role facilitation and personal well-being. We also find that attitudes towards work/family PWU strongly buffer the relationship between role conflict and personal well-being. Finally, our data provide partial support for the enhancing role of PWU attitudes with role facilitation and well-being.

13.
Internet security risks, the leading security threats confronting today's organizations, often result from employees' non‐compliance with the internet use policy (IUP). Extant studies on compliance with security policies have largely ignored the impact of intrinsic motivation on employees' compliance intention. This paper proposes a theoretical model that integrates an intrinsic self‐regulatory approach with an extrinsic sanction‐based command‐and‐control approach to examine employees' IUP compliance intention. The self‐regulatory approach centers on the effect of organizational justice and personal ethical objections against internet abuses. The results of this study suggest that the self‐regulatory approach is more effective than the sanction‐based command‐and‐control approach. Based on the self‐regulatory approach, organizational justice not only influences IUP compliance intention directly but also indirectly through fostering ethical objections against internet abuses. This research provides empirical evidence of two additional effective levers for enhancing security policy compliance: organizational justice and personal ethics.

14.
The penetration of US national security by foreign agents as well as American citizens is a historical and current reality that's a persistent and increasing phenomenon. Surveys, such as the e-crime watch survey, reveal that current or former employees and contractors are the second greatest cybersecurity threat, exceeded only by hackers, and that the number of security incidents has increased geometrically in recent years. The insider threat is manifested when human behavior departs from compliance with established policies, regardless of whether it results from malice or a disregard for security policies. In this article, we focus on the need for effective training to raise staff awareness about insider threats and the need for organizations to adopt a more effective approach to identifying potential risks and then taking proactive steps to mitigate them.

15.
Given the significant role of people in the management of security, attention has recently been paid to the issue of how to motivate employees to improve security performance of organizations. However, past work has been dependent on deterrence theory rooted in an extrinsic motivation model to help understand why employees do or do not follow security rules in their organization. We postulated that we could better explain employees’ security-related rule-following behavior with an approach rooted in an intrinsic motivation model. We therefore developed a model of employees’ motivation to comply with IS security policies which incorporated both extrinsic and intrinsic models of human behavior. It was tested with data collected through a survey of 602 employees in the United States. We found that variables rooted in the intrinsic motivation model contributed significantly more to the explained variance of employees’ compliance than did those rooted in the extrinsic motivation model.

16.
Employee attitudes toward computer technology change over time. As computer technology becomes increasingly more prevalent throughout society and throughout the educational process, appreciative and critical attitudes toward the technology change. Understanding these attitudes can help organizations develop appropriate strategies to improve organizational effectiveness. Entry-level employees often present the greatest challenge for assimilation into the organization. Because today's student becomes tomorrow's entry-level employee, an examination of today's students to determine the appreciative and critical attitudes of future employees can prove beneficial in making modifications to organizational policies and procedures.

17.
Information security cannot rely solely on technology. More attention must be drawn to the users’ behavioral perspectives regarding information security. In this study, we propose that a culture encouraging employees to comply with information policies related to collecting, preserving, disseminating and managing information will improve information security. Information security culture is believed to be influenced by an organization’s corporate culture (or organizational culture). We examine how this occurs through an in-depth case study of a large organization. We present a relationship map for organizational culture and information security practices. Six propositions are drawn from the findings of our interviews and discussions. Managerial insights, such as how to measure an organization’s information security culture and subsequently determine what perspective(s) is important for the organization to improve, are also discussed.

18.
Empowerment, creativity, and organizational memory are constructs that have been researched in MIS. While each construct has received individual attention, we have found relatively little research linking them. One of the major edicts of empowerment is delegation of decision making authority to lower-level employees. Increased authority allows employees more freedom to be creative. However, if creative thought is generated but not captured, innovative ideas may be lost. Organizational memory can capture creative ideas as they are generated so that empowered teams can draw upon positive creative experiences. We developed a theoretical model to illuminate the relationships between organizational memory, worker empowerment, and creativity. The model portrays the linkages between empowerment and creativity, creativity and organizational memory, and organizational memory and empowerment. The model was developed based on the literature in each respective area and an interview-based study concerning “empowered” systems development project teams and organizational memory. Analysis of the interview data revealed that empowered workers generate creative solutions to problems. However, creative solutions can only be used for future projects if they are somehow recorded into organizational memory. Organizations that empowered their workforce and embraced creativity reported increased customer satisfaction, waste reduction, and some quality gains. In contrast, those that did not empower reported little or no change. Organizations that recorded creative solutions to problems believe that retrieval of this information could be potentially useful for future projects. Potential challenges faced by organizations classified into each cell are also presented. This classification scheme should prove useful as a guide to organizations examining the potential benefits and pitfalls of worker empowerment and organizational memory.

19.
The relation between ergonomic principles and quality management initiatives, both in the private and public sectors, has received increasing attention in recent years. Customer orientation among employees is not only an important quality principle, but also an essential prerequisite for customer satisfaction, especially in service organizations. In this context, the objective of introducing new public management (NPM) in public-service organizations is to increase customer orientation among employees who are at the forefront of service providing. In this study, we developed a short scale to measure perceived customer orientation. In two separate longitudinal studies carried out in Austria and the US, we analyzed changes in customer orientation resulting from the introduction of NPM. In both organizations, we observed a significant increase in customer orientation. Perceived customer orientation was related to job characteristics, organizational characteristics and employee quality of working life. Creating positive influences on these characteristics within the framework of an organizational change process has positive effects on employee customer orientation.

20.
《Computers & Security》1988,7(5):455-465
Management is often rightfully dissatisfied with the performance of many information security efforts. After investment of considerable resources, and prolonged waiting for results, many efforts can demonstrate little if any significant improvement. This is largely due to a lack of planning. Many efforts lack explicitly articulated plans as well as specific performance milestones. Although many are loath to admit it, information security efforts at many organizations lack formal planning and performance monitoring. Management's dissatisfaction with information security is exemplified by the seriously inadequate staffing levels found at a large number of organizations. When management is convinced that information security is a prudent investment, they will respond with additional resources. This article examines why information security efforts are often ineffective and why more formal planning efforts can alleviate this condition. It discusses tools best used to prepare an action plan for information security and gives some tips on how to sell such a plan to management. Also discussed are organizational design, policies, standards, and guidelines and other elements of a foundation that is required if an effective information security planning process is to be sustained. The article dwells on the establishment of a context for effective information security planning.
