Article

What Drives Information Security Policy Violations among Banking Employees? Insights from Neutralization and Social Exchange Theory


Abstract

Employees' information security policy (ISP) violations are a major problem that plagues organizations worldwide, particularly in the banking/financial sector. Research shows that employees use neutralization techniques to rationalize their ISP-violating behaviors; it is therefore important to understand what leads to and influences these neutralization techniques. The authors' study draws upon social exchange theory to develop a set of factors that drive employees' neutralization of ISP violations. The model specifies previously untested relationships between job satisfaction, organizational commitment, role conflict, role ambiguity, and neutralization techniques. Using a sample of Malaysian banking employees, the authors found a positive relationship between role conflict and neutralization of ISP violations, whereas organizational commitment was negatively related to neutralization in this context. The authors' findings offer fresh insights for scholars and practitioners in dealing with the problem of employees' intentional ISP violations while extending the reach of neutralization theory beyond North American and European cultures.


... Although one element of Relationship 2 examines how security policies can shape an employee's social and emotional well-being (e.g., feelings of stress associated with the introduction of a new security policy), this stream of research extends the concept by examining the subsequent consequences to compliance. For example, where a security policy can generate positive social and emotional outcomes, such as happiness (Siponen & Iivari, 2006), job satisfaction (D'Arcy and Greene, 2014), and organizational commitment (Aurigemma & Leonard, 2015; Teh et al, 2015), these factors impact the degree that employees will comply with the guidelines. In contrast, security policies that contribute to stress (D'Arcy et al, 2014) and role conflict/ambiguity (Teh et al, 2015) are found to lead to non-compliance. ...
... Similarly, response efficacy (i.e., the belief that employees can make a difference in security) is commonly found to link to compliance (Herath & Rao, 2009b; Ifinedo, 2012; Vance et al, 2012), but contrasting results are also found. Finally, a relatively new approach to examining the employee policy compliance rationalizations is the study of neutralization techniques (e.g., "no one will be hurt if I violate the policy"), which have found positive links with policy violations (Siponen & Vance, 2010; Teh et al, 2015), as well as evidence of only partial support (Barlow et al, 2013). ...
Article
A major stream of research within the field of information systems security examines the use of organizational policies that specify how users of information and technology resources should behave in order to prevent, detect, and respond to security incidents. However, this growing (and at times, conflicting) body of research has made it challenging for researchers and practitioners to comprehend the current state of knowledge on the formation, implementation, and effectiveness of security policies in organizations. Accordingly, the purpose of this paper is to synthesize what we know and what remains to be learned about organizational information security policies, with an eye toward a holistic understanding of this research stream and the identification of promising paths for future study. We review 114 influential security policy-related journal articles and identify five core relationships examined in the literature. Based on these relationships, we outline a research framework that synthesizes the construct linkages within the current literature. Building on our analysis of these results, we identify a series of gaps and draw on additional theoretical perspectives to propose a revised framework that can be used as a basis for future research.
... Although past research has employed coping, neutralization, and social exchange perspectives as theoretical frameworks to explain why individuals rationalize their behaviors through emotions and cost-benefit analysis to respond to stress, 12,30 we draw on the role theory to understand how the stress induced by overload, ambiguous and conflicting role expectations influence employee ISP compliant behaviors. This research develops and empirically assesses a model to provide knowledge of the effect of three types of role-stressors (conflict, ambiguity, and overload) on employees' intention to ISP compliant behaviors. ...
... 35 ISPs contribute to stress, and employees' perceptions of security-related stressors contribute to the neutralization of ISP violations. 11,30 These studies suggest that security requirements cause work impediments (i.e., stress) as the constant change of ISPs is associated with confusion and ambiguity, where one can experience a lack of explicit knowledge and understanding regarding InfoSec. 25 We argue that it is not only security-related stressors that lead to insecure behaviors. ...
... Second, previous research investigated the effect of security-related stress, wherein the objective of the studies is to determine how employees respond to security requirements. 11,25,30 These studies applied neutralization and coping theories to explain why employees violate ISPs when they feel high complexity, uncertainty, and overload due to security requirements. Although these studies provide insightful findings, they have some limitations: ...
Article
Previous research indicated security-related stress at the workplace accounts for employee non-compliant behavior with information security policy (ISP). Drawing on the role theory, we investigate stress rooted in employee job role expectations arising from role-ambiguity, role-conflict, and role-overload known as role-stressors. These role-stressors cause employees to endeavor to perform their role tasks and, in turn, provide favorable situations for them to neglect ISP requirements. Using a survey of 350 employees, we found a combination of role-stressors contributes to employees’ ISP violations. Furthermore, we posit that this relationship is partially mediated by organizational commitment. Also, we examined the effect of one mitigating factor: organizational support. However, a statistically significant mitigation effect of organizational support was not found on the relationship between role stress and intention toward ISP compliant behavior. This paper contributes to the behavioral information security literature by demonstrating the importance of role-stressors on employees’ security-related behaviors.
... Considerable cybersecurity incidents also occur from inside-cyberattacks that are related to unethical or behavioral issues of employees (Li et al., 2019). Employees may use neutralization techniques to rationalize IS policy violations; these violations plague firms worldwide (Teh et al., 2015) and affect firms' reputations. The IS culture improves employees' security awareness, and through training, firms can improve employee's security behavior (Lyu & Zhang, 2015). ...
Article
Data security incidents are continually increasing; hackers, governments, and other actors increasingly attempt to gain unauthorized access to confidential data. Information Systems users are becoming more vulnerable to the risks of data breaches. Many stakeholders perceive cybersecurity incidents as indicators of firms' operational and technological internal deficiencies. Previous research has revealed that investors react negatively to data breaches, yet little is known about investors' reactions to material data security incidents. Using a sample of 232 data security incidents for 132 publicly traded companies in the United States, we applied an event study methodology to discern investors' reactions to material versus immaterial incidents. We also use multivariate regression and time to event analysis to examine what determines the degree of investors' reaction, considering several intervals around the event day. Our results show that investors perceive material data security incidents as a deficiency of breached companies in comparison to immaterial incidents.
... The ToN expands our understanding of ISS research by suggesting that people generate excuses as rationalizations, through which they justify their insecure behaviors to themselves. Teh et al. (2015) used neutralization techniques to explain employee noncompliance (intention) with ISS policies within organizations. ...
Article
Information systems security (ISS) behavioral research has produced different models to explain security policy compliance. This paper (1) reviews 11 theories that have served the majority of previous information security behavior models, (2) empirically compares these theories (Study 1), (3) proposes a unified model, called the unified model of information security policy compliance (UMISPC), which integrates elements across these extant theories, and (4) empirically tests the UMISPC in a new study (Study 2), which provided preliminary empirical support for the model. The 11 theories reviewed are (1) the theory of reasoned action, (2) neutralization techniques, (3) the health belief model, (4) the theory of planned behavior, (5) the theory of interpersonal behavior, (6) the protection motivation theory, (7) the extended protection motivation theory, (8) deterrence theory and rational choice theory, (9) the theory of self-regulation, (10) the extended parallel processing model, and (11) the control balance theory. The UMISPC is an initial step toward empirically examining the extent to which the existing models have similar and different constructs. Future research is needed to examine to what extent the UMISPC can explain different types of ISS behaviors (or intentions thereof). Such studies will determine the extent to which the UMISPC needs to be revised to account for different types of ISS policy violations and the extent to which the UMISPC is generalizable beyond the three types of ISS violations we examined. Finally, the UMISPC is intended to inspire future ISS research to further theorize and empirically demonstrate the important differences between rival theories in the ISS context that are not captured by current measures.
... In some instances, this is attributed to technology-related work stress. Specifically, ambiguity over technology-related roles and responsibilities (Tarafdar, Tu, Ragu-Nathan, & Ragu-Nathan, 2007; Teh, Ahmed, & D'Arcy, 2015), as well as the pressure to meet complex security policy requirements (D'Arcy, Herath, & Shoss, 2014; Hwang & Cha, 2018) exacerbate technostress and lead to non-compliance of security policy. While our research, presented in this paper, does not investigate aspects of technostress and security policy compliance, it does introduce the importance of understanding different stakeholder perceptions for managing security policies. ...
Article
Organizational stakeholders, such as employees and security managers, may understand security rules and policies differently. Extant literature suggests that stakeholder perceptions of security policies can contribute to the success or failure of policies. This paper draws on the Theory of Personal Constructs and the associated methodology, the Repertory Grid technique, to capture the convergence and divergence of stakeholder perceptions with regards to security policy. We collected data from the employees of an e-commerce company that had developed five information security sub-policies. Our study highlights the practical utility of the Repertory Grid analysis in helping information security researchers and managers pinpoint a) the aspects of a security policy that are well-received by stakeholders, as well as those that are not, and b) the variance in the perceptions of stakeholders. Organizations can, then, capitalize on the well-received aspects of the policy and take corrective action for the ill-received ones.
... In IS research, the appeal to higher loyalties is among the most applied neutralization technique to justify norm-breaking in both organizational [26], [75], [76] and non-organizational contexts [63], [64], [77]. For instance, in the context of software piracy, this technique is often used to argue that creating unauthorized copies of software is justifiable when it is done to help a friend who cannot afford to purchase the software [65]. ...
Conference Paper
Unlike classical forms of deception where the deceiver deceives their victims directly, the crowdsourcing of cyber deception provides a powerful and cost-effective mechanism for deceivers to create and spread falsehood from the shadows. But for a mass deception campaign to be effective, the crowdworkers must rationalize (and willingly accept) their role in the deceptive act. What, then, could justify participation in a mass-deception campaign? To answer this question, we adopt the qualitative vignette approach and utilize neutralization theory as our guiding lens. Our results point to several neutralization techniques that crowdworkers could invoke to convincingly rationalize involvement in a cyber deception campaign. Importantly, the findings shed new light on a growing pessimism about work ethics in cyberspace which may lead some ordinary people into joining deception campaigns, believing it to be the future of advertising. We discuss the theoretical and practical implications of these novel insights.
... To date, however, neutralization-based ISS research design has been predominantly confirmatory in nature, aiming to test the extent to which one or more neutralization techniques is significantly associated with a given violation. In this regard, multiple studies provide evidence that neutralization techniques could increase one's intention to engage in ISP violation in general [8], [35]-[37], commit computer abuse [29], [38], use the workplace Internet for personal purposes [30], [39], [40] as well as engage in shadow IT use [11]. Furthermore, some studies suggest that deploying neutralization techniques may discourage employees from complying with ISP [10], [41], [42]. ...
Conference Paper
Information security policies as apparatus for communicating security principles with employees are the cornerstone of organizational information security. Resultantly, extant literature has looked at different theories to better understand the noncompliance problem. Neutralization theory is emerging as one of the most popular approaches, not only as an explanation but also as a solution. In this in-depth qualitative study, we ask the question 'how do employees justify violating the ISP'? Our findings reveal nine rationalizing techniques, three of which have not been recognized in previous research. We label them 'I follow my own rules', 'matter of mere legality' and 'defense of uniqueness'. But more importantly, our in-depth insights point to the danger of taking these rationalizations out of context, since without context, it becomes impossible to judge whether the behavior or the rule, needs correcting, reflecting a dilemma recognized in the original writing of neutralization theory, which has since been forgotten.
... From an argumentative perspective, these techniques are a form of knowledge of governance used to debate, deflect criticism, and neutralize opposition (Fischer, 1990). Researchers using techniques of neutralization in sociospatial research have recently considered ethical and sustainable consumption practices (Antonetti & Maklan, 2014;Hansmann, Bernasconi, Smieszek, Loukopoulos, & Scholz, 2006;Harris & Daunt, 2011;Johnstone & Tan, 2015;Yeow, Dean, & Tucker, 2014), wildlife crime (Enticott, 2011), and corporate social responsibility and industrial production (Boiral, 2016;Fooks, Gilmore, Collin, Holden, & Lee, 2013;Meyer & Höllerer, 2016;Stuart & Worosz, 2012;Talbot & Boiral, 2015;Teh, Ahmed, & D'Arcy, 2015). Yet the intersections of knowledge, governance, and techniques of neutralization in land use governance have yet to be considered. ...
Chapter
The term governance often evokes processes of negotiation and collaboration between civil society, private sector, and state actors. Yet, governance processes also involve a contest of ideas in efforts to legitimate state-backed decision making. Drawing on empirical cases of coastal property developments in South Australia, this chapter investigates how key actors in land-use governance—such as developers, planners, politicians, and scientists—reflexively deploy “techniques of neutralization” to deflect critiques and manage opposition to contentious new developments. The author explores how these techniques draw on particular spatial metaphors and images to suggest that, somewhat ironically, a tacit meta technique is to neutralize the projected environmental risks to coastal space through narratives of time. By outlining these everyday techniques of neutralization, the author argues that such routines are a form of knowledge of governance—knowing what can be said and ways of speaking within governance processes—that is in turn a form of knowledge for governance.
... However, developing a robust cybersecurity defense remains challenging given the evolution, the frequency and the sophistication of cybersecurity attacks, particularly those that use social engineering methods such as phishing and malware (Conteh and Schmick, 2016;Yaokumah et al., 2019). Since people are often the weakest link in an organization's cybersecurity chain (Teh et al., 2015;De Maggio et al., 2019), organizations should not only provide sufficient security training and resources to their employees (Chatterjee, 2019) but should also create and maintain a culture of security awareness (Norris et al., 2019). Implementing the latest security technologies is unlikely to prevent or to mitigate cyberattacks without the provision of ongoing personnel training (Norris et al., 2019). ...
Article
Purpose: Employees must receive proper cybersecurity training so that they can recognize the threats to their organizations and take the appropriate actions to reduce cyber risks. However, many cybersecurity awareness training (CSAT) programs fall short due to their misaligned training focuses. Design/methodology/approach: To help organizations develop effective CSAT programs, we have developed a theoretical framework for conducting a cost–benefit analysis of those CSAT programs. We differentiate them into three types of CSAT programs (constant, complementary and compensatory) by their costs and into four types of CSAT programs (negligible, consistent, increasing and diminishing) by their benefits. Also, we investigate the impact of CSAT programs with different costs and the benefits on a company's optimal degree of security. Findings: Our findings indicate that the benefit of a CSAT program with different types of cost plays a disparate role in keeping, upgrading or lowering a company's existing security level. Ideally, a CSAT program should spend more of its expenses on training employees to deal with the security threats at a lower security level and to reduce more losses at a higher security level. Originality/value: Our model serves as a benchmark that will help organizations allocate resources toward the development of successful CSAT programs.
Chapter
Successful implementation of information security policies (ISP) and IT controls plays an important role in safeguarding patient privacy in healthcare organizations. Our study investigates the factors that lead to healthcare practitioners’ neutralisation of ISPs, leading to non-compliance. The study adopted a qualitative approach and conducted a series of semi-structured interviews with medical interns and hospital IT department managers and staff in an academic hospital in Saudi Arabia. The study’s findings revealed that the MIs imitate their peers’ actions and employ similar justifications when violating ISP dictates. Moreover, MI team superiors’ (seniors) ISP non-compliance influences MIs’ tendency to invoke neutralisation techniques. We found that trust between medical team members is an essential social facilitator that motivates MIs to invoke neutralisation techniques to justify violating ISP policies and controls. These findings add new insights that help us to understand the relationship between the social context and neutralisation theory in triggering ISP non-compliance.
Article
Organizational information security (ISec) threats have exploded with advances in globalization and technology. Thus, organizations are scrambling to find both technical and behavioral approaches to shore up security. Whereas security technologies are crucial to these efforts, they are often rendered useless by employees' misunderstanding, carelessness, or deliberate disregard of ISec policies (ISPs). Accordingly, organizations are increasingly seeking ways to encourage employees to work as security allies. A key approach in many organizations is encouraging employees to better understand and comply with ISPs. Consequently, ISec research has leveraged several theories to identify the underlying reasons for ISP compliance behaviors among employees. However, most of this research focuses unilaterally on compliance without simultaneously considering noncompliance, as if noncompliance were caused by opposite factors. A pressing need thus exists for a theoretical foundation that can consider both common outcomes and whether there is an explainable tipping point that can explain when a normally compliant employee chooses to become noncompliant, and vice versa. In this study, we contextualize the extended parallel process model (EPPM) to ISP compliance by accounting for dual outcomes of compliance/noncompliance and dual roles of coping: problem-focused coping and emotion-focused coping. We further extend the EPPM to include response costs and maladaptive rewards to predict the two possible outcomes. Additionally, we employ a weighted discriminant value measurement approach to examine the tipping point between compliance and noncompliance. To test our resulting theoretical model and new measure, we conducted two separate empirical studies with 816 employees, using survey and scenario methodologies. The empirical results from these studies indicate that our contextualization and extension of EPPM better explain the gaps than alternative theories in the ISP literature.
Article
We conceptualized security-related stress (SRS) and proposed a theoretical model linking SRS, discrete emotions, coping response, and information security policy (ISP) compliance. We used an experience sampling design, wherein 138 professionals completed surveys. We observed that SRS had a positive association with frustration and fatigue, and these negative emotions were associated with neutralization of ISP violations. Additionally, frustration and fatigue make employees more likely to follow through on their rationalizations of ISP violations by decreased ISP compliance. Our findings provide evidence that neutralization is not a completely stable phenomenon but can vary within individuals from one time point to another.
Article
Purpose: Employee security behaviors are the cornerstone for achieving holistic organizational information security. Recent studies in the information systems (IS) security literature have used neutralization and moral disengagement (MD) perspectives to examine employee rationalizations of noncompliant security behaviors. Extending this prior work, the purpose of this paper is to identify mechanisms of security education, training, and awareness (SETA) programs and deterrence as well as employees’ organizational commitment in influencing MD of security policy violations and develop a theoretical model to test the proposed relationships. Design/methodology/approach: The authors validate and test the model using the data collected from six large multinational organizations in Korea using survey-based methodology. The model was empirically analyzed by structural equation modeling. Findings: The results suggest that security policy awareness (PA) plays a central role in reducing MD of security policy violations and that the certainty of punishment and immediacy of enforcing penalties are instrumental toward reducing such MD; however, the higher severity of penalties does not have an influence. The findings also suggest that SETA programs are an important mechanism in creating security PA. Originality/value: The paper expands the literature in IS security that has examined the role of moral evaluations. Drawing upon MD theory and social cognitive theory, the paper points to the central role of SETA and security PA in reducing MD of security policy violations, and ultimately the likelihood of this behavior. The paper not only contributes to theory but also provides important insights for practice.
Article
Purpose: This study aims to identify antecedents to noncompliance behaviour influenced by decision contexts where investments in time, effort, and resources are devoted to a task – referred to as a task unlikely to be completed without violating the organization’s information security policy (ISP). Design/methodology/approach: An empirical test of the suggested relationships in the proposed model was conducted through a field study using the survey method for data collection. Pre-tests, pre-study, main study and a follow-up study compose the frame of our methodology where more than 500 respondents are involved across different organizations. Findings: The results confirm that the antecedents that explain the escalation of commitment behaviour in terms of the effect of lost assets, such as time, effort and other resources, give us a new lens to understand noncompliance behaviour; employees seem to escalate their commitments to the completion of their tasks at the expense of becoming noncompliant with ISP. Research limitations/implications: One of the key areas that requires further attention from this study is to better understand the role of risk perceptions on employee behaviour when dealing with value conflicts. Depending on how risk-averse or risk-seeking an employee is, our model showed no significant support in either case to influence their noncompliance behaviour. We therefore argue that employees' noncompliance may be influenced by more powerful beliefs such as self-justification and sunk costs. Practical implications: Our results show that when employees are caught in tasks undergoing difficulties they are more likely to increase noncompliance behaviour. By understanding better how project obstacles result in such tasks, security managers can define new mechanisms to counter employees’ shift from compliance to noncompliance. Originality/value: This study is the first to tackle escalation of commitment theories and utilize antecedents that explain the effect of lost assets, such as time, effort and other resources can also explain noncompliance with ISP in terms of the value conflicts, where employees would often choose to forego compliance at the expense of finishing their tasks.
Article
Social interaction acts as a key motivation for playing online games; however, some players engage in in-game intra-group aggressive behavior, such as swearing, ignoring, and sabotaging their teammates. This study uses the motivation theory and techniques of the neutralization theory to understand this phenomenon in the multiplayer online battle arena (MOBA) game. A partial least squares analysis conducted on the data collected from 221 League of Legends players revealed three types of aggressive acts: psychological, passive, and active. Psychological acts have the least negative impact on victory, while passive and active acts have the greatest negative impact. Players’ achievement, immersion, and social motivations have limited contribution to aggressive acts. Those engaging in psychological acts deploy many neutralization techniques to justify their actions, while players who only engage in active acts employ a very limited set of neutralization techniques. Thus, this study contributes to the understanding of the phenomenon that deviates from the MOBA norm of intra-team co-operation and cohesion through the techniques of the neutralization theory.
Article
Purpose: The purpose of this paper is to investigate the association between abusive supervision and employees' information security policy (ISP) noncompliance intention, building on affective commitment, normative commitment and continuance commitment. The study also examines the moderating effect of perceived certainty and severity of sanctions on the relationship between the three dimensions of organizational commitment and ISP noncompliance intention. Design/methodology/approach: Survey methodology was used for data collection through a well-designed online questionnaire. Data was analyzed using the structural equation model with Amos v. 22.0 software. Findings: This study demonstrates that abusive supervision has a significant, negative impact on affective, normative and continuance commitment, and the three dimensions of organizational commitment are negatively associated with employees' ISP noncompliance intention. Results also indicate that the moderating effect of perceived severity of sanctions is significant, and perceived certainty of sanctions plays a positive moderating role in the relationship between affective commitment and employees' ISP noncompliance intention. Practical implications: Findings of this research are beneficial for organizational management in the relationships between supervisors and employees. These results provide significant evidence that avoiding abusive supervision is important in controlling employees' ISP noncompliance behavior. Originality/value: This research fills an important gap in examining employees' ISP noncompliance intentions from the perspective of abusive supervision and the impact of affective, normative and continuance commitment on ISP noncompliance. The study is also of great value for information systems research to examine the moderating role of perceived certainty and severity of sanctions.
Article
Employees' failure to comply with information systems security policies is a major concern for information technology security managers. In efforts to understand this problem, IS security researchers have traditionally viewed violations of IS security policies through the lens of deterrence theory. In this article, we show that neutralization theory, a theory prominent in Criminology but not yet applied in the context of IS, provides a compelling explanation for IS security policy violations and offers new insight into how employees rationalize this behavior. In doing so, we propose a theoretical model in which the effects of neutralization techniques are tested alongside those of sanctions described by deterrence theory. Our empirical results highlight neutralization as an important factor to take into account with regard to developing and implementing organizational security policies and practices.
Article
Purpose – The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are. Design/methodology/approach – A systematic review of empirical studies described in extant literature is performed. This review found 29 studies meeting its inclusion criterion. The investigated variables in these studies and the effect size reported for them were extracted and analysed. Findings – In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and incompliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each of the variables only explains a small part of the variation in people's behaviour and when a variable has been investigated in multiple studies the findings often show a considerable variation. Research limitations/implications – It is possible that the disparate findings of the reviewed studies can be explained by the sampling methods used in the studies, the treatment/control of extraneous variables and interplay between variables. These aspects ought to be addressed in future research efforts. Practical implications – Decision makers who seek guidance on how to best achieve compliance with their information security policies should recognize that a large number of variables probably influence employees' compliance. In addition, both their influence strength and interplay are uncertain and largely unknown. Originality/value – This is the first systematic review of research on variables that influence compliance with information security policies of organizations.
Article
Recent academic investigations of computer security policy violations have largely focused on nonmalicious noncompliance due to poor training, low employee motivation, weak affective commitment, or individual oversight. Established theoretical foundations applied to this domain have related to protection motivation, deterrence, planned behavior, self-efficacy, individual adoption factors, organizational commitment, and other individual cognitive factors. But another class of violation demands greater research emphasis: the intentional commission of computer security policy violation, or insider computer abuse. Whether motivated by greed, disgruntlement, or other psychological processes, this act has the greatest potential for loss and damage to the employer. We argue the focus must include not only the act and its immediate antecedents of intention (to commit computer abuse) and deterrence (of the crime), but also phenomena which temporally precede these areas. Specifically, we assert the need to consider the thought processes of the potential offender and how these are influenced by the organizational context, prior to deterrence. We believe the interplay between thought processes and this context may significantly impact the efficacy of IS security controls, specifically deterrence safeguards. Through this focus, we extend the Straub and Welke (1998) security action cycle framework and propose three areas worthy of empirical investigation--techniques of neutralization (rationalization), expressive/instrumental criminal motivations, and disgruntlement as a result of perceptions of organizational injustice--and propose questions for future research in these areas.
Article
Past research on information technology (IT) security training and awareness has focused on informing employees about security policies and formal sanctions for violating those policies. However, research suggests that deterrent sanctions may not be the most powerful influencer of employee violations. Often, employees use rationalizations, termed neutralization techniques, to overcome the effects of deterrence when deciding whether or not to violate a policy. Therefore, neutralization techniques often are stronger than sanctions in predicting employee behavior. For this study, we examine “denial of injury,” “metaphor of the ledger,” and “defense of necessity” as relevant justifications for violating password policies that are commonly used in organizations as used in (Siponen and Vance, 2010). Initial research on neutralization in IS security has shown that results are consistent regardless of which type of neutralization is considered (Siponen and Vance, 2010). In this study, we investigate whether IT security communication focused on mitigating neutralization, rather than deterrent sanctions, can reduce intentions to violate security policies. Additionally, considering the effects of message framing in persuading individuals against security policy violations are largely unexamined, we predict that negatively-framed communication will be more persuasive than positively-framed communication. We test our hypotheses using the factorial survey method. Our results suggest that security communication and training that focuses on neutralization techniques is just as effective as communication that focuses on deterrent sanctions in persuading employees not to violate policies, and that both types of framing are equally effective.
Article
Software piracy is a major economic concern for organizations. Previous research indicates that neutralization, a form of rationalization, can help explain software piracy intentions. However, a knowledge gap exists in our understanding of which neutralization techniques most influence software piracy intention. To address this gap, we developed a model that explains the effects of neutralization techniques on software piracy intention. We included different types of deterrents (formal sanctions, shame, and moral belief) in our model because individuals may use neutralization techniques to mitigate feelings of guilt and shame, which, subsequently, reduce the deterrent effect. Our empirical results (for 183 people surveyed) showed that appeal to higher loyalties and condemn the condemners strongly predict software piracy intentions. In addition, informal deterrents such as shame and moral beliefs are strong predictors. These findings suggest that anti-piracy efforts should involve educational intervention aimed at addressing these two neutralization techniques rather than relying on formal sanctions.
Article
The prediction of future events and trends was the purview of fortune tellers and science writers; however futuristic studies are now an acceptable form of sociological research including workplace dynamics. The nuclear industry is also affected by workplace trends which currently indicate that there will be fewer jobs and individuals who are employed will be required to have greater technical skills. This reshaping of the workforce is partially due to an aging workforce and diversity within the work environment. The reshaping brings with it the need for greater productivity and employee expectations for increased pay and/or benefits. If employee satisfaction is not realized there is a real possibility of disgruntled employees who then become a potential insider risk to the organization. Typically this is an individual who has been employed for several years, becomes dissatisfied with the job, or some other aspect of their life. If the dissatisfaction is directly related to work the individual may retaliate in a destructive manner. Perceived inequities are a major factor and directly related to situational pressures, opportunity, and personal integrity. It is known that the greatest losses within an organization are attributed to employees working alone or in a conspiracy with fellow employees who engage in theft and other fraudulent activities. In the nuclear industry this threat is intensified by the nature of the work, the materials employees come in contact with and the potential of an occurrence that could adversely affect a large geographic region and/or the security of a country. The paper will address motivating factors, recommendations, and include a profile discussion of a possible disgruntled employee.
Article
There is an increasing movement towards emergent organizations and an adaptation of Web-based information systems (IS). Such trends raise new requirements for security policy development. One such requirement is that information security policy formulation must become federated and emergent. However, existing security policy approaches do not pay much attention to policy formulation at all – much less IS policy formulation for emergent organizations. To improve the situation, an information security meta-policy is put forth. The meta-policy establishes how policies are created, implemented and enforced in order to assure that all policies in the organization have features to ensure swift implementation and timely, ongoing validation.
Article
Social exchange theory (SET) is one of the most influential conceptual paradigms in organizational behavior. Despite its usefulness, theoretical ambiguities within SET remain. As a consequence, tests of the model, as well as its applications, tend to rely on an incompletely specified set of ideas. The authors address conceptual difficulties and highlight areas in need of additional research. In so doing, they pay special attention to four issues: (a) the roots of the conceptual ambiguities, (b) norms and rules of exchange, (c) nature of the resources being exchanged, and (d) social exchange relationships.
Article
The unpredictability of the business environment drives organizations to make rapid business decisions with little preparation. Exploiting sudden business opportunities may require a temporary violation of predefined information systems (IS) security policies. Existing research on IS security policies pays little attention to how such exceptional situations should be handled. We argue that normative theories from philosophy offer insights on how such situations can be resolved. Accordingly, this paper advances six design theories (the conservative-deontological, liberal-intuitive, prima-facie, virtue, utilitarian and universalizability theories) and outlines the use of their distinctive application principles in guiding the application of IS security policies. Based on the testable design product hypotheses of the six design theories, we derive a theoretical model to explain the influence of the different normative theories on the “success” of IS security policies and guidelines.
Article
Social exchange (P. Blau, 1964) and the norm of reciprocity (A. W. Gouldner, 1960) have been used to explain the relationship of perceived organizational support and leader–member exchange with employee attitudes and behavior. Recent empirical research suggests that individuals engage in different reciprocation efforts depending on the exchange partner (e.g., B. L. McNeely and B. M. Meglino; see record 1995-15542-001). The purpose of the present study was to further investigate these relationships by examining the relative contribution of indicators of employee–organization exchange and subordinate–supervisor exchange. Structural equation modeling was used to compare nested models. Results indicate that perceived organizational support is associated with organizational commitment, whereas leader–member exchange is associated with citizenship and in-role behavior. (PsycINFO Database Record (c) 2012 APA, all rights reserved)
Article
This study investigated the relationship between role stress, service capability, and job performance in 318 salespeople employed by travel agents in Taiwan. There was a negative relationship between role ambiguity and job performance, and a positive relationship between role conflict and performance outcomes. Moreover, the relation between role stress and job performance varied with the service capability of the salesperson. Service capability moderated the relationship between role ambiguity, performance behavior, and performance outcomes. This sends an important message to the Taiwan travel-agent industry: that resources should be directed at improving the service skills of salespeople. The results of this study constitute useful reference information for optimizing the application of organizational management and human resources. (PsycINFO Database Record (c) 2012 APA, all rights reserved)
Article
Despite considerable interest in the study of job satisfaction and dissatisfaction, our understanding of these phenomena has not advanced at a pace commensurate with research efforts. It is argued that a major reason for this lack of progress is the implicit conception of causality accepted by most psychologists. It is called the policy of “correlation without explanation.” The present approach to the topic of job attitudes emphasizes a more conceptual approach to the problem. Using Rand's theory of emotions as a starting point, the concepts of satisfaction, dissatisfaction, value, emotion, and appraisal, and their interrelationships are discussed. The present theory of job satisfaction is contrasted with previous theories. Data illustrating an approach to satisfaction based on the present theory are given. Other issues discussed are: value hierarchies; the dynamic character of values; overall job satisfaction; the Herzberg two-factor theory; the measurement of satisfaction and values; and rational vs. irrational values.
Article
This study offers a new theoretical perspective on the unique nature and function of job satisfaction change, or systematic improvement or decline in job satisfaction over time. Using four diverse samples, we show that differences in the extent to which job satisfaction systematically improves or declines account for change in employees' "turnover intentions" left unexplained by absolute (average) levels of job satisfaction. Further, we show that future-oriented work expectations partially mediate this relationship, and organizational tenure moderates the relationship between job satisfaction change and future-oriented work expectations. These findings provide new insights into the dynamic processes leading to turnover decisions.
Article
Accompanying the explosive growth of information technology is the increasing frequency of antisocial and criminal behavior on the Internet. Online software piracy is one such behavior, and this study approaches the phenomenon through the theoretical framework of neutralization theory. The suitability and applicability of nine techniques of neutralization in determining the act is tested via logistic regression analyses on cross-sectional data collected from a sample of university students in the United States. Generally speaking, neutralization was found to be weakly related to experience with online software piracy; other elements which appear more salient are suggested and discussed in conclusion.
Article
Enterprises establish computer security policies to ensure the security of information resources; however, if employees and end-users of organisational information systems (IS) are not keen or are unwilling to follow security policies, then these efforts are in vain. Our study is informed by the literature on IS adoption, protection-motivation theory, deterrence theory, and organisational behaviour, and is motivated by the fundamental premise that the adoption of information security practices and policies is affected by organisational, environmental, and behavioural factors. We develop an Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour. Furthermore, we evaluate the effect of organisational commitment on employee security compliance intentions. Finally, we empirically test the theoretical model with a data set representing the survey responses of 312 employees from 78 organisations. Our results suggest that (a) threat perceptions about the severity of breaches and response perceptions of response efficacy, self-efficacy, and response costs are likely to affect policy attitudes; (b) organisational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy, which in turn, is a significant predictor of policy compliance intentions. We find that employees in our sample underestimate the probability of security breaches.
Article
Modern global economic and political conditions, technological infrastructure, and socio-cultural developments all contribute to an increasingly turbulent and dynamic environment for organizations, which maintain information systems (IS) for use in business, government, and other domains. As our institutions (economic, political, military, legal, social) become increasingly global and inter-connected; as we rely more on automated control systems to provide us with energy and services; and as we establish internet-based mechanisms for coordinating this global interaction, we introduce greater vulnerability to our systems and processes. This increased dependence on cyberspace also inflates our vulnerability – isolation is no longer an option. Perhaps no aspect of this phenomenon is as alarming and challenging as the need to understand and address the various risks to the security of the IS on which we depend.
Article
Employee noncompliance with information systems security policies is a key concern for organizations. If users do not comply with IS security policies, security solutions lose their efficacy. Of the different IS security policy compliance approaches, training is the most commonly suggested in the literature. Yet, few of the existing studies about training to promote IS policy compliance utilize theory to explain what learning principles affect user compliance with IS security policies, or offer empirical evidence of their practical effectiveness. Consequently, there is a need for IS security training approaches that are theory-based and empirically evaluated. Accordingly, we propose a training program based on two theories: the universal constructive instructional theory and the elaboration likelihood model. We then validate the training program for IS security policy compliance training through an action research project. The action research intervention suggests that the theory-based training achieved positive results and was practical to deploy. Moreover, the intervention suggests that information security training should utilize contents and methods that activate and motivate the learners to systematic cognitive processing of information they receive during the training. In addition, the action research study made clear that a continuous communication process was also required to improve user IS security policy compliance. The findings of this study offer new insights for scholars and practitioners involved in IS security policy compliance.
Article
Despite the fact that validating the measures of constructs is critical to building cumulative knowledge in MIS and the behavioral sciences, the process of scale development and validation continues to be a challenging activity. Undoubtedly, part of the problem is that many of the scale development procedures advocated in the literature are limited by the fact that they (1) fail to adequately discuss how to develop appropriate conceptual definitions of the focal construct, (2) often fail to properly specify the measurement model that relates the latent construct to its indicators, and (3) underutilize techniques that provide evidence that the set of items used to represent the focal construct actually measures what it purports to measure. Therefore, the purpose of the present paper is to integrate new and existing techniques into a comprehensive set of recommendations that can be used to give researchers in MIS and the behavioral sciences a framework for developing valid measures. First, we briefly elaborate upon some of the limitations of current scale development practices. Following this, we discuss each of the steps in the scale development process while paying particular attention to the differences that are required when one is attempting to develop scales for constructs with formative indicators as opposed to constructs with reflective indicators. Finally, we discuss several things that should be done after the initial development of a scale to examine its generalizability and to enhance its usefulness.
Article
Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50%–75% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This paper presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions varies based on one's level of morality. Implications for the research and practice of IS security are discussed.
Article
The use of temporary employees in the information systems field continues at a high rate. In order to maintain a quality work environment, an organization must effectively manage both the temporary and permanent work force. A model of satisfaction is constructed based on previous literature and focus groups in three organizations that proposes links to satisfaction from the job characteristics of dependence, autonomy, task interdependence, and management support. A survey of employees in public sector and non-profit organizations revealed that both permanent and temporary employees related management support to satisfaction, temporary employees related task interdependence to satisfaction, and permanent employees related job involvement to satisfaction. Follow-up interviews revealed satisfaction of the permanent employees to be negatively impacted by perceived workload imbalances.
Article
Working in a stressful environment not only increases the risk of physical illness or distress, but also increases the likelihood of workplace accidents. While legislation provides some guidelines for risk assessment of physical hazards, there remains limited guidance on the risks of psychosocial hazards, such as occupational stress. This book takes the risk management approach to stress evaluation in the workplace, offering practical guidelines for the audit, assessment and mitigation of workplace stressors. Based on research and case studies, this book provides a comprehensive source of theoretical and practical information for students and practitioners alike. It includes chapters on: environmental stress factors; psychological stress factors; work-related accidents; and job stress evaluation methods. With its up-to-date approach to a fascinating area of study, this is key reading for all students of organizational psychology and those responsible for workplace safety.
Article
Interest in the problem of method biases has a long history in the behavioral sciences. Despite this, a comprehensive summary of the potential sources of method biases and how to control for them does not exist. Therefore, the purpose of this article is to examine the extent to which method biases influence behavioral research results, identify potential sources of method biases, discuss the cognitive processes through which method biases influence responses to measures, evaluate the many different procedural and statistical techniques that can be used to control method biases, and provide recommendations for how to select appropriate procedural and statistical remedies for different types of research settings.
Article
We use coping theory to explore an underlying relationship between employee stress caused by burdensome, complex, and ambiguous information security requirements (termed "security-related stress" or SRS) and deliberate information security policy (ISP) violations. Results from a survey of 539 employee users suggest that SRS engenders an emotion-focused coping response in the form of moral disengagement from ISP violations, which in turn increases one's susceptibility to this behavior. Our multidimensional view of SRS—comprised of security-related overload, complexity, and uncertainty—offers a new perspective on the workplace environment factors that foster noncompliant user behavior and inspire cognitive rationalizations of such behavior. The study extends technostress research to the information systems security domain and provides a theoretical framework for the influence of SRS on user behavior. For practitioners, the results highlight the incidence of SRS in organizations and suggest potential mechanisms to counter the stressful effects of information security requirements.
Purpose – The purpose of this paper is to examine the influence of security-related and employment relationship factors on employees’ security compliance decisions. A major challenge for organizations is encouraging employee compliance with security policies, procedures and guidelines. Specifically, we predict that security culture, job satisfaction and perceived organizational support have a positive effect on employees’ security compliance intentions. Design/methodology/approach – This study used a survey approach for data collection. Data were collected using two online surveys that were administered at separate points in time. Findings – Our results provide empirical support for security culture as a driver of employees’ security compliance in the workplace. Another finding is that an employee’s feeling of job satisfaction influences his/her security compliance intention, although this relationship appears to be contingent on the employee’s position, tenure and industry. Surprisingly, we also found a negative relationship between perceived organizational support and security compliance intention. Originality/value – Our results provide one of the few empirical validations of security culture, and we recognize its multidimensional nature as conceptualized through top management commitment to security (TMCS), security communication and computer monitoring. We also extend security compliance research by considering the influence of employment relationship factors drawn from the organizational behavior literature.
Article
The development of a usable scale for the measurement of the Sykes-Matza concept of neutralization was accomplished through a seven-item set which meets the criterion of a Guttman quasi-scale, and which has utility with both white and Black delinquent boys, the coefficient of reproducibility remaining sufficiently high for each group. The data indicated a slightly higher incidence of neutralization among the Black than among the white youth. The sources of neutralization may be a blameworthy society, characterized by social injustice, racism, ghettos, and the like. The scale requires refinement and application with other types of samples.
Article
While the unique characteristics of the industrial salesman's role has stimulated much recent research, this uniqueness requires the development and use of occupation-specific measurement instruments. A job satisfaction measure specifically designed for industrial salesmen is presented together with norms, a detailed description of the methodology employed, and techniques to evaluate the new instrument's factor structure, reliability, and construct validity.
Article
Studied changes across time in measures of organizational commitment and job satisfaction as each related to subsequent turnover among 60 recently employed psychiatric technician trainees. A longitudinal study across a 10½-mo period was conducted, with attitude measures (Organizational Commitment Questionnaire and Job Descriptive Index) collected at 4 points in time. Results of a discriminant analysis indicate that significant relationships existed between certain attitudes held by employees and turnover. Relationships between attitudes and turnover were found in the last 2 time periods only, suggesting that such relationships are strongest at points in time closest to when an individual leaves the organization. Organizational commitment discriminated better between stayers and leavers than did the various components of job satisfaction. (36 ref) (PsycINFO Database Record (c) 2012 APA, all rights reserved)
Article
This research asks whether codes of ethics affect computer abuse judgments and intentions of information systems (IS) employees. Codes of ethics examined include both company codes of ethics and those written specifically to deal with IS issues. In addition, since the intent of codes of ethics is to clarify responsibility and deter unethical behavior, both the psychological trait of responsibility denial and its moderating effect on codes was studied. While company codes did not affect the computer abuse judgments and intentions of all IS personnel, they did affect those IS personnel who tend to deny responsibility, thus suggesting that company codes may clarify responsibility and reduce rationalizations for some people. Unlike company codes, IS-specific codes of ethics had a direct effect on computer sabotage judgments and intentions, but had no differential effect on those high in responsibility denial. Finally, responsibility denial was directly related to all computer abuse judgments and intentions studied. Overall, codes had little effect on computer abuse judgments and intentions relative to the psychological trait of responsibility denial.
Article
In this article, we investigate the relationships between unethical behaviors from the viewpoint of information security and organizational commitment by using micro data collected from the survey conducted in March 2012. As a result, first, it is found that heightening the degree of organizational commitment (OC) does not exclusively deter all unethical behaviors, but that at least organizational commitment deters the intention to access non-work-related Websites in the workplace. In addition, it is confirmed that the effects of OC on the intention to access non-work-related Websites in the workplace differ according to the organizational attributes. In organizations where non-work-related Website access in the workplace is prohibited as a rule, heightening the degree of OC is able to reduce the number of respondents who access non-work-related Websites in their workplace. Second, it is found that based on TPB and TRA, the attitude and risk assessment toward the intention of unethical behaviors have an influence on the behaviors.
Article
English: Job stress and perceived inequity are revealed as correlates of burnout among school social workers in Hong Kong. The findings do not support the expectation that burnout is general, in spite of the government's reforms in the social welfare services. A sense of personal accomplishment may serve as a mediator. However, the respondents suffer from role strain and identity confusion due to lack of communication among school authorities, students and parents. French: This article describes how the combination of job stress and perceived inequities is linked to burnout among school social workers in Hong Kong. The results do not seem to confirm the belief that burnout exists in a generalized way, despite the observable changes introduced by the government to improve the cost-effectiveness of social welfare services. A sense of personal accomplishment possibly serves as an effective mediator. The respondents nonetheless suffer from role strain and identity confusion owing to a lack of understanding of the school social worker's role on the part of school authorities, students and parents. Spanish: This paper describes job exhaustion and the perception of inequity as correlates of discontent among school social workers in Hong Kong. The findings do not seem to support the expectation that discontent exists as a general pattern, despite the observable changes introduced by the government in social welfare services. A sense of personal accomplishment may serve as an effective mediator. However, the interviewees suffer from role strain and identity confusion arising from the lack of communication among school authorities, students and parents.
Article
Neutralization theory was proposed by Sykes and Matza (1957) as a theory of juvenile delinquency. Its major propositions are: (1) Delinquents maintain moral commitment to conventional norms, and (2) the ability to neutralize moral commitment facilitates juvenile delinquency. The present research attempts to evaluate neutralization theory for predicting variation in self‐reported expected illegal behavior in a random sample of 350 adults. Data analysis indicates that (1) neutralization is conceptually and empirically distinct from moral commitment, and (2) the interaction between moral commitment and neutralization significantly explains expected involvement in future deviance.
Article
In their 1957 article, Sykes and Matza overstated the similarities between the value systems of delinquents and nondelinquents, and subsequent theorists have treated neutralization as a theoretical counterpoint to subcultural perspectives on delinquency. To overcome this artificial and unproductive dichotomization, a revision of neutralization theory is proposed that makes it compatible with subcultural interpretations of delinquency. Prior neutralization research is flawed because it fails to (1) establish the correct causal order between excuse acceptance and delinquency and (2) control for youths' moral evaluations of delinquent behavior. This paper presents the results of a two-wave panel study designed to overcome these shortcomings. For several forms of minor deviance, excuse acceptance is found to be related to subsequent behavior in the manner predicted by the theory. Controlling for moral evaluations and prior behavior, these relationships hold primarily for youths who disapprove of the behavior in question (as expected) but who have previously engaged in that behavior (contrary to expectation). Theoretical implications of these findings are explored.
Article
The literature indicates that dysfunctional individual and organizational consequences result from the existence of role conflict and role ambiguity in complex organizations. Yet, systematic measurement and empirical testing of these role constructs is lacking. This study describes the development and testing of questionnaire measures of role conflict and ambiguity. Analyses of responses of managers show these two constructs to be factorially identifiable and independent. Derived measures of role conflict and ambiguity tend to correlate in two samples in expected directions with measures of organizational and managerial practices and leader behavior, and with member satisfaction, anxiety, and propensity to leave the organization.
Article
Purpose – The purpose of this paper is to explore the role played by the human resource management (HRM) function in strategic organizational change initiatives. The objectives of the paper are to assess the extent to which the HRM function is perceived by senior managers to have contributed to the strategic organizational change agenda during a period of rapid change, and identify major challenges HRM professionals face as facilitators of strategic change management initiatives in contexts of this nature. Design/methodology/approach – The research objectives were addressed using literature-based evidence and primary interview data obtained from qualitative in-depth interviews with the directors and deputy directors of a public sector banking institution in Malaysia. Findings – In addition to identifying positive perceptions of the HRM function, the findings raise issues about the strategic focus, independence, credibility, and leadership strategies associated with the HR function's attempts to engage with strategic change initiatives. The findings also reveal the respondents' views about the extent to which HRM activities have or should have ethical, spiritual, and religious foci. Practical implications – The implications of the research findings for HRM are discussed with reference to issues such as: the transfer of Western-originating change management approaches to non-Western settings; the need for organizational change outcomes (including wider societal objectives) to be delineated clearly with reference to organizational change initiatives; and the close association between ethics, spirituality, and HRM in certain Asian contexts. Originality/value – The paper offers a valuable insight into the role of the HRM function in organizational change interventions with specific reference to the context of Malaysia.
Article
Role theory concerns one of the most important features of social life, characteristic behavior patterns or roles. It explains roles by presuming that persons are members of social positions and hold expectations for their own behaviors and those of other persons. Its vocabulary and concerns are popular among social scientists and practitioners, and role concepts have generated a lot of research. At least five perspectives may be discriminated in recent work within the field: functional, symbolic interactionist, structural, organizational, and cognitive role theory. Much of role research reflects practical concerns and derived concepts, and research on four such concepts is reviewed: consensus, conformity, role conflict, and role taking. Recent developments suggest both centrifugal and integrative forces within the role field. The former reflect differing perspectival commitments of scholars, confusions and disagreements over use of role concepts, and the fact that role theory is used to analyze various f...
Article
In the past 2 decades, the importance of role ambiguity as an organizational variable has been well established. Recently, researchers have suggested that the lack of an instrument capable of measuring different facets of ambiguity may have impeded both theory development and application of research results. This article presents the development of an instrument capable of tapping 3 distinct aspects of job ambiguity (work method, scheduling, and performance criteria). Data relevant to the reliability, validity, and importance of the job ambiguity measures were gathered in a series of 4 studies. The results of several statistical analyses suggest that the 3 job ambiguity scales are reliable, valid, and meaningful.
Article
Much attention has been devoted to how technological advancements have created a brave new workplace, revolutionizing the ways in which work is being carried out, and how employees can improve their productivity and efficiency. However, the advent of technology has also opened up new avenues and opportunities for individuals to misbehave. This study focused on cyberloafing—the act of employees using their companies' internet access for personal purposes during work hours. Cyberloafing, thus, represents a form of production deviance. Using the theoretical frameworks offered by social exchange, organizational justice and neutralization, we examined the often-neglected dark side of the internet and the role that neutralization techniques play in facilitating this misbehavior at the workplace. Specifically, we developed a model which suggested that when individuals perceived their organizations to be distributively, procedurally and interactionally unjust, they were likely to invoke the metaphor of the ledger as a neutralization technique to legitimize their subsequent engagement in the act of cyberloafing. Data were collected with the use of an electronic questionnaire and focus group interviews from 188 working adults with access to the internet at the workplace. Results of structural equation modelling provided empirical support for all of our hypotheses. Implications of our findings for organizational internet policies are discussed.
Article
This exploratory study examines if salespersons' job satisfaction, life satisfaction, performance, and turnover intention exhibit cyclical behaviors with three distinct phases, triphasic, due to increasing levels of role ambiguity, role conflict, job stress, and work–family conflict. This perspective is compared with corresponding linear, quadratic, and interactive relationships.
Article
Many information security specialists believe that promoting good end user behaviors and constraining bad end user behaviors provide one important method for making information security effective within organizations. Because of the importance of end user security-related behaviors, having a systematic viewpoint on the different kinds of behavior that end users enact could provide helpful benefits for managers, auditors, information technologists, and others with an interest in assessing and/or influencing end user behavior. In the present article, we describe our efforts to work with subject matter experts to develop a taxonomy of end user security-related behaviors, test the consistency of that taxonomy, and use behaviors from that taxonomy to conduct a U.S. survey of an important set of end user behaviors. We interviewed 110 individuals who possessed knowledge of end user security-related behaviors, conducted a behavior rating exercise with 49 information technology subject matter experts, and ran a U.S. survey of 1167 end users to obtain self-reports of their password-related behaviors. Results suggested that six categories of end user security-related behaviors appeared to fit well on a two-dimensional map where one dimension captured the level of technical knowledge needed to enact the behavior and another dimension captured the intentionality of the behavior (including malicious, neutral, and benevolent intentions). Our U.S. survey of non-malicious, low technical knowledge behaviors related to password creation and sharing showed that password “hygiene” was generally poor but varied substantially across different organization types (e.g., military organizations versus telecommunications companies). Further, we documented evidence that good password hygiene was related to training, awareness, monitoring, and motivation.
Article
The present study investigated variables that moderated the relationship between role ambiguity and self-efficacy. Results of a field study found support for the moderating role of learning goal orientation, such that the relationship between role ambiguity and self-efficacy was weaker when learning goal orientation was high. In addition, we found that procedural justice moderated the role ambiguity—self-efficacy relationship, such that the relationship was stronger when procedural justice was high. However, contrary to our prediction, avoiding goal orientation did not interact with role ambiguity to predict self-efficacy. Implications of these findings for theory and practice are discussed.
Article
End users are said to be "the weakest link" in information systems (IS) security management in the workplace. They often knowingly engage in certain insecure uses of IS and violate security policies without malicious intentions. Few studies, however, have examined end user motivation to engage in such behavior. To fill this research gap, in the present study we propose and test empirically a nonmalicious security violation (NMSV) model with data from a survey of end users at work. The results suggest that utilitarian outcomes (relative advantage for job performance, perceived security risk), normative outcomes (workgroup norms), and self-identity outcomes (perceived identity match) are key determinants of end user intentions to engage in NMSVs. In contrast, the influences of attitudes toward security policy and perceived sanctions are not significant. This study makes several significant contributions to research on security-related behavior by (1) highlighting the importance of job performance goals and security risk perceptions on shaping user attitudes, (2) demonstrating the effect of workgroup norms on both user attitudes and behavioral intentions, (3) introducing and testing the effect of perceived identity match on user attitudes and behavioral intentions, and (4) identifying nonlinear relationships between constructs. This study also informs security management practices on the importance of linking security and business objectives, obtaining user buy-in of security measures, and cultivating a culture of secure behavior at local workgroup levels in organizations.
Article
Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be great assets in the effort to reduce risk related to information security. Since employees who comply with the information security rules and regulations of the organization are the key to strengthening information security, understanding compliance behavior is crucial for organizations that want to leverage their human capital. This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization's information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee's attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee's attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee's outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards, while cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee's attitude toward compliance with the ISP. Our results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. 
Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee's attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees' following their organizations' information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.
Article
Current studies on compliance with security policies have largely ignored the impact of the perceived benefits of deviant behavior, personal norms, and organizational context. Drawing on the literature in criminology, this paper applies rational choice theory to examine how employees' intention to comply with Internet use policy is driven by cost–benefit assessments, personal norms and organizational context factors. The results indicate that employees' compliance intention is the result of competing influences of perceived benefits, formal sanctions, and security risks. Furthermore, the effect of sanction severity is found to be moderated by personal norms.
Article
In this study, the Organizational Commitment Questionnaire and self-report measures of work experiences were completed by newly hired university graduates 1, 6 and 11 months after starting employment. The time-lagged influence of work experiences on commitment, and of commitment on work experiences, was examined using structural regression analyses. The results revealed effects of work experiences in the first month of employment on commitment measured after 6 and 11 months. The strongest and most consistent effects were obtained for confirmation of pre-entry expectations and the opportunity for self-expression. Some, albeit weaker, evidence was also provided for time-lagged effects of commitment on perceived work experiences, particularly in the 6-11-month lag. Implications for theory and research concerning the development of commitment are discussed.
Article
This paper summarizes a stream of research aimed at developing and validating a measure of employee commitment to work organizations. The instrument, developed by Porter and his colleagues, is called the Organizational Commitment Questionnaire (OCQ). Based on a series of studies among 2563 employees in nine divergent organizations, satisfactory test-retest reliabilities and internal consistency reliabilities were found. In addition, cross-validated evidence of acceptable levels of predictive, convergent, and discriminant validity emerged for the instrument. Norms for males and females are presented based on the available sample. Possible instrument limitations and future research needs on the measurement and study of organizational commitment are reviewed.