Information security policy noncompliance: An integrative social influence model

Gwebu, Kholekile L.; Wang, Jing; Hu, Michael Y.

doi:10.1111/isj.12257

Cited by 39 publications

(17 citation statements)

References 105 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Research showing how employees can influence the effectiveness of their respective organizations' cybersecurity efforts is well documented (Crossler et al, 2013;Warkentin & Willison, 2009). In fact, a substantial body of literature has examined the detrimental impacts of employee behavior like computer abuse (Lee et al, 2004;Straub & Nance, 1990;Willison & Warkentin, 2013), noncompliance with information security policies (ISPs; Gwebu et al, 2020;Kajtazi et al, 2018;Lowry & Moody, 2015), and shadow IT utilization (Silic & Back, 2014;Zimmermann & Rentrop, 2014). Conversely, research has also shown how employees can act as "protective stewards" of sensitive organizational assets as they actively attempt to defend their organizations from threats (Burns et al, 2018;Posey et al, 2013Posey et al, , 2015.…”

Section: Introductionmentioning

confidence: 99%

Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards

et al. 2021

View full text Add to dashboard Cite

Organizational cybersecurity efforts depend largely on the employees who reside within organizational walls. These individuals are central to the effectiveness of organizational actions to protect sensitive assets, and research has shown that they can be detrimental (e.g., sabotage and computer abuse) as well as beneficial (e.g., protective motivated behaviors) to their organizations. One major context where employees affect their organizations is phishing via email systems, which is a common attack vector used by external actors to penetrate organizational networks, steal employee credentials, and create other forms of harm. In analyzing the behavior of more than 6,000 employees at a large university in the Southeast United States during 20 mock phishing campaigns over a 19-month period, this research effort makes several contributions. First, employees’ negative behaviors like clicking links and then entering data are evaluated alongside the positive behaviors of reporting the suspected phishing attempts to the proper organizational representatives. The analysis displays evidence of both repeat clicker and repeat reporter phenomena and their frequency and Pareto distributions across the study time frame. Second, we find that employees can be categorized according to one of the four unique clusters with respect to their behavioral responses to phishing attacks—“Gaffes,” “Beacons,” “Spectators,” and “Gushers.” While each of the clusters exhibits some level of phishing failures and reports, significant variation exists among the employee classifications. Our findings are helpful in driving a new and more holistic stream of research in the realm of all forms of employee responses to phishing attacks, and we provide avenues for such future research.

show abstract

Section: Introductionmentioning

confidence: 99%

Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Most researchers provided solutions for noncompliant behavior with criminological theories (for instance, crime pattern theory, social control theory, deterrence theory) [39,51,52]. Furthermore, some researchers provided solutions with deterrence or punishments to insiders [23,34].…”

Section: Information Security Behavior and Noncompliance Towards Information Security Policiesmentioning

confidence: 99%

“…An ethical work climate, neutralization, and beliefs (i.e., about the perceived cost of compliance, the perceived cost of noncompliance, and the benefits of compliance) interact towards employees' noncompliance behavior with ISP, as demonstrated in detail by [51]. These researchers presented a framework based on social information processing theory.…”

Section: Neutralization Srs and Noncompliancementioning

confidence: 99%

See 1 more Smart Citation

Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance

et al. 2021

View full text Add to dashboard Cite

A grave concern to an organization’s information security is employees’ behavior when they do not value information security policy compliance (ISPC). Most ISPC studies evaluate compliance and noncompliance behaviors separately. However, the literature lacks a comprehensive understanding of the factors that transform the employees’ behavior from noncompliance to compliance. Therefore, we conducted a systematic literature review (SLR), highlighting the studies done concerning information security behavior (ISB) towards ISPC in multiple settings: research frameworks, research designs, and research methodologies over the last decade. We found that ISPC research focused more on compliance behaviors than noncompliance behaviors. Value conflicts, security-related stress, and neutralization, among many other factors, provided significant evidence towards noncompliance. At the same time, internal/external and protection motivations proved positively significant towards compliance behaviors. Employees perceive internal and external motivations from their social circle, management behaviors, and organizational culture to adopt security-aware behaviors. Deterrence techniques, management behaviors, culture, and information security awareness play a vital role in transforming employees’ noncompliance into compliance behaviors. This SLR’s motivation is to synthesize the literature on ISPC and ISB, identifying the behavioral transformation process from noncompliance to compliance. This SLR contributes to information system security literature by providing a behavior transformation process model based on the existing ISPC literature.

show abstract

“…In this issue of the ISJ, we present six articles. In the first article, Gwebu, Wang, and Hu () draw on Social Information Processing Theory to bring the different lines of ISP (non)compliance studies under a common umbrella. Thus, the research provides a richer and more realistic conceptualization of how beliefs, neutralization, and ethical work climate may interact and intervene to complicate the belief–noncompliance relationship.…”

mentioning

confidence: 99%

Research contributions: The role of the iconoclast

Davison

2019

Information Systems Journal

View full text Add to dashboard Cite

The nature of "normal" research, as practiced by the vast majority of researchers, is that it is incremental. Research designs typically build on the work of prior research. Existing standards of rigour are, more or less, upheld. Findings conform, to a greater or lesser extent, with what was predicted. There is nothing inherently wrong with this process, yet the incremental nature of research designs tends to lead to incremental contributions. With time, and considerable effort, these findings can accumulate into something more substantial, but it tends to be a slow and drawn-out process. Is this the best way to build knowledge in a time of rapid technological change? Occasionally a more radically innovative contribution is developed. It may take the form of a new theory that departs in some significant way from prior work. It may be a new method, tool, or technique that goes beyond the mere tweaking of earlier methods, tools, and techniques. In more revolutionary forms, the new contribution may be so novel, so groundbreaking, that it destroys the very foundations of earlier work, setting out a new paradigm for future work (Kuhn, 1962). This revolutionary approach to research is sparked by a person sometimes referred to as an iconoclast. Iconoclasts are, probably fortunately, few and far between. Fortunately, because too much destruction means too little accumulation of knowledge and experience, too little repetition of what works before it is overthrown, and too much risk that faulty paradigms will emerge and consume our limited attention. Pagel (2012) observes that copying is an excellent survival technique: we do not all need to be iconoclastic innovators. Berns (2010, pp. 5-6) defines an iconoclast as "a person who does something that others say can't be done," noting that the Nobel prize is "the crown-jewel of paradigm-shifting iconoclastic thinking." In order to do what others say cannot be done, the budding iconoclast must both be familiar with prior work and yet also embrace novelty and even "alien thinking" (cf. Davison, 2017). The act of embracing novelty requires challenging the current state of the art, developing a compelling new narrative and design, and then putting that design into practice, demonstrating its superiority over earlier instantiations. This kind of work takes many years or lifetimes: iconoclasts start the process, but their work needs to be accepted and mainstreamed by many others for the new ideas to be more widely accepted. Novelty often inspires fear because we tend to shun unfamiliar things. Fear thus acts as an inhibitor of novelty. In the context of academic research, there are three specific fears: fear of uncertainty, fear of failure, and fear of public ridicule (Berns, 2010). First, the fear of uncertainty is often rooted in cultural norms, whether of societies or professional associations. For instance, we may be uncertain as to whether we have expressed a new idea in a logical and convincing way; if our supporting arguments are strong enough; if a particular course of acti...

show abstract

Information security policy noncompliance: An integrative social influence model

Cited by 39 publications

References 105 publications

Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards

Phishing for Long Tails: Examining Organizational Repeat Clickers and Protective Stewards

Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance

Research contributions: The role of the iconoclast

Contact Info

Product

Resources

About