Escalation of commitment and information security: theories and implications

Purpose This study aims to explore the challenges that the escalation of commitment poses to information security. Design/methodology/approach Two distinct scenarios of escalation behavior are presented based on literature review. Psychological, organizational and economic theories on escalation of commitment are reviewed and applied to the area of information security. Findings Escalation of commitment involves continuation of a course of action after receiving negative information about it. In the information security compliance context, escalation affects a firm when an employee decides to break the firm’s information security policy to complete a failing task. In the information security investment context, escalation occurs if a manager continues investment in policies and solutions that are ineffective because of psychological, organizational or economic factors. Both of these types of escalation may be prevented with de-escalation techniques including a change in management or rotation of duties, monitoring, auditing and governance mechanisms. Practical implications Implications of escalation of commitment behavior for information security decision-makers and for future research are discussed. Originality/value This study complements the literature by establishing the context of escalation of commitment in decisions related to information security and reviewing managerial and economic theories on escalation of commitment.

Download Full-text

The hunt for computerized support in information security policy management

Information and Computer Security ◽

10.1108/ics-07-2019-0079 ◽

2020 ◽

Vol 28 (2) ◽

pp. 215-259 ◽

Cited By ~ 1

Author(s):

Elham Rostami ◽

Fredrik Karlsson ◽

Ella Kolkowska

Keyword(s):

Information Security ◽

Research Methods ◽

Security Policy ◽

Critical Discussion ◽

Future Research ◽

Management Process ◽

Management Research ◽

Information Security Policy ◽

Content Type ◽

Literature Reviews

Purpose The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about. Design/methodology/approach The results are based on a literature review of ISP management research published between 1990 and 2017. Findings Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare. Research limitations/implications Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process. Practical implications The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners. Originality/value Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.

Download Full-text

Building an awareness-centered information security policy compliance model

Industrial Management & Data Systems ◽

10.1108/imds-07-2019-0412 ◽

2019 ◽

Vol 120 (1) ◽

pp. 231-247 ◽

Cited By ~ 1

Author(s):

Alex Koohang ◽

Jonathan Anderson ◽

Jeretta Horn Nord ◽

Joanna Paliszkiewicz

Keyword(s):

Information Security ◽

Security Policy ◽

Path Modeling ◽

Information Security Policy ◽

Content Type ◽

Security Issues ◽

Compliance Model ◽

Security Compliance ◽

Trusting Beliefs ◽

Practical Implications

Purpose The purpose of this paper is to build an awareness-centered information security policy (ISP) compliance model, asserting that awareness is the key to ISP compliance and that awareness depends upon several variables that influence successful ISP compliance. Design/methodology/approach The authors built a model with seven constructs, i.e., leadership, trusting beliefs, information security issues awareness (ISIA), ISP awareness, understanding resource vulnerability, self-efficacy (SE) and intention to comply. Seven hypotheses were stated. A sample of 285 non-management employees was used from various organizations in the USA. The authors used path modeling to analyze the data. Findings The findings indicated that IS awareness depends on effective organizational leadership and elevated employees’ trusting beliefs. The understanding of resource vulnerability (URV) and SE are influenced by IS awareness resulting from effective leadership and elevated employees’ trusting beliefs which guide employees to comply with ISP requirements. Practical implications Practical implications were aimed at organizations embracing an awareness-centered information security compliance program to secure organizations’ assets against threats by implementing various security education and training awareness programs. Originality/value This paper asserts that awareness is central to ISP compliance. Leadership and trusting beliefs variables play significant roles in the information security awareness which in turn positively affect employees’ URV and SE variables leading employees to comply with the ISP requirements.

Download Full-text

Understanding employees' information security identities: an interpretive narrative approach

Information Technology and People ◽

10.1108/itp-04-2020-0197 ◽

2021 ◽

Vol ahead-of-print (ahead-of-print) ◽

Author(s):

Jeffrey D. Wall ◽

Prashant Palvia

Keyword(s):

Information Security ◽

Narrative Analysis ◽

Life Experiences ◽

Qualitative Interviews ◽

Situational Factors ◽

Future Research ◽

Content Type ◽

Security Compliance ◽

And Control ◽

Over Time

PurposeThe authors seek to understand the formation of control- and security-related identities among organizational employees through and interpretive narrative analysis. The authors also seek to identify how the identities form over time and across contexts. Several identities are identified as well as the changes that may occur in the identities.Design/methodology/approachFew interpretive or critical studies exist in behavioral information security research to represent employee perspectives of power and control. Using qualitative interviews and narrative analysis of the interview transcripts, this paper analyzes the security- and control-related identities and values that employees adopt in organizational settings.FindingsTwo major categories of behavioral security compliance identities were identified: compliant and noncompliant. Specific identities within the compliant category included: faithful follower vs the reasoned follower, and other-preserving versus the self-preserving identities. The noncompliant category included: anti-authority identity, utilitarian identity, trusting identity and unaware identity. Furthermore, three patterns of identity changes were observed.Research limitations/implicationsThe authors’ narrative stories suggest that employee identities are complex and multi-faceted, and that they may be fluid and adaptive to situational factors. Future research should avoid assumptions that all employees are the same or that employee beliefs remain constant over time or in different contexts. Identities are also strongly rooted in individuals' rearing and other life experiences. Thus, security control is far broader than is studied in behavioral studies. The authors find that history matters and should be examined carefully.Practical implicationsThe authors’ study provides insights that managers can use to enhance security initiatives. It is clear that different employees build different control-related identities. Managers must understand that their employees are unique and will not all respond to policies, punishments, and other forms of control in the same way. The narratives also suggest that many organizations lack appropriate programs to enhance employees' awareness of security issues.Originality/valueThe authors’ narrative analysis suggests that employee security identities are complex and multi-faceted, and that they are fluid and adaptive to situational factors. Research should avoid assumptions that all employees are the same or that their beliefs remain constant over time or in different contexts. Identities are also strongly rooted in individuals' rearing and other life experiences. Their history matters and should be examined carefully.

Download Full-text

Productivity vs security: mitigating conflicting goals in organizations

Information and Computer Security ◽

10.1108/ics-03-2017-0014 ◽

2017 ◽

Vol 25 (2) ◽

pp. 137-151 ◽

Cited By ~ 1

Author(s):

Peter Mayer ◽

Nina Gerber ◽

Ronja McDermott ◽

Melanie Volkamer ◽

Joachim Vogt

Keyword(s):

Information Security ◽

Goal Setting ◽

Security Policy ◽

Negative Effects ◽

Content Type ◽

Factors Affecting ◽

Positive Effects ◽

Survey Results ◽

Security Compliance ◽

Reported Data

Purpose This paper aims to contribute to the understanding of goal setting in organizations, especially regarding the mitigation of conflicting productivity and security goals. Design/methodology/approach This paper describes the results of a survey with 200 German employees regarding the effects of goal setting on employees’ security compliance. Based on the survey results, a concept for setting information security goals in organizations building on actionable behavioral recommendations from information security awareness materials is developed. This concept was evaluated in three small- to medium-sized organizations (SMEs) with overall 90 employees. Findings The survey results revealed that the presence of rewards for productivity goal achievement is strongly associated with a decrease in security compliance. The evaluation of the goal setting concept indicates that setting their own information security goals is welcomed by employees. Research limitations/implications Both studies rely on self-reported data and are, therefore, likely to contain some kind of bias. Practical implications Goal setting in organizations has to accommodate for situations, where productivity goals constrain security policy compliance. Introducing the proposed goal setting concept based on relevant actionable behavioral recommendations can help mitigate issues in such situations. Originality/value This work furthers the understanding of the factors affecting employee security compliance. Furthermore, the proposed concept can help maximizing the positive effects of goal setting in organizations by mitigating the negative effects through the introduction of meaningful and actionable information security goals.

Download Full-text

Escalation of commitment as an antecedent to noncompliance with information security policy

Information and Computer Security ◽

10.1108/ics-09-2017-0066 ◽

2018 ◽

Vol 26 (2) ◽

pp. 171-193 ◽

Cited By ~ 6

Author(s):

Miranda Kajtazi ◽

Hasan Cavusoglu ◽

Izak Benbasat ◽

Darek Haftor

Keyword(s):

Information Security ◽

Risk Perceptions ◽

Security Policy ◽

Sunk Costs ◽

Survey Method ◽

Task Completion ◽

Escalation Of Commitment ◽

Value Conflicts ◽

Information Security Policy ◽

Content Type

PurposeThis study aims to identify antecedents to noncompliance behavior influenced by decision contexts where investments in time, effort and resources are devoted to a task – referred to as a task unlikely to be completed without violating the organization’s information security policy (ISP).Design/methodology/approachAn empirical test of the suggested relationships in the proposed model was conducted through a field study using the survey method for data collection. Pre-tests, pre-study, main study and a follow-up study compose the frame of our methodology where more than 500 respondents are involved across different organizations.FindingsThe results confirm that the antecedents that explain the escalation of commitment behavior in terms of the effect of lost assets, such as time, effort and other resources, give us a new lens to understand noncompliance behavior; employees seem to escalate their commitments to the completion of their tasks at the expense of becoming noncompliant with ISP.Research limitations/implicationsOne of the key areas that requires further attention from this study is to better understand the role of risk perceptions on employee behavior when dealing with value conflicts. Depending on how risk-averse or risk seeking an employee is, the model showed no significant support in either case to influence their noncompliance behavior. The authors therefore argue that employees' noncompliance may be influenced by more powerful beliefs, such as self-justification and sunk costs.Practical implicationsThe results show that when employees are caught in tasks undergoing difficulties, they are more likely to increase noncompliance behavior. By understanding better how project obstacles result in such tasks, security managers can define new mechanisms to counter employees’ shift from compliance to noncompliance.Social implicationsApart from encouraging compliance with enforcement mechanisms (using direct behavioral controls like sanctions or rewards), indirect behavior controls may also encourage compliance. The authors suggest that the ISPs should state that the organization would take positive actions toward task completion and help their employees to resolve their problems quickly.Originality/valueThis study is the first to tackle escalation of commitment theories and use antecedents that explain the effect of lost assets, such as time, effort and other resources can also explain noncompliance with ISP in terms of the value conflicts, where employees would often choose to forego compliance at the expense of finishing their tasks.

Download Full-text

The effect of perceived organizational culture on employees’ information security compliance

Information and Computer Security ◽

10.1108/ics-06-2021-0073 ◽

2021 ◽

Vol ahead-of-print (ahead-of-print) ◽

Author(s):

Martin Karlsson ◽

Fredrik Karlsson ◽

Joachim Åström ◽

Thomas Denk

Keyword(s):

Organizational Culture ◽

Information Security ◽

Security Policy ◽

Organizational Cultures ◽

Policy Compliance ◽

Information Security Policy ◽

Content Type ◽

Security Compliance ◽

Information Security Policy Compliance ◽

Security Policy Compliance

Purpose This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers. Design/methodology/approach The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy. Findings The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance. Research limitations/implications The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance. Practical implications Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite an internal focus, that may have negative ramifications for the information security of organizations. Originality/value Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

Download Full-text

Factors Influencing Information Security Policy Compliance Behavior

10.4018/978-1-6684-3698-1.ch010 ◽

2022 ◽

pp. 213-232

Author(s):

Kwame Simpe Ofori ◽

Hod Anyigba ◽

George Oppong Appiagyei Ampong ◽

Osaretin Kayode Omoregie ◽

Makafui Nyamadi ◽

...

Keyword(s):

Information Security ◽

Security Policy ◽

Future Research ◽

General Deterrence ◽

Security Education ◽

Weakest Link ◽

Compliance Behavior ◽

Security Compliance ◽

Information Security Policy Compliance ◽

Security Policy Compliance

One of the major concerns of organizations in today's networked world is to unravel how employees comply with information security policies (ISPs) since the internal employee has been identified as the weakest link in security policy breaches. A number of studies have examined ISP compliance from the perspective of deterrence; however, there have been mixed results. The study seeks to examine information security compliance from the perspective of the general deterrence theory (GDT) and information security climate (ISC). Data was collected from 329 employees drawn from the five top-performing banks in Ghana and analyzed with PLS-SEM. Results from the study show that security education training and awareness, top-management's commitment for information security, and peer non-compliance behavior affect the information security climate in an organization. Information security climate, punishment severity, and certainty of deterrent were also found to influence employees' intention to comply with ISP. The implications, limitations, and directions for future research are discussed.

Download Full-text

Factors Influencing Information Security Policy Compliance Behavior

Modern Theories and Practices for Cyber Ethics and Security Compliance - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-7998-3149-5.ch010 ◽

2020 ◽

pp. 152-171

Author(s):

Kwame Simpe Ofori ◽

Hod Anyigba ◽

George Oppong Appiagyei Ampong ◽

Osaretin Kayode Omoregie ◽

Makafui Nyamadi ◽

...

Keyword(s):

Information Security ◽

Security Policy ◽

Future Research ◽

General Deterrence ◽

Security Education ◽

Weakest Link ◽

Compliance Behavior ◽

Security Compliance ◽

Information Security Policy Compliance ◽

Security Policy Compliance

Download Full-text

Variables influencing information security policy compliance

Information Management & Computer Security ◽

10.1108/imcs-08-2012-0045 ◽

2014 ◽

Vol 22 (1) ◽

pp. 42-75 ◽

Cited By ~ 78

Author(s):

Teodor Sommestad ◽

Jonas Hallberg ◽

Kristoffer Lundholm ◽

Johan Bengtsson

Keyword(s):

Systematic Review ◽

Information Security ◽

Security Policy ◽

Empirical Studies ◽

Security Policies ◽

Future Research ◽

Policy Compliance ◽

Content Type ◽

Information Security Policy Compliance ◽

Security Policy Compliance

Purpose – The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are. Design/methodology/approach – A systematic review of empirical studies described in extant literature is performed. This review found 29 studies meeting its inclusion criterion. The investigated variables in these studies and the effect size reported for them were extracted and analysed. Findings – In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and incompliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each of the variables only explains a small part of the variation in people's behaviour and when a variable has been investigated in multiple studies the findings often show a considerable variation. Research limitations/implications – It is possible that the disparate findings of the reviewed studies can be explained by the sampling methods used in the studies, the treatment/control of extraneous variables and interplay between variables. These aspects ought to be addressed in future research efforts. Practical implications – For decision makers who seek guidance on how to best achieve compliance with their information security policies should recognize that a large number of variables probably influence employees' compliance. In addition, both their influence strength and interplay are uncertain and largely unknown. Originality/value – This is the first systematic review of research on variables that influence compliance with information security policies of organizations.

Download Full-text

An examination of factors that influence the number of information security policy violations in Qatari organizations

Information and Computer Security ◽

10.1108/ics-03-2014-0018 ◽

2015 ◽

Vol 23 (1) ◽

pp. 102-118 ◽

Cited By ~ 10

Author(s):

Hasan M. Al-Mukahal ◽

Khaled Alshare

Keyword(s):

Information Security ◽

Work Environment ◽

Security Policy ◽

Moderating Effect ◽

Cultural Dimensions ◽

Future Research ◽

Information Security Policy ◽

Content Type ◽

The Impact ◽

Practical Implications

Purpose – This paper aims to investigate factors that impact the number of information security policy violations in Qatari organizations and to examine the moderating effect of Hofstede’s cultural dimensions on the relationships between the independent factors and the number of information security policy violations. Design/methodology/approach – Grounded in related theories from the fields of criminology, behavioral psychology and theory of planned behavior, two components that affect the number of information security policy violations were identified. A quantitative approach was used by developing a questionnaire survey to collect the data. The research model was tested using 234 employees from different Qatari organizations. Findings – The results of the study indicate that trust, the impact of implementing information security policy on work environment and the clarity of the scope of the information security policy were significant factors in predicting the number of information security policy violations. The findings also reveal that cultural dimensions such as uncertainty avoidance and collectivism moderate the relationships between trust, clarity of policy scope and impact of information security policy on work environment and the number information security policy violations. Research limitations/implications – The generalizability of the results is limited because the sample of the study was drawn from only one developing country. Therefore, a plausible future research could be testing the proposed model in many developing and developed countries. Practical implications – The paper includes practical implications for developing and implementing security measures and policies in diversified work environments. Originality/value – This study fulfils a gap in investigating the factors that influence the number of information security policy violations and the moderating effect of cultural dimensions in developing countries such as Qatar.

Download Full-text