Cheng et al., 2013: Understanding the Violation of IS Security Policy in Organizations: An Integrated Model Based on Social Control and Deterrence Theory

Topic:

Employees’ social bonding is found to have mixed impacts on the employee’s intention to violate ISSP. Social pressures exerted by subjective norms and co-worker behaviours also significantly influence employees’ ISSP violation intentions. In analyzing the formal sanctions, the perceived severity of sanctions was found to be significant while, perceived certainty of those sanctions was not.

Survey with four scenarios: (1) copying organization’s sensitive data, (2) workstation logout, (3) sharing passwords, (4) reading confidential files. The first three scenarios, coping organizational sensitive data, without workstation logout, and sharing passwords were taken from the research by siponen_neutralization_2010. Except the name of the character was changed to a Chinese name, all the remaining aspects are the same as those of Siponen and Vance. The scenario of reading confidential files is provided in Appendix A., 185 responses, 3 scenarios from siponen_neutralization_2010, 1 new one in appendix

Constructs in this publication:

Construct	Cites	Category	Questions given?	Content validity	Pretests	Response type	Notes
ISSP Violation intention	NEW		yes	no	pilot	The response scale ranged from 1 (“no chance at all”) to 7 (“100 per cent chance”).
Perceived certainty	D'Arcy et al., 2009, Li et al., 2010, Siponen, 2010	Formal control	yes	no	pilot
Perceived severity	D'Arcy et al., 2009, Li et al., 2010, Siponen, 2010	Formal control	yes	no	pilot
Attachment to immediate supervisor	Lee et al., 2004, Chapple et al., 2005	Social bond	yes	no	pilot	7-point Likert scale ranging from Strongly Disagree to Strongly Agree.
Attachment to co-workers	Lee et al., 2004, Chapple et al., 2005	Social bond	yes	no	pilot	7-point Likert scale ranging from Strongly Disagree to Strongly Agree.
Attachment to job	Lee et al., 2004, Chapple et al., 2005	Social bond	yes	no	pilot	7-point Likert scale ranging from Strongly Disagree to Strongly Agree.
Attachment to organization	Lee et al., 2004, Chapple et al., 2005	Social bond	yes	no	pilot	7-point Likert scale ranging from Strongly Disagree to Strongly Agree.
Commitment	Lee et al., 2004, Chapple et al., 2005	Social bond	yes	no	pilot	7-point Likert scale ranging from Strongly Disagree to Strongly Agree.
Involvement	Lee et al., 2004, Chapple et al., 2005	Social bond	yes	no	pilot	7-point Likert scale ranging from Strongly Disagree to Strongly Agree.
Belief	Lee et al., 2004, Chapple et al., 2005	Social bond	yes	no	pilot	7-point Likert scale ranging from Strongly Disagree to Strongly Agree.
Subjective norm	Herath, 2009	Informal control	yes	no	pilot
Co-worker behaviour	Herath, 2009	Informal control	yes	no	pilot

This publication is cited by the following publications:

• Sohrabi Safa et al., 2016: Information security knowledge sharing
• Sohrabi Safa et al., 2016: Information security collaboration
• Sohrabi Safa et al., 2016: Information security intervention
• Sohrabi Safa et al., 2016: Information security experience
• Sohrabi Safa et al., 2016: Attachment
• Sohrabi Safa et al., 2016: Commitment
• Sohrabi Safa et al., 2016: Personal norms
• Sohrabi Safa et al., 2016: Attitude towards compliance with ISOP
• Sohrabi Safa et al., 2016: ISOP compliance behavioural intentions

Citation:

Lijiao Cheng, Ying Li, Wenli Li, Eric Holm, and Qingguo Zhai. Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory. Computers & Security, 39:447–459, November 2013. doi:10.1016/j.cose.2013.09.009.

Bibtex

@article{cheng_understanding_2013,
 abstract = {It is widely agreed that a large amount of information systems (IS) security incidents occur in the workplace because employees subvert existing IS Security Policy (ISSP). In order to understand the factors that constrain employees from deviance and violation of the organizational ISSP, past work has traditionally viewed this issue through the lens of formal deterrence mechanisms; we postulated that we could better explain employees' ISSP violation behaviours through considering both formal and informal control factors as well as through considering existing deterrence theory. We therefore developed a theoretical model based on both deterrence and social bond theories rooted in a social control perspective to better understand employee behaviour in this context. The model is validated using survey data of 185 employees. Our empirical results highlight that both formal and informal controls have a significant effect on employees' ISSP violation intentions. To be specific, employees' social bonding is found to have mixed impacts on the employee's intention to violate ISSP. Social pressures exerted by subjective norms and co-worker behaviours also significantly influence employees' ISSP violation intentions. In analyzing the formal sanctions, the perceived severity of sanctions was found to be significant while, perceived certainty of those sanctions was not. We discuss the key implications of our findings for managers and researchers and the implications for professional practice.},
 author = {Cheng, Lijiao and Li, Ying and Li, Wenli and Holm, Eric and Zhai, Qingguo},
 doi = {10.1016/j.cose.2013.09.009},
 issn = {0167-4048},
 journal = {Computers \& Security},
 keywords = {IS security policy,Violation intention,General deterrence theory,Social bond theory,Social control mechanisms},
 month = {November},
 pages = {447-459},
 shorttitle = {Understanding the Violation of {{IS}} Security Policy in Organizations},
 title = {Understanding the Violation of {{IS}} Security Policy in Organizations: {{An}} Integrated Model Based on Social Control and Deterrence Theory},
 volume = {39},
 year = {2013}
}

---