Guo et al., 2011: Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model

Topic:

Users often knowingly engage in certain insecure uses of IS and violate security policies without malicious intentions. n the present study we propose and test empirically a nonmalicious security violation (NMSV) model with data from a survey of end users at work. The results suggest that utilitarian outcomes (relative advantage for job performance, perceived security risk), normative outcomes (workgroup norms), and self-identity outcomes (perceived identity match) are key determinants of end user intentions to engage in NMSVs. In contrast, the influences of attitudes toward security policy and perceived sanctions are not significant. This study makes several significant contributions to research on security-related behavior by (1) highlighting the importance of job performance goals and security risk perceptions on shaping user attitudes, (2) demonstrating the effect of workgroup norms on both user attitudes and behavioral intentions, (3) introducing and testing the effect of perceived identity match on user attitudes and behavioral intentions, and (4) identifying nonlinear relationships between constructs.

survey with 4 scenarios, 306 responses, all scenarios in appendix

Constructs in this publication:

Construct	Cites	Category	Questions given?	Content validity	Pretests	Response type	Notes
Perceived Identity Match	Triandis, 1977		yes	based on expert interviews	pilot	various
Attitude Toward Security Policy	NEW		yes	based on expert interviews	pilot	various
Perceived Security Risk of NMSV	NEW		yes	based on expert interviews	pilot	various
Relative Advantage for Job Performance	Moore, 1991		yes	based on expert interviews	pilot	various
Perceived Sanctions	D'Arcy et al., 2009		yes	based on expert interviews	pilot	various
Workgroup Norm	NEW		yes	based on expert interviews	pilot	various
Attitude Toward NMSV	Ajzen, 2006		yes	based on expert interviews	pilot	various
NMSV Intention	NEW		yes	based on expert interviews	pilot	various

This publication is cited by the following publications:

• Sommestad et al., 2014: Attitude toward security policy
• Sommestad et al., 2014: Attitude toward misuse
• Sommestad et al., 2014: Intention to misuse
• Sommestad et al., 2014: Normative beliefs
• Sommestad et al., 2014: Perceived identity match
• Sommestad et al., 2014: Perceived severity of sanctions
• Sommestad et al., 2014: Perceived security risk
• Sommestad et al., 2014: Response cost
• Vance et al., 2014: Perceived security risk of malware

Citation:

Ken H. Guo, Yufei Yuan, Norman P. Archer, and Catherine E. Connelly. Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model. Journal of Management Information Systems, 28(2):203–236, October 2011. doi:10.2753/MIS0742-1222280208.

Bibtex

@article{guo_understanding_2011,
 author = {Guo, Ken H. and Yuan, Yufei and Archer, Norman P. and Connelly, Catherine E.},
 doi = {10.2753/MIS0742-1222280208},
 issn = {0742-1222},
 journal = {Journal of Management Information Systems},
 month = {October},
 number = {2},
 pages = {203-236},
 shorttitle = {Understanding {{Nonmalicious Security Violations}} in the {{Workplace}}},
 title = {Understanding {{Nonmalicious Security Violations}} in the {{Workplace}}: {{A Composite Behavior Model}}},
 volume = {28},
 year = {2011}
}

---