0000000000821460
AUTHOR
Anthony Vance
Effects of Sanctions, Moral Beliefs, and Neutralization on Information Security Policy Violations Across Cultures
A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP violations, yet studies using this theory have produced mixed results. Past research has indicated that cultural differences may be one reason for these inconsistent findings and have hence called for cross-cultural research on deterrence in information security. To address this gap, we formulated a model including deterrence, moral beliefs, shame, and neutralization techniques and tested it with the employees from 48 countries working for a large multinational company. peerReviewed
Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations
The information systems (IS) field continues to debate the relative importance of rigor and relevance in its research. While the pursuit of rigor in research is important, we argue that further effort is needed to improve practical relevance, not only in terms of topics, but also by ensuring contextual relevance. While content validity is often performed rigorously, validated survey instruments may still lack contextual relevance and be out of touch with practice. We argue that IS behavioral research can improve its practical relevance without loss of rigor by carefully addressing a number of contextual issues in instrumentation design. In this opinion article, we outline five guidelines – …
New insights into the problem of software piracy: The effects of neutralization, shame, and moral beliefs
Software piracy is a major economic concern for organizations. Previous research indicates that neutralization, a form of rationalization, can help explain software piracy intentions. However, a knowledge gap exists in our understanding of which neutralization techniques most influence software piracy intention. To address this gap, we developed a model that explains the effects of neutralization techniques on software piracy intention. We included different types of deterrents (formal sanctions, shame, and moral belief) in our model because individuals may use neutralization techniques to mitigate feelings of guilt and shame, which, subsequently, reduce the deterrent effect. Our empirical …
Can individuals’ neutralization techniques be overcome? A field experiment on password policy
Individuals’ lack of adherence to password security policy is a persistent problem for organizations. This problem is especially worrisome because passwords remain the primary authentication mechanism for information systems, and the number of passwords has been increasing. For these reasons, determining methods to improve individuals’ adherence to password-security policies constitutes an important issue for organizations. Extant research has shown that individuals use neutralization techniques, i.e., types of rationalizations, to disregard organizational information-security policies. What has not been determined from extant information security research is whether these neutralizations c…
Effects of sanctions, moral beliefs, and neutralization on information security policy violations across cultures
Abstract A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP violations, yet studies using this theory have produced mixed results. Past research has indicated that cultural differences may be one reason for these inconsistent findings and have hence called for cross-cultural research on deterrence in information security. To address this gap, we formulated a model including deterrence, moral beliefs, shame, and neutralization techniques and tested it with the employees from 48 countries working for a large multinational company.
Common Misunderstandings of Deterrence Theory in Information Systems Research and Future Research Directions
In the 1980s, information systems (IS) borrowed deterrence theory (DT) from the field of criminology to explain information security behaviors (or intention). Today, DT is among the most commonly used theories in IS security research. Our review of IS research applying DT highlights that many fundamental assumptions of DT are unrecognized and therefore unexamined. This may have resulted in misunderstandings and conceptual confusions regarding some of the basic concepts of DT. For example, some IS studies confuse general deterrence with specific deterrence or do not recognize the difference between the two. Moreover, these fundamental assumptions, when directly examined, may provide importan…
IS Security Policy Violations
Employee violations of IS security policies are reported as a key concern for organizations. Although behavioral research on IS security has received increasing attention from IS scholars, little empirical research has examined this problem. To address this research gap, the authors test a model based on Rational Choice Theory RCT-a prominent criminological theory not yet applied in IS-which explains, in terms of a utilitarian calculation, an individual's decision to commit a violation. Empirical results show that the effects of informal sanctions, moral beliefs, and perceived benefits convincingly explain employee IS security policy violations, while the effect of formal sanctions is insig…