Introduction
In 2015, organizations in the United Kingdom (UK) reported a 36% increase in employee-related information security (InfoSec) breaches compared with the previous year (PwC, 2015b), and insider threats account for the largest share of InfoSec incidents globally (PwC, 2015a). Although organizations have implemented information security policies (ISPs) (Guo, Yuan, Archer, & Connelly, 2011), users' resistance to the ISP is among the major reasons these policies fail (Kolkowska & Dhillon, 2013), which is a notable problem for organizations (Posey, Roberts, Lowry, Bennett, & Courtney, 2013). Employees disregard the ISP because they feel it is a nuisance (Renaud, 2012), because they prioritize other work tasks, and because the ISP is poorly understood (PwC, 2015b). ISP non-compliance may also stem from employees' dissatisfaction with the ISP (Hedström, Karlsson, & Kolkowska, 2013), or from negligence or ignorance (Siponen & Vance, 2010).
Thus, the domains of InfoSec and ISP non-compliance have received substantial attention from researchers and practitioners. The behavioral theories applied to ISP non-compliance include deterrence theory (D'Arcy & Hovav, 2009; Herath & Rao, 2009), the theory of planned behavior (Bulgurcu, Cavusoglu, & Benbasat, 2010; Cox, 2012), and social action theory (Hedström et al., 2013). Research has also examined users' ISP non-compliance from ethical (Myyry, Siponen, Pahnila, Vartiainen, & Vance, 2009) and rational choice perspectives (Bulgurcu et al., 2010; Vance & Siponen, 2012).
While extant research offers insights into InfoSec contravention, it leaves an incomplete understanding of ISP infringement. First, although factors of ISP compliance behavior have been identified, research focusing on ISP non-compliance behavior is scant (Guo et al., 2011; Workman, Bommer, & Straub, 2008). Moreover, these two types of behavior are qualitatively dissimilar, so their respective antecedents might differ (Guo et al., 2011). Adhering to rules or policy may simply follow from normative beliefs about what people ought to do, without requiring users to deliberate at length (Cox, 2012). To perform counter-normative actions, by contrast, users might deliberate about rule-breaking and look for excuses that justify it (Blanton & Christie, 2003). Furthermore, Wall et al. (2013) claim that habitual behavior, being routine and automatic, is imperative in mitigating ISP non-compliance; users might think twice before violating the ISP because they know the action is prohibited. Hence, it is more worthwhile to investigate why users are ISP non-compliant than why they are ISP-compliant (Guo et al., 2011; Vance & Siponen, 2012), all the more so because intentional neglect of the ISP is one of the most common security-related behaviors among users. Investigating ISP non-compliance is also more pragmatic and interesting because unexpected deviant actions have greater "informational value" than normative behaviors (Barlow, Warkentin, Ormond, & Dennis, 2013; Blanton & Christie, 2003), and it extends our understanding of how users motivate or rationalize ISP non-compliance (Siponen & Vance, 2010).