Article Preview
TopIntroduction
Viruses, data breaches, software piracy, computer fraud and other illegal or unacceptable behaviors related to security and privacy of computers and information systems have been reported extensively by the popular press. These events and behaviors have caused great losses to individuals, organizations, and society. For example, software piracy has been on the rise in the past decade, causing companies billions of dollars in losses. Furthermore, a report by the Identity Theft Resource Center (ITRC 2014) indicated that the number of U.S. data breaches reached a record high of 783 in 2014, which increased by 27.5% from 2013. Primary causes of data breach incidents include hacking, data on the move, insider theft, accidental exposure, and subcontractor/third party. In particular, Lynn (2009) reported that 42 percent of the companies considered laid-off employees as the biggest threat to their data security. Due to the financial losses and reputational damage to organizations caused by various computer-related illegal or unacceptable behaviors, organizations have invested heavily in the implementation of various security measures such as security policies, security training, and security auditing to reduce or prevent these behaviors by their employees or external parties.
However, the effectiveness of these security measures not only depends on the supporting technologies but also relies on the behaviors of human agents such as individuals who access and use IT resources (Stanton, Stam, Mastrangelo, & Jolton, 2005). Therefore, a systematic understanding of individual behavior, especially individual decision making in situations involving conflicting interests, can help information security managers better assess security risks and more effectively design and implement security measures.
Many scholars have examined individuals’ ethical attitudes and unethical behaviors in various contexts (Singhapakdi, Vitell, & Kraft, 1996; Leonard, Cronan, & Kreie, 2004) and have identified a number of factors (e.g., individual characteristics, issue characteristics, organizational characteristics) that influence ethical judgment and decisions (O’Fallon & Butterfield, 2003). Although many empirical studies have confirmed that magnitude of consequences does influence how people judge behaviors that already took place and led to certain consequences, relatively fewer studies have investigated behavioral intentions in ethical dilemmas involving conflicting interests where the action in question has not occurred and the consequences of the action cannot be known in advance. We argue that in these situations whether information about possible consequences (positive and negative) is available to individuals influences their decision making process and behavioral intentions. The informational aspect of decision-making in such dilemmas has been under-investigated in the literature. To address this gap in the literature, this study focuses on the availability of information related to not only possible benefits but also possible harms that may result from an unethical action. In addition, given the unprecedented importance of understanding and preventing inappropriate behaviors in today’s IT-embedded environment, we conduct this study in the IT context by taking into consideration the different types of IT resources involved in these dilemmas. In particular, considering the increasing number of incidences involving inappropriate actions related to computer software and data, we focus on ethical dilemmas involving software and data.
The research questions that we pose in this study are: (1) how does information about potential outcomes influence the individual’s behavioral intention in ethical dilemmas involving conflicting interests? (2) Does the impact of information about potential outcomes differ in dilemmas involving data versus those involving software products? (3) Does the impact of information about potential outcomes differ among individuals with a different ethical ideology?
In the next section, we review the existing literature on individual decision-making in ethical dilemmas in general and IT-related ethical dilemmas, and then develop research hypotheses. Section III presents the details of our research methodology. We then summarize the empirical analysis and results in Section IV, and the post-hoc analysis results in Section V. We conclude by discussing contributions, limitations and future research.