Introduction
We recall an insightful remark on information security:
“Systems are particularly prone to failure when the person guarding them is not the person who suffers when they fail.” (Anderson & Moore, 2006, p. 610)
It is widely argued that most information security breaches stem from employees’ negligence or ignorance of the proper use of information resources (Vroom & von Solms, 2004). Given that employees are the Achilles’ heel of security control, policy makers regard information security policy (ISP) as crucial for guiding employees (insiders) toward the proper use of information assets within organizations. An ISP comprises internally prescribed regulations and rules on the proper use of information assets, on the avoidance of improper use, and on the punishment of illicit use, grounded in the self-control and rational choice perspectives (Bulgurcu, Cavusoglu, & Benbasat, 2010). Early security-related literature indicates that deterrence, control, and punishment mechanisms are effective in mitigating ISP violations within organizations (Straub & Nance, 1990). However, punishment does not guarantee employees’ full compliance with the ISP (Herath & Rao, 2009). Fear of sanctions cannot completely prevent non-compliance, because employees tend to rationalize their violations through neutralization techniques (Siponen & Vance, 2010; Teh, Ahmed, & D’Arcy, 2015). Computer monitoring and auditing are useful tools for mitigating the abuse of organizational information assets (Urbaczewski & Jessup, 2002), but reliance on technological tools alone is not sufficient to prevent intentional or unintentional ISP violations in the workplace (Choobineh et al., 2007; Siponen, 2005). Safeguarding regulations for risk management and security control therefore remain an ongoing and enduring concern in security practice, given the upward trend in breach costs (Bagchi & Udo, 2013). Most studies of ISP compliance have been conducted in Western countries, and only a few in the Chinese business context (Cheng et al., 2013). Our study of ISP compliance in Chinese business, that is, among Chinese employees working in China, can provide a perspective that complements the Western-centric literature.
The negative effect or “dark side” of the use of information technologies (IT) or information systems (IS), such as techno-overload and techno-insecurity arising from misuse (D’Arcy et al., 2014), never disappears from security practice. For example, the use of the Internet or social media exposes users to potential invasions of privacy and to fear of cybercrime (Kim et al., 2011). Information security stress becomes a form of techno-stress in which employees believe they bear more risk than the employer does (Lee, Lee, & Kim, 2016). Treating employees as the source of security breaches, ISP supervisors often play a win-or-lose game, assigning blame for non-compliance and credit for compliance from a control-centric perspective, i.e., the employer’s control through fear appeals and rational choice. Hence, employees cannot escape the “dark side” of security control, such as technological intrusion into personal boundaries or restrictions on the freedom of information use, whether inside or outside the workplace (Tarafdar, Gupta, & Turel, 2013). The “dark side” phenomena of IT-enabled security monitoring, such as fragile privacy and suppressed freedom (Lowry & Moody, 2015; Posey et al., 2011), are extended threats that heighten employees’ fear in a new age in which surveillance cameras are everywhere. We consider such “dark side” phenomena of information security control to be imposed, unavoidable barriers that collectively discourage employees from developing compliance behaviour and may even provoke an emotional backlash against the security policy.