Introduction
Security breaches in organizations are a serious concern. Most security incidents are a result of employees’ noncompliance (Stanton, Stam, Mastrangelo, & Jolton, 2005). In a context where users may be using their personal mobile devices for work as well as personal use, this study examines individual responses to non-compliant mobile device usage behaviors by fellow users, such as using unsecure wireless connections for work-related purposes, in order to understand the intentions of people, as bystanders, to take action against unsecure mobile device usage practices. If no one acts effectively against those unsecure usage practices, there may be a serious threat to the IS security of the organization as well as to the personal devices and data of several other users in a BYOD context.
Past research used several behavioral approaches to study the compliance behaviors of employees and users of technology (Anandarajan, Paravastu, Arinze, & D’Ovidio, 2012; Cheng, Li, Li, Holm, & Zhai, 2013; Lim, 2014; Myyry, Siponen, Pahnila, Vartiainen, & Vance, 2009; M. Siponen & Vance, 2010; Sousa, MacDonald, & Fougere, 2012). These approaches are valuable, but do not address the important aspect of how employees, as individual IT users in an organization, can be a resource in preserving information systems (IS) security and ensuring compliance. This is a significant gap because employees can potentially act as guardians against violations by other employees, as well as protect themselves against IS security threats. To address this gap, this study uses bystander theory (Darley & Latane, 1968; Fischer, Krueger, et al., 2011; Latané & Darley, 1968, 1969) in the context of IS security and constructs from protection motivation theory (PMT) (Anandarajan, et al., 2012; Johnston & Warkentin, 2010; Ronald W. Rogers, 1975). Bystander theory (Darley & Latane, 1968; Latané & Darley, 1968) provides an insight into individual behaviors in situations of threat to others. Bystander theory suggests that those present at the time of an emergency are less willing to help a victim in the presence of other bystanders, and provides a theoretical framework to understand the facilitating and inhibiting conditions for bystander help. Protection motivation theory (Ronald W. Rogers, 1975; Ronald W. Rogers, 1983) provides a framework for understanding how users’ perceptions about the severity and vulnerability of threats influence user intentions and actions towards protecting themselves. PMT is considered appropriate for the information systems security context for understanding how individuals respond to IS security threats.
Applicability of PMT to the Context of Non-Compliant Mobile Device Usage
An essential condition for application of PMT is the existence of a perceived threat in order for the individual to be motivated to take protective measures (Johnston & Warkentin, 2010). In the context of this study, the users of mobile devices have both their personal data and work-related data on the device, because many users own the device and also use it for both personal and work purposes. Therefore, any unsecure use by a user, whether for personal or work purposes, may also threaten the safety of personal data of individual users. These perceptions of threat to their personal data or device, in which they have a vested ownership interest, in turn appeal to their fears, motivating them to take protective action such as securing their own devices and usage behaviors (Dang-Pham & Pittayachawan, 2015). Therefore, in the BYOD context of this study, where non-compliant usage behaviors of other users are perceived as a threat to their own data security, PMT is considered appropriate and applicable.