Article Preview
Top1. Introduction
Most studies in information systems field have primarily focused on technical issues concerning the design and implementation of security subsystems (Choo, 2011). Some of the study in this area includes computer security behaviors (Stanton, 2005). However, the respondents in these studies are typically IT administrators or top-level managers (Dhillon & Torkzadeh, 2006) rather than representatives from the end-user community. The fact that the respondents in prior studies were largely those responsible for setting up and running technical security initiatives raises the question of whether or not their views are likely to be representative of the organization as a whole (Finch et al., 2003).
Recently information security turns to be one of the global problems of humanity getting more and sociological, political, and human character, since necessity to protect a person and a whole society in information sphere increases (Skorodumov et al., 2015). Employees act not always desirably regarding information technology or information systems (Warkentin et al., 2009). Several scholars have established classifications of employee security behavior (Guo, 2013; Padayachee, 2012; Stanton et al., 2005). In this research context, the author regards this undesirable employee security behavior as workplace deviance.
Robinson and Bennett (1995) defined workplace deviance as a voluntary behavior engaged by employee that is contrary to the significant organizational norms and it is considered as a threat to the well-being of an organization and/or its members. Workplace deviant behaviors include employee using organization’s phone to make personal calls, coming to the office very late and leaving early, using organization’s vehicle for personal use, taking unnecessary breaks by employee, delivering poor quality work, employee engaging in sick leave even though they are not, and employee falsifying receipts in order to get reimbursed for more money than the actual amount he spent (Bechtoldt et al., 2007; Robinson & Bennett, 1995).
Therefore, undesirable employee security behavior such as computer abuse behavior can be a kind of workplace deviance, where an employee doesn’t act compliant with information security policies of an organization prescribing rules, for example about handling e-mails, passwords or data in a way, which ensures security in an organization. Computer abuse has been defined as ‘the unauthorized and deliberate misuse of assets of the local organization information system by individuals associated with the organization’ (Straub, 1990), otherwise known as organizational insider. Computer abuse has also been termed internal computer abuse to differentiate it from abuse external to an organization (e.g., hacking), but I use the former term for concision. Computer abuse is not just an ‘IT problem’; it is also an organization-wide problem because insiders represent a severe threat to organizational information resources that cannot be controlled by technology and the threat of punishment alone (D'Arcy et al., 2009; Siponen et al., 2009; Dhillon & Torkzadeh, 2006). Computer abuse is a form of organizational deviance; thus, many security professionals view it as more detrimental to organizational security than external attacks (Loch et al., 1992). This study only includes organizational computer abuse.