Antecedent factors of violation of information security rules

Cappellozza, Alexandre; Moraes, Gustavo Hermínio Salati Marcondes de; Perez, Gilberto; Simões, Alessandra Lourenço

doi:10.1108/RAUSP-02-2021-0022

Acessibilidade / Reportar erro

Brasil

Español English

sumário « anterior atual seguinte »

Sumário

Research Paper • RAUSP 57 (1) • Jan-Mar 2022 • https://doi.org/10.1108/RAUSP-02-2021-0022 copy

Antecedent factors of violation of information security rules

Authorship SCIMAGO INSTITUTIONS RANKINGS

Abstract

Purpose

This paper aims to investigate the influence of moral disengagement, perceived penalty, negative experiences and turnover intention on the intention to violate the established security rules.

Design/methodology/approach

The method used involves two stages of analysis, using techniques of structural equation modeling and artificial intelligence with neural networks, based on information collected from 318 workers of organizational information systems.

Findings

The model provides a reasonable prediction regarding the intention to violate information security policies (ISP). The results revealed that the relationships of moral disengagement and perceived penalty significantly influence such an intention.

Research limitations/implications

This research presents a multi-analytical approach that expands the robustness of the results by the complementarity of each analysis technique. In addition, it offers scientific evidence of the factors that reinforce the cognitive processes that involve workers’ decision-making in security breaches.

Practical implications

The practical recommendation is to improve organizational communication to mitigate information security vulnerabilities in several ways, namely, training actions that simulate daily work routines; exposing the consequences of policy violations; disseminating internal newsletters with examples of inappropriate behavior.

Social implications

Results indicate that information security does not depend on the employees’ commitment to the organization; system vulnerabilities can be explored even by employees committed to the companies.

Originality/value

The study expands the knowledge about the individual factors that make information security in companies vulnerable, one of the few in the literature which aims to offer an in-depth perspective on which individual antecedent factors affect the violation of ISP.

Keywords
Security; Technology; Violation of information security; Moral disengagement; Information; Structural equation modeling; Neural networks

Constructs	MD	PP	TI	PI	INT
MD	0.921
PP	−0.363	0.867
TI	0.081	−0.117	0.943
PI	−0.124	0.107	−0.008	0.767
INT	0.545	−0.529	0.164	−0.073	0.965
Composite reliability	0.944	0.924	0.960	0.736	0.964
AVE	0.849	0.751	0.889	0.588	0.931
R ²	–	–	–	–	0.431

Path	Sample mean	SD	t statistics	p values
PI → INT	−0.002	0.048	0.367	0.714
TI → INT	0.090	0.047	1.856	0.063
MD → INT	0.404	0.051	7.962	0.000
PP → INT	−0.372	0.052	7.109	0.000

Neural network	Nodes		Training		Test
Neural network	Layer 1	Layer 2	n	RMSE	n	RMSE
1	1	3	281	0.18	37	0.22
2	2	3	288	0.20	30	0.14
3	3	3	288	0.19	30	0.17
4	4	3	283	0.19	35	0.19
5	5	3	277	0.19	41	0.16
6	6	3	287	0.21	31	0.19
7	7	3	278	0.21	40	0.17
8	8	3	287	0.19	31	0.17
9	9	3	280	0.18	38	0.20
10	10	3	222	0.17	64	0.22
Mean				0.19		0.18
SD				0.01		0.03

Neural network	Nodes		Normalized importance (%)
Neural network	Layer 1	Layer 2	MD	PP	TI	R² (%)
1	1	3	100.00	94.80	9.20	43.00
2	2	3	100.00	97.10	33.50	36.00
3	3	3	100.00	83.30	13.40	42.00
4	4	3	100.00	95.30	16.90	43.00
5	5	3	100.00	93.40	13.90	43.00
6	6	3	93.00	100.00	6.30	32.00
7	7	3	100.00	99.40	33.50	31.00
8	8	3	100.00	91.30	14.90	44.00
9	9	3	100.00	85.60	19.20	44.00
10	10	3	100.00	86.30	18.60	42.00
Mean			99.30	92.65	17.94	40.00
SD			2.21	5.88	9.10	5.03

Construct	Item
Intention to violate information security policies	How likely is it that you would have done the same as Jim in that situation?
Intention to violate information security policies	I could see myself sharing the password as Jim did
Perceived penalty	What is the likelihood that Jim would be formally punished?
	Jim would be reprimanded at some point for sharing the password
	Jim would receive harsh sanctions for sharing the password
	If punished, Jim’s punishment would be immediate
Turnover intention	I think about leaving the company where I work
	I plan to leave the company where I work
	I want to leave the company where I work
Moral disengagement	Sharing a password really would not hurt the organization
	Giving a password to a coworker if he/she needs it does not really do any harm
	It is okay to share a password because no direct damage is done to the company
Privacy invasion	I have already been a victim of the invasion of the privacy of my personal data
	Recently, I have heard or read, about the misuse of personal data
	I see news of data leaks from companies
Common method bias	I like outside activities better than inside activities (r = 0.08^NS)
	I like to meet my friends at a restaurant more than at home (r = 0.01^NS)
	I exercise every day (r = −0.07^NS)
	Jim is an employee in your organization. One day while Jim is out of the office on
Information security policies	A sick day, one of his coworkers needs a file on Jim’s computer. The coworker is of
Violation scenario	equal rank and performs job functions similar to Jim’s. The coworker calls Jim and
	asks for the password. Although Jim knows that your organization has a policy that
(Vignette)	passwords must not be shared, he shares his password with the coworker

Universidade de São Paulo Avenida Professor Luciano Gualberto, 908, sala F184, CEP: 05508-900, São Paulo , SP - Brasil, Telefone: (11) 3818-4002 - São Paulo - SP - Brazil
E-mail: rausp@usp.br

Acompanhe os números deste periódico no seu leitor de RSS

[1] *Corresponding author Alexandre Cappellozza can be contacted at: alexandre.cappellozza@mackenzie.br