Yan Chen, Florida International University, yachen@fiu.edu (2021)

Recommended Citation: Li, Han; Luo, Xin (Robert); and Chen, Yan (2021). "Understanding Information Security Policy Violation from a Situational Action Perspective," Journal of the Association for Information Systems, 22(3), 739-772. DOI: 10.17705/1jais.00678. Available at: https://aisel.aisnet.org/jais/vol22/iss3/5
Journal of the Association for Information Systems (2021) 22(3), 739-772
doi: 10.17705/1jais.00678
RESEARCH ARTICLE
ISSN 1536-9323
Abstract
Patrick Y. K. Chau was the accepting senior editor. This research article was submitted on April 26, 2019 and
underwent three revisions.
1 Introduction

Data protection has become increasingly challenging for organizations because of rising regulatory obligations and the complexities involved in protecting data (Luo et al., 2020). A 2016 survey reported that 76% of information risk executives believe it is harder or significantly harder to prevent data breaches than it was in the past (CEB, 2016). Insiders have long contributed to the challenge of achieving information systems security in organizations (van Zadelhoff, 2016), evidenced by the many security incidents and data breaches originating with insiders' intentional or unintentional actions (malicious or nonmalicious) (Privacyrights, 2018). According to recent surveys, 28% of data breaches and security incidents involved insiders (Verizon), and 90% of organizations reported being concerned about security risks from both malicious and nonmalicious insiders (CA Technology, 2018). To combat and deter insider threats, organizations have implemented information security policies (ISPs) that delineate rules and guidelines for appropriate security behaviors and consequences of ISP violation. However, despite the pervasive deployment of ISPs, insider threats remain prevalent in organizations.
ISP Violations from a Situational Action Perspective
One potential reason for ISP ineffectiveness suggested by security practitioners is that employees' compliance is situational (Pritz, 2019). Employees often face value contradictions caused by siloed work environments, frictions, and turf wars between security, IT, and functional units in their daily practice, and may need to make difficult decisions regarding ISP compliance. A 2017 survey reported that 72% of employees admit that they would be willing to violate an ISP to share sensitive, confidential company data under certain circumstances (Dell, 2017). Situational compliance is a serious issue in security practice that warrants further research investigation.

A number of IS studies have investigated the antecedents and consequences of insider ISP violation (Barlow et al., 2018, Bulgurcu et al., 2010, D'Arcy et al., 2009, Herath & Rao, 2009a, Lowry et al., 2015a, Moody et al., 2018, Pahnila et al., 2007). Collectively, these insightful studies lay a solid foundation for understanding insider threats; however, contradictory findings and existing research gaps demonstrate the need to further explore the issue of ISP compliance. Specifically, we seek to address two unresolved contradictions identified in two recent meta-analysis studies (Cram et al., 2019, Moody et al., 2018). One contradiction involves the role of moral consideration, which, while not included in Moody et al.'s (2018) unified model of security policy compliance, is a key predictor of ISP compliance in many other studies (see Cram et al. 2019 and Appendix A). The other contradiction relates to the mixed findings about the effect of deterrence on ISP compliance (see Appendix A for details). We suspect that these conflicting findings regarding the role of moral consideration and the effect of deterrence are likely attributable to differences across violation situations.

Criminology defines a situation as "the particulars of a social setting" in which the action taker is involved (Wikström & Svensson, 2010, p. 396). In this study, we specifically refer to the situation as the particular setting in which an employee makes a policy violation decision. Prior studies in criminology suggest that conditions may vary across violation types and violation situations (Wikström, 2009, Wikström and Svensson, 2010). Organization literature also suggests that the effectiveness of internal rules "depends upon both the situation being studied and the types of rules that are the focus of concern" (Tyler et al., 2007, p. 467).

Despite recognizing the importance of violation situations in criminology literature, the extant IS literature largely relies on "static, invariant explanations" of ISP compliance behaviors and assumes that such behaviors are invariant across situations (Karjalainen et al., 2019, p. 688). Under this assumption, prior IS research has studied ISP violation primarily at a high level of abstraction by simply defining the concept of ISP that pertains to no specific security rules and procedures (Chen et al., 2015, D'Arcy and Greene, 2014, Posey et al., 2015, Siponen et al., 2010). As a result, explanations/predictors for complying with one policy (e.g., password policy compliance) are the same as those for complying with another policy (e.g., internet use policy compliance) (see the literature summary in Appendix A for details). Such an invariant and situationless approach may limit the practical applicability of research findings for organizations facing specific compliance/noncompliance issues regarding a specific policy. This type of approach may also hinder theory contextualization endeavors to identify boundary conditions, thus potentially giving rise to conflicting findings in the ISP compliance literature (Karjalainen et al., 2019).

Motivated by these issues, we investigate the context of insider threats concerning a specific ISP vis-à-vis a specific violation situation. We postulate that individual employees form ISP violation intentions based on how they perceive a violation situation and the consequences of their actions in that situation. We follow the theory contextualization guidelines offered by Hong et al. (2014) to further develop a situational action theory (SAT) for different violation situations. More specifically, our model is built upon the fundamental tenets of SAT, adapted to the current research context: (1) acts of ISP violation are moral actions that depend on the moral judgment of a violation situation, (2) controls (self-control and external control) impact acts of ISP violation, (3) morality interacts with controls and influences acts of ISP violation, and (4) acts of ISP violation represent outcomes of the situational convergence of individuals and environments (Wikström, 2006, Wikström & Svensson, 2010). Additionally, as an extension to SAT, this study also examines the antecedents of moral judgment in the model.

This study makes significant contributions to the literature related to employee violation of ISPs. We make an initial attempt to contextualize SAT to study ISP violation, thus helping to develop a situation-based understanding of the effect of moral judgment, deterrence, and self-control on ISP violation in different situations. Our study resonates with the recent research call for IS research that is more context specific, particularly in terms of studies that investigate variant explanations across different situations (Hong et al., 2014, Karjalainen et al., 2019). To the best of our knowledge, this study is the first to investigate the situational morality and violation circumstance (i.e., harmfulness) of ISP violation. Our study thus enhances the understanding of the inconsistent effect of deterrence and highlights differences in moral consideration by demonstrating that these things are contingent upon specific violation situations. Moreover, our study has practical implications for organizations regarding the design and deployment of situation-based security awareness and ethics training programs intended to more effectively deal with different violation situations.
Table 1: Summary of Theory Contextualization per the Guidelines by Hong et al. (2014)

Columns: Step; Mapping guidelines (Hong et al., 2014); Outcomes of each step; Adaption of SAT

Step 1
Guidelines 1&2: Identify a general theory and use it as the basis to guide the theory contextualization.
Outcome: Selected SAT as the general theory to examine ISP violations because SAT aims to explain moral actions and crimes.
Adaption of SAT: (none listed)

Step 2
Guideline 3: Thorough evaluation of the context to identify context-specific factors and salient individual factors that are relevant to the context.
Outcome: Identified 1) four context-specific factors, i.e., personal moral beliefs, perceived sanction certainty, perceived sanction severity, and perceived harmfulness, and 2) two salient individual difference factors relevant to the moral context of ISP violations, i.e., self-control and cognitive moral development.
Adaption of SAT: Perceived harmfulness and cognitive moral development were identified as the additional factors beyond the core constructs of SAT.

Step 3
Guideline 4: Modeling context-specific factors.
Outcome: Modeled perceived harmfulness and cognitive moral development as the direct antecedents of the core constructs of SAT.
Adaption of SAT: Extended SAT with two context-specific antecedents.

Step 4
Guideline 5: Examination of the interplay between the IT artifact and other factors.
Outcome: Modeled personal moral beliefs as a moderator that conditions the effect of self-control and deterrence on ISP violations.
Adaption of SAT: (none listed)

Step 5
Guideline 6: Examinations of alternative context-specific models.
Outcome: Tested alternative models and found a direct impact of perceived harmfulness and cognitive moral development in the scenario of personal internet use at work.
Adaption of SAT: Enriched SAT with additional direct predictors of moral actions.
This study attempts to fill this research gap by investigating how the evaluation of the harmfulness of a specific deviant act impacts moral beliefs or ethical judgment about the act. Inflicting harm on others is a core concern among all moral norms (Rosas, 2013). Therefore, in this study, we expect perceived harmfulness to play a vital role in shaping moral beliefs, while its effect may vary depending on the situation.

3 Research Model

The research model is shown in Figure 1. In line with SAT (Wikström 2006), we postulate that personal moral beliefs on rule breaking along with self-control and deterrence are the three major forces influencing employee intention to violate organizational ISPs. The effects of self-control and deterrence are contingent on the level of moral beliefs. The model also suggests that moral beliefs are shaped by both the perception of situational harmfulness and one's general level of cognitive moral development.

3.1 Self-Control

According to Gottfredson and Hirschi (1990), people differ in their levels of self-control. Those who lack self-control are more likely to commit deviant acts; low self-control is even sometimes defined as an individual's propensity to commit deviant acts (Gottfredson & Hirschi, 1990). Gottfredson and Hirschi identify six descriptive elements of low self-control: impulsivity or the tendency to seek immediate gratification, a preference for thrilling or risk-seeking behaviors, simple task orientation, a preference for physical rather than mental activities, self-centeredness, and a quick temper (Gottfredson & Hirschi, 1990, Grasmick et al., 1993). There is substantial empirical support implicating low self-control as the direct or indirect cause of deviant behaviors in a variety of social and organizational settings (Higgins et al., 2006, Hu et al., 2011, Nagin & Paternoster, 1993, Wright, 2004). Pratt and Cullen (2000) conducted a meta-analysis providing consistent support for low self-control as a direct predictor of crimes and other deviant acts such as drug use and speeding. Hu et al. (2015) offer neurological evidence that those with low self-control have lower levels of neural recruitment compared to those with high self-control when making decisions related to ISP violation. Higgins et al. (2006) find that low self-control exerts both a direct and indirect influence on college students' intention to perform software piracy.

SAT postulates that the ability to exercise self-control determines whether or not an individual will act on desires or impulsivity and carry out a rule-breaking alternative when exposed to a conducive situation (Wikström, 2009). In terms of ISP violation, we thus predict that employees with high levels of self-control are more likely to overcome the temptation of gaining personal benefits by violating ISPs. Likewise, we argue that employees with low levels of self-control are more likely to violate ISPs. Therefore, we hypothesize:

H1: High levels of self-control are negatively associated with employees' ISP violation intentions.
(2004). Perceived harmfulness consisted of two items by Rosenmerkel (2001). Cognitive moral development was measured using the social reflection measure developed by Gibbs et al. (1992). All these instruments were operationalized as reflective constructs using 7-point scales. The detailed measures for each construct are available in Appendix B.

4.2 Study Design, Procedure, and Participants

We relied on the scenario-based approach to test the situational effect of our research model following the typical practice in criminology and IS security studies. In criminology literature, the scenario-based approach is considered more reliable for studying illicit activities than self-reported measures directly asking whether the subjects have committed certain crimes. The IS security literature suggests that the scenario approach is useful for studying ISP violations for three main reasons. First, as prior research has pointed out, "scenarios can enhance the realism of decision-making situations by providing contextual detail while simultaneously ensuring the uniformity of these details across respondents" (Vance et al., 2015, p. 353). Second, individuals are more likely to honestly express their intentions concerning hypothetical scenarios; thus, the scenario-based approach can help overcome the difficulty of employees being unwilling to admit their actual deviant behaviors (D'Arcy et al., 2014, Hu et al., 2011, Johnston et al., 2015, Vance et al., 2015). Third, because of secrecy related to deviant behaviors, organizations may not have data that can truly capture employees' ISP violations. Even if organizations have collected such data, they may not be willing to share the data with researchers because of concerns about legal liability or organizational reputation. For these reasons, the scenario-based approach is increasingly used in ISP compliance/violation research (see Appendices A and C).

Extant ISP compliance research suggests that researchers should review the literature and industrial practice to design relevant and realistic scenarios (see Appendix C for details) that describe common phenomena so that respondents can see themselves facing similar situations when making compliance decisions. Scenarios are not meant to be exhaustive but illustrative, focusing on the key factors of research interest. Thus, as shown in Appendix C, scenarios of extant studies vary in two to four key factors specific to the topic of study.

Following these literature suggestions, we designed three fictitious scenarios involving ISP violations, including sharing a password to help a colleague for work purposes, personal internet use at work to alleviate boredom, and selling confidential consumer data for personal financial benefit (D'Arcy et al., 2014, Johnston et al., 2016, Johnston et al., 2015, Myyry et al., 2009, Siponen and Vance, 2010). Each scenario depicts a situation consisting of a specific ISP and a specific compliance-decision situation that is often faced by employees (Guo & Yuan, 2012). More specifically, our scenarios vary in key factors, such as harmfulness, malicious/nonmalicious/altruistic intent, and moral gravity, and thus differ in decision complexity. For example, the complexity of the scenario of selling confidential consumer data for personal financial benefit is lowest among the three scenarios because employees tend to have a consistent view on the immorality, malicious intent, and harmfulness of such an act. The decision complexity for the other two scenarios is relatively high because of the inherent moral contradictions (e.g., helping people versus violating a policy) and opinion differences related to the scenarios (e.g., employees may have different views on harms inflicted by sharing passwords with colleagues, compared to the importance of maintaining workplace relationships). Table 2 shows the details of the three scenarios.

Three question blocks are used as containers for scenario-specific questions with one block for each scenario. Each subject was assigned all three blocks but in random order, meaning that each subject answered scenario-specific questions related to all three scenarios. The scenario-specific questions included aspects related to scenario realism, personal moral beliefs, sanction certainty, sanction severity, perceived harmfulness, and intention to violate the ISP. After going through these scenario-specific questions, subjects then answered questions that measured individual differences in self-control and cognitive moral development as well as questions on their demographic profile.

The research model was tested using data collected from subjects on an industrial panel operated by Qualtrics.com. The Qualtrics panelists were from many different organizations and industries, were randomly contacted by Qualtrics to participate in this study, and remained anonymous to the researchers. Qualtrics relies on sophisticated digital fingerprinting technology to ensure that no two responses are from the same subject.

We collected a total of 265 usable responses. As shown in Table 3, the subjects work in different roles including managers, professionals (IT/business), and administrative staff. 37.3% of the survey respondents were male and 62.6% were female. Their average age was in the range of 35-44, and the majority of them reported more than 5 years of internet use. The distribution of the firm size showed a good spread of small, medium, and large firms.
We also checked and analyzed the realism of the three scenarios. The percent of subjects who somewhat disagreed to strongly disagreed that the scenario was realistic was 21%, 12%, and 40% for the sharing passwords, personal internet use at work, and selling confidential data scenarios, respectively. Thus, a majority of the subjects did accept the realism of the three scenarios.

5 Data Analysis

We used partial least squares (PLS), a component-based structural equation modeling (SEM) approach, to test the model. Specifically, SmartPLS was used to analyze the reliability and validity of our measurement model and test the research hypotheses. Since our research model consists of interaction terms, PLS is particularly suitable for our study for two reasons: (1) PLS is more amenable for handling complex research models than covariance-based SEM techniques, and (2) PLS does not assume a multivariate normal distribution and interval scale.

5.1 Measurement Model

Before testing the research hypotheses, we first evaluated the measurement quality of all scales based on the convergent validity, reliability, and discriminant validity of each of the three situation-specific models (based on the three scenarios). Convergent validity is established if items load significantly on their corresponding latent constructs and have loadings of 0.6 or higher (Gefen & Straub, 2005). To ensure the measurement quality of each model, we dropped items with loadings below 0.6 specific to each model. All remaining items were found to have significant loadings. Table 4 shows the loadings and cross-loadings of the remaining items. The following analysis is based on the remaining items shown in Table 4.

Reliability was assessed using composite reliability (CR) and average variance extracted (AVE). All scales are reliable, as their CR values are above the 0.7 threshold and AVE values are above the 0.5 threshold recommended by Bagozzi et al. (1988).
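The measurement-quality checks just described can be reproduced from the reported loadings. The following Python block is an added example and is not part of the paper or its SmartPLS analysis: it applies the three rules from this subsection (retain items with standardized loadings of 0.6 or higher, compute CR and AVE from the retained loadings, and compare them with the 0.7 and 0.5 thresholds) to the own-construct loadings copied from Table 4a. The page does not spell out the CR and AVE formulas; the block uses the standard ones, CR = (Σλ)² / ((Σλ)² + Σ(1 − λ²)) and AVE = Σλ² / n, and the `X1`..`X3` sanity input in the usage note is constructed.

```python
"""Convergent validity and reliability checks for reflective constructs.

Added example (not the paper's own code). Implements the rules given in
Section 5.1: keep items with standardized loadings >= 0.6, compute
composite reliability (CR) and average variance extracted (AVE) from the
retained loadings, and compare them with the 0.7 / 0.5 thresholds.
"""
from typing import Dict, List

# Own-construct standardized loadings copied from Table 4a
# (sharing passwords scenario); cross-loadings are not needed here.
TABLE_4A_LOADINGS: Dict[str, Dict[str, float]] = {
    "INT": {"INT1": 0.97, "INT2": 0.97},
    "MB":  {"MB1": 0.91, "MB2": 0.90},
    "HM":  {"HM1": 0.96, "HM2": 0.96},
    "CTT": {"CTT1": 0.96, "CTT2": 0.97},
    "SVR": {"SVR1": 0.98, "SVR2": 0.98},
    "SC":  {"SC1": 0.77, "SC2": 0.67, "SC3": 0.68,
            "SC4": 0.76, "SC5": 0.79, "SC8": 0.63},
    "CMD": {"CMD1": 0.75, "CMD3": 0.84, "CMD4": 0.85, "CMD5": 0.79,
            "CMD6": 0.78, "CMD7": 0.72, "CMD9": 0.74, "CMD10": 0.78,
            "CMD11": 0.65},
}

LOADING_CUTOFF = 0.6   # convergent validity (Gefen & Straub, 2005)
CR_CUTOFF = 0.7        # reliability thresholds (Bagozzi et al., 1988)
AVE_CUTOFF = 0.5


def retain_items(loadings: Dict[str, float],
                 cutoff: float = LOADING_CUTOFF) -> Dict[str, float]:
    """Drop items whose own-construct loading is below the cutoff."""
    return {item: lam for item, lam in loadings.items() if lam >= cutoff}


def composite_reliability(loadings: List[float]) -> float:
    """CR = (sum lambda)^2 / ((sum lambda)^2 + sum(1 - lambda^2))."""
    s = sum(loadings)
    error = sum(1.0 - lam * lam for lam in loadings)
    return s * s / (s * s + error)


def average_variance_extracted(loadings: List[float]) -> float:
    """AVE = mean squared loading of the retained items."""
    return sum(lam * lam for lam in loadings) / len(loadings)


def assess_construct(name: str, loadings: Dict[str, float]) -> dict:
    """Apply the item cutoff, then the CR and AVE thresholds, to one scale."""
    kept = retain_items(loadings)
    dropped = sorted(set(loadings) - set(kept))
    if not kept:  # every item failed the loading cutoff
        return {"construct": name, "dropped": dropped,
                "cr": 0.0, "ave": 0.0, "reliable": False}
    vals = list(kept.values())
    cr = composite_reliability(vals)
    ave = average_variance_extracted(vals)
    return {"construct": name, "dropped": dropped,
            "cr": round(cr, 2), "ave": round(ave, 2),
            "reliable": cr >= CR_CUTOFF and ave >= AVE_CUTOFF}


def assess_model(model: Dict[str, Dict[str, float]]) -> List[dict]:
    """Run the checks for every construct of one scenario-specific model."""
    return [assess_construct(name, items) for name, items in model.items()]


if __name__ == "__main__":
    for row in assess_model(TABLE_4A_LOADINGS):
        print(row)
```

Recomputing from the two-decimal loadings reproduces the CR and AVE values printed in Table 4a for SC (0.86 and 0.52) and the CR for every other construct; the AVEs of the two-item scales differ by about 0.01 because the published loadings are rounded. Feeding a constructed scale such as `{"X1": 0.9, "X2": 0.45, "X3": 0.8}` to `assess_construct` reports `X2` as dropped and evaluates CR and AVE on the remaining two items, which is the per-model pruning step the text describes.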
Table 4a: Loadings, Composite Reliability (CR) and Average Variance Extracted (AVE) of Measurement Instruments in the Sharing Passwords Scenario.

Loadings/cross-loadings (columns 1-7 correspond to constructs 1-7 below)
Item 1 2 3 4 5 6 7

1. INT (CR = 0.97, AVE = 0.95)
INT1 0.97 -0.78 -0.56 -0.41 -0.47 -0.37 -0.22
INT2 0.97 -0.75 -0.53 -0.36 -0.41 -0.39 -0.20

2. MB (CR = 0.90, AVE = 0.81)
MB1 -0.82 0.91 0.60 0.33 0.45 0.34 0.17
MB2 -0.60 0.90 0.40 0.21 0.37 0.28 0.22

3. HM (CR = 0.96, AVE = 0.93)
HM1 -0.56 0.57 0.96 0.43 0.54 0.18 0.12
HM2 -0.52 0.50 0.96 0.46 0.54 0.14 0.12

4. CTT (CR = 0.96, AVE = 0.93)
CTT1 -0.37 0.29 0.45 0.96 0.69 0.05 0.10
CTT2 -0.39 0.29 0.44 0.97 0.65 0.10 0.09

5. SVR (CR = 0.98, AVE = 0.96)
SVR1 -0.44 0.46 0.54 0.68 0.98 0.08 0.14
SVR2 -0.44 0.43 0.55 0.68 0.98 0.06 0.12

6. SC (CR = 0.86, AVE = 0.52)
SC1 -0.26 0.25 0.10 0.05 0.07 0.77 0.19
SC2 -0.21 0.18 0.04 -0.03 -0.05 0.67 0.25
SC3 -0.32 0.27 0.07 -0.02 -0.02 0.68 0.36
SC4 -0.28 0.26 0.19 0.08 0.07 0.76 0.24
SC5 -0.36 0.30 0.21 0.08 0.08 0.79 0.33
SC8 -0.24 0.21 0.11 0.18 0.15 0.63 0.17

7. CMD (CR = 0.93, AVE = 0.58)
CMD1 -0.15 0.11 0.09 0.05 0.05 0.30 0.75
CMD3 -0.13 0.11 0.02 0.03 0.03 0.30 0.84
CMD4 -0.21 0.20 0.13 0.15 0.17 0.29 0.85
CMD5 -0.11 0.12 0.07 0.09 0.14 0.20 0.79
CMD6 -0.11 0.13 0.02 0.01 0.02 0.24 0.78
CMD7 -0.15 0.22 0.12 0.09 0.12 0.22 0.72
CMD9 -0.17 0.18 0.10 0.03 0.03 0.32 0.74
CMD10 -0.26 0.23 0.19 0.13 0.17 0.39 0.78
CMD11 -0.22 0.20 0.16 0.10 0.16 0.21 0.65
Note: INT = violation intention; MB = personal moral beliefs; HM = perceived harmfulness; CTT = perceived sanction certainty; SVR =
perceived sanction severity; SC = self-control; CMD = cognitive moral development.
Table 4b: Loadings, Composite Reliability (CR) and Average Variance Extracted (AVE) of Measurement Instruments in the Personal Internet Use at Work Scenario.

Loadings/cross-loadings (columns 1-7 correspond to constructs 1-7 below)
Item 1 2 3 4 5 6 7

1. INT (CR = 0.99, AVE = 0.97)
INT1 0.99 -0.73 -0.56 -0.32 -0.39 -0.30 -0.23
INT2 0.99 -0.75 -0.57 -0.32 -0.40 -0.29 -0.24

2. MB (CR = 0.88, AVE = 0.78)
MB1 -0.78 0.90 0.58 0.38 0.41 0.25 0.23
MB2 -0.55 0.88 0.44 0.25 0.41 0.13 0.10

3. HM (CR = 0.98, AVE = 0.97)
HM1 -0.58 0.58 0.98 0.50 0.59 0.05 0.09
HM2 -0.55 0.56 0.98 0.50 0.59 0.04 0.08

4. CTT (CR = 0.95, AVE = 0.91)
CTT1 -0.31 0.35 0.50 0.95 0.67 0.01 0.11
CTT2 -0.32 0.33 0.47 0.96 0.60 0.03 0.09

5. SVR (CR = 0.98, AVE = 0.95)
SVR1 -0.40 0.47 0.58 0.64 0.98 0.01 0.00
SVR2 -0.39 0.43 0.58 0.66 0.98 -0.01 0.00

6. SC (CR = 0.87, AVE = 0.53)
SC1 -0.19 0.10 -0.08 -0.07 -0.10 0.72 0.19
SC4 -0.25 0.18 0.04 0.00 -0.02 0.77 0.24
SC5 -0.24 0.17 0.02 -0.04 -0.08 0.80 0.32
SC7 -0.23 0.19 0.15 0.15 0.14 0.64 0.11
Table 4c: Loadings, Composite Reliability (CR) and Average Variance Extracted (AVE) of Measurement Instruments in the Selling Confidential Data Scenario.

Loadings/cross-loadings (columns 1-7 correspond to constructs 1-7 below)
Item 1 2 3 4 5 6 7

1. INT (CR = 0.99, AVE = 0.97)
INT1 0.99 -0.73 -0.36 -0.08 -0.40 -0.46 -0.33
INT2 0.99 -0.71 -0.41 -0.12 -0.40 -0.46 -0.38

2. MB (CR = 0.88, AVE = 0.78)
MB1 -0.73 0.90 0.30 0.08 0.34 0.36 0.32
MB2 -0.56 0.88 0.20 -0.03 0.23 0.39 0.30

3. HM (CR = 0.98, AVE = 0.97)
HM1 -0.34 0.25 0.95 0.16 0.37 0.25 0.27
HM2 -0.40 0.30 0.95 0.23 0.42 0.27 0.33

4. CTT (CR = 0.95, AVE = 0.91)
CTT1 -0.07 0.03 0.18 0.96 0.43 0.10 0.20
CTT2 -0.12 0.03 0.21 0.96 0.47 0.17 0.23

5. SVR (CR = 0.98, AVE = 0.95)
SVR1 -0.38 0.30 0.40 0.45 0.96 0.25 0.43
SVR2 -0.40 0.32 0.41 0.45 0.96 0.25 0.43

6. SC (CR = 0.87, AVE = 0.53)
SC1 -0.29 0.33 0.17 0.10 0.15 0.77 0.19
SC2 -0.32 0.25 0.17 0.04 0.16 0.69 0.25
SC3 -0.44 0.34 0.22 0.11 0.25 0.69 0.36
SC4 -0.29 0.30 0.21 0.10 0.17 0.75 0.24
SC5 -0.41 0.34 0.22 0.13 0.20 0.78 0.32
SC8 -0.26 0.23 0.18 0.14 0.20 0.63 0.17

7. CMD (CR = 0.93, AVE = 0.56)
CMD1 -0.28 0.34 0.24 0.10 0.33 0.30 0.77
CMD2 -0.15 0.17 0.19 0.10 0.22 0.18 0.64
CMD3 -0.34 0.30 0.30 0.13 0.37 0.30 0.85
CMD4 -0.29 0.29 0.21 0.24 0.37 0.29 0.85
CMD5 -0.19 0.15 0.18 0.20 0.35 0.20 0.78
CMD6 -0.33 0.31 0.24 0.11 0.40 0.24 0.78
CMD7 -0.24 0.26 0.23 0.12 0.29 0.22 0.72
CMD9 -0.33 0.33 0.33 0.19 0.37 0.32 0.74
CMD10 -0.30 0.26 0.25 0.28 0.32 0.39 0.76
CMD11 -0.24 0.21 0.19 0.22 0.31 0.21 0.62
[Figure (path diagrams; image not recoverable): two panels of PLS results showing completely standardized path estimates from Self-Control, Cognitive Moral Development, Harmfulness, Sanction Certainty, and Sanction Severity to Moral Belief and Violation Intention. Panel 1: Violation Intention R2 = 63%, Moral Belief R2 = 37%. Panel 2: Violation Intention R2 = 67%, Moral Belief R2 = 17%. Control variables: Age, Gender, Prior Violation.]

Note: Completely standardized estimates; controlled for covariates in the research models; insignificant interactions were not dropped; *p < 0.05, **p < 0.01, ***p < 0.001.
Figure 3. The Moderation Effect of Moral Beliefs on the Relationships between the Two Types of Controls and Violation Intention (image not recoverable)
Regarding a more serious violation (i.e., selling confidential data), sanction severity was the primary source of deterrence; even if the chances of being caught doing this act are low, the potential punishment would be severe. The effects of both sanction severity and sanction certainty were negligible in the personal internet use at work scenario; even if they do get caught, employees likely do not expect significant sanctions in response to this very common workplace behavior. In sum, the findings related to the situational effect of deterrence in this study address a recent call for research exploring the complexity of deterrence that evidences its situational influence in organizational rule violations and crimes (Willison, Lowry et al., 2018).

Our results confirm that there are situational differences in the moderating role of moral beliefs. In particular, moral beliefs partially moderate the impact of formal sanctions on violation intention only in the sharing passwords and selling confidential data scenarios, while the moderating effect on the link between self-control and violation intention is significant only in the selling confidential data scenario. Our findings along with the illustration in Figure 3 support consistent interaction patterns such that control mechanisms influence employees' violation decisions only when they have relatively weak moral beliefs against a severe deviant act (i.e., selling confidential data) or a deviant act triggering contradictory beliefs (i.e., sharing passwords to help a colleague versus violating an ISP). Conversely, under the influence of strong moral beliefs, employees are more likely to voluntarily follow ISPs and are less likely to be influenced by self-control and external deterrence.

Furthermore, our results support our extension of SAT with two contextual antecedents: cognitive moral development and perceived harmfulness. The results show that while both cognitive moral development and perceived harmfulness help increase moral beliefs against deviant acts, there are situational differences in their effects. In the sharing passwords and personal internet use at work scenarios, perceived harmfulness plays a far more important role in shaping moral beliefs than moral development. However, in the selling confidential data scenario, moral development had a stronger impact on moral beliefs than perceived harmfulness. One possible explanation may be the extent of conflicting views among employees on the potential harm of a certain deviant act. Sharing passwords to help someone at work or surfing the internet at work to refresh the mind may not be perceived by all employees as potentially harmful acts or serious security threats. Thus, whether employees perceive the act to be harmful is likely to be a primary driver for shaping different levels of moral beliefs. On the other hand, for serious e-crimes with malicious intent, employees tend to have a uniform view regarding the extent of harmfulness; thus, their moral beliefs are more dependent on their cognitive moral development. Overall, these findings show that increasing the harmfulness perception is a key to deterring less serious deviant behaviors, while fostering employees' moral development is necessary to combat more severe deviant acts.

Additionally, following the sixth guideline of theory contextualization by Hong et al. (2014), we tested an alternative model, which included two additional direct links from perceived harmfulness and cognitive moral development to ISP violation intentions. We found that the two direct paths are significant (p-value < 0.05) in the scenario of personal internet use at work but not in the other scenarios. Therefore, the effects of perceived harmfulness and cognitive moral development are fully mediated in the scenarios of sharing a password with a colleague and selling confidential firm data but are partially mediated for the scenario of personal internet use at work. The differences in these two direct paths across the three scenarios suggest that their effects are situational and conditional upon contextual factors such as the type of deviant act.

To gain a more detailed understanding of ISP violation in different scenarios, we conducted multigroup analysis (MGA) using the PLS-MGA method proposed by Henseler et al. (2009), which is a non-parametric test that can give a conservative estimate of group differences. The path coefficients were compared between a pair of scenarios using 5,000 bootstrapping samples. As reported in Appendix D, we found that the negative impact of perceived sanction probability on violation intention in the sharing passwords scenario is significantly stronger than that in the other two scenarios. This finding is in line with our earlier argument that deterrence likely plays a stronger role in deviant acts performed with an altruistic purpose.

With respect to the impact of moral beliefs on violation intention, it is significantly stronger in the sharing passwords scenario than in the selling confidential data scenario. Therefore, despite the dominant role of moral beliefs in all three scenarios, its impact is particularly salient for deviant acts with an altruistic purpose and relatively weaker in situations involving more serious crimes such as selling corporate confidential data. This indicates that when facing a situation with a stronger moral conflict (i.e., helping a colleague versus violating the ISP), moral beliefs play a stronger role in determining ISP violation behavior. Cognitive moral development was also found to have significant group differences. In particular, it has a much stronger impact in the selling confidential data scenario than in the other two scenarios. Therefore, cognitive moral development appears to play a more important role in shaping situational moral beliefs for serious crimes.
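The multigroup comparison used above rests on a simple non-parametric idea that is worth seeing in code. Henseler et al.'s (2009) PLS-MGA re-estimates the coefficient of interest on bootstrap resamples of each scenario group and reports the share of cross-group bootstrap pairs in which one group's estimate exceeds the other's; a share below 0.05 or above 0.95 is read as a significant group difference at the 5% level. The Python block below is an added example and not the paper's own analysis: it assumes an ordinary least squares slope for a single path (sanction certainty to violation intention) in place of a full PLS path estimate, and the two scenario data sets, the sample sizes, the number of resamples and the seed are all constructed here. The first constructed group is given a deliberately stronger negative slope, mirroring the qualitative pattern the text reports for the sharing passwords scenario.

```python
"""Non-parametric multigroup comparison of one path coefficient across two
scenario groups, following the pairwise-bootstrap idea of PLS-MGA
(Henseler et al., 2009). Added example; the OLS slope stands in for a PLS
path estimate and every data point below is constructed.
"""
import random
from bisect import bisect_left
from typing import List, Sequence, Tuple


def ols_slope(x: Sequence[float], y: Sequence[float]) -> float:
    """Ordinary least squares slope of y on x (stand-in for a PLS path)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    sxx = sum((xi - mx) ** 2 for xi in x)
    return sxy / sxx


def bootstrap_slopes(x: Sequence[float], y: Sequence[float],
                     reps: int, rng: random.Random) -> List[float]:
    """Re-estimate the slope on `reps` resamples drawn with replacement."""
    n = len(x)
    slopes = []
    for _ in range(reps):
        idx = [rng.randrange(n) for _ in range(n)]
        slopes.append(ols_slope([x[i] for i in idx], [y[i] for i in idx]))
    return slopes


def share_greater(a: Sequence[float], b: Sequence[float]) -> float:
    """Fraction of cross-group pairs (a_i, b_j) with a_i > b_j.

    Sorting b lets each a_i be counted with one binary search, so the
    5,000 x 5,000 pairs of a real run need not be enumerated one by one.
    """
    b_sorted = sorted(b)
    hits = sum(bisect_left(b_sorted, ai) for ai in a)
    return hits / (len(a) * len(b))


def pls_mga(x1, y1, x2, y2, reps: int = 1000, seed: int = 1) -> dict:
    """Compare the slope of group 1 against group 2 the PLS-MGA way."""
    rng = random.Random(seed)
    boot1 = bootstrap_slopes(x1, y1, reps, rng)
    boot2 = bootstrap_slopes(x2, y2, reps, rng)
    p = share_greater(boot1, boot2)  # P(group-1 estimate > group-2 estimate)
    return {
        "slope_group1": ols_slope(x1, y1),
        "slope_group2": ols_slope(x2, y2),
        "p_group1_greater": p,
        "significant_5pct": p < 0.05 or p > 0.95,
    }


def make_scenario(slope: float, n: int, noise_sd: float,
                  rng: random.Random) -> Tuple[List[float], List[float]]:
    """Constructed 7-point-scale data: x = perceived sanction certainty,
    y = violation intention = 5 + slope * x + noise (hypothetical values)."""
    x = [rng.uniform(1.0, 7.0) for _ in range(n)]
    y = [5.0 + slope * xi + rng.gauss(0.0, noise_sd) for xi in x]
    return x, y


def demo() -> dict:
    """Two constructed groups: a strongly negative certainty effect versus a
    near-zero one, so the group difference should come out significant."""
    rng = random.Random(7)
    x1, y1 = make_scenario(-0.8, 80, 0.5, rng)
    x2, y2 = make_scenario(-0.1, 80, 0.5, rng)
    return pls_mga(x1, y1, x2, y2, reps=1000, seed=1)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the constructed groups, nearly every bootstrap estimate of group 1 lies below every estimate of group 2, so `p_group1_greater` is close to 0 and the difference is flagged as significant; the paper's 5,000 resamples per scenario drop into `reps` unchanged.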
Second, we note that moral beliefs, self-control, and deterrence do not have the same effect on violation intention across the three scenarios. Given the finding that moral beliefs are the dominant driver in all three scenarios, organizations should give top priority to providing ethical training to help guide their employees toward developing appropriate moral beliefs. Such ethical training should be designed to address contradictions in compliance, for instance by targeting situations in which employees' moral beliefs may run contrary to ISP rules. Moreover, our results suggest that cognitive moral development is another important lever that organizations could use to align employee moral reasoning with ISP rules. Since moral development involves a process of long-term progression, employers should screen and select individuals with high levels of morality to fill critical positions related to managing and securing corporate confidential data.

Third, per deterrence theory, formal sanctions are needed both to deter intentional offenders and to inform benign employees about the boundaries of acceptable security behaviors. However, our study found that the effect of deterrence was only partially supported, and only in two scenarios (the sharing passwords and selling confidential data scenarios). In addition, we found that the effect of deterrence was associated with either perceived sanction probability or perceived sanction severity, but not both, depending on the scenario. Our findings suggest that organizations should take employees' sanction expectations regarding different situations into consideration when designing and deploying security policies and the corresponding enforcement schemes. Additionally, practitioners such as SETA training consultants and designers, chief information security officers (CISOs), and information security managers can utilize our model to identify improper expectations regarding compliance with a specific ISP and correct them via situation-based SETA training.

Furthermore, based on our research findings, we suggest some actionable steps that CISOs and information security managers can use to design their SETA training on a specific ISP: (1) categorize violation cases pertaining to the ISP, (2) identify moral conflicts and the source of the conflicts, (3) compare ISP violation cases between situations involving high and low levels of moral conflict, (4) investigate the effect of current controls in the cases, (5) design the SETA training for the ISP based on our research model and the findings from Steps 1-4, and (6) refine the training based on new cases by repeating Steps 1-5.

We would also like to point out some potential limitations of our study. Similar to other cross-sectional survey studies, this study measures exogenous and endogenous variables at the same time, which prevents us from conclusively establishing causality. Future studies could diversify the methodological approach and adopt an experimental design that manipulates the moral reasoning process to verify causality. Another limitation of this study relates to the use of the scenario approach and the limited number of scenarios considered. The intentions reported for our scenarios might not fully reflect employees' actual violation behaviors, and the findings may not extend to other scenarios or situations. Future research could seek to acquire and study data concerning various actual violations. Moreover, our study focuses only on formal sanctions. We did not include sanction celerity as the third dimension of deterrence because of the difficulty of measuring it and its limited contribution to theory (e.g., D'Arcy & Herath, 2011a; Willison, Warkentin, et al., 2018). Nevertheless, the view of deterrence in our study is limited. Future studies could explore the complexity of deterrence (e.g., formal vs. informal, absolute vs. restrictive) and its situational variance in violation decisions (Willison, Lowry, et al., 2018). Finally, in this study we mainly examine three situational factors: self-control, deterrence, and perceived harmfulness. We encourage researchers to explore other situational factors and their interactions.

8 Conclusions

Insider threats from violating ISPs are increasingly prevalent and expose organizations to potentially devastating risks. Prior IS research has studied ISP violation mainly at a high level of abstraction and thus lacks a deeper understanding of employees' ISP violation intentions in particular situations. This study applies the situational perspective and contextualizes situational action theory (SAT) to examine situational moral reasoning, its impact on ISP violation intention, and the process through which control-based mechanisms take effect. The situational perspective offered by SAT enhances the understanding of insider threats and highlights the important role of employee moral beliefs as both a direct driver and a moderator that adjusts the effect of deterrence and self-control on ISP violation intention. The empirical findings of this study could help organizations better design their SETA and ethical training programs by integrating situational elements to improve the alignment between ISPs and employees' moral beliefs. In summary, this study addresses the research gaps we have identified. It confirms that compliance is situational and that contextual factors affect compliance; it proposes and validates a new theoretical model that remedies the reliance of the extant IS literature on "static, invariant explanations" of ISP compliance; it helps address the inconsistent role of morality in the ISP compliance literature; and it offers greater insight into the inconsistent effect of deterrence, especially its effect in different situations. Since the situations and situational factors examined in our study are limited, our study also opens a new avenue of research to further explore ISP compliance.
Goo, J., Yim, M.-S., & Kim, D. J. (2014). A path to successful management of employee security compliance: An empirical study of information security climate. IEEE Transactions on Professional Communication, 57(4), 286-308.

Gottfredson, M. R., & Hirschi, T. (1990). A general theory of crime. Stanford University Press.

Grasmick, H. G., Tittle, C. R., Bursik, R. J., Jr., & Arneklev, B. J. (1993). Testing the core empirical implications of Gottfredson and Hirschi's general theory of crime. Journal of Research in Crime and Delinquency, 30(1), 5-29.

Greenberg, J. (2002). Who stole the money, and when? Individual and situational determinants of employee theft. Organizational Behavior and Human Decision Processes, 89(1), 985-1003.

Guo, K., & Yuan, Y. (2012). The effects of multilevel sanctions on information security violations: A mediating model. Information & Management, 49(6), 320-326.

Guo, K. H., Yuan, Y., Archer, N. P., & Connelly, C. E. (2011). Understanding nonmalicious security violations in the workplace: A composite behavior model. Journal of Management Information Systems, 28(2), 203-236.

Han, J., Kim, Y. J., & Kim, H. (2017). An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective. Computers & Security, 66, 52-65.

Henseler, J., Ringle, C. M., & Sinkovics, R. R. (2009). The use of partial least squares path modeling in international marketing. In New challenges to international marketing (pp. 277-319). Emerald Group Publishing.

Herath, T., & Rao, H. R. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154-165.

Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), 106-125.

Higgins, G. E., Fell, B. D., & Wilson, A. L. (2006). Digital piracy: Assessing the contributions of an integrated self-control theory and social learning theory using structural equation modeling. Criminal Justice Studies, 19(1), 3-22.

Hirtenlehner, H., & Hardie, B. (2016). On the conditional relevance of controls: An application of situational action theory to shoplifting. Deviant Behavior, 37(3), 315-331.

Hollinger, R. C., & Clark, J. P. (1983). Deterrence in the workplace: Perceived certainty, perceived severity, and employee theft. Social Forces, 62(2), 398-418.

Hong, W. Y., Chan, F. K. Y., Thong, J. Y. L., Chasalow, L. C., & Dhillon, G. (2014). A framework and guidelines for context-specific theorizing in information systems research. Information Systems Research, 25(1), 111-136.

Hovav, A., & D'Arcy, J. (2012). Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the US and South Korea. Information & Management, 49(2), 99-110.

Hu, Q., Dinev, T., Hart, P., & Cooke, D. (2012). Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sciences, 43(4), 615-660.

Hu, Q., West, R., & Smarandescu, L. (2015). The role of self-control in information security violations: Insights from a cognitive neuroscience perspective. Journal of Management Information Systems, 31(4), 6-48.

Hu, Q., Xu, Z., Dinev, T., & Ling, H. (2011). Does deterrence work in reducing information security policy abuse by employees? Communications of the ACM, 54(6), 54-60.

Hwang, I., Kim, D., Kim, T., & Kim, S. (2017). Why not comply with information security? An empirical approach for the causes of non-compliance. Online Information Review, 41(1), 2-18.

Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), 83-95.

Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-79.

Ifinedo, P. (2016). Critical times for organizations: What should be done to curb workers' noncompliance with IS security policy guidelines? Information Systems Management, 33(1), 30-41.

Johns, G. (2006). The essential impact of context on organizational behavior. Academy of Management Review, 31(2), 386-408.

Johnston, A. C., Warkentin, M., McBride, M., & Carter, L. (2016). Dispositional and situational factors: Influences on information security policy violations. European Journal of Information Systems, 25(3), 231-251.

Johnston, A. C., Warkentin, M., & Siponen, M. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly, 39(1), 113-134.

Karjalainen, M., Sarker, S., & Siponen, M. (2019). Toward a theory of information systems security behaviors of organizational employees: A dialectical process perspective. Information Systems Research, 30(2), 687-704.

Kim, J. J., Park, E. H. E., & Baskerville, R. L. (2016). A model of emotion and computer abuse. Information & Management, 53(1), 91-108.

Kohlberg, L. (1969). Stage and sequence: The cognitive development approach to socialization. In D. A. Goslin (Ed.), Handbook of socialization theory (pp. 347-480). Rand McNally.

Lee, S. M., Lee, S.-G., & Yoo, S. (2004). An integrative model of computer abuse based on social control and general deterrence theories. Information & Management, 41(6), 707-718.

Li, H., Luo, X. R., Zhang, J., & Sarathy, R. (2018). Self-control, organizational context, and rational choice in internet abuses at work. Information & Management, 55(3), 358-367.

Li, H., Sarathy, R., Zhang, J., & Luo, X. (2014). Exploring the effects of organizational justice, personal ethics and sanction on internet use policy compliance. Information Systems Journal, 24(6), 479-502.

Li, H., Zhang, J., & Sarathy, R. (2010). Understanding compliance with internet use policy from the perspective of rational choice theory. Decision Support Systems, 48(4), 635-645.

Liang, H. G., Xue, Y. J., & Wu, L. S. (2013). Ensuring employees' IT compliance: Carrot or stick? Information Systems Research, 24(2), 279-294.

Lindell, M. K., & Whitney, D. J. (2001). Accounting for common method variance in cross-sectional research designs. Journal of Applied Psychology, 86(1), 114-121.

Lowry, P. B., Gaskin, J. E., & Moody, G. D. (2015). Proposing the multimotive information systems continuance model (MISC) to better explain end-user system evaluations and continuance intentions. Journal of the Association for Information Systems, 16(7), 515-579.

Lowry, P. B., & Moody, G. D. (2015). Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies. Information Systems Journal, 25(5), 433-463.

Lowry, P. B., Posey, C., Bennett, R. J., & Roberts, T. L. (2015). Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust. Information Systems Journal, 25(3), 193-273.

Luo, X., Li, H., Hu, Q., & Xu, H. (2020). Why individual employees commit malicious computer abuses: A routine activity theory perspective. Journal of the Association for Information Systems, 21(6), 1552-1593.

Mello, J. P. (2017). Security awareness training explosion. https://cybersecurityventures.com/security-awareness-training-report/

Moody, G. D., Siponen, M., & Pahnila, S. (2018). Toward a unified model of information security policy compliance. MIS Quarterly, 42(1), 285-311.

Moquin, R., & Wakefield, R. L. (2016). The roles of awareness, sanctions, and ethics in software compliance. Journal of Computer Information Systems, 56(3), 261-270.

Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T., & Vance, A. (2009). What levels of moral reasoning and values explain adherence to information security rules? An empirical study. European Journal of Information Systems, 18(2), 126-139.

Nagin, D. S. (1998). Criminal deterrence research at the outset of the twenty-first century. Crime and Justice, 23(1), 1-42.

Nagin, D. S., & Paternoster, R. (1993). Enduring individual differences and rational choice theories of crime. Law & Society Review, 27(3), 467-496.

Pahnila, S., Siponen, M., & Mahmood, A. (2007). Employees' behavior toward IS security policy compliance. Proceedings of the 40th Hawaii International Conference on System Sciences.

Paternoster, R., & Simpson, S. (1996). Sanction threats and appeals to morality: Testing a rational choice model of corporate crime. Law & Society Review, 30(3), 549-583.

Peace, A. G., Galletta, D., & Thong, J. (2003). Software piracy in the workplace: A model and empirical test. Journal of Management Information Systems, 20(1), 153-177.

Ponemon. (2019). The cost of cybercrime: Ninth annual cost of cybercrime study. https://www.accenture.com/t00010101t000000z__w__/nz-en/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf

Posey, C., Bennett, R. J., & Roberts, T. L. (2011). Understanding the mindset of the abusive insider: An examination of insiders' causal reasoning following internal security changes. Computers & Security, 30(6-7), 486-497.

Posey, C., Roberts, T. L., & Lowry, P. B. (2015). The impact of organizational commitment on insiders' motivation to protect organizational information assets. Journal of Management Information Systems, 32(4), 179-214.

Posey, C., Roberts, T. L., Lowry, P. B., & Hightower, R. T. (2014). Bridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders. Information & Management, 51(5), 551-567.

Pratt, T. C., & Cullen, F. T. (2000). The empirical status of Gottfredson and Hirschi's general theory of crime: A meta-analysis. Criminology, 38(3), 931-964.

Pratt, T. C., Cullen, F. T., Blevins, K. R., Daigle, L. E., & Madensen, T. D. (2006). The empirical status of deterrence theory: A meta-analysis. In F. T. Cullen, J. P. Wright, & K. R. Blevins (Eds.), Taking stock: The status of criminological theory (pp. 367-395). Transaction Publishers.

Pritz, A. (2019). Top 5 solutions to reduce "cyber friction." CSO. https://www.csoonline.com/article/3356449/top-5-solutions-to-reduce-cyber-friction.html

Privacyrights. (2019). Data breaches. https://www.privacyrights.org/data-breaches

Rosas, A. (2013). Harm, reciprocity and the moral domain. In V. Karakostas & D. Dieks (Eds.), EPSA11 perspectives and foundational problems in philosophy of science. The European Philosophy of Science Association Proceedings (vol. 2, pp. 493-502). Springer.

Rosenmerkel, S. P. (2001). Wrongfulness and harmfulness as components of seriousness of white-collar offenses. Journal of Contemporary Criminal Justice, 17(4), 308-327.

Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.

Schoepfer, A., Carmichael, S., & Piquero, N. L. (2007). Do perceptions of punishment vary between white-collar and street crimes? Journal of Criminal Justice, 35(2), 151-163.

Seddon, P. B., Calvert, C., & Yang, S. (2010). A multi-project model of key factors affecting organizational benefits from enterprise systems. MIS Quarterly, 34(2), 305-328.

Shepherd, M. M., & Mejias, R. J. (2016). Nontechnical deterrence effects of mild and severe internet use policy reminders in reducing employee internet abuse. International Journal of Human-Computer Interaction, 32(7), 557-567.

Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees' adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217-224.

Siponen, M., Pahnila, S., & Mahmood, M. A. (2010). Compliance with information security policies: An empirical investigation. Computer, 43(2), 64-71.

Siponen, M., & Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), 487-502.

Son, J.-Y., & Park, J. (2016). Procedural justice to enhance compliance with non-work-related computing (NWRC) rules: Its determinants and interaction with privacy concerns. International Journal of Information Management, 36(3), 309-321.

Straub, D. W. (1990). Effective IS security: An empirical study. Information Systems Research, 1(3), 255-276.

Trevino, L. K. (1986). Ethical decision making in organizations: A person-situation interactionist model. Academy of Management Review, 11(3), 601-617.

Trevino, L. K., & Youngblood, S. A. (1990). Bad apples in bad barrels: A causal analysis of ethical decision-making behaviour. Journal of Applied Psychology, 75(4), 378-385.

Tyler, T. R., Callahan, P. E., & Frost, J. (2007). Armed, and dangerous (?): Motivating rule adherence among agents of social control. Law & Society Review, 41(2), 457-492.

van Zadelhoff, M. (2016). The biggest cybersecurity threats are inside your company. Harvard Business Review. https://hbr.org/2016/09/the-
Study | Method | Theoretical basis | Dependent variable | Effect of deterrence/sanctions | Morality or norm construct | Specific ISPs and situations examined?
Bulgurcu et al. (2010) | Survey | Theory of planned behavior, rational choice theory, deterrence theory | Intention to comply | Supported. Sanction as a single construct was used and its effect was significant. | Normative beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Chan et al. (2005) | Survey | NA | Compliant behavior | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Chen et al. (2012) | Experiment using scenarios | Compliance theory, general deterrence theory | Intention to comply | Supported. | No (No) | No, sample ISPs were provided to respondents for their understanding of the abstract concept of ISP. Scenarios were used but aggregately analyzed.
Cheng et al. (2013) | Survey | General deterrence theory, social bond theory, social control mechanisms | ISP violation intention | Partially supported: only the effect of perceived severity was significant. | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
D'Arcy & Hovav (2007) | Survey using scenarios | General deterrence theory | IS misuse intentions | Partially supported: the awareness of computer monitoring was used and its effect was significant. | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
D'Arcy & Devaraj (2012) | Survey using scenarios | General deterrence theory | Technology misuse intentions | Supported. Sanction as a single construct (perceived severity * perceived certainty) was used and its effect was significant. | Moral beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
D'Arcy & Greene (2014) | Survey | Social exchange theory | Compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
D'Arcy et al. (2009) | Survey using scenarios | General deterrence theory | IS misuse intention | Partially supported: only the effect of perceived severity was significant. | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
D'Arcy et al. (2014) | Survey using scenarios | Coping theory, moral disengagement theory, social cognitive theory | ISP violation intention | No | Moral disengagement (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
Flowerday & Tuyikeze (2016) | Survey | NA | Policy compliance | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Foth (2016) | Survey | Theory of planned behavior, general deterrence theory | Intention to comply | Partially supported: only the effect of perceived certainty was significant. | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Goo et al. (2014) | Survey | Safety climate and performance model | Compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
Guo & Yuan (2012) | Survey using scenarios | Deterrence theory, social cognitive theory | Compliance intention | Not supported. | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
Guo et al. (2011) | Survey using scenarios | Composite behavior model | Nonmalicious security violation intention | Not supported. | Workgroup norm (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
Han et al. (2017) | Survey | Rational choice theory | Compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Herath & Rao (2009b) | Survey | General deterrence theory, protection motivation theory, theory of planned behavior | Compliance intention | Partially supported: only the effect of detection certainty was significant. | Descriptive norm (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Herath & Rao (2009a) | Survey | General deterrence theory, agency theory | Compliance intention | Partially supported: only the effect of detection certainty was significant. | Normative beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Hovav & D'Arcy (2012) | Survey using scenarios | Deterrence theory | IS misuse intention | Partially supported: the effect of perceived severity was only supported for the US sample, and the effect of perceived certainty was only supported for the Korean sample. | Moral beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
Hu et al. (2011) | Survey using scenarios | Deterrence theory, rational choice theory, self-control theory | Behavior intention | Partially supported. An indirect effect of deterrence was found. | Moral beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
Hu et al. (2012) | Survey | Theory of planned behavior | Compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Hwang et al. (2017) | Survey | NA | Compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Ifinedo (2012) | Survey | Theory of planned behavior, protection motivation theory | Compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Ifinedo (2014) | Survey | Theory of planned behavior, social cognitive theory, social bond theory | Compliance intention | NA | Personal norms (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Ifinedo (2016) | Survey | General deterrence theory, rational choice theory, organizational climate perspective | Compliance intention | Partially supported: only the effect of sanction severity was supported. | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Johnston et al. (2016) | Survey using scenarios | Protection motivation theory, general deterrence theory | Intention to violate ISP | Not supported. | No (No) | No, different sanction situations were manipulated via scenarios, but aggregately analyzed.
Kim et al. (2016) | Survey using scenarios | Abuse opportunity structure, emotion process model | Abuse intent | NA | Moral beliefs (No) | No, different abuse opportunities were manipulated via scenarios, but aggregately analyzed.
Lee et al. (2004) | Survey | General deterrence theory, social control theory, theory of planned behavior | Intention to abuse | Not supported. | Norms (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Li et al. (2010) | Survey | Rational choice theory | Compliance intention | Partially supported: only the effect of sanction probability was supported. | Personal norms and organizational norms (Yes) | Partially, only the internet use policy and corresponding compliance intention were investigated, but no specific compliance/violation situations were examined.
Li et al. (2014) | Survey | Organizational justice | Compliance intention | Partially supported: only the effect of sanction certainty was supported. | Personal norms (No) | No, only the internet use policy and corresponding compliance intention were investigated, but no specific compliance/violation situations were examined.
Li et al. (2018) | Survey | Rational choice theory, self-control theory | Compliance intention | Weakly supported. A weak effect (p<0.1) of deterrence, as a single construct, was found. | No (No) | No, only the internet use policy and corresponding compliance intention were investigated, but no specific compliance/violation situations were examined.
Liang et al. (2013) | Survey | Control theory, regulatory focus theory | IT compliance behavior | NA | No (No) | No, ERP policy and corresponding compliance behavior were investigated, but no specific compliance/violation situations were examined.
Lowry & Moody (2015) | Experiment using scenarios | Organizational control theory, reactance theory | Intent to comply | NA | No (No) | No, different organizational control situations were manipulated via scenarios, but aggregately analyzed.
Lowry, Moody et al. (2015) | Survey | Fairness theory, reactance theory | Computer abuse | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Moquin & Wakefield (2016) | Survey | Protection motivation theory, theory of planned behavior | Compliance behavior | Not directly validated. | Normative beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Myyry et al. (2009) | Survey using scenarios | Theory of cognitive moral development, theory of motivational types of values | Compliance with ISP | NA | Moral reasoning factors (No) | No, ISP is a high-level abstract concept. A password sharing scenario was used to represent the concept of ISP violation.
Posey et al. (2011) | Survey | Causal reasoning theory, attribution theory | Computer abuse | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Posey et al. (2014) | Interviews (22 insiders and 11 IT professionals) | Protection motivation theory | Protection motivation | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Posey et al. (2015) | Survey | Protection motivation theory and past motivated behaviors | Protection motivation | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Safa et al. (2016) | Survey | Social bond theory, involvement theory | Compliance intention | NA | Personal norms (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Shepherd & Mejias (2016) | Experiment | General deterrence theory, rational choice theory, agency theory | Internet abuse | Not directly validated. | No (No) | Partially, acceptable use policies (AUP) were used as the exemplar policy for internet abuse, but no situational factors were examined.
Siponen & Vance (2010) | Survey using scenarios | Neutralization theory, general deterrence theory | Intention to violate ISP | Not supported. The effect of formal sanctions, as a single construct, was not significant. | No (No) | No, ISP is a high-level abstract concept. Scenarios were used but aggregately analyzed.
Siponen et al. (2010) | Survey | Protection motivation theory, deterrence theory, theory of reasoned action, innovation diffusion theory | Actual compliance with ISP | Supported. The effect of deterrence, as a single construct, was significant. | Normative beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Siponen et al. (2014) | Survey | Protection motivation theory, theory of reasoned action, cognitive evaluation theory | Actual compliance with ISP | NA | Normative beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Son (2011) | Survey | General deterrence theory, intrinsic and extrinsic motivation models | Compliance behavior | Not supported. | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Son & Park (2016) | Survey | Procedural justice | Compliance intention | Partially supported: only deterrent certainty was significant. | Moral beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Straub (1990) | Survey | General deterrence theory | Computer abuse | Supported. | No (No) | No, ISP is a high-level abstract concept. Although data related to specific types of abuse were collected, they were aggregately analyzed.
Vance & Siponen (2012) | Survey using scenarios | Rational choice theory | Intention to violate ISP | Not supported. The effect of formal sanctions, as a single construct, was not significant. | Moral beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
Vance et al. (2013) | Survey using scenarios | Accountability theory | Intention to commit access policy violations | Supported. The effect of awareness of deterrence was significant. | No (No) | Partially, access policy was used as an exemplar policy for policy violations, and different violation scenarios were used. However, the data were aggregately analyzed.
Vance et al. (2015) | Survey using scenarios | Accountability theory | Intention to violate access policy | Supported. The effect of awareness of deterrence was significant. | No (No) | Partially, access policy was used as an exemplar policy for policy violations, and different violation scenarios were used. However, the data were aggregately analyzed.
Warkentin et al. (2011) | Survey | Social learning theory | Behavior intent | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Xue et al. (2011) | Survey | Technology acceptance model, justice theory | Compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Yazdanmehr & Wang (2016) | Survey | Norm activation theory, social norms theory | ISP compliance behavior | Supported. The effect of deterrence, as a single construct, was significant. | Personal norms, descriptive norms, and injunctive norms (Yes) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Zhang et al. (2009) | Survey | Risk compensation | Behavioral intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in
theory, theory different situations
of planned
behavior
| Item | Wording | Scale |
|---|---|---|
| CTT2 | If I did what Taylor decided to do in the above scenario, I would probably be caught. (1-strongly disagree, 4-not sure either way, 7-strongly agree) | 1 2 3 4 5 6 7 |
| SVR2 | If caught doing what Taylor decided to do in the above scenario, I would be severely punished by my company. (1-strongly disagree, 4-not sure either way, 7-strongly agree) | 1 2 3 4 5 6 7 |
| SC2 | I don't devote much thought and effort to preparing for the future. | 1 2 3 4 5 6 7 |
| CMD2 | How important is it for people to keep promises, if they can, to someone they hardly know? | 1 2 3 4 5 6 7 |
| CMD3 | How important is it for parents to keep promises, if they can, to their children? | 1 2 3 4 5 6 7 |
| CMD4 | In general, how important is it for people to tell the truth? | 1 2 3 4 5 6 7 |
| CMD5 | Think about when you've helped your mother or father. How important is it for children to help their parents? | 1 2 3 4 5 6 7 |
| CMD6 | Let's say a friend of yours needs help and may even die, and you're the only person who can save him or her. How important is it for a person (without losing his or her own life) to save the life of a friend? | 1 2 3 4 5 6 7 |
| CMD7 | How important is it for a person (without losing his or her own life) to save the life of a stranger? | 1 2 3 4 5 6 7 |
| CMD8 | How important is it for a person to live even if that person doesn't want to? | 1 2 3 4 5 6 7 |
| CMD9 | How important is it for people not to take things that belong to other people? | 1 2 3 4 5 6 7 |

Note: *Personal moral beliefs and self-control were reverse coded in the data analysis.
| Study | How the scenarios were developed | Scenario details | Similar scenario(s) (S1/S2/S3) |
|---|---|---|---|
| Lowry & Moody (2015) | Reviewed the academic and practitioner literature. | The scenarios varied in the experimental factors: controlling language and formal control. | √ √ |
| Myyry et al. (2009) | Followed the method in the literature. | No details provided. A password sharing scenario was used. | √ |
| Siponen & Vance (2010) | Developed the scenarios based on the input from 54 information security professionals. | The study selected the top three violation scenarios from a list of identified violation scenarios and manipulated the experimental factors (identifiability, evaluation, and social presence) based on the three scenarios. | √ |
| Vance & Siponen (2012) | Developed the scenarios based on the input from 54 information security professionals. | The study selected the top three violations from a list of identified violation scenarios. | √ |
| Vance et al. (2013) | Developed the scenarios based on the literature and the input of two system managers and five employees. | The study selected the top three violation scenarios from a list of identified violation scenarios and manipulated the experimental factors (identifiability, evaluation, and social presence) based on the three scenarios. | √ |
| Vance et al. (2015) | Developed the scenarios by consulting the FERPA compliance officer in the university. | The scenarios varied in the experimental factors: identifiability, expectation of evaluation, awareness of monitoring, and social presence. | √ |

Note: S1: sharing passwords scenario, S2: personal use of the internet at workplace scenario, S3: unauthorized disclosure of commercial secret scenario; √: the paper uses a similar scenario and thus supports our scenario design.
Copyright © 2021 by the Association for Information Systems. Permission to make digital or hard copies of all or part
of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for
profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for
components of this work owned by others than the Association for Information Systems must be honored. Abstracting
with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior
specific permission and/or fee. Request permission to publish from: AIS Administrative Office, P.O. Box 2712 Atlanta,
GA, 30301-2712 Attn: Reprints, or via email from publications@aisnet.org.