Journal of the Association for Information Systems

Volume 22 Issue 3 Article 5

2021

Understanding Information Security Policy Violation from a Situational Action Perspective

Han Li
University of New Mexico, hanli@unm.edu

Xin (Robert) Luo
University of New Mexico, xinluo@unm.edu

Yan Chen
Florida International University, yachen@fiu.edu

Follow this and additional works at: https://aisel.aisnet.org/jais

Recommended Citation
Li, Han; Luo, Xin (Robert); and Chen, Yan (2021) "Understanding Information Security Policy Violation from
a Situational Action Perspective," Journal of the Association for Information Systems, 22(3), .
DOI: 10.17705/1jais.00678
Available at: https://aisel.aisnet.org/jais/vol22/iss3/5

This material is brought to you by the AIS Journals at AIS Electronic Library (AISeL). It has been accepted for
inclusion in Journal of the Association for Information Systems by an authorized administrator of AIS Electronic
Library (AISeL). For more information, please contact elibrary@aisnet.org.
Journal of the Association for Information Systems (2021) 22(3), 739-772
doi: 10.17705/1jais.00678

RESEARCH ARTICLE

ISSN 1536-9323

Understanding Information Security Policy Violation from a Situational Action Perspective

Han Li (1), Xin (Robert) Luo (2), Yan Chen (3)

(1) Anderson School of Management, The University of New Mexico, USA, hanli@unm.edu
(2) Corresponding author, Anderson School of Management, The University of New Mexico, USA, xinluo@unm.edu
(3) College of Business, Florida International University, USA, yachen@fiu.edu

Abstract

Insiders’ negligence or abuse is regarded as a leading cause of information security breaches in
organizations. As most of the extant studies have largely examined insider threats at a high level of
abstraction, the role of situational moral reasoning for information security policy (ISP) violations
in specific situations has received little attention. To advance this line of research, this paper opens
up a potentially fruitful path for IS researchers by applying situational action theory (SAT) to
contextually examine why employees violate ISPs in particular situations. We consider the violations
of password security policy, internet use policy, and confidential data security policy, and examine
specific violation intents ranging from altruistic to malicious. The results support most of the
assertions derived from SAT. We found situational moral beliefs to be the predominant driver for
ISP violations across three situations in an organizational setting. However, the moderation effect of
moral beliefs was only significant in situations involving sharing passwords and selling confidential
data. Sanction certainty and sanction severity were also found to have different effects across
situations. We conclude by presenting implications for IS security practitioners and suggestions for
future research.

Keywords: Insider Threats, Situational Action Theory, Morality, Self-Control, Deterrence, Cognitive Moral Development

Patrick Y. K. Chau was the accepting senior editor. This research article was submitted on April 26, 2019 and
underwent three revisions.
1 Introduction

Data protection has become increasingly challenging for organizations because of rising regulatory obligations and the complexities involved in protecting data (Luo et al., 2020). A 2016 survey reported that 76% of information risk executives believe it is harder or significantly harder to prevent data breaches than it was in the past (CEB, 2016). Insiders have long contributed to the challenge of achieving information systems security in organizations (van Zadelhoff, 2016), evidenced by the many security incidents and data breaches originating with insiders’ intentional or unintentional actions (malicious or nonmalicious) (Privacyrights, 2018). According to recent surveys, 28% of data breaches and security incidents involved insiders (Verizon), and 90% of organizations reported being concerned about security risks from both malicious and nonmalicious insiders (CA Technology, 2018). To combat and deter insider threats, organizations have implemented information security policies (ISPs) that delineate rules and guidelines for appropriate security behaviors and consequences of ISP violation. However, despite the pervasive deployment of ISPs, insider threats remain prevalent in organizations.

739
ISP Violations from a Situational Action Perspective

One potential reason for ISP ineffectiveness suggested by security practitioners is that employees’ compliance is situational (Pritz, 2019). Employees often face value contradictions caused by siloed work environments, frictions, and turf wars between security, IT, and functional units in their daily practice, and may need to make difficult decisions regarding ISP compliance. A 2017 survey reported that 72% of employees admit that they would be willing to violate an ISP to share sensitive, confidential company data under certain circumstances (Dell, 2017). Situational compliance is a serious issue in security practice that warrants further research investigation.

A number of IS studies have investigated the antecedents and consequences of insider ISP violation (Barlow et al., 2018, Bulgurcu et al., 2010, D’Arcy et al., 2009, Herath & Rao, 2009a, Lowry et al., 2015a, Moody et al., 2018, Pahnila et al., 2007). Collectively, these insightful studies lay a solid foundation for understanding insider threats; however, contradictory findings and existing research gaps demonstrate the need to further explore the issue of ISP compliance. Specifically, we seek to address two unresolved contradictions identified in two recent meta-analysis studies (Cram et al., 2019, Moody et al., 2018). One contradiction involves the role of moral consideration, which, while not included in Moody et al.’s (2018) unified model of security policy compliance, is a key predictor of ISP compliance in many other studies (see Cram et al. 2019 and Appendix A). The other contradiction relates to the mixed findings about the effect of deterrence on ISP compliance (see Appendix A for details). We suspect that these conflicting findings regarding the role of moral consideration and the effect of deterrence are likely attributable to differences across violation situations.

Criminology defines a situation as “the particulars of a social setting” in which the action taker is involved (Wikström & Svensson, 2010, p. 396). In this study, we specifically refer to the situation as the particular setting in which an employee makes a policy violation decision. Prior studies in criminology suggest that conditions may vary across violation types and violation situations (Wikström, 2009, Wikström and Svensson, 2010). Organization literature also suggests that the effectiveness of internal rules “depends upon both the situation being studied and the types of rules that are the focus of concern” (Tyler et al., 2007, p. 467).

Despite recognizing the importance of violation situations in criminology literature, the extant IS literature largely relies on “static, invariant explanations” of ISP compliance behaviors and assumes that such behaviors are invariant across situations (Karjalainen et al., 2019, p. 688). Under this assumption, prior IS research has studied ISP violation primarily at a high level of abstraction by simply defining the concept of ISP that pertains to no specific security rules and procedures (Chen et al., 2015, D’Arcy and Greene, 2014, Posey et al., 2015, Siponen et al., 2010). As a result, explanations/predictors for complying with one policy (e.g., password policy compliance) are the same as those for complying with another policy (e.g., internet use policy compliance) (see the literature summary in Appendix A for details). Such an invariant and situationless approach may limit the practical applicability of research findings for organizations facing specific compliance/noncompliance issues regarding a specific policy. This type of approach may also hinder theory contextualization endeavors to identify boundary conditions, thus potentially giving rise to conflicting findings in the ISP compliance literature (Karjalainen et al., 2019).

Motivated by these issues, we investigate the context of insider threats concerning a specific ISP vis-à-vis a specific violation situation. We postulate that individual employees form ISP violation intentions based on how they perceive a violation situation and the consequences of their actions in that situation. We follow the theory contextualization guidelines offered by Hong et al. (2014) to further develop a situational action theory (SAT) for different violation situations. More specifically, our model is built upon the fundamental tenets of SAT, adapted to the current research context: (1) acts of ISP violation are moral actions that depend on the moral judgment of a violation situation, (2) controls (self-control and external control) impact acts of ISP violation, (3) morality interacts with controls and influences acts of ISP violation, and (4) acts of ISP violation represent outcomes of the situational convergence of individuals and environments (Wikström, 2006, Wikström & Svensson, 2010). Additionally, as an extension to SAT, this study also examines the antecedents of moral judgment in the model.

This study makes significant contributions to the literature related to employee violation of ISPs. We make an initial attempt to contextualize SAT to study ISP violation, thus helping to develop a situation-based understanding of the effect of moral judgment, deterrence, and self-control on ISP violation in different situations. Our study resonates with the recent research call for IS research that is more context specific, particularly in terms of studies that investigate variant explanations across different situations (Hong et al., 2014, Karjalainen et al., 2019). To the best of our knowledge, this study is the first to investigate the situational morality and violation circumstance (i.e., harmfulness) of ISP violation. Our study thus enhances the understanding of the inconsistent effect of deterrence and highlights differences in moral consideration by demonstrating that these things are contingent upon specific violation situations. Moreover, our study has practical implications for organizations regarding the design and deployment of situation-based security awareness and ethics training programs intended to more effectively deal with different violation situations.


2 Theoretical Foundation

2.1 Situational Action Theory

Situational action theory (SAT) was originally proposed by Wikström (2006) to explain why people commit crimes or break rules defined by laws and regulations. SAT was later developed into a general theory of moral actions to explain violations of a wide spectrum of rules involving drug use, street fighting by youths, and skipping ahead in a queue (Gallupe & Baron, 2014, Wikström, 2009). SAT is a relatively new general theory of moral action and crime that aims to explain moral action and crime by integrating situational moral reasoning with personal and environmental factors.

SAT submits that “the situation represents neither the person nor the setting” but the convergence of the two, such that “a person’s particular action propensities are triggered by specific features of a setting” (Wikström & Treiber, 2015, p. 429). In other words, rule-breaking behaviors are situational because they are determined by how a person is morally triggered by specific features of a setting (Wikström & Svensson, 2010, Wikström & Treiber, 2015). For example, whether or not a person gets in a bar fight depends on how that person morally interprets such behavior and the specific situation that brings one to that point (e.g., being drunk or in a bad mood). By the same token, whether or not an employee violates a specific ISP depends on the general morality of that individual as well as the conditions of the specific situation (e.g., selling the company’s data because of being fired or being asked by a close friend to violate the ISP).

SAT makes three key assertions. First, an individual’s morality is the fundamental driver for deviant behaviors (Wikström, 2009, Wikström & Svensson, 2010). Moral rules delineate whether a certain action is morally right or wrong. Individuals conduct situational moral judgment and form moral beliefs about the appropriateness of their action alternatives (e.g., violation versus compliance). Individuals with moral beliefs consistent with following rules will be motivated to follow the organizational ISP. Those with very high levels of morality will not even consider the deviant act as a choice of action. In essence, SAT posits that moral beliefs determine whether an individual will commit a deviant action.

Second, SAT asserts that internal and external controls influence how individuals choose between action alternatives, including rule-breaking actions (Wikström, 2009; Wikström & Svensson, 2010). Internal control refers to self-control, the ability to process choices to either break a rule or abide by it. External control refers to deterrence, including formal and informal social controls. SAT posits that the effect of controls takes place only when there exists a conflict between a rule and one’s own moral beliefs (Wikström, 2009; Wikström & Svensson, 2010). In other words, the effect of controls is conditional upon one’s personal moral beliefs. Therefore, SAT emphasizes not only the role of personal morality in deviant acts but also the interaction between morality and controls (self-control and deterrence).

Third, SAT maintains that environmental factors influence deviant acts in a moral context. Environmental factors in a moral context entail but are not limited to the “moral rules that apply to the setting and their levels of enforcement” (Wikström & Svensson, 2010, p. 397). When exposed to different environments, the same individual may act differently in terms of rule-breaking actions. Thus, crimes and rule-breaking acts are governed by a “situational mechanism that links individuals and environments to their actions” (Wikström & Svensson, 2010, p. 397).

To the best of our knowledge, SAT has not been applied to the context of ISP violation. Our study represents an initial endeavor to extend the theory to explain insider security threats in terms of ISP violations in organizations. We consider acts of ISP violation to be rule-breaking actions that involve the conflict between the obligation to follow organizational rules and one’s own moral judgment (Myyry et al., 2009). Thus, we posit that ISP violations depend on the person and the situation—namely, how the person morally interprets the situation and responds to it (Wikström, 2009, Wikström & Svensson, 2010).

To better understand situational differences in ISP violations, we contextualize SAT in this study by following the research guidance offered by theory contextualization (Hong et al., 2014). Theory contextualization submits that a context consists of “situational opportunities and constraints that affect the occurrence and meaning of organizational behavior” (Johns, 2006, p. 386). In this study, we view a violation situation as a specific instantiation of the context of an ISP violation, constituting a specific ISP and a situational moral dilemma. Through theory contextualization, we enrich SAT with context-specific antecedents and moderators. Table 1 summarizes the steps of theory contextualization, the guidelines established by Hong et al. (2014) used in the steps, the specific outcomes of each step, and the resulting adaption of SAT for our study. In addition to the activities summarized in Table 1, we also tested the research model under three different ISP violation situational scenarios, i.e., sharing passwords with a colleague, personal internet use at work, and selling confidential firm data (for details, please see Section 4). The three scenarios provide further contextual richness, which contributes to the understanding of ISP violation.


Table 1: Summary of Theory Contextualization per the Guidelines by Hong et al. (2014)

Step 1
  Mapping guidelines (Hong et al., 2014): Guidelines 1&2: Identify a general theory and use it as the basis to guide the theory contextualization.
  Outcomes of each step: Selected SAT as the general theory to examine ISP violations because SAT aims to explain moral actions and crimes.
  Adaption of SAT: (none)

Step 2
  Mapping guidelines (Hong et al., 2014): Guideline 3: Thorough evaluation of the context to identify context-specific factors and salient individual factors that are relevant to the context.
  Outcomes of each step: Identified 1) four context-specific factors, i.e., personal moral beliefs, perceived sanction certainty, perceived sanction severity, and perceived harmfulness, and 2) two salient individual difference factors relevant to the moral context of ISP violations, i.e., self-control and cognitive moral development.
  Adaption of SAT: Perceived harmfulness and cognitive moral development were identified as the additional factors beyond the core constructs of SAT.

Step 3
  Mapping guidelines (Hong et al., 2014): Guideline 4: Modeling context-specific factors.
  Outcomes of each step: Modeled perceived harmfulness and cognitive moral development as the direct antecedents of the core constructs of SAT.
  Adaption of SAT: Extended SAT with two context-specific antecedents.

Step 4
  Mapping guidelines (Hong et al., 2014): Guideline 5: Examination of the interplay between the IT artifact and other factors.
  Outcomes of each step: Modeled personal moral beliefs as a moderator that conditions the effect of self-control and deterrence on ISP violations.
  Adaption of SAT: (none)

Step 5
  Mapping guidelines (Hong et al., 2014): Guideline 6: Examinations of alternative context-specific models.
  Outcomes of each step: Tested alternative models and found a direct impact of perceived harmfulness and cognitive moral development in the scenario of personal internet use at work.
  Adaption of SAT: Enriched SAT with additional direct predictors of moral actions.

2.2 Antecedents to Personal Moral Beliefs

The ethics and morality literature considers personal moral beliefs to be influenced jointly by individual differences and situational factors (Trevino & Youngblood, 1990). Among individual differences, cognitive moral development is the root personal factor influencing ethical decision-making (Kohlberg, 1969). Kohlberg (1969) posited a hierarchical continuum of six stages of cognitive moral development. Individuals develop morality from a low moral development stage to a high moral development stage in an irreversible fashion. For those at a relatively low level of moral development, external formal punishment instead of morality tends to be what drives them to obey rules (Trevino, 1986). With progress in moral development, individuals internalize the moral standards of important others or the group they belong to and then tend to voluntarily follow societal or organizational rules. Ultimately, individuals may attain a stage at which they uphold their moral principles regardless of others’ moral values and standards (Kohlberg, 1969, Trevino, 1986). Individual employees come to the workplace with a particular level of cognitive moral development and make moral judgments accordingly. In other words, according to this theory, an employee’s stage of cognitive moral development influences his or her moral reasoning in organizations.

Nevertheless, individuals conduct moral reasoning not solely based on the personal moral principles they have developed; rather, they are also influenced by situational factors (e.g., the context of rule violation). To further this line of thinking, we adopt the multiple-influence perspective proposed by Trevino (1986) but focus on perceived harmfulness of the deviant act as one type of situational factor. Prior research has shown that perceived harmfulness is very situation dependent (Rosenmerkel, 2001). In criminology, the harmfulness judgment measures the moral gravity of a crime and allows people “to develop their own sense of background into the particular offense” (Rosenmerkel, 2001, p. 311). In the current research context, perceived harmfulness shows how individual employees develop their own sense of the seriousness of a violation situation. Perceived harmfulness could also be considered to be a proxy for an employee’s understanding of the varied situational background of committing deviant acts, such as the types of assets (sensitive vs. nonsensitive) and intent of the deviant act (altruistic/nonmalicious vs. malicious). Little, if any, existing research has examined whether employees perceive the properties of deviant acts differently and form their moral judgment accordingly.


This study attempts to fill this research gap by investigating how the evaluation of the harmfulness of a specific deviant act impacts moral beliefs or ethical judgment about the act. Inflicting harm on others is a core concern among all moral norms (Rosas, 2013). Therefore, in this study, we expect perceived harmfulness to play a vital role in shaping moral beliefs, while its effect may vary depending on the situation.

3 Research Model

The research model is shown in Figure 1. In line with SAT (Wikström 2006), we postulate that personal moral beliefs on rule breaking along with self-control and deterrence are the three major forces influencing employee intention to violate organizational ISPs. The effects of self-control and deterrence are contingent on the level of moral beliefs. The model also suggests that moral beliefs are shaped by both the perception of situational harmfulness and one’s general level of cognitive moral development.

3.1 Self-Control

According to Gottfredson and Hirschi (1990), people differ in their levels of self-control. Those who lack self-control are more likely to commit deviant acts; low self-control is even sometimes defined as an individual’s propensity to commit deviant acts (Gottfredson & Hirschi, 1990). Gottfredson and Hirschi identify six descriptive elements of low self-control: impulsivity or the tendency to seek immediate gratification, a preference for thrilling or risk-seeking behaviors, simple task orientation, a preference for physical rather than mental activities, self-centeredness, and a quick temper (Gottfredson & Hirschi, 1990, Grasmick et al., 1993). There is substantial empirical support implicating low self-control as the direct or indirect cause of deviant behaviors in a variety of social and organizational settings (Higgins et al., 2006, Hu et al., 2011, Nagin & Paternoster, 1993, Wright, 2004). Pratt and Cullen (2000) conducted a meta-analysis providing consistent support for low self-control as a direct predictor of crimes and other deviant acts such as drug use and speeding. Hu et al. (2015) offer neurological evidence that those with low self-control have lower levels of neural recruitment compared to those with high self-control when making decisions related to ISP violation. Higgins et al. (2006) find that low self-control exerts both a direct and indirect influence on college students’ intention to perform software piracy.

SAT postulates that the ability to exercise self-control determines whether or not an individual will act on desires or impulsivity and carry out a rule-breaking alternative when exposed to a conducive situation (Wikström, 2009). In terms of ISP violation, we thus predict that employees with high levels of self-control are more likely to overcome the temptation of gaining personal benefits by violating ISPs. Likewise, we argue that employees with low levels of self-control are more likely to violate ISPs. Therefore, we hypothesize:

H1: High levels of self-control are negatively associated with employees’ ISP violation intentions.

Figure 1. Research Model


3.2 Deterrence

Deterrence, also called formal sanctioning, has been widely examined as a means of inhibiting individuals from engaging in deviant acts in various contexts such as tax compliance (Wenzel, 2004), street crime (Schoepfer et al., 2007), and employee offense (Hollinger & Clark, 1983). At its core, the deterrence research assumes that individuals are rational actors who will factor costs and risks into their decisions to commit deviant acts. The deterrence doctrine is also a key pillar of IS security research, with deterrence theory being the most cited theory in this research stream (D’Arcy & Herath, 2011). Recent IS research suggests that deterrence is a complex concept (Johnston et al., 2015, Willison, Lowry et al., 2018). In this study, we focus on formal deterrence because informal deterrence consists of moral elements such as guilt and shame (Johnston et al., 2015) and may thus have a confounding effect with moral judgment.

Deterrence consists of two key dimensions: perceived sanction certainty (or detection probability) and perceived sanction severity (Johnston et al., 2016, Straub, 1990, Willison, Warkentin et al., 2018b). The former represents the perceived probability of being caught for performing an illicit act, whereas the latter refers to the perceived severity of formal punishment. General deterrence theory posits that individuals are more effectively deterred by sanctions perceived to be more severe when there is a higher probability of being caught. High sanction certainty and sanction severity likely increase the costs associated with violating an ISP, thus reducing the appeal of a deviant act for a potential offender. Therefore,

H2a: Perceived sanction certainty is negatively associated with employees’ ISP violation intentions.

H2b: Perceived sanction severity is negatively associated with employees’ ISP violation intentions.

3.3 Personal Moral Beliefs

Personal moral beliefs reflect one’s ethical judgment about the appropriateness of a particular behavior within a particular context (D’Arcy & Herath, 2011). It is generally recognized that employees engage in moral reasoning when committing ethical or unethical acts (Myyry et al., 2009). Strong evidence exists supporting the inhibiting role of moral beliefs on various deviant acts committed by employees (Pratt et al., 2006). Furthermore, SAT suggests that personal moral beliefs (morality) represent a “fundamental individual causal factor” motivating individuals not to engage in deviant acts and that only those with low levels of morality perceive deviant acts to be viable alternatives in a moral context (Wikström & Svensson, 2010). In other words, morality serves as a moral filter that determines which action alternatives do not conflict with the moral norms of the setting. Thus, employees with high levels of morality are more likely to support moral norms in ISPs and less likely to perceive ISP violations as a viable alternative. Hence, we hypothesize:

H3: Strong moral beliefs are negatively associated with employees’ ISP violation intentions.

SAT postulates that self-control is exercised when a discrepancy exists between an individual’s desires and moral rules (Wikström & Svensson, 2010). In the current research context, when an employee has low levels of morality, the employee will be less likely to perceive a moral issue associated with violating an ISP for personal gain. Consequently, the employee’s ability to exercise self-control tends to play a stronger role in ISP violation decisions. In contrast, an employee with high levels of morality would tend to view moral actions, i.e., compliance with organizational rules, as the only viable alternative, and would thus require less self-control to resist the temptation of violating an ISP for personal gain, making the effect of self-control on ISP violation less important in this context. Thus, we hypothesize:

H4: Strong moral beliefs positively moderate the relationship between employees’ self-control and their ISP violation intentions.

SAT also suggests that moral beliefs may moderate the impact of deterrence on deviant acts. Among individuals with high levels of morality, the effect of deterrence may become superfluous because deviant acts are not included in the range of their perceived action alternatives. As such, we expect that the deterrent effect associated with the threat of formal sanctions exerts a stronger influence on those with low levels of personal morality (Hirtenlehner & Hardie, 2016, Wikström & Svensson, 2010). The interaction between deterrence and moral beliefs has received some empirical support in different disciplines, including IS (D’Arcy et al., 2009, Paternoster & Simpson, 1996, Wenzel, 2004). For example, Paternoster and Simpson (1996) found that sanction threats have salient effects primarily among individuals with weak moral beliefs prohibiting illegal behaviors. Those with strong moral beliefs in this regard would consider illegal behaviors to be beyond the sphere of their contemplation, making formal sanctions irrelevant. Therefore,

H5a: Strong moral beliefs positively moderate the relationship between perceived sanction certainty and employees’ ISP violation intentions.

H5b: Strong moral beliefs positively moderate the relationship between perceived sanction severity and employees’ ISP violation intentions.


3.4 Cognitive Moral Development

Cognitive moral development, as one type of individual characteristic, is developed in progressive stages (Kohlberg, 1969), reflecting the cognitive processes individuals use in resolving ethical dilemmas. Those progressive stages can be categorized into three levels of moral reasoning. The first level is preconventional, typified by people who are highly self-interested and primarily concerned with external rewards and punishments. The second level is conventional, characterizing individuals who internalize the rules and regulations of their social environment to meet the expectations of relevant others. The last level is postconventional. At this level, people rely on universal principles such as justice and right vs. wrong to assess appropriate action (Greenberg, 2002). The level of one’s cognitive moral development influences how an individual thinks about what is right or wrong in terms of a deviant act. People at advanced levels of moral development tend to make decisions based on their moral code (Trevino & Youngblood, 1990). Therefore, we hypothesize:

H6: Employee cognitive moral development is positively associated with strong moral beliefs.

3.5 Perceived Harmfulness

Beyond its root in moral development at the personal level, the formation of moral beliefs also involves the situational evaluation of particular deviant acts (Trevino, 1986). Crimes and deviant acts have their own characteristics and people’s perceptions of them are also different (Rosenmerkel, 2001). For example, so-called white-collar crimes may harm others nonphysically, whereas gangsters’ street fights clearly inflict physical harm on others. When performing moral judgments, individuals may perceive nonviolent crimes as less harmful than clearly violent acts (Rosenmerkel, 2001).

In situations involving ethical dilemmas, harmfulness (the overall negative consequences of a particular crime or deviant act) is one of the core norms that people consider when forming their moral beliefs regarding the appropriateness of a deviant act. For example, computer crime offenders often deny the harmfulness of their crimes to justify their actions, thus embracing their acts as appropriate and forming weak moral beliefs (van Zadelhoff, 2016). The extent of harmfulness inflicted by a deviant act varies in different situations. For example, an employee might perceive less harm to be associated with sharing a password to help a colleague perform a work task than sharing a password with a former

3.6 Control Variables

Besides the above core constructs, we controlled for three factors that may influence ISP compliance: age, gender, and prior computer or information security violations. For example, older people have been found to be more compliant in the context of tax law compliance (Wenzel, 2005) and internet use policy compliance (Li et al., 2014), and it has been shown that women are more compliant with ISPs than men (Herath & Rao, 2009a); prior offense history may also serve as an indicator for the likelihood of future violations.

3.7 Situational Differences

One core tenet of SAT is that crimes or deviant acts are contextual or situational. The influence of controls and moral judgment on decisions varies across situations (e.g., type of deviant acts, personal intent, potential gains or harms, opportunities offered by a deviant act, etc.). Internal and external controls may or may not be effective to uphold moral rules embedded in policies or laws in a specific situation (Hirtenlehner & Hardie, 2016, Wikström, 2009, Wikström and Svensson, 2010). For example, deterrence has received mixed support for combatting IS abuses and software piracy in organizations (D’Arcy et al., 2009, Hu et al., 2011, Vance and Siponen, 2012). Deterrence measures were found to reduce IS resource misuse in the studies by Straub (1990) and D’Arcy et al. (2009) while some other studies failed to verify the deterrent effect (Hu et al., 2011, Siponen and Vance, 2010). The mixed effect of deterrence may be attributable to the effect of situational factors that are largely ignored by extant IS security studies. This view aligns to a certain extent with Nagin’s (1998) contention that individuals may form sanction threat perceptions that are unique to distinct crime types. Thus, in this study, we validate the research model in three different situations. Each presents a different violation scenario for a specific policy. The design of the scenarios is detailed in the next section.

4 Research Methodology

4.1 Variable Measurement

To increase measurement reliability and validity, all constructs were measured using existing scales in the literature with slight rewording when needed to refer to the specific violation situations addressed in our
colleague now working at a different company. We research scenarios. Violation intention was measured
anticipate that an employee is more likely to view a using two items by D’Arcy et al. (2009). Self-control
deviant act as inappropriate, i.e., form strong moral (SC) was measured using a short form of the low self-
beliefs against it if the employee believes the act could control scale created by Wikstrom and Svensson
be harmful to others. Therefore, we hypothesize: (2010). Sanction certainty and sanction severity were
gauged using scales by Peace et al. (2003). Personal
H7: Perceived harmfulness is positively associated with
moral beliefs followed those developed by Wenzel
strong moral beliefs.

(2004). Perceived harmfulness consisted of two items by Rosenmerkel (2001). Cognitive moral development was measured using the social reflection measure developed by Gibbs et al. (1992). All these instruments were operationalized as reflective constructs using 7-point scales. The detailed measures for each construct are available in Appendix B.

4.2 Study Design, Procedure, and Participants

We relied on the scenario-based approach to test the situational effect of our research model, following the typical practice in criminology and IS security studies. In the criminology literature, the scenario-based approach is considered more reliable for studying illicit activities than self-reported measures that directly ask whether the subjects have committed certain crimes. The IS security literature suggests that the scenario approach is useful for studying ISP violations for three main reasons. First, as prior research has pointed out, “scenarios can enhance the realism of decision-making situations by providing contextual detail while simultaneously ensuring the uniformity of these details across respondents” (Vance et al., 2015, p. 353). Second, individuals are more likely to honestly express their intentions concerning hypothetical scenarios; thus, the scenario-based approach can help overcome the difficulty of employees being unwilling to admit their actual deviant behaviors (D’Arcy et al., 2014; Hu et al., 2011; Johnston et al., 2015; Vance et al., 2015). Third, because of the secrecy surrounding deviant behaviors, organizations may not have data that truly capture employees’ ISP violations. Even if organizations have collected such data, they may not be willing to share the data with researchers because of concerns about legal liability or organizational reputation. For these reasons, the scenario-based approach is increasingly used in ISP compliance/violation research (see Appendices A and C).

Extant ISP compliance research suggests that researchers should review the literature and industry practice to design relevant and realistic scenarios (see Appendix C for details) that describe common phenomena so that respondents can see themselves facing similar situations when making compliance decisions. Scenarios are not meant to be exhaustive but illustrative, focusing on the key factors of research interest. Thus, as shown in Appendix C, the scenarios of extant studies vary in two to four key factors specific to the topic of study.

Following these suggestions from the literature, we designed three fictitious scenarios involving ISP violations: sharing a password to help a colleague for work purposes, personal internet use at work to alleviate boredom, and selling confidential consumer data for personal financial benefit (D’Arcy et al., 2014; Johnston et al., 2016; Johnston et al., 2015; Myyry et al., 2009; Siponen & Vance, 2010). Each scenario depicts a situation consisting of a specific ISP and a specific compliance-decision situation that is often faced by employees (Guo & Yuan, 2012). More specifically, our scenarios vary in key factors such as harmfulness, malicious/nonmalicious/altruistic intent, and moral gravity, and thus differ in decision complexity. For example, the complexity of the scenario of selling confidential consumer data for personal financial benefit is the lowest among the three scenarios because employees tend to have a consistent view of the immorality, malicious intent, and harmfulness of such an act. The decision complexity of the other two scenarios is relatively high because of the inherent moral contradictions (e.g., helping people versus violating a policy) and opinion differences related to the scenarios (e.g., employees may have different views on the harm inflicted by sharing passwords with colleagues, compared to the importance of maintaining workplace relationships). Table 2 shows the details of the three scenarios.

Three question blocks were used as containers for scenario-specific questions, with one block for each scenario. Each subject was assigned all three blocks but in random order, meaning that each subject answered scenario-specific questions related to all three scenarios. The scenario-specific questions covered scenario realism, personal moral beliefs, sanction certainty, sanction severity, perceived harmfulness, and intention to violate the ISP. After going through these scenario-specific questions, subjects then answered questions that measured individual differences in self-control and cognitive moral development as well as questions on their demographic profile.

The research model was tested using data collected from subjects on an industrial panel operated by Qualtrics.com. The Qualtrics panelists were from many different organizations and industries, were randomly contacted by Qualtrics to participate in this study, and remained anonymous to the researchers. Qualtrics relies on sophisticated digital fingerprinting technology to ensure that no two responses are from the same subject.

We collected a total of 265 usable responses. As shown in Table 3, the subjects work in different roles, including managers, professionals (IT/business), and administrative staff. 37.3% of the survey respondents were male and 62.6% were female. Their average age was in the range of 35-44, and the majority of them reported more than 5 years of internet use. The distribution of firm size showed a good spread of small, medium, and large firms.

Table 2: Three Scenarios


Background scenario
Assume Taylor is a middle-level manager in your company. He was given a unique login ID/password to access the company’s
confidential data such as customer and client records, sales and purchase agreements, business plans, etc. He has received the
awareness training on information security policies (ISPs) such as confidential data security policy, password security policy,
and internet use policy. Taylor knows that some employees have been reprimanded or terminated for violation of ISPs in your
company.
Each subject was required to go through all three security violation scenarios below.

Sharing passwords scenario


Recently, one of Taylor’s colleagues had his account locked out and could not access his account before the account manager is
back from vacation. He called Taylor and asked for Taylor’s password. Taylor expects that sharing his password could save your
company a lot of time and money. So, Taylor decided to share his password with the colleague.

Personal internet use at work scenario


Sometimes, Taylor feels bored during working hours in the company. To refresh his mind, he decided to check his personal
email or browse the internet during working hours.

Unauthorized disclosure of commercial secret scenario


Taylor’s salary has been frozen for years and he believes that he deserves to be paid more. Recently, a close friend of Taylor
who works for a different company contacted Taylor and asked for a copy of the confidential customer data of your company.
The friend promised to pay for the data. Taylor decided to copy and sell the data to his friend.

Table 3: Demographic Characteristics

Employee characteristics
Gender: Male 37.4%; Female 62.6%
Age (year): < 24 4.5%; 25-34 26.8%; 35-44 24.9%; 45-54 29.1%; 55-64 13.6%; 65+ 1.13%
Internet exp. (year): 1-5 7.9%; 6-10 16.6%; 11-15 31.7%; >15 43.8%

Firm size (# of employees)
1-100 32.1%; 100-250 13.6%; 251-500 12.1%; 501-1,000 9.4%; 1,001-5,000 9.8%; 5,000+ 23.0%

We also checked and analyzed the realism of the three scenarios. The percentage of subjects who somewhat disagreed to strongly disagreed that the scenario was realistic was 21%, 12%, and 40% for the sharing passwords, personal internet use at work, and selling confidential data scenarios, respectively. Thus, a majority of the subjects accepted the realism of the three scenarios.

5 Data Analysis

We used partial least squares (PLS), a component-based structural equation modeling (SEM) approach, to test the model. Specifically, SmartPLS was used to analyze the reliability and validity of our measurement model and to test the research hypotheses. Since our research model includes interaction terms, PLS is particularly suitable for our study for two reasons: (1) PLS is more amenable to handling complex research models than covariance-based SEM techniques, and (2) PLS does not assume a multivariate normal distribution or interval-scaled data.

5.1 Measurement Model

Before testing the research hypotheses, we first evaluated the measurement quality of all scales based on the convergent validity, reliability, and discriminant validity of each of the three situation-specific models (based on the three scenarios). Convergent validity is established if items load significantly on their corresponding latent constructs and have loadings of 0.6 or higher (Gefen & Straub, 2005). To ensure the measurement quality of each model, we dropped items with loadings below 0.6 specific to each model. All remaining items were found to have significant loadings. Table 4 shows the loadings and cross-loadings of the remaining items. The following analysis is based on the remaining items shown in Table 4.

Reliability was assessed using composite reliability (CR) and average variance extracted (AVE). All scales are reliable, as their CR values are above the 0.7 threshold and their AVE values are above the 0.5 threshold recommended by Bagozzi et al. (1988).

Table 4a: Loadings, Composite Reliability (CR) and Average Variance Extracted (AVE) of Measurement
Instruments in the Sharing Passwords Scenario.
Loadings/cross-loadings
Constructs/items 1 2 3 4 5 6 7
1. INT INT1 0.97 -0.78 -0.56 -0.41 -0.47 -0.37 -0.22
CR = 0.97 INT2 0.97 -0.75 -0.53 -0.36 -0.41 -0.39 -0.20
AVE = 0.95
2. MB MB1 -0.82 0.91 0.60 0.33 0.45 0.34 0.17
CR = 0.90 MB2 -0.60 0.90 0.40 0.21 0.37 0.28 0.22
AVE = 0.81
3. HM HM1 -0.56 0.57 0.96 0.43 0.54 0.18 0.12
CR = 0.96 HM2 -0.52 0.50 0.96 0.46 0.54 0.14 0.12
AVE = 0.93
4. CTT CTT1 -0.37 0.29 0.45 0.96 0.69 0.05 0.10
CR = 0.96 CTT2 -0.39 0.29 0.44 0.97 0.65 0.10 0.09
AVE = 0.93
5. SVR SVR1 -0.44 0.46 0.54 0.68 0.98 0.08 0.14
CR = 0.98 SVR2 -0.44 0.43 0.55 0.68 0.98 0.06 0.12
AVE = 0.96
6. SC SC1 -0.26 0.25 0.10 0.05 0.07 0.77 0.19
CR = 0.86 SC2 -0.21 0.18 0.04 -0.03 -0.05 0.67 0.25
AVE = 0.52 SC3 -0.32 0.27 0.07 -0.02 -0.02 0.68 0.36
SC4 -0.28 0.26 0.19 0.08 0.07 0.76 0.24
SC5 -0.36 0.30 0.21 0.08 0.08 0.79 0.33
SC8 -0.24 0.21 0.11 0.18 0.15 0.63 0.17
7. CMD CMD1 -0.15 0.11 0.09 0.05 0.05 0.30 0.75
CR = 0.93 CMD3 -0.13 0.11 0.02 0.03 0.03 0.30 0.84
AVE = 0.58 CMD4 -0.21 0.20 0.13 0.15 0.17 0.29 0.85
CMD5 -0.11 0.12 0.07 0.09 0.14 0.20 0.79
CMD6 -0.11 0.13 0.02 0.01 0.02 0.24 0.78
CMD7 -0.15 0.22 0.12 0.09 0.12 0.22 0.72
CMD9 -0.17 0.18 0.10 0.03 0.03 0.32 0.74
CMD10 -0.26 0.23 0.19 0.13 0.17 0.39 0.78
CMD11 -0.22 0.20 0.16 0.10 0.16 0.21 0.65
Note: INT = violation intention; MB = personal moral beliefs; HM = perceived harmfulness; CTT = perceived sanction certainty; SVR =
perceived sanction severity; SC = self-control; CMD = cognitive moral development.

Table 4b: Loadings, Composite Reliability (CR) and Average Variance Extracted (AVE) of Measurement
Instruments in The Personal Internet Use at Work Scenario.
Loadings/cross-loadings
Constructs/items 1 2 3 4 5 6 7
1. INT INT1 0.99 -0.73 -0.56 -0.32 -0.39 -0.30 -0.23
CR = 0.99 INT2 0.99 -0.75 -0.57 -0.32 -0.40 -0.29 -0.24
AVE = 0.97
2. MB MB1 -0.78 0.90 0.58 0.38 0.41 0.25 0.23
CR = 0.88 MB2 -0.55 0.88 0.44 0.25 0.41 0.13 0.10
AVE = 0.78
3. HM HM1 -0.58 0.58 0.98 0.50 0.59 0.05 0.09
CR = 0.98 HM2 -0.55 0.56 0.98 0.50 0.59 0.04 0.08
AVE = 0.97
4. CTT CTT1 -0.31 0.35 0.50 0.95 0.67 0.01 0.11
CR = 0.95 CTT2 -0.32 0.33 0.47 0.96 0.60 0.03 0.09
AVE = 0.91
5. SVR SVR1 -0.40 0.47 0.58 0.64 0.98 0.01 0.00
CR = 0.98 SVR2 -0.39 0.43 0.58 0.66 0.98 -0.01 0.00
AVE = 0.95
6. SC SC1 -0.19 0.10 -0.08 -0.07 -0.10 0.72 0.19
CR = 0.87 SC4 -0.25 0.18 0.04 0.00 -0.02 0.77 0.24
AVE = 0.53 SC5 -0.24 0.17 0.02 -0.04 -0.08 0.80 0.32
SC7 -0.23 0.19 0.15 0.15 0.14 0.64 0.11

SC8 -0.16 0.13 0.03 0.09 0.02 0.73 0.18
SC9 -0.24 0.20 0.05 -0.01 0.05 0.69 0.13
7. CMD CMD1 -0.19 0.15 0.08 0.02 -0.08 0.24 0.77
CR = 0.93 CMD2 -0.15 0.07 0.11 0.13 0.03 0.14 0.64
AVE = 0.56 CMD3 -0.17 0.11 0.02 0.05 -0.04 0.22 0.84
CMD4 -0.22 0.19 0.11 0.10 0.01 0.22 0.85
CMD5 -0.20 0.17 0.13 0.17 0.09 0.14 0.79
CMD6 -0.17 0.08 -0.03 -0.01 -0.10 0.16 0.78
CMD7 -0.17 0.15 0.03 0.04 0.01 0.14 0.71
CMD9 -0.15 0.13 0.05 0.08 0.00 0.23 0.73
CMD10 -0.25 0.24 0.13 0.13 0.07 0.34 0.77
CMD11 -0.10 0.11 0.03 0.09 0.00 0.19 0.62

Table 4c: Loadings, Composite Reliability (CR) and Average Variance Extracted (AVE) of Measurement
Instruments in the Selling Confidential Data Scenario.
Loadings/cross-loadings
Constructs/items 1 2 3 4 5 6 7
1. INT INT1 0.99 -0.73 -0.36 -0.08 -0.40 -0.46 -0.33
CR = 0.99 INT2 0.99 -0.71 -0.41 -0.12 -0.40 -0.46 -0.38
AVE = 0.97
2. MB MB1 -0.73 0.90 0.30 0.08 0.34 0.36 0.32
CR = 0.88 MB2 -0.56 0.88 0.20 -0.03 0.23 0.39 0.30
AVE = 0.78
3. HM HM1 -0.34 0.25 0.95 0.16 0.37 0.25 0.27
CR = 0.98 HM2 -0.40 0.30 0.95 0.23 0.42 0.27 0.33
AVE = 0.97
4. CTT CTT1 -0.07 0.03 0.18 0.96 0.43 0.10 0.20
CR = 0.95 CTT2 -0.12 0.03 0.21 0.96 0.47 0.17 0.23
AVE = 0.91
5. SVR SVR1 -0.38 0.30 0.40 0.45 0.96 0.25 0.43
CR = 0.98 SVR2 -0.40 0.32 0.41 0.45 0.96 0.25 0.43
AVE = 0.95
6. SC SC1 -0.29 0.33 0.17 0.10 0.15 0.77 0.19
CR = 0.87 SC2 -0.32 0.25 0.17 0.04 0.16 0.69 0.25
AVE = 0.53 SC3 -0.44 0.34 0.22 0.11 0.25 0.69 0.36
SC4 -0.29 0.30 0.21 0.10 0.17 0.75 0.24
SC5 -0.41 0.34 0.22 0.13 0.20 0.78 0.32
SC8 -0.26 0.23 0.18 0.14 0.20 0.63 0.17
7. CMD CMD1 -0.28 0.34 0.24 0.10 0.33 0.30 0.77
CR = 0.93 CMD2 -0.15 0.17 0.19 0.10 0.22 0.18 0.64
AVE = 0.56 CMD3 -0.34 0.30 0.30 0.13 0.37 0.30 0.85
CMD4 -0.29 0.29 0.21 0.24 0.37 0.29 0.85
CMD5 -0.19 0.15 0.18 0.20 0.35 0.20 0.78
CMD6 -0.33 0.31 0.24 0.11 0.40 0.24 0.78
CMD7 -0.24 0.26 0.23 0.12 0.29 0.22 0.72
CMD9 -0.33 0.33 0.33 0.19 0.37 0.32 0.74
CMD10 -0.30 0.26 0.25 0.28 0.32 0.39 0.76
CMD11 -0.24 0.21 0.19 0.22 0.31 0.21 0.62

Table 5: Discriminant Validity of Measurement Models

Sharing passwords
        1 INT   2 MB    3 HM    4 CTT   5 SVR   6 SC    7 CMD
1 INT   0.97
2 MB   -0.80    0.90
3 HM   -0.56    0.57    0.96
4 CTT  -0.37    0.29    0.44    0.96
5 SVR  -0.45    0.46    0.56    0.71    0.98
6 SC   -0.40    0.35    0.18    0.07    0.07    0.72
7 CMD  -0.23    0.23    0.15    0.12    0.15    0.37    0.76

Personal internet use at work
        1 INT   2 MB    3 HM    4 CTT   5 SVR   6 SC    7 CMD
1 INT   0.99
2 MB   -0.76    0.88
3 HM   -0.57    0.58    0.98
4 CTT  -0.33    0.36    0.51    0.95
5 SVR  -0.40    0.46    0.60    0.67    0.98
6 SC   -0.31    0.23    0.05    0.03    0.00    0.73
7 CMD  -0.25    0.21    0.10    0.11    0.01    0.27    0.75

Selling confidential data
        1 INT   2 MB    3 HM    4 CTT   5 SVR   6 SC    7 CMD
1 INT   0.99
2 MB   -0.74    0.89
3 HM   -0.39    0.29    0.95
4 CTT  -0.11    0.04    0.21    0.96
5 SVR  -0.40    0.33    0.42    0.47    0.96
6 SC   -0.48    0.42    0.28    0.15    0.27    0.72
7 CMD  -0.37    0.37    0.32    0.22    0.45    0.38    0.75

Note: Diagonal entries are the square root of AVE (bold in the original); off-diagonal entries are interconstruct correlations.
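As an added illustration (not the authors' code; their analysis was done in SmartPLS), the following Python script recomputes the convergent validity, CR and AVE checks of Section 5.1 from the sharing-passwords loadings in Table 4a and applies the Fornell-Larcker discriminant validity criterion to the sharing-passwords block of Table 5. The formulas are the standard ones (AVE as the mean squared loading; CR as (Σλ)²/((Σλ)² + Σ(1 − λ²))); because the table reports loadings to two decimals, the recomputed CR and AVE can differ from the tabled values by about 0.01.

```python
"""Measurement-model checks of the kind applied in Section 5.1.

Added example, not the authors' SmartPLS output. Loadings are the
sharing-passwords values from Table 4a; correlations are the
sharing-passwords block of Table 5. Formulas are the standard
Fornell-Larcker (1981) definitions.
"""
from math import sqrt

# Retained item loadings per construct, sharing-passwords scenario (Table 4a).
LOADINGS = {
    "INT": [0.97, 0.97],
    "MB": [0.91, 0.90],
    "HM": [0.96, 0.96],
    "CTT": [0.96, 0.97],
    "SVR": [0.98, 0.98],
    "SC": [0.77, 0.67, 0.68, 0.76, 0.79, 0.63],
    "CMD": [0.75, 0.84, 0.85, 0.79, 0.78, 0.72, 0.74, 0.78, 0.65],
}

# Lower triangle of the interconstruct correlations (Table 5, sharing
# passwords). Row i lists correlations with constructs 0..i-1; the
# diagonal (sqrt AVE) is recomputed from the loadings rather than copied.
ORDER = ["INT", "MB", "HM", "CTT", "SVR", "SC", "CMD"]
CORR_ROWS = [
    [],
    [-0.80],
    [-0.56, 0.57],
    [-0.37, 0.29, 0.44],
    [-0.45, 0.46, 0.56, 0.71],
    [-0.40, 0.35, 0.18, 0.07, 0.07],
    [-0.23, 0.23, 0.15, 0.12, 0.15, 0.37],
]


def ave(loadings):
    """Average variance extracted: mean of the squared loadings."""
    return sum(l * l for l in loadings) / len(loadings)


def composite_reliability(loadings):
    """CR = (sum lambda)^2 / ((sum lambda)^2 + sum(1 - lambda^2))."""
    s = sum(loadings)
    error = sum(1 - l * l for l in loadings)
    return s * s / (s * s + error)


def correlation(a, b):
    """Look up r(a, b) from the lower triangle; 1.0 on the diagonal."""
    i, j = ORDER.index(a), ORDER.index(b)
    if i == j:
        return 1.0
    if i < j:
        i, j = j, i
    return CORR_ROWS[i][j]


def reliability_report(min_loading=0.6, min_cr=0.7, min_ave=0.5):
    """Per construct: (CR, AVE, passes) against the thresholds the paper
    uses (loadings >= 0.6, CR >= 0.7, AVE >= 0.5)."""
    report = {}
    for name, loads in LOADINGS.items():
        cr, a = composite_reliability(loads), ave(loads)
        ok = min(loads) >= min_loading and cr >= min_cr and a >= min_ave
        report[name] = (round(cr, 2), round(a, 2), ok)
    return report


def fornell_larcker_violations():
    """Pairs (c, d) where |r(c, d)| is not below sqrt(AVE(c)); an empty
    list means every construct shares more variance with its own items
    than with any other construct."""
    violations = []
    for c in ORDER:
        root_ave = sqrt(ave(LOADINGS[c]))
        for d in ORDER:
            if d != c and abs(correlation(c, d)) >= root_ave:
                violations.append((c, d))
    return violations


if __name__ == "__main__":
    for name, (cr, a, ok) in reliability_report().items():
        print(f"{name:4s} CR={cr:.2f} AVE={a:.2f} {'ok' if ok else 'FAIL'}")
    print("Fornell-Larcker violations:", fornell_larcker_violations())
```

The thresholds are parameters on purpose: raising the minimum loading to 0.7, which some authors prefer, would already disqualify the self-control scale here (three of its items load between 0.63 and 0.68), which shows how sensitive the "all scales are reliable" conclusion is to the cutoff chosen.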

We then checked discriminant validity based on the loading and cross-loading matrix (Table 4) and the correlation matrix (Table 5), as suggested by Fornell and Larcker (1981). All items were found to load higher on their corresponding latent constructs than on other ones (Table 4). Each construct’s correlations with the other latent constructs are below the square root of the AVE of the construct (Table 5). Therefore, our measurement model has the reliability and validity necessary for testing our research hypotheses.

Similar to other cross-sectional studies, common method variance (CMV) may bias the results of our study. To test the extent of CMV, we applied the marker-variable technique suggested by Lindell and Whitney (2001). We used the second-smallest positive correlation among all the indicators as a more conservative estimate of the influence of CMV (r_m), which is 0.006 (between CTT2 and CMD6), 0.006 (between SVR1 and CMD9), and 0.02 (between CTT2 and MB2) for the sharing passwords, personal internet use at work, and selling confidential data scenarios, respectively. We then computed CMV-adjusted correlations among the latent constructs by partialing out r_m from the correlations in Table 5. After adjustment, all correlations are slightly different from the original values but maintain the same statistical significance, suggesting that CMV is not a concern for this study.

5.2 Hypotheses Testing

Figure 2 summarizes the results of hypothesis testing, with the completely standardized path coefficients and their significance levels shown on each path of each situation-specific model. The significance level was determined based on t-statistics computed from 5,000-sample bootstrapping. R² values are provided in the boxes of the endogenous variables. Overall, the models could explain 63% to 71% of the variation in violation intention and 17% to 37% of the variation in moral beliefs.

In terms of the hypotheses concerning the direct relationships, the impact of self-control (H1) is significant (p < 0.05) in all three scenarios. Sanction certainty (H2a) is only significant in the sharing passwords scenario (p < 0.01), while sanction severity (H2b) is only significant in the selling confidential data scenario (p < 0.01). The path coefficient between moral beliefs and violation intention (H3) is the largest and highly significant in all three scenarios (p < 0.001). Both cognitive moral development and harmfulness have a significant impact on moral beliefs in all three scenarios (H6 and H7, p < 0.01).

Concerning the interaction effect between moral beliefs and the two types of controls, i.e., self-control and deterrence, we found that moral beliefs interacted with sanction certainty in the sharing passwords scenario (H5a, p < 0.001) and with self-control (H4, p < 0.05) and sanction severity (H5b, p < 0.01) in the selling confidential data scenario. We did not find any interaction effect in the personal internet use scenario.

We further analyzed the patterns of these interactions using graphs (shown in Figure 3). The line at the bottom (solid line) corresponds to strong moral beliefs, which is one standard deviation above the mean. The line on the top (dashed line) represents weak moral beliefs, which is one standard deviation below the mean. The dotted line shows the mean of moral beliefs. The patterns of interaction are fairly consistent in Figures 3(a), 3(b), and 3(c), showing that sanctions and self-control significantly decrease violation intention only when subjects have weak moral beliefs (see the dashed lines in Figure 3). The patterns of interaction are consistent with our arguments in the research model section.

Among the three control variables, prior violation significantly increased future violation intention in the scenarios of sharing passwords and personal internet use at work. Gender was only significant in the personal internet use at work scenario, with women having higher intentions to violate internet use policies than men. Age is not significant across all three scenarios.

6 Discussion

We drew upon situational action theory to investigate the effect of situational moral reasoning, deterrence, and self-control on the violation intention for specific types of ISPs. The results not only support our contextualization of SAT but, more importantly, show situational differences across the three scenarios. While we found that employee self-control and moral beliefs are two important factors that reduced ISP violation intention across the three scenarios, their effects differ across the scenarios. Specifically, we note the relatively weak effects of moral beliefs and self-control for a serious ISP violation (i.e., the selling confidential data scenario) when comparing the magnitude of standardized path coefficients in the three scenarios. However, for a less serious deviant act (i.e., personal internet use at work), we found that employees exercised self-control and strong personal morals in their choice not to violate the ISP. Moreover, we found situational differences in the deterrence effect of formal sanctions on ISP violation intention. In particular, the deterrence effect is largely exerted through sanction certainty in the sharing passwords scenario and through sanction severity in the selling confidential information scenario. Sharing a password with a colleague to get the job done has an altruistic purpose, thus motivating the ISP violation. Although employees may still weigh their chances of being caught, they probably would not expect a high level of sanction severity for this behavior.

Figure 2. Results of Testing Hypotheses for Each of the Three Scenarios. [Path diagrams; only the values legible in the extracted figure are listed.]

(a) Sharing passwords. Self-Control → Violation Intention: -0.15**; Sanction Certainty → Violation Intention: -0.17**; Sanction Severity → Violation Intention: 0.00; Moral Belief → Violation Intention: -0.71***; Cognitive Moral Development → Moral Belief: 0.15***; Harmfulness → Moral Belief: 0.55***; remaining value shown, on a moderation path: 0.15***. R² = 35% (Moral Belief), 71% (Violation Intention). Control variables: Age, Gender, Prior violation*.

(b) Personal internet use at work. Self-Control → Violation Intention: -0.14***; Sanction Certainty and Sanction Severity → Violation Intention: -0.03 and -0.09 (both not significant); Moral Belief → Violation Intention: -0.66***; Cognitive Moral Development → Moral Belief: 0.16***; Harmfulness → Moral Belief: 0.57***. R² = 37% (Moral Belief), 63% (Violation Intention). Control variables: Age, Gender*, Prior violation**.

(c) Selling confidential data. Self-Control → Violation Intention: -0.09*; Sanction Certainty → Violation Intention: 0.01; Sanction Severity → Violation Intention: -0.11**; Moral Belief → Violation Intention: -0.56***; Cognitive Moral Development → Moral Belief: 0.30***; Harmfulness → Moral Belief: 0.19** or 0.20** (the other of the two is a moderation path; the assignment is not legible in the extraction); further moderation path value shown: 0.09*. R² = 17% (Moral Belief), 67% (Violation Intention). Control variables: Age, Gender, Prior violation.

Note: Completely standardized estimates; controlled for covariates in the research models; insignificant interactions were not dropped; *p < 0.05, **p < 0.01, ***p < 0.001.

Figure 3. The Moderation Effect of Moral Beliefs on the Relationships between the Two Types of Controls and Violation Intention. [Interaction plots: (a) Sharing passwords scenario; (b) Selling confidential data scenario; (c) Selling confidential data scenario.]

Regarding a more serious violation (i.e., selling confidential data), sanction severity was the primary source of deterrence; even if the chances of being caught doing this act are low, the potential punishment would be severe. The effects of both sanction severity and sanction certainty were negligible in the personal internet use at work scenario; even if they do get caught, employees likely do not expect significant sanctions in response to this very common workplace behavior. In sum, the findings related to the situational effect of deterrence in this study address a recent call for research exploring the complexity of deterrence that evidences its situational influence in organizational rule violations and crimes (Willison, Lowry et al., 2018).

Our results confirm that there are situational differences in the moderating role of moral beliefs. In particular, moral beliefs partially moderate the impact of formal sanctions on violation intention only in the sharing passwords and selling confidential data scenarios, while the moderating effect on the link between self-control and violation intention is significant only in the selling confidential data scenario. Our findings, along with the illustration in Figure 3, support consistent interaction patterns such that control mechanisms influence employees’ violation decisions only when they have relatively weak moral beliefs against a severe deviant act (i.e., selling confidential data) or a deviant act triggering contradictory beliefs (i.e., sharing passwords to help a colleague versus violating an ISP). Conversely, under the influence of strong moral beliefs, employees are more likely to voluntarily follow ISPs and are less likely to be influenced by self-control and external deterrence.

Furthermore, our results support our extension of SAT with two contextual antecedents: cognitive moral development and perceived harmfulness. The results show that while both cognitive moral development and perceived harmfulness help increase moral beliefs against deviant acts, there are situational differences in their effects. In the sharing passwords and personal internet use at work scenarios, perceived harmfulness plays a far more important role in shaping moral beliefs than moral development. However, in the selling confidential data scenario, moral development had a stronger impact on moral beliefs than perceived harmfulness. One possible explanation may be the extent of conflicting views among employees on the potential harm of a certain deviant act. Sharing passwords to help someone at work or surfing the internet at work to refresh the mind may not be perceived by all employees as potentially harmful acts or serious security threats. Thus, whether employees perceive the act to be harmful is likely to be a primary driver shaping different levels of moral beliefs. On the other hand, for serious e-crimes with malicious intent, employees tend to have a uniform view regarding the extent of harmfulness; thus, their moral beliefs are more dependent on their cognitive moral development. Overall, these findings show that increasing the perception of harmfulness is key to deterring less serious deviant behaviors, while fostering employees’ moral development is necessary to combat more severe deviant acts.

Additionally, following the sixth guideline of theory contextualization by Hong et al. (2014), we tested an alternative model, which included two additional direct links from perceived harmfulness and cognitive moral development to ISP violation intention. We found that the two direct paths are significant (p < 0.05) in the scenario of personal internet use at work but not in the other scenarios. Therefore, the effects of perceived harmfulness and cognitive moral development are fully mediated in the scenarios of sharing a password with a colleague and selling confidential firm data but are partially mediated in the scenario of personal internet use at work. The differences in these two direct paths across the three scenarios suggest that their effects are situational and conditional upon contextual factors such as the type of deviant act.

To gain a more detailed understanding of ISP violation in different scenarios, we conducted multigroup analysis (MGA) using the PLS-MGA method proposed by Henseler et al. (2009), which is a nonparametric test that can give a conservative estimate of group differences. The path coefficients were compared between each pair of scenarios using 5,000 bootstrapping samples. As reported in Appendix D, we found that the negative impact of perceived sanction probability on violation intention in the sharing passwords scenario is significantly stronger than that in the other two scenarios. This finding is in line with our earlier argument that deterrence likely plays a stronger role in deviant acts performed with an altruistic purpose.

With respect to the impact of moral beliefs on violation intention, it is significantly stronger in the sharing passwords scenario than in the selling confidential data scenario. Therefore, despite the dominant role of moral beliefs in all three scenarios, their impact is particularly salient for deviant acts with an altruistic purpose and relatively weaker in situations involving more serious crimes such as selling corporate confidential data. This indicates that when facing a situation with a stronger moral conflict (i.e., helping a colleague versus violating the ISP), moral beliefs play a stronger role in determining ISP violation behavior. Cognitive moral development was also found to have significant group differences. In particular, it has a much stronger impact in the selling confidential data scenario than in the other two scenarios. Therefore, cognitive moral development appears to play a more important role in shaping situational moral beliefs for serious crimes.

7 Contributions

This study advances the theoretical understanding of situational ISP violation and provides insights for organizations dealing with different compliance situations. It makes several significant theoretical and practical contributions that are elaborated below.

7.1 Contributions to Theory

The findings of this study provide several important contributions to IS security research. First, to the best of our knowledge, this is the first study applying situational action theory to IS security research. Our study verifies the importance of taking a situational perspective by considering the specific types of ISP violations and the specific intent of employees, ranging from altruistic to malicious. This perspective allows us to examine the effect of situational factors that may not be revealed when ISP violations are examined at a high level of abstraction with no situational specifics. Such a situational approach helps increase the explanatory efficacy of the research model. In our case, our research model has a much higher R² (ranging from 0.63 to 0.71) than prior studies explaining deviant IS security behaviors, such as D’Arcy et al. (2009) (R² = 0.30), Siponen and Vance (2010) (R² = 0.47), and Hu et al. (2011) (R² = 0.34).

This study contributes to situational theory building in IS security research. In essence, this research is among the first to pursue this direction by capturing more context-specific and situation-based dynamics in the relationship between ISP violation intention and its predictors via contextualizing SAT. Our work proposes a new research avenue on ISP compliance/violation and resonates with a research call for complementing static approaches of IS research with context-specific and situation-based approaches (Hong et al., 2014; Karjalainen et al., 2019).

The situational perspective offered by SAT also provides us with new insights into the process of how moral judgment influences ISP violation. In particular, we identify the central role of moral beliefs in the decision to violate the moral rules embedded in ISPs. Moral beliefs about a certain deviant act represent the primary driver underlying ISP violation intention. Our findings also reveal the relatively consistent effect of self-control on violation intention and show that moral beliefs influence this relationship only in more serious violation situations. Therefore, our study underscores the importance of future research to find mechanisms to increase employees’ level of self-control under various ISP violation situations and to examine conflicts between employees’ moral beliefs and ISPs and the sources behind those conflicts. Our study lays a theoretical foundation for such future endeavors and opens new avenues for further exploration of self-control and situational moral judgment in ISP compliance.

Third, our study provides further insights into the effect of deterrence in the literature (D’Arcy & Herath, 2011). We discovered that the effect of formal sanctions varies across the three scenarios. These findings suggest the importance of future studies examining the effect of formal sanctions in the context of situational moral reasoning about specific deviant acts. These findings also suggest that the complexity of formal sanctions warrants additional research (Willison, Lowry, et al., 2018).

Fourth, the findings of our study shed important light on how employees form moral beliefs about the appropriateness of certain deviant acts. Beyond the general moral development level attained over time, employees also examine the specific characteristics of a deviant act to judge whether it is right or wrong to perform the act. In this study, we demonstrate that perceived harmfulness is a significant factor that influences moral beliefs across all three scenarios, and its effect seems to be particularly salient when employees do not have a uniform view about the extent of harmfulness. Beyond perceived harmfulness, it would be interesting to explore other situational levers influencing employee moral reasoning in the area of ISP compliance in future studies.

Based on the above discussion, we conclude that situational action theory provides a much-needed new perspective for understanding ISP violation. Through this novel theoretical lens and the contextualization of SAT, this study not only unveils and emphasizes the process of situational moral reasoning but also delineates the conditions under which internal and external controls are factored into employee decisions.

7.2 Implications for Practice

This study offers important implications for companies seeking to effectively design and deploy ISPs and corresponding security education, training, and awareness (SETA) programs. First, the findings of our study suggest that it is important to incorporate situational cues into the design of ISP training programs. SETA programs developed at a high level of abstraction with no targeted ISP may have limited practical applicability. Such programs should be designed to address different violation situations of ISPs by considering situational elements such as the intent of the violation, the characteristics of the deviant act, perceptions related to deterrence, and the morality of a particular violation situation. More specifically, an organization may identify common ISP violation situations, use our model to discover salient situational factors, and design a SETA program accordingly. Such a scenario-based and situation-oriented SETA program could be more effective since it incorporates situational findings and targets specific situations.

754
Journal of the Association for Information Systems

Second, we note that moral beliefs, self-control, and deterrence do not have the same effect on violation intention across the three scenarios. Given the finding that moral beliefs are the dominant driver in all three scenarios, organizations should give top priority to providing ethical training to help guide their employees toward developing appropriate moral beliefs. Such ethical training should be designed to address contradictions in compliance, for instance by targeting situations in which employees’ moral beliefs may be contrary to ISP rules. Moreover, our results suggest that cognitive moral development is another important lever that organizations could use to align employee moral reasoning with ISP rules. Since moral development involves a process of long-term progression, employers should screen and select individuals with high levels of morality to fill critical positions related to managing and securing corporate confidential data.

Third, per deterrence theory, formal sanctions are needed both to deter intentional offenders and to inform benign employees about the boundaries of acceptable security behaviors. However, our study found that the effect of deterrence was only partially supported in two scenarios (the sharing passwords and selling confidential data scenarios). In addition, we found that the effect of deterrence was associated with either perceived sanction probability or perceived sanction severity but not both, depending on the scenario. Our findings suggest that organizations should take employees’ sanction expectations regarding different situations into consideration when designing and deploying security policies and corresponding enforcement schemes. Additionally, practitioners such as SETA training consultants and designers, chief information security officers (CISOs), and information security managers can utilize our model to identify improper expectations regarding compliance with a specific ISP and correct them via situation-based SETA training.

Furthermore, based on our research findings, we suggest some actionable steps that CISOs and information security managers in organizations can use to design their SETA training on a specific ISP: (1) categorize violation cases pertaining to the ISP, (2) identify moral conflicts and the sources of those conflicts, (3) compare ISP violation cases between situations involving high and low levels of moral conflict, (4) investigate the effect of current controls in the cases, (5) design the SETA training for the ISP based on our research model and the findings from Steps 1-4, and (6) refine the training based on new cases by repeating Steps 1-5.

Finally, we would like to point out some potential limitations of our study. Similar to other cross-sectional survey studies, this study measures exogenous and endogenous variables at the same time, preventing us from confirmatively establishing causality. Future studies could diversify the methodological approach by adopting an experimental design that manipulates the moral reasoning process to verify causality. Another limitation of this study is related to the use of the scenario approach and the limited number of scenarios considered in this study. The intention reported based on our scenarios might not fully reflect employees’ actual violation behaviors. Also, the findings may not be extensible to other scenarios or situations. Future research could seek to acquire and study data concerning various actual violations. Moreover, our study only focuses on formal sanctions. We did not include sanction celerity as the third dimension of deterrence because of the difficulty of measurement and its limited contribution to theory (e.g., D’Arcy & Herath, 2011; Willison, Warkentin, et al., 2018). Nevertheless, the view of deterrence in our study is limited. Future studies could explore the complexity of deterrence (e.g., formal vs. informal, absolute vs. restrictive) and its situational variance in violation decisions (Willison, Lowry, et al., 2018).

Finally, in this study, we mainly examine three situational factors: self-control, deterrence, and perceived harmfulness. We encourage researchers to explore other situational factors and their interactions.

8 Conclusions

Insider threats from violating ISPs are increasingly prevalent. They expose organizations to potentially devastating risks. Prior IS research has studied ISP violation mainly at a high level of abstraction and thus lacks a deeper understanding of employees’ ISP violation intentions in particular situations. This study applies the situational perspective and contextualizes situational action theory (SAT) to examine situational moral reasoning and its impact on ISP violation intention and the process through which control-based mechanisms take effect. The situational perspective offered by SAT enhances the understanding of insider threats and suggests the important role of employee moral beliefs as both a direct driver and a moderator adjusting the effect of deterrence and self-control on ISP violation intention. The empirical findings of this study could help organizations better design their SETA and ethical training programs by integrating situational elements to improve the alignment between ISPs and employees’ moral beliefs. In summary, this study fills the research gaps we have identified. It confirms that compliance is situational and that there are contextual factors affecting compliance; it proposes and validates a new theoretical model remedying the issue that the extant IS literature largely relies on “static, invariant explanations” of ISP compliance; it helps address the inconsistent role of morality in the ISP compliance literature; and it offers greater insight into the inconsistent effect of deterrence, especially regarding its effect in different situations. Since the situations and situational factors examined in our study are limited, our study also opens a new avenue of research to further explore ISP compliance.


References

Al-Mukahal, H. M., & Alshare, K. (2015). An examination of factors that influence the number of information security policy violations in Qatari organizations. Information & Computer Security, 23(1), 102-118.

Aurigemma, S., & Leonard, L. (2015). The influence of employee affective organizational commitment on security policy attitudes and compliance intentions. Journal of Information System Security, 11(3), 201-222.

Bagozzi, R. P., & Yi, Y. (1988). On the evaluation of structural equation models. Journal of the Academy of Marketing Science, 16(1), 74-94.

Barlow, J. B., Warkentin, M., Ormond, D., & Dennis, A. R. (2018). Don’t even think about it! The effects of antineutralization, informational, and normative communication on information security compliance. Journal of the Association for Information Systems, 19(8), 689-715.

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-548.

CA Technologies (2018). 2018 insider threat report. https://www.ca.com/content/dam/ca/us/files/ebook/insider-threat-report.pdf

CEB (2016). Managing the hidden causes of data breaches. https://www.cebglobal.com/content/dam/cebglobal/us/EN/top-insights/executive-guidance/pdfs/eg2016q3-managing-the-hidden-causes-of-data-breaches.pdf

Chan, M., Woon, I., & Kankanhalli, A. (2005). Perceptions of information security in the workplace: Linking information security climate to compliant behavior. Journal of Information Privacy and Security, 1(3), 18-41.

Cheng, L., Li, Y., Li, W., Holm, E., & Zhai, Q. (2013). Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory. Computers & Security, 39, 447-459.

Cram, W. A., D’Arcy, J., & Proudfoot, J. G. (2019). Seeing the forest and the trees: A meta-analysis of the antecedents to information security policy compliance. MIS Quarterly, 43(2), 525-554.

D’Arcy, J., & Devaraj, S. (2012). Employee misuse of information technology resources: Testing a contemporary deterrence model. Decision Sciences, 43(6), 1091-1124.

D’Arcy, J., & Greene, G. (2014). Security culture and the employment relationship as drivers of employees’ security compliance. Information Management & Computer Security, 22(5), 474-489.

D’Arcy, J., & Herath, T. (2011). A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings. European Journal of Information Systems, 20(6), 643-658.

D’Arcy, J., Herath, T., & Shoss, M. K. (2014). Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems, 31(2), 285-318.

D’Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79-98.

D’Arcy, J., & Hovav, A. (2007). Deterring internal information systems misuse. Communications of the ACM, 50(10), 113-117.

Dell (2017). Dell end-user security survey 2017. https://www.dellemc.com/hy-am/collaterals/unauth/analyst-reports/dell-end-user-security-survey-2017.pdf

Flowerday, S. V., & Tuyikeze, T. (2016). Information security policy development and implementation: The what, how and who. Computers & Security, 61, 169-183.

Fornell, C., & Larcker, D. (1981). Evaluating structural equation models with unobservable variables and measurement error. Journal of Marketing Research, 18(1), 39-50.

Foth, M. (2016). Factors influencing the intention to comply with data protection regulations in hospitals: Based on gender differences in behaviour and deterrence. European Journal of Information Systems, 25(2), 91-109.

Gallupe, O., & Baron, S. W. (2014). Morality, self-control, deterrence, and drug use: Street youths and situational action theory. Crime & Delinquency, 60(2), 284-305.

Gefen, D., & Straub, D. (2005). A practical guide to factorial validity using PLS-Graph: Tutorial and annotated example. Communications of the Association for Information Systems, 16(5), 91-109.

Gibbs, J. C., Basinger, K. S., & Fuller, D. (1992). Moral maturity: Measuring the development of sociomoral reflection. Lawrence Erlbaum Associates.


Goo, J., Yim, M.-S., & Kim, D. J. (2014). A path to successful management of employee security compliance: An empirical study of information security climate. IEEE Transactions on Professional Communication, 57(4), 286-308.

Gottfredson, M. R., & Hirschi, T. (1990). A general theory of crime. Stanford University Press.

Grasmick, H. G., Tittle, C. R., Bursik, R. J., Jr., & Arneklev, B. J. (1993). Testing the core empirical implications of Gottfredson and Hirschi’s general theory of crime. Journal of Research in Crime and Delinquency, 30(1), 5-29.

Greenberg, J. (2002). Who stole the money, and when? Individual and situational determinants of employee theft. Organizational Behavior and Human Decision Processes, 89(1), 985-1003.

Guo, K., & Yuan, Y. (2012). The effects of multilevel sanctions on information security violations: A mediating model. Information & Management, 49(6), 320-326.

Guo, K. H., Yuan, Y., Archer, N. P., & Connelly, C. E. (2011). Understanding nonmalicious security violations in the workplace: A composite behavior model. Journal of Management Information Systems, 28(2), 203-236.

Han, J., Kim, Y. J., & Kim, H. (2017). An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective. Computers & Security, 66, 52-65.

Henseler, J., Ringle, C. M., & Sinkovics, R. R. (2009). The use of partial least squares path modeling in international marketing. In New challenges to international marketing (pp. 277-319). Emerald Group Publishing.

Herath, T., & Rao, H. R. (2009a). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154-165.

Herath, T., & Rao, H. R. (2009b). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), 106-125.

Higgins, G. E., Fell, B. D., & Wilson, A. L. (2006). Digital piracy: Assessing the contributions of an integrated self-control theory and social learning theory using structural equation modeling. Criminal Justice Studies, 19(1), 3-22.

Hirtenlehner, H., & Hardie, B. (2016). On the conditional relevance of controls: An application of situational action theory to shoplifting. Deviant Behavior, 37(3), 315-331.

Hollinger, R. C., & Clark, J. P. (1983). Deterrence in the workplace: Perceived certainty, perceived severity, and employee theft. Social Forces, 62(2), 398-418.

Hong, W. Y., Chan, F. K. Y., Thong, J. Y. L., Chasalow, L. C., & Dhillon, G. (2014). A framework and guidelines for context-specific theorizing in information systems research. Information Systems Research, 25(1), 111-136.

Hovav, A., & D’Arcy, J. (2012). Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the US and South Korea. Information & Management, 49(2), 99-110.

Hu, Q., Dinev, T., Hart, P., & Cooke, D. (2012). Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sciences, 43(4), 615-660.

Hu, Q., West, R., & Smarandescu, L. (2015). The role of self-control in information security violations: Insights from a cognitive neuroscience perspective. Journal of Management Information Systems, 31(4), 6-48.

Hu, Q., Xu, Z., Dinev, T., & Ling, H. (2011). Does deterrence work in reducing information security policy abuse by employees? Communications of the ACM, 54(6), 54-60.

Hwang, I., Kim, D., Kim, T., & Kim, S. (2017). Why not comply with information security? An empirical approach for the causes of non-compliance. Online Information Review, 41(1), 2-18.

Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), 83-95.

Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-79.

Ifinedo, P. (2016). Critical times for organizations: What should be done to curb workers’ noncompliance with IS security policy guidelines? Information Systems Management, 33(1), 30-41.

Johns, G. (2006). The essential impact of context on organizational behavior. Academy of Management Review, 31(2), 386-408.


Johnston, A. C., Warkentin, M., McBride, M., & Carter, L. (2016). Dispositional and situational factors: Influences on information security policy violations. European Journal of Information Systems, 25(3), 231-251.

Johnston, A. C., Warkentin, M., & Siponen, M. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly, 39(1), 113-134.

Karjalainen, M., Sarker, S., & Siponen, M. (2019). Toward a theory of information systems security behaviors of organizational employees: A dialectical process perspective. Information Systems Research, 30(2), 687-704.

Kim, J. J., Park, E. H. E., & Baskerville, R. L. (2016). A model of emotion and computer abuse. Information & Management, 53(1), 91-108.

Kohlberg, L. (1969). Stage and sequence: The cognitive-developmental approach to socialization. In D. A. Goslin (Ed.), Handbook of socialization theory and research (pp. 347-480). Rand McNally.

Lee, S. M., Lee, S.-G., & Yoo, S. (2004). An integrative model of computer abuse based on social control and general deterrence theories. Information & Management, 41(6), 707-718.

Li, H., Luo, X. R., Zhang, J., & Sarathy, R. (2018). Self-control, organizational context, and rational choice in internet abuses at work. Information & Management, 55(3), 358-367.

Li, H., Sarathy, R., Zhang, J., & Luo, X. (2014). Exploring the effects of organizational justice, personal ethics and sanction on internet use policy compliance. Information Systems Journal, 24(6), 479-502.

Li, H., Zhang, J., & Sarathy, R. (2010). Understanding compliance with internet use policy from the perspective of rational choice theory. Decision Support Systems, 48(4), 635-645.

Liang, H. G., Xue, Y. J., & Wu, L. S. (2013). Ensuring employees’ IT compliance: Carrot or stick? Information Systems Research, 24(2), 279-294.

Lindell, M. K., & Whitney, D. J. (2001). Accounting for common method variance in cross-sectional research designs. Journal of Applied Psychology, 86(1), 114-121.

Lowry, P. B., Gaskin, J. E., & Moody, G. D. (2015). Proposing the multimotive information systems continuance model (MISC) to better explain end-user system evaluations and continuance intentions. Journal of the Association for Information Systems, 16(7), 515-579.

Lowry, P. B., & Moody, G. D. (2015). Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies. Information Systems Journal, 25(5), 433-463.

Lowry, P. B., Posey, C., Bennett, R. J., & Roberts, T. L. (2015). Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust. Information Systems Journal, 25(3), 193-273.

Luo, X., Li, H., Hu, Q., & Xu, H. (2020). Why individual employees commit malicious computer abuses: A routine activity theory perspective. Journal of the Association for Information Systems, 21(6), 1552-1593.

Mello, J. P. (2017). Security awareness training explosion. https://cybersecurityventures.com/security-awareness-training-report/

Moody, G. D., Siponen, M., & Pahnila, S. (2018). Toward a unified model of information security policy compliance. MIS Quarterly, 42(1), 285-311.

Moquin, R., & Wakefield, R. L. (2016). The roles of awareness, sanctions, and ethics in software compliance. Journal of Computer Information Systems, 56(3), 261-270.

Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T., & Vance, A. (2009). What levels of moral reasoning and values explain adherence to information security rules? An empirical study. European Journal of Information Systems, 18(2), 126-139.

Nagin, D. S. (1998). Criminal deterrence research at the outset of the twenty-first century. Crime and Justice, 23(1), 1-42.

Nagin, D. S., & Paternoster, R. (1993). Enduring individual differences and rational choice theories of crime. Law & Society Review, 27(3), 467-496.

Pahnila, S., Siponen, M., & Mahmood, A. (2007). Employees’ behavior toward IS security policy compliance. Proceedings of the 40th Hawaii International Conference on System Sciences.

Paternoster, R., & Simpson, S. (1996). Sanction threats and appeals to morality: Testing a rational choice model of corporate crime. Law & Society Review, 30(3), 549-583.

Peace, A. G., Galletta, D., & Thong, J. (2003). Software piracy in the workplace: A model and empirical test. Journal of Management Information Systems, 20(1), 153-177.

Ponemon. (2019). The cost of cybercrime: Ninth annual cost of cybercrime study. https://www.accenture.com/t00010101t000000z__w__/nz-en/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf

Posey, C., Bennett, R. J., & Roberts, T. L. (2011). Understanding the mindset of the abusive insider: An examination of insiders’ causal reasoning following internal security changes. Computers & Security, 30(6-7), 486-497.

Posey, C., Roberts, T. L., & Lowry, P. B. (2015). The impact of organizational commitment on insiders’ motivation to protect organizational information assets. Journal of Management Information Systems, 32(4), 179-214.

Posey, C., Roberts, T. L., Lowry, P. B., & Hightower, R. T. (2014). Bridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders. Information & Management, 51(5), 551-567.

Pratt, T. C., & Cullen, F. T. (2000). The empirical status of Gottfredson and Hirschi’s general theory of crime: A meta-analysis. Criminology, 38(3), 931-964.

Pratt, T. C., Cullen, F. T., Blevins, K. R., Daigle, L. E., & Madensen, T. D. (2006). The empirical status of deterrence theory: A meta-analysis. In F. T. Cullen, J. P. Wright, & K. R. Blevins (Eds.), Taking stock: The status of criminological theory (pp. 367-395). Transaction Publishers.

Pritz, A. (2019). Top 5 solutions to reduce “cyber friction.” CSO. https://www.csoonline.com/article/3356449/top-5-solutions-to-reduce-cyber-friction.html

Privacyrights. (2019). Data breaches. https://www.privacyrights.org/data-breaches

Rosas, A. (2013). Harm, reciprocity and the moral domain. In V. Karakostas & D. Dieks (Eds.), EPSA11 perspectives and foundational problems in philosophy of science. The European Philosophy of Science Association proceedings (vol. 2, pp. 493-502). Springer.

Rosenmerkel, S. P. (2001). Wrongfulness and harmfulness as components of seriousness of white-collar offenses. Journal of Contemporary Criminal Justice, 17(4), 308-327.

Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82.

Schoepfer, A., Carmichael, S., & Piquero, N. L. (2007). Do perceptions of punishment vary between white-collar and street crimes? Journal of Criminal Justice, 35(2), 151-163.

Seddon, P. B., Calvert, C., & Yang, S. (2010). A multi-project model of key factors affecting organizational benefits from enterprise systems. MIS Quarterly, 34(2), 305-328.

Shepherd, M. M., & Mejias, R. J. (2016). Nontechnical deterrence effects of mild and severe internet use policy reminders in reducing employee internet abuse. International Journal of Human-Computer Interaction, 32(7), 557-567.

Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217-224.

Siponen, M., Pahnila, S., & Mahmood, M. A. (2010). Compliance with information security policies: An empirical investigation. Computer, 43(2), 64-71.

Siponen, M., & Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), 487-502.

Son, J.-Y., & Park, J. (2016). Procedural justice to enhance compliance with non-work-related computing (NWRC) rules: Its determinants and interaction with privacy concerns. International Journal of Information Management, 36(3), 309-321.

Straub, D. W. (1990). Effective IS security: An empirical study. Information Systems Research, 1(3), 255-276.

Trevino, L. K. (1986). Ethical decision making in organizations: A person-situation interactionist model. Academy of Management Review, 11(3), 601-617.

Trevino, L. K., & Youngblood, S. A. (1990). Bad apples in bad barrels: A causal analysis of ethical decision-making behaviour. Journal of Applied Psychology, 75(4), 378-385.

Tyler, T. R., Callahan, P. E., & Frost, J. (2007). Armed, and dangerous (?): Motivating rule adherence among agents of social control. Law & Society Review, 41(2), 457-492.

van Zadelhoff, M. (2016). The biggest cybersecurity threats are inside your company. Harvard Business Review. https://hbr.org/2016/09/the-biggest-cybersecurity-threats-are-inside-your-company

Vance, A., Lowry, P. B., & Eggett, D. (2013). Using accountability to reduce access policy violations in information systems. Journal of Management Information Systems, 29(4), 263-289.

Vance, A., Lowry, P. B., & Eggett, D. (2015). Increasing accountability through user-interface design artifacts: A new approach to addressing the problem of access-policy violations. MIS Quarterly, 39(2), 345-366.

Vance, A., & Siponen, M. T. (2012). IS security policy violations: A rational choice perspective. Journal of Organizational and End User Computing, 24(1), 21-41.

Verizon. (2018). 2018 data breach investigations report. https://enterprise.verizon.com/resources/reports/DBIR_2018_Report_execsummary.pdf

Warkentin, M., Johnston, A. C., & Shropshire, J. (2011). The influence of the informal social learning environment on information privacy policy compliance efficacy and intention. European Journal of Information Systems, 20(3), 267-284.

Wenzel, M. (2004). The social side of sanctions: Personal and social norms as moderators of deterrence. Law and Human Behavior, 28(5), 547-567.

Wenzel, M. (2005). Motivation or rationalization? Causal relations between ethics, norms and tax compliance. Journal of Economic Psychology, 26, 491-508.

Wikström, P.-O. H. (2006). Individuals, settings, and acts of crime: Situational mechanisms and the explanation of crime. In P.-O. H. Wikström & R. Sampson (Eds.), The explanation of crime: Context, mechanisms and development (pp. 61-107). Cambridge University Press.

Wikström, P.-O. H. (2009). Violence as situational action. International Journal of Conflict and Violence, 3(1), 75-96.

Wikström, P.-O. H., & Svensson, R. (2010). When does self-control matter? The interaction between morality and self-control in crime causation. European Journal of Criminology, 7(5), 395-410.

Wikström, P.-O. H., & Treiber, K. (2015). Situational theory: The importance of interactions and action mechanisms in the explanation of crime. In A. R. Piquero (Ed.), The handbook of criminological theory (pp. 415-444). Wiley.

Willison, R., Lowry, P. B., & Paternoster, R. (2018). A tale of two deterrents: Considering the role of absolute and restrictive deterrence in inspiring new directions in behavioral and organizational security. Journal of the Association for Information Systems, 19(12), 1187-1216.

Willison, R., Warkentin, M., & Johnston, A. C. (2018). Examining employee computer abuse intentions: Insights from justice, deterrence and neutralization perspectives. Information Systems Journal, 28(2), 266-293.

Wright, B. R. E. (2004). Does the perceived risk of punishment deter criminally prone individuals? Rational choice, self-control, and crime. Journal of Research in Crime and Delinquency, 41(2), 180-213.

Xue, Y. J., Liang, H. G., & Wu, L. S. (2011). Punishment, justice, and compliance in mandatory IT settings. Information Systems Research, 22(2), 400-414. https://doi.org/10.1287/isre.1090.0266

Yazdanmehr, A., & Wang, J. (2016). Employees’ information security policy compliance: A norm activation perspective. Decision Support Systems, 92, 36-46.

Zhang, J., Reithel, B. J., & Li, H. (2009). Impact of perceived technical protection on security behaviors. Information Management & Computer Security, 17(4), 330-340.


Appendix A: IS Research on ISP Compliance/Violation


Employees continue to be a root cause of intentional or accidental data breaches, inflicting the greatest negative impact on organizations (Ponemon, 2019). As a result, organizations have been investing increasingly in cybersecurity awareness training to deter insider threats and ISP violations; a Gartner study forecasted that the security awareness training market could reach $10 billion by 2027 (Mello, 2017). For the same reason, ISP compliance/violation has been a focus of IS security research, as shown in Table A1. Nevertheless, as summarized in the last column of Table A1, the majority of IS research in this area studies ISP violation/compliance at a high level of abstraction, in which an ISP is an abstract concept covering security rules and procedures (Chen et al., 2015; D'Arcy & Greene, 2014; Posey et al., 2015; Siponen et al., 2010). The violation/compliance intentions and behaviors examined in those studies are not based on respondents' interpretations of a specific ISP in a specific situation. Even when scenarios are used, they are analyzed in aggregate, without scenario-specific results. This approach limits not only theoretical development, because it takes a static, invariant perspective (Karjalainen et al., 2019), but also the practical applicability of research findings across situations.

Moreover, the literature shows that the moral beliefs held by employees shape their rule adherence (see Table A1). A decision to violate an ISP can be understood as a moral conflict between one's obligation to follow the organizational rule and one's own moral judgment (Myyry et al., 2009). Examples include sharing a password with co-workers and justifying it by the need to get the job done and to maintain workplace relationships, or surfing the internet for pleasure with the excuse that no harm is done. SAT further suggests that moral judgment is situational. Nevertheless, there is a paucity of IS research examining how moral judgment differs across ISP violations and how it interacts with organizational controls and one's own self-control (see Table A1). More research needs to be devoted to ISP compliance from a situation-based perspective (Karjalainen et al., 2019).

Deterrence is a major mechanism that organizations use to promote ISP compliance and deter ISP violations. Nevertheless, our literature review shows that findings on the effect of deterrence are mixed (see Table A1). For example, D'Arcy and Herath (2011) suggest that deterrent mechanisms might only deter more severe violations (e.g., computer sabotage). Similarly, Johnston et al. (2016) argue that threat appeals are effective only when the security threat is personally relevant and significant. On the other hand, many studies find that deterrence, in terms of perceived sanction severity and perceived sanction certainty, has significant effects on employees' compliance with ISPs. Recent IS research acknowledges the complexity of the deterrence effect and calls for more research into its assumptions and its contextualization (Willison, Lowry, et al., 2018). A situation-based perspective may offer a more in-depth understanding of deterrence.
Table A1. Summary of IS Research on ISP Compliance/Violation
Columns: Paper | Method | Main theory | Compliance behavior | Support of effect of deterrence | Moral factors (study interaction?) | Study ISP violation/compliance in specific situations?

Al-Mukahal & Alshare (2015) | Survey | Deterrence theory, neutralization theory, theory of planned behavior | # of ISP violations | Not directly tested | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Aurigemma & Leonard (2015) | Survey | Affective organizational commitment, theory of planned behavior, rational choice theory | ISP compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Boss et al. (2009) | Survey | Social influence theory, organismic integration theory, agency theory, control theory | Precaution taking | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Bulgurcu et al. (2010) | Survey | Theory of planned behavior, rational choice theory, deterrence theory | Intention to comply | Supported. Sanction as a single construct was used and its effect was significant. | Normative beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Chan et al. (2005) | Survey | NA | Compliant behavior | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Chen et al. (2012) | Experiment using scenarios | Compliance theory, general deterrence theory | Intention to comply | Supported. | No (No) | No, sample ISPs were provided to respondents for their understanding of the abstract concept of ISP. Scenarios were used but aggregately analyzed.
Cheng et al. (2013) | Survey | General deterrence theory, social bond theory, social control mechanisms | ISP violation intention | Partially supported: only the effect of perceived severity was significant. | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
D'Arcy & Hovav (2007) | Survey using scenarios | General deterrence theory | IS misuse intentions | Partially supported: awareness of computer monitoring was used and its effect was significant. | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
D'Arcy & Devaraj (2012) | Survey using scenarios | General deterrence theory | Technology misuse intentions | Supported. Sanction as a single construct (perceived severity * perceived certainty) was used and its effect was significant. | Moral beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
D'Arcy & Greene (2014) | Survey | Social exchange theory | Compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
D'Arcy et al. (2009) | Survey using scenarios | General deterrence theory | IS misuse intention | Partially supported: only the effect of perceived severity was significant. | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
D'Arcy et al. (2014) | Survey using scenarios | Coping theory, moral disengagement theory, social cognitive theory | ISP violation intention | Not supported | Moral disengagement (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
Flowerday & Tuyikeze (2016) | Survey | NA | Policy compliance | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Foth (2016) | Survey | Theory of planned behavior, general deterrence theory | Intention to comply | Partially supported: only the effect of perceived certainty was significant. | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Goo et al. (2014) | Survey | Safety climate and performance model | Compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
Guo & Yuan (2012) | Survey using scenarios | Deterrence theory, social cognitive theory | Compliance intention | Not supported | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
Guo et al. (2011) | Survey using scenarios | Composite behavior model | Nonmalicious security violation intention | Not supported | Workgroup norm (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
Han et al. (2017) | Survey | Rational choice theory | Compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Herath & Rao (2009b) | Survey | General deterrence theory, protection motivation theory, theory of planned behavior | Compliance intention | Partially supported: only the effect of detection certainty was significant. | Descriptive norm (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Herath & Rao (2009a) | Survey | General deterrence theory, agency theory | Compliance intention | Partially supported: only the effect of detection certainty was significant. | Normative beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Hovav & D'Arcy (2012) | Survey using scenarios | Deterrence theory | IS misuse intention | Partially supported: the effect of perceived severity was supported only for the US sample, and the effect of perceived certainty only for the Korean sample. | Moral beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
Hu et al. (2011) | Survey using scenarios | Deterrence theory, rational choice theory, self-control theory | Behavior intention | Partially supported. An indirect effect of deterrence was found. | Moral beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
Hu et al. (2012) | Survey | Theory of planned behavior | Compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Hwang et al. (2017) | Survey | NA | Compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Ifinedo (2012) | Survey | Theory of planned behavior, protection motivation theory | Compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Ifinedo (2014) | Survey | Theory of planned behavior, social cognitive theory, social bond theory | Compliance intention | NA | Personal norms (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Ifinedo (2016) | Survey | General deterrence theory, rational choice theory, organizational climate perspective | Compliance intention | Partially supported: only the effect of sanction severity was supported. | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Johnston et al. (2016) | Survey using scenarios | Protection motivation theory, general deterrence theory | Intention to violate ISP | Not supported | No (No) | No, different sanction situations were manipulated via scenarios, but aggregately analyzed.
Kim et al. (2016) | Survey using scenarios | Abuse opportunity structure, emotion process model | Abuse intent | NA | Moral beliefs (No) | No, different abuse opportunities were manipulated via scenarios, but aggregately analyzed.
Lee et al. (2004) | Survey | General deterrence theory, social control theory, theory of planned behavior | Intention to abuse | Not supported. | Norms (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Li et al. (2010) | Survey | Rational choice theory | Compliance intention | Partially supported: only the effect of sanction probability was supported. | Personal norms and organizational norms (Yes) | Partially, only the internet use policy and the corresponding compliance intention were investigated, but no specific compliance/violation situations were examined.
Li et al. (2014) | Survey | Organizational justice | Compliance intention | Partially supported: only the effect of sanction certainty was supported. | Personal norms (No) | No, only the internet use policy and the corresponding compliance intention were investigated, but no specific compliance/violation situations were examined.
Li et al. (2018) | Survey | Rational choice theory, self-control theory | Compliance intention | Weakly supported. A weak effect (p < 0.1) of deterrence, as a single construct, was found. | No (No) | No, only the internet use policy and the corresponding compliance intention were investigated, but no specific compliance/violation situations were examined.
Liang et al. (2013) | Survey | Control theory, regulatory focus theory | IT compliance behavior | NA | No (No) | No, ERP policy and the corresponding compliance behavior were investigated, but no specific compliance/violation situations were examined.
Lowry & Moody (2015) | Experiment using scenarios | Organizational control theory, reactance theory | Intent to comply | NA | No (No) | No, different organizational control situations were manipulated via scenarios, but aggregately analyzed.
Lowry, Moody, et al. (2015) | Survey | Fairness theory, reactance theory | Computer abuse | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Moquin & Wakefield (2016) | Survey | Protection motivation theory, theory of planned behavior | Compliance behavior | Not directly validated | Normative beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Myyry et al. (2009) | Survey using scenarios | Theory of cognitive moral development, theory of motivational types of values | Compliance with ISP | NA | Moral reasoning factors (No) | No, ISP is a high-level abstract concept. A password sharing scenario was used to represent the concept of ISP violation.
Posey et al. (2011) | Survey | Causal reasoning theory, attribution theory | Computer abuse | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Posey et al. (2014) | Interviews (22 insiders and 11 IT professionals) | Protection motivation theory | Protection motivation | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Posey et al. (2015) | Survey | Protection motivation theory and past motivated behaviors | Protection motivation | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Safa et al. (2016) | Survey | Social bond theory, involvement theory | Compliance intention | NA | Personal norms (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Shepherd & Mejias (2016) | Experiment | General deterrence theory, rational choice theory, agency theory | Internet abuse | Not directly validated | No (No) | Partially, acceptable use policies (AUP) were used as the exemplar policy for internet abuse, but no situational factors were examined.
Siponen & Vance (2010) | Survey using scenarios | Neutralization theory, general deterrence theory | Intention to violate ISP | Not supported. The effect of formal sanctions, as a single construct, was not significant. | No (No) | No, ISP is a high-level abstract concept. Scenarios were used but aggregately analyzed.
Siponen et al. (2010) | Survey | Protection motivation theory, deterrence theory, theory of reasoned action, innovation diffusion theory | Actual compliance with ISP | Supported. The effect of deterrence, as a single construct, was significant. | Normative beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Siponen et al. (2014) | Survey | Protection motivation theory, theory of reasoned action, cognitive evaluation theory | Actual compliance with ISP | NA | Normative beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Son (2011) | Survey | General deterrence theory, intrinsic and extrinsic motivation models | Compliance behavior | Not supported. | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Son & Park (2016) | Survey | Procedural justice | Compliance intention | Partially supported: only deterrent certainty was significant. | Moral beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Straub (1990) | Survey | General deterrence theory | Computer abuse | Supported | No (No) | No, ISP is a high-level abstract concept. Although data on specific types of abuse were collected, they were aggregately analyzed.
Vance & Siponen (2012) | Survey using scenarios | Rational choice theory | Intention to violate ISP | Not supported. The effect of formal sanctions, as a single construct, was not significant. | Moral beliefs (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations. Scenarios were used but aggregately analyzed.
Vance et al. (2013) | Survey using scenarios | Accountability theory | Intention to commit access policy violations | Supported. The effect of awareness of deterrence was significant. | No (No) | Partially, an access policy was used as the exemplar policy, and different violation scenarios were used. However, the data were aggregately analyzed.
Vance et al. (2015) | Survey using scenarios | Accountability theory | Intention to violate access policy | Supported. The effect of awareness of deterrence was significant. | No (No) | Partially, an access policy was used as the exemplar policy, and different violation scenarios were used. However, the data were aggregately analyzed.
Warkentin et al. (2011) | Survey | Social learning theory | Behavior intent | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Xue et al. (2011) | Survey | Technology acceptance model, justice theory | Compliance intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Yazdanmehr & Wang (2016) | Survey | Norm activation theory, social norms theory | ISP compliance behavior | Supported. The effect of deterrence, as a single construct, was significant. | Personal norms, descriptive norms, and injunctive norms (Yes) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.
Zhang et al. (2009) | Survey | Risk compensation theory, theory of planned behavior | Behavioral intention | NA | No (No) | No, ISP is a high-level abstract concept, and no specific ISPs were examined in different situations.


Appendix B: Survey Instrument

Section I: Scenario-specific questions (all items use a 7-point scale)

Item stem: If you were Taylor and in the same situation as he is,

Violation Intention (INT) (D'Arcy et al., 2009)
INT1. It is likely that I would have made the same decision as what Taylor did if I were in the same situation. (1 = strongly disagree, 4 = not sure either way, 7 = strongly agree)
INT2. I could see myself making the same decision as what Taylor did if I were in the same situation. (1 = strongly disagree, 4 = not sure either way, 7 = strongly agree)

Realism (RC)
RC. How realistic do you think this scenario is in your company? (1 = highly unrealistic, 4 = not sure either way, 7 = highly realistic)

Moral Beliefs (MB)* (Wenzel, 2004)
MB1. To me, it is acceptable to do what Taylor decided to do if I were in that situation. (1 = strongly disagree, 4 = not sure either way, 7 = strongly agree)
MB2. To me, it would be a trivial offense to do what Taylor decided to do if I were in the same situation. (1 = strongly disagree, 4 = not sure either way, 7 = strongly agree)

Perceived Harmfulness (HM) (Rosenmerkel, 2001)
HM1. I think it is harmful to do what Taylor decided to do if I were in the same situation. (1 = strongly disagree, 4 = not sure either way, 7 = strongly agree)
HM2. I believe it is damaging to do what Taylor decided to do if I were in the same situation. (1 = strongly disagree, 4 = not sure either way, 7 = strongly agree)

Sanction Certainty (CTT) (Peace et al., 2003)
CTT1. If I did what Taylor decided to do in the above scenario, the probability that I would be caught is (1 = very low, 7 = very high).
CTT2. If I did what Taylor decided to do in the above scenario, I would probably be caught. (1 = strongly disagree, 4 = not sure either way, 7 = strongly agree)

Sanction Severity (SVR) (Peace et al., 2003)
SVR1. If caught doing what Taylor decided to do in the above scenario, I think the punishment would be (1 = very low, 7 = very high).
SVR2. If caught doing what Taylor decided to do in the above scenario, I would be severely punished by my company. (1 = strongly disagree, 4 = not sure either way, 7 = strongly agree)

Section II: Individual Propensity

Self-Control (SC)* (Wikström & Svensson, 2010); all items: 1 = strongly disagree, 4 = not sure either way, 7 = strongly agree
SC1. I often act on the spur of the moment without stopping to think.
SC2. I don't devote much thought and effort to preparing for the future.
SC3. I never think about what will happen to me in the future.
SC4. Sometimes I will take a risk just for the fun of it.
SC5. I sometimes find it exciting to do things for which I might get in trouble.
SC6. I frequently avoid things that I know will be difficult.
SC7. I easily get bored with things.
SC8. I lose my temper pretty easily.

Cognitive Moral Development (CMD) (Gibbs et al., 1992); all items: 1 = not important, 4 = neutral, 7 = very important
CMD1. How important is it for people to keep promises, if they can, to friends?
CMD2. How important is it for people to keep promises, if they can, to someone they hardly know?
CMD3. How important is it for parents to keep promises, if they can, to their children?
CMD4. In general, how important is it for people to tell the truth?
CMD5. Think about when you've helped your mother or father. How important is it for children to help their parents?
CMD6. Let's say a friend of yours needs help and may even die, and you're the only person who can save him or her. How important is it for a person (without losing his or her own life) to save the life of a friend?
CMD7. How important is it for a person (without losing his or her own life) to save the life of a stranger?
CMD8. How important is it for a person to live even if that person doesn't want to?
CMD9. How important is it for people not to take things that belong to other people?
CMD10. How important is it for people to obey the law?
CMD11. How important is it for judges to send people who break the law to jail?

Note: *Personal moral beliefs and self-control were reverse coded in the data analysis.


Appendix C: Literature Summary and Support for Scenario Design


Columns: Paper | Scenario development | Manipulated scenario factors | Literature support (S1 S2 S3)

Chen et al. (2012) | Surveyed the ISP practices and IS literature to create the scenarios and conducted a pilot test of the scenarios among industry professionals and experts. | The scenarios varied in the experimental factors: punishment, reward, and certainty of control. |
D'Arcy & Hovav (2007) | No details provided. | The scenarios varied in the risk levels of misuse behavior (from low-risk to high-risk behavior). | √ √ √
D'Arcy & Devaraj (2012) | Borrowed the scenarios from previous research and conducted a pilot test using a panel to ensure the realism of the scenarios. | The scenarios varied in the risk levels of misuse behavior (from low-risk to high-risk behavior). | √ √ √
D'Arcy et al. (2009) | Borrowed the scenarios from previous research and conducted a pre-test among MBA students to ensure the realism of the scenarios. | The scenarios varied in the risk levels of misuse behavior (from low-risk to high-risk behavior). | √ √
D'Arcy et al. (2014) | Reviewed the industry and IS security literature to create scenarios and tested the realism of the scenarios among six security practitioners and four IS faculty members. | No details provided. The scenarios depicted common and relevant ISP violation behaviors. | √ √
Guo & Yuan (2012) | Surveyed the IS literature and interviewed IS practitioners and academic experts to create the scenarios. | The scenarios depicted ISP violation behaviors related to the topic of the study (user authentication and access control). |
Guo et al. (2011) | Surveyed the IS literature and interviewed IS practitioners and academic experts. | The scenarios depicted ISP violation behaviors related to the topic of the study (user authentication and access control). |
Hovav & D'Arcy (2012) | Adopted the scenarios from a previous study. | The scenarios varied in the risk levels of misuse behavior (from low-risk to high-risk behavior). | √ √
Hu et al. (2011) | Surveyed the IS literature to create the scenarios and tested the realism of the scenarios among the respondents. | No details provided. The scenarios depicted unauthorized access behaviors. | √
Johnston et al. (2016) | Followed the scenario design guideline, developed a set of 64 scenarios, and tested their relevance and realism using a panel. | No details provided. The scenarios depicted common and relevant ISP violation behaviors. |
Kim et al. (2016) | Developed the background scenario based on real cases that occurred in the company. | The scenarios varied in the experimental factors: liberty and facilitation, which share a background scenario of a disgruntled employee. |
Lowry & Moody (2015) | Reviewed the academic and practitioner literature. | The scenarios varied in the experimental factors: controlling language and formal control. | √ √
Myyry et al. (2009) | Followed the method in the literature. | No details provided. A password sharing scenario was used. | √
Siponen & Vance (2010) | Developed the scenarios based on the input from 54 information security professionals. | The study selected the top three violation scenarios from a list of identified violation scenarios and manipulated the experimental factors (identifiability, evaluation, and social presence) based on the three scenarios. | √
Vance & Siponen (2012) | Developed the scenarios based on the input from 54 information security professionals. | The study selected the top three violations from a list of identified violation scenarios. | √
Vance et al. (2013) | Developed the scenarios based on the literature and the input of two system managers and five employees. | The study selected the top three violation scenarios from a list of identified violation scenarios and manipulated the experimental factors (identifiability, evaluation, and social presence) based on the three scenarios. | √
Vance et al. (2015) | Developed the scenarios by consulting the FERPA compliance officer in the university. | The scenarios varied in the experimental factors: identifiability, expectation of evaluation, awareness of monitoring, and social presence. | √

Note: S1 = sharing passwords scenario, S2 = personal use of the internet at the workplace scenario, S3 = unauthorized disclosure of commercial secrets scenario; √ = the paper uses a similar scenario and thus supports our scenario design.


Appendix D: Group Analysis of Path Models of Three Scenarios


Columns: Path | Difference in path coefficient Δβ (P-I) | Δβ (P-C) | Δβ (I-C) | Significance of difference, p (P vs. I) | p (P vs. C) | p (I vs. C)

H1: SC → INT | -0.013 | -0.038 | -0.051 | 0.612 | 0.284 | 0.187
H2a: CTT → INT | -0.157 | -0.191 | -0.034 | 0.025* | 0.008* | 0.331
H2b: SVR → INT | 0.091 | 0.117 | 0.026 | 0.849 | 0.925 | 0.624
H3: MB → INT | -0.063 | -0.166 | -0.103 | 0.193 | 0.044* | 0.122
H6: CMD → MB | -0.004 | -0.149 | -0.145 | 0.452 | 0.028* | 0.029*
H7: HM → MB | -0.018 | 0.355 | 0.373 | 0.427 | 1.000 | 1.000
Age → INT | -0.017 | -0.023 | -0.006 | 0.384 | 0.340 | 0.453
Gender → INT | -0.098 | 0.011 | 0.109 | 0.029* | 0.565 | 0.976
Prior violation → INT | -0.052 | 0.006 | 0.058 | 0.170 | 0.568 | 0.807

Note: P = sharing passwords, I = personal internet use at work, C = selling confidential data. p-values marked with * are significant (< 0.05). In the PLS-MGA analysis we compared only the path coefficients of the main effects, because the nonsignificant interaction terms had been dropped from the path models and the interaction effects were highly situation-specific across the three scenarios. In addition, comparing the path coefficient of a two-way interaction term (such as MB*SC) between two scenarios is equivalent to testing a three-way interaction (such as MB*SC*Scenario), which is difficult to interpret.
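Appendix D reports, for each path, the difference in coefficient between two scenarios and a PLS-MGA p-value for that difference. As an added illustration that is not part of the original paper, the Python below shows the shape of such a comparison on constructed data: the scale scoring of Appendix B (including the reverse coding of the MB and SC items), an ordinary least squares fit of INT on SC, CTT, SVR and MB in each of two scenario groups as a stand-in for the PLS path model, and a permutation test of the difference in the CTT → INT coefficient (the paper's H2a) as a stand-in for PLS-MGA. The respondents, effect sizes, noise level, function names and the use of OLS and permutation testing are all assumptions of the example, not the paper's data, method or results.

```python
import random

LIKERT_POINTS = 7


def reverse_code(x, points=LIKERT_POINTS):
    """Reverse-code one Likert response so that higher always means more of the construct
    (Appendix B note: MB and SC items were reverse coded): 7 -> 1, 1 -> 7."""
    return points + 1 - x


def scale_score(items, reverse=False):
    """Average the items of a multi-item construct, reverse-coding each item first if asked."""
    vals = [reverse_code(v) if reverse else v for v in items]
    return sum(vals) / len(vals)


def solve(a, b):
    """Solve the square linear system a x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def ols(x_rows, y):
    """Ordinary least squares through the normal equations; returns [intercept, b1, b2, ...]."""
    rows = [[1.0] + [float(v) for v in r] for r in x_rows]
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    return solve(xtx, xty)


def permutation_diff_test(xa, ya, xb, yb, coef, n_perm=400, seed=7):
    """Two-group comparison of one regression coefficient (stand-in for PLS-MGA).
    Returns (observed difference, permutation p-value): group membership is shuffled,
    the model is refit in both pseudo-groups, and the p-value is the share of permuted
    absolute differences at least as large as the observed one."""
    rng = random.Random(seed)
    observed = ols(xa, ya)[coef] - ols(xb, yb)[coef]
    pooled = list(zip(xa + xb, ya + yb))
    na = len(ya)
    hits = 0
    for _ in range(n_perm):
        rng.shuffle(pooled)
        ga, gb = pooled[:na], pooled[na:]
        d = (ols([r for r, _ in ga], [v for _, v in ga])[coef]
             - ols([r for r, _ in gb], [v for _, v in gb])[coef])
        if abs(d) >= abs(observed):
            hits += 1
    return observed, (hits + 1) / (n_perm + 1)


def simulate_scenario(n, ctt_effect, seed):
    """Constructed respondents for one scenario (not real data). Each respondent has raw
    7-point items for SC (8 items, reverse coded), CTT (2), SVR (2) and MB (2, reverse coded);
    INT is generated so that only the sanction-certainty effect differs between scenarios."""
    rng = random.Random(seed)
    x_rows, y = [], []
    for _ in range(n):
        sc = scale_score([rng.randint(1, 7) for _ in range(8)], reverse=True)
        ctt = scale_score([rng.randint(1, 7) for _ in range(2)])
        svr = scale_score([rng.randint(1, 7) for _ in range(2)])
        mb = scale_score([rng.randint(1, 7) for _ in range(2)], reverse=True)
        intent = 4.0 - 0.2 * sc + ctt_effect * ctt - 0.1 * svr - 0.3 * mb + rng.gauss(0, 0.5)
        x_rows.append([sc, ctt, svr, mb])
        y.append(intent)
    return x_rows, y


# Predictor order is [SC, CTT, SVR, MB]; index 0 of the OLS result is the intercept, so CTT is 2.
CTT_INDEX = 2


def compare_ctt_path():
    """A password-sharing-like scenario with a strong deterrent effect of sanction certainty
    versus a personal-internet-use-like scenario with a negligible one (both constructed)."""
    xp, yp = simulate_scenario(80, ctt_effect=-0.6, seed=1)
    xi, yi = simulate_scenario(80, ctt_effect=0.1, seed=2)
    return permutation_diff_test(xp, yp, xi, yi, CTT_INDEX)


if __name__ == "__main__":
    delta, p = compare_ctt_path()
    print(f"Delta beta (CTT -> INT, P - I) = {delta:.3f}, permutation p = {p:.3f}")
```

The permutation p-value is a different statistic from the bootstrap-based PLS-MGA p-values in the table above, so numbers are not comparable; what carries over is the logic of fitting the same path in each scenario separately and testing the difference rather than pooling the scenarios.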


About the Authors


Han Li is an associate professor of MIS and information assurance at the University of New Mexico, USA. She received her doctorate in management information systems from Oklahoma State University. She has published in Journal of the Association for Information Systems, Decision Sciences, Decision Support Systems, Operations Research, European Journal of Information Systems, Information Systems Journal, European Journal of Operational Research, Journal of Organizational and End User Computing, Journal of Computer Information Systems, DataBase Management, Information Management & Computer Security, Information Systems Management and Journal of Information Privacy and Security. She is an associate editor for Journal of Electronic Commerce Research. Her current research interests include health IT, privacy and confidentiality, data and information security, and the adoption and post-adoption of information technology.
Xin (Robert) Luo is Endowed Regent’s Professor and full professor of MIS and information assurance in the Anderson
School of Management at the University of New Mexico, USA. He received his PhD in MIS from Mississippi State
University, USA. He has published research papers in leading journals including Information Systems Research,
Journal of the Association for Information Systems, European Journal of Information Systems, Information Systems
Journal, Journal of Strategic Information Systems, Decision Sciences, Decision Support Systems, Information &
Management, and IEEE Transactions on Engineering Management. He has served as an ad hoc associate editor for
MIS Quarterly and is an associate editor for Journal of the Association for Information Systems, Decision Sciences,
Information & Management, Electronic Commerce Research, and Journal of Electronic Commerce Research. He sits
on the editorial board of Organizational Cybersecurity Journal. His research interests center around information
assurance, innovative technologies for strategic decision-making, and global IT management. He is the co-editor of
International Journal of Accounting and Information Management.
Yan Chen is an associate professor at Florida International University. She received her PhD in management information systems from the University of Wisconsin–Milwaukee. Her research focuses on information security management, online fraud, information privacy, and social media. She has published more than 30 research papers in refereed academic journals and conference proceedings, including Information & Management, Journal of Management Information Systems, Journal of the Association for Information Systems, MIS Quarterly, and others. She is a recipient of research scholarships and best paper award nominations, and a member of the Association for Information Systems. She has served as a reviewer for many IS journals and conferences, including Decision Sciences, Information & Management, Information Systems Research, Journal of Management Information Systems, Journal of the Association for Information Systems, MIS Quarterly, and others.

Copyright © 2021 by the Association for Information Systems. Permission to make digital or hard copies of all or part
of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for
profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for
components of this work owned by others than the Association for Information Systems must be honored. Abstracting
with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior
specific permission and/or fee. Request permission to publish from: AIS Administrative Office, P.O. Box 2712 Atlanta,
GA, 30301-2712 Attn: Reprints, or via email from publications@aisnet.org.
