A Study of the Contributions of Attitude, Computer Security Policy Awareness, and Computer Self-Efficacy to the Employees' Computer Abuse Intention in Business Environments

Blanke, Sandra Jetton

01 January 2008

While computer technology is generally intended to increase employee productivity and effectiveness that same computer technology may be used in negative ways that reduces productivity and increases cost in the business environment. Computer abuse has occurred in the past 12 months in more than half of the business environments surveyed by the Computer Security Institute. To date, research results still indicate that employee computer abuse is problematic and continues to significantly increase. It is estimated American businesses will lose $63 billion each year due to employees' computer abuse on the Internet. This study was a predictive study that attempted to predict employees' computer abuse intention (CAI) in the business environment based on the contribution of attitude (ATT), computer security policy awareness (CSPA), and computer self-efficacy (CSE). Working professionals from the south central United States were surveyed to determine their ATT toward computer abuse, CSPA, and CSE, as well as their intention to commit computer abuse in the business environment. A theoretical model was proposed, and two statistical methods were used to formulate models and test predictive power: Multiple Linear Regression (MLR) and Ordinal Logistic Regression (OLR). It was predicted that ATT, CSPA, and CSE will have a significant impact on employee's CAI. Results demonstrated that ATT was a significant predictor in predicting employee CAI on both the MLR and OLR regression models. CSE was a significant predictor on the MLR model only. CSPA was not found to be a significant predictor of CAI on either regression models. There are two main contributions of this study. First, to develop and empirically validate models for predicting employee's CAI in the business environment. Second, to investigate the most significant construct of the three constructs studied that contribute to the employee's CAI in the business environment.

Attitude

Computer abuse

Computer crime

Computer security policies

Computer Self Efficacy

Internet abuse

Computer Sciences

Why do employees violate is security policies?:insights from multiple theoretical perspectives

Vance, A. (Anthony)

12 October 2010

Abstract Employee violations of IS security policies is recognized as a key concern for organizations. Although interest in IS security has risen in recent years, little empirical research has examined this problem. To address this research gap, this dissertation identifies deliberate IS security policy violations as a phenomenon unique from other forms of computer abuse. To better understand this phenomenon, three guidelines for researching deliberate IS security violations are proposed. An analysis of previous behavioral IS security literature shows that no existing study meets more than one of these guidelines. Using these guidelines as a basis, this dissertation examines IS security policy violations using three theoretical models drawn from the following perspectives: neutralization theory, rational choice theory, and protection motivation theory. Three field studies involving surveys of 1,423 professional respondents belonging to 7 organizations across 47 countries were performed for empirical testing of the models. The findings of these studies identify several factors that strongly predict intentions to violate IS security policies. These results significantly increase our understanding of why employees choose to violate IS security policies and provide empirically-grounded implications for how practitioners can improve employee IS security policy compliance.

computer abuse

deterrence theory

information security

information security policy

neutralization theory

protection motivation theory

rational choice theory