Applying Push-Pull-Mooring model to investigate non-malicious workarounds behavior

Aljohani, Nawaf Rasheed

08 August 2023

More than half of the violations of information systems security policies are initiated by non-malicious activities of insiders. To investigate these non-malicious activities, we utilized the theory of workaround and argued that the application of neutralization techniques impacts the use of workarounds. We built our model using three theories: the theory of workaround, push-pull-mooring theory, and techniques of neutralization. We identified the elements of workarounds related to non-malicious violations and proposed a theoretical perspective using the push-pull-mooring theory to investigate non-malicious workarounds empirically. We propose that non-malicious activities of insiders can be seen as a switching behavior, with push factors such as system dissatisfaction and time pressure, and pull factors such as convenience and alternative attractiveness. The mooring factors in our model are techniques of neutralization, including denial of injury, denial of responsibility, and defense of necessity. We employed the scenario-based factorial survey method to mitigate the effect of social desirability bias. Our mixed model analysis indicates that time pressure, convenience, denial of injury, and defense of necessity significantly impact an individual's likelihood of engaging in non-malicious workarounds. Additionally, the relative weight analysis of our model shows that convenience and time pressure explain most of the variance in our model.

Insider

non-malicious

threat

workaround

push-pull-mooring

techniques of neutralization

factorial survey method

Time Orientation, Rational Choice and Deterrence: an Information Systems Perspective

Pope, Michael Brian

17 August 2013

The present study examines General Deterrence Theory (GDT) and its "parent," Rational Choice Theory (RCT), in an information security setting, assessing the behavioral intent to violate organizational policy under varying levels of certainty, severity and celerity of negative sanction. Also assessed is the individual computer user's time orientation, as measured by the Consideration of Future Consequences (CFC) instrument (Strathman et. al, 1994). How does rational consideration of violation rewards influence the impact of sanctions on individuals? How does time orientation impact intent to violate security policy? How do these operate in an IS context? These questions are examined by assessing the responses of university students (N = 443) to experimental manipulations of sanctions and rewards. Answering vignettes with the factorial survey method, intent to violate is assessed in a setting of Internet piracy of electronic textbooks while being monitored by computer security systems. Findings show that, although traditional GDT variables and reward impact intent to violate, CFC does not cause the hypothesized moderating effect on these variables. However, post-hoc analysis reveals a direct effect of time orientation on behavioral intent, as well as a weak moderating effect opposite of the hypotheses, indicating increased time orientation positively moderates, rather than negatively moderates, the impact of reward on intent to violate. Implications for theory and practice, and future research directions, are discussed.

ebooks

copyright infringement

criminal sanctions

piracy

factorial survey method

computer crime

organizational justice

workplace deviance

consideration of future consequences

business information systems

differential deterrence

management information systems

information security

time orientation

time preference

time perspective

general deterrence theory

rational choice theory

computer security