Although information security is important to all organizations, little
behavioral research has been carried out in this area. Particularly lacking is research
on negative forms of behavior involved in information security. The aim of this thesis
is to fill this research gap by conducting three related studies on information security
deviant behavior (ISDB), which refers to the voluntary behavior of employees within
organizations that differs markedly from the information security norms of the
organizations and that is normally considered by other employees to be wrong.
Prior research work on this topic is insufficient, and the information security
deviance concept remains unclear. This thesis explores the topic by considering three
fundamental research questions: 1) What is ISDB? 2) How can ISDB be measured? 3)
Why do employees commit ISDB?

Study I addresses the first question—“What is ISDB?”—by identifying and
organizing ISDB using a typology. A four-step method, comprising content analysis,
multidimensional scaling, expert judgmental analysis, and empirical testing, is
proposed for the development of typologies, which can fulfill the criteria for being a
theory. The findings of this study suggest that ISDB can be organized into four ideal
types that are interrelated along two dimensions—severity and frequency. Four
constructs are identified from this typology. They are resource misuse (“high
frequency, high severity” deviance), security carelessness (“high frequency, low
severity” deviance), access control deviance (“low frequency, low severity” deviance),
and system protection deviance (“low frequency, high severity” deviance). Study I not
only develops an organized and theoretical framework for systematic research on
ISDB and constitutes a critical starting point for the development of measures of the
behavior, but also makes an important theoretical contribution by demonstrating the
development of a typology, which is a unique form of theory building for an
underdeveloped topic.

Study II focuses on the second research question—“How can ISDB be
measured?”—by developing valid and reliable scales to measure ISDB. My target is
to develop scales to measure commonly found types of ISDB using an empirical
method. Accordingly, the two “low frequency” types of deviance, access control and
system protection deviance, are omitted from consideration. A rigorous measurement
development process, which includes three surveys and a number of tests, is adopted. A
four-item scale of resource misuse and a three-item scale of security carelessness are
developed. The development of these two scales makes an important contribution to
future ISDB research by providing a means to measure two types of information
security deviance, thus facilitating the empirical study of ISDB.

Study III is aimed at answering the third research question—“Why do
employees commit ISDB?”—through construction of a causal model. Rather than
consider “intention” as existing behavioral research on information security
commonly does, Study III investigates actual behavior and employs resource misuse
(“high frequency, high severity” deviance) as the dependent variable. Data from a
Web-based survey are analyzed using the partial least squares approach. Considering
the dual-process approach in the theory of planned behavior, the findings suggest that
resource misuse may be both an intentional type of behavior and an unreasoned action.
Perceived behavioral control influences employees’ resource misuse actions via their
desires or intentions, whereas attitude toward resource misuse affects these actions via
employees’ desires alone. Subjective norm is found not to affect employees’ resource
misuse via either desires or intentions. In terms of the theoretical contributions, Study
III takes steps to consider information security deviance by incorporating the
dual-process approach and the theory of planned behavior. In terms of managerial
significance, the results of Study III can help managers to better understand why
employees commit resource misuse.

In conclusion, this thesis provides a number of significant insights into ISDB
and useful guidelines for further research on the topic. In addition, the findings of the
three studies can help managers to develop better company strategies and policies to
reduce internal security threats.

published_or_final_version / Business / Doctoral / Doctor of Philosophy

Identifier | oai:union.ndltd.org:HKU/oai:hub.hku.hk:10722/183045
Date | January 2012
Creators | Chu, Man-ying., 朱文英.
Publisher | The University of Hong Kong (Pokfulam, Hong Kong)
Source Sets | Hong Kong University Theses
Language | English
Detected Language | English
Type | PG_Thesis
Source | http://hub.hku.hk/bib/B48079613
Rights | The author retains all proprietary rights (such as patent rights) and the right to use in future works. Creative Commons: Attribution 3.0 Hong Kong License
Relation | HKU Theses Online (HKUTO)