Return to search

Information security deviant behavior: its typology, measures, and causes

Although information security is important to all organizations, little

behavioral research has been carried out in this area. Particularly lacking is research

on negative forms of behavior involved in information security. The aim of this thesis

is to fill this research gap by conducting three related studies on information security

deviant behavior (ISDB), which refers to the voluntary behavior of employees within

organizations that differs markedly from the information security norms of the

organizations and that is normally considered by other employees to be wrong.

Prior research work on this topic is insufficient, and the information security

deviance concept remains unclear. This thesis explores the topic by considering three

fundamental research questions: 1) What is ISDB? 2) How can ISDB be measured? 3)

Why do employees commit ISDB?

Study I addresses the first question—“What is ISDB?”—by identifying and

organizing ISDB using a typology. A four-step method, comprising content analysis,

multidimensional scaling, expert judgmental analysis, and empirical testing, is

proposed for the development of typologies, which can fulfill the criteria for being a

theory. The findings of this study suggest that ISDB can be organized into four ideal

types that are interrelated along two dimensions—severity and frequency. Four

constructs are identified from this typology. They are resource misuse (“high

frequency, high severity” deviance), security carelessness (“high frequency, low

severity” deviance), access control deviance (“low frequency, low severity” deviance),

and system protection deviance (“low frequency, high severity” deviance). Study I not

only develops an organized and theoretical framework for systematic research on

ISDB and constitutes a critical starting point for the development of measures of the

behavior, but also makes an important theoretical contribution by demonstrating the

development of a typology, which is a unique form of theory building for an

underdeveloped topic.

Study II focuses on the second research question—“How can ISDB be

measured?”—by developing valid and reliable scales to measure ISDB. My target is

to develop scales to measure commonly found types of ISDB using an empirical

method. Accordingly, the two “low frequency” types of deviance, access control and

system protection deviance, are omitted from consideration. A rigorous measurement

development process which includes three surveys and a number of tests is adopted. A

four-item scale of resource misuse and a three-item scale of security carelessness are

developed. The development of these two scales makes an important contribution to

future ISDB research by providing a means to measure two types of information

security deviance, thus facilitating the empirical study of ISDB.

Study III is aimed at answering the third research question—“Why do

employees commit ISDB?”—through construction of a causal model. Rather than

consider “intention” as existing behavioral research on information security

commonly does, Study III investigates actual behavior and employs resource misuse

(“high frequency, high severity” deviance) as the dependent variable. Data from a

Web-based survey are analyzed using the partial least squares approach. Considering

the dual-process approach in the theory of planned behavior, the findings suggest that

resource misuse may be both an intentional type of behavior and an unreasoned action.

Perceived behavioral control influences employees’ resource misuse actions via their

desires or intentions, whereas attitude toward resource misuse affects these actions via

employees’ desires alone. Subjective norm is found not to affect employees’ resource

misuse via either desires or intentions. In terms of the theoretical contributions, Study

III takes steps to consider information security deviance by incorporating the

dual-process approach and the theory of planned behavior. In terms of managerial

significance, the results of Study III can help managers to better understand why

employees commit resource misuse.

In conclusion, this thesis provides a number of significant insights into ISDB

and useful guidelines for further research on the topic. In addition, the findings of the

three studies can help managers to develop better company strategies and policies to

reduce internal security threats. / published_or_final_version / Business / Doctoral / Doctor of Philosophy

  1. 10.5353/th_b4807961
  2. b4807961
Identiferoai:union.ndltd.org:HKU/oai:hub.hku.hk:10722/183045
Date January 2012
CreatorsChu, Man-ying., 朱文英.
PublisherThe University of Hong Kong (Pokfulam, Hong Kong)
Source SetsHong Kong University Theses
LanguageEnglish
Detected LanguageEnglish
TypePG_Thesis
Sourcehttp://hub.hku.hk/bib/B48079613
RightsThe author retains all proprietary rights, (such as patent rights) and the right to use in future works., Creative Commons: Attribution 3.0 Hong Kong License
RelationHKU Theses Online (HKUTO)

Page generated in 0.0011 seconds