Development and validation of instruments of information security deviant behavior
Introduction
Information security deviant behavior (ISDB) of employees, such as leaving removable storage devices unattended and using untrusted applications at work, is a serious threat to organizations. A recent survey reported that 63% of interviewed information security professionals deemed employees to be a high concern for organizations; the percentage was higher than that for hackers (55%) or organized crime (38%) [24]. ISDB also results in serious financial losses for organizations, with a 2009 security survey reporting the average annual losses arising from security incidents to be US$234,244 per company [59]. A quarter of respondents to this survey believed that at least 60% of these financial losses stem from insiders' actions.
Despite the increasing prevalence and high associated costs of ISDB in the workplace, our understanding of this topic remains limited and fragmented [30], [64], [78]. The lack of instruments to measure ISDB presents a barrier to our understanding of the relationship between ISDB and correlated constructs and the development of theories and frameworks to tackle security problems [48]. In order to understand ISDB, it is important to develop reliable and valid instruments to measure it. This study aims to fill this research gap by developing instruments for the measurement of ISDB under a rigorous instrument development process. The instruments developed are useful for researchers to investigate the different properties of such behavior.
The remainder of this paper is organized as follows. We review related studies and discuss the background theory in Section 2, and then describe how we used a four-stage process to develop the instruments for ISDB in Sections 3 and 4. Section 3 focuses on the domain specification, instrument development and instrument refinement, while Section 4 focuses on the instrument validity. Finally, we discuss the implications of the findings and draw our conclusion in Section 5.
Information security deviant behavior
Workplace deviant behavior is not a new concept. A number of studies in sociology, psychology, and organizational behavior have attempted to study acts related to workplace deviant behavior and used different terminologies to denote the behavior. Examples include antisocial behavior [26], counterproductive workplace behavior [44], organizational misbehavior [74], organizational retaliation behavior [65], workplace aggression [47], and workplace deviance [60]. Regardless of the different
Instrument development
Churchill [14] provided a methodological guide used in instrument development and recommended a paradigm for instrument development comprising three stages: 1) definition and specification of the construct domain, 2) generation of items for the specified domain, and 3) instrument refinement. Many MIS studies that addressed instrument development and process highlighted the importance of instrument validation (e.g., Refs. [35], [69]) and therefore suggested that instrument development usually
Stage IV: instrument validity
Straub [69] suggested that instrument validity can be further demonstrated in confirmatory empirical research. Accordingly, we conducted another survey (Survey 3) to assess the reliability and validity of the two instruments developed in Survey 2, again adopting a web-based survey platform. The quality control methods were similar to those used for Survey 2 and described in Section 3.3. Respondents were asked to indicate on seven-point Likert scales the frequency with which they were engaged in
Conclusion and implications
There is a lack of empirical studies on ISDB, and therefore previous discussion of the topic has been described as “fragmented” and “incomplete” ([78], p. 412). The paper adopted a rigorous instrument development process to distinguish between resource misuse and security carelessness, two commonly found types of ISDB, and to develop valid and reliable instruments for them. Past research has paid very little attention to the identification and measurement of ISDB, instead employing hypothetical
References (81)
- et al. A web-based multi-perspective decision support system for information security planning. Decision Support Systems (2010).
- End-user security culture: a lesson that will never be learnt? Computer Fraud & Security (2008).
- et al. Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decision Support Systems (2009).
- et al. Security versus convenience? An experimental study of user misperceptions of wireless internet service quality. Decision Support Systems (2012).
- et al. Efficiency of critical incident management systems: instrument development and validation. Decision Support Systems (2007).
- et al. Why there aren't more information security research studies. Information & Management (2004).
- et al. Knowledge sharing and investment decisions in information security. Decision Support Systems (2011).
- et al. Workplace violence and workplace aggression: evidence concerning specific forms, potential causes, and preferred targets. Journal of Management (1998).
- et al. Studying users' computer security behavior: a health belief perspective. Decision Support Systems (2009).
- et al. Explaining non-work-related computing in the workplace: a comparison of alternative models. Information & Management (2008).
- The human factor in security. Computers & Security.
- Security lapses and the omission of information security measures: a threat control model and empirical test. Computers in Human Behavior.
- Structural modeling in practice: a review and recommended two-step approach. Psychological Bulletin.
- Social Learning Theory.
- Development of a measure of workplace deviance. Journal of Applied Psychology.
- Comparative fit indexes in structural models. Psychological Bulletin.
- Significance tests and goodness of fit in the analysis of covariance structures. Psychological Bulletin.
- Non-work related computing (NWRC). Communications of the ACM.
- Behavioral intention formation in knowledge sharing: examining the roles of extrinsic motivators, socio-psychological forces, and organizational climate. MIS Quarterly.
- The scree test for the number of factors. Multivariate Behavioral Research.
- Predicting unethical behavior: a comparison of the theory of reasoned action and the theory of planned behavior. Journal of Business Ethics.
- Piracy in cyber space: consumer complicity, pirates and enterprise enforcement. Enterprise Information Systems.
- To purchase or to pirate software: an empirical study. Journal of Management Information Systems.
- Taking industry seriously in information systems research. MIS Quarterly.
- Information security deviant behavior: its typology, measures, and causes.
- A paradigm for developing better measures of marketing constructs. Journal of Marketing Research.
- SAS Institute, SAS/STAT 9.1: User's Guide.
- On the dimensionality of organizational justice: a construct validation of a measure. Journal of Applied Psychology.
- Deterring internal information systems misuse. Communications of the ACM.
- User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Information Systems Research.
- Working Knowledge.
- Scale Development: Theory and Applications.
- The application of exploratory factor analysis in applied psychology: a critical review and analysis. Personnel Psychology.
- Are work stressors related to employee substance use? The importance of temporal context in assessments of alcohol and illicit drug use. Journal of Applied Psychology.
- The 2011 (ISC)2 Global Information Security Workforce Study.
- Antisocial Behavior in Organizations.
- Practice exchange in a best practice marketplace.
- Lying in organizations: theory, research and future directions.
- Understanding nonmalicious security violations in the workplace: a composite behavior model. Journal of Management Information Systems.
- Cutoff criteria for fit indexes in covariance structure analysis: conventional criteria versus new alternatives. Structural Equation Modeling.
Cited by (36)
Discovering dynamic adverse behavior of policyholders in the life insurance industry. 2021, Technological Forecasting and Social Change.
Citation excerpt: High-risk policyholders deliberately provide false information to the insurer to escape higher premiums, or to avoid being excluded for eligibility (Islam et al., 2020a; Riddel and Hales, 2018). Existing studies on the AS of the policyholder demonstrate that AB policyholders are better informed about the market likelihood, and use information to select their insurance plans (Chau et al., 2013; Chu and Chau, 2014; Sengupta and Rooj, 2019). Additionally, the psychological disorder of the individual can have a deleterious effect on AS behavior.
A taxonomy of cybercrime: Theory and design. 2020, International Journal of Accounting Information Systems.
Citation excerpt: Their results suggest implications for managing security threats through informal sanctions. Examples of similar research include Chu and Chau (2014), Vance et al. (2012, 2013), Banerjee et al. (1998), and Guo and Yuan (2012). While these, and similar studies, do not directly address taxonomic design for cybercrime, they provide useful evidence to classify security acts in a taxonomy.
Evaluating information security core human error causes (IS-CHEC) technique in public sector and comparison with the private sector. 2019, International Journal of Medical Informatics.
Citation excerpt: Current human factors information security research places an imbalanced focus on intentional actions rather than unintentional human error [14]. Published information systems human behavior related research predominantly addresses the problem of intentional violations and non-compliances [15–39], resulting in proportionally limited work relating to unintentional human error [40–42]. Therefore there are limited published related works researching human error as it affects information security.
Finding the weakest links in the weakest link: How well do undergraduate students make cybersecurity judgment? 2018, Computers in Human Behavior.
Citation excerpt: Answering this question can also advance the understanding of the complexity of the weakest link phenomenon. Fourth, recent research has suggested that it is important to develop strong cybersecurity awareness (Arachchilage & Love, 2014; Ben-Asher & Gonzalez, 2015; Bulgurcu et al., 2010; D'Arcy et al., 2009; Happ, Melzer, & Steffgen, 2016; McGraw, Yan, Weller, & Bumgardner, 2014; Parsons et al., 2017) and foster good cybersecurity behavior (Chu & Chau, 2014; Cox, 2012; Norberg, Horne, & Horne, 2007; van Schaik et al., 2017; Workman, Bommer, & Straub, 2009). However, while the process of achieving effective cybersecurity among ordinary users starts with awareness and ends with changes in behavior, this process involves an important mediating factor of cybersecurity judgement and decision making (Roghanizad & Neufeld, 2015; Rosoff, Cui, & John, 2013; Yan & Gozu, 2012).
In with the old to catalyze the new: A prescriptive framework for ICT research. 2021, Industrial and Organizational Psychology.
Amanda M. Y. Chu is a Visiting Fellow at the City University of Hong Kong. She obtained her Ph.D. in MIS from the University of Hong Kong and her MBA degree from the Chinese University of Hong Kong. Her current research interest focuses on behavioral aspects of information security. She presented her research at the Doctoral Consortium of the 2010 Pacific Asia Conference on Information Systems and received the best dissertation proposal award. Prior to her Ph.D. studies, Amanda was a consultant in information systems for over 8 years.
Patrick Y. K. Chau is Padma and Hari Harilela Professor in Strategic Information Management at the Faculty of Business and Economics of The University of Hong Kong. He received his Ph.D. in business administration from the Richard Ivey School of Business at the University of Western Ontario, Canada. His research interests include IS/IT adoption and implementation, information presentation, knowledge management and IT outsourcing. He has published papers in journals like MIS Quarterly, Communications of the ACM, Journal of the AIS, Journal of Management Information Systems, Decision Sciences, Information and Management, Decision Support Systems, and Journal of Global Information Management, among others.