Decision Support Systems

Volume 66, October 2014, Pages 93-101

Development and validation of instruments of information security deviant behavior

https://doi.org/10.1016/j.dss.2014.06.008

Highlights

  • We investigate an underdeveloped topic — information security deviant behavior.

  • We develop and validate two instruments of ISDB using an empirical method.

  • A four-stage rigorous instrument development process is adopted.

Abstract

Information security deviant behavior (ISDB) of employees is a serious threat to organizations. However, not much empirical research on ISDB has been carried out. This paper attempts to develop and validate instruments of ISDB using an empirical method. Two instruments of ISDB are proposed and tested, including a four-item instrument of resource misuse (ISDB that is related to the misuse of information systems resources) and a three-item instrument of security carelessness (ISDB that is related to the employees' omissive activities when using computers or handling data). A rigorous instrument development process which includes three surveys and addresses six crucial measurement properties (content analysis, factorial validity, reliability, convergent validity, discriminant validity, and nomological validity) is adopted. The implications of these two instruments for future empirical studies on ISDB are discussed.

Introduction

Information security deviant behavior (ISDB) of employees, such as leaving removable storage devices unattended and using untrusted applications at work, is a serious threat to organizations. A recent survey reported that 63% of interviewed information security professionals deemed employees to be a high concern for organizations; the percentage was higher than that of hackers (55%) or organized crime (38%) [24]. ISDB also results in serious financial losses for organizations, with a 2009 security survey reporting the average annual losses arising from security incidents to be US$234,244 per company [59]. A quarter of respondents to this survey believed that at least 60% of these financial losses stem from insiders' actions.

Despite the increasing prevalence and high associated costs of ISDB in the workplace, our understanding of this topic remains limited and fragmented [30], [64], [78]. The lack of instruments to measure ISDB presents a barrier to our understanding of the relationship between ISDB and correlated constructs and the development of theories and frameworks to tackle security problems [48]. In order to understand ISDB, it is important to develop reliable and valid instruments to measure it. This study aims to fill this research gap by developing instruments for the measurement of ISDB under a rigorous instrument development process. The instruments developed are useful for researchers to investigate the different properties of such behavior.

The remainder of this paper is organized as follows. We review related studies and discuss the background theory in Section 2, and then describe how we used a four-stage process to develop the instruments for ISDB in Sections 3 (Instrument development) and 4 (Stage IV: instrument validity). Section 3 focuses on the domain specification, instrument development and instrument refinement while Section 4 focuses on the instrument validity. Finally, we discuss the implications of the findings and draw our conclusion in Section 5.

Section snippets

Information security deviant behavior

Workplace deviant behavior is not a new concept. A number of studies in sociology, psychology, and organizational behavior have attempted to study acts related to workplace deviant behavior and used different terminologies to denote the behavior. Examples include antisocial behavior [26], counterproductive workplace behavior [44], organizational misbehavior [74], organizational retaliation behavior [65], workplace aggression [47], and workplace deviance [60]. Regardless of the different

Instrument development

Churchill [14] provided a methodological guide used in instrument development and recommended a paradigm for instrument development comprising three stages: 1) definition and specification of the construct domain, 2) generation of items for the specified domain, and 3) instrument refinement. Many MIS studies that addressed instrument development and process highlighted the importance of instrument validation (e.g., Refs. [35], [69]) and therefore suggested that instrument development usually

Stage IV: instrument validity

Straub [69] suggested that instrument validity can be further demonstrated in confirmatory empirical research. Accordingly, we conducted another survey (Survey 3) to assess the reliability and validity of the two instruments developed in Survey 2, again adopting a web-based survey platform. The quality control methods were similar to those used for Survey 2 and described in Section 3.3. Respondents were asked to indicate on seven-point Likert scales the frequency with which they were engaged in

Conclusion and implications

There is a lack of empirical studies on ISDB, and previous discussion on the topic was therefore described as “fragmented” and “incomplete” ([78], p. 412). The paper adopted a rigorous instrument development process to distinguish between resource misuse and security carelessness, two commonly found types of ISDB, and to develop valid and reliable instruments for them. Past research has paid very little attention to the identification and measurement of ISDB, instead employing hypothetical

References (81)

  • E. Schultz. The human factor in security. Computers & Security (2005)
  • M. Workman et al. Security lapses and the omission of information security measures: a threat control model and empirical test. Computers in Human Behavior (2008)
  • J.C. Anderson et al. Structural modeling in practice: a review and recommended two-step approach. Psychological Bulletin (1988)
  • A. Bandura. Social Learning Theory (1977)
  • R.J. Bennett et al. Development of a measure of workplace deviance. Journal of Applied Psychology (2000)
  • P.M. Bentler. Comparative fit indexes in structural models. Psychological Bulletin (1990)
  • P.M. Bentler et al. Significance tests and goodness of fit in the analysis of covariance structures. Psychological Bulletin (1980)
  • G.-W. Bock et al. Non-work related computing (NWRC). Communications of the ACM (2009)
  • G.-W. Bock et al. Behavioral intention formation in knowledge sharing: examining the roles of extrinsic motivators, social-psychological forces, and organizational climate. MIS Quarterly (2005)
  • R.B. Cattell. The scree test for the number of factors. Multivariate Behavioral Research (1966)
  • M.K. Chang. Predicting unethical behavior: a comparison of the theory of reasoned action and the theory of planned behavior. Journal of Business Ethics (1988)
  • P.E. Chaudhry et al. Piracy in cyber space: consumer complicity, pirates and enterprise enforcement. Enterprise Information Systems (2011)
  • H.K. Cheng et al. To purchase or to pirate software: an empirical study. Journal of Management Information Systems (1997)
  • M.W. Chiasson et al. Taking industry seriously in information systems research. MIS Quarterly (2005)
  • M.Y. Chu. Information security deviant behavior: its typology, measures, and causes (2012)
  • G.A. Churchill. A paradigm for developing better measures of marketing constructs. Journal of Marketing Research (1979)
  • V. Clark. SAS Institute, SAS/STAT 9.1: User's Guide (2004)
  • J.A. Colquitt. On the dimensionality of organizational justice: a construct validation of a measure. Journal of Applied Psychology (2001)
  • J. D'Arcy et al. Deterring internal information systems misuse. Communications of the ACM (2007)
  • J. D'Arcy et al. User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Information Systems Research (2009)
  • T.H. Davenport et al. Working Knowledge (1998)
  • R. DeVellis. Scale Development: Theory and Applications (1991)
  • J.K. Ford et al. The application of exploratory factor analysis in applied psychology: a critical review and analysis. Personnel Psychology (1986)
  • M.R. Frone. Are work stressors related to employee substance use? The importance of temporal context in assessments of alcohol and illicit drug use. Journal of Applied Psychology (2008)
  • Frost et al. The 2011 (ISC)2 Global Information Security Workforce Study (2011)
  • R.A. Giacalone et al. Antisocial Behavior in Organizations (1997)
  • M. Gibbert et al. Practice exchange in a best practice marketplace
  • S. Grover. Lying in organizations: theory, research and future directions
  • K.H. Guo et al. Understanding nonmalicious security violations in the workplace: a composite behavior model. Journal of Management Information Systems (2011)
  • L.-t. Hu et al. Cutoff criteria for fit indexes in covariance structure analysis: conventional criteria versus new alternatives. Structural Equation Modeling (1999)
Amanda M. Y. Chu is a Visiting Fellow at the City University of Hong Kong. She obtained her Ph.D. in MIS from the University of Hong Kong and her MBA degree from the Chinese University of Hong Kong. Her current research interest focuses on behavioral aspects of information security. She presented her research at the Doctoral Consortium of the 2010 Pacific Asia Conference on Information Systems and received the best dissertation proposal award. Prior to her Ph.D. studies, Amanda was a consultant in information systems for over 8 years.

Patrick Y. K. Chau is Padma and Hari Harilela Professor in Strategic Information Management at the Faculty of Business and Economics of The University of Hong Kong. He received his Ph.D. in business administration from the Richard Ivey School of Business at the University of Western Ontario, Canada. His research interests include IS/IT adoption and implementation, information presentation, knowledge management and IT outsourcing. He has published papers in journals like MIS Quarterly, Communications of the ACM, Journal of the AIS, Journal of Management Information Systems, Decision Sciences, Information and Management, Decision Support Systems, and Journal of Global Information Management, among others.