Dysfunctional information system behaviors are not all created the same: Challenges to the generalizability of security-based researchInformation & Management

About

Authors
Hadrian Geri Djajadikerta, Saiyidi Mat Roni, Terri Trireksani
Year
2015
DOI
10.1016/j.im.2015.07.008
Subject
Information Systems and Management / Management Information Systems / Information Systems

Similar

Rape in marriage

Authors:
Lee H. Bowker, o̊Dean of the Graduate School and Research
1983

Max born medal and prize

Authors:
The Institute of Physics
1979

Accurate grinding of the profiles of small form cutters

Authors:
The Taylor-Hobson Research Laboratory
1928

Prevention of backlash in gearing

Authors:
The Taylor-Hobson Research Laboratory
1927

Text

Accepted Manuscript

Title: Dysfunctional information system behaviors are not all created the same: Challenges to the generalizability of security-based research

Author: Hadrian Geri Djajadikerta Saiyidi Mat Roni Terri

Trireksani

PII: S0378-7206(15)00076-2

DOI: http://dx.doi.org/doi:10.1016/j.im.2015.07.008

Reference: INFMAN 2829

To appear in: INFMAN

Received date: 12-4-2014

Revised date: 5-6-2015

Accepted date: 15-7-2015

Please cite this article as: H.G. Djajadikerta, S. Mat Roni, T. Trireksani, Dysfunctional information system behaviors are not all created the same: Challenges to the generalizability of security-based research, Information and Management (2015), http://dx.doi.org/10.1016/j.im.2015.07.008

This is a PDF file of an unedited manuscript that has been accepted for publication.

As a service to our customers we are providing this early version of the manuscript.

The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Page 1 of 44

Ac ce pte d M an us cri pt

Dysfunctional information system behaviors are not all created the same: Challenges to the generalizability of security-based research

Highlights:  We use a four-quadrant insider dysfunctional information system behavior taxonomy.  We analyze intentions underlying behaviors among different dysfunctional behaviors.  The intentions vary among dysfunctional information system behaviors.  The causal links between behavioral intentions and their predictors vary.  We address methodological concerns in the insider dysfunctional behaviors literature.

Highlights (for review)

Page 2 of 44

Ac ce pte d M an us cri pt

Dysfunctional information system behaviors are not all created the same: Challenges to the generalizability of security-based research

Hadrian Geri DJAJADIKERTA 

School of Business, Edith Cowan University, Australia 270 Joondalup Drive, Joondalup WA 6027, Australia h.djajadikerta@ecu.edu.au

Saiyidi MAT RONI

School of Business, Edith Cowan University, Australia 270 Joondalup Drive, Joondalup WA 6027, Australia m.matroni@ecu.edu.au

Terri TRIREKSANI

School of Management and Governance, Murdoch University, Australia 90 South Street. Murdoch WA 6150, Australia t.trireksani@murdoch.edu.au 

Corresponding author

Address: Edith Cowan University, 270 Joondalup Drive, Joondalup WA 6027, Australia.

Tel.: +61 8 6304 5353

Email addresses: h.djajadikerta@ecu.edu.au (H.G. Djajadikerta) *Title Page

Page 3 of 44

Ac ce pte d M an us cri pt 1

Dysfunctional information system behaviors are not all created the same: Challenges to the generalizability of security-based research

ABSTRACT

Conflicting findings in the existing studies on insider dysfunctional information system (IS) behaviors have led some researchers to raise methodological concerns that samples in these studies are aggregated or disaggregated without sufficient attempt to differentiate their fundamental differences. Using a four-quadrant behavior taxonomy, this study investigates different types of dysfunctional information system behaviors to determine if, among them, there are any differences in behavioral intentions and in the causal links between these intentions and their predictor variables. The results show that both the intentions and the causal links between these intentions and their predictors vary among the four behavior categories.

Keywords:

Dysfunctional behavior taxonomy

Theory of planned behavior

Behavioral intention

Structural equation modelling

Partial least square

Vignettes

Page 4 of 44

Ac ce pte d M an us cri pt 2 1. Introduction

Information system (IS) security risks posed by inappropriate actions of individual members of an organization have been a topic of interest in a vast amount of literature [1-3].

These individuals are insiders who sit behind the organizational firewall and are empowered with escalated user privileges [4]. They have a dual role in information security systems, both as allies and as a source of threats [5]. Studies have suggested that within the information security chain, insiders remain the weakest link in the effort to secure organizational IS assets [2, 3, 6, 7]. Some surveys and investigations have also shown that despite rapid advancement in protection technologies as well as IS security policies and procedures, IS security breaches remain significant and they are substantially linked to actions of insiders [8, 9].

The call for more studies on the behavioral aspects of IS security has long been voiced [4], and some significant studies exist in this area. The existing studies in the IS security area that look into the behavioral aspects of the insiders have provided insights into the effects of insiders‟ dysfunctional behaviors on organizational IS assets. These can be seen in valuable work on IS security compliance/non-compliance behaviors [10-20] including motivations to comply with IS security policies [21-24], IS misuse [2, 25-31], and studies on computer abuse [32-34]. These IS security studies, however, have largely focused on nonmalicious and policy non-compliance behaviors [4, 7]. This leads to a further need for more studies into a broader range of actions that pose various levels of risk to organizational IS assets.

The following are some examples of the above studies. Myyry, Siponen, Pahnila,

Vartiainen, and Vance [15] aimed to explain employees‟ IS non-compliance in terms of moral reasoning and values. Hu, Xu, Dinev, and Ling [16] described and tested a model of information security policy violation based on multiple criminological perspectives. Ifinedo [21] integrated social bonding, social influence, and cognitive processing perspectives to

Page 5 of 44

Ac ce pte d M an us cri pt 3 understand employees‟ IS security policy compliance behaviors. Son [23] tried to explain why employees do or do not follow IS security rules using an intrinsic motivation model.