Elsevier

Computers & Security

Volume 87, November 2019, 101397

Do I really belong?: Impact of employment status on information security policy compliance

https://doi.org/10.1016/j.cose.2018.09.005

Abstract

With recent incidents of temporary employees such as seasonal employees, contractors, and subcontractors engaging in information security violations, once again the focus lies on motivating the people within the “organization's wall” to comply with information security. This research paper studies the impact of employment status on organizational commitment and perceived organizational support of employees and how those will affect behavioral intention to comply with Information Security Policies (ISP). Employment status, specifically permanent versus temporary status, can result in different levels of organizational commitment and perceived organizational support. The result of the study supports the notion that the effect of organizational commitment and perceived organizational support on behavioral intention to use ISP will be stronger among permanent employees. The research also found that perceived response cost of performing a behavior would negatively impact intention to comply with ISP.

Introduction

The trends of globalization and inter-connection have led to heavy reliance on information systems (IS) and Internet-based mechanisms. The growing dependence on computerized information systems to take advantage of globalization and the competitive economic environment has also brought attention to the probable security threats. It is important to mention that such a security threat is usually an ‘insider's job’, as these ‘trusted agents’ have access privileges and intimate knowledge of organizational processes (Johnston & Warkentin, 2010) and may account for up to half of the intrusions and security violations (Richardson, 2007). There has been a dramatic increase in security breaches through intentional and unintentional insider threats, as 53% of the respondents experienced malicious insider attacks in 2012 as opposed to 49% in 2007 and 36% in 2004 (Anon, 2013a). The harm to the IS from an organizational member can be a deliberate effort by a disgruntled employee or a passive noncompliance with security policies as a result of carelessness or poor training (Willison & Warkentin, 2013). Previous literature has discussed the impact of individual factors such as the role of personality (e.g., McBride, Carter, & Warkentin, 2012), habit (e.g., Limayem, Hirt, & Cheung, 2007), and self-efficacy (e.g., Compeau & Higgins, 1995) on information security compliance of employees. However, the study of contextual factors to understand compliance or noncompliance with ISP is limited. Contextual factors, such as an employee's position in the organization, the characteristics of the position, and the opportunities provided by it, largely determine employees’ intentions to comply or not comply with ISP (D'Arcy & Herath, 2011). Based on this research gap, the current paper will study the differences that employment status may make to ISP compliance.

The emergence of new technologies, the growth of the service economy and the trend of unstable global demand-supply have forced firms to increase the flexibility of their labor force. Indeed, the success of many firms at present is closely tied to the ability to rapidly change the number and mix of employee skills (Moorman & Harland, 2002). However, labor forces with different employee positions bring different stakes and levels of commitment. This is particularly true of temporary employees, who have little reason to be committed to their organization, as the relationship is often a mere economic exchange for a pre-mentioned time frame. The case of Donald Sachtleben leaking classified information about an upgraded underwear bomb involved in a foiled Yemeni terror plot; the example of Aaron Alexis, the alleged gunman in the Washington Navy Yard shooting; the instance where an employee of Colorado Community Health Alliance leaked health-care data of 1900 patients of the Department of Health Care Policy and Financing, Colorado; the example of Brian Howard, a contracted employee assigned to the Federal Aviation Administration who set fire to the radar center in Chicago; and the case of National Security Agency (NSA) information leaker Edward Snowden all have one thing in common – they all worked as temporary employees, freelancers, or federal contractors and leaked sensitive information. Such temporary employees, contractors, and freelancers are said to be one of the major contributing factors in data breaches (Goldman, 2014). Indeed, nearly half of data breaches involve third-party vendors or contractors (Wright, 2013). It is astounding to see that almost 30% of the workforce in the US intelligence agencies is made up of contractors (Priest & Arkin, 2010).
Out of 1.4 million people who held a top-secret authorization for some form of US national intelligence, only half were direct government employees; more than 480,000 contractors held top-secret credentials, while almost 135,000 were categorized as “other” (Colarusso, 2013). Similarly, companies from Wal-Mart to General Motors are increasingly turning to temp workers, freelancers, contract workers, and consultants, whose numbers have approached 17 million in recent times (Anon, 2013b). Such employees have tenuous ties to the companies that pay them. The lack of commitment and organizational citizenship behavior (OCB) on the part of these temporary contract workers has been suggested in ISO17799, the dominant managerial standard for IS security management (Theoharidou et al., 2005). Previous studies show that contractors are a calculating, emotionally detached, and opportunistic workforce that is self-interested (Williamson, 1991). Research also shows that, because independent contractors usually have no written restrictive agreement with their employers, they have more leeway in taking advantage of loopholes in the organization (Slaughter & Ang, 1996). Adding non-disclosure clauses to the contracts of temporary employees, or segregating their duties from critical information-oriented tasks, has been highly recommended (Theoharidou et al., 2005). Despite detailed study of employment position and its impact on organizations in the management literature, the study of the role of employment positions in ISP compliance has been very limited.

This paper focuses on how an employment position such as contract/part-time or permanent shapes the OCB of employees and affects their perception of the severity, certainty, and celerity of punishment. It is important to analyze how the level of commitment, job attitude, fairness and perceived organizational support differ among employees with different employment positions and how this would affect ISP compliance in an organization. Also, employees in different positions perceive the threat of punishment in different ways. Thus, the general deterrence that motivates employees holding certain positions to comply with ISP may not similarly motivate employees in other employment positions.

We begin this paper with a review of relevant literature related to ISP compliance, employment positions, and employee citizenship behavior to develop a theoretical foundation for constructing a theoretical model which can be empirically tested. In the process, we discuss how this study is theoretically driven by Social Exchange Theory and further informed by the literature on Dual Labor Market Theory and Organizational Support Theory. The relationships between the constructs in our research model are guided by these theories. The next section will discuss the details of instrument development and validation. Then the paper presents structural model testing based on the hypotheses developed. The final section of the paper will provide a discussion of our findings, implications for theory and practice, and conclude by discussing avenues for future research.

Section snippets

Literature review

The development of multiple forms of employment, such as permanent and contingent workers, has drawn attention to the need to handle different employee relationships within the organization. Temporary workers are those contingent workers and on-call workers who do not expect their jobs to last for a longer time (not more than one year) and may not have an implicit or explicit contract for ongoing employment (Anon, 2005). Permanent workers are those workers who do not fall within the contingent

Theory for the study

This study is theoretically driven by Social Exchange Theory and further informed by the literature on Dual Labor Market Theory and Organizational Support Theory. Thus, the relationships within the conceptual model are motivated by these three theories.

Social Exchange Theory advocates that the exchange relationship between two parties often goes beyond economic exchange and includes social exchange (Blau, 1964). This theory has further been expanded on the organizational studies front by

Instrumentation

Validated scales that were used in prior research were adapted to the context of this study to measure the constructs through a five-point Likert scale. The items for measuring OC were adopted from Hearth and Rao (2003) and Allen and Meyer (1990). The items for measuring BINT are adapted from Venkatesh et al. (2003). The items for POS were adapted from Eisenberger et al. (1986) and Rhoades and Eisenberger (2002). The items for RC were adapted from Bulgurcu et al. (2010). The questionnaire was

Instrument validation

To validate the instrument and test the structural model, this research paper used Partial Least Squares (PLS) through SmartPLS (Ringle, Wende, & Will, 2005). The data were divided into two sets based on employment status. To assess the reflective constructs in the measurement model for both data sets, tests of individual item reliability, convergent validity, discriminant validity and construct reliability were performed.

The data (for both forms of employment status) were first

Key findings

The findings of this study show that perceived response cost has a significant impact on the intention to comply with security policies. This suggests that the costs individuals perceive in complying with information security policy are significant enough to make an important difference in whether they comply with the organization's security policy or not. This finding is in line with previous research (Herath and Rao, 2009b; Siponen and Vance, 2010). Our research


References (64)

  • Key findings from the 2013 US State of Cybercrime Survey (2013)
  • US companies increasingly turning to temporary workers to fill positions (2013)
  • P.M. Blau. Exchange and power in social life (1964)
  • J. Blusiewicz. The case of Edward Snowden: a different path. Cornell Int Aff Rev (2014)
  • B. Bulgurcu et al. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q (2010)
  • L. Colarusso. How did Edward Snowden, a contractor, get access to classified data? The Daily Beast (2013)
  • D.R. Compeau et al. Computer self-efficacy: development of a measure and initial test. MIS Q (1995)
  • J.A. Coyle-Shapiro et al. Contingent and non-contingent working in local government: contrasting psychological contracts. Publ Admin (2002)
  • J. D'Arcy et al. The multifaceted nature of security culture and its influence on end user behavior
  • J. D'Arcy et al. A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. Eur J Inf Syst (2011)
  • P. Doeringer et al. Internal labor markets and manpower adjustment (1971)
  • V.L. Dyne et al. Organizational citizenship behavior of contingent workers in Singapore. Acad Manag J (1998)
  • R. Eisenberger. Perceived organizational support. J Appl Psychol (1986)
  • R. Eisenberger. Perceived organizational support. The employment relationship: Examining psychological and contextual perspectives (2004)
  • R. Eisenberger. Reciprocation of perceived organizational support. J Appl Psychol (2001)
  • J.F. Geary. Employment flexibility and human resource management: the case of three American electronics plants. Work Employ Soc (1992)
  • J. Goldman. Survey: 20 percent of employees have stolen corporate data
  • Guest, D., & Clinton, M. Temporary employment contracts, workers’ well-being and behaviour: evidence from the UK, 2006,...
  • M. Heller. Temporary workers cause access management troubles over the holidays. TechTarget (2015)
  • T. Herath et al. Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur J Inf Syst (2009)
  • J.F. Hill. The growth of data localization post-snowden: analysis and recommendations for us policymakers and business leaders
Cited by (33)

  • The valued coexistence of protection motivation and stewardship in information security behaviors
    2023, Computers and Security
    Citation excerpt: When one is emotionally attached to something, they feel a responsibility to protect the object. Since information resources are a core component of today's organizations’ well-being and activities (Kappelman et al., 2017), it follows that an individual's commitment to the organization will influence their protection of information resources (Posey et al., 2015; Sharma and Warkentin, 2019); and thus, lessen their inclination to violate ISPs. H12: Organizational commitment will have a negative relationship with intention to violate security policies.

  • Organizational and team culture as antecedents of protection motivation among IT employees
    2022, Computers and Security
    Citation excerpt: When the culture of the organization involves developing information security policies by taking inputs from employees, focusing on security policies as a part of the mission, and creating consistent but adaptable values and rules, employees go above and beyond to perform their responsibilities. Employees who find the organization's culture positive are ready to spend more time and effort to show their commitment to the information security policy (Sharma and Warkentin, 2019). A strong organizational culture increases the commitment of the employees toward the existing beliefs.

  • Voluntary and instrumental information security policy compliance: an integrated view of prosocial motivation, self-regulation and deterrence
    2022, Computers and Security
    Citation excerpt: We conducted our main data collection through Amazon's Mechanical Turk™ (MTurk). To ensure the quality of survey responses, we followed the methodological recommendations on MTurk data collection (Goodman et al., 2013; Lowry et al., 2016a) and the data collection practice from large diverse samples of organizations (Sharma and Warkentin, 2019; Yazdanmehr and Wang, 2016; Yazdanmehr et al., 2020). Two pre-survey screening questions were used to filter out participants who were (1) not aware of any ISPs in their organizations and (2) not from an organization in the US.


Shwadhin Sharma is an Assistant Professor in the College of Business at California State University Monterey Bay. His research interests are in the areas of technical and behavioral aspects of consumptions of technology and education. He actively pursues research areas such as privacy and security, electronic commerce and social commerce, big data analytics, the role of dispositional factors in IT, and IT adoption and discontinuation. He has taught classes such as “Database Management”, “Business Intelligence for Managers”, “Emerging technologies and Business Models”, “Management Information Systems”, and “Computer Information Systems”, to name a few. He has published his research in journals such as Journal of Computer Information Systems, Government Information Quarterly, Electronic Commerce Research and Applications and Computers & Security and at several academic conferences. He serves on the editorial board of two journals and has served as a reviewer for several reputed journals and conferences. Dr. Sharma also serves as the Resource/Listserv chair for the SIG Decision Support and Analytics (SIGDSA) group, which is a reputed chapter with Association of Information Systems. He has co-chaired a mini-track on “Social Network Analytics in Big Data Environment” in AMCIS 2016.

Merrill Warkentin is the James J. Rouse Professor of Information Systems in the College of Business at Mississippi State University. His research, primarily on the impacts of organizational, contextual, and dispositional influences on individual behaviors in the context of information security and privacy and in social media, has appeared in MIS Quarterly, Journal of MIS, Journal of the AIS, European Journal of Information Systems, Information Systems Journal, Decision Sciences, Information & Management, and others. He is the author of 80 peer-reviewed journal articles and the author or editor of seven books. He was the Program Co-Chair for the 2016 AMCIS Conference, and he serves (or has served) as Associate Editor for MIS Quarterly, Information Systems Research, Decision Sciences, European Journal of Information Systems, Information & Management, and other journals. His work has been funded by NATO, NSF, NSA, DoD, Homeland Security, IBM, and others.
