Do I really belong?: Impact of employment status on information security policy compliance
Introduction
The trends of globalization and inter-connection have led to heavy reliance on information systems (IS) and Internet-based mechanisms. The growing dependence on computerized information systems to take advantage of globalization and the competitive economic environment has also brought attention to the probable security threats. It is important to mention that such a security threat is usually an ‘insider's job’, as these ‘trusted agents’ have access privileges and intimate knowledge of organizational processes (Johnston & Warkentin, 2010) and may account for up to half of the intrusions and security violations (Richardson, 2007). There has been a dramatic increase in security breaches through intentional and unintentional insider threats, as 53% of the respondents experienced malicious insider attacks in 2012 as opposed to 49% in 2007 and 36% in 2004 (Anon, 2013a). The harm to the IS from an organizational member can be a deliberate effort by a disgruntled employee or passive noncompliance with security policies as a result of carelessness or poor training (Willison & Warkentin, 2013). Previous literature has discussed the impact of individual factors such as the role of personality (e.g., McBride, Carter, & Warkentin, 2012), habit (e.g., Limayem, Hirt, & Cheung, 2007), and self-efficacy (e.g., Compeau & Higgins, 1995) on the information security compliance of employees. However, the study of contextual factors to understand compliance or noncompliance with information security policy (ISP) is limited. Contextual factors, such as an employee's position in the organization, the characteristics of the position, and the opportunities provided by it, largely determine employees’ intentions to comply or not comply with ISP (D’Arcy & Herath, 2011). Based on this research gap, this paper studies the differences that employment status may make to ISP compliance.
The emergence of new technologies, the growth of the service economy and the trend of unstable global demand and supply have forced firms to increase the flexibility of their labor force. Indeed, the success of many firms at present is closely tied to the ability to rapidly change the number and mix of employee skills (Moorman & Harland, 2002). However, labor forces with different employee positions bring different stakes and levels of commitment. This is particularly true of temporary employees, who have little reason to be committed to their organization, as the relationship is often a mere economic exchange for a pre-specified time frame. The case of Donald Sachtleben leaking classified information about an upgraded underwear bomb involved in a foiled Yemeni terror plot; the example of Aaron Alexis, the alleged gunman in the Washington Navy Yard shooting; the instance where an employee of the Colorado Community Health Alliance leaked health-care data of 1900 patients of the Department of Health Care Policy and Financing, Colorado; the example of Brian Howard, a contracted employee assigned to the Federal Aviation Administration who set fire to the radar center in Chicago; and the case of National Security Agency (NSA) information leaker Edward Snowden all have one thing in common: they all worked as temporary employees, freelancers, or federal contractors and leaked sensitive information. Such temporary employees, contractors, and freelancers are said to be one of the major contributing factors in data breaches (Goldman, 2014). Indeed, nearly half of data breaches involve third-party vendors or contractors (Wright, 2013). It is astounding to see that almost 30% of the workforce in the US intelligence agencies is made up of contractors (Priest & Arkin, 2010).
Out of 1.4 million people who held a top-secret authorization for some form of US national intelligence, only half of those were direct government employees; more than 480,000 contractors held top-secret credentials, while almost 135,000 were categorized as “other” (Colarusso, 2013). Similarly, companies from Wal-Mart to General Motors are increasingly turning to temp workers, freelancers, contract workers, and consultants, whose numbers have approached 17 million in recent times (Anon, 2013b). Such employees have tenuous ties to the companies that pay them. The lack of commitment and organizational citizenship behavior (OCB) on the part of these temporary contract workers has been suggested in ISO17799, the dominant managerial standard for IS security management (Theoharidou et al., 2005). Previous studies show that contractors are a calculating, emotionally detached, opportunistic, and self-interested workforce (Williamson, 1991). Research also shows that because independent contractors usually have no written restrictive agreement with their employers, they have more leeway in taking advantage of loopholes in the organization (Slaughter & Ang, 1996). Adding non-disclosure clauses to the contracts of temporary employees, or segregating their duties from critical information-oriented tasks, has been highly recommended (Theoharidou et al., 2005). Despite detailed study of employment position and its impact on organizations in the management literature, the study of the role of employment positions in ISP compliance has been very limited.
This paper focuses on how an employment position, such as contract/part-time or permanent, shapes the OCB of employees and affects their perception of the severity, certainty, and celerity of punishment. It is important to analyze how the level of commitment, job attitude, fairness and perceived organizational support differ among employees with different employment positions and how this affects ISP compliance in an organization. Also, employees in different positions perceive the threat of punishment in different ways. Thus, the general deterrence required to motivate employees holding certain positions to comply with ISP may not similarly motivate employees in other employment positions.
We begin this paper with a review of the relevant literature on ISP compliance, employment positions, and employee citizenship behavior to develop a theoretical foundation for constructing a theoretical model that can be empirically tested. In the process, we discuss how this study is theoretically driven by Social Exchange Theory and further informed by the literature on Dual Labor Market Theory and Organizational Support Theory. The relationships between the constructs in our research model are guided by these theories. The next section discusses the details of instrument development and validation. Then the paper presents structural model testing based on the hypotheses developed. The final section of the paper provides a discussion of our findings and implications for theory and practice, and concludes by discussing avenues for future research.
Literature review
The development of multiple forms of employment, such as permanent and contingent work, has drawn attention to the need to handle different employee relationships within the organization. Temporary workers are those contingent workers and on-call workers who do not expect their jobs to last for a longer time (not more than one year) and may not have an implicit or explicit contract for ongoing employment (Anon, 2005). Permanent workers are those workers who do not fall within the contingent
Theory for the study
This study is theoretically driven by Social Exchange Theory and further informed by the literature on Dual Labor Market Theory and Organizational Support Theory. Thus, the relationships within the conceptual model are motivated by these three theories.
Social Exchange Theory advocates that the exchange relationship between two parties often goes beyond economic exchange and includes social exchange (Blau, 1964). This theory has further been expanded on the organizational studies front by
Instrumentation
Validated scales that were used in prior research were adapted to the context of this study to measure the constructs through a five-point Likert scale. The items for measuring OC were adopted from Hearth and Rao (2003) and Allen and Meyer (1990). The items for measuring BINT are adapted from Venkatesh et al. (2003). The items for POS were adapted from Eisenberger et al. (1986) and Rhoades and Eisenberger (2002). The items for RC were adapted from Bulgurcu et al. (2010). The questionnaire was
Instrument validation
To validate the instrument and test the structural model, this research used Partial Least Squares (PLS) through SmartPLS (Ringle, Wende, & Will, 2005). The data were divided into two sets based on employment status. To assess the reflective constructs in the measurement model for both data sets, tests of individual item reliability, convergent validity, discriminant validity and construct reliability were performed.
The data (for both forms of employment status) were first
Key findings
The findings of this study show that the perceived response cost has a significant impact on the intention to comply with security policies. This suggests that the costs individuals perceive in complying with information security policy are significant enough to make an important difference to whether they comply with the organization's security policy or not. This finding is in line with previous research (Herath and Rao, 2009b; Siponen and Vance, 2010). Our research
References (64)
- et al. The role of perceived organizational support and supportive human resource practices in the turnover process. J Manag (2003)
- Does the form of employment make a difference?-Commitment of traditional, temporary, and self-employed workers. J Vocat Behav (2008)
- et al. Assessing the impact of security culture and the employee-organization relationship on IS security compliance
- et al. Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decis Support Syst (2009)
- et al. The impact of collectivism and psychological ownership on protection motivation: a cross-cultural examination. Comput Secur (2018)
- Affective, continuance, and normative commitment to the organization: a meta-analysis of antecedents, correlates and consequences. J Vocat Behav (2002)
- et al. Commitment in the workplace towards a general model. Hum Resour Manag Rev (2001)
- et al. Personality, attitudes, and intentions: Predicting initial adoption of information security behavior. Comput Secur (2015)
- The insider threat to information systems and the effectiveness of ISO17799. Comput Secur (2005)
- Contingent and alternative employment arrangements. United States Department of Labor (2005)
- Key findings from the 2013 US State of Cybercrime Survey
- US companies increasingly turning to temporary workers to fill positions
- Exchange and power in social life
- The case of Edward Snowden: a different path. Cornell Int Aff Rev
- Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q
- How did Edward Snowden, a contractor, get access to classified data? The Daily Beast
- Computer self-efficacy: development of a measure and initial test. MIS Q
- Contingent and non‐contingent working in local government: contrasting psychological contracts. Publ Admin
- The multifaceted nature of security culture and its influence on end user behavior
- A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. Eur J Inf Syst
- Internal labor markets and manpower adjustment
- Organizational citizenship behavior of contingent workers in Singapore. Acad Manag J
- Perceived organizational support. J Appl Psychol
- Perceived organizational support. The employment relationship: Examining psychological and contextual perspectives
- Reciprocation of perceived organizational support. J Appl Psychol
- Employment flexibility and human resource management: the case of three American electronics plants. Work Employ Soc
- Survey: 20 percent of employees have stolen corporate data
- Temporary workers cause access management troubles over the holidays. TechTarget
- Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur J Inf Syst
- The growth of data localization post-Snowden: analysis and recommendations for US policymakers and business leaders
Cited by (33)
VISTA: An inclusive insider threat taxonomy, with mitigation strategies
2024, Information and Management
The valued coexistence of protection motivation and stewardship in information security behaviors
2023, Computers and Security
Citation excerpt: When one is emotionally attached to something, they feel a responsibility to protect the object. Since information resources are a core component of today's organizations’ well-being and activities (Kappelman et al., 2017), it follows that an individual's commitment to the organization will influence their protection of information resources (Posey et al., 2015; Sharma and Warkentin, 2019); and thus, lessen their inclination to violate ISPs. H12: Organizational commitment will have a negative relationship with intention to violate security policies.
Organizational and team culture as antecedents of protection motivation among IT employees
2022, Computers and Security
Citation excerpt: When the culture of the organization involves developing information security policies by taking inputs from employees, focusing on security policies as a part of the mission, and creating consistent but adaptable values and rules, employees go above and beyond to perform their responsibilities. Employees who find the organization's culture positive are ready to spend more time and effort to show their commitment to the information security policy (Sharma and Warkentin, 2019). A strong organizational culture increases the commitment of the employees toward the existing beliefs.
Voluntary and instrumental information security policy compliance: an integrated view of prosocial motivation, self-regulation and deterrence
2022, Computers and Security
Citation excerpt: We conducted our main data collection through Amazon's Mechanical Turk™ (MTurk). To ensure the quality of survey responses, we followed the methodological recommendations on MTurk data collection (Goodman et al., 2013; Lowry et al., 2016a) and the data collection practice from large diverse samples of organizations (Sharma and Warkentin, 2019; Yazdanmehr and Wang, 2016; Yazdanmehr et al., 2020). Two pre-survey screening questions were used to filter out participants who were (1) not aware of any ISPs in their organizations and (2) not from an organization in the US.
Shwadhin Sharma is an Assistant Professor in the College of Business at California State University Monterey Bay. His research interests are in the areas of technical and behavioral aspects of consumption of technology and education. He actively pursues research areas such as privacy and security, electronic commerce and social commerce, big data analytics, the role of dispositional factors in IT, and IT adoption and discontinuation. He has taught classes such as “Database Management”, “Business Intelligence for Managers”, “Emerging technologies and Business Models”, “Management Information Systems”, and “Computer Information Systems”, to name a few. He has published his research in journals such as Journal of Computer Information Systems, Government Information Quarterly, Electronic Commerce Research and Applications and Computers & Security, and at several academic conferences. He serves on the editorial board of two journals and has served as a reviewer for several reputed journals and conferences. Dr. Sharma also serves as the Resource/Listserv chair for the SIG Decision Support and Analytics (SIGDSA) group, which is a reputed chapter with Association of Information Systems. He has co-chaired a mini-track on “Social Network Analytics in Big Data Environment” in AMCIS 2016.
Merrill Warkentin is the James J. Rouse Professor of Information Systems in the College of Business at Mississippi State University. His research, primarily on the impacts of organizational, contextual, and dispositional influences on individual behaviors in the context of information security and privacy and in social media, has appeared in MIS Quarterly, Journal of MIS, Journal of the AIS, European Journal of Information Systems, Information Systems Journal, Decision Sciences, Information & Management, and others. He is the author of 80 peer-reviewed journal articles and the author or editor of seven books. He was the Program Co-Chair for the 2016 AMCIS Conference, and he serves (or has served) as Associate Editor for MIS Quarterly, Information Systems Research, Decision Sciences, European Journal of Information Systems, Information & Management, and other journals. His work has been funded by NATO, NSF, NSA, DoD, Homeland Security, IBM, and others.