| 1. |
- Kajtazi, Miranda, 1983-, et al.
(författare)
-
Information Security Policy Compliance : An Empirical Study on Escalation of Commitment
- 2013
-
Ingår i: 19th Americas Conference on Information Systems (AMCIS 2013). - Red Hook, N.Y. : Curran Associates, Inc.. - 9781629933948 ; , s. 2011-2020
-
Konferensbidrag (refereegranskat)abstract
- This study aims to facilitate a new understanding on employees’ attitude towards compliance with the requirements of their information security policy (ISPs) through the lens of escalation. Escalation presents a situation in which employees must decide whether to persist in or withdraw from a non-performing task. Drawing on the Theory of Planned Behavior (TPB) and Agency Theory, our model delineates three mediating factors in explaining attitude: work impediment, information asymmetry, and safety of resources. We also propose information security awareness as an independent variable having an indirect effect on attitude through mediating factors. The proposed model is tested using the data collected from 376 employees working in the banking industry. The results of the PLS analyses show that while information asymmetry and safety of resources have significant impacts on attitude, work impediment does not. The results also show that ISA has significant impact on all three mediating factors.
|
|
| 2. |
- Kajtazi, Miranda, 1983-, et al.
(författare)
-
Guilt Proneness as a Mechanism Towards Information Security Policy Compliance
- 2013
-
Ingår i: Proceedings of the 24th Australasian Conference on Information Systems. - : Royal Melbourne Institute of Technology (RMIT). - 9780992449506
-
Konferensbidrag (refereegranskat)abstract
- In this paper, we develop a theoretical framework for understanding the role guilt proneness plays in the Information Security Policy (ISP) compliance. We define guilt proneness as an emotional personality trait indicative of a predisposition to experience a negative feeling about ISP violation. We develop a research model based on the theory of planned behaviour, guilt proneness theory and rational choice theory to explain employees’ intentions to comply with ISPs by incorporating the guilt proneness as a moderator between benefit of compliance and benefit of violation as perceived by employees and their attitude towards compliance. Identifying the roles of predispositions like guilt proneness in the ISP compliance will have interesting theoretical and practical implications in the area of information security.
|
|
| 3. |
- Kajtazi, Miranda, 1983-, et al.
(författare)
-
Assessing Self-Justification as an Antecedent of Noncompliance with Information Security Policies
- 2013
-
Ingår i: Proceedings of the 24th Australasian Conference on Information Systems. - : Royal Melbourne Institute of Technology (RMIT). - 9780992449506 ; , s. 1-12
-
Konferensbidrag (refereegranskat)abstract
- This paper aims to extend our knowledge about employees’ noncompliance with Information Security Policies (ISPs), focusing on employees’ self-justification as a result of escalation of commitment that may trigger noncompliance behaviour. Escalation presents a situation when employees must decide whether to persist or withdraw from nonperforming tasks at work. Drawing on self-justification theory and prospect theory, our model presents two escalation factors in explaining employee’s willingness to engage in noncompliance behaviour with ISPs: self-justification and risk perceptions. We also propose that perceived benefits of noncompliance and perceived costs of compliance, at the intersection of cognitive and emotional driven acts influence self-justification. The model is tested based on 376 respondents from banking industry. The results show that while self-justification has a significant impact on willingness, risk perceptions do not moderate their relation. We suggest that future research should explore the roles of self-justification in noncompliance to a greater extent.
|
|
| 4. |
- Kajtazi, Miranda, 1983-, et al.
(författare)
-
Escalation of commitment as an antecedent to noncompliance with information security policy
- 2018
-
Ingår i: Information and Computer Security. - : Emerald Group Publishing Limited. - 2056-4961. ; 26:2, s. 171-193
-
Tidskriftsartikel (refereegranskat)abstract
- Purpose: This study aims to identify antecedents to noncompliance behavior influenced by decision contexts where investments in time, effort and resources are devoted to a task - referred to as a task unlikely to be completed without violating the organization's information security policy (ISP).Design/methodology/approach: An empirical test of the suggested relationships in the proposed model was conducted through a field study using the survey method for data collection. Pre-tests, pre-study, main study and a follow-up study compose the frame of our methodology where more than 500 respondents are involved across different organizations.Findings: The results confirm that the antecedents that explain the escalation of commitment behavior in terms of the effect of lost assets, such as time, effort and other resources, give us a new lens to understand noncompliance behavior; employees seem to escalate their commitments to the completion of their tasks at the expense of becoming noncompliant with ISP.Research limitations/implications: One of the key areas that requires further attention from this study is to better understand the role of risk perceptions on employee behavior when dealing with value conflicts. Depending on how risk-averse or risk seeking an employee is, the model showed no significant support in either case to influence their noncompliance behavior. The authors therefore argue that employees' noncompliance may be influenced by more powerful beliefs, such as self-justification and sunk costs.Practical implications: The results show that when employees are caught in tasks undergoing difficulties, they are more likely to increase noncompliance behavior. By understanding better how project obstacles result in such tasks, security managers can define new mechanisms to counter employees' shift from compliance to noncompliance.Social implications: Apart from encouraging compliance with enforcement mechanisms (using direct behavioral controls like sanctions or rewards), indirect behavior controls may also encourage compliance. The authors suggest that the ISPs should state that the organization would take positive actions toward task completion and help their employees to resolve their problems quickly.Originality/value: This study is the first to tackle escalation of commitment theories and use antecedents that explain the effect of lost assets, such as time, effort and other resources can also explain noncompliance with ISP in terms of the value conflicts, where employees would often choose to forego compliance at the expense of finishing their tasks.
|
|
| 5. |
- Kajtazi, Miranda, 1983-, et al.
(författare)
-
Assessing Sunk Cost Effect on Employees'€™ Intentions to Violate Information Security Policies in Organizations
- 2014
-
Ingår i: Proceedings of the 47th Annual Hawaii International Conference on System Sciences. - : IEEE. - 9781479925049 ; , s. 3169-3177
-
Konferensbidrag (refereegranskat)abstract
- It has been widely known that employees pose insider threats to the information and technology resources of an organization. In this paper, we develop a model to explain insiders' intentional violation of the requirements of an information security policy. We propose sunk cost as a mediating factor. We test our research model on data collected from three information-intensive organizations in banking and pharmaceutical industries (n=502). Our results show that sunk cost acts as a mediator between the proposed antecedents of sunk cost (i.e., completion effect and goal in congruency) and intentions to violate the ISP. We discuss the implications of our results for developing theory and for re-designing current security agendas that could help improve compliance behavior in the future.
|
|
| 6. |
- Kajtazi, Miranda, 1983-
(författare)
-
Assessing Escalation of Commitment as an Antecedent of Noncompliance with Information Security Policy
- 2013
-
Doktorsavhandling (övrigt vetenskapligt/konstnärligt)abstract
- For organizations, emphasizing investments in security technology has become the norm. Trending security technologies are important for an organization’s information security strategy. Organizations commonly use such technologies to enforce information security policy (ISP) compliance on the part of their employees, to ensure the security of their information resources. Yet, it seems that employees frequently establish rules of their own for complying with the ISP. Questioning this concern, the present dissertation addresses employees’ violation of information security rules and regulations. The motivation is based on the concern that information security policy noncompliance is largely influenced by escalation of commitment. Escalation is a phenomenon that explains how employees in organizations often get involved in nonperforming tasks, commonly reflecting the tendency of persistence, when investments of resources have been initiated. This dissertation develops an integrated model based on Self-Justification theory, Prospect theory, and Approach Avoidance theory, that centres on two main factors of noncompliance, namely self-justification and sunk costs. These factors act as mediating mechanisms to explain the dependent factor of the willingness to engage in noncompliant behaviour. The theoretical model is empirically tested with a data set that represents responses from 639 respondents across 27 organizations using the scenario-based survey approach. The results of this dissertation present a dual outcome. For theory, our theoretical framework not only enriches the literature on information security by proving that escalation behaviour is an antecedent of noncompliance, but also generates new insights about the escalation of commitment literature. The findings suggest that employees’ cognitive traits are escalation’s main antecedents that present the necessary stimulation to violate an ISP, while employees’ emotional traits do not influence such stimulation when overpowered by cognitive traits. Our results also suggest that employees engaged in nonperforming tasks often become noncompliant, even though they were complying before. In principle, the findings show that employees prioritize the completion of their tasks, rather than their commitment to comply with the ISP, and thus become noncompliant. In practice, our results show that employees’ willingness to engage in noncompliant behaviour is largely influenced by self-justification and sunk costs. The main results suggest that (a) self-justification is largely driven by the benefits of noncompliance outweighing the costs of compliance; (b) sunk costs are largely driven by the completion effect; (c) the benefit of noncompliance is a significant factor in self-justification, partially mediated by its influence on the willingness to engage in noncompliance; and (d) the completion effect is a significant factor in the sunk costs, fully mediated by its influence on the willingness to engage in noncompliance. This dissertation advocates that further research is needed to account for and explain noncompliant behaviour by utilizing escalation theories in more depth, and that such an account requires an innovative and empirically driven effort.
|
|
| 7. |
- Kajtazi, Miranda, 1983-, et al.
(författare)
-
New Insights Into Understanding Manager’s Intentions to Overlook ISP Violation in Organizations through Escalation of Commitment Factors
- 2015
-
Ingår i: Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015). - Pöymouth : Plymouth University. - 9781841023885
-
Konferensbidrag (refereegranskat)abstract
- This paper addresses managers’ intentions to overlook their employees’ Information Security Policy (ISP) violation, in circumstances when on-going projects have to be completed and delivered even if ISP violation must take place to do so. The motivation is based on the concern that ISP violation can be influenced by escalation of commitment factors. Escalation is a phenomenon that explains how employees in organizations often get involved in nonperforming projects, commonly reflecting the tendency of persistence, when investments of resources have been initiated. We develop a theoretical understanding based on Escalation of Commitment theory that centres on two main factors of noncompliance, namely completion effect and sunk costs. We tested our theoretical concepts in a pilot study, based on qualitative and quantitative data received from 16 respondents from the IT – industry, each representing one respondent from the management level. The results show that while some managers are very strict about not accepting any form of ISP violation in their organization, their beliefs start to change when they realize that such form of violation may occur when their employees are closer to completion of a project. Our in-depth interviews with 3 respondents in the follow-up study, confirm the tension created between compliance with the ISP and the completion of the project. The results indicate that the larger the investments of time, efforts and money in a project, the more the managers consider that violation is acceptable
|
|
