The extant literature analyzing information system security policy violations has primarily focused on accidental or non-malicious noncompliance behavior. The focus is typically on the direct antecedents of behavioral intention, and researchers have applied theories related to planned behavior, adoption, protection motivation, and other cognitive processes. But another class of violation demands greater research emphasis--the intentional commission of computer security policy violation, or computer abuse. Whether motivated by greed, disgruntlement, or other psychological process, this act has the greatest potential for loss and damage to the employer. We argue the focus must include not only the act and its immediate antecedents, but also the cognitive processes leading to the formation of abuse intention, including the motivations and decision processes that may lead up to intention. By presenting three specific examples of how the organization can expand its zone of control further back in time ('to the left of bang'), our framework extends the Straub and Welke (1998) security action cycle. We present the Extended Security Action Cycle, a new theoretic model for illustrating potential organizational impacts on the formation of employees' intention to commit computer abuse within the organization. Implications for practitioners and academic researchers are presented, including guidelines for establishing trust with employees that will foster positive perceptions of organizational justice.
|Publication status||Published - Oct 2010|
|Event||The Dewald Roode Workshop on Information Systems Security Research, IFIP - Boston, USA|
Duration: 1 Oct 2010 → …
|Conference||The Dewald Roode Workshop on Information Systems Security Research, IFIP|
|Period||1/10/10 → …|