Data breaches continue to surge worldwide, exposing customer data and individuals’ social security and bank account numbers.Not only do they pose a major privacy concern, but the average cost of a data breach in 2020 was $3.86 million, according to the Ponemon Institute. A large number of breaches occur at the user level, some stemming from noncompliance with corporate information security policies.To better help organizations understand why their users choose not to follow these policies, Khole Gwebu and Jing Wang, associate professors of decision sciences at Paul College, looked at what prompts employees to engage in non-compliant actions in a study recently published in the highly regarded Information Systems Journal.
Their study builds upon existing work that suggests employees face simultaneous—even conflicting— messages about the importance of following corporate information security policies. For example, an employee might bring a laptop home to meet a tight deadline or share their passwords with coworkers, justifying their noncompliance because they believe it saved their firm time or money. In this study, Gwebu and Wang broadened their research to look at the organizational ethical forces that drive employees to neutralize their guilt and violate such policies in the first place.
“This research seeks to understand how organizations can create the right conditions to prevent employees from prioritizing other work demands over information security policies,” Wang says. “Specifically, we focus on ethical work climate, employees’ beliefs towards their organizations’ information security policies, and neutralization/justification for deviant behaviors to investigate how these factors interact to jointly explain employees’ noncompliance behaviors towards information security policies.”
An important conclusion that Wang and Gwebu draw from their study is that an ethical work climate provides the basis upon which individuals construct their beliefs and neutralization reasoning, and organizations that put ethics in the forefront should experience better ISP compliance.
“An ethical work climate needs to be transformed and internalized with individuals’ cognitive system before it can exert influence on behavior,” the study reveals.
Gwebu and Wang surveyed a panel of more than 400 people representing diverse organizations nationwide, probing their understanding of information security policies and their responses to them. They determined that neutralization (or justification for noncompliance), perceived cost of compliance, and perceived cost of noncompliance were all found to significantly impact noncompliance. The researchers then divided respondents’ work environments into three distinct categories: egoistic, benevolent, or principled. Egoistic work environments hold organizational and individual interests in higher esteem, whereas principled ones prioritize laws and policies— proving to be the most compliant workplaces when it comes to following information security policies. Benevolent organizations that favor organizational cooperation can have both positive and negative impacts on information security compliance, Gwebu says.
For example, an employee may feel torn about sharing her printer password with a colleague who might ask for it in order to quickly print a document. In benevolent work environments, workers are interested in taking care of their colleagues and might make a choice to violate a policy to do so.
"A benevolent climate could have unintended negative consequences on the perceived cost of compliance and neutralization,” he says. In other words, the culture might find it more costly to impact an employee’s performance rather than follow security policies aimed to protect data security. Although Gwebu and Wang are not suggesting that organizations refrain from nurturing a benevolent climate—given that such a climate’s positive impacts likely far outweigh any potential negative consequences—managers do need to be aware of any unintended behaviors such a climate might foster.
Wang says the study has practical implications because it uncovers some of the frameworks that may predict noncompliance before it occurs. This can help organizations rethink their own enforcement of ISPs and what they can do to reinforce compliance. For example, fostering an ethical climate that prevents employees from justifying their behaviors and implementing consistent training programs are two measures companies can take to develop a more ISP compliant culture.
RECENT SELECTED PUBLICATIONS
Gwebu, K., Wang, J., Hu, M. Y. (2020). Information security policy noncompliance: An integrative social influence model. Information Systems Journal, 30(2).
Gwebu, K. L., Wang, J., & Wang, L. (2018). The Role of Corporate Reputation and Crisis Response Strategies in Data Breach Management. Journal of Management Information Systems, 35(2).