A Moral-Belief Model for Deterring Non-Work-Related Computing in Organizations

  • Received : 2019.05.23
  • Accepted : 2019.08.17
  • Published : 2019.12.31

Abstract

The negative consequences of employees' non-work-related computing (NWRC) have been one of the security-related issues in information-intensive organizations. While most studies have focused on the factors that motivate employees to engage in NWRC, this study examines the mediating effect of moral beliefs on the relationship between sanctions and NWRC using a moral beliefs-based model. The research model posits that formal sanctions (i.e., punishment severity and detection certainty) and informal sanctions (subjective norms and descriptive norms) enhance employees' moral beliefs against NWRC intention. Based on a cross-sectional, scenario-based survey of 176 employees working at banks in Mongolia, our results indicate that moral beliefs fully mediate the relationship between detection certainty/subjective norms and NWRC intention and act as a partial mediator in the relationship between descriptive norms and NWRC. The findings from this study present empirical evidence that both informal and formal sanctions could be effective deterrents for NWRC intention through employees' moral beliefs.

Keywords

Acknowledgement

This research was based on the thesis of Master Tserendulam Munkh-Erdene.
