Insights into Understanding Employees' Compliance with IT Security Policies in the Shadow IT Context
Type
fundamental research project
Start Date
15 January 2015
End Date
14 January 2016
Status
completed
Keywords
Shadow IT
software
organisational IT
shadow systems
information security
neutralization theory
employee compliance
Description
Employees' compliance with IT security policies represents a major concern for organizations, where this insider threat is currently identified as the top source of organizational data breaches. This is quite concerning given that over half of all IS security breaches are caused by a lack of employees' IT security compliance. It is estimated that an insider attack costs a company approximately $412,000 per incident and approximately $15 million in annual losses per company. Deterrence theory, a prominent theory from the criminology field, explains that the use of sanctions can be an efficient technique for dealing with employees' negligence or ignorance of IT security policies. However, violation of IT security policies may not always be well explained by fear of sanctions, as employees may use techniques of neutralization: an employee who performs a deviant action will justify their behavior with the argument that no damage will really be done. This led to the birth of the Shadow IT phenomenon, which empowered employees by providing them with tools, services and systems not authorized by the IT department. Shadow IT represents all hardware, software, or other solutions used by employees inside the organizational ecosystem that did not receive any formal IT department approval (Silic & Back, 2014). In light of the Shadow IT phenomenon, the paradoxical question posed by Sykes and Matza (1957) follows: "why does delinquency occur if there is a commitment to the usages of conformity?". While neutralization theory does provide a good theoretical foundation for scoping and understanding the insider threat, we still lack empirical research in this area connected to specific forms of computer abuse.
What types of insider violations are practiced, which neutralization techniques are used, what is the overall effect on deterrence, and under which conditions? All these questions are currently unanswered. According to Willison and Warkentin (2013), these questions are highly relevant, as "research addressing these areas would not only broaden our understanding of employee computer abuse, but also provide a firm basis for contemplating intervention strategies". Our study aims to address these questions and extend the current theoretical understanding of employees' compliance with IT security policies in the Shadow IT context. Based on the preliminary studies we conducted, and supported by neutralization theory, we aim to answer the following research questions:
- Which rationalizations are associated with the Shadow IT-specific form of a deviant act?
- Are neutralization techniques good predictors of employees' intention to be non-compliant in the Shadow IT context?
With our study we aim to advance the current understanding from theoretical and practical standpoints by publishing our work in high-ranking international journals.
Leader contributor(s)
Funder(s)
Topic(s)
IT Security Compliance
Neutralization Theory
Employee Compliance
Shadow IT
Method(s)
Structural Equation Modelling
Surveys
Range
School
Range (De)
School
Division(s)
Eprints ID
239365