Insights into Understanding Employees' Compliance with IT Security Policies in the Shadow IT Context


Employees' compliance with IT security policies is a major concern for organizations, as the insider threat is currently identified as the top source of organizational data breaches. This is all the more concerning given that over half of all IS security breaches are attributed to employees' failure to comply with IT security policies. An insider attack is estimated to cost a company approximately $412,000 per incident and approximately $15 million in annual losses per company. Deterrence theory, a prominent theory from the criminology field, holds that sanctions can be an efficient technique for dealing with employees' negligence of, or ignorance about, IT security policies. However, violations of IT security policies are not always well explained by fear of sanctions, because employees may use techniques of neutralization: an employee who performs a deviant act justifies the behavior with the argument that no real damage will be done. This has given rise to the Shadow IT phenomenon, which empowers employees with tools, services and systems not authorized by the IT department. Shadow IT comprises all hardware, software or other solutions used by employees inside the organizational ecosystem that have not received formal IT department approval (Silic & Back, 2014). In light of the Shadow IT phenomenon, the paradoxical question posed by Sykes and Matza (1957) becomes pertinent: "why does delinquency occur if there is a commitment to the usages of conformity?". While neutralization theory provides a good theoretical foundation for scoping and understanding the insider threat, empirical research that connects it to specific forms of computer abuse is still lacking.

What types of insider violations are practiced, which neutralization techniques are used, what is the overall effect on deterrence, and under which conditions? These questions are currently unanswered. According to Willison and Warkentin (2013), they are highly relevant, as "research addressing these areas would not only broaden our understanding of employee computer abuse, but also provide a firm basis for contemplating intervention strategies". Our study aims to address these questions and to extend the current theoretical understanding of employees' compliance with IT security policies in the Shadow IT context. Based on the preliminary studies we conducted, and drawing on neutralization theory, we aim to answer the following research questions:
- Which rationalizations are associated with the Shadow IT-specific form of deviant act?
- Are neutralization techniques good predictors of employees' intention to be non-compliant in the Shadow IT context?

With our study we aim to advance the current understanding from both theoretical and practical standpoints and to publish our work in high-ranking international journals.

Additional Information: unspecified
Commencement Date: 15 January 2015
Contributors: Silic, Mario (Project Manager) & Back, Andrea (Project Manager)
Datestamp: 27 Oct 2016 13:57
Institute/School: IWI - Institute of Information Management
Completion Date: 14 January 2016
Publications:
- Silic, Mario & Back, Andrea (2015). Identification and Importance of the Technological Risks of Open Source Software in the Enterprise Adoption Context. 12th International Conference on Wirtschaftsinformatik (WI 2015), Osnabrück.
- Silic, Mario & Back, Andrea (2015). Atos: Towards Zero Email Company. The Case Centre (UK).
- Silic, Mario; Back, Andrea & Silic, Dario (2015). Atos - Towards Zero Email Company. 23rd European Conference on Information Systems (ECIS 2015), Münster.
- Silic, Mario; Back, Andrea & Silic, Dario (2015). Email: from hero to zero - the beginning of the end? Journal of Information Technology Teaching Cases, 5(2), 84-91.
- Silic, Mario; Barlow, Jordan & Ormond, Dustin (2015). Warning! A Comprehensive Model of the Effects of Digital Information Security Warning Messages. 2015 Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.11/WG11.13, Delaware, USA.
- Silic, Mario; Back, Andrea & Silic, Dario (2015). Taxonomy of technological risks of open source software in the enterprise adoption context. Information & Computer Security, 23(5), 570-583. ISSN 2056-4961.
- Silic, Mario & Back, Andrea (2016). The Influence of Risk Factors in Decision-Making Process for Open Source Software Adoption. International Journal of Information Technology and Decision Making, 15(1), 151-185. ISSN 0219-6220.
- Silic, Mario & Back, Andrea (2016). The dark side of social networking sites: Understanding phishing risks. Computers in Human Behavior, 60, 35-43. ISSN 0747-5632.
HSG Profile Area: SoM - Business Innovation
Keywords: Shadow IT, software, organisational IT, shadow systems, information security, neutralization theory, employee compliance
Methods: Structural Equation Modelling, Surveys
Funders: HSG – Grundlagenforschungsfonds (GFF)
Id: 239365
Project Range: School
Project Status: completed
Subjects: other research area
Topics: IT Security Compliance, Neutralization Theory, Employee Compliance, Shadow IT
Project Type: fundamental research project