File Download
  Links for fulltext
     (May Require Subscription)
Supplementary

postgraduate thesis: Information security deviant behavior: its typology, measures, and causes

TitleInformation security deviant behavior: its typology, measures, and causes
Authors
Issue Date2012
PublisherThe University of Hong Kong (Pokfulam, Hong Kong)
Citation
Chu, M. [朱文英]. (2012). Information security deviant behavior : its typology, measures, and causes. (Thesis). University of Hong Kong, Pokfulam, Hong Kong SAR. Retrieved from http://dx.doi.org/10.5353/th_b4807961
AbstractAlthough information security is important to all organizations, little behavioral research has been carried out in this area. Particularly lacking is research on negative forms of behavior involved in information security. The aim of this thesis is to fill this research gap by conducting three related studies on information security deviant behavior (ISDB), which refers to the voluntary behavior of employees within organizations that differs markedly from the information security norms of the organizations and that is normally considered by other employees to be wrong. Prior research work on this topic is insufficient, and the information security deviance concept remains unclear. This thesis explores the topic by considering three fundamental research questions: 1) What is ISDB? 2) How can ISDB be measured? 3) Why do employees commit ISDB? Study I addresses the first question—“What is ISDB?”—by identifying and organizing ISDB using a typology. A four-step method, comprising content analysis, multidimensional scaling, expert judgmental analysis, and empirical testing, is proposed for the development of typologies, which can fulfill the criteria for being a theory. The findings of this study suggest that ISDB can be organized into four ideal types that are interrelated along two dimensions—severity and frequency. Four constructs are identified from this typology. They are resource misuse (“high frequency, high severity” deviance), security carelessness (“high frequency, low severity” deviance), access control deviance (“low frequency, low severity” deviance), and system protection deviance (“low frequency, high severity” deviance). Study I not only develops an organized and theoretical framework for systematic research on ISDB and constitutes a critical starting point for the development of measures of the behavior, but also makes an important theoretical contribution by demonstrating the development of a typology, which is a unique form of theory building for an underdeveloped topic. Study II focuses on the second research question—“How can ISDB be measured?”—by developing valid and reliable scales to measure ISDB. My target is to develop scales to measure commonly found types of ISDB using an empirical method. Accordingly, the two “low frequency” types of deviance, access control and system protection deviance, are omitted from consideration. A rigorous measurement development process which includes three surveys and a number of tests is adopted. A four-item scale of resource misuse and a three-item scale of security carelessness are developed. The development of these two scales makes an important contribution to future ISDB research by providing a means to measure two types of information security deviance, thus facilitating the empirical study of ISDB. Study III is aimed at answering the third research question—“Why do employees commit ISDB?”—through construction of a causal model. Rather than consider “intention” as existing behavioral research on information security commonly does, Study III investigates actual behavior and employs resource misuse (“high frequency, high severity” deviance) as the dependent variable. Data from a Web-based survey are analyzed using the partial least squares approach. Considering the dual-process approach in the theory of planned behavior, the findings suggest that resource misuse may be both an intentional type of behavior and an unreasoned action. Perceived behavioral control influences employees’ resource misuse actions via their desires or intentions, whereas attitude toward resource misuse affects these actions via employees’ desires alone. Subjective norm is found not to affect employees’ resource misuse via either desires or intentions. In terms of the theoretical contributions, Study III takes steps to consider information security deviance by incorporating the dual-process approach and the theory of planned behavior. In terms of managerial significance, the results of Study III can help managers to better understand why employees commit resource misuse. In conclusion, this thesis provides a number of significant insights into ISDB and useful guidelines for further research on the topic. In addition, the findings of the three studies can help managers to develop better company strategies and policies to reduce internal security threats.
DegreeDoctor of Philosophy
SubjectComputer security.
Deviant behavior.
Dept/ProgramBusiness

 

DC FieldValueLanguage
dc.contributor.authorChu, Man-ying.-
dc.contributor.author朱文英.-
dc.date.issued2012-
dc.identifier.citationChu, M. [朱文英]. (2012). Information security deviant behavior : its typology, measures, and causes. (Thesis). University of Hong Kong, Pokfulam, Hong Kong SAR. Retrieved from http://dx.doi.org/10.5353/th_b4807961-
dc.description.abstractAlthough information security is important to all organizations, little behavioral research has been carried out in this area. Particularly lacking is research on negative forms of behavior involved in information security. The aim of this thesis is to fill this research gap by conducting three related studies on information security deviant behavior (ISDB), which refers to the voluntary behavior of employees within organizations that differs markedly from the information security norms of the organizations and that is normally considered by other employees to be wrong. Prior research work on this topic is insufficient, and the information security deviance concept remains unclear. This thesis explores the topic by considering three fundamental research questions: 1) What is ISDB? 2) How can ISDB be measured? 3) Why do employees commit ISDB? Study I addresses the first question—“What is ISDB?”—by identifying and organizing ISDB using a typology. A four-step method, comprising content analysis, multidimensional scaling, expert judgmental analysis, and empirical testing, is proposed for the development of typologies, which can fulfill the criteria for being a theory. The findings of this study suggest that ISDB can be organized into four ideal types that are interrelated along two dimensions—severity and frequency. Four constructs are identified from this typology. They are resource misuse (“high frequency, high severity” deviance), security carelessness (“high frequency, low severity” deviance), access control deviance (“low frequency, low severity” deviance), and system protection deviance (“low frequency, high severity” deviance). Study I not only develops an organized and theoretical framework for systematic research on ISDB and constitutes a critical starting point for the development of measures of the behavior, but also makes an important theoretical contribution by demonstrating the development of a typology, which is a unique form of theory building for an underdeveloped topic. Study II focuses on the second research question—“How can ISDB be measured?”—by developing valid and reliable scales to measure ISDB. My target is to develop scales to measure commonly found types of ISDB using an empirical method. Accordingly, the two “low frequency” types of deviance, access control and system protection deviance, are omitted from consideration. A rigorous measurement development process which includes three surveys and a number of tests is adopted. A four-item scale of resource misuse and a three-item scale of security carelessness are developed. The development of these two scales makes an important contribution to future ISDB research by providing a means to measure two types of information security deviance, thus facilitating the empirical study of ISDB. Study III is aimed at answering the third research question—“Why do employees commit ISDB?”—through construction of a causal model. Rather than consider “intention” as existing behavioral research on information security commonly does, Study III investigates actual behavior and employs resource misuse (“high frequency, high severity” deviance) as the dependent variable. Data from a Web-based survey are analyzed using the partial least squares approach. Considering the dual-process approach in the theory of planned behavior, the findings suggest that resource misuse may be both an intentional type of behavior and an unreasoned action. Perceived behavioral control influences employees’ resource misuse actions via their desires or intentions, whereas attitude toward resource misuse affects these actions via employees’ desires alone. Subjective norm is found not to affect employees’ resource misuse via either desires or intentions. In terms of the theoretical contributions, Study III takes steps to consider information security deviance by incorporating the dual-process approach and the theory of planned behavior. In terms of managerial significance, the results of Study III can help managers to better understand why employees commit resource misuse. In conclusion, this thesis provides a number of significant insights into ISDB and useful guidelines for further research on the topic. In addition, the findings of the three studies can help managers to develop better company strategies and policies to reduce internal security threats.-
dc.languageeng-
dc.publisherThe University of Hong Kong (Pokfulam, Hong Kong)-
dc.relation.ispartofHKU Theses Online (HKUTO)-
dc.rightsThe author retains all proprietary rights, (such as patent rights) and the right to use in future works.-
dc.rightsCreative Commons: Attribution 3.0 Hong Kong License-
dc.source.urihttp://hub.hku.hk/bib/B48079613-
dc.subject.lcshComputer security.-
dc.subject.lcshDeviant behavior.-
dc.titleInformation security deviant behavior: its typology, measures, and causes-
dc.typePG_Thesis-
dc.identifier.hkulb4807961-
dc.description.thesisnameDoctor of Philosophy-
dc.description.thesislevelDoctoral-
dc.description.thesisdisciplineBusiness-
dc.description.naturepublished_or_final_version-
dc.identifier.doi10.5353/th_b4807961-
dc.date.hkucongregation2012-

Export via OAI-PMH Interface in XML Formats


OR


Export to Other Non-XML Formats