Article: Organizational violations of externally governed privacy and security rules: Explaining and predicting selective violations under conditions of strain and excess

Title: Organizational violations of externally governed privacy and security rules: Explaining and predicting selective violations under conditions of strain and excess
Authors: Wall, Jeffrey D.; Lowry, Paul Benjamin; Barlow, Jordan B.
Keywords:
Policy violations
PCI DSS
Organizational security
Organizational privacy
Selective organizational rule violations model (SORVM)
HIPAA
Theory building
SOIPSVM
Information abuse
Selective organizational information privacy and security violations model (SOIPSVM)
Security
Rule violations
Privacy
Issue Date: 2016
Citation: Journal of the Association of Information Systems, 2016, v. 17, n. 1, p. 39-76
Abstract: © 2016 by the Association for Information Systems. Privacy and security concerns are pervasive because of the ease of access to information. Recurrent negative cases in the popular press attest to the failure of current privacy regulations to keep consumer and protected health information sufficiently secure in today’s climate of increased IT use. One reason for such failure is that organizations violate these regulations for multiple reasons. To address this issue, we propose a theoretical model to explain the likelihood that organizations will select an externally governed privacy or security rule for violation in response to organizational strain or slack resources. Our proposed theoretical model, the selective organizational information privacy and security violations model (SOIPSVM), explains how organizational structures and processes, along with characteristics of regulatory rules, alter perceptions of risk when an organization’s performance does not match its aspiration levels and, thereby, affects the likelihood of rule violations. Importantly, we contextualize SOIPSVM to organizational privacy and security violations. SOIPSVM builds on and extends the selective organizational rule violations model (SORVM), which posits that organizational rule violations are selective. SOIPSVM provides at least four contributions to the privacy and security literature that can further guide empirical research and practice. First, SOIPSVM introduces the concept of selectivity in rule violations to privacy and security research. This concept can improve privacy and security research by showing that organizational violations of privacy and security rules are dynamic and selective yet influenced by external forces. Second, SOIPSVM extends the boundaries of SORVM, which is limited to explaining the behavior of organizations under strain, such as economic hardship. We contribute to the theory of selective deviance by proposing that selectivity extends to organizations with slack resources. Third, we address ideas of non-economic risk and strain in addition to economic risk and strain. Thus, SOIPSVM explains organizational rule-violating behavior as an attempt to protect core organizational values from external entities that pressure organizations to change their values to comply with rules. Fourth, we broaden the theoretical scope of two important constructs (namely, structural secrecy and procedural emphasis) to improve the model’s explanatory power. Fifth, we identify important elements of rule enforcement by drawing from the tenets of general deterrence theory. We also discuss how one can study constructs from general deterrence theory at the organizational level. To conclude, we offer recommendations for the structuring of organizations and external regulations to decrease organizational rule violations, which often lead to the abuse of consumer information.
Persistent Identifier: http://hdl.handle.net/10722/233867
ISSN: 1536-9323
2015 Impact Factor: 1.79
2015 SCImago Journal Rankings: 1.786

 

| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | Wall, Jeffrey D. | - |
| dc.contributor.author | Lowry, Paul Benjamin | - |
| dc.contributor.author | Barlow, Jordan B. | - |
| dc.date.accessioned | 2016-09-27T07:21:51Z | - |
| dc.date.available | 2016-09-27T07:21:51Z | - |
| dc.date.issued | 2016 | - |
| dc.identifier.citation | Journal of the Association of Information Systems, 2016, v. 17, n. 1, p. 39-76 | - |
| dc.identifier.issn | 1536-9323 | - |
| dc.identifier.uri | http://hdl.handle.net/10722/233867 | - |
| dc.language | eng | - |
| dc.relation.ispartof | Journal of the Association of Information Systems | - |
| dc.subject | Policy violations | - |
| dc.subject | PCI DSS | - |
| dc.subject | Organizational security | - |
| dc.subject | Organizational privacy | - |
| dc.subject | Selective organizational rule violations model (SORVM) | - |
| dc.subject | HIPAA | - |
| dc.subject | Theory building | - |
| dc.subject | SOIPSVM | - |
| dc.subject | Information abuse | - |
| dc.subject | Selective organizational information privacy and security violations model (SOIPSVM) | - |
| dc.subject | Security | - |
| dc.subject | Rule violations | - |
| dc.subject | Privacy | - |
| dc.title | Organizational violations of externally governed privacy and security rules: Explaining and predicting selective violations under conditions of strain and excess | - |
| dc.type | Article | - |
| dc.description.nature | Link_to_subscribed_fulltext | - |
| dc.identifier.scopus | eid_2-s2.0-84956972597 | - |
| dc.identifier.volume | 17 | - |
| dc.identifier.issue | 1 | - |
| dc.identifier.spage | 39 | - |
| dc.identifier.epage | 76 | - |
| dc.identifier.eissn | 1558-3457 | - |