postgraduate thesis: Information security deviant behavior: its typology, measures, and causes
Title | Information security deviant behavior: its typology, measures, and causes |
---|---|
Authors | Chu, Man-ying (朱文英) |
Issue Date | 2012 |
Publisher | The University of Hong Kong (Pokfulam, Hong Kong) |
Citation | Chu, M. [朱文英]. (2012). Information security deviant behavior : its typology, measures, and causes. (Thesis). University of Hong Kong, Pokfulam, Hong Kong SAR. Retrieved from http://dx.doi.org/10.5353/th_b4807961 |
Abstract | Although information security is important to all organizations, little
behavioral research has been carried out in this area. Particularly lacking is research
on negative forms of behavior involved in information security. The aim of this thesis
is to fill this research gap by conducting three related studies on information security
deviant behavior (ISDB), which refers to the voluntary behavior of employees within
organizations that differs markedly from the information security norms of the
organizations and that is normally considered by other employees to be wrong.
Prior research work on this topic is insufficient, and the information security
deviance concept remains unclear. This thesis explores the topic by considering three
fundamental research questions: 1) What is ISDB? 2) How can ISDB be measured? 3)
Why do employees commit ISDB?
Study I addresses the first question—“What is ISDB?”—by identifying and
organizing ISDB using a typology. A four-step method, comprising content analysis,
multidimensional scaling, expert judgmental analysis, and empirical testing, is
proposed for the development of typologies, which can fulfill the criteria for being a
theory. The findings of this study suggest that ISDB can be organized into four ideal
types that are interrelated along two dimensions—severity and frequency. Four
constructs are identified from this typology. They are resource misuse (“high
frequency, high severity” deviance), security carelessness (“high frequency, low
severity” deviance), access control deviance (“low frequency, low severity” deviance),
and system protection deviance (“low frequency, high severity” deviance). Study I not
only develops an organized and theoretical framework for systematic research on
ISDB and constitutes a critical starting point for the development of measures of the
behavior, but also makes an important theoretical contribution by demonstrating the
development of a typology, which is a unique form of theory building for an
underdeveloped topic.
Study II focuses on the second research question—“How can ISDB be
measured?”—by developing valid and reliable scales to measure ISDB. My target is
to develop scales to measure commonly found types of ISDB using an empirical
method. Accordingly, the two “low frequency” types of deviance, access control and
system protection deviance, are omitted from consideration. A rigorous measurement
development process which includes three surveys and a number of tests is adopted. A
four-item scale of resource misuse and a three-item scale of security carelessness are
developed. The development of these two scales makes an important contribution to
future ISDB research by providing a means to measure two types of information
security deviance, thus facilitating the empirical study of ISDB.
Study III is aimed at answering the third research question—“Why do
employees commit ISDB?”—through construction of a causal model. Rather than
consider “intention” as existing behavioral research on information security
commonly does, Study III investigates actual behavior and employs resource misuse
(“high frequency, high severity” deviance) as the dependent variable. Data from a
Web-based survey are analyzed using the partial least squares approach. Considering
the dual-process approach in the theory of planned behavior, the findings suggest that
resource misuse may be both an intentional type of behavior and an unreasoned action.
Perceived behavioral control influences employees’ resource misuse actions via their
desires or intentions, whereas attitude toward resource misuse affects these actions via
employees’ desires alone. Subjective norm is found not to affect employees’ resource
misuse via either desires or intentions. In terms of the theoretical contributions, Study
III takes steps to consider information security deviance by incorporating the
dual-process approach and the theory of planned behavior. In terms of managerial
significance, the results of Study III can help managers to better understand why
employees commit resource misuse.
In conclusion, this thesis provides a number of significant insights into ISDB
and useful guidelines for further research on the topic. In addition, the findings of the
three studies can help managers to develop better company strategies and policies to
reduce internal security threats. |
Degree | Doctor of Philosophy |
Subject | Computer security. Deviant behavior. |
Dept/Program | Business |
Persistent Identifier | http://hdl.handle.net/10722/183045 |
HKU Library Item ID | b4807961 |
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Chu, Man-ying. | - |
dc.contributor.author | 朱文英. | - |
dc.date.issued | 2012 | - |
dc.identifier.citation | Chu, M. [朱文英]. (2012). Information security deviant behavior : its typology, measures, and causes. (Thesis). University of Hong Kong, Pokfulam, Hong Kong SAR. Retrieved from http://dx.doi.org/10.5353/th_b4807961 | - |
dc.identifier.uri | http://hdl.handle.net/10722/183045 | - |
dc.language | eng | - |
dc.publisher | The University of Hong Kong (Pokfulam, Hong Kong) | - |
dc.relation.ispartof | HKU Theses Online (HKUTO) | - |
dc.rights | The author retains all proprietary rights, (such as patent rights) and the right to use in future works. | - |
dc.rights | This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. | - |
dc.source.uri | http://hub.hku.hk/bib/B48079613 | - |
dc.subject.lcsh | Computer security. | - |
dc.subject.lcsh | Deviant behavior. | - |
dc.title | Information security deviant behavior: its typology, measures, and causes | - |
dc.type | PG_Thesis | - |
dc.identifier.hkul | b4807961 | - |
dc.description.thesisname | Doctor of Philosophy | - |
dc.description.thesislevel | Doctoral | - |
dc.description.thesisdiscipline | Business | - |
dc.description.nature | published_or_final_version | - |
dc.identifier.doi | 10.5353/th_b4807961 | - |
dc.date.hkucongregation | 2012 | - |
dc.identifier.mmsid | 991033635299703414 | - |