Knowledge that Transforms

To make high-quality research more accessible and easier to explore.

Neutralization: New Insights into the Problem of Employee Information Systems Security Policy Violations1

MIS Quarterly 2010 34(3), 487-502
Employees’ failure to comply with information systems security policies is a major concern for information technology security managers. In efforts to understand this problem, IS security researchers have traditionally viewed violations of IS security policies through the lens of deterrence theory. In this article, we show that neutralization theory, a theory prominent in Criminology but not yet applied in the context of IS, provides a compelling explanation for IS security policy violations and offers new insight into how employees rationalize this behavior. In doing so, we propose a theoretical model in which the effects of neutralization techniques are tested alongside those of sanctions described by deterrence theory. Our empirical results highlight neutralization as an important factor to take into account with regard to developing and implementing organizational security policies and practices.

Information Systems and Environmentally Sustainable Development: Energy Informatics and New Directions for the IS Community1

MIS Quarterly 2010 34(1), 23-38
While many corporations and Information Systems units recognize that environmental sustainability is an urgent problem to address, the IS academic community has been slow to acknowledge the problem and take action. We propose ways for the IS community to engage in the development of environmentally sustainable business practices. Specifially, as IS researchers, educators, journal editors, and association leaders, we need to demonstrate how the transformative power of IS can be leveraged to create an ecologically sustainable society. In this Issues and Opinions piece, we advocate a research agenda to establish a new subfield of energy informatics, which applies information systems thinking and skills to increase energy efficiency. We also articulate how IS scholars can incorporate environmental sustainability as an underlying foundation in their teaching, and how IS leaders can embrace environmental sustainability in their core principles and foster changes that reduce the environmental impact of our community.

Improving Employees' Compliance Through Information Systems Security Training: An Action Research Study1

MIS Quarterly 2010 34(4), 757-778
Employee noncompliance with information systems security policies is a key concern for organizations. If users do not comply with IS security policies, security solutions lose their efficacy. Of the different IS security policy compliance approaches, training is the most commonly suggested in the literature. Yet, few of the existing studies about training to promote IS policy compliance utilize theory to explain what learning principles affect user compliance with IS security policies, or offer empirical evidence of their practical effectiveness. Consequently, there is a need for IS security training approaches that are theory-based and empirically evaluated. Accordingly, we propose a training program based on two theories: the universal constructive instructional theory and the elaboration likelihood model. We then validate the training program for IS security policy compliance training through an action research project. The action research intervention suggests that the theory-based training achieved positive results and was practical to deploy. Moreover, the intervention suggests that information security training should utilize contents and methods that activate and motivate the learners to systematic cognitive processing of information they receive during the training. In addition, the action research study made clear that a continuous communication process was also required to improve user IS security policy compliance. The findings of this study offer new insights for scholars and practitioners involved in IS security policy compliance.

Expectation Disconfirmation and Technology Adoption: Polynomial Modeling and Response Surface Analysis1

MIS Quarterly 2010 34(2), 281-303
Individual-level information systems adoption research has recently seen the introduction of expectation–disconfirmation theory (EDT) to explain how and why user reactions change over time. This prior research has produced valuable insights into the phenomenon of technology adoption beyond traditional models, such as the technology acceptance model. First, we identify gaps in EDT research that present potential opportunities for advances—specifically, we discuss methodological and analytical limitations in EDT research in information systems and present polynomial modeling and response surface methodology as solutions. Second, we draw from research on cognitive dissonance, realistic job preview, and prospect theory to present a polynomial model of expectation– disconfirmation in information systems. Finally, we test our model using data gathered over a period of 6 months among 1,143 employees being introduced to a new technology. The results confirmed our hypotheses that disconfirmation in general was bad, as evidenced by low behavioral intention to continue using a system for both positive and negative disconfirmation, thus supporting the need for a polynomial model to understand expectation disconfirmation in information systems.

Information Systems Innovation for Environmental Sustainability1

MIS Quarterly 2010 34(1), 1-22
Human life is dependent upon the natural environment, which, most would agree, is rapidly degrading. Business enterprises are a dominant form of social organization and contribute to the worsening, and enhancement, of the natural environment. Scholars in the administrative sciences examine questions spanning organizations and the natural environment but have largely omitted the information systems perspective. We develop a research agenda on information systems innovation for environmental sustainability that demonstrates the critical role that IS can play in shaping beliefs about the environment, in enabling and transforming sustainable processes and practices in organizations, and in improving environmental and economic performance. The belief–action–outcome (BAO) framework and associated research agenda provide the basis for a new discourse on IS for environmental sustainability.

Are There Neural Gender Differences in Online Trust? An fMRI Study on the Perceived Trustworthiness of eBay Offers1

MIS Quarterly 2010 34(2), 397-428
Research provides increasing evidence that women and men differ in their decisions to trust. However, information systems research does not satisfactorily explain why these gender differences exist. One possible reason is that, surprisingly, theoretical concepts often do not address the most obvious factor that influences human behavior: biology. Given the essential role of biological factors—and specifically those of the brain—in decisions to trust, the biological influences should naturally include those related to gender. As trust considerations in economic decision making have become increasingly complex with the expansion of Internet use, understanding the related biological/brain functions and the involvement of gender provides a range of valuable insights. To show empirically that online trust is associated with activity changes in certain brain areas, we used functional magnetic resonance imaging (fMRI). In a laboratory experiment, we captured the brain activity of 10 female and 10 male participants simultaneous to decisions on trustworthiness of eBay offers. We found that most of the brain areas that encode trustworthiness differ between women and men. Moreover, we found that women activated more brain areas than did men. These results confirm the empathizing– systemizing theory, which predicts gender differences in neural information processing modes. In demonstrating that perceived trustworthiness of Internet offers is affected by neurobiology, our study has major implications for both IS research and management. We confirm the value of a category of research heretofore neglected in IS research and practice, and argue that future IS research investigating human behavior should consider the role of biological factors. In practice, biological factors are a significant consideration for management, marketing, and engineering attempts to influence behavior.

User Participation in Information Systems Security Risk Management1

MIS Quarterly 2010 34(3), 503-522
This paper examines user participation in information systems security risk management and its influence in the context of regulatory compliance via a multi-method study at the organizational level. First, eleven informants across five organizations were interviewed to gain an understanding of the types of activities and security controls in which users participated as part of Sarbanes-Oxley compliance, along with associated outcomes. A research model was developed based on the findings of the qualitative study and extant user participation theories in the systems development literature. Analysis of the data collected in a questionnaire survey of 228 members of ISACA, a professional association specialized in information technology governance, audit, and security, supported the research model. The findings of the two studies converged and indicated that user participation contributed to improved security control performance through greater awareness, greater alignment between IS security risk management and the business environment, and improved control development. While the IS security literature often portrays users as the weak link in security, the current study suggests that users may be an important resource to IS security by providing needed business knowledge that contributes to more effective security measures. User participation is also a means to engage users in protecting sensitive information in their business processes.

What Does the Brain Tell Us About Trust and Distrust? Evidence from a Functional Neuroimaging Study

MIS Quarterly 2010 34(2), 373-396
Determining whom to trust and whom to distrust is a major decision in impersonal IT-enabled exchanges. Despite the potential role of both trust and distrust in impersonal exchanges, the information systems literature has primarily focused on trust, alas paying relatively little attention to distrust. Given the importance of studying both trust and distrust, this study aims to shed light on the nature, dimensionality, distinction, and relationship, and relative effects of trust and distrust on economic outcomes in the context of impersonal IT-enabled exchanges between buyers and sellers in online marketplaces. This study uses functional neuroimaging (fMRI) tools to complement psychometric measures of trust and distrust by observing the location, timing, and level of brain activity that underlies trust and distrust and their underlying dimensions. The neural correlates of trust and distrust are identified when subjects interact with four experimentally manipulated seller profiles that differ on their level of trust and distrust. The results show that trust and distrust activate different brain areas and have different effects, helping explain why trust and distrust are distinct constructs associated with different neurological processes. Implications for the nature, distinction and relationship, dimensionality, and effects of trust and distrust are discussed.

Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness1

MIS Quarterly 2010 34(3), 523-548
Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be great assets in the effort to reduce risk related to information security. Since employees who comply with the information security rules and regulations of the organization are the key to strengthening information security, understanding compliance behavior is crucial for organizations that want to leverage their human capital. This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization’s information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee’s attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee’s attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee’s outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards, while cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee’s attitude toward compliance with the ISP. Our results show that an employee’s intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee’s attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees’ following their organizations’ information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization’s efforts to encourage compliance.

Fear Appeals and Information Security Behaviors: An Empirical Study1

MIS Quarterly 2010 34(3), 549-566
Information technology executives strive to align the actions of end users with the desired security posture of management and of the firm through persuasive communication. In many cases, some element of fear is incorporated within these communications. However, within the context of computer security and information assurance, it is not yet clear how these fear-inducing arguments, known as fear appeals, will ultimately impact the actions of end users. The purpose of this study is to investigate the influence of fear appeals on the compliance of end users with recommendations to enact specific individual computer security actions toward the mitigation of threats. An examination was performed that culminated in the development and testing of a conceptual model representing an infusion of technology adoption and fear appeal theories. Results of the study suggest that fear appeals do impact end user behavioral intentions to comply with recommended individual acts of security, but the impact is not uniform across all end users. It is determined in part by perceptions of self-efficacy, response efficacy, threat severity, and social influence. The findings of this research contribute to information systems security research, human–computer interaction, and organizational communication by revealing a new paradigm in which IT users form perceptions of the technology, not on the basis of performance gains, but on the basis of utility for threat mitigation.