An Empirical Study of Employee’s Deviant Behavior for Improving Efficiency of Information Security Governance

Hye Jung Kim, Joong Ho Ahn


For the continuous information security governance, we have to focus on not just technical aspects like access control and DRM, but informal level management like information security(IS) behavior, culture, and personal value. But there are few informal level studies, while many formal level studies of IS governance or technical means. This study is an empirical test that how IS culture, normal beliefs, personal behavior and value affect employee’s deviant behavior. And we define a lack of an awareness of value and importance on IS regulations in organizations as “Information Security Anomie” with the concept of anomie, a viewpoint on social organization.

Full Text:



Anderson, C., “Creating conscientious cybercitizen : An examination of home computer user attitudes and intentions towards security,” Conference on Information Systems Technology(CIST)/ INFORMS, San Francisco, California. 2005.

Ardichvili, A., Page, V., and Wentling, T., “Motivation and barriers to participation in virtual knowledge-sharing communities of practice,” Journal of Knowledge Management, Vol. 7, No. 1, pp. 64-77, 2003.

Bagozzi, R. P. and Yi, Y., “On the evaluation of structural equation models,” Journal of the Academy of Marketing Science, Vol. 16, No. 2, pp. 74-94, 1988.

Campbell, J. P., Dunnette, M. D., Lawler, E. E. III., and Weick, K, Jr., Managerial behavior, performance and effectiveness, McGraw-Hill, New York, 1970.

Campbell, J. P. and Beaty, E. E., Organizational Climate : Its Measurement and Relationship to Work Group Performance. Paper presented at the Annual meeting of the American Psychological Association, Washington D. C., 1971.

Chan, M., Woon, I., and Kankanhalli, A., “Perceptions of information security at the workplace : Linking information security climate to Compliant Behavior,” Journal of Information Privacy and Security, Vol. 1, No. 3, pp. 18-41, 2005.

Chin, W. W., “Issues and opinion on structural equation modeling,” MIS Quarterly, Vol. 22, No. 1, pp. pp.vii-xvi, 1998.

Chin, W. W., Marcolin, B. L., and Newsted, P. R., “A partial least squares latent variable modeling approach for measuring interaction effects : Results from a monte carlo simulation study and voice mail emotion/adoption study,” Paper presented at the Proceedings of the Seventeenth International Conference on Information Systems, Cleveland, Ohio, 1996.

Cialdini, R. B., Reno, R. R., and Kallgren, C. A., “A focus theory of normative conduct : Recycling the concept of norms to reduce littering in public places,” Journal of Personality and Social Psychology, Vol. 58, No. 6, pp. 1015-1026, 1990.

Cloward, R. A., “Illegitimate means, anomie, and deviant behavior,” Americal Sociological Review, Vol. 24, No. 2, pp. 164-176, 1959.

Cohen, J., Statistical power analysis for the behavioral sciences (2nd ed.). Hillsdale, NJ : Lawrence Erlbaum, 1988.

Cotterman, W. and Senn, J., Challenges and strategies for research in information systems development, John Wiley & Sons, 1992.

Culnan, M., Bentley survey on consumers and internet security : Summary of findings,, 2004.

Dhillon, G. and Backhouse, J., “Current directions in IS security research : Towards socio-organizational perspectives,” Information Systems Journal, Vol. 11, No.

, pp. 127-153, 2001.

Dinev, T., Goo, J., Hu, Q., Nam, K., “User behavior toward preventive technologies cultural differences between the United States and South Korea,” ECIS 2006 Proceedings. Paper 9., 2006.

Durbin, R., “Deviant behavior and social structure : Continuities in social theory,” American Sociological Review, Vol. 24, No. 2, pp. 147-164, 1959.

Fornell, C. and Larcker, D. F., “Evaluating structural equation models with unobservable variables and measurement error,” Journal of Marketing Research, Vol. 18, No. 1, pp. 39-50, 1981.

Gordineer, J., “Blended threats : A new era in anti-virus protection,” Information Systems Security, Vol. 12, No. 3, pp. 45-47, 2003.

Hayes, B. E., Perander, J., Smecko, T., and Trask, J., “Measuring perceptions of workplace safety : Development and validation of work safety scale,” Journal of Safety Research Vol. 29, No. 3, pp. 145-161, 1998.

Herath, T. and Rao H. R, “Encouraging information security behaviors in organizations : Role of penalties, pressures and perceived effectiveness,” Decision Support Systems, Vol. 47, pp. 154-165, 2009.

Kankanhalli, A., Teo, H. –H., Tan, B. C. Y., and Wei, K. -K., “An integrative study of information systems security effectiveness,” International Journal of Information Management, Vol. 23, No. 2, pp. 139-154, 2003.

Kreps, D. M., “The interaction between norms and economic incentives,” AEA Papers and Proceedings, 1997.

Lee, S. J., Yoo, W. J., Jung, D. W., and Lee, D. M., “The effects of entrepreneurship and leadership of small and medium companies on organizational effectiveness : Focusing on the effect of Anomie,” Journal of the Korea Management Engineers Society, Vol. 15, No. 2. pp. 159-176, 2010.

McCoy, B., Stephens, G., and Stevens K. J., “An investigation of the impact of corporate culture on employee information systems security behavior,” ACIS Proceedings, 2009.

Merton, R. K., “Social conformity, deviation, and opportunity structure : A comment on the contributions of Durbin and Cloward,” American Sociological Review, Vol. 24, No. 2, pp. 177-189, 1959.

Mishra, S. and Dhillon, G., “Information systems security governance research : A behavioral perspective,” 1st Annual Symposium on Information Assurance, Academic Track of 9th Annual NYS Cyber Security Conference, New York, USA, 2007.

Neal, A. and Griffin, M. A., “Perceptions of safety at work : Developing a model to link organizational safety climate and individual behavior,” Paper presented to the 12th Annual Conference of the Society for Industrial and Organizational Psychology, St. Louis, MO, 1997.

Park, J. K., Kim, B. S., and Cho, S. W., “Primary factors affecting corporate employees’ attitudes toward Information Security,” Korean Management Review, Vol. 40, No. 4, pp. 955-985, 2011.

Post, G. V. and Kagan, A., “Evaluating information security tradeoffs : Restructuring access can interfere with user tasks,” Computers and Security, Vol. 26, No. 3, pp. 229-237, 2007.

Schnake, M. E., “An Empirical assessment of the effects of affective response in the measurement of organizational climate,” Personnel Psychology, Vol. 36, No. 4, pp. 791-804, 1983.

Schneider, E. K., The Hadley circulation of the Earth’s atmosphere. Ph.D thesis, Harvard University, 1975.

Sheeran, P. and Orbell, S., “Augmenting the theory of planned behavior : Roles for anticipated regret and descriptive norms,” Journal of Applied Social Pshchology, Vol. 29, No. 10, pp. 2107-2142, 1999.

Susan Kusmaski and Thomas Kusmaski, Values-Based Leadership, Hakjisa, 2000.

Sutinen, J. G. and Kuperan, K., “A socioeconomic theory of regulatory compliance,” International Journal of Social Economics, Vol. 26, No. 1/2/3, pp. 174-193, 1999.

Tenenhaus, M., Vinzi, V. E., Chatelin, Y.-M., and Lauro, C., “PLS path modeling,” Computational Statistics and Data Analysis, Vol. 48, No. 1, pp. 159-205, 2005.

Thompson, R. L., Higgins, C. A., and Howell, J. M., “Influence of experience on personal computer utilization,” Journal of Management Information Systems, Vol. 11, No. 1, pp. 167-187, 1994.

Van de Ven, Andrew H., Ferry, D. L., Measuring and assessing organizations. NY : John Wiley, 1980.

Venkatesh, V. and Brown, S., “A longitudinal investigation of personal computers in homes : Adoption determinants and emerging challenges,” MIS Quarterly, Vol. 25, No. 1, pp. 71-102, 2001.

Venkatesh, V., Morris, M. G., Davis, G. B., and Davis, F. D., “User acceptance of information technology : Toward a unified view,” MIS Quarterly, Vol. 27, No. 3, pp. 425-478, 2003.

Vroom, C. and von Solms, R., “Towards information security behavioral compliance,” Computers and Security, Vol. 23, No. 3, pp. 191-198, 2004.

Wasko, M. M. and Faraj, S., “It is what one does : Why people participate and help others in electronic communities of practices,” Journal of Strategic Information Systems, Vol. 9, pp. 155-173, 2000


  • There are currently no refbacks.