An exploratory examination of organizational insiders’ descriptive and normative perceptions of cyber-relevant rights and responsibilities

Bibliographic Details
Published in: Computers & Security, 2020-12, Vol. 99, p. 102038, Article 102038
Main Authors: Posey, Clay; Folger, Robert
Format: Article
Language: English
Description
Summary: Within the field of organizational cybersecurity, much attention has been given to insider compliance and non-compliance with the information security policies (ISPs) set forth by their organizations. Most of these efforts apply theoretical foundations based on self-interest, personal incentive, and cost-benefit calculations to explain compliance and non-compliance motives. We take a different approach to understanding insiders’ ISP compliance by exploring how insiders view their rights and responsibilities related to security-relevant behaviors. Relying on Deonance Theory, we assess the extent to which insiders categorize a wide variety of behaviors that are or can be implemented in corporate ISPs according to several deontic conditional operators (e.g., nature of perceived requiredness). These operators form the basis for a rights and responsibility framework. We find that out of 38 unique security-relevant behaviors, 22 exhibit one or more forms of potential moral “gray area” patterns. Among these patterns, significant differences between insiders’ descriptive (i.e., “is”) and normative (i.e., “should be”) assessments of rights and responsibilities perceptions are particularly interesting. Our findings shed additional light on insiders’ compliance with organizational ISPs when those ISPs place increased restrictions on what the insider must or must not do.
ISSN: 0167-4048 (print), 1872-6208 (online)
DOI: 10.1016/j.cose.2020.102038