Advanced

Escalation of commitment as an antecedent to noncompliance with information security policy

Kajtazi, Miranda LU ; Cavusoglu, Hasan ; Benbasat, Izak and Haftor, Darek (2018) In Information and Computer Security 26(2). p.171-193
Abstract

Purpose: This study aims to identify antecedents to noncompliance behavior influenced by decision contexts where investments in time, effort and resources are devoted to a task – referred to as a task unlikely to be completed without violating the organization’s information security policy (ISP). Design/methodology/approach: An empirical test of the suggested relationships in the proposed model was conducted through a field study using the survey method for data collection. Pre-tests, pre-study, main study and a follow-up study compose the frame of our methodology where more than 500 respondents are involved across different organizations. Findings: The results confirm that the antecedents that explain the escalation of commitment... (More)

Purpose: This study aims to identify antecedents to noncompliance behavior influenced by decision contexts where investments in time, effort and resources are devoted to a task – referred to as a task unlikely to be completed without violating the organization’s information security policy (ISP). Design/methodology/approach: An empirical test of the suggested relationships in the proposed model was conducted through a field study using the survey method for data collection. Pre-tests, pre-study, main study and a follow-up study compose the frame of our methodology where more than 500 respondents are involved across different organizations. Findings: The results confirm that the antecedents that explain the escalation of commitment behavior in terms of the effect of lost assets, such as time, effort and other resources, give us a new lens to understand noncompliance behavior; employees seem to escalate their commitments to the completion of their tasks at the expense of becoming noncompliant with ISP. Research limitations/implications: One of the key areas that requires further attention from this study is to better understand the role of risk perceptions on employee behavior when dealing with value conflicts. Depending on how risk-averse or risk seeking an employee is, the model showed no significant support in either case to influence their noncompliance behavior. The authors therefore argue that employees' noncompliance may be influenced by more powerful beliefs, such as self-justification and sunk costs. Practical implications: The results show that when employees are caught in tasks undergoing difficulties, they are more likely to increase noncompliance behavior. By understanding better how project obstacles result in such tasks, security managers can define new mechanisms to counter employees’ shift from compliance to noncompliance. Social implications: Apart from encouraging compliance with enforcement mechanisms (using direct behavioral controls like sanctions or rewards), indirect behavior controls may also encourage compliance. The authors suggest that the ISPs should state that the organization would take positive actions toward task completion and help their employees to resolve their problems quickly. Originality/value: This study is the first to tackle escalation of commitment theories and use antecedents that explain the effect of lost assets, such as time, effort and other resources can also explain noncompliance with ISP in terms of the value conflicts, where employees would often choose to forego compliance at the expense of finishing their tasks.

(Less)
Please use this url to cite or link to this publication:
author
organization
publishing date
type
Contribution to journal
publication status
published
subject
keywords
Approach avoidance theory, Employee’s noncompliance behaviour, Escalation of commitment behaviour, Information security policy, Prospect theory, Self-justification theory
in
Information and Computer Security
volume
26
issue
2
pages
23 pages
publisher
Emerald Group Publishing Limited
external identifiers
  • scopus:85049889835
ISSN
2056-4961
DOI
10.1108/ICS-09-2017-0066
language
English
LU publication?
yes
id
89cb1339-0973-450f-a073-294215262601
date added to LUP
2018-08-02 13:35:37
date last changed
2020-06-24 05:12:29
@article{89cb1339-0973-450f-a073-294215262601,
  abstract     = {<p>Purpose: This study aims to identify antecedents to noncompliance behavior influenced by decision contexts where investments in time, effort and resources are devoted to a task – referred to as a task unlikely to be completed without violating the organization’s information security policy (ISP). Design/methodology/approach: An empirical test of the suggested relationships in the proposed model was conducted through a field study using the survey method for data collection. Pre-tests, pre-study, main study and a follow-up study compose the frame of our methodology where more than 500 respondents are involved across different organizations. Findings: The results confirm that the antecedents that explain the escalation of commitment behavior in terms of the effect of lost assets, such as time, effort and other resources, give us a new lens to understand noncompliance behavior; employees seem to escalate their commitments to the completion of their tasks at the expense of becoming noncompliant with ISP. Research limitations/implications: One of the key areas that requires further attention from this study is to better understand the role of risk perceptions on employee behavior when dealing with value conflicts. Depending on how risk-averse or risk seeking an employee is, the model showed no significant support in either case to influence their noncompliance behavior. The authors therefore argue that employees' noncompliance may be influenced by more powerful beliefs, such as self-justification and sunk costs. Practical implications: The results show that when employees are caught in tasks undergoing difficulties, they are more likely to increase noncompliance behavior. By understanding better how project obstacles result in such tasks, security managers can define new mechanisms to counter employees’ shift from compliance to noncompliance. Social implications: Apart from encouraging compliance with enforcement mechanisms (using direct behavioral controls like sanctions or rewards), indirect behavior controls may also encourage compliance. The authors suggest that the ISPs should state that the organization would take positive actions toward task completion and help their employees to resolve their problems quickly. Originality/value: This study is the first to tackle escalation of commitment theories and use antecedents that explain the effect of lost assets, such as time, effort and other resources can also explain noncompliance with ISP in terms of the value conflicts, where employees would often choose to forego compliance at the expense of finishing their tasks.</p>},
  author       = {Kajtazi, Miranda and Cavusoglu, Hasan and Benbasat, Izak and Haftor, Darek},
  issn         = {2056-4961},
  language     = {eng},
  month        = {06},
  number       = {2},
  pages        = {171--193},
  publisher    = {Emerald Group Publishing Limited},
  series       = {Information and Computer Security},
  title        = {Escalation of commitment as an antecedent to noncompliance with information security policy},
  url          = {http://dx.doi.org/10.1108/ICS-09-2017-0066},
  doi          = {10.1108/ICS-09-2017-0066},
  volume       = {26},
  year         = {2018},
}