Don't make excuses! 2012-09-22 ifip presentation
Framing IT Security Training to Reduce Policy Violation
Don’t Make Excuses!
Jordan Barlow, Merrill Warkentin, Dustin Ormond, Alan Dennis
September 22, 2012
Background
• IT security policy violations remain pervasive
• SETA focused on awareness and consequences
• People still justify bad behavior
• Perhaps SETA should be framed to focus more on justification behaviors!
Research Question
Does proper framing during IT security training decrease employee intentions to violate security policy?
Neutralization and deterrence
• Deterrence and neutralization theories
• Three types of neutralization for this study
– “Defense of necessity”
– “Denial of injury”
– “Metaphor of the ledger”
Hypotheses
• H1a. Use of the “defense of necessity” neutralization technique is positively associated with intentions to violate IT security policies.
• H1b. Use of the “denial of injury” neutralization technique is positively associated with intentions to violate IT security policies.
• H1c. Use of the “metaphor of the ledger” neutralization technique is positively associated with intentions to violate IT security policies.
Training on deterrence
• Typical SETA programs focus on deterrence
– I.e., “This is the policy; this is the punishment.”
– Presenting negative consequences is persuasive
• “A major reason for initiating this training…is to convince potential abusers that the company is serious about security and will not take intentional breaches of this security lightly.” (Straub & Welke 1998)
Training not to neutralize
• Neutralization is a more powerful predictor of IT security violations than presence of sanctions (Siponen and Vance 2010)
• Because neutralization is powerful in changing employee intentions, training should combat this tendency.
• Example for training materials: “Some people may be tempted to rationalize reasons to violate the policy. Justification is not okay because...”
Hypotheses
• H1a/b/c. The use of neutralization techniques is positively associated with intentions to violate IT security policies.
• H2. Employees receiving training focused on addressing neutralization techniques are less likely to form intentions to violate IT security policies than employees receiving training focused on deterrent sanctions.
Framing effects
• Framing can have a powerful effect on individual attitudes and behavior
• Research on framing theory includes three types of framing – we focus on ‘goal framing’
• Explaining negative consequences is more persuasive than explaining positive benefits
• Example
Hypotheses
• H1a/b/c. The use of neutralization techniques is positively associated with intentions to violate IT security policies.
• H2. Employees receiving training focused on addressing neutralization techniques are less likely to form intentions to violate IT security policies than employees receiving training focused on deterrent sanctions.
• H3. Employees receiving training that is negatively framed (i.e., consequence-based) are less likely to form intentions to violate IT security policies than employees receiving training that is positively framed (i.e., benefits-based).
Methodology
• Design: Factorial survey method
• Participants: Qualtrics panel respondents
– Experience using computers at workplaces with policies
• Task: Respond to 4 scenarios each
Scenarios / Treatments
• Introduction
• 1 of 3 training focus treatments
• 1 of 3 framing treatments
• Situation where employee considers violation
• 1 of 4 neutralization treatments
• Statement of violation
(see handout for details)
Procedures
• Random set of 4 (out of 36 possible) scenarios
• Manipulation check questions
– One each for focus, framing, neutralization
• Realism check
• Attention check
Usable Responses
• Total individuals completing survey: 90
• 90 x 4 scenarios each = 360
• 360 - 103 with incorrect responses to manipulation check or attention questions = 257
Results
Results of Repeated-Measures Logistic Regression

Parameter                 Estimate   Std. Error   Z       p
(Intercept)               -1.095     1.305        -0.84   0.401
Defense of Necessity       1.026     0.360         2.85   0.004
Denial of Injury           0.433     0.315         1.38   0.168
Metaphor of the Ledger    -0.295     0.351        -0.84   0.400
Focus: Neutralization*    -0.908     0.248        -3.66   <0.001
Focus: Deterrence*        -0.777     0.246        -3.16   0.002
Framing: Negative         -0.140     0.226        -0.62   0.536
Framing: Positive         -0.300     0.282        -1.06   0.288

Statistically significant parameters shown in blue on the original slide (p < 0.01): Defense of Necessity, Focus: Neutralization, Focus: Deterrence.
*Follow-up contrast between the two focus treatments: χ2 = 0.41, p = 0.521
Summary of hypotheses (n = 257)

H1a. Defense of necessity → Intentions to violate: Supported* (*p = 0.004)
H1b. Denial of injury → Intentions to violate: Not supported
H1c. Metaphor of the ledger → Intentions to violate: Not supported
H2. Intentions to violate after neutralization training < intentions to violate after deterrence training: Not supported
H3. Intentions to violate after negative training < intentions to violate after positive training: Not supported
Interpretation
• H1: Neutralization techniques
– Not all equal
– Training based on specific techniques
• H2: Training focus
– Deterrence and neutralization both effective
• H3: Positive or negative framing
– No difference
Conclusion
• Neutralization affects intentions to violate IT security policies.
• Focusing training on neutralization is just as powerful as focusing on deterrence for reducing these intentions.
• More research is needed on how to tailor training to combat specific types of neutralization.
Your turn to talk
How can we improve the theory and methods for our next round of data collection?
Demographic Information
Gender
  Female 51 (56.7%)
  Male 39 (43.3%)
Age
  18-29 21 (23.3%)
  30-39 25 (27.8%)
  40-49 20 (22.2%)
  50-59 16 (17.8%)
  60+ 8 (8.9%)
Years of Work Experience
  0-4 6 (6.7%)
  5-9 22 (24.4%)
  10-19 19 (21.1%)
  20+ 43 (47.8%)
Level of Education Completed
  Some high school 1 (1.3%)
  High school 20 (22.2%)
  Undergraduate degree 43 (47.8%)
  Graduate degree 26 (28.9%)
Items: Filter questions
• Have you held a job in a workplace that had guidelines, work rules, or policies for employees?
– Yes/No
• Have you held a job in which you used a computer for your work?
– Yes/No
Items: Manipulation Checks
In this scenario, the training material clearly states that:
a. employees should never rationalize sharing passwords.
b. employees will be reprimanded for sharing passwords.
c. The training material does not specify either of the above statements.
According to this scenario, the company motivates its employees to comply in the training material by:
a. stressing the consequences of sharing passwords.
b. encouraging employee support to ensure safety and security of the company.
c. The training material does not use either of the above techniques.
How does Sam justify sharing his password in this scenario?
a. The scenario does not state that he justifies his behavior.
b. He believes that no harm will result from sharing his password.
c. He believes that sharing his password is necessary for the success of his department.
d. He believes that because he has been a good employee for many years he can share his password.
Items: DV, Realism, Attention
• 5-point Likert from SD to SA
• Intention to violate (3 items)
– In this situation, I would do the same as [Sam].
– If I were [Sam], I would have also shared my password.
– I think I would do what [Sam] did if this happened to me.
• Realism (1 item)
– I could imagine a similar scenario taking place at work.
• Attention (1 item)
– Please select [SD/D/A/SA] for this question.
Choice of statistical technique
• Rossi and Anderson (1982) suggest OLS regression, but note any multivariate technique will work
• OLS regression assumptions not met
– Normality
– Independence of errors
• DV categorized into those with some intentions (avg DV score > 3) and those with no intentions (avg DV score <= 3)
Results
Control variables

Parameter          Estimate   Std. Error   Z       p
Order*              0.655     0.222         2.95   0.003
Realism             0.111     0.231         0.48   0.630
Gender             -0.144     0.435        -0.33   0.741
Age                -0.237     0.295        -0.80   0.422
Work Experience     0.087     0.405         0.21   0.831
Education           0.541     0.321         1.69   0.092

*Only order was significant: people had higher intentions on the first scenario than on later ones.
References
• Rossi, P. H., and Anderson, A. B. 1982. "The factorial survey approach: An introduction," in: Measuring Social Judgments: The Factorial Survey Approach, P.H. Rossi and S.L. Nock (eds.), Sage, Beverly Hills, CA, USA, pp. 15-67.
• Siponen, M., and Vance, A. 2010. "Neutralization: New insights into the problem of employee information systems security policy violations," MIS Quarterly (34:3), pp. 487-502.
• Straub, D. W., and Welke, R. J. 1998. "Coping with systems risk: Security planning models for management decision making," MIS Quarterly (22:4), pp. 441-469.
• Warkentin, M., Johnston, A. C., and Shropshire, J. 2011. "The influence of the informal social learning environment on information privacy policy compliance efficacy and intention," European Journal of Information Systems (20:3), pp. 267-284.
• Willison, R., and Warkentin, M. 2012. "Beyond deterrence: An expanded view of employee computer abuse," MIS Quarterly (forthcoming).