Don't make excuses! 2012-09-22 ifip presentation


Framing IT Security Training to Reduce Policy Violation

Don’t Make Excuses!

Jordan Barlow, Merrill Warkentin, Dustin Ormond, Alan Dennis
September 22, 2012

Background

• IT security policy violations remain pervasive
• SETA focused on awareness and consequences
• People still justify bad behavior

• Perhaps SETA should be framed to focus more on justification behaviors!


Research Question


Does proper framing during IT security training decrease employee intentions to violate security policy?

Neutralization and deterrence

• Deterrence and neutralization theories
• Three types of neutralization for this study
  – “Defense of necessity”
  – “Denial of injury”
  – “Metaphor of the ledger”


Hypotheses

• H1a. Use of the “defense of necessity” neutralization technique is positively associated with intentions to violate IT security policies.

• H1b. Use of the “denial of injury” neutralization technique is positively associated with intentions to violate IT security policies.

• H1c. Use of the “metaphor of the ledger” neutralization technique is positively associated with intentions to violate IT security policies.


Training on deterrence

• Typical SETA programs focus on deterrence
  – I.e., “This is the policy; this is the punishment.”
  – Presenting negative consequences is persuasive

• “A major reason for initiating this training…is to convince potential abusers that the company is serious about security and will not take intentional breaches of this security lightly.” (Straub & Welke 1998)


Training not to neutralize

• Neutralization is a more powerful predictor of IT security violations than presence of sanctions (Siponen and Vance 2010)

• Because neutralization is powerful in changing employee intentions, training should combat this tendency.

• Example for training materials: “Some people may be tempted to rationalize reasons to violate the policy. Justification is not okay because...”


Hypotheses

• H1a/b/c. The use of neutralization techniques is positively associated with intentions to violate IT security policies.

• H2. Employees receiving training focused on addressing neutralization techniques are less likely to form intentions to violate IT security policies than employees receiving training focused on deterrent sanctions.


Framing effects

• Framing can have a powerful effect on individual attitudes and behavior

• Research on framing theory includes three types of framing – we focus on ‘goal framing’

• Explaining negative consequences is more persuasive than explaining positive benefits

• Example


Hypotheses

• H1a/b/c. The use of neutralization techniques is positively associated with intentions to violate IT security policies.

• H2. Employees receiving training focused on addressing neutralization techniques are less likely to form intentions to violate IT security policies than employees receiving training focused on deterrent sanctions.

• H3. Employees receiving training that is negatively framed (i.e., consequence-based) are less likely to form intentions to violate IT security policies than employees receiving training that is positively framed (i.e., benefits-based).


Methodology

• Design: Factorial survey method
• Participants: Qualtrics panel respondents

– Experience using computers at workplaces with policies

• Task: Respond to 4 scenarios each


Scenarios / Treatments

• Introduction
• 1 of 3 training focus treatments
• 1 of 3 framing treatments
• Situation where employee considers violation
• 1 of 4 neutralization treatments
• Statement of violation

(see handout for details)


Procedures

• Random set of 4 (out of 36 possible) scenarios
• Manipulation check questions
  – One each for focus, framing, neutralization
• Realism check
• Attention check


Usable Responses

• Total individuals completing survey: 90
• 90 x 4 scenarios each = 360
• 360 - 103 with incorrect responses to manipulation check or attention questions = 257


Results


Results of Repeated-Measures Logistic Regression

                          Estimate  Std. Error      Z       p
(Intercept)                 -1.095       1.305  -0.84   0.401
Defense of Necessity         1.026       0.360   2.85   0.004
Denial of Injury             0.433       0.315   1.38   0.168
Metaphor of the Ledger      -0.295       0.351  -0.84   0.400
Focus: Neutralization*      -0.908       0.248  -3.66  <0.001
Focus: Deterrence*          -0.777       0.246  -3.16   0.002
Framing: Negative           -0.140       0.226  -0.62   0.536
Framing: Positive           -0.300       0.282  -1.06   0.288

Statistically significant parameters shown in blue on the slide (p < 0.01)

*Follow-up contrast: χ2 = 0.41, p = 0.521

Summary of hypotheses (n = 257)

H1a. Defense of necessity → Intentions to violate: Supported*
H1b. Denial of injury → Intentions to violate: Not supported
H1c. Metaphor of the ledger → Intentions to violate: Not supported
H2. Intentions to violate after neutralization training < intentions to violate after deterrence training: Not supported
H3. Intentions to violate after negative training < intentions to violate after positive training: Not supported

*p = 0.004

Interpretation

• H1: Neutralization techniques
  – Not all equal
  – Training based on specific techniques
• H2: Training focus
  – Deterrence and neutralization both effective
• H3: Positive or negative framing
  – No difference


Conclusion

• Neutralization affects intentions to violate IT security policies.

• Focusing training on neutralization is just as powerful as focusing on deterrence for reducing these intentions.

• More research is needed on how to tailor training to combat specific types of neutralization.


Your turn to talk

How can we improve the theory and methods for our next round of data collection?


END OF PRESENTATION SLIDES

-----------------------

SUPPLEMENTAL SLIDES FOLLOW


Demographic Information

Gender
  Female 51 (56.7%)
  Male 39 (43.3%)

Age
  18-29 21 (23.3%)
  30-39 25 (27.8%)
  40-49 20 (22.2%)
  50-59 16 (17.8%)
  60+ 8 (8.9%)

Years of Work Experience
  0-4 6 (6.7%)
  5-9 22 (24.4%)
  10-19 19 (21.1%)
  20+ 43 (47.8%)

Level of Education Completed
  Some high school 1 (1.3%)
  High school 20 (22.2%)
  Undergraduate degree 43 (47.8%)
  Graduate degree 26 (28.9%)

Items: Filter questions

• Have you held a job in a workplace that had guidelines, work rules, or policies for employees?– Yes/No

• Have you held a job in which you used a computer for your work?– Yes/No


Items: Manipulation Checks

In this scenario, the training material clearly states that:

a. employees should never rationalize sharing passwords.

b. employees will be reprimanded for sharing passwords.

c. The training material does not specify either of the above statements.

 

According to this scenario, the company motivates its employees to comply in the training material by:

a. stressing the consequences of sharing passwords.

b. encouraging employee support to ensure safety and security of the company.

c. The training material does not use either of the above techniques.

 

How does Sam justify sharing his password in this scenario?

a. The scenario does not state that he justifies his behavior.

b. He believes that no harm will result from sharing his password.

c. He believes that sharing his password is necessary for the success of his department.

d. He believes that because he has been a good employee for many years he can share his password.


Items: DV, Realism, Attention

• 5-point Likert from SD to SA
• Intention to violate (3 items)
  – In this situation, I would do the same as [Sam].
  – If I were [Sam], I would have also shared my password.
  – I think I would do what [Sam] did if this happened to me.
• Realism (1 item)
  – I could imagine a similar scenario taking place at work.
• Attention (1 item)
  – Please select [SD/D/A/SA] for this question.


Choice of statistical technique

• Rossi and Anderson (1982) suggest OLS regression, but note any multivariate technique will work

• OLS regression assumptions not met
  – Normality
  – Independence of errors

• DV categorized into those with some intentions (avg DV score > 3) and those with no intentions (avg DV score <= 3)


Distribution of DV


Results


Control variables:

                   Estimate  Std. Error      Z       p
Order*                0.655       0.222   2.95   0.003
Realism               0.111       0.231   0.48   0.630
Gender               -0.144       0.435  -0.33   0.741
Age                  -0.237       0.295  -0.80   0.422
Work Experience       0.087       0.405   0.21   0.831
Education             0.541       0.321   1.69   0.092

Only order was significant.

*(People had higher intentions on the first scenario than on later ones)

References

• Rossi, P. H., and Anderson, A. B. 1982. "The factorial survey approach: An introduction," in: Measuring Social Judgments: The Factorial Survey Approach, P.H. Rossi and S.L. Nock (eds.), Sage, Beverly Hills, CA, USA, pp. 15-67.

• Siponen, M., and Vance, A. 2010. "Neutralization: New insights into the problem of employee information systems security policy violations," MIS Quarterly (34:3), pp. 487-502.

• Straub, D. W., and Welke, R. J. 1998. "Coping with systems risk: Security planning models for management decision making," MIS Quarterly (22:4), pp. 441-469.

• Warkentin, M., Johnston, A. C., and Shropshire, J. 2011. "The influence of the informal social learning environment on information privacy policy compliance efficacy and intention," European Journal of Information Systems (20:3), pp. 267-284.

• Willison, R., and Warkentin, M. 2012. "Beyond deterrence: An expanded view of employee computer abuse," MIS Quarterly (forthcoming).
