Data breaches come at a high cost – both financially and ethically. This study explores current literature on why employees fail to follow security compliance procedures, how companies approach compliance, and current best practices. A narrative literature review is used to inform current practitioners and researchers in order to avoid pitfalls in compliance research and practice. The results suggest that the practices of deterrence and fear appeals no longer have the desired effect and that CEO behavior and mixed approaches using both rewards and punishment improve compliance.
2. Have You Ever?
• Downloaded a file that may not be safe
• Clicked OK to a warning prompt without reading it
• Opened an email attachment from a person you may not have known or expected
• Given your password to a coworker so they could access your PC/email for you
• Gotten up and not locked your computer behind you
• Kept a list of passwords on paper in your desk
3. Ethical Dilemmas
• Employees put others in harm's way
• Organizations fail
• Customers/constituents’ information is used inappropriately
• Identity theft
• Loss of public trust or loss of business
4. Data Breaches [1]
• Average cost of data breaches in 2014 - $5.6 million per organization
• 31% of breaches were due to employee negligence (2nd only to external attacks)
• Strong security posture/response plan reduced costs significantly
• More customers are terminating relationships with breached companies
• Public Sector organizations are more likely to have a breach
[Pie chart: Reasons for Breach - Malicious/Criminal Attack 44%, Human Error 31%, System Glitch 25%]
5. Definition
• Organizational Security Policy – also known as an information security policy, is defined as a formal policy in place that defines access, use, integrity, confidentiality, compliance, and availability of data and information within an organization.
• Old Dominion University Security Compliance Policy: http://occs.odu.edu/policies
6. Research Questions
• Why do employees fail to comply with organizational policies?
• What theories and practices are informing organizations’ approaches to compliance?
• New Approaches: What does a successful policy look like?
7. Research Methods
• Narrative Literature Review
• Search Terms
• Abstract Summaries
• Exclusionary Terms
• Final Literature List
Narrative literature reviews “provide information for decision makers and are used by researchers to identify and avoid pitfalls in previous research” [2].
9. Results – Why Employees Fail to Comply
• Organizational Reasons
– Culture
– Structure
– Control Measures
– CEO Behavior
– Punishment or Praise in the Extreme
• Personal Reasons
– Values
– Honesty/Integrity
– Morality
– Job Satisfaction
– Decoupling
– Moral Balance/Moral Licensing Theory
– Coping Theory
10. Theories Explaining Compliance Failure
• Moral Licensing Theory – Moral Balance [3]
• Decoupling or Moral Disengagement [4,5,6]
• Coping Theory [6]
[Diagram: Moral Licensing – Praiseworthy Behavior and Immoral Behavior]
11. Results – Theories and Practices for Compliance
• Fear Appeals [7]
• Deterrence Theory [5,7]
• Compliance Theory [5]
• Codes of Ethics [7]
12. New Approaches
• Make it Personal
• Economics/Valuable to Comply
• Rewards System
• Peer Pressure and Loss of Regard
• CEOs Set the Tone
• Value Congruence
• Change the environment
[Diagram: CEO, Economics/Value, Personal, Environment]
14. Limitations
• No inter-rater reliability
• No critical assessment of the methods used
• Limited scope of articles reviewed
15. Conclusion
• Compliance is ethically necessary both to the organization and the individual
• Employee error is the second leading cause of non-compliance
• Deterrence alone has not been effective enough at reducing non-compliance; on the opposite end, reward/praise alone appears to have the same effect
• Mixed approaches that incorporate deterrence, rewards, and education coupled with CEO behavior appear to be more effective at increasing compliance
• Equally important is hiring employees with both value congruence and positive personal values
• Change the environment
16. References
1. "2014 Cost of Data Breach Study: United States." Ponemon Institute; IBM, 02 May 2014.
2. Green, Bart N., Claire D. Johnson, and Alan Adams. "Writing Narrative Literature Reviews for Peer-reviewed Journals: Secrets of the Trade." Journal of Chiropractic Medicine 5.3 (2006): 101-17.
3. Klotz, A. C., and M. C. Bolino. "Citizenship and Counterproductive Work Behavior: A Moral Licensing View." Academy of Management Review 38.2 (2013): 292-306.
4. Culnan, Mary J., and Cynthia C. Williams. "How Ethics Can Enhance Organizational Privacy: Lessons from the ChoicePoint and TJX Data Breaches." MIS Quarterly 33.4 (2009): 673-87.
5. Chen, Yan, K. Ramamurthy, and Kuang-Wei Wen. "Organizations' Information Security Policy Compliance: Stick or Carrot Approach?" Journal of Management Information Systems 29.3 (2012): 157-88.
6. D'Arcy, John, Tejaswini Herath, and Mindy K. Shoss. "Understanding Employee Responses to Stressful Information Security Requirements: A Coping Perspective." Journal of Management Information Systems 31.2 (2014): 285-318. Business Source Complete. Web. 3 Apr. 2015.
7. Johnston, Allen C., Merrill Warkentin, and Mikko Siponen. "An Enhanced Fear Appeal Rhetorical Framework: Leveraging Threats to the Human Asset Through Sanctioning Rhetoric." MIS Quarterly 39.1 (2015): 113-34.
Editor's Notes
Think about your own organization. The work you do and interactions with your co-workers. Have you ever done any of these? Why?
Typical reasons include:
• To get the job done
• Up against a deadline
• Learned behavior
• No one reads that stuff
• Forgetful behavior
Often, we just don’t think about the consequences of these actions. They get low priority in our day to day work lives. We’ve also been conditioned to just click off the boxes by the way applications are created. Rarely do we get negative feedback from clicking on a warning box to make it go away.
These behaviors do pose ethical issues however. And they do have consequences – both for the employee and the organization. Many we just don’t think about at the time. But what if our actions allow access to confidential, personal, or sensitive data? We’ve seen the results – organizations fail, personal data is used in identity theft situations or other inappropriate ways.
For public organizations in particular, if we fail to follow security compliance policies, our actions may lead to a loss of public trust should anything bad happen.
And bad things do happen. In a recent study by the Ponemon Institute, the average data breach has been shown to cost the organization around 5.6 million dollars. Astoundingly, 31% of those breaches were due to employee negligence within the organization. This could be unintentional or intentional on the employee’s part.
How do we reduce human negligence and error? For that, we turn to an organization’s security policy. Organizations use security policies to describe appropriate behavior with regard to information and for explaining what to do during a breach or other issue. For this research, I defined Organizational Security Policy as follows:
You can see an example of such a policy here at ODU. This policy is very detailed, providing specifics for each of the items within the definition.
We know we have a problem with data breaches and we know that employee negligence plays a major role. So, I wanted to explore this issue further as to the why and what theories are informing organizations’ approach to compliance.
First I asked the question, why do employees fail to comply with policies?
Second, I searched for current theories on how organizations approach compliance.
Finally, looking at the most recent research, I gleaned some of the aspects of a successful policy.
I approached this research from a narrative review of the literature. The use of a narrative literature review is an appropriate research design when one wishes to synthesize current literature and provide guidance to decision makers and other researchers. Additionally, this was an exploratory paper, meant to inform both my classmates and myself on a topic of interest related to ethics.
I searched the university’s online library database using such keywords as organizational ethics, individual ethics, organizational culture, compliance, and motivation.
I ended up with about 50 quality articles to review. While summarizing abstracts, I discovered a more specific topic – employee compliance with organizational policies. Using this topic, I then whittled the articles down to those after 2005 dealing specifically with employee compliance. This gave me a final list of eleven articles to review.
As I am the IT Director for a non-profit, I was specifically interested in security compliance, but did not limit my articles to only that because the intent of this research is to discover reasons why employees fail to comply and approaches to improve compliance. Perhaps there were approaches in other types of policy compliance literature that could be adapted to security compliance.
Now we turn to the results of the narrative review. First, the literature indicated a mix of obvious and not so obvious reasons for employee non-compliance. They typically fell into two categories – organizational reasons and personal reasons.
Organizationally, as we’ve learned in here, sometimes the culture or structure of the organization develops in such a way that employees have difficulty complying. If the organization has onerous control measures in place, employees may circumvent them. A more interesting one was that of CEO behavior. It appeared in several of the articles. There seems to be statistically significant evidence that CEO behavior plays an important role in employee behavior. If employees perceive the CEO not complying or not communicating the importance of compliance, they may follow suit. Finally, anything in the extreme appears to lead to non-compliance. If the organization only punishes bad behavior or only praises good behavior, employees may not comply with policies. Yes, even constant positive feedback can cause an employee to engage in bad behaviors. More on that in a few.
Personal reasons include what we think they may include – values, integrity, personal morality, job satisfaction. The last three, however, help us to understand this phenomenon quite a bit more.
Moral licensing theory is one possible explanation for employee non-compliance. This theory states that an individual has a moral balance he or she tries to keep. Thus, if the employee engages in morally praiseworthy behaviors, they often grant themselves moral license to engage immorally in a subconscious effort to keep that internal moral balance. Going back to the idea of praise in the extreme, we can see this theory in action. Granting employees only praise and positive feedback can lead to negative work behavior in order to maintain that balance.
Decoupling or moral disengagement was probably the most prominent in the literature. Decoupling is the act of separating the personal from the organizational. Or in the case of organizations, not treating private matters as the personal items they are. Managers and employees tend to shift responsibility to the organization, making it impersonal to them. Another aspect of decoupling is economic – for private organizations particularly. Employees who do not see a personal economic value in following compliance procedures tend to separate out their actions from “bad actions” that do have economic consequences for them (loss of job for instance).
Coping theory suggests that as compliance policies have become onerous, complex, and punitive, employees engage in unethical behavior in order to cope with the stress associated with security compliance.
Fear appeals and deterrence dominated security compliance approaches during the time personal computing became mainstream.
Fear appeals, according to Johnston et al., are messages that intend to manipulate behavior by attaching threats to an individual’s health, safety, or possessions. The idea is that through fear, organizations can get employees to comply due to perceived consequences.
Deterrence theory suggests that individuals weigh the benefits and the risks of committing a crime or breaking the rules. For example, if the risk of getting caught is high, individuals are less likely to break the rule. Organizations attempt to make the risks outweigh the benefits through punitive measures, applied consistently and quickly. Recently, deterrence theory has incorporated the loss of esteem among peers that leads to guilt or shame into the cost/benefit ratios.
Compliance theory refers to members of an organization acting as per their directives. These directives come backed by three types of controls:
• Coercive (threats, punishment, stick approaches)
• Remunerative (economic incentives, or carrot approaches)
• Normative (symbolic, moral reasoning, values of compliance)
I added Codes of Ethics here because in some of the research, it was demonstrated that general organizational codes of ethics do not affect employees’ judgments or intentions to commit computer abuse. Specific ethics codes dealing with information security only showed mixed results.
Research suggests that organizational leaders make it personal and economic to comply. This reduces the issue of decoupling and moral disengagement. And while punishment or rewards are not enough alone, together they tend to have a better effect. Further, CEOs set the tone. In several instances, it was found that CEO behavior went a long way to employee compliance. This is no easy task – oftentimes the divide between CEO and front line employees is large. It will take a lot of specific communications and visible behavior changes at the CEO level.
Of course, hiring employees with similar values and strong character will lead to improved compliance as well.
Finally, from a technical standpoint, change the environment. If security compliance is burdensome and complex, make it less so. Sometimes it isn’t the people that are the problem but the environment in which they work. Give them the proper tools that allow them to accomplish their tasks with less stress, and it is suggested that non-compliance will be reduced.
I work in an organization that is heavier on the older generation. Their usage and experience with computing differs wildly from that of Millennials for example. Social media is a whole new area of security risk that many barely understand.
While some of the research touched on different sectors, this is an area that appears to be lacking. Since values and motivators are sometimes different between public and private organizations, perhaps security compliance approaches need to be different.
Finally, what kinds of reward systems are out there? What has been shown to work? The research makes mention of these only theoretically. Some concrete ideas were merit pay, bonuses, or promotions. What about other approaches? Perhaps less monetized or tied completely to the job?
I was the only reviewer of the articles. There was no other researcher to improve the choice to include or exclude the articles in the review.
While I reviewed the methods used in each article, I did not assess their worth or limitations in this project.
Of course due to time and research paper constraints, the scope of the articles reviewed was limited.