
Rethinking the Prevailing Security Paradigm: Can User Empowerment with Traceability Reduce the Rate of Security Policy Circumvention?

Published: 25 July 2018

Abstract

Information leakage is a major concern for organizations. As information travels through the organization's ecosystem, perimeter-based defense is no longer sufficient. Rather, organizations are implementing data-centric solutions that persist throughout the information life cycle regardless of its location. Enterprise rights management (ERM) systems are an example of persistent data-centric security. ERM defines specific access rules as an instantiation of organizational information security policies and has been suggested as a means of role-based access permission control. Yet, evidence shows that employees often circumvent or work around organizational security rules and policies because these controls hinder task performance. In this exploratory case study, we use the theory of workarounds as a lens to examine users' workaround behavior. We introduce an empowerment-based ERM system that highlights users' permission to override provisionally assigned access rules. The concept of empowered security policies is novel and presents a shift in the current security compliance paradigm. We then compare compliance intention between empowered ERM users and conventional ERM users. Our descriptive results indicate that circumvention intention is lower, while perceived responsibility and task-performance benefits are higher, for empowered ERM users than for conventional ERM users. Compliance intention is higher for conventional ERM users than for empowered ERM users.




Published In

ACM SIGMIS Database: the DATABASE for Advances in Information Systems, Volume 49, Issue 3 (August 2018), 115 pages
ISSN: 0095-0033
EISSN: 1532-0936
DOI: 10.1145/3242734

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. data-centric security
2. empowerment-based ISSP
3. enterprise rights management
4. information security policy compliance
5. information security system

Qualifiers

• Research-article

Funding Sources

• Korea University Business School

Cited By

• (2024) Exploring Contrasting Effects of Trust in Organizational Security Practices and Protective Structures on Employees' Security-Related Precaution Taking. Information Systems Research 35(4), 1586-1608. DOI: 10.1287/isre.2021.0528. Online publication date: Dec 2024.
• (2024) Incorrect compliance and correct noncompliance with information security policies. Computers and Security 145(C). DOI: 10.1016/j.cose.2024.103986. Online publication date: 1 Oct 2024.
• (2024) Effects of visual risk indicators on phishing detection behavior. Computers and Security 144(C). DOI: 10.1016/j.cose.2024.103940. Online publication date: 18 Oct 2024.
• (2022) Understanding employee's emotional reactions to ISSP compliance: focus on frustration from security requirements. Behaviour & Information Technology 42(13), 2093-2110. DOI: 10.1080/0144929X.2022.2109512. Online publication date: 11 Aug 2022.
• (2022) Development of methods for identifying an appropriate benchmarking peer to establish information security policy. Expert Systems with Applications: An International Journal 201(C). DOI: 10.1016/j.eswa.2022.117028. Online publication date: 1 Sep 2022.
• (2021) The effects of cyber regulations and security policies on organizational outcomes: a knowledge management perspective. European Journal of Information Systems 32(2), 154-172. DOI: 10.1080/0960085X.2021.1908184. Online publication date: 4 Apr 2021.
• (2021) Optimization of Computer Network Database Security Management Technology in the Era of Big Data. Cyber Security Intelligence and Analytics, 134-142. DOI: 10.1007/978-3-030-70042-3_19. Online publication date: 11 Mar 2021.
• (2020) Technical codes' potentialities in cybersecurity. A contextual approach on the ethics of small digital organizations in France. 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), 1-8. DOI: 10.1109/CyberSecurity49315.2020.9138895. Online publication date: Jun 2020.
• (2020) Exploring the role of intrinsic motivation in ISSP compliance: enterprise digital rights management system case. Information Technology & People, ahead-of-print. DOI: 10.1108/ITP-05-2018-0256. Online publication date: 11 May 2020.
• (2020) It is not my job: exploring the disconnect between corporate security policies and actual security practices in SMEs. Information & Computer Security, ahead-of-print. DOI: 10.1108/ICS-01-2019-0010. Online publication date: 4 Jun 2020.
