Skip to main content
NCBI home page
Elsevier - PMC COVID-19 Collection logoLink to Elsevier - PMC COVID-19 Collection
. 2023 Apr 7;130:103253. doi: 10.1016/j.cose.2023.103253

The impact of work pressure and work completion justification on intentional nonmalicious information security policy violation intention

Randi Jiang a, Jianru Zhang b,
PMCID: PMC10079594  PMID: 37091524

Abstract

As businesses have had to change how they operate due to the coronavirus pandemic, the need for remote work has risen. With the continuous advancements in technology and increases in typical job demands, employees need to increase their work productivity beyond regular work hours in the office. This type of work environment creates even more opportunities for security breaches due to employees intentionally violating information security policy violations. Although explicitly prohibited by information security policies (ISP), organizations have observed that employees bring critical data out of the office to complete their work responsibilities remotely. Consequently, developing a deeper understanding of how work pressure may influence employees to violate ISPs intentionally is crucial for organizations to protect their critical information better. Based upon the fraud triangle theory, this study proposes the opportunity to copy critical data, work pressure, and work completion justification as the primary motivational factors behind why employees copy critical company data to unsecured storage devices to work at home. A survey was conducted of 207 employees from a marketing research firm. The results suggest that opportunity, work pressure, and work completion justification are positively related to nonmalicious ISP violation intentions. Furthermore, the interaction effect between work completion justification and work pressure on the ISP violation intention is significant and positive. This study provides new insights into our understanding of the roles of work pressure and work completion justification on intentional nonmalicious ISP violation behaviors.

Keywords: Fraud triangle, Information security policy violations, Work completion justification, Work pressure, Intentional nonmalicious violations

1. Introduction

Copying critical company data, such as sensitive employee details, e-mails, corporate documents, third-party sensitive data, company directories, and business calendars, to portable storage devices (PSD, including USB drives, PDAs, and smartphones) or cloud storage devices has become increasingly common in organizations. Consequently, organizations have raised concerns about the potential of data leakage due to the lack of security when using these unsecured storage devices (Gorge, 2005; Safa and Maple, 2016; Schatz and Bashroush, 2016). To avoid this threat of unwanted data leakage and related information security problems, organizations often develop specific information security policies (ISPs) to prohibit employees from copying and bringing home critical company data (Tetmeyer and Saiedian, 2010; White et al., 2017). A common organizational ISP may be worded to explicitly prohibit the use of portable media devices, such as unsecured USB drives, to be used on secure work computers (Conner and Coviello, 2004; Gorge, 2005; Lee et al., 2009). However, employees’ actual security behavior regarding copying critical company data often deviates from the recommended behavior in the ISP.

The copying of critical company data behavior can be further distinguished, if an employee copies critical data for a financial benefit (i.e., insider trading, leaking sensitive information); this specific violating behavior is considered to be intentional and malicious (Harrington, 1996; Posey et al., 2011a; Willison and Warkentin, 2013; Willison et al., 2018). In stark contrast to copying critical data for financial gain, when an employee violates the ISP and copies critical company data for the purpose of continuing to work outside of regular work hours and the office (e.g., working at home), the violating behavior may be intentional but is not malicious (D'Arcy et al., 2014).

Such nonmalicious security violations are often committed to support an employee's work completion motivation (Guo et al., 2011). As employees become increasingly overwhelmed by their workload, finishing their work during traditional working hours has become more challenging. Thus, a conflict exists between ISP compliance and timely work completion (Doargajudhur and Dell, 2020; Guo et al., 2011; Lee et al., 2016; Siponen and Vance, 2010). Scholars have recognized the positive relationship between work pressure and ISP violation and have explored more details about factors that could influence such a relationship. For example, Trang and Nastjuk (2021) found punishment policies from an organization can mitigate the positive relationship between work stress elicited by time constraints and ISP noncompliance, while a reward policy had an insignificant effect on such a relationship. In addition to external factors (e.g., organization policies), employees’ violation behaviors triggered by work pressure may also be influenced by themselves. In particular, such a violation is generally motivated by an individual's attitude toward whether work completion and performance are superior to information security (Guo et al., 2011). Studies have observed that employees who bring critical company data to work outside of the office and during regular work hours justified their violating behaviors as an approach to work with higher efficiency and flexibility so that they may better complete their work within deadlines (Kirlappos et al., 2013; Zimmermann and Renaud, 2019). The work completion justification for violating ISPs is prevalent and non-negligible in the contemporary workplace. Thus, it is crucial to investigate the influence of such a justification on the relationship between work pressure and ISP violation. Unfortunately, there is still limited research examining the role of such a justification factor in the context of ISP violations (Guo et al., 2011; Trang and Nastjuk, 2021).

Previous information security research and literature have focused on employees’ ISP intentional but nonmalicious violating behavior (Cuganesan et al., 2018; D'Arcy et al., 2009; Herath and Rao, 2009b; Hooper and Blunt, 2020; Hu et al., 2011; Zhen et al., 2021). These studies have provided essential insights into the general factors behind intentional ISP violating behavior. For example, Cuganesan et al. (2018) stressed the importance of employees’ attitudes towards information security while considering information security management from an ‘employee-centric’ perspective. Zhen et al. (2021) validated employees’ emotions’ as a significant role in their intention to violate general ISP policies. Nevertheless, researchers have called on exploring the antecedents that focus on specific ISP violating behavior because this can provide a more in-depth understanding into specific actionable implications for the practices (Johnston et al., 2019; Moody et al., 2018; Vance et al., 2019).

To respond to this call and fill the literature gap discussed above, we employed the fraud triangle theory (FTT) (Cressey, 1953) for this study to consider work completion justification as a core theoretical position to investigate its effect on ISP intentional but nonmalicious violation – i.e., bringing critical data to unsecured storage devices to work at home. As a dominant framework in auditing and forensic accounting, the FTT has become entrenched in the formal ethical standards of professional associations around the globe (Murphy and Free, 2015). The three perceived factors of the fraud triangle are opportunity, pressure, and rationalization. Opportunity is defined as engaging in fraudulent activity when employees perceive control weaknesses and the ability to commit a fraudulent act without detection is high. At the same time, the likelihood of being caught is low (Dorminey et al., 2012). Pressure to commit fraudulent behavior can be categorized into personal, employment, and external pressures (Albrecht and Albrecht, 1982). Rationalization occurs when individuals who commit fraud desire to do so without incurring negative self-perceptions. As a result, they will typically seek to rationalize their fraudulent actions to themselves (Dorminey et al., 2012). Prior research studies have found that when all three factors are present, the higher the likelihood of fraudulent behavior in an organization (Dorminey et al., 2012, 2010; Ramamoorti, 2008).

In the context of this study, the absence of an opportunity is defined as the lack of any channel or interface for employees to copy company data. For example, the computer in an organization may be programmed so that critical data can only be stored and accessed, not copied. Therefore, the perception of an opportunity to copy critical data will be the first antecedent of intentional data-copying behavior. Work pressure is operationalized as the second dimension of pressure in the fraud triangle, which may give employees an incentive to commit ISP violations. Work completion justification acts as a proxy of rationalization in the fraud triangle and plays a role in rationalizing employees’ intentional nonmalicious ISP violations. With these three factors, we explore the impact of work completion justification on an individual's intention to copy company data to unsecured storage devices to complete their work at home.

We argue that work completion justification stands at the center of the fraud triangle because studies show that people first justify their behavior before conducting any action (Bulgurcu et al., 2010; Myyry et al., 2009; Posey et al., 2011; Wall and Buche, 2017). Prior research points out that the main reason for noncompliance with security policies is that the ISP conflict with work productivity (Kirlappos et al., 2013; Zimmermann and Renaud, 2019). Therefore, compared to the other two factors (opportunity and work pressure) in the fraud triangle, the subjective factor of work completion justification, which rationalizes the conflict between ISP violations and work, may magnify the incentive role of opportunity and work pressure on the ISP violation intention. That is, under the same work pressure and opportunity levels, a more substantial work completion justification will increase employees’ intent to violate specific ISP policies.

According to the FTT, a survey study was conducted to test the effects of opportunity, work pressure, and work completion justification on intentional nonmalicious ISP violations by employees. Further, we test the moderating effects of work completion justification on the relationship between the other two antecedents and intentional nonmalicious ISP violations. The results showed that opportunity, work pressure, and work completion justification were positively related to intentional nonmalicious ISP violations. The results also show the moderating effect of work completion justification on the relationship between work pressure and ISP violation intention was significant and positive. These findings provide important contributions to the intentional nonmalicious ISP violation study and the FTT by: 1) applying the FTT to extend our knowledge on the role of work pressure and work completion justification on nonmalicious ISP violating behaviors; 2) proposing and validating the moderating effect of work completion justification on the relationship between work pressure and intentional nonmalicious ISP violations to fill the research gap on the interaction among fraud triangle components.

The remainder of the paper is organized as follows. First, we present an outline of previous research on information security along with a hypothesis based on a theoretical model of the fraud triangle that examines employees’ behavior of copying critical company data to unsecured storage devices to work from home. Following the description of the model discussion, we discuss the data analysis using Partial Least Square (PLS). Finally, we will discuss the findings, contributions, implications, limitations, and future directions for research.

2. Information Security and theoretical background

A recent survey indicated that 63% of security professionals believe that insider employees will present a more significant threat to their data than external factors (Knorr, 2021). Employees may try to forego security procedures that hinder the completion of their jobs (Barlow et al., 2013; Post and Kagan, 2007). As the complexity of information systems grows, organizations risk having their systems compromised by both the intentional and unintentional acts of organization employees.

To address these issues, Kelloway et al. (2002) suggest that counterproductive behaviors (i.e., undesirable corporate conduct) and organizational citizenship (i.e., complying with ISPs) behaviors are empirically distinct. General management studies traditionally focus on general policies that govern employee citizenship behavior in the workplace. Information security literature, on the other hand, focuses on a specific set of policies—ISPs—that govern how employees behave to deal with counterproductive security issues. More specifically, prior information security research examined three main types of ISP violations caused by insiders. The first is an unintentional ISP violation, an act by employees who perform their duties according to company policies and are not intentionally subverting controls to engage in violating behaviors (Loch et al., 1992; Taylor, 2006). These violations have no self-benefit for the employee. The second type of ISP violation is classified as an intentional nonmalicious ISP security violation (Guo et al., 2011). These intentional yet nonmalicious ISP violations are conceptualized as self-benefitting actions that carry neither financial gain nor malicious intent (Siponen and Vance, 2010). Hence, these nonmalicious but intentional violations are considered voluntary, even though the ISPs define what employees are allowed to do or not to do (Guo et al., 2011). These nonmalicious yet intentional violations may leave organizations more susceptible to information security breaches. The third category of ISP violations is computer abuse. Computer abuse is considered a malicious and intentional violation, defined as the unauthorised and deliberate misuse of local organizational information systems, including violations related to hardware, programs, data, and computer services (Dhillon, 1999; Straub, 1990). We present Table 1 to highlight the main differences among the three main classifications of ISP violations caused by internal users.

Table 1.

Differences between the three main classifications of ISP violations.

Concepts Key Differences Examples References
Unintentional security violations Unintentional, nonmalicious, no financial gain, no self-benefits Accidental data entry, accidental destruction of data (Loch et al., 1992; Taylor, 2006)
Intentional, nonmalicious security violations Intentional and conscious decision to violate, self- benefits without malicious intent; voluntary rule breaking Copying of critical data to unsecured USB drives, sharing passwords, failing to log off computer, delaying security patch updates, (Guo et al., 2011; Siponen and Vance, 2010)
copying critical data to bring home to complete work (Guo, 2013; Siponen and Vance, 2010)
Intentional, malicious computer abuse Intentional, illegal, unethical, malicious, financial, and personal self-benefits Revealing confidential information to outsiders that may harm an organization, writing viruses, pirating software (D'Arcy et al., 2009; Straub Jr, 1990; Willison and Warkentin, 2013)
Open in a new tab

In the context of copying critical data to unsecured storage devices to continue working at home, employees may not consider their violating behavior unethical, which poses doubt regarding the ethical perspectives on this violating behavior. Prior literature has examined how employees justify their violating behavior due to stress levels. The literature has provided sources of stress originating from the ISP, including burdensome, complex, and ambiguous information security requirements as organizations continue to require mandatory compliance (Mamonov and Benbunan-Fich, 2018; Renaud, 2011; Yee, 2004). However, to further understand the behavior behind why an employee would willingly copy critical data from the organization to continue their work at home, it is necessary to shift the focus from the ISP to other factors, such as those related to the work.

Several theories investigate the antecedents of employees’ deviant behaviors, such as the deterrence theory, neutralization theory, situational crime prevention theory, and FTT. The differences among these theories are summarized in Table 2 . Specifically, the deterrence theory argues that illicit behavior can be controlled by threats of sanctions, such as economic sanctions or social pressures (D'Arcy et al., 2009; Gibbs, 1968; Herath and Rao, 2009b). The deterrence theory helps explain why users comply with security rules on computer use, but it does not explain why users break the rules (Guo, 2013). The neutralization theory provides a critical perspective on how employees justify their ISP violation behaviors. It introduces several neutralization techniques (e.g., the defense of necessity) that employees may use to rationalize or neutralize the wrongness of violation ISPs (Siponen and Vance, 2010; Vance et al., 2020). However, these neutralization techniques could be further explored against other motivational factors that could affect individuals violating ISPs. The situational crime prevention theory focuses on restricting the opportunity of crime to prevent the crime (Clarke, 1980; Huisman and van Erp, 2013) and proposes that organizations must implement different preventative measures for each situation (Clarke, 1980). However, scholars pointed out that the theory fails to identify the root causes of a crime which makes it difficult for scholars to explore the social or psychological factors that motivate offenders when performing the crime (Wortley, 2010).

Table 2.

Summary of relevant theories.

Theory Theoretical Focus Application Difference from the Fraud Triangle Theory
Deterrence Theory
(Gibbs, 1968)		 Sanctions with severity,
certainty
and celerity		 How punishments can be used to deter noncompliance towards organizational ISP's (Bulgurcu et al., 2010) Deterrence Theory help explain why users comply with security rules (e.g., controlled by the social pressure), but insufficient to explain why users break rules or engage in intentional but nonmalicious behavior (Guo, 2013).
The FTT could help explain why individuals commit fraud with additional factors such as rationalization and opportunity.
Neutralization Theory
(Sykes and Matza, 1957)		 Various Neutralization techniques How individual's rationalize deviant acts as outlined by organizational ISP's (Siponen and Vance, 2010) Neutralization Theory mainly focuses on studying neutralization techniques, while the FTT focuses on rationalization (the use of neutralization techniques (Lokanan, 2018; Murphy and Dacin, 2011)), as well as other two factors. Therefore, it may offer a more comprehensive perspective to study intentional but nonmalicious behavior.
Situational Crime Prevention
(Clarke, 1980)		 Opportunity with specific circumstances Having organizations follow implementations of company ISPs. This reduces the opportunity for employees to deploy techniques that target specific forms of ISP violations
 Situational Crime Prevention theory stresses the focus on restricting the opportunity of crime to prevent the crime (Huisman and van Erp, 2013). While the FTT also takes opportunity as one of three key factors that result in fraud. Thus, the FTT can be a more comprehensive perspective to study intentional but nonmalicious behavior.
Fraud Triangle Theory
(Sutherland et al., 1992)
 Pressure, opportunity and rationalization The likelihood of fraud (i.e. a violation of trust) is high when these factors are present The FTT incorporates these three theories' perspectives under the specific context to understand the likelihood of employees committing an intentional but nonmalicous ISP violation.
Open in a new tab

The three theories mentioned mainly focus on a single factor, i.e., the pressure of deterrence theory, neutralization techniques of the neutralization theory, and opportunity of the situational crime prevention theory. On the other hand, the FTT incorporates key factors of all three theories. The FTT proposes three factors (i.e., pressure, opportunity, and rationalization) that affect an individual when committing fraud (Sutherland et al., 1992). Therefore, this study is based on the FTT because it offers a theoretical framework to investigate further the relationship between factors (Schnatterly et al., 2018), which allows us to add knowledge to intentional but nonmalicious violation behavior in the information security literature.

2.1. Fraud triangle theory

The fraud triangle has enhanced professionals' abilities to prevent, deter, detect, investigate, and remediate fraud (Dorminey et al., 2010). Literature on the fraud triangle has slowly multiplied over the last decade, and its concepts have gradually been applied to a wide array of disciplines (Cressey, 1954; Huber et al., 2015; Lou and Wang, 2009; Morales et al., 2014; Schuchter and Levi, 2016). First, it provides a reason for individuals to commit a violation of trust, either by incentive or pressure. Second, it describes the circumstance of fraud in which there is a perception of opportunity, such as the absence or ineffectiveness of controls. Perceived opportunity is the perception (1) that a control weakness is present and, importantly, (2) that the likelihood of being caught is remote. Therefore, perceived opportunity requires both the ability to commit the act and the likelihood of doing so without detection (Hollinger and Clark, 1983). Third, it describes the self-rationalization for committing a fraudulent act. Some individuals possess an attitude, character, or set of ethical values that allow them to knowingly and intentionally commit a dishonest act. However, even so-called “honest” individuals can commit fraud in an environment that imposes sufficient pressure. Rationalization attempts to reduce the cognitive dissonance within the individual (Ramamoorti, 2008; Ramamoorti et al., 2009). The higher the incentive or pressure, the more likely an individual will be able to rationalize the acceptability of committing fraud (Morales et al., 2014). Likewise, the greater the perceived opportunity or the more intense the pressure, the less rationalization it takes to motivate someone to commit fraud (Albrecht et al., 1984).

In this study, we propose that the three points of the fraud triangle may capture the necessary antecedents to provide a more refined insight into our understanding of intentional yet nonmalicious ISP violations, that is, copying critical data from the organization to unsecured storage devices to work on at home. We present Fig. 1 as the representation of the Fraud Triangle Theory (Cressey, 1953).

Fig. 1.

Fig. 1

Open in a new tab

The Fraud Triangle.

The specific constructs examined in this study are described in the following sections.

2.1.1. Opportunity

We present opportunity as the second most crucial factor when considering the likelihood of an intentional but nonmalicious ISP violation. The reasoning is opportunity has been assumed to be necessary (if not sufficient) for the employees to commit fraud in the FTT (Schuchter and Levi, 2016). This factor has been found to influence an individual's intention to violate ISPs. For example, Ruankaew (2016) found existing opportunities in organizations significantly impact an individual's decision to commit fraud. The situational crime prevention theory pays full attention to the opportunity of crime in the specific context and focuses on restricting the opportunity to prevent the crime (Clarke, 1980; Huisman and van Erp, 2013). Opportunities can be real or not; once an individual believes that such opportunities exist, an individual may take advantage to engage in fraudulent activities (Albrecht et al., 2006). In the context of this study, opportunities arise for violating ISP, specifically for copying company data when there is an absence of controls, ineffective controls, or the ability to override controls (Dorminey et al., 2012; Kassem and Higson, 2012). Critical data is data that would incur significant losses if lost or compromised, perhaps even threatening an organization's survival (Banham, 2017). As technology advances and employees need to be mobile in completing their work, opportunities to copy critical data to an unsecured device can be bountiful even by employees not actively seeking to violate ISP. For example, workplace ISP regarding copying critical data to work on at home may involve perceptions of what is required, forbidden, and discretionary (Posey and Folger, 2020). Individuals may recognize these opportunities as an effort to form beliefs that a course of action could lead to benefits, such as the convenience of continuing work from home to meet work deadlines (Shepherd et al., 2007). Therefore, based on existing ISP violation literature and the scenario we focused on, opportunity in our research context is developed as the opportunity to copy critical data from work systems in the company.

2.1.2. Pressure

The FTT places pressure as the first factor to consider when examining the likelihood of an individual committing a violation of trust. Specific examples include the financial pressure to push the employees to commit fraud (Cavanaugh et al., 2000). In the ISP violation literature, pressure or stress has been also widely found as an important antecedent of ISP violation behavior. Some scholars focused on the stress that will deter the violation behavior, such as social pressure (Cheng et al., 2013), while others concentrate on stress that could lead to higher ISP non-compliant behaviors, such as technostress (Nasirpouri Shadbad and Biros, 2022). Based on the FTT and the scenario (i.e., copying critical data to unsecured storage devices to work at home), we propose that work pressure as one key source of the pressure/stress to motivate the violation behavior instead of compliance behavior (Trang and Nastjuk, 2021). Both technostress and work pressure are believed to account for ISP violations. However, work pressure generally comes from challenges in the workplace (e.g., an overloaded workload or overly complex tasks, etc.). In contrast, technostress generally comes from challenges of work instruments, such as mastering new technology. In this study, we focus on the amount of work given to employees that lead to stress. Employees who face unreasonable work deadlines or are given a large number of responsibilities with unmanageable expectations are considered to be experiencing work-related stress (Syrek et al., 2013; Trang and Nastjuk, 2021).

Work pressure has been defined as the extent to which the job performance required of an employee is excessive or overloading (Iverson and Maguire, 2000). A sizable body of research demonstrates a relationship between performance goals and employee performance (Deci, 1972; Guzzo, 1979; Latham et al., 1978; Locke et al., 1981). When the performance goals or objectives become too challenging, this can become a source of work pressure. Recent information security research has emphasized the need for more research to explore the relationship between work stress in the context of information technology (IT) security behavior (Pham et al., 2016; Wall and Buche, 2017; Wall et al., 2021). In this study, we argue that understanding the role of work pressure perceptions is essential, especially in occurrences of intentional nonmalicious ISP violations (Andries et al., 1996; Carayon and Zijlstra, 1999; Dhillon et al., 2016).

2.1.3. Rationalization

In the FTT, whether employees could rationalize their fraud behavior may also determine the likelihood of committing fraudulent behavior (Morales et al., 2014). Rationalization has been regarded as an important perspective to understand how employees justify their ISP violation behaviors in the information security literature. For example, neutralization theory introduces several techniques (e.g., the defense of necessity) that employees may use to rationalize or neutralize the wrongness of violation ISPs (Siponen and Vance, 2010; Vance et al., 2020). Among these neutralization techniques, the ‘the defense of necessity’ is considered one of the most important ones in the workplace. In the context of ISP violation due to work overload, the defense of the necessity to complete work and meet deadlines is prevalent, which is conceptualized as work completion justification (D'Arcy et al., 2014). Usually, it is not a part of an employee's job performance evaluation to evaluate how well they have complied with an organization's ISP (Besnard and Arief, 2004). Therefore, individuals with a higher level of work completion believe that job performance (e.g., finishing their allocated work on time) is more important than complying with ISP. As employees are more concerned with their job performance, they may intentionally choose to bypass security measures if doing so can help them complete their work and improve their job evaluations (Guo et al., 2011; Post and Kagan, 2007).

In this study, we argue that although perceived work pressure may exist along with an opportunity and a work rationalization to commit an intentional ISP violation, these factors will not equally affect the employee when committing an intentional ISP violation. Opportunity presents the gateway to commit an intentional ISP violation, while work pressure may further draw an employee towards the violation. However, based on the nature of an intentional but nonmalicious ISP violation, we recognize the work justification rationalization will strengthen the resolve to commit an intentional but nonmalicious ISP violation. We present Fig. 2 as how we have adapted the Fraud Triangle Theory to the specific context of an intentional but nonmalicious ISP violation (i.e., copying critical data to unsecured storage devices to work at home).

Fig. 2.

Fig. 2

Open in a new tab

Application of the Fraud Triangle to ISP Violation.

We present Table 3 to summarize the constructs used in this study.

Table 3.

Constructs used in this study.

Construct Name Definition
Opportunity of Copying Critical Data The opportunities arise for violating ISP specifically for copying company data when there is an absence of controls, ineffective controls, or the ability to override controls (Dorminey et al., 2012; Kassem and Higson, 2012).
Work Pressure The performance required in a job is excessive or overloading (Iverson and Maguire, 2000).
Work Completion Justification Reconstructing harmful ISP violations (i.e. copying critical company data to unsecured storage devices from work to home) as necessary to complete their work and meet deadlines (D'Arcy et al., 2014).
Intentional Nonmalicious ISP Violation Intention The extent to which an employee will engage in voluntary ISP violating behavior with neither malicious intent nor financial gain (i.e., copying critical company data to unsecured storage devices to work from home) (Guo et al., 2011)
Open in a new tab

Extant studies mainly investigate the effect of each fraud triangle element separately on an individual's intention to commit fraud (Lou and Wang, 2009; Owusu et al., 2021). In our research context, the intentional nonmalicious ISP violation is usually attributed to the employee's demanding work requirements and insufficient work hours (Doargajudhur and Dell, 2020; Guo et al., 2011; Siponen and Vance, 2010). Therefore, due to a subjective judgment of an individual's priority to work completion or ISP compliance (D'Arcy et al., 2014; Guo et al., 2011), work completion justification not only directly influences one's ISP violation intentions, but also becomes an important rationalization factor for the belief of the necessity to violate the ISP to complete work. Thus, it ultimately alters an individual's willingness to violate the ISP when considering the opportunity of copying critical data and work pressure.

In summary using the three factors in the FTT as a theoretical framework, this study attempts to explain how opportunity, work pressure, and work justification may influence employees to knowingly commit intentional nonmalicious ISP violations (i.e., copying critical data to unsecured storage devices to work from home. We explore how and if employees perceive the opportunity to copy critical data from work to home along with an employee's level of work pressure placed upon themselves with various levels of work justification will further enhance their intention to copy critical data to an unsecured storage device to work from home. The specific hypotheses examined in the study are shown in Fig. 3 and developed in the following section.

Fig. 3.

Fig. 3

Open in a new tab

Research Model.

3. Research hypothesis

The U.S. audit standard defines opportunity as when “circumstances exist, for example, the absence of controls, ineffective controls, or the ability of management to override controls – that provide an opportunity for fraud to be perpetrated” (PCAOB, 2015, AU 316.07). Opportunities for the commission of these internal controls violations are likely to manifest themselves when employees sense that they might safely circumvent internal IT security controls to benefit themselves (Lou and Wang, 2009; Schnatterly et al., 2018). Opportunity in the context of ISP violations refers to the organization's environmental conditions that facilitate opportunity by ineffective protection of the organization's critical data. Therefore, information security management within an organization involves specific responsibilities. These responsibilities for information security management are reflected in the creation of explicit (ISPs) and implicit understandings of what is required or prohibited of employees and perceptions of what can be done (Posey and Folger, 2020).

Thus, the intention to violate the specific ISP of copying critical data from the company to unsecured storage devices to work at home partially results from an employee's perception of what is allowed and the ease of circumstances to commit these violations. Therefore, the following hypothesis has been drawn out:

H1: The opportunity of copying critical data is positively associated with nonmalicious ISP violation intentions, that is, copying critical company data to unsecured storage devices to work from home.

Work-related pressure is most prevalent when employees apply the pressure on themselves. A recent study by Staples Business Advantage (White, 2016) found that over 75% of employees work more than 40 h a week. Tight deadlines and a lack of conventional working hours to finish their responsibilities cause employees to bring their work home. This type of work pressure introduces security risks as the relentless pressure to perform work may result in employees taking risks to respond to this pressure (Allam et al., 2014). Work-related pressure may cause employees to feel like they cannot finish their assigned tasks on time while maintaining a good quality of work. Thus, this perception of work pressure raises the risk of broken commitments to organizational ISP, such as copying critical company data to unsecured storage devices to finish their work from home. Therefore, the following hypothesis has been drawn out:

H2: Work pressure is positively associated with nonmalicious ISP violation intentions, that is, copying critical company data to unsecured storage devices to work from home

Work completion justification reflects the extent to which employees will justify actions that help them complete their required tasks. Individuals with high work completion justification value a sense of work completion over ISP compliance. An employee who rationalizes their behavior using this defense of work completion as necessary will engage in behaviors that are not necessarily aligned with ISP compliance (D'Arcy et al., 2014). For example, prior research has reported employee claims of a lack of time to comply with ISPs due to tight work deadlines (Puhakainen, 2006).

Therefore, when security requirements are perceived as impediments that adversely affect work efficiency or effectiveness, individuals with a high work completion justification approach will replace any feelings of guilt with the belief that violating the ISP was necessary, leading to a weakened attitude toward ISP compliance (Bulgurcu et al., 2010; D'Arcy and Lowry, 2019; Piquero et al., 2005). Therefore, the following hypothesis has been drawn out:

H3: Work completion justification is positively associated with nonmalicious ISP violation intentions, that is, copying critical company data to unsecured storage devices to work from home.

Driven by work pressure, work completion justification alters an individual's attitude toward ISP violations. When facing excessive work tasks, employees with a higher work justification will care less about the appropriateness or legality of their work behaviors to get the job done (D'Arcy et al., 2014). For example, employees may intentionally choose to bypass security measures if doing so can help them complete their work and improve job evaluations (Guo et al., 2011; Post and Kagan, 2007). In our research context, when facing the same level of work pressure, employees with the work justification mindset are more likely to copy critical data to unsecured storage devices from work to home to complete their responsibilities in a timely manner (Siponen and Vance, 2010). Therefore, the following hypothesis has been drawn out:

H4: Work completion justification positively moderates the relationship between work pressure and nonmalicious ISP violation intentions, that is, copying critical company data to unsecured storage devices to work from home.

Scholars found that when employees are placed in a situation that requires them to choose between compliance with or violation of an ISP, employees first consider information about the situation, behavioral norms of others, and potential reasons to rationalize away the need for compliance (Barlow et al., 2013). Thus, when individuals perceive work completion as crucial, they may consider that more important than fully complying with the ISP and that it is ultimately acceptable to violate ISPs to finish assigned work (Guo et al., 2011; Post and Kagan, 2007). Hence, when the opportunity is presented (e.g., interpretation of the ISP), those with a higher level of work completion justification would be more likely to violate the ISP policy than those with lower levels of work completion justification. Thus, the employee might be more likely to act upon the presented opportunity to facilitate the work completion. Therefore, the following hypothesis has been drawn out:

H5: Work completion justification positively moderates the relationship between opportunity of copying critical data and nonmalicious ISP violation intention, that is, copying critical company data to unsecured storage devices to work from home.

4. Methodology

4.1. Construct measurement

The measurement items adopted in this study were adapted from existing validated and well-tested scales in the extant literature. Specifically, The opportunities arise for violating ISP's specifically for copying company data when there is an absence of controls, ineffective controls, or the ability to override controls (Dorminey et al., 2012; Kassem and Higson, 2012), three items adapted from Pratt and Cullen (2000) were used to measure the construct. Work pressure refers to the extent to which the job performance required for a job is excessive or overloading (Iverson and Maguire, 2000); two items of the construct were adapted from Stanton et al. (2001). Work completion justification is derived from D'Arcy et al. (2014), which is defined as reconstructing harmful ISP violations (i.e. copying critical company data to unsecured storage devices to work from home) as a necessity to complete work and meet deadlines; three items were adapted from D'Arcy et al. (2014). Nonmalicious ISP violation intention refers to the extent an employee will engage in voluntary ISP violating behavior with neither malicious intent nor financial gain (i.e. copying critical data to unsecured storage devices to work on at home) (Guo et al., 2011); two items are adapted from D'Arcy et al. (2009). In addition to using previously validated questions, all measures were pretested by two business professors with expertise in survey research and ten professionals with ISP experience. The objective of the pretest was to ensure that the measures were meaningful and that they unambiguously captured the domain of each construct. Based on detailed interviews with each participant, appropriate changes were then made to the measures.

In the survey design, we faithfully followed Siponen and Vance (2014)’s guidelines to increase the contextual relevance of field survey research. Specifically, we present a scenario (i.e., copying company data to an unsecured storage device to work from home) to guide our respondents to properly contextualize and comprehend our research boundaries. Then, we ask respondents to respond to the measurement items. Therefore, the items for opportunity, work pressure, and work completion justification can be interpreted to the specific context of copying company data to an unsecured storage device to work from home. As for the level of specificity and generalizability for instrumentation (Siponen and Vance, 2014), we used the level of “specific to context” to specify the violation type (i.e., intentional but non malicious violation) and the context (i.e., copying company data to unsecured storage devices from work systems), but do not specify the type of systems. The level of “specific to context” is used as we assume that the context is a boundary condition. Employees adopt different volitional security behaviors in an overtime work context than a timely workday exit.

All measures were then pilot tested in a survey with a small portion of targeted samples before the full survey was conducted, which resulted only in minor changes to the wording. The reliability and exploratory factor analyses for each set of measures were performed. The validity and reliability of the adapted measures fulfilled the necessary requirements, which indicated all measures were clear and relevant to the targeted samples, as well as captured the intended concepts. Administration of the survey of the target sample frame then proceeded. All scales used in the study are presented in Appendix A. All items were measured with 5-point Likert scales in the questionnaire, ranging from “strongly disagree” to “strongly agree.”

4.1.1. Control variables

To consider rival explanations of intentional ISP violations, we implemented several control variables in this study. Based on prior research (Posey et al., 2011b; Zhen et al., 2021), we recognized that the behavioral intention to commit intentional nonmalicious ISP violations might also be influenced by respondents’ characteristics, such as gender, education, and computer skills, as well as their perception of monitoring within an organization.

4.2 Data collection

A marketing research firm was contracted to gather targeted participants for the survey. Increasingly used in IS research (Ayyagari et al., 2011; Bulgurcu et al., 2010), external panelists have certain advantages over traditional methods. First, panels guarantee respondent anonymity, which encourages honest responses to questions (e.g., IS security) that may have more socially desirable responses. Second, external panels contain respondents from a wide range of industries and positions to generalize a study that adopts a quantitative model conceptualization and testing approach. The marketing research firm was instructed to collect responses from employed professionals with positions requiring significant levels of computer use. The research firm paid participants a small amount ($10) for their participation. In the questionnaire, the targeted samples were first asked to indicate their experiences using computers in the company. If an individual had little use of a computer in their daily work, that person was excluded from further consideration. The questionnaire then asked respondents their perceptions regarding opportunity, idealism, and work-related pressure in terms of the following information security policies and intentional ISP violations.

A total of 574-panel members accepted the invitation to participate in the survey by viewing the consent agreement and clicking past the first page. After excluding incomplete responses, a data set of 207 responses was included in the analyses. Table 4 shows the demographics of these respondents. All employees sampled were required to have significant use of a computer in the completion of their daily work tasks. Sample demographics reveal that 62 percent were female with high levels of education (71 percent with at least a bachelor's degree).

Table 4.

Sample distribution by classification.

Gender Count Education Count
Female 128 High-school 29
Male 79 2 year degree 30
4 year degree 92
Professional Degree 53
Doctorate 3
Total 207 Total 207
Open in a new tab

5. Data analysis and results

In our study, we selected the partial least squares (PLS) regression and Smart PLS 3.0 tool to perform the test. PLS is a component-based structural equation modeling technique that facilitates simultaneous tests of measurement models and structural models. PLS is suited for our research because it does not require multivariate normality of the data (Teo et al., 2003), and it is suitable for testing nonlinear effects, such as moderation (Chin, 1998; Chin et al., 2003). PLS was employed to both validate the measurement instrument and test the research model.

5.1 Measurement validation

The research model was tested using PLS. PLS is a component-based structural equation modeling technique that facilitates simultaneous tests of measurement models and structural models and is particularly suitable for testing nonlinear effects such as moderation (Chin, 1998; Chin et al., 2003). PLS is well suited for the predictive nature of this study and adequately assessed the relative influence of the fraud triangle on the likelihood of an intentional nonmalicious ISP violation. Further, the use of PLS is appropriate mainly because of the early theoretical development nature of the study (Gefen et al., 2011). PLS was employed to both validate the measurement instrument and test the research model.

We assessed measurement validity in three ways. First, convergent validity was assessed by examining the factor loadings and how each item was related to its corresponding construct. Convergent validity is considered satisfactory if the factor loading of a measure is 0.7 or higher. All factor loadings were above the cutoff point of 0.70 with a t-value higher than 1.96. The measures loaded on their appropriate factors, and there was no evidence of significant cross-loading. Average variance extracted (AVE) was also examined to evaluate convergent validity. AVE is greater than 0.5, establishing convergent validity. As a result, each construct had an AVE greater than 0.5, suggesting that the measures exhibited adequate convergent validity (Hair et al., 2011)

Second, the reliability of the measures was examined through composite reliability (C.R.). The C.R. of construct was greater than 0.7, a common threshold for signifying satisfactory construct reliability (Hair et al., 2011). According to the results, the minimum C.R. values exceed the recommended threshold of 0.7, indicating acceptable reliability of the measures. These tables are presented in Tables 5 and 6 .

Table 5.

Measurement quality indicators.

Construct Measurement items Loadings AVE Composite
Reliability		 Cronbach's Alpha
Opportunity Opp1 .828 0.650 0.848 0.732
Opp2 .819
Opp3 .769
Work Pressure Press1 .958 0.902 0.948 0.892
Press2 .941
Work Completion Justification WCJ1 .950 0.905 0.966 0.947
WCJ2 .957
WCJ3 .947
Intentional Nonmalicious ISP Violation Intention INV1 .980 0.957 0.978 0.955
INV2 .977
Open in a new tab

Table 6.

Correlation analysis of latent variables.

Mean Std. 1. 2. 3. 4.
1. Opportunity 2.205 0.937 0.806
2. Work Pressure 2.721 1.137 0.212 0.950
3. Work Completion Justification 1.778 1.000 0.437 0.190 0.951
4. Intentional Nonmalicious ISP Violation Intention 2.070 1.119 0.384 0.269 0.556 0.978
Open in a new tab

Third, discriminant validity is verified by the difference between the AVE of a construct and its correlation with other constructs. For adequate discriminant validity, the square roots of the AVE of any construct should be greater than the correlation between constructs, signifying that the diagonal elements should be greater than corresponding off-diagonal ones (Fornell and Larcker, 1981). As a result, the criterion for sufficient discriminant validity was also met in this study.

Lastly, we employed Harman's one-factor test to determine whether there was a common method bias issue. The results showed that no factor accounted for over half of the variance, suggesting that common method bias was not a severe problem (Podsakoff et al., 2003). The variance inflation factor (VIF) was calculated to all have values below 3.3, indicating the lack of a multicollinearity issue (Diamantopoulos and Winklhofer, 2001).

5.2. Structural model

The proposed hypotheses were tested through the examination of the structural model. For increased robustness and statistical validity, a bootstrap resampling procedure was used with 2000 resamples. The standardized PLS path coefficients for testing the structural model are shown in Fig. 4 and Table 7 . The model accounts for a significant portion of the variance in intentional ISP violations (R2 = 38.3 percent). Overall, PLS analyses confirm that the fraud triangle significantly influences intentional ISP violation. More specifically, opportunity (path coefficient = 0.155, p < 0.05), work pressure (path coefficient = 0.180, p < 0.01), and work completion justification (path coefficient = 0.439, p < 0.01) had significant, positive effects on intentional ISP violation, in support of H1, H2, and H3.

Fig. 4.

Fig. 4

Open in a new tab

Research model with results.

Table 7.

Regression results.

Intentional Nonmalicious ISP Violation
Control variables
Computer skill −0.004
Education −0.042
Gender 0.016
Monitoring −0.088
Independent variables
Opportunity 0.155*
Work pressure 0.180**
Work completion justification (WJ) 0.439**
Interactive effect
Opportunity*WJ −0.059
Work pressure*WJ 0.156*
R2 0.383
Open in a new tab

Note: **P<0.05, ** P<0.01.

We followed the steps proposed by Aiken and West (Aiken et al., 1991) to examine the moderation hypotheses. The interaction terms were mean-centered before creating the interaction variables to reduce the potential for collinearity (Chin et al., 2003). Work completion justification positively moderated the positive effect of work pressure on intentional ISP (path coefficient = 0.156, p < 0.05). Therefore, H4 was supported. However, work completion justification had an insignificant moderating effect on the relationship between opportunity and intentional ISP violation (path coefficient = −0.059, p > 0.05). Therefore, H5 was not supported.

An interaction plot for the moderating effect of work completion justification on the relationship between work pressure and ISP violation intention is presented in Fig. 5 . The interaction plot reveals that the relationship between work pressure and intentional ISP violation was strengthened with a significantly positive effect on work completion justification.

Fig. 5.

Fig. 5

Open in a new tab

Interaction Plots.

6. Discussion and implication

This study is motivated by a desire to understand different possible motivations for intentional and nonmalicious ISP violations, especially in the action of bringing critical data to unsecured storage devices to work on at home. Specifically, this study examines how the three factors of the fraud triangle (opportunity, work pressure, and work completion justification) affect an individual's intention to copy and bring critical company data home due to their desire to complete their assigned workload. Based on a survey of 207 business professionals in the U.S, the results indicate that the opportunity to copy critical data, work pressure, and work completion justification, as expected, had a significant positive relationship with ISP violation intentions. Furthermore, the results reveal that work completion justification positively influences the impact of work pressure on ISP violation intentions. Nevertheless, the results also show that the moderating effect of work completion justification on the relationship between opportunity and ISP violation intention was not significant. The potential explanation for this might be that, on the one hand, the opportunity is often determined by organizational-level factors. For example, the computer in an organization may be programmed so that critical data can only be stored and accessed, not copied, while the extend of work pressure is more related to an individual's personal situation. Therefore, the opportunity is controlled by the organizational policy on data copying, which is not necessarily altered by individual's will. On the other hand, work completion justification reflects the trade-off between work completion and ISP compliance (D'Arcy et al., 2014), while opportunity does not reflect an individual's consideration of the work aspect. Therefore, work completion justification could not alter the influence of opportunity on ISP violation intentions. As discussed in the following section, these findings provide new insights into our understanding of employee copying critical data behavior and its implications for researchers and practitioners.

6.1. Implications for research

First, the result of this study contributes to the FTT by discovering the positive moderating role of work completion justification on the relationship between work pressure and nonmalicious ISP violation intention. Most extant studies separately investigated the effect of each fraud triangle factor on an individual act of fraud (Lou and Wang, 2009; Owusu et al., 2021). Therefore, our research fills the gap in the literature by focusing on the interaction among the fraud triangle factors. (Schnatterly et al., 2018). This study also contextualizes the FTT in understanding an employee's intentional nonmalicious ISP violations to investigate the interaction among the fraud triangle factors (Schnatterly et al., 2018). The results indicate that work completion justification, which acts as a proxy for rationalization in the fraud triangle factors, reflects an individual's trade-off between work completion and ISP compliance. This justification can influence an individual's intention and significantly alter the relationship between their work pressure level and violation intention.

Second, the result of this study contributes to the information security research by validating the motivational factors of non-ethical ISP violations. Extant research mainly focuses on ethical ISP violations that have personal or financial gain. Therefore, researchers have developed strong ethical insights toward ISP compliance such as (Chia and Lim, 2000; Robin et al., 1996), enforcing a code of ethics (Harrington, 1996), and implementing ethical decision-making aids (Bulgurcu et al., 2010). However, by empirically testing the motivational factors behind employees’ non-ethical ISP violation intentions, this study opens an avenue of research to examine employees' nonmalicious intentions (especially nonethical issues) to understand their perspectives on ISP compliance better.

Third, the result of this study makes contribution to the information security research by enhancing the understanding of the role of work completion justification on employees' ISP violating behaviors (Abramis, 1994; Fisher, 2001; Jamal, 1984; Motowidlo et al., 1986). It has been argued that work completion justification enforces an individual's concept of self-identity (Lee et al., 2006). In the context of an organization, completing assigned work becomes a stable self-concept for employees that can encourage them to engage in behaviors consistent with this bottom line. Employees tend to avoid behaviors that are inconsistent with their organizational self-identity. Therefore, when employees feel that ISPs could not help them complete business tasks or even hinder their productivity, employees will more likely engage in behaviors that violate organizational ISPs (Guo, 2013; Guo et al., 2011; Siponen and Iivari, 2006). This study validates the significant influence of work completion is an important decision factor when employees are concerned with security policies that may hinder their workload. This study presents the argument that ISPs may need to be reconsidered to reduce the conflict of accepting the need for additional security policies to prevent catastrophic organizational ISP violations. Future research may further explore the design and creation of ISPs to consider employees’ work productivity and job demands, especially in the demanding business environment of this post-COVID-19 world.

6.2. Implications for practice

First, our study found that opportunity positively influences the intention to violate ISP. The finding suggests that information security management should pay more attention to the source of risk. Information security management could explore avenues that further monitor and restrict employees from bringing work home to eliminate this specific ISP violation (Herath and Rao, 2009a; Li et al., 2021; Lowry et al., 2015). For example, high-tech companies may start directly using the workplace local area networks and remove all interfaces for copying critical company data to any type of portable media.

Second, the positive relationship between work pressure and ISP violation intentions suggests that companies should pay attention to the appropriateness of employee workloads. Employees are usually practical, caring more about completing their workload than complying with information security. With a heavy workload, they may bypass ISP to facilitate work completion (e.g., employees copying critical data to take out of the office to complete the work assigned to them). However, this could threaten the company's best interests (e.g., safe security measures to prevent information security breaches) even if employees are not violating ISP maliciously, such as for financial gain. Therefore, management could take measures, such as the timely reallocation of work according to conditions and progress, to avoid excessive work pressure on employees.

Last but not least, the positive effects of work completion justification on ISP violation intentions suggest that enterprises should strengthen information security training for employees to mitigate employee's justification, which could include consequences for violating policies and why violating behavior should not be justified (Barlow et al., 2013). More importantly, they should provide more management support to establish a culture that emphasizes the importance of information security as a measure of job performance (AlHogail, 2015; Cuganesan et al., 2018).

7. Limitations and future research

As with many other behavioral security research projects, this study is limited by the use of intention instead of actual behavior as the dependent variable. How intention translates to actual conduct is not completely clear, but the limited focus on intention is consistent with most information security studies (Paternoster, 2010).

A second limitation of this study is the consequence of using a scenario-based research design. As previous studies have explained, the participants in a study involving scenarios of policy violations may have already been involved in similar experiences. As a result, they may feel compelled to conceal their true intentions because they perceive this behavior as socially undesirable (Siponen and Vance, 2010; Willison et al., 2018). However, previous research suggests that the expected number of previous violators in a large sample pool (e.g., >150) was likely insufficient to skew the results of a study (Siponen and Vance, 2010; Willison et al., 2018). Due to the sample size used for the present study (i.e., 209), it is reasonable to infer the same expectation.

Third, the model focuses on a specific type of nonmalicious ISP violation intention as the ultimate dependent variable, thereby limiting the scope of the study. Future research should investigate different types of nonmalicious ISP violations, such as password sharing, avoidance of timely security patches, and victim-to-email phishing.

Last, given this study only focuses on one specific ISP violation scenario (i.e., copying critical company data to unsecured storage devices to work at home) to develop explicit insights, our findings on three factors resulting in ISP violation should be carefully considered when extending the results to other scenarios (Aurigemma et al., 2019). Future studies could extend our findings to a more general context of ISP violations. We only propose one way to describe a specific scenario. However, we recognize there can be various ways to describe the scenario of using unsecured storage devices to copy critical company data. For example, we describe the scenario as copying critical company data to an unencrypted USB drive to work at home, as an example to help respondents to comprehend our ISP violation context. There are variations of this scenario that could also be described as copying data to a personal cloud driver or sending data to a mobile phone, etc. In addition, we describe the scenario by creating a male character; however, the character could also be a female. This specific gender identification in our scenario description details may influence our findings. Future research could further examine these limitations to improve the robustness of our specific scenario-based findings.

8. Conclusion

Both scholars and managers have traditionally viewed ISP as guidelines– normative lists of actions that the employees should (or should not) perform (Hevner et al., 2004; Siponen and Iivari, 2006; Warman, 1992). However, the design of any ISP faces the underlying issue that not all policies and guidelines can address employee situations reasonably. Based upon the FTT, this study finds how opportunity, work pressure, and work completion justification are three antecedents that could lead to employees’ nonmalicious ISP violation intentions. Furthermore, individuals with higher levels of work completion justification will have significantly increased ISP violation intentions under the same levels of work pressure. The study results provide insights into specific intentional nonmalicious ISP-violating behaviors (i.e., copying critical company data to complete work at home), encourages future studies to examine this critical phenomenon, and offer even more detailed insights and actionable implications regarding the practice.

Credit authorship contribution statement

Randi Jiang: Conceptualization, Methodology Writing original draft.

Jianru Zhang: Formal analysis, Validation, Writing

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Biographies

Randi Jiang is an Assistant Professor in Accounting at Grand Valley State University. Her research focuses on how the implementation of accounting information systems can influence an employee's perception of their environment and influence individual's to commit information security policy violations. She has published her research in respected academic journals such as Communications of the Association for Information Systems and Industrial Management & Data Systems.

Jianru Zhang is an Assistant Professor in the School of Management, Xi'an Jiaotong University, China. His-research interests include R&D management, applications of enterprise social media. His-work has appeared in quality international journals, such as International Journal of Information Management and Industrial Management & Data Systems.

Appendix A. Measurement items

Constructs Items Reference
Opportunity to copy critical company data Opp1: Obtaining the information system credentials of other employees (e.g., copying critical data to an unsecured USB storage device) is easy.
Opp2: Having access to other employees' information systems (e.g. ability to copy critical data to an USB storage device) may provide a competitive edge.
Opp3: In general, there is an opportunity to exploit the company's information systems.		 (Pratt and Cullen, 2000)
Work Pressure GenPress1: Overall, I often feel stressed because of my work.
GenPress2: Overall, the work allocated to me causes me stress.		 (Stanton et al., 2001)
Work Completion Justification
 1. It is acceptable to violate certain information security policies for the purpose of completing work faster.
2. It is acceptable to violate certain information security policies if it helps you do your job more efficiently.
3. It is acceptable to violate certain information security policies when the work needs to be completed within a tight deadline.		 (D'Arcy et al., 2014)
Nonmalicious ISP Violation Intentions (Copying critical data home to complete work) Scenario: USB Copy Scenario
Chris is an accounting employee in your organization who is working on a report that requires the analysis of sensitive company financial data. He is extremely busy and wants to continue working on the report later that evening at home. Chris is aware of your company's policy prohibiting users from copying company data to portable media, such as USB storage devices, to avoid security problems. However, Chris copies several company files to his personal, unencrypted USB drive so that he can work on the report at home.
• How likely is it that you would have done the same as Chris in that situation?
• I could see myself copying the data, like Chris.		 (D'Arcy et al., 2009)
Open in a new tab

Notes: Data collected from general employees who use computers for their daily work tasks.

Data availability

  • Data will be made available on request.

References

  1. Abramis D.J. Work role ambiguity, job satisfaction, and job performance: meta-analyses and review. Psychol. Rep. 1994;75(3_suppl):1411–1433. [Google Scholar]
  2. Aiken L.S., West S.G., Reno R.R. Sage; 1991. Multiple regression: Testing and Interpreting Interactions. [Google Scholar]
  3. Albrecht S., Albrecht W.S. Prentice-Hall; Englewood Cliffs, NJ: 1982. How to Detect and Prevent Business Fraud. [Google Scholar]
  4. Albrecht W.S., Hill N.C., Albrecht C.C. The ethics development model applied to declining ethics in accounting. Austr. Account. Rev. 2006;16(38):30–40. doi: 10.1111/j.1835-2561.2006.tb00323.x. [DOI] [Google Scholar]
  5. Albrecht W.S., Howe K.R., Romney M.B. Institute of Internal Auditors Research Foundation; Altamonte Springs, FL: 1984. Deterring fraud: the Internal Auditor's Perspective. [Google Scholar]
  6. AlHogail A. Design and validation of information security culture framework. Comput. Human Behav. 2015;49:567–575. [Google Scholar]
  7. Allam S., Flowerday S.V., Flowerday E. Smartphone information security awareness: a victim of operational pressures. Comput. Secur. 2014;42:56–65. [Google Scholar]
  8. Andries F., Kompier M.A., Smulders P.G. Do you think that your health or safety are at risk because of your work? A large European study on psychological and physical work demands. Phys. Stresses Plants: Genes Their Prod. Tolerance, Proc. Workshop. 1996;10(2):104–118. [Google Scholar]
  9. Aurigemma S., Mattson T. Generally speaking, context matters: making the case for a change from universal to particular ISP research. J. Assoc. Inf. Syst. 2019;20(12):7. [Google Scholar]
  10. Ayyagari R., Grover V., Purvis R. Technostress: technological antecedents and implications. Mis. Q. 2011;35(4):831–858. 软件技术特点与压力的关系. [Google Scholar]
  11. Banham R. Cybersecurity threats proliferating for midsize and smaller businesses. J. Accountancy. 2017;224(1):75. [Google Scholar]
  12. Barlow J.B., Warkentin M., Ormond D., Dennis A.R. Don't make excuses! Discouraging neutralization to reduce IT policy violation. Comput. Secur. 2013;39:145–159. doi: 10.1016/j.cose.2013.05.006. [DOI] [Google Scholar]
  13. Besnard D., Arief B. Computer security impaired by legitimate users. Comput. Secur. 2004;23(3):253–264. [Google Scholar]
  14. Bulgurcu B., Cavusoglu H., Benbasat I. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. Mis. Q. 2010;34(3):523–548. doi: 10.2307/25750690. [DOI] [Google Scholar]
  15. Carayon P., Zijlstra F. Relationship between job control, work pressure and strain: studies in the USA and in The Netherlands. Phys. Stresses Plants: Genes Their Prod. Tolerance, Proc. Workshop. 1999;13(1):32–48. [Google Scholar]
  16. Cavanaugh M.A., Boswell W.R., Roehling M.V., Boudreau J.W. An empirical examination of self-reported work stress among US managers. J. Appl. Psychol. 2000;85(1):65. doi: 10.1037/0021-9010.85.1.65. [DOI] [PubMed] [Google Scholar]
  17. Cheng L., Li Y., Li W., Holm E., Zhai Q. Understanding the violation of IS security policy in organizations: an integrated model based on social control and deterrence theory. Comput. Secur. 2013;39:447–459. doi: 10.1016/j.cose.2013.09.009. [DOI] [Google Scholar]
  18. Chia A., Lim S.M. The effects of issue characteristics on the recognition of moral issues. J. Bus. Ethics. 2000;27(3):255–269. [Google Scholar]
  19. Chin W.W. The partial least squares approach to structural equation modeling. Modern Methods Bus. Res. 1998;295(2):295–336. [Google Scholar]
  20. Chin W.W., Marcolin B.L., Newsted P.R. A partial least squares latent variable modeling approach for measuring interaction effects: results from a Monte Carlo simulation study and an electronic-mail emotion/adoption study. Inf. Syst. Res. 2003;14(2):189–217. [Google Scholar]
  21. Clarke R.V. Situational crime prevention: theory and practice. Brit. J. Criminol. 1980;20:136. [Google Scholar]
  22. Conner F.W., Coviello A.W. Information security governance: a call to action. Corporate Governance Task Force. 2004 [Google Scholar]
  23. Cressey, D.R. (1953). Other people's money; a study of the social psychology of embezzlement.
  24. Cressey D.R. The differential association theory and compulsive crimes. J. Crim. Law Criminol. Police Sci. 1954;45(1):29–40. [Google Scholar]
  25. Cuganesan S., Steele C., Hart A. How senior management and workplace norms influence information security attitudes and self-efficacy. Behav. Inf. Technol. 2018;37(1):50–65. doi: 10.1080/0144929X.2017.1397193. [DOI] [Google Scholar]
  26. D'Arcy J., Herath T., Shoss M.K. Understanding employee responses to stressful information security requirements: a coping perspective. J. Manage. Inf. Syst. 2014;31(2):285–318. [Google Scholar]
  27. D'Arcy J., Hovav A., Galletta D. User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inf. Syst. Res. 2009;20(1):79–98. [Google Scholar]
  28. D'Arcy J., Lowry P.B. Cognitive-affective drivers of employees' daily compliance with information security policies: a multilevel, longitudinal study [https://doi.org/10.1111/isj.12173] Open Inf. Syst. J. 2019;29(1):43–69. doi: 10.1111/isj.12173. [DOI] [Google Scholar]
  29. Deci E.L. The effects of contingent and noncontingent rewards and controls on intrinsic motivation. Organ. Behav. Hum. Perform. 1972;8(2):217–229. [Google Scholar]
  30. Dhillon G. Managing and controlling computer misuse. Inf. Manage. Comput. Secur. 1999;7(4):171–175. [Google Scholar]
  31. Dhillon G., Oliveira T., Susarapu S., Caldeira M. Deciding between information security and usability: developing value based objectives. Comput. Human Behav. 2016;61:656–666. [Google Scholar]
  32. Diamantopoulos A., Winklhofer H.M. Index construction with formative indicators: an alternative to scale development. J. Market. Res. 2001;38(2):269–277. [Google Scholar]
  33. Doargajudhur M.S., Dell P. The effect of bring your own device (BYOD) adoption on work performance and motivation. Int. J. Comput., Inf., Syst. Sci., Eng. 2020;60(6):518–529. [Google Scholar]
  34. Dorminey J., Fleming A.S., Kranacher M.-.J., Riley R.A., Jr The evolution of fraud theory. Issues Account. Educ. 2012;27(2):555–579. [Google Scholar]
  35. Dorminey J.W., Fleming A.S., Kranacher M.-.J., Riley R.A., Jr Beyond the fraud triangle. J. Electron. Packag. 2010;80(7):17. [Google Scholar]
  36. Fisher R.T. Role stress, the type A behavior pattern, and external auditor job satisfaction and performance. Behav. Res. Account. 2001;13(1):143–170. [Google Scholar]
  37. Fornell C., Larcker D.F. Evaluating structural equation models with unobservable variables and measurement error. J. Market. Res. 1981;18(1):39–50. [Google Scholar]
  38. Gefen D., Rigdon E.E., Straub D. Editor's comments: an update and extension to SEM guidelines for administrative and social science research. MIS Q. 2011:iii–xiv. [Google Scholar]
  39. Gibbs J.P. Crime, punishment, and deterrence. Soc. Sci. Q. 1968:515–530. [Google Scholar]
  40. Gorge M. USB & other portable storage device usage: be aware of the risks to your corporate data in order to take pre-emptive and/or corrective action. Comput. Fraud Secur. 2005;(8):15–17. 2005. [Google Scholar]
  41. Guo K.H. Security-related behavior in using information systems in the workplace: a review and synthesis. Comput. Secur. 2013;32:242–251. [Google Scholar]
  42. Guo K.H., Yuan Y., Archer N.P., Connelly C.E. Understanding nonmalicious security violations in the workplace: a composite behavior model. J. Manage. Inf. Syst. 2011;28(2):203–236. [Google Scholar]
  43. Guzzo R.A. Types of rewards, cognitions, and work motivation. Acad. Manage. Rev. 1979;4(1):75–86. [Google Scholar]
  44. Hair J.F., Ringle C.M., Sarstedt M. PLS-SEM: indeed a silver bullet. J. Market. Theory Practice. 2011;19(2):139–152. [Google Scholar]
  45. Harrington S.J. The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions. MIS Q. 1996:257–278. [Google Scholar]
  46. Herath T., Rao H.R. Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decis. Support Syst. 2009;47(2):154–165. [Google Scholar]
  47. Herath T., Rao H.R. Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur. J. Inf. Syst. 2009;18(2):106–125. [Google Scholar]
  48. Hevner A.R., March S.T., Park J., Ram S. Design science in information systems research. MIS Q. 2004:75–105. [Google Scholar]
  49. Hollinger R., Clark J. DC Heath; Lexington, MA: 1983. Theft By Employees. [Google Scholar]
  50. Hooper V., Blunt C. Factors influencing the information security behaviour of IT employees. Behav. Inf. Technol. 2020;39(8):862–874. doi: 10.1080/0144929X.2019.1623322. [DOI] [Google Scholar]
  51. Hu Q., Xu Z., Dinev T., Ling H. Does deterrence work in reducing information security policy abuse by employees? Commun. ACM. 2011;54(6):54–60. [Google Scholar]
  52. Huber W.D., Mui G., Mailley J. A tale of two triangles: comparing the Fraud Triangle with criminology's Crime Triangle. Account. Res. J. 2015 [Google Scholar]
  53. Huisman W., van Erp J. Opportunities for environmental crime: a test of situational crime prevention theory. Br. J. Criminol. 2013;53(6):1178–1200. doi: 10.1093/bjc/azt036. [DOI] [Google Scholar]
  54. Iverson R.D., Maguire C. The relationship between job and life satisfaction: evidence from a remote mining community. Hum. Epidemiol. Anim. Lab. Correl. Chem. Carcinog. 2000;53(6):807–839. [Google Scholar]
  55. Jamal M. Job stress and job performance controversy: an empirical assessment. Organ. Behav. Hum. Perform. 1984;33(1):1–21. doi: 10.1016/0030-5073(84)90009-6. [DOI] [PubMed] [Google Scholar]
  56. Johnston A.C., Warkentin M., Dennis A.R., Siponen M. Speak their language: designing effective messages to improve employees’ information security decision making. Decis. Sci. 2019;50(2):245–284. [Google Scholar]
  57. Kassem R., Higson A. The new fraud triangle model. J. Emerg. Trends Econ. Manage. Sci. 2012;3(3):191–195. [Google Scholar]
  58. Kelloway E.K., Loughlin C., Barling J., Nault A. Self-reported counterproductive behaviors and organizational citizenship behaviors: separate but related constructs. Int. J. Sel. Assess. 2002;10(1–2):143–151. [Google Scholar]
  59. Kirlappos I., Beautement A., Sasse M.A. International Conference on Financial Cryptography and Data Security. 2013. Comply or Die” Is Dead: long live security-aware principal agents. [Google Scholar]
  60. Knorr, E. (2021). CSO global intelligence report: the state of cybersecurity in 2021. https://www.csoonline.com/article/3627274/cso-global-intelligence-report-the-state-of-cybersecurity-in-2021.html.
  61. Latham G.P., Mitchell T.R., Dossett D.L. Importance of participative goal setting and anticipated rewards on goal difficulty and job performance. J. Appl. Psychol. 1978;63(2):163. [Google Scholar]
  62. Lee C., Lee C.C., Kim S. Understanding information security stress: focusing on the type of information security compliance activity. Comput. Secur. 2016;59:60–70. doi: 10.1016/j.cose.2016.02.004. [DOI] [Google Scholar]
  63. Lee S.-.H., Kwak J., Lee I.-.Y. Proceedings of the 4th International Conference on Ubiquitous Information Technologies & Applications. 2009. The study on the security solutions of USB memory. [Google Scholar]
  64. Lee Y., Lee J., Lee Z. Social influence on technology acceptance behavior: self-identity theory perspective. ACM SIGMIS Database: DATABASE Adv. Inf. Syst. 2006;37(2–3):60–75. [Google Scholar]
  65. Li H., Luo X.R., Chen Y. Understanding information security policy violation from a situational action perspective. J. Assoc. Inf. Syst. 2021;22(3):5. [Google Scholar]
  66. Loch K.D., Carr H.H., Warkentin M.E. Threats to information systems: today's reality, yesterday's understanding. MIS Q. 1992:173–186. [Google Scholar]
  67. Locke E.A., Shaw K.N., Saari L.M., Latham G.P. Goal setting and task performance: 1969–1980. Psychol. Bull. 1981;90(1):125. [Google Scholar]
  68. Lokanan M. Informing the fraud triangle: insights from differential association theory. J. Theoret. Account. Res. 2018;14(1) [Google Scholar]
  69. Lou Y.-.I., Wang M.-.L. Fraud risk factor of the fraud triangle assessing the likelihood of fraudulent financial reporting. J. Bus. Econ. Res. (JBER) 2009;7(2) [Google Scholar]
  70. Lowry P.B., Posey C., Bennett R.J., Roberts T.L. Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: an empirical study of the influence of counterfactual reasoning and organisational trust. Open Inf. Syst. J. 2015;25(3):193–273. [Google Scholar]
  71. Mamonov S., Benbunan-Fich R. The impact of information security threat awareness on privacy-protective behaviors. Comput. Human Behav. 2018;83:32–44. [Google Scholar]
  72. Moody G.D., Siponen M., Pahnila S. Toward a unified model of information security policy compliance. MIS Q. 2018;42(1) [Google Scholar]
  73. Morales J., Gendron Y., Guénin-Paracini H. The construction of the risky individual and vigilant organization: a genealogy of the fraud triangle. Account. Organiz. Soc. 2014;39(3):170–194. [Google Scholar]
  74. Motowidlo S.J., Packard J.S., Manning M.R. Occupational stress: its causes and consequences for job performance. J. Appl. Psychol. 1986;71(4):618. [PubMed] [Google Scholar]
  75. Murphy P.R., Dacin M.T. Psychological pathways to fraud: understanding and preventing fraud in organizations. J. Bus. Ethics. 2011;101(4):601–618. [Google Scholar]
  76. Murphy P.R., Free C. Broadening the fraud triangle: instrumental climate and fraud. Behav. Res. Account. 2015;28(1):41–56. [Google Scholar]
  77. Myyry L., Siponen M., Pahnila S., Vartiainen T., Vance A. What levels of moral reasoning and values explain adherence to information security rules? An empirical study. Eur. J. Inf. Syst. 2009;18(2):126–139. [Google Scholar]
  78. Nasirpouri Shadbad F., Biros D. Technostress and its influence on employee information security policy compliance. Inf. Technol. People. 2022;35(1):119–141. doi: 10.1108/ITP-09-2020-0610. [DOI] [Google Scholar]
  79. Owusu G.M.Y., Koomson T.A.A., Alipoe S.A., Kani Y.A. Examining the predictors of fraud in state-owned enterprises: an application of the fraud triangle theory. J. Money Launder. Control. 2021 doi: 10.1108/JMLC-05-2021-0053. ahead-of-print(ahead-of-print) [DOI] [Google Scholar]
  80. Paternoster R. How much do we really know about criminal deterrence. J. Crim. L. Criminology. 2010;100:765. [Google Scholar]
  81. Pham H.-.C., El-Den J., Richardson J. Stress-based security compliance model–an exploratory study. Inf. Comput. Secur. 2016 [Google Scholar]
  82. Piquero N.L., Tibbetts S.G., Blankenship M.B. examining the role of differential association and techniques of neutralization in explaining corporate crime. Deviant. Behav. 2005;26(2):159–188. doi: 10.1080/01639620590881930. [DOI] [Google Scholar]
  83. Podsakoff P.M., MacKenzie S.B., Lee J.-.Y., Podsakoff N.P. Common method biases in behavioral research: a critical review of the literature and recommended remedies. J. Appl. Psychol. 2003;88(5):879. doi: 10.1037/0021-9010.88.5.879. [DOI] [PubMed] [Google Scholar]
  84. Posey C., Bennett B., Roberts T., Lowry P.B. When computer monitoring backfires: invasion of privacy and organizational injustice as precursors to computer abuse. J. Inf. Syst. Secur. 2011;7(1):24–47. [Google Scholar]
  85. Posey C., Bennett R.J., Roberts T.L. Understanding the mindset of the abusive insider: an examination of insiders’ causal reasoning following internal security changes. Comput. Secur. 2011;30(6–7):486–497. [Google Scholar]
  86. Posey C., Bennett R.J., Roberts T.L., Lowry P.B. When computer monitoring backfires: privacy invasions and organizational injustice as precursors to computer abuse. J. Inf. Syst. Secur. 2011;7(1) [Google Scholar]
  87. Posey C., Folger R. An exploratory examination of organizational insiders’ descriptive and normative perceptions of cyber-relevant rights and responsibilities. Comput. Secur. 2020;99 [Google Scholar]
  88. Post G.V., Kagan A. Evaluating information security tradeoffs: restricting access can interfere with user tasks. Comput. Secur. 2007;26(3):229–237. doi: 10.1016/j.cose.2006.10.004. [DOI] [Google Scholar]
  89. Pratt T.C., Cullen F.T. The empirical status of Gottfredson and Hirschi's general theory of crime: a meta-analysis. Criminology. 2000;38(3):931–964. [Google Scholar]
  90. Puhakainen, P. (2006). A design theory for information security awareness.
  91. Ramamoorti S. The psychology and sociology of fraud: integrating the behavioral sciences component into fraud and forensic accounting curricula. Issues Account. Educ. 2008;23(4):521–533. [Google Scholar]
  92. Ramamoorti, S., Morrison, D., & Koletar, J.W. (2009). Bringing freud to fraud.
  93. Renaud K. Blaming noncompliance is too convenient: what really causes information breaches? IEEE Secur. Priv. 2011;10(3):57–63. [Google Scholar]
  94. Robin D.P., Reidenbach R.E., Forrest P. The perceived importance of an ethical issue as an influence on the ethical decision-making of ad managers. J. Bus. Res. 1996;35(1):17–28. [Google Scholar]
  95. Ruankaew T. Beyond the fraud diamond. Int. J. Bus. Manage. Econ. Res. (IJBMER) 2016;7(1):474–476. [Google Scholar]
  96. Safa N.S., Maple C. Human errors in the information security realm–and how to fix them. Comput. Fraud Secur. 2016;2016(9):17–20. [Google Scholar]
  97. Schatz, D., & Bashroush, R. (2016). The impact of repeated data breach events on organisations’ market value. Inf. Comput. Secur..
  98. Schnatterly K., Gangloff K.A., Tuschke A. CEO wrongdoing: a review of pressure, opportunity, and rationalization. J. Manage. 2018;44(6):2405–2432. doi: 10.1177/0149206318771177. [DOI] [Google Scholar]
  99. Schuchter A., Levi M. The fraud triangle revisited. Secur. J. 2016;29(2):107–121. doi: 10.1057/sj.2013.1. opportunity is necessary if not sufficient. [DOI] [Google Scholar]
  100. Shepherd D.A., McMullen J.S., Jennings P.D. The formation of opportunity beliefs: overcoming ignorance and reducing doubt. Strategic Entrepreneurship J. 2007;1(1–2):75–95. [Google Scholar]
  101. Siponen M., Iivari J. IS security design theory framework and six approaches to the application of ISPs and guidelines. J. Assoc. Inf. Syst. 2006;7(7):445–472. [Google Scholar]
  102. Siponen M., Vance A. Neutralization: new insights into the problem of employee information systems security policy violations. MIS Qu. 2010:487–502. [Google Scholar]
  103. Siponen M., Vance A. Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations. Eur. J. Inf. Syst. 2014;23(3):289–305. [Google Scholar]
  104. Stanton J.M., Balzer W.K., Smith P.C., Parra L.F., Ironson G. A general measure of work stress: the stress in general scale. Educ. Psychol. Meas. 2001;61(5):866–888. [Google Scholar]
  105. Straub D.W., Jr Effective IS security: an empirical study. Inf. Syst. Res. 1990;1(3):255–276. [Google Scholar]
  106. Sutherland E.H., Cressey D.R., Luckenbill D.F. Altamira Press; 1992. Principles of Criminology. [Google Scholar]
  107. Sykes G.M., Matza D. Techniques of neutralization: a theory of delinquency. Am. Sociol. Rev. 1957;22(6):664–670. [Google Scholar]
  108. Syrek C.J., Apostel E., Antoni C.H. Stress in highly demanding IT jobs: transformational leadership moderates the impact of time pressure on exhaustion and work–life balance. J. Occup. Health Psychol. 2013;18(3):252. doi: 10.1037/a0033085. [DOI] [PubMed] [Google Scholar]
  109. Taylor R. ICIS 2006 Proceedings. 2006. Management perception of unintentional information security risks; p. 95. [Google Scholar]
  110. Teo H.H., Wei K.K., Benbasat I. Predicting intention to adopt interorganizational linkages: an institutional perspective. MIS Q. 2003;27(1):19–49. doi: 10.2307/30036518. [DOI] [Google Scholar]
  111. Tetmeyer A., Saiedian H. Security threats and mitigating risk for USB devices. IEEE Technol. Soc. Mag. 2010;29(4):44–49. [Google Scholar]
  112. Trang S., Nastjuk I. Examining the role of stress and information security policy design in information security compliance behaviour: an experimental study of in-task behaviour. Comput. Secur. 2021;104 [Google Scholar]
  113. Vance A., Siponen M.T., Straub D.W. Effects of sanctions, moral beliefs, and neutralization on information security policy violations across cultures. Inf. Manage. 2019 [Google Scholar]
  114. Vance A., Siponen M.T., Straub D.W. Effects of sanctions, moral beliefs, and neutralization on information security policy violations across cultures. Inf. Manage. 2020;57(4) [Google Scholar]
  115. Wall J.D., Buche M.W. To fear or not to fear? A critical review and analysis of fear appeals in the information security context. Commun. Assoc. Inf. Syst. 2017;41(1):13. [Google Scholar]
  116. Wall J.D., Palvia P., D'Arcy J. Theorizing the behavioral effects of control complementarity in security control portfolios. Inf. Syst. Front. 2021:1–22. [Google Scholar]
  117. Warman A.R. Organizational computer security policy: the reality. Eur. J. Inf. Syst. 1992;1(5):305–310. [Google Scholar]
  118. White G., Ekin T., Visinescu L. Analysis of protective behavior and security incidents for home computers. Int. J. Comput., Inf., Syst. Sci., Eng. 2017;57(4):353–363. [Google Scholar]
  119. White, S. (2016). Why your employees are overworked, burnt out, and unmotivated. https://www.cio.com/article/3097283/why-your-employees-are-overworked-burnt-out-and-unmotivated.html.
  120. Willison R., Warkentin M. Beyond deterrence: an expanded view of employee computer abuse. MIS Q. 2013:1–20. [Google Scholar]
  121. Willison R., Warkentin M., Johnston A.C. Examining employee computer abuse intentions: insights from justice, deterrence and neutralization perspectives. Open Inf. Syst. J. 2018;28(2):266–293. [Google Scholar]
  122. Wortley R. Critiques of situational crime prevention. Sage. 2010 [Google Scholar]
  123. Yee K.-.P. Aligning security and usability. IEEE Secur. Priv. 2004;2(5):48–55. [Google Scholar]
  124. Zhen J., Xie Z., Dong K., Chen L. Impact of negative emotions on violations of information security policy and possible mitigations. Behav. Inf. Technol. 2021:1–13. doi: 10.1080/0144929X.2021.1921029. [DOI] [Google Scholar]
  125. Zimmermann V., Renaud K. Moving from a ‘human-as-problem” to a ‘human-as-solution” cybersecurity mindset. Int. J. Hum. Comput. Stud. 2019;131:169–187. [Google Scholar]

Associated Data

This section collects any data citations, data availability statements, or supplementary materials included in this article.

Data Availability Statement

  • Data will be made available on request.

Articles from Computers & Security are provided here courtesy of Elsevier

RESOURCES