Determinants Of Adverse Usage Of Information Systems Assets: A Study Of Antecedents Of IS Exploit In Organizations

Information systems assets are vital to the functioning and survival of organizations. Therefore, organizations expend many resources in protecting these assets. Organizations spent resources on technologies, policies, procedures, guidelines, user awareness, education, training and other protection mechanisms. Advancing technology and complexity of organizations make the protection of these assets a continuing challenge. Studies show that in spite of these efforts, the main reason for security failures in organizations is due to human behavior (Stanton et al. 2004).

This study speaks for an enhanced behavioral model for the adverse usage of IS assets and addresses the factors that influence these behaviors. The presented model uses extended higher order conceptualization of the three basic constructs of the theory of planned behavior to study the adverse usage of IS assets. Instead of using a single IS misuse variable, it includes a category of behaviors related to adverse usage of IS assets. The factors considered in this study are Attitude (Affective, Cognitive); Social Influence (Subjective norm, Descriptive norm), Perceived Behavioral Control (Self-efficacy, Controllability); Moral Norms; Organizational Commitment; Job Satisfaction; and Influence Mechanisms (Likelihood of Detection, Security Awareness).

This study is expected to contribute to theory, methodology and practice. To the best of our knowledge, this is the first study that conceptualize and empirically measure a category of behaviors related to adverse usage of IS assets instead of studying a single behavior. It is the first attempt in IS to conceptualize and empirically test all the three basic variables of the theory of planned behavior as higher order constructs. From a managerial perspective, this study determines the factors that can predict the intention of employees towards adverse usage of IS assets and can directly or indirectly impact the information security of an organization. It also tests the role of various influence mechanisms to control the behavior related to information security. The results indicate that organizations should make major investments in education, training and awareness programs to enhance their security. The results of this study will help the managers to develop actions and strategies to deal with issues related to such behaviors in organizations.