Abstract

Information security policy (ISP) violations have become a serious concern in organizations. Although prevention is the best option since it prevents ISP violations from occurring, incidents still occur. Such violations should be reported so that organizations can take immediate actions and reduce the negative impact. However, the current literature mainly focuses on factors that lead to violations of ISPs and our current understanding of what influences employees’ intention to report others’ ISP violations is limited. In this study, we attempt to fill this gap by conducting an explorative study to investigate the ISP violation reporting phenomenon. Six pilot interviews are conducted to investigate why or why not individuals report others’ ISP violations. Guided by literature on ISP violations and organizational citizenship behavior, our preliminary findings suggest that employees’ intention of reporting is motivated by the purpose and the consequence of the violation, as well as the severity of such consequences.

Share

COinS
 

Reporting Information Security Policy Violations – An Exploratory Study

Information security policy (ISP) violations have become a serious concern in organizations. Although prevention is the best option since it prevents ISP violations from occurring, incidents still occur. Such violations should be reported so that organizations can take immediate actions and reduce the negative impact. However, the current literature mainly focuses on factors that lead to violations of ISPs and our current understanding of what influences employees’ intention to report others’ ISP violations is limited. In this study, we attempt to fill this gap by conducting an explorative study to investigate the ISP violation reporting phenomenon. Six pilot interviews are conducted to investigate why or why not individuals report others’ ISP violations. Guided by literature on ISP violations and organizational citizenship behavior, our preliminary findings suggest that employees’ intention of reporting is motivated by the purpose and the consequence of the violation, as well as the severity of such consequences.