Information system security policy noncompliance: the role of situation-specific ethical orientation

Abstract

PurposeThis study examines how neutralization strategies affect the efficacy of information system security policies. This paper proposes that neutralization strategies used to rationalize security policy noncompliance range across ethical orientations, extending from those helping the greatest number of people (ethics of care) to those damaging the fewest (ethics of justice). The results show how noncompliance differs between genders based on those ethical orientations.Design/methodology/approachA survey was used to measure information system security policy noncompliance intentions across six different hypothetical scenarios involving neutralization techniques used to justify noncompliance. Data was gathered from students at a mid-western, comprehensive university in the United States.FindingsThe empirical analysis suggests that gender does play a role in information system security policy noncompliance. However, its significance is dependent upon the underlying neutralization method used to justify noncompliance. The role of reward and punishment is contingent on the situation-specific ethical orientation (SSEO) which in turn is a combination of internal ethical positioning based on one's gender and external ethical reasoning based on neutralization technique.Originality/valueThis study extends ethical decision-making theory by examining how the use of punishments and rewards might be more effective in security policy compliance based upon gender. Importantly, the study emphasizes the interplay between ethics, gender and neutralization techniques, as different ethical perspectives appeal differently based on gender.