Past research on information technology (IT) security training and awareness has focused on informing employees about security policies and formal sanctions for violating those policies. However, research suggests that deterrent sanctions may not be the most powerful influencer of employee violations. Often, employees use rationalizations, termed neutralization techniques, to overcome the effects of deterrence when deciding whether or not to violate a policy. Therefore, neutralization techniques often are stronger than sanctions in predicting employee behavior. For this study, we examine “denial of injury,” “metaphor of the ledger,” and “defense of necessity” as relevant justifications for violating password policies that are commonly used in organizations as used in (Siponen and Vance, 2010). Initial research on neutralization in IS security has shown that results are consistent regardless of which type of neutralization is considered (Siponen and Vance, 2010). In this study, we investigate whether IT security communication focused on mitigating neutralization, rather than deterrent sanctions, can reduce intentions to violate security policies. Additionally, considering the effects of message framing in persuading individuals against security policy violations are largely unexamined, we predict that negatively-framed communication will be more persuasive than positively-framed communication. We test our hypotheses using the factorial survey method. Our results suggest that security communication and training that focuses on neutralization techniques is just as effective as communication that focuses on deterrent sanctions in persuading employees not to violate policies, and that both types of framing are equally effective.
Read full abstract