Understanding Information Security Policy Violation from a Situational Action Perspective

Insiders' negligence or abuse is regarded as a leading cause of information security breaches in organizations. As most of the extant studies have largely examined insider threats at a high level of abstraction, the role of situational moral reasoning for information security policy (ISP) violations in specific situations has received little attention. To advance this line of research, this paper opens up a potentially fruitful path for IS researchers by applying situational action theory (SAT) to contextually examine why employees violate ISPs in particular situations. We consider the violations of password security policy, internet use policy, and confidential data security policy, and examine specific violation intents ranging from altruistic to malicious. The results support most of the assertions derived from SAT. We found situational moral beliefs to be the predominant driver for ISP violations across three situations in an organizational setting. However, the moderation effect of moral beliefs was only significant in situations involving sharing passwords and selling confidential data. Sanction certainty and sanction severity were also found to have different effects across situations. We conclude by presenting implications for IS security practitioners and suggestions for future research.