Informal control responses to information security policy violations: A factorial survey on insurance employees’ moral licensing of insider threats

IF 5.4 | Zone 2 (Computer Science) | Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Steffi Haag , Nils Siegfried , Nane Winkler
DOI: 10.1016/j.cose.2025.104575
Journal: Computers & Security, volume 157, Article 104575
Publication date: 2025-06-16 (Journal Article)
Open access: no
Source: https://www.sciencedirect.com/science/article/pii/S0167404825002640
Platform: Semanticscholar
Citations: 0

Abstract

Most organizations implement information security policies (ISPs) to protect their data and systems. However, these policies are only effective if employees follow them—including reporting or discouraging violations by others. Beyond formal control mechanisms, informal controls play a crucial role in shaping employees’ responses to ISP violations. These informal controls can either reduce security risks by discouraging misconduct or, conversely, reinforce insider threats by signaling approval of violations. Despite their importance, little is known about how informal controls develop and function.
This study investigates key factors influencing employees’ informal control responses to non-malicious ISP violations, focusing on moral licensing—the tendency to permit rule-breaking based on a violator’s past behavior or status. Using a factorial survey of 1024 insurance sector employees and analyzing 4607 vignette-based observations through multilevel structural equation modeling, we find that employees are more likely to tolerate ISP violations when the violator has a history of compliance, possesses high task competence, holds a higher hierarchical status, or when the violation appears to benefit the team.
By emphasizing the human factor in information security, this study reveals how cognitive biases in informal controls can weaken ISP compliance and increase insider threats. The findings provide actionable recommendations for security managers, including strategies to align ISPs with organizational goals, engage influential employees, and enhance security training. Strengthening informal controls can help create a more secure and compliant workplace.
Source journal
Computers & Security
Computers & Security, Engineering & Technology - Computer Science: Information Systems
CiteScore: 12.40
Self-citation rate: 7.10%
Articles published: 365
Review time: 10.7 months
Journal description: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.