research-article

The Organization Man and the Innovator: Theoretical Archetypes to Inform Behavioral Information Security Research

Authors:

Jeffrey D. Wall,

Rahul SinghAuthors Info & Claims

ACM SIGMIS Database: the DATABASE for Advances in Information Systems, Volume 49, Issue SI

Pages 67 - 80

https://doi.org/10.1145/3210530.3210536

Published: 25 April 2018 Publication History

Abstract

Behavioral information security research exhibits a preoccupation with security policy, bureaucratic control, and policy compliance and noncompliance. This preoccupation implicitly treats employees as the sociological archetype described by Whyte (1956), the Organization Man. In doing so, the literature has dedicated less time to the study of other archetypes. In this paper, we compare the Organization Man to the Innovator, an amalgam of the Bricoleur and Engineer archetypes identified by Levi-Strauss (1966). We posit that the Innovator archetype may be more prevalent during times of organizational strain and excess. We develop a theoretical framework to explain how situational factors, namely organizational strain and excess, affect individuals' risk perceptions and their willingness to adopt different archetypal personae (i.e., dispositional factors). The framework further suggests that each archetypal persona will behave differently to common security situations. Finally, the framework suggests that the organization's perceptions of employee behavior will provide a feedback loop that further affects the adoption of different archetypes.

References

[1]

Akers, R. L. (2009). Social learning and social structure: A general theory of crime and deviance. Brunswick, NJ: Transaction Publishers.

[2]

Barlow, J. B., Warkentin, M., Ormond, D.,&Dennis, A. R. (2012). Don't make excuses! Framing IT security training to reduce policy violation. Paper presented at the Dewald Roode Workshop on IS Security Research, IFIP WG 8.11 / 11.13, Provo, UT.

[3]

Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D.,&Polak, P. (2015). What do users have to fear? Using fear appeals to engender threats and fear that motivate protective behaviors in users. MIS Quarterly, 39(4), 837--864.

Digital Library

[4]

Boss, S. R., Kirsch, L. J., Angermeier, I., Shingler, R. A.,&Boss, W. R. (2009). If someone is watching, I'll do what I'm asked: Manditoriness, control, and information security. European Journal of Information Systems, 18, 151--164.

[5]

Bulgurcu, B., Cavusoglu, H.,&Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523--548.

[6]

Cardinal, L. B. (2001). Technological innovation in the pharmaceutical industry: The use of organizational control in managing research and development. Organization Science, 12, 19--36.

Digital Library

[7]

Carrier, L. M.,&Prashler, H. (1995). Attentional limits in memory retrieval. Journal of Experimental Psychology: Learning Memory and Cognition, 21(5), 1339--1348.

[8]

Cyert, R.,&March, J. G. (1963). A behavioral theory of the firm. Englewood Cliffs, NJ: Prentice Hall.

[9]

D'Arcy, J.,&Devaraj, S. (2012). Employee misuse of information technology resources: Testing a contemporary deterrence model. Decision Sciences, 43(6), 1091--1124.

[10]

D'Arcy, J.,&Greene, G. (2014). Security culture and the employment relationship as drivers of employees' security compliance. Information Management&Computer Security, 22(5), 474--489.

[11]

D'Arcy, J., Herath, T.,&Shoss, M. K. (2014). Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems, 31(2), 285--318.

[12]

D'Arcy, J., Hovav, A.,&Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79--98.

Digital Library

[13]

Deetz, S. (2003). Disciplinary power, conflict suppression and human resources management. In M. Alvesson&H. Willmott (Eds.), Studying Management Critically (pp. 23--45). Los Angeles, CA: Sage Publications.

[14]

French, E. B. (1967). The organization scientist: Myth or reality. Academy of Management Journal, 10(3), 269--273.

[15]

Guo, K. H. (2013). Security-related behavior in using information systems in the workplace: A review and synthesis. Computers&Security, 32, 242--251.

Digital Library

[16]

Guo, K. H., Yuan, Y., Archer, N. P.,&Connelly, C. E. (2011). Understanding nonmalicious security violations in the workplace: A composite behavior model. Journal of Management Information Systems, 28(2), 203--236.

Digital Library

[17]

Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J.,&Rao, H. R. (2014). Security services as coping mechanisms: An investigation into user intention to adopt an email authentication service. Information Systems Journal, 1--24.

Digital Library

[18]

Herath, T.,&Rao, H. R. (2009). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18, 106--125.

[19]

Hu, S., Blettner, D.,&Bettis, R. A. (2011). Adaptive aspirations: Performance consequences of risk preferences at extremes and alternative references groups. Strategic Management Journal, 32(13), 1426--1436.

[20]

Johnston, A. C.,&Warkentin, M. (2010). Fear appeals and information security behaviors: An empirical study. MIS Quarterly, 34(3), 549--566.

[21]

Johnston, A. C., Warkentin, M., McBride, M.,&Carter, L. D. (2016). Dispositional and Situational Factors: Influences on IS Security Policy Violations. European Journal of Information Systems, 25(3), 231--251.

[22]

Johnston, A. C., Warkentin, M.,&Siponen, M. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly, 39(1), 113--134.

Digital Library

[23]

Kahneman, D.,&Tversky, A. (1979). Prospect theory: An analysis of decision under risk. Econometrica, 47, 263--291.

[24]

Kajzer, M., D'Arcy, J., Crowell, C. R., Striegel, A.,&Van Bruggen, D. (2014). An exploratory investigation of message-person congruence in information security awareness campaigns. Computers&Security, 43, 65--76.

[25]

Kroll-Smith, S., Jenkins, P.,&Baxter, V. (2007). The Bricoleur and the possibility of rescue: First-responders to the flooding of New Orleans. Journal of Public Management and Social Policy, 2007(Fall), 5--21.

[26]

Lehman, D. W.,&Ramanujam, R. (2009). Selectivity in organizational rule violations. Academy of Management Review, 34(4), 643--657.

[27]

Levi-Strauss, C. (1966). The Savage Mind. Chicago, IL: University of Chicago Press.

[28]

Lowry, P. B., Moody, G., Galletta, D.,&Vance, A. (2012). The drivers in the use of online whistle-blowing reporting systems. Journal of Management Information Systems, 30(1), 153--189.

[29]

Lowry, P. B.,&Moody, G. D. (2015). Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies. Information Systems Journal, 25, 433--463.

Digital Library

[30]

Lowry, P. B., Posey, C., Bennett, R. J.,&Roberts, T. L. (2015). Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust. Information Systems Journal, 25, 193--230.

Digital Library

[31]

Mainemelis, C. (2010). Stealing fire: Creative deviance in the evolution of new ideas. Academy of Management Review, 35(4), 558--578.

[32]

March, J. G. (1991). Exploration and exploitation in organizational learning. Organization Science, 2, 71--87.

Digital Library

[33]

March, J. G. (1997). How decisions happen in organizations. In Z. Shapira (Ed.), Organizational decision making (pp. 9--34). New York, NY: Cambridge University Press.

[34]

March, J. G.,&Simon, H. A. (1958). Organizations. New York, New York: Wiley.

[35]

Merton, R. K. (1938). Social structure and anomie. American Sociological Review, 3, 672--682.

[36]

Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T.,&Vance, A. (2009). What levels of moral reasoning and values explain adherence to information security rules? An empirical study. European Journal of Information Systems, 18(2), 126--139.

[37]

Ocasio, W. (2002). Organizational power and dependence. Blackwell, UK: Oxford.

[38]

Posey, C., Roberts, T. L.,&Lowry, P. B. (2016). The impact of organizational commitment on insiders' motivation to protect organizational information assets. Journal of Management Information Systems, 32(4), 179--214.

[39]

Posey, C., Roberts, T. L., Lowry, P. B., Bennett, R. J.,&Courtney, J. (2013). Insiders' protection of organizational information assets: Development of a systematics-based taxonomy and theory of diversity for protection-motivated behaviors. MIS Quarterly, 37(4), 1189--1210.

Digital Library

[40]

Puhakainen, P.,&Siponen, M. (2010). Improving employees' compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 757--778.

[41]

Randall, D. M. (1987). Commitment and the organization: The Organization Man revisited. Academy of Management Review, 12(3), 460--471.

[42]

Rosenfeld, S. N., Rus, I.,&Cukier, M. (2007). Archetypal behavior in computer security. Journal of Systems and Software, 80(10), 1594--1606.

Digital Library

[43]

Shropshire, J., Warkentin, M.,&Sharma, S. (2015). Personality, attitudes, and intentions: Predicting initial adoption of information security behavior. Computers&Security, 29(1), 177--191.

Digital Library

[44]

Singh, J. (1986). Performance, slack, and risk taking in organizational decision making. Academy of Management Journal, 29(3), 562--585.

[45]

Siponen, M.,&Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), 487--502.

[46]

Staggs, K. (2009). Build a cyber security incident response plan. Control Engineering, 56(12), 56.

[47]

Straub, D. W. J.,&Nance, W. D. (1990). Discovering and disciplining computer abuse in organizations: A field study. MIS Quarterly, 14(1), 45--60.

Digital Library

[48]

Symantec. (2017). Internet Security Threat Report (Vol. 22).

[49]

Vishwanath, A., Herath, T., Chen, R., Wang, J.,&Rao, H. R. (2011). Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems, 51, 576--856.

Digital Library

[50]

Vroom, V. H. (1964). Work and Motivation. Oxford, UK: Wiley.

[51]

Wall, J. D., Lowry, P. B.,&Barlow, J. B. (2016). Organizational violations of externally governed privacy and security rules: Explaining and predicting selective violations under conditions of strain and excess. Journal of the Association for Information Systems, 17(1).

[52]

Wall, J. D., Palvia, P.,&Lowry, P. B. (2013). Control-related motivations and information security policy compliance: The role of autonomy and efficacy. Journal of Information Privacy and Security, 9(4), 52--79.

[53]

Wall, J. D., Stahl, B. C.,&Salam, A. F. (2015). Critical discourse analysis as a review methodology: An empirical example. Communications of the Association for Information Systems, 37(1), 257--285.

[54]

Warkentin, M.,&Willison, R. (2009). Behavioral and policy issues in information systems security: The insider threat. European Journal of Information Systems, 18, 101--105.

[55]

Whitman, M. E., Townsend, A. M.,&Alberts, R. J. (2001). Information systems security and the need for policy. In M. Khosrowpour (Ed.), Information Security Management: Global Challenges in the New Millennium (pp. 9--18). Hershey, PA: Idea Group Publishing.

[56]

Whyte, W. H. (1956). The Organization Man. Garden City, NY: Doubleday.

[57]

Willison, R.,&Warkentin, M. (2013). Beyond deterrence: An expanded view of employee computer abuse. MIS Quarterly, 37(1), 1--20.

Digital Library

[58]

Workman, M. (2008). Wisecrackers: A theory-grounded investigation of phishing and pretext social engineering threats to information security. Journal of the American Society for Information Science and Technology, 59(4), 662--674.

Digital Library

[59]

Workman, M.,&Gathegi, J. (2007). Punishment and ethics deterrents: a study of insider security contravention. Journal of the American Society for Information Science and Technology, 58(2), 212--222.

[60]

Xue, Y., Liang, H.,&Boulton, W. R. (2008). Information technology governance in information technology investment decision processes: The impact of investment characteristics, external environment, and internal context. MIS Quarterly, 32(1), 67--96.

Digital Library

Cited By

Wall JPalvia PD’Arcy J(2022)Theorizing the Behavioral Effects of Control Complementarity in Security Control PortfoliosInformation Systems Frontiers10.1007/s10796-021-10113-z24:2(637-658)Online publication date: 1-Apr-2022
https://dl.acm.org/doi/10.1007/s10796-021-10113-z
Wall JPalvia P(2021)Understanding employees' information security identities: an interpretive narrative approachInformation Technology & People10.1108/ITP-04-2020-0197ahead-of-print:ahead-of-printOnline publication date: 16-Feb-2021
https://doi.org/10.1108/ITP-04-2020-0197
Wall JWarkentin M(2019)Perceived argument quality's effect on threat and coping appraisals in fear appeals: An experiment and exploration of realism check heuristicsInformation & Management10.1016/j.im.2019.03.002Online publication date: Mar-2019
https://doi.org/10.1016/j.im.2019.03.002

Index Terms

The Organization Man and the Innovator: Theoretical Archetypes to Inform Behavioral Information Security Research
1. Applied computing
  1. Law, social and behavioral sciences
    1. Sociology
2. Security and privacy
  1. Human and societal aspects of security and privacy
    1. Social aspects of security and privacy
  2. Intrusion/anomaly detection and malware mitigation
    1. Social engineering attacks

Recommendations

How Do New Ventures Evolve? An Inductive Study of Archetype Changes in Science-Based Ventures

This paper presents a process study on the evolution of new ventures. We adopt the theoretical lens of “archetypes,” which allows us to take a holistic perspective on new venture evolution and to provide rich insights into the interdependencies between ...
The Innovator's Way: Essential Practices for Successful Innovation
Organizational Adoption of Information Security Solutions: An Integrative Lens Based on Innovation Adoption and the Technology- Organization- Environment Framework

Information systems literature has cast organizational information security practices as a form of innovation. Using the notions of innovation adoption and diffusion of innovations, this paper develops an integrative model grounded in two theoretical ...

Comments

Information & Contributors

Information

Published In

cover image ACM SIGMIS Database: the DATABASE for Advances in Information Systems

ACM SIGMIS Database: the DATABASE for Advances in Information Systems Volume 49, Issue SI

April 2018

120 pages

ISSN:0095-0033

EISSN:1532-0936

DOI:10.1145/3210530

Editors:
Stacie Petter
Baylor University, Waco, TX
,
Tom Stafford
Louisiana Tech University, Ruston, LA
,
Xihui "Paul" Zhang
Northern Alabama University, Florence, AL
,
Heidi Seward
Baylor University, Waco, TX

Issue’s Table of Contents

Copyright © 2018 Authors.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 25 April 2018

Published in SIGMIS Volume 49, Issue SI

Check for updates

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
270
Total Downloads

Downloads (Last 12 months)28
Downloads (Last 6 weeks)2

Reflects downloads up to 15 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Wall JPalvia PD’Arcy J(2022)Theorizing the Behavioral Effects of Control Complementarity in Security Control PortfoliosInformation Systems Frontiers10.1007/s10796-021-10113-z24:2(637-658)Online publication date: 1-Apr-2022
https://dl.acm.org/doi/10.1007/s10796-021-10113-z
Wall JPalvia P(2021)Understanding employees' information security identities: an interpretive narrative approachInformation Technology & People10.1108/ITP-04-2020-0197ahead-of-print:ahead-of-printOnline publication date: 16-Feb-2021
https://doi.org/10.1108/ITP-04-2020-0197
Wall JWarkentin M(2019)Perceived argument quality's effect on threat and coping appraisals in fear appeals: An experiment and exploration of realism check heuristicsInformation & Management10.1016/j.im.2019.03.002Online publication date: Mar-2019
https://doi.org/10.1016/j.im.2019.03.002

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents