Framing IT Security Training to Reduce Policy Violation
Don’t Make Excuses!
Jordan Barlow, Merrill Warkentin, Dustin Ormond, Alan Dennis
September 22, 2012
Background
• IT security policy violations remain pervasive
• SETA focused on awareness and consequences
• People still justify bad behavior
• Perhaps SETA should be framed to focus more
on justification behaviors!
Research Question
Does proper framing during IT security
training decrease employee intentions to
violate security policy?
Neutralization and deterrence
• Deterrence and neutralization theories
• Three types of neutralization for this study
– “Defense of necessity”
– “Denial of injury”
– “Metaphor of the ledger”
Hypotheses
• H1a. Use of the “defense of necessity”
neutralization technique is positively associated
with intentions to violate IT security policies.
• H1b. Use of the “denial of injury” neutralization
technique is positively associated with intentions
to violate IT security policies.
• H1c. Use of the “metaphor of the ledger”
neutralization technique is positively associated
with intentions to violate IT security policies.
Training on deterrence
• Typical SETA programs focus on deterrence
– I.e., “This is the policy; this is the punishment.”
– Presenting negative consequences is persuasive
• “A major reason for initiating this training…is to
convince potential abusers that the company is
serious about security and will not take
intentional breaches of this security lightly.”
(Straub & Welke 1998)
Training not to neutralize
• Neutralization is a more powerful predictor of IT
security violations than presence of sanctions
(Siponen and Vance 2010)
• Because neutralization is powerful in changing
employee intentions, training should combat this
tendency.
• Example for training materials: “Some people
may be tempted to rationalize reasons to violate
the policy. Justification is not okay because...”
Hypotheses
• H1a/b/c. The use of neutralization techniques is positively
associated with intentions to violate IT security policies.
• H2. Employees receiving training focused on addressing
neutralization techniques are less likely to form intentions
to violate IT security policies than employees receiving
training focused on deterrent sanctions.
Framing effects
• Framing can have a powerful effect on individual
attitudes and behavior
• Research on framing theory includes three types
of framing – we focus on ‘goal framing’
• Explaining negative consequences is more
persuasive than explaining positive benefits
• Example
Hypotheses
• H1a/b/c. The use of neutralization techniques is positively
associated with intentions to violate IT security policies.
• H2. Employees receiving training focused on addressing
neutralization techniques are less likely to form intentions
to violate IT security policies than employees receiving
training focused on deterrent sanctions.
• H3. Employees receiving training that is negatively
framed (i.e., consequence-based) are less likely to form
intentions to violate IT security policies than employees
receiving training that is positively framed (i.e., benefits-
based).
Methodology
• Design: Factorial survey method
• Participants: Qualtrics panel respondents
– Experience using computers at workplaces with
policies
• Task: Respond to 4 scenarios each
Scenarios / Treatments
• Introduction
• 1 of 3 training focus treatments
• 1 of 3 framing treatments
• Situation where employee considers violation
• 1 of 4 neutralization treatments
• Statement of violation
(see handout for details)
Procedures
• Random set of 4 (out of 36 possible) scenarios
• Manipulation check questions
– One each for focus, framing, neutralization
• Realism check
• Attention check
Usable Responses
• Total individuals completing survey: 90
• 90 x 4 scenarios each = 360
• 360 - 103 with incorrect responses to
manipulation check or attention questions = 257
Results
                          Estimate   Std. Error   Z       p
(Intercept)               -1.095     1.305        -0.84   0.401
Defense of Necessity       1.026     0.360         2.85   0.004
Denial of Injury           0.433     0.315         1.38   0.168
Metaphor of the Ledger    -0.295     0.351        -0.84   0.400
Focus: Neutralization*    -0.908     0.248        -3.66   <0.001
Focus: Deterrence*        -0.777     0.246        -3.16   0.002
Framing: Negative         -0.140     0.226        -0.62   0.536
Framing: Positive         -0.300     0.282        -1.06   0.288
Statistically significant parameters shown in blue (p < 0.01)
*Follow-up contrast: χ2 = 0.41, p = 0.521
Results of Repeated-Measures Logistic Regression
Summary of hypotheses (n = 257)
H1a. Defense of necessity → Intentions to violate: Supported*
H1b. Denial of injury → Intentions to violate: Not supported
H1c. Metaphor of the ledger → Intentions to violate: Not supported
H2. Intentions to violate after neutralization training < intentions to violate after deterrence training: Not supported
H3. Intentions to violate after negative training < intentions to violate after positive training: Not supported
*p = 0.004
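As an added example (not part of the original slides), the Python below re-derives the Z and p columns of the results table from the reported estimates and standard errors, and converts each estimate to an odds ratio with a 95% confidence interval. It assumes the estimates are log-odds coefficients with Wald z statistics and that the follow-up contrast is a chi-square test with 1 degree of freedom; all function and variable names are illustrative.

```python
import math

# Rows transcribed from the slide's results table:
# (term, estimate, std_error, z_as_reported)
REPORTED = [
    ("Defense of Necessity",    1.026, 0.360,  2.85),
    ("Denial of Injury",        0.433, 0.315,  1.38),
    ("Metaphor of the Ledger", -0.295, 0.351, -0.84),
    ("Focus: Neutralization",  -0.908, 0.248, -3.66),
    ("Focus: Deterrence",      -0.777, 0.246, -3.16),
    ("Framing: Negative",      -0.140, 0.226, -0.62),
    ("Framing: Positive",      -0.300, 0.282, -1.06),
]

ALPHA = 0.01        # significance threshold stated on the slide
Z_95 = 1.959964     # standard normal quantile for a 95% interval
Z_TOLERANCE = 0.01  # allowance for rounding in the published figures


def two_sided_p(z):
    """Two-sided p-value of a standard normal statistic."""
    return math.erfc(abs(z) / math.sqrt(2))


def chi2_df1_p(chi2):
    """Upper-tail p-value of a chi-square statistic, assuming 1 df."""
    return math.erfc(math.sqrt(chi2 / 2))


def interpret(term, estimate, std_error, z_reported):
    """Recompute the Wald test and express the effect as an odds ratio."""
    z = estimate / std_error
    p = two_sided_p(z)
    half_width = Z_95 * std_error
    return {
        "term": term,
        "z": z,
        "z_matches_slide": abs(z - z_reported) < Z_TOLERANCE,
        "p": p,
        "significant": p < ALPHA,
        # exp(coefficient) is the multiplicative change in the odds of
        # intending to violate, relative to the omitted reference level.
        "odds_ratio": math.exp(estimate),
        "ci95": (math.exp(estimate - half_width),
                 math.exp(estimate + half_width)),
    }


def analyse(rows=REPORTED):
    """Interpret every row of the table."""
    return [interpret(*row) for row in rows]


if __name__ == "__main__":
    for r in analyse():
        low, high = r["ci95"]
        flag = "significant" if r["significant"] else "n.s."
        print(f'{r["term"]:<24} z={r["z"]:6.2f} p={r["p"]:.3f} '
              f'OR={r["odds_ratio"]:.2f} [{low:.2f}, {high:.2f}] {flag}')
    # Contrast between the two training-focus coefficients (slide footnote).
    print(f"Follow-up contrast p = {chi2_df1_p(0.41):.3f}")
```

Read as odds ratios, the two training-focus estimates are both well below 1 and their follow-up contrast is far from significant, which is the numerical basis for the deck's statement that the two foci are equally effective.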
Interpretation
• H1: Neutralization techniques
– Not all equal
– Training based on specific techniques
• H2: Training focus
– Deterrence and neutralization both effective
• H3: Positive or negative framing
– No difference
Conclusion
• Neutralization affects intentions to violate IT
security policies.
• Focusing training on neutralization is just as
powerful as focusing on deterrence for reducing
these intentions.
• More research is needed on how to tailor training
to combat specific types of neutralization.
Your turn to talk
How can we improve the theory
and methods for our next round
of data collection?
END OF PRESENTATION SLIDES
-----------------------
SUPPLEMENTAL SLIDES FOLLOW
Demographic Information
Gender
  Female                 51 (56.7%)
  Male                   39 (43.3%)
Age
  18-29                  21 (23.3%)
  30-39                  25 (27.8%)
  40-49                  20 (22.2%)
  50-59                  16 (17.8%)
  60+                     8 (8.9%)
Years of Work Experience
  0-4                     6 (6.7%)
  5-9                    22 (24.4%)
  10-19                  19 (21.1%)
  20+                    43 (47.8%)
Level of Education Completed
  Some high school        1 (1.3%)
  High school            20 (22.2%)
  Undergraduate degree   43 (47.8%)
  Graduate degree        26 (28.9%)
Items: Filter questions
• Have you held a job in a workplace that had
guidelines, work rules, or policies for employees?
– Yes/No
• Have you held a job in which you used a
computer for your work?
– Yes/No
Items: Manipulation Checks
In this scenario, the training material clearly states that:
a. employees should never rationalize sharing passwords.
b. employees will be reprimanded for sharing passwords.
c. The training material does not specify either of the above statements.
According to this scenario, the company motivates its employees to comply in the training
material by:
a. stressing the consequences of sharing passwords.
b. encouraging employee support to ensure safety and security of the company.
c. The training material does not use either of the above techniques.
How does Sam justify sharing his password in this scenario?
a. The scenario does not state that he justifies his behavior.
b. He believes that no harm will result from sharing his password.
c. He believes that sharing his password is necessary for the success of his department.
d. He believes that because he has been a good employee for many years he can share
his password.
Items: DV, Realism, Attention
• 5-point Likert from SD to SA
• Intention to violate (3 items)
– In this situation, I would do the same as [Sam].
– If I were [Sam], I would have also shared my password.
– I think I would do what [Sam] did if this happened to me.
• Realism (1 item)
– I could imagine a similar scenario taking place at work.
• Attention (1 item)
– Please select [SD/D/A/SA] for this question.
Choice of statistical technique
• Rossi and Anderson (1982) suggest OLS
regression, but note any multivariate technique
will work
• OLS regression assumptions not met
– Normality
– Independence of errors
• DV categorized into those with some intentions
(avg DV score > 3) and those with no intentions
(avg DV score <= 3)
Distribution of DV
Results
                   Estimate   Std. Error   Z       p
Order*              0.655     0.222         2.95   0.003
Realism             0.111     0.231         0.48   0.630
Gender             -0.144     0.435        -0.33   0.741
Age                -0.237     0.295        -0.80   0.422
Work Experience     0.087     0.405         0.21   0.831
Education           0.541     0.321         1.69   0.092
Control variables: Only order was significant. (People had higher intentions on first scenario than later ones)
References
• Rossi, P. H., and Anderson, A. B. 1982. "The factorial survey approach: An
introduction," in: Measuring Social Judgments: The Factorial Survey
Approach, P.H. Rossi and S.L. Nock (eds.), Sage, Beverly Hills, CA, USA,
pp. 15-67.
• Siponen, M., and Vance, A. 2010. "Neutralization: New insights into the
problem of employee information systems security policy violations," MIS
Quarterly (34:3), pp. 487-502.
• Straub, D. W., and Welke, R. J. 1998. "Coping with systems risk: Security
planning models for management decision making," MIS Quarterly (22:4),
pp. 441-469.
• Warkentin, M., Johnston, A. C., and Shropshire, J. 2011. "The influence of
the informal social learning environment on information privacy policy
compliance efficacy and intention," European Journal of Information Systems
(20:3), pp. 267-284.
• Willison, R., and Warkentin, M. 2012. "Beyond deterrence: An expanded
view of employee computer abuse," MIS Quarterly (forthcoming).