The Organization Man and the Innovator: Theoretical Archetypes to Inform Behavioral Information Security Research

Published: 25 April 2018

Abstract

Behavioral information security research exhibits a preoccupation with security policy, bureaucratic control, and policy compliance and noncompliance. This preoccupation implicitly treats employees as the sociological archetype described by Whyte (1956), the Organization Man. In doing so, the literature has dedicated less time to the study of other archetypes. In this paper, we compare the Organization Man to the Innovator, an amalgam of the Bricoleur and Engineer archetypes identified by Levi-Strauss (1966). We posit that the Innovator archetype may be more prevalent during times of organizational strain and excess. We develop a theoretical framework to explain how situational factors, namely organizational strain and excess, affect individuals' risk perceptions and their willingness to adopt different archetypal personae (i.e., dispositional factors). The framework further suggests that each archetypal persona will respond differently to common security situations. Finally, the framework suggests that the organization's perceptions of employee behavior will provide a feedback loop that further affects the adoption of different archetypes.

References

  1. Akers, R. L. (2009). Social learning and social structure: A general theory of crime and deviance. Brunswick, NJ: Transaction Publishers.
  2. Barlow, J. B., Warkentin, M., Ormond, D., & Dennis, A. R. (2012). Don't make excuses! Framing IT security training to reduce policy violation. Paper presented at the Dewald Roode Workshop on IS Security Research, IFIP WG 8.11 / 11.13, Provo, UT.
  3. Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do users have to fear? Using fear appeals to engender threats and fear that motivate protective behaviors in users. MIS Quarterly, 39(4), 837–864.
  4. Boss, S. R., Kirsch, L. J., Angermeier, I., Shingler, R. A., & Boss, W. R. (2009). If someone is watching, I'll do what I'm asked: Mandatoriness, control, and information security. European Journal of Information Systems, 18, 151–164.
  5. Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523–548.
  6. Cardinal, L. B. (2001). Technological innovation in the pharmaceutical industry: The use of organizational control in managing research and development. Organization Science, 12, 19–36.
  7. Carrier, L. M., & Pashler, H. (1995). Attentional limits in memory retrieval. Journal of Experimental Psychology: Learning Memory and Cognition, 21(5), 1339–1348.
  8. Cyert, R., & March, J. G. (1963). A behavioral theory of the firm. Englewood Cliffs, NJ: Prentice Hall.
  9. D'Arcy, J., & Devaraj, S. (2012). Employee misuse of information technology resources: Testing a contemporary deterrence model. Decision Sciences, 43(6), 1091–1124.
  10. D'Arcy, J., & Greene, G. (2014). Security culture and the employment relationship as drivers of employees' security compliance. Information Management & Computer Security, 22(5), 474–489.
  11. D'Arcy, J., Herath, T., & Shoss, M. K. (2014). Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems, 31(2), 285–318.
  12. D'Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79–98.
  13. Deetz, S. (2003). Disciplinary power, conflict suppression and human resources management. In M. Alvesson & H. Willmott (Eds.), Studying Management Critically (pp. 23–45). Los Angeles, CA: Sage Publications.
  14. French, E. B. (1967). The organization scientist: Myth or reality. Academy of Management Journal, 10(3), 269–273.
  15. Guo, K. H. (2013). Security-related behavior in using information systems in the workplace: A review and synthesis. Computers & Security, 32, 242–251.
  16. Guo, K. H., Yuan, Y., Archer, N. P., & Connelly, C. E. (2011). Understanding nonmalicious security violations in the workplace: A composite behavior model. Journal of Management Information Systems, 28(2), 203–236.
  17. Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J., & Rao, H. R. (2014). Security services as coping mechanisms: An investigation into user intention to adopt an email authentication service. Information Systems Journal, 1–24.
  18. Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18, 106–125.
  19. Hu, S., Blettner, D., & Bettis, R. A. (2011). Adaptive aspirations: Performance consequences of risk preferences at extremes and alternative references groups. Strategic Management Journal, 32(13), 1426–1436.
  20. Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: An empirical study. MIS Quarterly, 34(3), 549–566.
  21. Johnston, A. C., Warkentin, M., McBride, M., & Carter, L. D. (2016). Dispositional and Situational Factors: Influences on IS Security Policy Violations. European Journal of Information Systems, 25(3), 231–251.
  22. Johnston, A. C., Warkentin, M., & Siponen, M. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly, 39(1), 113–134.
  23. Kahneman, D., & Tversky, A. (1979). Prospect theory: An analysis of decision under risk. Econometrica, 47, 263–291.
  24. Kajzer, M., D'Arcy, J., Crowell, C. R., Striegel, A., & Van Bruggen, D. (2014). An exploratory investigation of message-person congruence in information security awareness campaigns. Computers & Security, 43, 65–76.
  25. Kroll-Smith, S., Jenkins, P., & Baxter, V. (2007). The Bricoleur and the possibility of rescue: First-responders to the flooding of New Orleans. Journal of Public Management and Social Policy, 2007(Fall), 5–21.
  26. Lehman, D. W., & Ramanujam, R. (2009). Selectivity in organizational rule violations. Academy of Management Review, 34(4), 643–657.
  27. Levi-Strauss, C. (1966). The Savage Mind. Chicago, IL: University of Chicago Press.
  28. Lowry, P. B., Moody, G., Galletta, D., & Vance, A. (2012). The drivers in the use of online whistle-blowing reporting systems. Journal of Management Information Systems, 30(1), 153–189.
  29. Lowry, P. B., & Moody, G. D. (2015). Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies. Information Systems Journal, 25, 433–463.
  30. Lowry, P. B., Posey, C., Bennett, R. J., & Roberts, T. L. (2015). Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust. Information Systems Journal, 25, 193–230.
  31. Mainemelis, C. (2010). Stealing fire: Creative deviance in the evolution of new ideas. Academy of Management Review, 35(4), 558–578.
  32. March, J. G. (1991). Exploration and exploitation in organizational learning. Organization Science, 2, 71–87.
  33. March, J. G. (1997). How decisions happen in organizations. In Z. Shapira (Ed.), Organizational decision making (pp. 9–34). New York, NY: Cambridge University Press.
  34. March, J. G., & Simon, H. A. (1958). Organizations. New York, New York: Wiley.
  35. Merton, R. K. (1938). Social structure and anomie. American Sociological Review, 3, 672–682.
  36. Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T., & Vance, A. (2009). What levels of moral reasoning and values explain adherence to information security rules? An empirical study. European Journal of Information Systems, 18(2), 126–139.
  37. Ocasio, W. (2002). Organizational power and dependence. Blackwell, UK: Oxford.
  38. Posey, C., Roberts, T. L., & Lowry, P. B. (2016). The impact of organizational commitment on insiders' motivation to protect organizational information assets. Journal of Management Information Systems, 32(4), 179–214.
  39. Posey, C., Roberts, T. L., Lowry, P. B., Bennett, R. J., & Courtney, J. (2013). Insiders' protection of organizational information assets: Development of a systematics-based taxonomy and theory of diversity for protection-motivated behaviors. MIS Quarterly, 37(4), 1189–1210.
  40. Puhakainen, P., & Siponen, M. (2010). Improving employees' compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 757–778.
  41. Randall, D. M. (1987). Commitment and the organization: The Organization Man revisited. Academy of Management Review, 12(3), 460–471.
  42. Rosenfeld, S. N., Rus, I., & Cukier, M. (2007). Archetypal behavior in computer security. Journal of Systems and Software, 80(10), 1594–1606.
  43. Shropshire, J., Warkentin, M., & Sharma, S. (2015). Personality, attitudes, and intentions: Predicting initial adoption of information security behavior. Computers & Security, 29(1), 177–191.
  44. Singh, J. (1986). Performance, slack, and risk taking in organizational decision making. Academy of Management Journal, 29(3), 562–585.
  45. Siponen, M., & Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), 487–502.
  46. Staggs, K. (2009). Build a cyber security incident response plan. Control Engineering, 56(12), 56.
  47. Straub, D. W. J., & Nance, W. D. (1990). Discovering and disciplining computer abuse in organizations: A field study. MIS Quarterly, 14(1), 45–60.
  48. Symantec. (2017). Internet Security Threat Report (Vol. 22).
  49. Vishwanath, A., Herath, T., Chen, R., Wang, J., & Rao, H. R. (2011). Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems, 51, 576–856.
  50. Vroom, V. H. (1964). Work and Motivation. Oxford, UK: Wiley.
  51. Wall, J. D., Lowry, P. B., & Barlow, J. B. (2016). Organizational violations of externally governed privacy and security rules: Explaining and predicting selective violations under conditions of strain and excess. Journal of the Association for Information Systems, 17(1).
  52. Wall, J. D., Palvia, P., & Lowry, P. B. (2013). Control-related motivations and information security policy compliance: The role of autonomy and efficacy. Journal of Information Privacy and Security, 9(4), 52–79.
  53. Wall, J. D., Stahl, B. C., & Salam, A. F. (2015). Critical discourse analysis as a review methodology: An empirical example. Communications of the Association for Information Systems, 37(1), 257–285.
  54. Warkentin, M., & Willison, R. (2009). Behavioral and policy issues in information systems security: The insider threat. European Journal of Information Systems, 18, 101–105.
  55. Whitman, M. E., Townsend, A. M., & Alberts, R. J. (2001). Information systems security and the need for policy. In M. Khosrowpour (Ed.), Information Security Management: Global Challenges in the New Millennium (pp. 9–18). Hershey, PA: Idea Group Publishing.
  56. Whyte, W. H. (1956). The Organization Man. Garden City, NY: Doubleday.
  57. Willison, R., & Warkentin, M. (2013). Beyond deterrence: An expanded view of employee computer abuse. MIS Quarterly, 37(1), 1–20.
  58. Workman, M. (2008). Wisecrackers: A theory-grounded investigation of phishing and pretext social engineering threats to information security. Journal of the American Society for Information Science and Technology, 59(4), 662–674.
  59. Workman, M., & Gathegi, J. (2007). Punishment and ethics deterrents: a study of insider security contravention. Journal of the American Society for Information Science and Technology, 58(2), 212–222.
  60. Xue, Y., Liang, H., & Boulton, W. R. (2008). Information technology governance in information technology investment decision processes: The impact of investment characteristics, external environment, and internal context. MIS Quarterly, 32(1), 67–96.
