oru.sePublikationer
Ändra sökning
Länk till posten
Permanent länk

Direktlänk
BETA
Kajtazi, Miranda
Publikationer (10 of 15) Visa alla publikationer
Kajtazi, M., Cavusoglu, H., Benbasat, I. & Haftor, D. (2018). Escalation of commitment as an antecedent to noncompliance with information security policy. Information and Computer Security, 26(2), 171-193
Öppna denna publikation i ny flik eller fönster >>Escalation of commitment as an antecedent to noncompliance with information security policy
2018 (Engelska)Ingår i: Information and Computer Security, ISSN 2056-4961, Vol. 26, nr 2, s. 171-193Artikel i tidskrift (Refereegranskat) Published
Abstract [en]

Purpose: This study aims to identify antecedents to noncompliance behavior influenced by decision contexts where investments in time, effort and resources are devoted to a task - referred to as a task unlikely to be completed without violating the organization's information security policy (ISP).

Design/methodology/approach: An empirical test of the suggested relationships in the proposed model was conducted through a field study using the survey method for data collection. Pre-tests, pre-study, main study and a follow-up study compose the frame of our methodology where more than 500 respondents are involved across different organizations.

Findings: The results confirm that the antecedents that explain the escalation of commitment behavior in terms of the effect of lost assets, such as time, effort and other resources, give us a new lens to understand noncompliance behavior; employees seem to escalate their commitments to the completion of their tasks at the expense of becoming noncompliant with ISP.

Research limitations/implications: One of the key areas that requires further attention from this study is to better understand the role of risk perceptions on employee behavior when dealing with value conflicts. Depending on how risk-averse or risk seeking an employee is, the model showed no significant support in either case to influence their noncompliance behavior. The authors therefore argue that employees' noncompliance may be influenced by more powerful beliefs, such as self-justification and sunk costs.

Practical implications: The results show that when employees are caught in tasks undergoing difficulties, they are more likely to increase noncompliance behavior. By understanding better how project obstacles result in such tasks, security managers can define new mechanisms to counter employees' shift from compliance to noncompliance.

Social implications: Apart from encouraging compliance with enforcement mechanisms (using direct behavioral controls like sanctions or rewards), indirect behavior controls may also encourage compliance. The authors suggest that the ISPs should state that the organization would take positive actions toward task completion and help their employees to resolve their problems quickly.

Originality/value: This study is the first to tackle escalation of commitment theories and use antecedents that explain the effect of lost assets, such as time, effort and other resources can also explain noncompliance with ISP in terms of the value conflicts, where employees would often choose to forego compliance at the expense of finishing their tasks.

Ort, förlag, år, upplaga, sidor
Emerald Group Publishing Limited, 2018
Nyckelord
Prospect theory, Information security policy, Approach avoidance theory, Employee's noncompliance behaviour, Escalation of commitment behaviour, Self-justification theory
Nationell ämneskategori
Datavetenskap (datalogi)
Identifikatorer
urn:nbn:se:oru:diva-68486 (URN)10.1108/ICS-09-2017-0066 (DOI)000439563900003 ()2-s2.0-85049889835 (Scopus ID)
Tillgänglig från: 2018-08-15 Skapad: 2018-08-15 Senast uppdaterad: 2018-09-13Bibliografiskt granskad
Sarkheyli, A., Alias, R. A., Carlsson, S. & Kajtazi, M. (2016). Conceptualizing knowledge risk governance as a moderator to potentially reduce the risks in knowledge sharing. In: Pacific Asia Conference on Information Systems, PACIS 2016: Proceedings. Paper presented at 20th Pacific Asia Conference on Information Systems (PACIS 2016), Chiayi, Taiwan, June 27 - July 1, 2016. Chiayi: College of Management, National Chung Cheng University
Öppna denna publikation i ny flik eller fönster >>Conceptualizing knowledge risk governance as a moderator to potentially reduce the risks in knowledge sharing
2016 (Engelska)Ingår i: Pacific Asia Conference on Information Systems, PACIS 2016: Proceedings, Chiayi: College of Management, National Chung Cheng University , 2016Konferensbidrag, Publicerat paper (Refereegranskat)
Abstract [en]

Recent developments in Knowledge Sharing (KS) have heightened the need for security. However, there has been little discussion about 'how to' integrate security into KS models effectively. This research addresses this gap by proposing a KS Risk Governance (KSRG) framework and research model based on the framework to integrate security into KS through Knowledge Risk Governance (KRG). The role of KRG in the model is identified as a moderator which would influence on the risks of KS. The potential constructs for the model are identified through literature review. Social Exchange Theory (SET) is selected as theoretical framework to describe the KS behaviour and identify the formative constructs of KRG. The results of this study indicate that (1) SET factors are positively associated with KS behaviour, (2) KRG moderated the relationship between the SET factors and KS behaviour and (3) KS via KRG as a moderating construct will reduce the risks of KS. Therefore, KSRG framework provides a helpful guideline for senior managers auditing their organization's current KS strategy and requirements for reduction of KS risks.

Ort, förlag, år, upplaga, sidor
Chiayi: College of Management, National Chung Cheng University, 2016
Nyckelord
Knowledge risk governance, Knowledge Sharing, Knowledge sharing risks, Social exchange theory
Nationell ämneskategori
Systemvetenskap, informationssystem och informatik med samhällsvetenskaplig inriktning
Identifikatorer
urn:nbn:se:oru:diva-62324 (URN)2-s2.0-85011115928 (Scopus ID)9789860491029 (ISBN)
Konferens
20th Pacific Asia Conference on Information Systems (PACIS 2016), Chiayi, Taiwan, June 27 - July 1, 2016
Tillgänglig från: 2017-11-13 Skapad: 2017-11-13 Senast uppdaterad: 2017-11-13Bibliografiskt granskad
Zec, M. & Kajtazi, M. (2015). Examining how IT Professionals in SMEs Take Decisions About Implementing Cyber Security Strategy. In: PROCEEDINGS OF 9TH EUROPEAN CONFERENCE ON IS MANAGEMENT AND EVALUATION (ECIME 2015): . Paper presented at 9th European Conference on Information Management and Evaluation (ECIME), Univ W England, Bristol, England, September 21-22, 2015 (pp. 231-239). Academic Conferences Limited
Öppna denna publikation i ny flik eller fönster >>Examining how IT Professionals in SMEs Take Decisions About Implementing Cyber Security Strategy
2015 (Engelska)Ingår i: PROCEEDINGS OF 9TH EUROPEAN CONFERENCE ON IS MANAGEMENT AND EVALUATION (ECIME 2015), Academic Conferences Limited, 2015, s. 231-239Konferensbidrag, Publicerat paper (Refereegranskat)
Abstract [en]

With the significant growth of cyber space, business organizations have become more alert than ever before that cyber security must be considered seriously and that there is a need to develop up-to-date security measures. It has become an increasing trend that cyber-attackers concentrate more on small and medium than on large enterprises, due to their known vulnerability towards cyber security. In exchange of successful cyber security measures in organizations, the security risks must be taken into consideration more closely that could be helpful for re-thinking their decision-making on cyber security. This article develops a theoretical framework on cyber security with three aspects taken in consideration: organizational, technological and psychological, that deserves the attention of IT professionals while and after creating cyber security measures in their SMEs. The first two aspects (organizational and technological) focus on understanding the IT professionals' decision-making process, while the third aspect (psychological) focuses on understanding the IT professionals' post decision-making reactions. Firstly, the organizational aspect presupposes that the ones who create cyber security measures are exposed to unclear and undefined decision processes and rights that lead to system vulnerabilities. Secondly, the technological aspect focuses on disclosing how many IT professionals in their organizations fail to meet foundational technological measures, such as the existence of Internet firewall, logs of system events, existence of hardware and software inventory list, data backup, antivirus software and password rules. Lastly, the psychological aspect, explains how post cyber security decisions made by IT professionals may have a contra-effect on the organization. Our data analyses collected based on interviews with IT professionals across 6 organizations (SMEs) show that cyber security is yet to be developed among SMEs, an issue that must not be taken lightly. Results show that the IT professionals in these organizations need to strengthen and develop their security thinking, in order to decrease the vulnerability of informational assets among SMEs. We believe that a perspective on understanding decision-making processes upon the cyber security measures by IT professionals in SMEs may bring a theoretical redirection in the literature, as well as an important feedback to practice.

Ort, förlag, år, upplaga, sidor
Academic Conferences Limited, 2015
Serie
Proceedings of the European Conference on Information Management and Evaluation, ISSN 2048-8912
Nyckelord
cyber security, SMEs, IT professionals, decision-making, security counter measures
Nationell ämneskategori
Systemvetenskap, informationssystem och informatik
Forskningsämne
Datavetenskap
Identifikatorer
urn:nbn:se:oru:diva-49725 (URN)000371980300028 ()2-s2.0-84994175636 (Scopus ID)978-1-910810-56-9 (ISBN)
Konferens
9th European Conference on Information Management and Evaluation (ECIME), Univ W England, Bristol, England, September 21-22, 2015
Tillgänglig från: 2016-04-08 Skapad: 2016-04-08 Senast uppdaterad: 2018-07-03Bibliografiskt granskad
Kajtazi, M., Kolkowska, E. & Bulgurcu, B. (2015). New Insights Into Understanding Manager’s Intentions to Overlook ISP Violation in Organizations through Escalation of Commitment Factors. In: Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015): . Paper presented at Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015), Lesvos, Greece, July 1-3, 2015. Pöymouth: Plymouth University
Öppna denna publikation i ny flik eller fönster >>New Insights Into Understanding Manager’s Intentions to Overlook ISP Violation in Organizations through Escalation of Commitment Factors
2015 (Engelska)Ingår i: Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015), Pöymouth: Plymouth University , 2015Konferensbidrag, Publicerat paper (Refereegranskat)
Abstract [en]

This paper addresses managers’ intentions to overlook their employees’ Information Security Policy (ISP) violation, in circumstances when on-going projects have to be completed and delivered even if ISP violation must take place to do so. The motivation is based on the concern that ISP violation can be influenced by escalation of commitment factors. Escalation is a phenomenon that explains how employees in organizations often get involved in nonperforming projects, commonly reflecting the tendency of persistence, when investments of resources have been initiated. We develop a theoretical understanding based on Escalation of Commitment theory that centres on two main factors of noncompliance, namely completion effect and sunk costs. We tested our theoretical concepts in a pilot study, based on qualitative and quantitative data received from 16 respondents from the IT – industry, each representing one respondent from the management level. The results show that while some managers are very strict about not accepting any form of ISP violation in their organization, their beliefs start to change when they realize that such form of violation may occur when their employees are closer to completion of a project. Our in-depth interviews with 3 respondents in the follow-up study, confirm the tension created between compliance with the ISP and the completion of the project. The results indicate that the larger the investments of time, efforts and money in a project, the more the managers consider that violation is acceptable

Ort, förlag, år, upplaga, sidor
Pöymouth: Plymouth University, 2015
Nyckelord
Escalation of commitment, ISP violation, IT-industry, completion effect, sunk costs
Nationell ämneskategori
Systemvetenskap, informationssystem och informatik
Forskningsämne
Informatik
Identifikatorer
urn:nbn:se:oru:diva-45574 (URN)2-s2.0-85026378315 (Scopus ID)978-1-84102-388-5 (ISBN)
Konferens
Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015), Lesvos, Greece, July 1-3, 2015
Tillgänglig från: 2015-08-17 Skapad: 2015-08-17 Senast uppdaterad: 2018-07-05Bibliografiskt granskad
Kajtazi, M. & Bulgurcu, B. (2014). A Theoretical Perspective on Rationalization of Insider Computer Abuse. In: : . Paper presented at 8th Annual SIGSEC Workshop on Information Security and Privacy. Auckland, New Zealand, December 13, 2014.
Öppna denna publikation i ny flik eller fönster >>A Theoretical Perspective on Rationalization of Insider Computer Abuse
2014 (Engelska)Konferensbidrag, Publicerat paper (Refereegranskat)
Nationell ämneskategori
Systemvetenskap, informationssystem och informatik
Forskningsämne
Informatik
Identifikatorer
urn:nbn:se:oru:diva-39208 (URN)
Konferens
8th Annual SIGSEC Workshop on Information Security and Privacy. Auckland, New Zealand, December 13, 2014
Tillgänglig från: 2014-12-02 Skapad: 2014-12-02 Senast uppdaterad: 2018-01-11Bibliografiskt granskad
Kajtazi, M., Bulgurcu, B., Cavusoglu, H. & Benbasat, I. (2014). Assessing Sunk Cost Effect on Employees'€™ Intentions to Violate Information Security Policies in Organizations. In: : . Paper presented at Proceedings of the 47th Annual Hawaii International Conference on System Sciences, 6-9 jan 2014 (pp. 3169-3177). IEEE
Öppna denna publikation i ny flik eller fönster >>Assessing Sunk Cost Effect on Employees'€™ Intentions to Violate Information Security Policies in Organizations
2014 (Engelska)Konferensbidrag, Publicerat paper (Refereegranskat)
Abstract [en]

It has been widely known that employees pose insider threats to the information and technology resources of an organization. In this paper, we develop a model to explain insiders' intentional violation of the requirements of an information security policy. We propose sunk cost as a mediating factor. We test our research model on data collected from three information-intensive organizations in banking and pharmaceutical industries (n=502). Our results show that sunk cost acts as a mediator between the proposed antecedents of sunk cost (i.e., completion effect and goal in congruency) and intentions to violate the ISP. We discuss the implications of our results for developing theory and for re-designing current security agendas that could help improve compliance behavior in the future.

Ort, förlag, år, upplaga, sidor
IEEE, 2014
Serie
Proceedings of the Annual Hawaii International Conference on System Sciences, ISSN 1060-3425
Nyckelord
Completion effect, goal incongruency, information security violation, insider threats, sunk cost
Nationell ämneskategori
Systemvetenskap, informationssystem och informatik
Identifikatorer
urn:nbn:se:oru:diva-39234 (URN)10.1109/HICSS.2014.393 (DOI)000343806603035 ()2-s2.0-84902267599 (Scopus ID)978-1-4799-2504-9 (ISBN)
Konferens
Proceedings of the 47th Annual Hawaii International Conference on System Sciences, 6-9 jan 2014
Anmärkning

Sponsored by:

University of Hawaii

Shidler College of Business

IEEE Computer  Society

Tillgänglig från: 2014-12-02 Skapad: 2014-12-02 Senast uppdaterad: 2019-03-29Bibliografiskt granskad
Kajtazi, M., Cavusoglu, H., Benbasat, I. & Haftor, D. (2013). Assessing Self-Justification as an Antecedent of Noncompliance with Information Security Policies. In: Proceedings of the 24th Australasian Conference on Information Systems: . Paper presented at 24th Australasian Conference on Information Systems (ACIS 2013), Information Systems: Transforming the Future, Melbourne, Australia, December 4-6, 2013 (pp. 1-12). Royal Melbourne Institute of Technology (RMIT)
Öppna denna publikation i ny flik eller fönster >>Assessing Self-Justification as an Antecedent of Noncompliance with Information Security Policies
2013 (Engelska)Ingår i: Proceedings of the 24th Australasian Conference on Information Systems, Royal Melbourne Institute of Technology (RMIT) , 2013, s. 1-12Konferensbidrag, Publicerat paper (Refereegranskat)
Abstract [en]

This paper aims to extend our knowledge about employees’ noncompliance with Information Security Policies (ISPs), focusing on employees’ self-justification as a result of escalation of commitment that may trigger noncompliance behaviour. Escalation presents a situation when employees must decide whether to persist or withdraw from nonperforming tasks at work. Drawing on self-justification theory and prospect theory, our model presents two escalation factors in explaining employee’s willingness to engage in noncompliance behaviour with ISPs: self-justification and risk perceptions. We also propose that perceived benefits of noncompliance and perceived costs of compliance, at the intersection of cognitive and emotional driven acts influence self-justification. The model is tested based on 376 respondents from banking industry. The results show that while self-justification has a significant impact on willingness, risk perceptions do not moderate their relation. We suggest that future research should explore the roles of self-justification in noncompliance to a greater extent.

Ort, förlag, år, upplaga, sidor
Royal Melbourne Institute of Technology (RMIT), 2013
Nyckelord
Escalation of commitment behaviour, information security policy, noncompliance behaviour, risk perceptions, self-justification
Nationell ämneskategori
Tvärvetenskapliga studier inom samhällsvetenskap Systemvetenskap, informationssystem och informatik med samhällsvetenskaplig inriktning
Forskningsämne
Data- och informationsvetenskap, Informatik
Identifikatorer
urn:nbn:se:oru:diva-62326 (URN)2-s2.0-84923879940 (Scopus ID)9780992449506 (ISBN)
Konferens
24th Australasian Conference on Information Systems (ACIS 2013), Information Systems: Transforming the Future, Melbourne, Australia, December 4-6, 2013
Tillgänglig från: 2015-02-13 Skapad: 2017-11-13 Senast uppdaterad: 2018-02-27Bibliografiskt granskad
Kajtazi, M. & Cavusoglu, H. (2013). Guilt Proneness as a Mechanism Towards Information Security Policy Compliance. In: Proceedings of the 24th Australasian Conference on Information Systems: . Paper presented at 24th Australasian Conference on Information Systems (ACIS 2013), Information Systems: Transforming the Future, Melbourne, Australia, December 4-6, 2013. Royal Melbourne Institute of Technology (RMIT)
Öppna denna publikation i ny flik eller fönster >>Guilt Proneness as a Mechanism Towards Information Security Policy Compliance
2013 (Engelska)Ingår i: Proceedings of the 24th Australasian Conference on Information Systems, Royal Melbourne Institute of Technology (RMIT) , 2013Konferensbidrag, Publicerat paper (Refereegranskat)
Abstract [en]

In this paper, we develop a theoretical framework for understanding the role guilt proneness plays in the Information Security Policy (ISP) compliance. We define guilt proneness as an emotional personality trait indicative of a predisposition to experience a negative feeling about ISP violation. We develop a research model based on the theory of planned behaviour, guilt proneness theory and rational choice theory to explain employees’ intentions to comply with ISPs by incorporating the guilt proneness as a moderator between benefit of compliance and benefit of violation as perceived by employees and their attitude towards compliance. Identifying the roles of predispositions like guilt proneness in the ISP compliance will have interesting theoretical and practical implications in the area of information security.

Ort, förlag, år, upplaga, sidor
Royal Melbourne Institute of Technology (RMIT), 2013
Nyckelord
Benefit of Compliance, Benefit of Violation, Compliance Behaviour, Information Security Policy, Guilt Proneness
Nationell ämneskategori
Systemvetenskap, informationssystem och informatik
Forskningsämne
Data- och informationsvetenskap, Informatik
Identifikatorer
urn:nbn:se:oru:diva-62327 (URN)2-s2.0-84923879943 (Scopus ID)9780992449506 (ISBN)
Konferens
24th Australasian Conference on Information Systems (ACIS 2013), Information Systems: Transforming the Future, Melbourne, Australia, December 4-6, 2013
Tillgänglig från: 2013-12-10 Skapad: 2017-11-13 Senast uppdaterad: 2018-02-27Bibliografiskt granskad
Kajtazi, M. & Bulgurcu, B. (2013). Information Security Policy Compliance: An Empirical Study on Escalation of Commitment. In: 19th Americas Conference on Information Systems (AMCIS 2013): Hyperconnected World : Anything Anywhere, Anytime. Paper presented at 19th Americas Conference on Information Systems, Chicago, Illinois, USA, August 15-17, 2013 (pp. 2011-2020). Red Hook, N.Y.: Curran Associates, Inc.
Öppna denna publikation i ny flik eller fönster >>Information Security Policy Compliance: An Empirical Study on Escalation of Commitment
2013 (Engelska)Ingår i: 19th Americas Conference on Information Systems (AMCIS 2013): Hyperconnected World : Anything Anywhere, Anytime, Red Hook, N.Y.: Curran Associates, Inc., 2013, s. 2011-2020Konferensbidrag, Publicerat paper (Refereegranskat)
Abstract [en]

This study aims to facilitate a new understanding on employees’ attitude towards compliance with the requirements of their information security policy (ISPs) through the lens of escalation. Escalation presents a situation in which employees must decide whether to persist in or withdraw from a non-performing task. Drawing on the Theory of Planned Behavior (TPB) and Agency Theory, our model delineates three mediating factors in explaining attitude: work impediment, information asymmetry, and safety of resources. We also propose information security awareness as an independent variable having an indirect effect on attitude through mediating factors. The proposed model is tested using the data collected from 376 employees working in the banking industry. The results of the PLS analyses show that while information asymmetry and safety of resources have significant impacts on attitude, work impediment does not. The results also show that ISA has significant impact on all three mediating factors.

Ort, förlag, år, upplaga, sidor
Red Hook, N.Y.: Curran Associates, Inc., 2013
Nyckelord
Agency theory; Compliance; Escalation of commitment; Information security; Information security awareness; Information security policy; Insiders
Nationell ämneskategori
Systemvetenskap, informationssystem och informatik
Forskningsämne
Data- och informationsvetenskap, Informatik
Identifikatorer
urn:nbn:se:oru:diva-62332 (URN)2-s2.0-84893234429 (Scopus ID)978-1-62993-394-8 (ISBN)
Konferens
19th Americas Conference on Information Systems, Chicago, Illinois, USA, August 15-17, 2013
Tillgänglig från: 2013-12-10 Skapad: 2017-11-13 Senast uppdaterad: 2018-05-29Bibliografiskt granskad
Haftor, D. & Kajtazi, M. (2012). Information Based Business Models: a Research Direction. In: Proceedings of the 9th International Conference in Business and Information (BAI 2012): . Paper presented at 9th International Conference in Business and Information (BAI 2012), Sapporo, Japan, July 3-5, 2012.
Öppna denna publikation i ny flik eller fönster >>Information Based Business Models: a Research Direction
2012 (Engelska)Ingår i: Proceedings of the 9th International Conference in Business and Information (BAI 2012), 2012Konferensbidrag, Muntlig presentation med publicerat abstract (Refereegranskat)
Nationell ämneskategori
Företagsekonomi
Forskningsämne
Ekonomi, Företagsekonomi
Identifikatorer
urn:nbn:se:oru:diva-62328 (URN)
Konferens
9th International Conference in Business and Information (BAI 2012), Sapporo, Japan, July 3-5, 2012
Tillgänglig från: 2013-08-14 Skapad: 2017-11-13 Senast uppdaterad: 2018-05-15Bibliografiskt granskad
Organisationer

Sök vidare i DiVA

Visa alla publikationer