Kajtazi, Miranda
Publications (10 of 15)
Kajtazi, M., Cavusoglu, H., Benbasat, I. & Haftor, D. (2018). Escalation of commitment as an antecedent to noncompliance with information security policy. Information and Computer Security, 26(2), 171-193
2018 (English). In: Information and Computer Security, ISSN 2056-4961, Vol. 26, no 2, p. 171-193. Article in journal (Refereed), Published
Abstract [en]

Purpose: This study aims to identify antecedents to noncompliance behavior influenced by decision contexts where investments in time, effort and resources are devoted to a task - referred to as a task unlikely to be completed without violating the organization's information security policy (ISP).

Design/methodology/approach: An empirical test of the suggested relationships in the proposed model was conducted through a field study using the survey method for data collection. Pre-tests, pre-study, main study and a follow-up study compose the frame of our methodology where more than 500 respondents are involved across different organizations.

Findings: The results confirm that the antecedents that explain the escalation of commitment behavior in terms of the effect of lost assets, such as time, effort and other resources, give us a new lens to understand noncompliance behavior; employees seem to escalate their commitments to the completion of their tasks at the expense of becoming noncompliant with ISP.

Research limitations/implications: One of the key areas that requires further attention from this study is to better understand the role of risk perceptions on employee behavior when dealing with value conflicts. Depending on how risk-averse or risk seeking an employee is, the model showed no significant support in either case to influence their noncompliance behavior. The authors therefore argue that employees' noncompliance may be influenced by more powerful beliefs, such as self-justification and sunk costs.

Practical implications: The results show that when employees are caught in tasks undergoing difficulties, they are more likely to increase noncompliance behavior. By understanding better how project obstacles result in such tasks, security managers can define new mechanisms to counter employees' shift from compliance to noncompliance.

Social implications: Apart from encouraging compliance with enforcement mechanisms (using direct behavioral controls like sanctions or rewards), indirect behavior controls may also encourage compliance. The authors suggest that the ISPs should state that the organization would take positive actions toward task completion and help their employees to resolve their problems quickly.

Originality/value: This study is the first to tackle escalation of commitment theories and use antecedents that explain the effect of lost assets, such as time, effort and other resources, which can also explain noncompliance with ISP in terms of the value conflicts, where employees would often choose to forego compliance at the expense of finishing their tasks.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2018
Keywords
Prospect theory, Information security policy, Approach avoidance theory, Employee's noncompliance behaviour, Escalation of commitment behaviour, Self-justification theory
National Category
Computer Sciences
Identifiers
urn:nbn:se:oru:diva-68486 (URN); 10.1108/ICS-09-2017-0066 (DOI); 000439563900003 (); 2-s2.0-85049889835 (Scopus ID)
Available from: 2018-08-15. Created: 2018-08-15. Last updated: 2018-09-13. Bibliographically approved
Sarkheyli, A., Alias, R. A., Carlsson, S. & Kajtazi, M. (2016). Conceptualizing knowledge risk governance as a moderator to potentially reduce the risks in knowledge sharing. In: Pacific Asia Conference on Information Systems, PACIS 2016: Proceedings. Paper presented at 20th Pacific Asia Conference on Information Systems (PACIS 2016), Chiayi, Taiwan, June 27 - July 1, 2016. Chiayi: College of Management, National Chung Cheng University
2016 (English). In: Pacific Asia Conference on Information Systems, PACIS 2016: Proceedings, Chiayi: College of Management, National Chung Cheng University, 2016. Conference paper, Published paper (Refereed)
Abstract [en]

Recent developments in Knowledge Sharing (KS) have heightened the need for security. However, there has been little discussion about 'how to' integrate security into KS models effectively. This research addresses this gap by proposing a KS Risk Governance (KSRG) framework and research model based on the framework to integrate security into KS through Knowledge Risk Governance (KRG). The role of KRG in the model is identified as a moderator which would influence the risks of KS. The potential constructs for the model are identified through literature review. Social Exchange Theory (SET) is selected as theoretical framework to describe the KS behaviour and identify the formative constructs of KRG. The results of this study indicate that (1) SET factors are positively associated with KS behaviour, (2) KRG moderated the relationship between the SET factors and KS behaviour and (3) KS via KRG as a moderating construct will reduce the risks of KS. Therefore, KSRG framework provides a helpful guideline for senior managers auditing their organization's current KS strategy and requirements for reduction of KS risks.

Place, publisher, year, edition, pages
Chiayi: College of Management, National Chung Cheng University, 2016
Keywords
Knowledge risk governance, Knowledge Sharing, Knowledge sharing risks, Social exchange theory
National Category
Information Systems, Social aspects
Identifiers
urn:nbn:se:oru:diva-62324 (URN); 2-s2.0-85011115928 (Scopus ID); 9789860491029 (ISBN)
Conference
20th Pacific Asia Conference on Information Systems (PACIS 2016), Chiayi, Taiwan, June 27 - July 1, 2016
Available from: 2017-11-13. Created: 2017-11-13. Last updated: 2017-11-13. Bibliographically approved
Zec, M. & Kajtazi, M. (2015). Examining how IT Professionals in SMEs Take Decisions About Implementing Cyber Security Strategy. In: PROCEEDINGS OF 9TH EUROPEAN CONFERENCE ON IS MANAGEMENT AND EVALUATION (ECIME 2015). Paper presented at 9th European Conference on Information Management and Evaluation (ECIME), Univ W England, Bristol, England, September 21-22, 2015 (pp. 231-239). Academic Conferences Limited
2015 (English). In: PROCEEDINGS OF 9TH EUROPEAN CONFERENCE ON IS MANAGEMENT AND EVALUATION (ECIME 2015), Academic Conferences Limited, 2015, p. 231-239. Conference paper, Published paper (Refereed)
Abstract [en]

With the significant growth of cyber space, business organizations have become more alert than ever before that cyber security must be considered seriously and that there is a need to develop up-to-date security measures. It has become an increasing trend that cyber-attackers concentrate more on small and medium than on large enterprises, due to their known vulnerability towards cyber security. In exchange of successful cyber security measures in organizations, the security risks must be taken into consideration more closely that could be helpful for re-thinking their decision-making on cyber security. This article develops a theoretical framework on cyber security with three aspects taken in consideration: organizational, technological and psychological, that deserves the attention of IT professionals while and after creating cyber security measures in their SMEs. The first two aspects (organizational and technological) focus on understanding the IT professionals' decision-making process, while the third aspect (psychological) focuses on understanding the IT professionals' post decision-making reactions. Firstly, the organizational aspect presupposes that the ones who create cyber security measures are exposed to unclear and undefined decision processes and rights that lead to system vulnerabilities. Secondly, the technological aspect focuses on disclosing how many IT professionals in their organizations fail to meet foundational technological measures, such as the existence of Internet firewall, logs of system events, existence of hardware and software inventory list, data backup, antivirus software and password rules. Lastly, the psychological aspect explains how post cyber security decisions made by IT professionals may have a contra-effect on the organization. Our data analyses collected based on interviews with IT professionals across 6 organizations (SMEs) show that cyber security is yet to be developed among SMEs, an issue that must not be taken lightly. Results show that the IT professionals in these organizations need to strengthen and develop their security thinking, in order to decrease the vulnerability of informational assets among SMEs. We believe that a perspective on understanding decision-making processes upon the cyber security measures by IT professionals in SMEs may bring a theoretical redirection in the literature, as well as an important feedback to practice.

Place, publisher, year, edition, pages
Academic Conferences Limited, 2015
Series
Proceedings of the European Conference on Information Management and Evaluation, ISSN 2048-8912
Keywords
cyber security, SMEs, IT professionals, decision-making, security counter measures
National Category
Information Systems
Research subject
Computer Science
Identifiers
urn:nbn:se:oru:diva-49725 (URN); 000371980300028 (); 2-s2.0-84994175636 (Scopus ID); 978-1-910810-56-9 (ISBN)
Conference
9th European Conference on Information Management and Evaluation (ECIME), Univ W England, Bristol, England, September 21-22, 2015
Available from: 2016-04-08. Created: 2016-04-08. Last updated: 2018-07-03. Bibliographically approved
Kajtazi, M., Kolkowska, E. & Bulgurcu, B. (2015). New Insights Into Understanding Manager’s Intentions to Overlook ISP Violation in Organizations through Escalation of Commitment Factors. In: Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015). Paper presented at Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015), Lesvos, Greece, July 1-3, 2015. Plymouth: Plymouth University
2015 (English). In: Proceedings of the Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015), Plymouth: Plymouth University, 2015. Conference paper, Published paper (Refereed)
Abstract [en]

This paper addresses managers’ intentions to overlook their employees’ Information Security Policy (ISP) violation, in circumstances when on-going projects have to be completed and delivered even if ISP violation must take place to do so. The motivation is based on the concern that ISP violation can be influenced by escalation of commitment factors. Escalation is a phenomenon that explains how employees in organizations often get involved in nonperforming projects, commonly reflecting the tendency of persistence, when investments of resources have been initiated. We develop a theoretical understanding based on Escalation of Commitment theory that centres on two main factors of noncompliance, namely completion effect and sunk costs. We tested our theoretical concepts in a pilot study, based on qualitative and quantitative data received from 16 respondents from the IT industry, each representing one respondent from the management level. The results show that while some managers are very strict about not accepting any form of ISP violation in their organization, their beliefs start to change when they realize that such form of violation may occur when their employees are closer to completion of a project. Our in-depth interviews with 3 respondents in the follow-up study confirm the tension created between compliance with the ISP and the completion of the project. The results indicate that the larger the investments of time, efforts and money in a project, the more the managers consider that violation is acceptable.

Place, publisher, year, edition, pages
Plymouth: Plymouth University, 2015
Keywords
Escalation of commitment, ISP violation, IT-industry, completion effect, sunk costs
National Category
Information Systems
Research subject
Informatics
Identifiers
urn:nbn:se:oru:diva-45574 (URN); 2-s2.0-85026378315 (Scopus ID); 978-1-84102-388-5 (ISBN)
Conference
Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015), Lesvos, Greece, July 1-3, 2015
Available from: 2015-08-17. Created: 2015-08-17. Last updated: 2022-05-23. Bibliographically approved
Kajtazi, M. & Bulgurcu, B. (2014). A Theoretical Perspective on Rationalization of Insider Computer Abuse. Paper presented at 8th Annual SIGSEC Workshop on Information Security and Privacy. Auckland, New Zealand, December 13, 2014.
2014 (English). Conference paper, Published paper (Refereed)
National Category
Information Systems
Research subject
Informatics
Identifiers
urn:nbn:se:oru:diva-39208 (URN)
Conference
8th Annual SIGSEC Workshop on Information Security and Privacy. Auckland, New Zealand, December 13, 2014
Available from: 2014-12-02. Created: 2014-12-02. Last updated: 2018-01-11. Bibliographically approved
Kajtazi, M., Bulgurcu, B., Cavusoglu, H. & Benbasat, I. (2014). Assessing Sunk Cost Effect on Employees' Intentions to Violate Information Security Policies in Organizations. Paper presented at Proceedings of the 47th Annual Hawaii International Conference on System Sciences, 6-9 jan 2014 (pp. 3169-3177). IEEE
2014 (English). Conference paper, Published paper (Refereed)
Abstract [en]

It has been widely known that employees pose insider threats to the information and technology resources of an organization. In this paper, we develop a model to explain insiders' intentional violation of the requirements of an information security policy. We propose sunk cost as a mediating factor. We test our research model on data collected from three information-intensive organizations in banking and pharmaceutical industries (n=502). Our results show that sunk cost acts as a mediator between the proposed antecedents of sunk cost (i.e., completion effect and goal incongruency) and intentions to violate the ISP. We discuss the implications of our results for developing theory and for re-designing current security agendas that could help improve compliance behavior in the future.

Place, publisher, year, edition, pages
IEEE, 2014
Series
Proceedings of the Annual Hawaii International Conference on System Sciences, ISSN 1060-3425
Keywords
Completion effect, goal incongruency, information security violation, insider threats, sunk cost
National Category
Information Systems
Identifiers
urn:nbn:se:oru:diva-39234 (URN); 10.1109/HICSS.2014.393 (DOI); 000343806603035 (); 2-s2.0-84902267599 (Scopus ID); 978-1-4799-2504-9 (ISBN)
Conference
Proceedings of the 47th Annual Hawaii International Conference on System Sciences, 6-9 jan 2014
Note
Sponsored by: University of Hawaii; Shidler College of Business; IEEE Computer Society
Available from: 2014-12-02. Created: 2014-12-02. Last updated: 2019-03-29. Bibliographically approved
Kajtazi, M., Cavusoglu, H., Benbasat, I. & Haftor, D. (2013). Assessing Self-Justification as an Antecedent of Noncompliance with Information Security Policies. In: Proceedings of the 24th Australasian Conference on Information Systems. Paper presented at 24th Australasian Conference on Information Systems (ACIS 2013), Information Systems: Transforming the Future, Melbourne, Australia, December 4-6, 2013 (pp. 1-12). Royal Melbourne Institute of Technology (RMIT)
2013 (English). In: Proceedings of the 24th Australasian Conference on Information Systems, Royal Melbourne Institute of Technology (RMIT), 2013, p. 1-12. Conference paper, Published paper (Refereed)
Abstract [en]

This paper aims to extend our knowledge about employees’ noncompliance with Information Security Policies (ISPs), focusing on employees’ self-justification as a result of escalation of commitment that may trigger noncompliance behaviour. Escalation presents a situation when employees must decide whether to persist or withdraw from nonperforming tasks at work. Drawing on self-justification theory and prospect theory, our model presents two escalation factors in explaining employee’s willingness to engage in noncompliance behaviour with ISPs: self-justification and risk perceptions. We also propose that perceived benefits of noncompliance and perceived costs of compliance, at the intersection of cognitive and emotional driven acts influence self-justification. The model is tested based on 376 respondents from banking industry. The results show that while self-justification has a significant impact on willingness, risk perceptions do not moderate their relation. We suggest that future research should explore the roles of self-justification in noncompliance to a greater extent.

Place, publisher, year, edition, pages
Royal Melbourne Institute of Technology (RMIT), 2013
Keywords
Escalation of commitment behaviour, information security policy, noncompliance behaviour, risk perceptions, self-justification
National Category
Peace and Conflict Studies; Other Social Sciences not elsewhere specified; Information Systems, Social aspects
Research subject
Computer and Information Sciences Computer Science, Information Systems
Identifiers
urn:nbn:se:oru:diva-62326 (URN); 2-s2.0-84923879940 (Scopus ID); 9780992449506 (ISBN)
Conference
24th Australasian Conference on Information Systems (ACIS 2013), Information Systems: Transforming the Future, Melbourne, Australia, December 4-6, 2013
Available from: 2015-02-13. Created: 2017-11-13. Last updated: 2025-02-20. Bibliographically approved
Kajtazi, M. & Cavusoglu, H. (2013). Guilt Proneness as a Mechanism Towards Information Security Policy Compliance. In: Proceedings of the 24th Australasian Conference on Information Systems. Paper presented at 24th Australasian Conference on Information Systems (ACIS 2013), Information Systems: Transforming the Future, Melbourne, Australia, December 4-6, 2013. Royal Melbourne Institute of Technology (RMIT)
2013 (English). In: Proceedings of the 24th Australasian Conference on Information Systems, Royal Melbourne Institute of Technology (RMIT), 2013. Conference paper, Published paper (Refereed)
Abstract [en]

In this paper, we develop a theoretical framework for understanding the role guilt proneness plays in the Information Security Policy (ISP) compliance. We define guilt proneness as an emotional personality trait indicative of a predisposition to experience a negative feeling about ISP violation. We develop a research model based on the theory of planned behaviour, guilt proneness theory and rational choice theory to explain employees’ intentions to comply with ISPs by incorporating the guilt proneness as a moderator between benefit of compliance and benefit of violation as perceived by employees and their attitude towards compliance. Identifying the roles of predispositions like guilt proneness in the ISP compliance will have interesting theoretical and practical implications in the area of information security.

Place, publisher, year, edition, pages
Royal Melbourne Institute of Technology (RMIT), 2013
Keywords
Benefit of Compliance, Benefit of Violation, Compliance Behaviour, Information Security Policy, Guilt Proneness
National Category
Information Systems
Research subject
Computer and Information Sciences Computer Science, Information Systems
Identifiers
urn:nbn:se:oru:diva-62327 (URN); 2-s2.0-84923879943 (Scopus ID); 9780992449506 (ISBN)
Conference
24th Australasian Conference on Information Systems (ACIS 2013), Information Systems: Transforming the Future, Melbourne, Australia, December 4-6, 2013
Available from: 2013-12-10. Created: 2017-11-13. Last updated: 2023-03-22. Bibliographically approved
Kajtazi, M. & Bulgurcu, B. (2013). Information Security Policy Compliance: An Empirical Study on Escalation of Commitment. In: 19th Americas Conference on Information Systems (AMCIS 2013): Hyperconnected World : Anything Anywhere, Anytime. Paper presented at 19th Americas Conference on Information Systems, Chicago, Illinois, USA, August 15-17, 2013 (pp. 2011-2020). Red Hook, N.Y.: Curran Associates, Inc.
2013 (English). In: 19th Americas Conference on Information Systems (AMCIS 2013): Hyperconnected World : Anything Anywhere, Anytime, Red Hook, N.Y.: Curran Associates, Inc., 2013, p. 2011-2020. Conference paper, Published paper (Refereed)
Abstract [en]

This study aims to facilitate a new understanding on employees’ attitude towards compliance with the requirements of their information security policy (ISPs) through the lens of escalation. Escalation presents a situation in which employees must decide whether to persist in or withdraw from a non-performing task. Drawing on the Theory of Planned Behavior (TPB) and Agency Theory, our model delineates three mediating factors in explaining attitude: work impediment, information asymmetry, and safety of resources. We also propose information security awareness as an independent variable having an indirect effect on attitude through mediating factors. The proposed model is tested using the data collected from 376 employees working in the banking industry. The results of the PLS analyses show that while information asymmetry and safety of resources have significant impacts on attitude, work impediment does not. The results also show that ISA has significant impact on all three mediating factors.

Place, publisher, year, edition, pages
Red Hook, N.Y.: Curran Associates, Inc., 2013
Keywords
Agency theory, Compliance, Escalation of commitment, Information security, Information security awareness, Information security policy, Insiders
National Category
Information Systems
Research subject
Computer and Information Sciences Computer Science, Information Systems
Identifiers
urn:nbn:se:oru:diva-62332 (URN); 2-s2.0-84893234429 (Scopus ID); 9781629933948 (ISBN)
Conference
19th Americas Conference on Information Systems, Chicago, Illinois, USA, August 15-17, 2013
Available from: 2013-12-10. Created: 2017-11-13. Last updated: 2024-09-16. Bibliographically approved
Haftor, D. & Kajtazi, M. (2012). Information Based Business Models: a Research Direction. In: Proceedings of the 9th International Conference in Business and Information (BAI 2012). Paper presented at 9th International Conference in Business and Information (BAI 2012), Sapporo, Japan, July 3-5, 2012.
2012 (English). In: Proceedings of the 9th International Conference in Business and Information (BAI 2012), 2012. Conference paper, Oral presentation with published abstract (Refereed)
National Category
Business Administration
Research subject
Economy, Business administration
Identifiers
urn:nbn:se:oru:diva-62328 (URN)
Conference
9th International Conference in Business and Information (BAI 2012), Sapporo, Japan, July 3-5, 2012
Available from: 2013-08-14. Created: 2017-11-13. Last updated: 2018-05-15. Bibliographically approved