Escalation of commitment and information security: theories and implications

Abstract

Purpose This study aims to explore the challenges that the escalation of commitment poses to information security. Design/methodology/approach Two distinct scenarios of escalation behavior are presented based on literature review. Psychological, organizational and economic theories on escalation of commitment are reviewed and applied to the area of information security. Findings Escalation of commitment involves continuation of a course of action after receiving negative information about it. In the information security compliance context, escalation affects a firm when an employee decides to break the firm’s information security policy to complete a failing task. In the information security investment context, escalation occurs if a manager continues investment in policies and solutions that are ineffective because of psychological, organizational or economic factors. Both of these types of escalation may be prevented with de-escalation techniques including a change in management or rotation of duties, monitoring, auditing and governance mechanisms. Practical implications Implications of escalation of commitment behavior for information security decision-makers and for future research are discussed. Originality/value This study complements the literature by establishing the context of escalation of commitment in decisions related to information security and reviewing managerial and economic theories on escalation of commitment.