Information protection behaviors: morality and organizational criticality

Abstract

Purpose Organizational insiders play a critical role in protecting sensitive information. Prior research finds that moral beliefs influence compliance decisions. Yet, it is less clear what factors influence moral beliefs and the conditions under which those factors have stronger/weaker effects. Using an ethical decision-making model and value congruence theory, this study aims to investigate how moral intensity and organizational criticality influence moral beliefs and intentions to perform information protection behaviors. Design/methodology/approach The hypotheses were tested using a scenario-based survey of 216 organizational insiders. Two of the scenarios depict low criticality information security protection behaviors and two depict high criticality behaviors. Findings A major finding is that users rely more on perceived social consensus and magnitude of consequences when organizational criticality is low and on temporal immediacy and proximity when criticality is high. In addition, the moral intensity dimensions explain more variance in moral beliefs when organizational criticality is low. Research limitations/implications The study is limited by its sample, which is organizational insiders at a mid-size university. It is also limited in that it only examined four of the six moral intensity dimensions. Practical implications The findings can guide management about which moral intensity dimensions are more important to focus on when remediating tone at the top and other leadership weaknesses relating to information security. Originality/value This study adds value by investigating the separate dimensions of moral intensity on information protection behaviors. It also is the first to examine moral intensity under conditions of low and high organizational criticality.