The Impact of Reward
by
Charles A. Ogunnoiki
Doctor of Philosophy
Capella University
July 2019
ProQuest Number: 22617155
Published by ProQuest LLC (2019). Copyright of the Dissertation is held by the Author.
All rights reserved.
This work is protected against unauthorized copying under Title 17, United States Code
Microform Edition © ProQuest LLC.
ProQuest LLC.
789 East Eisenhower Parkway
P.O. Box 1346
Ann Arbor, MI 48106 - 1346
© Charles A. Ogunnoiki, 2019
Abstract
information system security. Organizations establish information systems security policies and
procedures that end-users are expected to adhere to in keeping data secure. Additionally,
those policies. However, end-users fail to comply with information systems security policies and
compliance through various methods has become an accepted organizational practice. The
healthcare industry as the basis for this study, is unique in terms of its stringent information
examines the relationship between end-user compliance with established information systems
security policies and procedures, motivational factors established by health care organizations to
assure such compliance. Residents of the United States working in the healthcare field whose job
functions require access to sensitive information as well as the use of information technology
knowledge for their day-to-day professional activities were studied. The data sample was
United States based on specific inclusion and exclusion criteria. A Pearson r correlation
coefficient was applied in the study to examine the relationship, if any, between the motivational
factors of reward, penalty, security training programs (SETA), social pressures, and job
satisfaction (IV) and end-user information security behavior (DV) of healthcare employees in the
United States. The results indicated no correlation between any of the predictor variables and the
outcome variable. In other words, healthcare employees’ information security behavior in the
United States is not dependent on reward for compliance, penalty for noncompliance, security
education, training, and awareness (SETA) programs, social pressures from colleagues, or job
satisfaction. The findings from this study are in contrast with previous findings in this domain on
the factors responsible for end-user security behavior. Implications of the findings, practitioner
insight resulting from the findings, and recommendations for further research based on these
Dedication
(Deceased) and Felicia, my sweet wife Oluwakemi, and my ever understanding children
Abayomi, Toluwalase, and Enoch. Dad, even though you are gone, the values you instilled in
me live forever. You taught me the importance of education, and I can still vividly remember
what you told me when I was leaving the shores of Nigeria, “remember the son of whom you
are.” Up till today, that echoes in my ears, and I will forever hold on to it. Mom, a jewel of
inestimable value, thanks for your ceaseless prayers, love, and care. Truly, you are a mother, and
I am proud to be called your son. Through both of you, this day “I STAND TALL.”
To my wife Oluwakemi, you are genuinely a prayer warrior, and I cannot thank you
enough for all your support through thick and thin. You gave me the courage not to give up when
I was almost at that point, thank you … we did it. Abayomi, Toluwalase, and Enoch, I thank you
all for your understanding and relentless patience. This journey would not have been possible
Acknowledgments
Shardul Pandya, whose attention and dedication to my progress and success helped to make the
final quarter of this journey seamless. Dr. Shardul, you came at a time when I was frustrated and
ready to throw in the towel, and you picked me up. You gave me hope and faith that the end of
the journey was nearer than I anticipated. Those words gave me the needed strength to continue
and complete the journey. Thank you. I also extend my profound gratitude to my committee
members, Dr. Sharon Gagnon, and Dr. Shawon Rahman for their guidance through the research
process.
I will always appreciate the unwavering support of Dr. Jonathan Gehrz, who provided
significant assistance towards the end of this program. I sincerely appreciate all your help.
Table of Contents
Acknowledgments
Definition of Terms
Research Design
Limitations
Introduction
Classification of End-Users Security Behaviors in the Health Care industry
Reward
Summary
Sample
Power Analysis
Procedures
Instruments
Summary
Background
Data collection And Analysis
Hypothesis Testing
Summary
Limitations
REFERENCES
APPENDIX A. RESEARCH INSTRUMENT
List of Tables
Table 17. Bivariate Correlation of Reward and End-User Security Behaviors
Table 18. Bivariate Correlation of PunSev and End-User Security Behaviors
Table 19. Bivariate Correlation of DetCert and End-User Security Behaviors
Table 21. Bivariate Correlation of NormBel and End-User Security Behaviors
Table 23. Bivariate Correlation of JobS and End-User Security Behaviors
List of Figures
CHAPTER 1. INTRODUCTION
play a critical and increasingly significant role in business operations by creating competitive
advantage, providing capabilities to improve business efficiency, and being useful in the rapidly
changing marketplace. Organizations are operating locally and globally through an organized
software, communications network, data resources, and policies and procedures. Employees and
business partners expend great resource for IT (Öğütçü, Testik, & Chouseinoglou, 2016;
Tarafdar, D’Arcy, Turel & Gupta, 2015) to store, retrieve, transform, and disseminate
information quickly and flawlessly through this information resource (Rodriguez, Busco, &
organizations rely on logical controls. Firewalls for perimeter defense, intrusion detection
assets from security threats are examples of such controls (Bulgurcu, Cavusoglu, & Benbasat,
2010; Posey, Roberts & Lowry, 2015). Although the controls can improve information security,
there has been an increase in information security breaches due to end-user non-compliance
with security measures (Cavusoglu, Cavusoglu, Son, & Benbasat, 2015; Öğütçü et al., 2016). In
other words, the controls are not sufficient in providing adequate protection for organizational IS
assets. For this reason, there has been a shift in paradigm in the approach towards protecting
organizational information assets (Vance, Siponen, & Pahnila, 2012; Posey, Roberts, & Lowry,
According to Ifinedo (2014), organizational end-users are at the forefront of information
organizations paying attention to their end-users’ information security behaviors. Due to the
increased understanding of the critical role of the end-users to IS security, there is a significant
These policies and procedures assist in shaping end-users’ security behavior towards making a
breaches due to internal threats continue to rise even with the development of information
security policies, since end-users often do not readily adhere to organizational information
security policies and procedures (Siponen, Mahmood, & Pahnila, 2014; Moody, Siponen, &
Pahnila, 2018).
2014; Siponen et al., 2014; Safa, Von Solms, & Furnell, 2016). Öğütçü et al. (2016) also
expressed that end-users’ noncompliant information security behavior leads to an information
asset vulnerability that could be exploited to cause potential security breaches in an organization.
Information security breaches lead to potential financial losses for organizations, in addition to
significantly affecting the organization’s reputation (Safa & Ismail, 2013). Therefore, it is critical
to understand the factors that motivate end-users to develop conscious security behaviors leading
to policy and procedure compliance. In this research, an integrative model based on reward,
penalty, security training programs, social pressures, and job satisfaction was developed to
The growth in information technology and its adoption by organizations for business
improvement initiatives are posing security challenges (Ifinedo, 2012). Annually, between two
and three percent of financial losses in organizations is due to security breaches (Veiga & Eloff,
2010). Thus, organizations allocate a significant amount in their budget for hardware and
software security infrastructure. Öğütçü et al. (2016) noted that IT infrastructures (firewalls,
intrusion detection systems, intrusion prevention systems, routers, software, etc.) are one of the
investment” (Öğütçü et al., 2016, p. 84) in security infrastructure, however, security breaches
continue to pose significant problems (Ifinedo, 2014; Ngoqo & Flowerday, 2015).
information assets, technologies alone are not enough. It is necessary to focus on the end-users'
role as well. End-users, either intentionally or unintentionally, are responsible for many of the
reported security incidents and breaches (Safa, Von Solms & Furnell, 2016; Soltanmohammadi,
molding or influencing security behaviors. These mechanisms involve the design and
development of information security policies and procedures that serve as guidelines
highlighting the roles and responsibilities of end-users towards the use of a company information
system resource (Ifinedo, 2014; Moody et al., 2018).
However, the outcomes of implementing various security policies and procedures can be
security policies continues to rise, leading to security breaches in organizations (Siponen et al.,
2014; Ngoqo & Flowerday, 2015; Yoon, Hwang, & Kim, 2012; Lebek, Uffen, Breitner,
and enhancing security awareness behavior among end-users (Chen, Ramamurthy, & Wen, 2015;
Kim & Homan, 2012). Although these awareness programs sound promising, some research
studies reveal a contrary result due to their lack of proper implementation strategy (Haeussinger
Hence, this research study is significant, as it investigates and identifies factors that
influence end-user security behaviors, which may facilitate the development of strategies for
promoting appropriate security behavior. The research problem focuses on identifying ways to
security training programs (SETA), social pressures, and job satisfaction on end-users’
information security behavior. In limiting the scope of the study, the research will focus on the
United States Healthcare industry. Established within the body of this thesis were the rationales
The previous research literature on end-user information security behavior establishes the
Ramamurthy & Wen, 2015; Ifinedo, 2012; Sommestad, Hallberg, Lundholm & Bengtsson,
2014). In addition, we are aware that achieving the benefit of ISP depends solely on end-users’
adherence to these rules (Padayachee, 2012; Siponen et al., 2014). However, we do not know
how to motivate end-users to adopt security-conscious behavior by adhering to ISP (Padayachee,
2012). Therefore, the problem statement will focus on identifying the factors that motivate the
end-users to adopt security-conscious behavior.
information security policy (ISP) is required to protect an organization’s information system and
other proprietary data (Chen, Ramamurthy & Wen, 2015; Ifinedo, 2012; Sommestad, Hallberg,
Lundholm & Bengtsson, 2014). Additionally, we are aware that achieving the benefit of ISP
depends solely on end-users’ adherence to these policies (Padayachee, 2012; Siponen et al.,
2014). Therefore, end-users need to be motivated to adhere to the policies and procedures
(Padayachee, 2012; Safa, Von Solms & Furnell, 2016). Different motivation factors have been
presented and established by various organizations (Acuna, 2016; Al-Mukahal & Alshare, 2015).
However, we do not know the extent to which motivational factors predict end-user information
Purpose of the Study
examine the correlation of end-user security behaviors in adhering to security policy. The focus
of the study is also on determining the degree to which these factors predict end-user security
behaviors.
To limit the scope of the study within the confines of a doctoral dissertation, the
researcher will draw participants from the healthcare industry in the United States. In this
industry, employees who are privy to sensitive information are subject to security control
measures. These employees usually handle large volumes of confidential personally identifiable
information (PII) and are expected to uphold standards of integrity to protect the confidentiality,
integrity, and availability (CIA) of such data (Renaud & Goucher, 2012). Additionally, (a) the
healthcare industry is well known for its stringent security measures (Hovav & D’Arcy, 2012;
Burke & Weill, 2018); and (b) the end-user security issues faced within this industry are on par
with other similar industries—such as finance and banking—where end-users within a working
environment are responsible for maintaining and protecting customer-centric sensitive
information (Cheng, Li, Li, Holm, & Zhai, 2013; Bélanger, Collignon, Enget, & Negangard,
Information security is an organizational issue and an end-user problem that requires the
attention of management or business decision makers. According to Safa et al. (2016), the
behaviors, mainly since the security of valuable assets depends on the end-users’ security
behavior. Safa et al. (2016) further posit that end-users’ behavior may stem from how individuals
feel about their job conditions, leading to job satisfaction, a reward for compliance, punishments
for noncompliance, social pressures from peers and the environment, and security training
In this context, this research (a) identifies the influence of end-users’ perception of
reward, penalty, security training programs, social pressures, and job satisfaction on information
security behavior in the US healthcare industry, and (b) determines the degree to which these
factors predict end-user security behaviors among end-users in the healthcare industry.
Understanding these factors will provide insight into management and decision-making process
within the industry when developing techniques that will directly impact end-users’ behavior in
integrity, and availability of the data is essential (Posey et al., 2015). The outcomes of this study
can provide healthcare organizations and business decision makers with information needed to
develop and design effective security policies, programs, and procedures that align with end-
users’ perceptions and needs. Also, the advancement of knowledge relating to the healthcare
industry end-users’ information security behavior is significant due to the disruptive nature of
behaviors in the healthcare industry, vis-à-vis their adherence to organizational information
security policies and procedures. The healthcare industry was identified to limit the scope of this
industries faced with end-user information system security-related issues. The focus of the study
is to identify the best combination of reward, penalty, security education, training and awareness
programs (SETA), social pressures, and job satisfaction as predictors of end-users’ security
behavior in a healthcare organization. Finally, the result of this study can equip healthcare
organizations with strategies that better align end-users’ information security behavior with
This research study is of interest to academic scholars in the field of Information Systems
Security, practicing managers in the field of information systems security in the US Healthcare
Industry, and decision makers in various organizations where end-user computer security
behavior must align with their business operations. Research work on end-user security behavior
and factors responsible for end-users’ acceptance of information security policies are
increasingly popular research topics in the field of IS and IT (Siponen, Mahmood, & Pahnila,
2014; Teh, Ahmed, & D'Arcy, 2015; Safa, Von Solms, & Furnell, 2016), which lends towards
the significance of this study. Besides, the success of any information security policy is
dependent on end-users’ security behaviors (Furnell & Rajendran, 2012; Yoon & Kim, 2013).
The outcome of this study will provide practitioners with a suggestion for the design and
consistent delivery of effective information security education and awareness program, which
could provide values for organizations on how to better protect their valuable information assets
through information security compliance. This study will analyze the motivational factors such
as reward, penalty, security training programs, social pressures, and job satisfaction that may
have an impact on end-users’ information security behavior and the relevance that end-users’
information security behavior has on the success of protecting patient health care record in the
healthcare industry.
In recent years, the study of end-user information security behavior has garnered
researchers have drawn upon theories from different disciplines—such as criminology, social
Uffen, Breitner, Neumann, & Hohler, 2014) explaining factors leading to end-users' security
behavior. Examples of such research literature documented in this domain include, but are not
limited to, Bulgurcu et al. (2010), D’Arcy et al. (2009), Herath & Rao (2009), Ifinedo (2012),
Yoon et al. (2012), and Nasir & Arshah (2018). Although this exhibits the interdisciplinary
nature of information security, according to Abraham (2011), “it detracts in providing a holistic
view of end-user information security behavior” (p. 1). The reason, as highlighted by the same
author, is that this literature tends to study end-user security behavior from a micro perspective,
with emphasis on individual factors only. Supporting this argument, Lebek et al. (2014) claim
that constructs adopted in information security research are mainly from the theory of planned
behavior (TPB), theory of reasoned action (TRA), general deterrence theory (GDT), protection
motivation theory (PMT), and the technology acceptance model (TAM). Also, these studies only
less attention has been accorded to examining other motivational factors that may influence end-
user security behavior (Lebek et al., 2014), especially environmental and interpersonal factors,
which this study embraces by studying the impact of reward; penalty; security education,
training, and awareness programs; social pressures; and job satisfaction on end-users’
A large amount of research in this domain has examined (D’Arcy, 2009) end-user
behavior towards information security in other disciplines, such as the banking industry, IT
organizations, and schools (e.g., Bulgurcu et al., 2010; D’Arcy et al., 2009; Herath & Rao, 2009;
Ifinedo, 2012; Yoon et al., 2012). However, research on the behavior towards
information security, with healthcare employees as the population, is lacking (Bauer, Bernroider,
& Chudzikowski, 2017). The healthcare industry is unique in that personnel employed in the
industry are required to adhere to HIPAA compliance regulations, but the individuals with access
to sensitive information are themselves experts in their respective fields, such as medicine, and
have a professional interest in delivering the best in their respective crafts but are not focused
on ensuring HIPAA compliance (Al-Mukahal & Alshare, 2015; Bauer, Bernroider &
This research effort addresses security training program, penalties, job satisfaction,
reward, and social pressures as motivational factors that could help business managers/owners
information security policy compliance. Also, the findings of this study may provide the field of
Information Systems and the Organizational Behavior body of knowledge with empirical data for
future research.
Furthermore, the outcomes of this study can advance the understanding of end-user
security behaviors by expanding on the work of Herath and Rao (2009a), by examining the
relationship between the independent variables (reward, penalty, security training programs,
social pressures, and job satisfaction) and the dependent variable (end-user information security
behaviors) in the US Healthcare industry. The understanding of this relationship can help shed
light across organizations within and outside the US Healthcare industry, including the IS body
Research Questions
To what extent do the motivational factors of reward, penalty, security education,
training and awareness (SETA) programs, social pressures, and job satisfaction predict end-user
ResQ2. To what extent does penalty predict end-user security behaviors among
ResQ3. To what extent do security education, training and awareness (SETA) programs
ResQ4. To what extent do social pressures predict end-user security behaviors among
ResQ5. To what extent does job satisfaction predict end-user security behaviors among
Definition of Terms
Availability: This means that authorized individuals are granted timely and uninterrupted
Compliance: This is the act of conforming to or adhering to rules and regulations
Confidentiality: This offers a high level of assurance that information is only disclosed,
exposed or available to authorized individuals and systems. It ensures that authorized subjects
are granted the rights and privilege to objects based on a need to know (Whitman & Mattord,
2012).
Data Breach: An occurrence in which sensitive and confidential data are accessed
Compromised. The data may have been viewed or stolen either intentionally or unintentionally
End-Users: End-users are individuals who use information technology systems and
conventions, following email policies, scanning activity, and protecting access to electronic files
Information security: This concept has been broadly described as the management and
protection of an individual’s or a company’s information data or data assets (Cheng et al., 2013).
secure behavior have been offered in various literature. Definitions of information security
behaviors include, but are not limited to, password selection, data backup procedures, file access,
information sharing, and scanning activity (Shropshire et al., 2015). These behaviors also include
setting accounts to private, adding strangers as friends on social media sites, using friend service,
and using profile trackers (Henson, Reyns, & Fisher, 2009). Also, writing down and sharing
passwords (Herath & Rao, 2009b), applying security patches and updates (Whitty, 2015),
unauthorized file sharing, device sharing (Hayden, 2009), and protection of laptops and external
storage devices, such as pen sticks, are other examples of information security behaviors
(Veltsos, 2012).
Information security awareness: Security awareness occurs when a user understands the
security policies, procedures, and practices and can apply them in the absence of guidance when
Information security education training: This process instructs users about their
responsibility to uphold the organization’s information system and security policies, procedures,
and practices.
Integrity: Nature of information that retains its veracity and can only be modified by
authorized subjects (Whitman & Mattord, 2014).
Job Satisfaction: This is an attitude exhibited by individuals towards their jobs based on
their perceptions or their overall sense of well-being at work (Greene & D’Arcy, 2010; Aydogdu
Penalties: The deterrence theory of penalties/punishment can be traced to the early works
and Jeremy Bentham (1748–1832). The theory relies on three individual components: severity,
certainty, and celerity. The more severe a punishment, the more likely that a rationally
calculating human being will desist from criminal acts. To prevent crime, therefore, criminal law
must emphasize penalties to encourage citizens to obey the law. For this study, penalties are
investigated by two mechanisms, namely, perceived severity of the punishment/penalty and
Reward: This is the incentive or compensation received for complying with security
policies and procedures. According to Welschen, Todorova, and Mills (2013), this is a direct
incentive from performing an activity. The incentives come in the forms of wages,
compensation, bonuses, and praises, given to end-users for maintaining a certain level of
potential security risk, policies, and responsibilities. Furthermore, the program is aimed at
providing employees with the skills necessary to comply with organizational information
Crittenden & Crittenden, 2013). According to Herath and Rao (2009a), the two sources of social
pressures that could influence end-user information security behavior are normative beliefs and
peer behavior. The normative beliefs refer to the anticipated social pressures to perform the
behavior in question (Ajzen, 1991). Peer behavior refers to adopting the other individuals’
behavior based on conversation and observation (Herath & Rao, 2009a), with the belief that the
behavior seems sensible and acceptable (Cheng et al., 2013). For this study, peer behavior
describes co-peers’ information security compliance or non-compliance behaviors.
Threat: An object, subject, or any other entity that is pervasive and has the potential to
disrupt or cause an undesirable outcome for an organization’s information assets (Whitman &
Mattord, 2014).
can be exploited, thereby rendering the system ineffective and insecure (Whitman & Mattord,
2012).
Research Design
survey study that utilizes objective methodologies to determine research questions, population
and sampling, data collection, the method of analysis, and understanding and interpretation of the
results. This research design was appropriate based on the post-positivist orientation of the
researcher, that the world is objective (Creswell, 2009; Salkind, 2010), and thereby seek out facts