The Roles of Ethics and Individual-Level Cultural Characteristics in Predicting Organizational Computer Abuse
Is Your Banker Leaking Your Personal Information? The Roles of Ethics and Individual-Level Cultural Characteristics in Predicting Organizational Computer Abuse
Paul Benjamin Lowry • Clay Posey •
Tom L. Roberts • Rebecca J. Bennett
Received: 29 November 2010 / Accepted: 3 April 2013 / Published online: 25 April 2013
� Springer Science+Business Media Dordrecht 2013
Abstract Computer abuse (CA) by employees is a criti-
cal concern for managers. Misuse of an organization’s
information assets leads to costly damage to an organiza-
tion’s reputation, decreases in sales, and impositions of
fines. We use this opportunity to introduce and expand the
theoretic framework proffered by Thong and Yap (1998) to
better understand the factors that lead individuals to com-
mit CA in organizations. The study uses a survey of 449
respondents from the banking, financial, and insurance
industries. Our results indicate that individuals who adhere
to a formalist ethical perspective are significantly less
likely to engage in CA activities than those following a
utilitarian ethical framework. In addition, the results provide
evidence that employees with individualistic natures are
linked to increased CA incidents, whereas collectivist ten-
dencies are associated with decreases in CA behaviors. Our
results also show that collectivism acts as a strong moderator
that further decreases the relationships between formalism
and CA, and utilitarianism and CA. Finally, we offer
detailed suggestions on how organizations and researchers
can leverage our findings to decrease CA occurrences.
Keywords Culture � Computer abuse � Deontological evaluations � Ethics � Formalism � Information security � Organizational security � Teleological evaluations � Utilitarianism � Collectivism � Individualism
Abbreviations
CA Computer abuse
CMD Cognitive moral development theory
IS Information systems
IT Information technology
Introduction
An organizational issue of increasing importance is
employees abusing their access to computers and organi-
zational information assets, a phenomenon known as
computer abuse (CA) (Posey et al. 2011; Straub 1990),
which spreads in scope and impact as technology is used
more widely. Straub (1990) formally defined CA as ‘‘the
unauthorized and deliberate misuse of assets of the local
organization information system by individuals’’ (p. 257).
CA is a critical problem requiring corporate leadership to
resolve (D’Arcy and Hovav 2007; Lee et al. 2004; Peace
et al. 2003; Posey et al. 2011): In one study, nearly half of
Electronic supplementary material The online version of this article (doi:10.1007/s10551-013-1705-3) contains supplementary material, which is available to authorized users.
P. B. Lowry (&) College of Business, City University of Hong Kong, P7912,
Academic Building I, 83 Tat Chee Avenue, Hong Kong, China
e-mail: Paul.Lowry.PhD@gmail.com
C. Posey
Information Systems, Statistics and Management Science,
Culverhouse College of Commerce, The University of Alabama,
Box 870226, Tuscaloosa, AL 35487, USA
e-mail: cposey@cba.ua.edu
T. L. Roberts � R. J. Bennett Department of Management and Information Systems, College
of Business, Louisiana Tech University, P.O. Box 10318,
Ruston, LA 71272, USA
e-mail: troberts@latech.edu
R. J. Bennett
e-mail: rbennett@latech.edu
123
J Bus Ethics (2014) 121:385–401
DOI 10.1007/s10551-013-1705-3
http://dx.doi.org/10.1007/s10551-013-1705-3
the participants involved were aware of CA in their orga-
nizations (Hilton 2000); in another, approximately 30 % of
business professionals admitted to pirating their employers’
software (Haines and Leonard 2007). Many organizations
have also had to discipline employees for downloading
pornography at work or abusing email (Haines and Leonard
2007). Disgruntled employees rank second to outside
hackers as sources of system attacks (Haines and Leonard
2007); clearly, internal CA is a critical problem facing
organizations today (D’Arcy and Hovav 2007; Lee et al.
2004; Peace et al. 2003; Posey et al. 2011).
The negative impact of CA can be accounted for in the
loss of hundreds of billions of dollars caused by lost effi-
ciency, software piracy, security leaks, privacy violations,
legal liabilities, and the like (Culnan and Williams 2009;
Douglas et al. 2007; Gan and Koh 2006; Moores and
Dhaliwal 2004; Siponen and Vartiainen 2007; Son and Kim
2008; Thong and Yap 1998). However, many of the cata-
strophic losses are hard to calculate as they can affect the
core of an organization’s business in complex and profound
ways (Wang et al. 2008) such as lost reputation, lost sales,
and legal liabilities (Son and Kim 2008).
The ethical and cultural issues surrounding CA are of
unprecedented importance to organizations and thus are
management not just technical issues (Posey et al. 2011;
Ransbotham and Mitra 2009). The many ethical gray areas
and issues surrounding CA are particularly problematic
(Calluzzo and Cante 2004) because such issues often
involve moral hazard.1 Moral hazard has increased as
computer use has increased (Tuttle et al. 1997) because of
the ability to hide privately held information or the often
inaccurate belief that one can hide such information. Even
when no moral hazard exists, many forms of CA do not
have clear right and wrong implications for the abusers,
and thus, they have no ethical or moral incentive to not
commit the abuse (Calluzzo and Cante 2004; Cohen and
Cornwell 1989). Therefore, CA has strong ethical and
cultural foundations.
Given the serious management and organizational
issues caused by CA, and its expansive interrelationship
with ethics and culture, the purpose of this paper is
twofold: (1) to examine the degree to which one’s dis-
position toward ethical formalism or utilitarianism affects
one’s propensity to commit CA and (2) to examine the
degree to which one’s individual-level characteristics of
collectivism and individual influence one’s propensity to
commit CA.
Background on Investigating Computer Abuse
in Organizations
Due to the growing importance of CA-related issues in the
ethical use of IS, researchers have investigated various
methods to address these issues. The most traditional
approach to preventing CA has been to try to directly block
negative employee behaviors with technical measures.
Some of these approaches have included authentication and
identification (Wang et al. 2009; Zviran and Erlich 2006),
passwords and pass phrases (Keith et al. 2009; Zhang et al.
2009), firewalls (Cavusoglu et al. 2009), intrusion detection
(Cavusoglu et al. 2009; Hansen et al. 2007; Ransbotham
and Mitra 2009), rights management, countermeasures
(Ransbotham and Mitra 2009), and system controls (Rao
et al. 2007). Additional approaches include the use of
policies and procedures, computer monitoring (Ariss
2002), audit trails, IT audits (Merhout and Havelka 2008),
IS risk analyses (Sutton et al. 2008), IS security counter-
measures (Hansen et al. 2007; Straub and Welke 1998),
and general violation-prevention strategies (D’Arcy et al.
2009).
Other approaches have innovatively coupled psychology
with traditional approaches. These integrated methods
include using fear appeals (Johnston and Warkentin 2010),
leveraging employee perceptions of IT policy so policies
appear more mandatory (Boss et al. 2009), countering
neutralization techniques (Siponen and Vance 2010), and
using general deterrence theory (Herath and Rao 2009b;
Lee et al. 2004; Straub 1990) or related penalty-oriented
techniques (Herath and Rao 2009a).
Although these approaches have shown some efficacy,
the results are highly mixed. We posit that one possible
reason is that such studies have largely ignored individual-
level ethical and cultural characteristics that likely impact
one’s decisions about various kinds of CA. Thus, we assert
that both considerations need further examination.
The Case for Studying Individual-Level Ethics
in Computer Abuse
Ethics have long been acknowledged as a key individual-
level consideration in IT use. IT studies have used ethics-
based approaches in reviewing situational ethics (Banerjee
et al. 1998), IT development (Chatterjee et al. 2009),
decision making and moral reasoning relating to IT use
(Calluzzo and Cante 2004; Cohen and Cornwell 1989;
Davison et al. 2009; Harrington 1996; Leonard and Cronan
2001; Leonard et al. 2004; Loch and Conger 1995; Myyry
et al. 2009; Smith and Hasnas 1999), and reporting or not
reporting bad IT news (Smith and Keil 2003; Smith et al.
2001). Yet little research addresses ethics and CA. The
1 Moral hazard occurs when there is ‘‘an incentive to act in one’s
self-interest in conflict with the organization’s overall goals while
being able to hide those actions through privately held information’’
(Tuttle et al. 1997, p. 7).
386 P. B. Lowry et al.
123
primary examples of ethics and CA studies include specific
contexts of software piracy (Gan and Koh 2006; Moores
and Chang 2006; Moores and Dhaliwal 2004) and avoiding
privacy violations (Culnan and Williams 2009), but no
studies have applied ethics to the broader construct of CA.
Furthermore, an opportunity exists in studying the effect
of ethical dispositions themselves. Haines and Leonard
(2007) noted two approaches to studying ethics: one based
on dispositions and traits and the other based on the deci-
sion-making process. The IT literature is replete with
studies that examine the decision-making process in rela-
tion to appropriate and inappropriate technology-based
individual behaviors, yet little research has been conducted
in terms of individual ethical dispositions and traits. For
example, Winter et al. (2004) studied on Machiavellianism
and ethical idealism. A much more common research
perspective on ethical dispositions and traits, which has
produced several promising non-technology-related studies
in the management literature (Brady and Dunn 1995; Brady
and Wheeler 1996; Hunt and Vitell 1986; Schminke et al.
1997), involves the study of formalism and utilitarianism.
The promise of studying the effects of individual ethical
dispositions on CA yields our first research question:
RQ1 In what way(s) do individuals’ ethical tendencies
toward formalism or utilitarianism predict the individuals
propensity to commit CA in the workplace?
The Case for Studying Individual-Level Cultural
Characteristics in Computer Abuse
Husted and Allen (2008) indicated that researchers still
understand little about how culture affects perception and
evaluation of abusive practices such as software piracy and
other behaviors. Worse still, how cultural dimensions
might affect CA more broadly—particularly culture at the
individual level—has yet to be fully examined. This limi-
tation is a glaring gap because increased globalization and
heterogeneity in organizations make cultural consider-
ations of ethical decisions all the more important, espe-
cially because cultural differences—primarily based on the
collectivism and individualism dimensions—have been
consistently shown to promote substantial differences in
ethical decision making (Bailey and Spicer 2007; Beekun
et al. 2008; Davison et al. 2009; Husted and Allen 2008;
Husted et al. 1996; Patel and Schaefe 2009; Ralston et al.
2008; Robertson and Crittenden 2002; Schlegelmilch and
Robertson 1995).
The few studies that have addressed forms of CA from a
cultural perspective have looked at software piracy at an
exploratory national culture level. For example, studies
have shown that software piracy is less frequent in the U.S.
than in Asia (Donaldson 1996; Swinyard et al. 1990).
Husted (2000) found that software piracy is correlated to
national GNP per capita, income inequality, and collec-
tivism. More recently, another study found substantial
differences in software piracy and related corruption
practices at the national culture level (Robertson et al.
2008). Davison et al. (2009) applied CMD theory to IT
professionals working in Japan and China, and showed that
the ethical reasoning in these two national cultures had
notable differences.
These studies suggest that the cultural dimensions of
collectivism and individualism may play a key role in
ethical decision making. The conceptualization of culture
on the national level conforms to the traditional view of
culture and is most often seen in studies comparing indi-
vidualistic societies (e.g., US) and collectivistic societies
(e.g., China) (Chen and Li 2005; Hofstede 1984, 1991,
2001; Tsui and Windsor 2001; Zhang et al. 2008). The
national-level perspective has been traditionally used in
ethics research. Some studies have shown that moral and
ethical reasoning differs across national cultures, but have
done so primarily as exploratory research without a strong
theoretic basis or explanation (Robertson et al. 2002; Tsui
and Windsor 2001). Other studies have proposed an even
stronger theoretic basis that national culture can be a
determinant of ethical differences (Robertson and Fadil
1999; Tavakoli et al. 2003; Vitell et al. 1993).
However, there are several research concerns about
national-level cultural studies, particularly in comparing
individualism and collectivism (e.g., Earley 1989; Fiske
2002; McCoy et al. 2005; Srite and Karahanna 2006; Tri-
andis and Gelfand 1998). The chief limitation of national-
level studies is that increasingly, in a globalized world,
national cultures are becoming highly heterogeneous, and
thus, multiple cultural perspectives can be found within
cultures (McCoy et al. 2005). Thus, applying national-level
cultural characteristics to predict an individual’s behavior
can result in inaccurate and misleading stereotyping and
can be too dichotomous (Triandis and Gelfand 1998).
For instance, a 2002 meta-analysis evaluating the con-
struct of individualism–collectivism across 82 studies
compared cross-national and within-United States studies
of individualism–collectivism and found that the Japanese
sample scored significantly lower on collectivism than the
U.S. sample did and that the Korean sample was not dif-
ferent from the U.S. sample (Oyserman et al. 2002). This,
of course, is consistent with Hofstede’s (1984, 2001) caveat
that national cultural values may change over time; how-
ever, it calls into question the methodology of assuming
that nations have the same culture now as they did 40 years
ago when Hofstede characterized them. Oyserman et al.’s
(2002) meta-analysis demonstrated a between-group effect
(for the U.S. samples) for ethnicity on individualism, with
Individual Ethics and Cultural Characteristics in Predicting Computer Abuse 387
123
European Americans the most individualistic; however, the
effect was present only in comparison with Asian Ameri-
can groups and that effect was small. Similarly, recent
research demonstrates that individuals hold nationally
espoused cultural values to vastly different degrees, and
thus, the individual level of measurement of analysis is
more accurate and appropriate (Srite and Karahanna 2006).
Importantly, using individual-level cultural measures for
predicting individual behavior helps researchers avoid
ecological fallacies widely found in cultural research. That
is, per Hofstede (2002), country scores should not be used
to predict individual behavior. ‘‘Doing so is to commit
ecological fallacy, which assumes that one can validly use
ecological correlations (which apply to collective entities
such as groups) to substitute for individual correlations’’
(Srite and Karahanna 2006, p. 681). Subsequent research
shows that it is valid to study culture at the national,
organizational, and individual levels, but that the key is
using the proper level of measurement (Fischer et al. 2005).
Consequently, for this study, rather than use a 40-year-
old assessment of between-country differences on indi-
vidualism–collectivism or using respondents’ ethnicity as a
proxy for individualism–collectivism, we followed the
approach of many other researchers and measured indi-
vidualism and collectivism directly, at the individual level
(Earley 1989; McCoy et al. 2005; Srite and Karahanna
2006; Triandis and Gelfand 1998). This decision leads to
our second and last research question:
RQ2 To what extent do individuals’ tendencies toward
collectivism or individualism predict individuals’ propen-
sity to commit CA in the workplace?
Theoretic Model and Hypotheses
The thrust of the theoretic work in ethics-based outcomes has
focused primarily on the decision-making process, with less
focus on how dispositions and traits affect the outcomes. One
notable exception to this gap was a study by Winter et al.
(2004) that reviewed IT ethics in terms of Machiavellianism
and ethical idealism and found that those who lean toward
Machiavellianism were more likely to violate intellectual
property and privacy rights than those with ethical idealism.
However, a more prominent and accepted theoretic per-
spective is a body of theory and research that shows that an
individual’s disposition toward a moral philosophy based on
deontological or teleological evaluation maps directly to
one’s ethical dispositions toward formalism and utilitarian-
ism, respectively (Brady and Dunn 1995; Brady and Wheeler
1996; Hunt and Vitell 1986; Schminke et al. 1997). Yet this
well-accepted theoretic approach has not been applied in a
CA context. We do so here.
When employees commit CA in the workplace, they
knowingly violate implicit or explicit ethical rules of
conduct. Ethics can be defined ‘‘as an inquiry into the
nature and grounds of morality where morality is taken to
mean moral judgments, standards, and rules of conduct’’
(Thong and Yap 1998, p. 215). Accordingly, we follow the
standard raised by other computer-based ethics studies in
conducting research based on moral philosophies (e.g.,
Gattiker and Kelley 1999; Thong and Yap 1998). The use
of moral philosophies can provide a systematic perspective
for assessing the ethical appropriateness of individual
behavior, also called normative ethics theory (Thong and
Yap 1998).
The post The Roles of Ethics and Individual-Level Cultural Characteristics in Predicting Organizational Computer Abuse appeared first on graduatepaperhelp.
"Looking for a Similar Assignment? Get Expert Help at an Amazing Discount!"