员工信息安全违规意愿的社会控制要素及实证研究

Accompanying the well-known benefits of the use of information technology (IT) and information systems (IS) in the workplace, simultaneously, employees' violations behavior has been facilitated by the applications. Previous studies on information security have highlighted human agents are the weakest link in the information defense and nearly 80% of security incidents originate from within an organization and cause enormous losses. Therefore, identifying what drives employees' violations of information security policies and understanding how organizations can reduce such behavior are critical to organizations' information security management. Along with some other social factors that relates to employees' violations of information security policies, the social bond and the deterrence mechanism are two important factors that determine the employees' intention to commit policies violation. The conceptual model of employees' policies violation is proposed from the perspective of social control and an integrated model is also put forward based on general deterrence theory(GDT) and social bond theory(SBT). We posit that employees' intention to engage in policies violation is determined by the deterrence factors(perceived certainty and severity of punishment), social control factors(organizational culture, family background, the attachment to community, friends and family, the belief, the involvement and the commitment) and social pressure(subjective norms). A survey of organizational employees will be conducted to test the proposed integrated model. The expected contribution of this research is twofold. Its theoretical contribution is the conceptualization and modeling of employees' violations of information security policies and the empirical investigation of the factors that lead to the intention to commit policies violation. Practically, the results of this research will help organizations better understand why employees often break security rules. Based on the results, they may implement relevant information security policies design, the recruitment of new staff, work assignment and measures to encourage employees to follow security rules or discourage them from engaging in policies violation.

信息技术和信息系统的应用为组织带来了巨大的收益，但同时也诱发了信息违规事件的频繁发生。研究表明，组织内部员工的行为已经成为组织信息管理中最薄弱的一环，接近80%的信息安全问题是由员工的违规行为所引起，并因此为组织带来了巨大的损失。员工的信息安全违规行为受诸多社会因素的制约。其中，社会纽带因素、威慑机制等对其违规意愿具有重要影响。此类因素具有客观性，有利于客观的解析违规行为发生的原因。本课题将据此探索违规发生的深层次原因，从社会控制视角建立员工信息安全违规意愿的概念模型，基于威慑理论、社会纽带理论建立整体模型，提出研究假设。通过实证方法阐明制度控制因素（如制度完备性、惩罚确定性和严厉性等）、社会纽带因素（如组织环境、家庭背景、社会依恋、承诺、信念等）、社会压力（如主观规范）等对员工违规意愿的影响；进而分析其对信息安全敏感岗位员工管理的启示，如招募、岗位安排、信息安全制度制定、守规行为引导等。

本研究主要结合现代信息技术和信息系统的应用中经常发生的信息违规事件这一背景，针对组织内部员工的隐私泄露、数据泄密、违规使用数据等信息安全违规行为展开研究。通过深入分析组织内部员工的信息安全违规事件的类别，探究其发生的根源。考虑员工的社会关系、人格特质和所处的组织环境，基于社会纽带理论、威慑机制、道德推脱、中和技术等分析员工的信息安全违规意愿，从社会控制视角建立员工信息安全违规意愿的概念模型，基于威慑理论、社会纽带理论建立整体模型。深入分析了否认责任、否认伤害、否认受害者、更高层次效忠、避免更多的伤害技术对泄露他人隐私意向的影响；考虑了人格特质中的神经质、开放性、外向性、尽责性和宜人性与泄露他人隐私之间具有相互关系。从犯罪学视角建立了员工互联网滥用行为模型；研究了信息安全遵从行为的激励机制，建立了惩罚的确定性与适度性模型；基于面子倾向的调节效应等研究了组织控制与信息安全制度遵守机制,从道德风险的委托人——代理人理论视角构建了信息安全伽罗瓦格图。.项目的研究获得了系列理论成果，截至2016年底已经在国内外重要期刊、学术会议发表论文20篇，其中SCI、SSCI、EI、CSSCI收录论文13篇。.项目的研究同时也得到了有关信息安全管理的启示，并在银行、电商、软件公司等组织中得到分享与认可，已经成为信息敏感岗位员工安排的重要参考。.同时，项目负责人作为大会主席举办了“第十届中国夏季信息系统研讨会（CSWIM 2016）”、作为论坛主席举办了“2016年中国信息系统协会博士生论坛”。课题组40余人次参加国内外信息管理研讨会。.另外，基于该项目的研究共计培养了专门从事信息安全管理的2名博士生、4名硕士生，并有3名研究生在读。