Author ORCID Identifier

https://orcid.org/0000-0002-3777-7142

Date of Award

11-2-2020

Degree Type

Dissertation

Degree Name

Doctor of Business Administration (DBA)

Department

Business

First Advisor

Lars Mathiassen, Ph.D.

Second Advisor

Richard Baskerville, Ph.D.

Third Advisor

Karen Loch, Ph.D.

Abstract

Current information security research has focused on security threats, prevention of incidents, and federal regulations for reporting incidents. However, we know little about how the behavior of information security professionals impacts security. Against this backdrop, this dissertation seeks to understand the drivers of tensions that information security professionals encounter in the performance of their job functions, which result in paradoxical tensions while reporting on the security of organizational assets. The findings of this study reveal how information security professionals respond to inherent tensions as they become salient, and how these salient tensions often become paradoxical in nature as they are dealt with as part of a security professional’s everyday lived experience. The findings highlight the actions undertaken by security professionals to resolve these paradoxical tensions and, in doing so, often engage in deviant behaviors that are contrary to organizational policy and industry or governmental regulations. These findings thus allow for an improved understanding of the motivations of an individual and assist with the creation of policies and management oversight activities that are intended to reduce the likelihood of information security professionals becoming insider threats to their organizations. To that end, an analytical framing combining paradox theory and deterrence theory as complementary theoretical lenses was adopted in this study. Following an interpretive phenomenological analysis methodology, a series of three in-depth interviews, each with eight information security professionals, was conducted. This methodological approach helped the participants to reflect on the drivers of tensions that they perceived as part of their lived experiences. The participants were selected from a range of industries and across a wide spectrum of experiences to capture a broad diversity of lived experiences. Hence, by determining how the drivers of tensions lead to paradoxical tensions that impact or guide the motivations and behaviors of information security professionals responsible for security reporting, the study seeks to contribute to behavioral information security knowledge in the areas of improvement of information security compliance, separation of insider deviant behavior from insider misbehavior, and understanding insider deviant behavior under duress.

DOI

https://doi.org/10.57709/20052768

File Upload Confirmation

1

Share

COinS