Organizational Violations of Externally Governed Privacy and Security Rules: Explaining and Predicting Selective Violations Under Conditions of Strain and Excess

Journal of the Association for Information Systems, vol. 17(1), pp. 39–76 ISSN: 1536-9323

66 Pages. Posted: 28 May 2015. Last revised: 26 Jan 2016

Jeffrey Wall

University of North Carolina (UNC) at Greensboro

Paul Benjamin Lowry

Virginia Polytechnic Institute & State University - Pamplin College of Business

Jordan B. Barlow

California State University, Fullerton - Mihaylo College of Business & Economics

Date Written: May 28, 2015

Abstract

Privacy and security concerns are pervasive because of the ease of access to information. Recurrent negative cases in the popular press attest to the failure of current privacy regulations to keep consumer and protected health information sufficiently secure in today’s climate of increased IT use. One reason for such failure is that organizations violate these regulations for multiple reasons. To address this issue, we propose a theoretical model to explain the likelihood that organizations will select an externally governed privacy or security rule for violation in response to organizational strain or slack resources. Our proposed theoretical model, the selective organizational information privacy and security violations model (SOIPSVM), explains how organizational structures and processes, along with characteristics of regulatory rules, alter perceptions of risk when an organization’s performance does not match its aspiration levels and thereby affect the likelihood of rule violations. Importantly, SOIPSVM is contextualized to organizational privacy and security violations. SOIPSVM builds on and extends the selective organizational rule violations model (SORVM), which posits that organizational rule violations are selective. SOIPSVM provides at least four contributions to the privacy and security literature that can further guide empirical research and practice. First, SOIPSVM introduces the concept of selectivity in rule violations to privacy and security research. This concept can improve privacy and security research by showing that organizational violations of privacy and security rules are dynamic and selective yet influenced by external forces. Second, SOIPSVM extends the boundaries of SORVM, which is limited to explaining the behavior of organizations under strain, such as economic hardship. We contribute to the theory of selective deviance by proposing that selectivity extends to organizations with slack resources. Third, we address ideas of non-economic risk and strain in addition to economic risk and strain. SOIPSVM thus explains organizational rule-violating behavior as an attempt to protect core organizational values from external entities that pressure organizations to change their values to comply with rules. Fourth, we broaden the theoretical scope of two important constructs, namely structural secrecy and procedural emphasis, to improve the explanatory power of the model. Fifth, we identify important elements of rule enforcement by drawing from the tenets of general deterrence theory. We also discuss how constructs from general deterrence theory can be studied at the organizational level. To conclude, we offer recommendations for the structuring of organizations and external regulations to decrease organizational rule violations, which often lead to the abuse of consumer information.

Keywords: selective organizational information privacy and security violations model (SOIPSVM), privacy, security, theory building, organizational privacy, organizational security, rule violations, policy violations, information abuse, SOIPSVM, PCI DSS, HIPAA, selective organizational rule violations model

Suggested Citation

Wall, Jeffrey and Lowry, Paul Benjamin and Barlow, Jordan B., Organizational Violations of Externally Governed Privacy and Security Rules: Explaining and Predicting Selective Violations Under Conditions of Strain and Excess (May 28, 2015). Journal of the Association for Information Systems, vol. 17(1), pp. 39–76 ISSN: 1536-9323. Available at SSRN: https://ssrn.com/abstract=2611567

Jeffrey Wall

University of North Carolina (UNC) at Greensboro

Greensboro, NC 27412
United States

Paul Benjamin Lowry (Contact Author)

Virginia Polytechnic Institute & State University - Pamplin College of Business

1016 Pamplin Hall
Blacksburg, VA 24061
United States

Jordan B. Barlow

California State University, Fullerton - Mihaylo College of Business & Economics

P.O. Box 6848
Fullerton, CA 92834-6848
United States