Mobile Edition
Print
Get the Mag
Weekly UpdatesAbstract
To advance our knowledge about Internet abuse in the workplace, this study examines how deterrence mechanisms commonly used within organizations impact individual decisions to abuse the Internet. The study uses a policy-capturing approach to test the relative degree of deterrence imposed by common components of Internet acceptable use policies (AUPs). The results provide evidence that an AUP that defines acceptable Internet usage, imposes potential sanctions, and implements detection (or monitoring) mechanisms is an important deterrent of Internet abuse. In addition, these mechanisms are most effective when they are actively enforced. The study provides valuable insights and considerations for drafting and implementing an AUP in an organization.
Keywords: Non-work-related computing, general deterrence theory, Internet abuse, Internet acceptable use policy, self-control
Introduction
The Internet and its associated technologies have created a revolutionary change in the way business information flows. With the click of a button, we can communicate, order products, or track competitor activities, among other things. However, the Internet can be misused. The U.S. Treasury Department found that non-work-related computing (NWRC), such as online shopping, checking personal finances, answering personal emails, and using chat rooms, accounted for 51 percent of an employee's time online (Davis, 2001). Urbaczewski and Jessup (2002) refer to the lost productivity that takes place directly after granting employees Internet access as a "productivity vacuum," where the easy access to non-work-related activities is too tempting for employees to resist. In addition to the lost productivity, misuse of the Internet can cause other problems such as security concerns and reduced bandwidth, along with legal issues such as racist, sexist, and offensive materials being transmitted via email (Case and Young, 2002a, 2002b). This gives management motivation to try to reduce or eliminate NWRC.
Some organizations try to curb NWRC by blocking access to unauthorized Internet sites; but due to the dynamic nature of the Internet, keeping a list of unauthorized sites updated can be difficult and time consuming. Instead, many organizations rely primarily on Internet acceptable use policies (AUPs). AUPs attempt to control NWRC by providing guidelines on appropriate computer use, and outline how the organization will monitor, enforce, and punish non-work-related activities (Lee and Lee, 2002; Woon and Pee, 2004). Despite the widespread use of AUPs (1), NWRC has continued to grow (Lee and Lee, 2002; Lee, Lim, and Wong, 2005; Urbaczewski and Jessup, 2002). In addition, managers encounter a catch-22 when introducing AUPs. Potential positive effects of AUPs, such as keeping employees on task, can be counteracted by reduced workplace satisfaction and trust (Urbaczewski and Jessup, 2002). Despite the high degree of abuse shown in many studies, employees often use the Internet for short personal tasks or during breaks, which are not detrimental to the organization and would be consumed by other non-work-related tasks if the Internet were not available (Urbaczewski and Jessup, 2002). Thus managers must make a decision about the amount of NWRC they are willing to tolerate to balance productivity and morale.
This paper helps resolve this paradox by providing insights into how effectively various components of an Internet acceptable use policy deters non-work-related computing. In other words, which components of an AUP give managers the most "bang-for-the-buck?" By using a multi-criteria decision-capturing approach (policy capturing), this study addresses these issues by examining how specific components of an AUP stack up against one another in deterring an employee's intention to perform NWRC.
Internet Acceptable Use Policy (AUP)
Organizations are concerned about the consequences of NWRC, including lost productivity, potential legal liability, and poor corporate image. Many are resorting to AUPs for deterrence (Case and Young, 2002a; Greenfield and Davis, 2002). Typical components of an AUP are:
1. an explanation of the scope of the AUP, (e.g. who and what does it apply to)
2. a statement defining appropriate use
3. examples of appropriate versus inappropriate use
4. a statement defining punishment for inappropriate use
5. a statement about the extent of monitoring, and
6. a signature of the reader acknowledging that they have received and understand the policy (Siau, Nah, & Teng, 2002)
Even though AUPs are widespread, most companies do not actively enforce their policy (Greenfield and Davis, 2002). Despite the lack of enforcement, the mere adoption of an AUP by an organization has been shown to mitigate NWRC behavior due to increased employee awareness of the policy (Harrington, 1996; Lee and Lee, 2002; Lee et al., 2005). However, as mentioned in the introduction, Urbaczewski and Jessup (2002) suggest that regardless of their potential benefits, AUPs can reduce workplace satisfaction and trust; this is particularly exacerbated by monitoring mechanisms. Thus, it is important that firms do not implement deterrence measures haphazardly and instead try to implement mechanisms that have the greatest ratio of deterrence to dissatisfaction. To this end, the current paper presents an exploratory study to answer the research question:
What is the relative impact of specific control mechanisms commonly found in AUPs on deterring NWRC?
AUPs from a General Deterrence Perspective
General deterrence theory (GDT) provides a theoretical foundation for proposing and evaluating deterrence components within an AUP, and based on GDT we are able to hypothesize the relative importance of several of the deterrence components. Under general deterrence theory, individuals make rational risk/reward decisions based on their expected gratification from taking advantage of opportunities, versus their perceptions of the likelihood and severity of potential consequences. GDT has long been the foundation for crime prevention. It provides insights on how security measures can discourage illicit behaviors. GDT has been used by criminologists to examine the effects of laws on crime, but it has only recently been used to look at workplace issues such as NWRC (Lee et al., 2005; Lee and Lee, 2002; Woon and Pee, 2004).
AUPs comply with GDT because they clarify unethical Internet use and raise employee consciousness to the potential for negative repercussions for abusive behavior. Specifically, AUPs explicate the potential severity of consequences, and by revealing the existence of security and detection systems, they create awareness to the likelihood of consequences coming about.
Researchers who have examined the impact of penalties on intentions to perform NWRC found that the mere awareness of others being reprimanded for performing NWRC reduced user intentions (Lee and Lee, 2002; and Woon and Pee, 2004). This is an intuitively logical finding and we conjecture that enforcement is the key determinant on deterring user intentions. Even when an individual is likely to get caught performing NWRC (for example, by detection systems) and potential ramifications are severe, those mechanisms will have relatively little salience without enforcement. This can be easily illustrated with a short analogy. Imagine that fines for highway speeding and the number of highway patrol officers are greatly increased. Yet you are not aware that the speed laws are ever enforced; everyone just gets a warning. Would you expect drivers to be compelled to comply with speed limits in this case? Probably not.
Kelman (1958) was one of the first to use this line of thinking. Kelman found that individual beliefs tend to change to conform with another party's rules when the other party is able to deliver punishment, is described to be socially acceptable, or is described to be highly credible. This has been extended to the business context by various authors (Tyler 2001; Tyler and Blader, 2005).
Based on this, we conjecture that the awareness that sanctions are being enforced will make the threat of sanctions more credible and increase perceptions about the likelihood of punishment, and will thus be the most salient deterrent on NWRC.
H1: Enforced sanctions will have the greatest degree of deterrence on NWRC.
Even without awareness of enforcement, we expect that the threat of sanctions will still have a relatively strong impact on deterring NWRC, particularly if the level of sanction is strong, such as getting fired. GDT suggests that individuals weigh potential sanctions against the gratification received from an illicit act. Thus, these sanctions are important in a decision maker's mental account. Based on this, we suggest that the threat of sanctions, regardless of whether or not a decision maker is aware of the sanctions being enforced, will have a high level of deterrence on NWRC as compared to other common components of an AUP.
H2: The threat of sanctions will have a high degree of deterrence on NWRC relative to other components of an AUP.
We also expect detection systems to have a strong affect. Detection systems increase perceptions of the likelihood of sanctions being enforced (Hollinger and Clark, 1983). Based on this we expect detection systems to have significant impact on deterring NWRC relative to other common components of an AUP.
H3: Detection systems will have a high degree of deterrence on NWRC relative to other components of an AUP.
Signing an Internet acceptable use policy may not link directly to general deterrence theory, but we expect it to enhance other control mechanisms. For instance, signing a statement saying that one has read and will comply with the AUP will make the individual more mindful of the AUP's components. Case and Young (2002b) found anecdotal evidence that deterrence will be enhanced when employees are required to sign a statement indicating that they agreed to comply with the AUP at their organization. They found that 60 percent of participants who were required to sign their Internet use policy felt the policy was an effective deterrent. However, since signing a statement does not deter non-work-related computing itself, we do not expect it to have a strong relative impact on NWRC.
FEED