Development and validation of instruments of information security deviant behavior
Amanda M.Y. Chu a, Patrick Y.K. Chau b,⁎
a Department of Management Sciences, The City University of Hong Kong, Hong Kong
b Faculty of Business and Economics, The University of Hong Kong, Hong Kong
Article history: Received 11 July 2013; received in revised form 6 June 2014; accepted 10 June 2014; available online 19 June 2014
Keywords: Information security; Deviant behavior; Instrument development; Measurement; Validity; Reliability
Abstract
Information security deviant behavior (ISDB) of employees is a serious threat to organizations. However, not
much empirical research on ISDB has been carried out. This paper attempts to develop and validate instruments
of ISDB using an empirical method. Two instruments of ISDB are proposed and tested, including a four-item
instrument of resource misuse (ISDB that is related to the misuse of information systems resources) and a
three-item instrument of security carelessness (ISDB that is related to the employees' omissive activities when
using computers or handling data). A rigorous instrument development process which includes three surveys
and addresses six crucial measurement properties (content analysis, factorial validity, reliability, convergent
validity, discriminant validity, and nomological validity) is adopted. The implications of these two instruments
for future empirical studies on ISDB are discussed.
© 2014 Elsevier B.V. All rights reserved.
1. Introduction
Information security deviant behavior (ISDB) of employees, such as
leaving removable storage devices unattended and using untrusted applications
at work, is a serious threat to organizations. A recent survey reported
that 63% of interviewed information security professionals
deemed employees to be a high concern for organizations; the percentage
was higher than that for hackers (55%) or organized crime (38%) [24]. ISDB
also results in serious financial losses for organizations, with a 2009 security
survey reporting the average annual losses arising from security
incidents to be US$234,244 per company [59]. A quarter of respondents to
this survey believed that at least 60% of these financial losses stem from
insiders' actions.
Despite the increasing prevalence and high associated costs of ISDB
in the workplace, our understanding of this topic remains limited and
fragmented [30,64,78]. The lack of instruments to measure ISDB presents
a barrier to our understanding of the relationship between ISDB
and correlated constructs and the development of theories and frameworks
to tackle security problems [48]. In order to understand ISDB, it
is important to develop reliable and valid instruments to measure it.
This study aims to fill this research gap by developing instruments for
the measurement of ISDB under a rigorous instrument development
process. The instruments developed are useful for researchers to investigate
the different properties of such behavior.
The remainder of this paper is organized as follows. We review
related studies and discuss the background theory in Section 2, and
then describe how we used a four-stage process to develop the instruments
for ISDB in Sections 3 and 4. Section 3 focuses on the domain
specification, instrument development and instrument refinement
while Section 4 focuses on the instrument validity. Finally, we discuss
the implications of the findings and draw our conclusion in Section 5.
2. Background theory
2.1. Information security deviant behavior
Workplace deviant behavior is not a new concept. A number of
studies in sociology, psychology, and organizational behavior have
attempted to study acts related to workplace deviant behavior and
used different terminologies to denote the behavior. Examples include
antisocial behavior [26], counterproductive workplace behavior [44],
organizational misbehavior [74], organizational retaliation behavior
[65], workplace aggression [47], and workplace deviance [60]. Regardless
of the different terminologies, prior literature tended to categorize
workplace deviant behavior by its target: interpersonal deviance and
organizational deviance. Table 1 summarizes the definitions of the different
terminologies used to describe the behavior, with examples of interpersonal
deviance and organizational deviance under each terminology.
Interpersonal deviance was further categorized into political deviance and
personal aggression, and organizational deviance into property deviance
and production deviance [60].
Decision Support Systems 66 (2014) 93–101
⁎ Corresponding author. Tel.: +852 3917 1025.
E-mail address: pchau@business.hku.hk (P.Y.K. Chau).
http://dx.doi.org/10.1016/j.dss.2014.06.008