Information protection behaviors: morality and organizational criticality
Nancy K. Lankton, Charles Stivason and Anil Gurung
Marshall University, Harrisburg, Pennsylvania, USA
Abstract
Purpose – Organizational insiders play a critical role in protecting sensitive information. Prior research
finds that moral beliefs influence compliance decisions. Yet, it is less clear what factors influence moral beliefs
and the conditions under which those factors have stronger/weaker effects. Using an ethical decision-making
model and value congruence theory, this study aims to investigate how moral intensity and organizational
criticality influence moral beliefs and intentions to perform information protection behaviors.
Design/methodology/approach – The hypotheses were tested using a scenario-based survey of 216
organizational insiders. Two of the scenarios depict low criticality information security protection behaviors
and two depict high criticality behaviors.
Findings – A major finding is that users rely more on perceived social consensus and magnitude of
consequences when organizational criticality is low and on temporal immediacy and proximity when
criticality is high. In addition, the moral intensity dimensions explain more variance in moral beliefs when
organizational criticality is low.
Research limitations/implications – The study is limited by its sample, which is organizational
insiders at a mid-size university. It is also limited in that it only examined four of the six moral intensity
dimensions.
Practical implications – The findings can guide management about which moral intensity dimensions
are more important to focus on when remediating tone at the top and other leadership weaknesses relating to
information security.
Originality/value – This study adds value by investigating the separate dimensions of moral intensity on
information protection behaviors. It also is the first to examine moral intensity under conditions of low and
high organizational criticality.
Keywords Value congruence, Moral intensity, Ethical decision-making,
Information protection behavior, Organizational criticality
Paper type Research paper
Introduction
A recent survey finds that 90 per cent of organizations feel vulnerable to insider security
breaches, with a majority reporting at least one insider breach in the previous 12 months
(Schulze, 2018). Many insider incidents result from accidents, negligence or from not
complying with policies (Heimer, 2018). In fact, while employees know that protecting data
is important, they may not do so if it hinders their work (Masters, 2018). Insider incidents
can cause a loss of competitive data or intellectual property, and can lead to decreases in
productivity, damages to equipment and other assets, and additional costs to remediate
systems and core business processes (Ponemon Institute, 2016). Some estimate that insider
breaches cost from $100,000 to $500,000 or higher (Schulze, 2018). This makes
understanding the information protection behaviors (IPBs) of organizational insiders a
priority.
Received 31 July 2018
Revised 29 October 2018
22 December 2018
Accepted 19 March 2019
Information & Computer Security
Vol. 27 No. 3, 2019
pp. 468-488
© Emerald Publishing Limited
2056-4961
DOI 10.1108/ICS-07-2018-0092