Reaction of users as potential victims of information security breach
Suparak Janjarasjit
Mahasarakham Business School, Mahasarakham University, Mahasarakham, Thailand, and
Siew H. Chan
Department of Accounting and Law Mike Cottrell College of Business, University of North Georgia Dahlonega, Georgia, USA
Abstract
Purpose–The purpose of this study is to examine whether users’perceived moral affect explains the effect of perceived intensity of emotional distress on responsibility judgment of a perpetrator and company, respectively, in an ill and good intention breach.
Design/methodology/approach–Participants completed a questionnaire containing items measuring their perceived intensity of emotional distress, perceived moral affect and responsibility judgment of a perpetrator and company, respectively.
Findings– The results support the mediating hypothesis on responsibility judgment of a perpetrator regardless of intention. The mediating hypothesis is also supported in an ill intention breach in responsibility judgment of a company. However, the mediating effect is not observed in a good intention breach when users assess a company’s responsibility.
Originality/value–Thefindings support the notion that users use the consequentialism approach when assessing a perpetrator’s responsibility because they focus on the victims’emotional distress and discount a perpetrator’s intent, resulting in similar mediating effect of perceived moral affect in an ill and good intention breach. The results also indicate that perceived moral affect increases the negative effect of perceived intensity of emotional distress on responsibility judgment of a company, suggesting that users may exhibit empathetic feelings toward a company and perceive it as a victim of an ill intention breach. The lack of mediating effect in responsibility judgment of a company in a good intention breach may be attributed to the diminished effect of a perpetrator’s feelings of regret, sorrow, guilt and shame for causing emotional distress to the victims.
Keywords Intent, Moral intensity, Information security breach, Moral affect, Responsibility judgment
Paper typeResearch paper
1. Introduction
Previous research has examined hackers’responsibility judgment of an information security breach perpetuated either with a good or ill intention (Chan and Janjarasjit, 2019). The findings indicate that hackers’perceived moral affect (feelings of regret, sorrow, guilt and shame) explains the impact of perceived intensity of emotional distress on responsibility judgment of a perpetrator in an ill but not a good intention breach. This result can be attributed to hackers’perception of a good intention breach (e.g. improve systems security) as morally acceptable and explains their continued engagement in security breach (Chan and Janjarasjit, 2019). Extending the research ofChan and Janjarasjit (2019), this study examines users’reaction as potential victims of a security breach.
Users are considered as the weakest link in the information security chain (Kritzinger and von Solms, 2010;Schneier, 2000) because a perpetrator’s unauthorized access can be
Information security breach
187
Received 15 July 2020 Revised 25 August 2020 Accepted 12 September 2020
Information & Computer Security Vol. 29 No. 1, 2021 pp. 187-206
© Emerald Publishing Limited 2056-4961 DOI10.1108/ICS-07-2020-0118
The current issue and full text archive of this journal is available on Emerald Insight at:
https://www.emerald.com/insight/2056-4961.htm
conducted with ease when users engage in behaviors (Stantonet al., 2005) such as sharing passwords, forgetting to perform back-ups and leaving computer unattended (Barlowet al., 2013;Liet al., 2019). Hence, users play a significant role in preventing information security breach (Kritzinger and von Solms, 2010;Schneier, 2000). Awareness of information security issues may prompt users to implement online social networking security strategies (Molok et al., 2018) and acceptable use policy to improve information security (Dohertyet al., 2011).
Since users learn from past experiences and are aware of the need for engaging in information security protection behaviors (Ahmadet al., 2015;Liet al., 2019), they can be trained to take appropriate measures to protect confidential information especially when they realize that systems utilization is now a significant part of their daily lives. For example, online banking entails disclosure of personal information such as personal identification number, bank account number and credit card number. However, news about information security breach can increase users’concerns about unauthorized access and disclosure of personal information. Thus, users may perceive themselves as potential victims of an information security breach.
When hackers compromised the personal data of 500 million customers of Marriott, this became one of the most prominent information security incidents in recent years (Brewster, 2018). This incident was not thefirst time that Marriott’s system was breached. The hotel chain was a victim of unreported security breaches, including one that hit the company’s own cyber-incident response team (Brewster, 2018). Marriott’s data breaches prompted several government agencies to revise regulation to punish organizations that lose or misuse personal information (Brewster, 2018). The UK Information Commissioner’s Office found that Marriott failed to exercise sufficient due diligence and implement effective measures to secure its system (Whittaker, 2019). In response to the victims’class-action lawsuit against Marriott for failing to protect its customers’data, Marriott insisted that the breach did not cause any harmful consequences to its customers because the exposed data such as passport numbers could not be forged (Bronstad, 2019). Although the lawsuit is still ongoing, Marriott’s system was attacked again in 2020. Marriott announced that the login credentials of two employees were used to gain access to 5.2 million guest records (Coble, 2020). This series of repeated incidents prompts the public to question whether Marriott has taken reasonable steps to protect its customers’personal information and highlights the important role of users in information security (Cohen, 2020).
Information security breach initiated with either an ill (e.g. taking revenge or obtaining financial gain that causes harmful consequences to others) or good (e.g. improving systems security with no intention to cause harmful consequences to others) intention (Chiesaet al., 2009) is expected to elicit different user reactions. Users may consider an ill intention breach as immoral and a good intention breach as morally acceptable. An information security breach might also be perceived as immoral regardless of a perpetrator’s intent. Thus, the implications of a perpetrator’s intent in users’ reaction toward a security breach remain unclear. Researchers have debated for decades with few vague answers on whether a perpetrator’s intent or the harmful consequences of an act should be considered in responsibility judgment of the perpetrator (Cushman and Greene, 2011). Judgment of an act can trigger two different psychological processes of moral thinking: the consequentialism pattern that focuses on the consequences (e.g. emotional distress) and the deontological pattern that considers the costs (e.g. the victims’ emotional distress) and benefits (e.g.
protection of confidential data) of an act (Greenet al., 2008). Since users may engage in both psychological processes during evaluation of an act, moral affect and harmful consequences are pertinent in users’ responsibility judgment (Green et al., 2008). When users use the consequentialism pattern, they may focus on the victims’emotional distress and overlook a
ICS 29,1
188
perpetrator’s intent, leading to similar reaction toward a breach perpetuated with either an ill or good intention. If the deontological pattern is used, users might consider the degree of intensity of the victims’ emotional distress (cost) and a perpetrator’s intent such as improving systems security (benefit) when assessing responsibility for the breach. This study will shed light on whether users’reactions toward an ill and good intention breach differ because an ill intention breach is perceived as unlikely to result in beneficial outcomes, while a good intention breach is believed to entail potential benefits.
Users such as students and employees are required to adhere to university systems security policies. They might believe that their organizations try their best to protect personal information, especially when increased investment in systems security is expended to mitigate security vulnerabilities (Roumani et al., 2016). These users may feel that they observe the organizations’security policies and engage in improved information security protection behavior (Li et al., 2019). Since organizations are motivated to secure their systems and users perceive themselves as engaging in secured systems usage behavior, negative emotions such as anger might be elicited when a security breach occurs. Users may exhibit affective response toward a breach, consider the breach as immoral (Horberget al., 2009) and blame a perpetrator for engaging in the immoral act (Crockettet al., 2010). Hence, they might view an organization as a victim of the breach.
This study tests four mediating hypotheses to provide insight into whether users’ perceived moral affect explains the effect of perceived intensity of emotional distress on responsibility judgment of a perpetrator and company, respectively, for an in ill and good intention breaches. Participants completed a questionnaire containing items measuring their perceived intensity of emotional distress, perceived moral affect and responsibility judgment of a perpetrator and company, respectively. Analyses of the usable responses of 187 participants support the mediating hypotheses in the ill and good intention breaches in responsibility judgment of a perpetrator. However, perceived moral affect negatively mediates the effect of perceived intensity of emotional distress on responsibility judgment of a company in an ill intention breach. The mediating hypothesis is not supported in a good intention breach in users’responsibility judgment of a company.
Thefindings support the notion that users use the consequentialism approach when assessing a perpetrator’s responsibility because they focus on the victims’ emotional distress and discount a perpetrator’s intent, resulting in similar mediating effect of perceived moral affect in ill and good intention breaches. In contrast, hackers use the deontological approach in responsibility judgment of a perpetrator because they consider the degree of the victims’emotional distress and the perpetrator’s intent (Chan and Janjarasjit, 2019). Thus, hackers’ perceived moral affect does not explain the impact of perceived intensity of emotional distress on responsibility judgment of a perpetrator in a good intention breach because it is considered as morally acceptable (Chan and Janjarasjit, 2019). Thefindings also indicate that perceived moral affect negatively mediates the impact of perceived intensity of emotional distress on responsibility judgment of a company in an ill intention breach.
Specifically, perceived moral affect increases the negative effect of perceived intensity of emotional distress on responsibility judgment of a company, suggesting that users may exhibit empathetic feelings toward a company and perceive it as a victim of an ill intention breach. The lack of mediating effect in responsibility judgment of a company in a good intention breach may be attributed to the diminished effect of a perpetrator’s feelings of regret, sorrow, guilt and shame for causing emotional distress to the victims.
The remainder of this paper is organized as follows. Section 2 reviews the relevant literature and develops the hypotheses. Sections 3 and 4 explain the research method and
Information security breach
189
results. Finally, thefindings of this study, its limitations and suggestions for future research are discussed in Sections 5 and 6, respectively.
2. Theory 2.1 Moral intensity
Moral intensity theory posits that acceptability of an act depends on magnitude of consequences, probability of consequences, temporal immediacy, proximity, concentration of effect and social consensus (Jones, 1991;Robertsonet al., 2010;Shawver and Miller, 2017). Since all of these characteristics do not have to be present for assessment of moral intensity (Jordanet al., 2012;McMahon and Harvey, 2007;Robertson et al., 2010), this study focuses on magnitude of consequences, probability of consequences and temporal immediacy.
Magnitude of consequences refers to perceived severity of harmful consequences to the victims (Jones, 1991;Musbahet al., 2016;Stein and Ahmad, 2009). An act that results in death is perceived as more severe than an act that leads to a minor injury. Probability of consequences pertains to the likelihood that the victims actually experience the harmful consequences. Selling an alcohol beverage to a known alcoholic has a higher probability of harm than selling an alcohol beverage to a known non-alcoholic person. Temporal immediacy refers to perceived time distance between the occurrence of an act and the harmful consequences (Jones, 1991;Musbahet al., 2016;Stein and Ahmad, 2009). Perceived temporal immediacy is high when the victims are believed to suffer harmful consequences immediately after an act (Jones, 1991; Musbah et al., 2016; Stein and Ahmad, 2009).
Dismissing employees because of an economic crisis has greater temporal impact than reducing the employees’ work hours. High perceived magnitude of consequences, probability of consequences and temporal immediacy increase perceived intensity of harmful consequences to the victims. Individuals tend to judge an act as less morally acceptable when perceived intensity of harmful consequences is high (Decker and Calo, 2007).
The extent of perceived intensity of harmful consequences results in different perceptions of violation of moral beliefs, which in turn lead to different responses toward an act (Lowryet al., 2017;Schlenkeret al., 1994). Perceived intensity of harmful consequences is an important factor for assessing a perpetrator’s responsibility for an act (Hutcherson and Gross, 2011). High perceived intensity of harmful consequences increases perception of violation of a moral belief, which increases concerns about the victims’ well-being and motivates individuals to engage in a moral act to restore equity for the victims (Greenet al., 2008). Hence, individuals may evaluate a perpetrator’s responsibility based on perceived intensity of harmful consequences. For example, although some lies might lead to high perceived intensity of harmful consequences (e.g. causing injury to a victim), others might be perceived as innocuous (e.g. complimenting a colleague on her new dress when it seems to be out of fashion). A person telling a lie that causes high perceived intensity of harmful consequences is held responsible to a greater extent than an individual telling a lie that causes less severe harmful consequences.
2.2 Moral affect
Moral psychology research (Cohenet al., 2011;Haidt, 2003;Mullen and Skitka, 2006) asserts that the intrinsic connections between affect and morality influence moral judgment.
Evaluation of questionable acts that trigger moral affect such as feelings of regret, sorrow, guilt and shame (Dasboroughet al., 2019;Tangney, 1991) can result in negative judgment that motivates a person to help those in need (Cohenet al., 2011). Since individuals have
ICS 29,1
190
innate moral beliefs to promote harmonious interpersonal relationships (Goetzet al., 2010;
Stellaret al., 2014) and attenuate the consequences of harmful acts (Banduraet al., 2001), they become motivated to help others when they witness the victims suffering harmful consequences (Stellaret al., 2015).
Moral affect can motivate an individual to engage in altruistic behavior to prevent occurrence of a harmful act (Eisenberg, 2000). This motivation may be sufficient for helping someone at the expense of considerable effort and personal cost (Small and Loewenstein, 2003).
The impact of moral affect on altruistic behavior can emanate from self-oriented or other- oriented reaction, suggesting that a perpetrator and observer can both experience moral affect (Batson, 1990; Levine et al., 2018). The difference between self-oriented and other-oriented reaction is that observers might attend to information that a perpetrator overlooks (Epleyet al., 2006) possibly because of the observers’ lack of personal interests. Thus, an observer’s perception of a perpetrator’s moral affect can be considered as reliable (Savitskyet al., 2005).
Feelings of obligation to engage in altruistic behavior may cause individuals to punish a perpetrator for a harmful act (Carlsmithet al., 2002). However, such punishment might prevent attainment of potential beneficial outcomes. For example, a pharmaceutical company might stop producing a drug after a lawsuit even though the drug can cure some illnesses (Baron and Ritov, 1993; Sunstein, 2005). Since affective responses triggered during evaluation of the consequences of an act influence responsibility judgment (Greene et al., 2009; Haidt and Kesebir, 2010), questions of whether an act is unfair, impure or harmful and factors such as intent and environmental factors that prompt the violation must be considered (Rai and Fiske, 2011) to enhance understanding of a situation to arrive at accurate responsibility judgment.
2.3 Intent
Morality researchers (Inbaret al., 2012;Pizarro, 2010) assert that a perpetrator is believed to benefit from an act. Although a perpetrator may not have intention to cause harmful consequences, he or she is believed to put his or her self-interests above others. An act may be perceived as immoral when individuals believe that the victims suffer harmful consequences (Cushman, 2008).
Therefore, the act is perceived as wrongful and the perpetrator is held responsible for causing harmful consequences to the victims.
A perpetrator’s intent can trigger different responses toward an act (Mikhail, 2007).
Individuals cannot fathom an act with intent to cause harmful consequences to others (Haidt, 2007;Hauser, 2006) because they perceive such an act as supporting violence and violating moral beliefs (Rai and Fiske, 2011). An ill intention act encompasses the belief that the victims experience the harmful consequences (Cushman, 2008). However, responsibility judgment is challenging when a perpetrator engages in an act without intention to cause harmful consequences to others (Phillips and Shaw, 2015). Intentionality bias suggests that every act entails an intention (Rosset, 2008). For example, the initial response generated automatically at a non-conscious level of a house on fire is that the act is intentional.
However, this response may be altered after consideration of additional information such as human fallibility (e.g. forgetting to turn off a stove) and social norm (e.g. burning a house is undesirable) (Rosset, 2008). Since individuals may focus on the harmful consequences rather than a perpetrator’s intent, responsibility judgment of the perpetrator increases even though he or she might not have any intention to cause harmful consequences to others.
3. Hypotheses
An information security breach may cause the victims to feel disturbed and fearful of their personal information or identity being sold on dark Web, especially when a perpetrator
Information security breach
191
intentionally causes harmful consequences to the victims. Since users’personal and sensitive data are stored on systems, they may consider themselves as potential victims of a security breach. Evaluation of a breach initiated with an ill intention may cause users to portray themselves as potential victims and feel connected to the victims. Users may also experience emotional distress if confidentiality of their personal information is breached. The intensified emotional distress can result in increased empathy toward the victims and increased concern about the victims’well-being, which motivate users to act morally to restore equity for the victims, leading to judgment of increased responsibility of a perpetrator (Greenet al., 2008).
Further, the victims’ emotional distress might remind users that an ill intention breach undermines harmonious interpersonal relationships (Stellaret al., 2014). Users may believe that a perpetrator should exhibit feelings of regret, sorrow, guilt and shame for causing emotional distress to the victims (Dasboroughet al., 2019;Tangney, 1991), engage in helping behavior (Stellaret al., 2015). Subsequently, users may hold a perpetrator responsible for the act (Greenet al., 2008;Haidt and Kesebir, 2010). This leads to thefirst hypothesis:
H1a. Perceived moral affect mediates the effect of perceived intensity of emotional distress on responsibility judgment of a perpetrator in an ill intention breach.
When assessing a company’s responsibility for an ill intention security breach, users might believe that the company is committed to secure its systems to protect its customers’data and recognize that it is difficult for the company to prevent an ill intention breach. Thus, users may perceive the company as a victim of the security breach and empathize with the company. Although perceived intensity of emotional distress caused to the victims might be high, users are less likely to blame a company for an ill intention breach because it is beyond the control of the company, leading to judgment of decreased responsibility of the company.
This study postulates that perceived moral affect can facilitate understanding of the negative relationship between perceived intensity of emotional distress and responsibility judgment of a company. The next hypothesis addresses this issue:
H1b. Perceived moral affect mediates the effect of perceived intensity of emotional distress on responsibility judgment of a company in an ill intention breach.
In the case of a good intention breach where a perpetrator does not have intention to cause harmful consequences to others, intentionality bias (Rosset, 2008) may cause users to frame an act as intentional before they search for additional information such as human fallibility and social norm. Users may have negative perceptions of a perpetrator engaging in a security breach and consider the act as unacceptable regardless of intent. Since additional information might not alter the users’initial judgment, they may overlook a perpetrator’s good intent and focus instead on the consequences (Cushman, 2008; Inbar et al., 2012;
Pizarro, 2010; Phillips and Shaw, 2015). Users may believe that they have engaged in information security protection behavior and envision themselves as potential victims of a security breach regardless of a perpetrator’s intent. They might conclude that a perpetrator can alert a company of its systems vulnerabilities and provide suggestions for improving systems security rather than engage in a good intention breach. Users may not believe that a good intention breach results in beneficial outcomes because a breach entails harmful consequences. Evaluation of the breach and recognition of the victims’emotional distress can trigger emotional response such as the belief that a perpetrator should exhibit feelings of regret, sorrow, guilt and shame for causing emotional distress to the victims. This emotion can motivate users to engage in altruistic behavior to punish a perpetrator for the harmful
ICS 29,1
192
act (Carlsmith et al., 2002) despite his or her good intention, leading to increased responsibility judgment of a perpetrator. Therefore,
H2a. Perceived moral affect mediates the effect of perceived intensity of emotional distress on responsibility judgment of a perpetrator in a good intention breach.
Users may focus on perceived intensity of emotional distress caused to the victims rather than the nature of a good intention security breach and conclude that a perpetrator should exhibit feelings of regret, sorrow, guilt and shame for perpetuating the breach. Consistent with the arguments put forth inH1bfor an ill intention breach, users’perceived moral affect may influence the negative relationship between perceived intensity of emotional distress and responsibility judgment of a company in the case of a good intention breach as well.
Finally, the following hypothesis is introduced:
H2b. Perceived moral affect mediates the effect of perceived intensity of emotional distress on responsibility judgment of a company in a good intention breach.
The research model is presented inFigure 1.
4. Research method 4.1 Task
Using the research instrument of Chan and Janjarasjit (2019), participants responded to separate questions on ill and good intention information security breaches and provided demographic information. Each participant received a T-shirt for participating in this study.
4.2 Participants
The participants were 187 students and employees recruited from a university in the USA.
Their age ranged between 19 and 64 years and the mean was 30 years. About 46% were males and 41% were students. The age of participants with professional work experience ranged from 1 to 42 years and the mean was 8.7 years. About 10% worked in the technology industry, 85% worked in non-technology-related industry and 5% did not disclose the nature of their work. The participants’ demographic information (age, work experience, computer incident experience, jury experience and familiarity with security breach news) did not have an impact on responsibility judgment (dependent variable). Gender had an effect on responsibility judgment in the good intention security breach. Specifically, compared to females, males assigned higher responsibility to a perpetrator and company, respectively, for a good intention breach.
4.3 Variables
The items of each construct are presented inTable 1.
4.3.1 Perceived intensity of emotional distress (independent variable). Participants completed the three-item perceived intensity of emotional distress scale (seven-point scale with 1 =
Figure 1.
Research model
Perceived intensity of emotional distress
Perceived moral affect
Responsibility judgment of a perpetrator
Responsibility judgment of a company
Information security breach
193
strongly disagree and 7 = strongly agree) measuring magnitude, probability and temporal immediacy of consequences for the ill and good intention breaches (Chan and Janjarasjit, 2019).
4.3.2 Perceived moral affect (mediator).The four-item perceived moral affect scale (seven- point scale with 1 = strongly disagree and 7 = strongly agree) assessed the participants’ perceptions of whether the perpetrator should exhibit feelings of regret, sorrow, guilt and shame for engaging in an ill or good intention breach (Chan and Janjarasjit, 2019).
4.3.3 Responsibility judgment (dependent variable). Responsibility judgment of a perpetrator and company, respectively, in an ill or good intention breach was measured on a seven-point scale with 1 = strongly disagree and 7 = strongly agree.
5. Analysis
5.1 Measurement model
The varimax rotation in Mplus is used to test the measurement model to assess the psychometric properties of the latent variables of perceived intensity of emotional distress and perceived moral affect. The factor loadings of perceived intensity of emotional distress are acceptable for the ill (between 0.629 and 0.783,Table 2, Panel A) and good (between 0.704 and 0.878,Table 2, Panel B) intention breaches. The factor loadings of perceived moral affect for the ill (between 0.686 and 0.801,Table 2, Panel A) and good (between 0.730 and 0.939,Table 2, Panel B) intention breaches are also acceptable.
5.1.1 Reliability tests. Cronbach’s alpha and composite reliability of the items in the perceived intensity of emotional distress construct are 0.748 and 0.756 (Table 3, Panel A), respectively, for the ill intention breach, and 0.844 and 0.850 (Table 3, Panel B), respectively, for the good intention breach, suggesting acceptable reliability. Cronbach’s alpha and composite reliability of the items in the perceived moral affect construct are 0.845 and 0.847 (Table 3, Panel A), respectively, for the ill intention breach, and 0.917 and 0.919 (Table 3, Panel B), respectively, for the good intention breach, indicating acceptable reliability.
5.1.2 Validity tests.The convergent and discriminant validity of the perceived intensity of emotional distress and perceived moral affect constructs are tested. Adequate convergent validity indicates that the constructs should account for at least 0.5 of the average variance extracted (AVE) (Hairet al., 1998) . For discriminant validity, the squared root value of AVE of a construct should be greater than the value of its correlation with another latent construct (Hairet al., 1998). The AVEs of the perceived intensity of emotional distress construct are 0.500 and 0.651 (Table 3) for the ill and good intention breaches, respectively. Thus, the requirements of convergent validity are fulfilled.
The squared root values of the AVEs are greater than the correlation between the perceived intensity of emotional distress and perceived moral affect for the ill and good intention breaches, suggesting acceptable discriminant validity. The AVEs of the perceived moral affect construct are
Table 1.
Construct items
Constructs Item Measurement
Perceived intensity of emotional distress
Magnitude of consequences
The victims would suffer serious emotional distress as a result of the hacker’s action.
Probability of consequences
The victims would definitely suffer emotional distress as a result of the hacker’s action.
Temporal immediacy
The victims would immediately suffer emotional distress as a result of the hacker’s action.
Perceived moral affect Regret The hacker should regret the act.
Sorrow The hacker should feel sorry for the act Guilt The hacker should feel guilty about the act Shame The hacker should feel ashamed of the act.
ICS 29,1
194
0.583 and 0.736 (Table 3) for the ill and good intention breaches, respectively, indicating convergent validity. Further, the square root values of AVEs are greater than the correlation between the perceived intensity of emotional distress and perceived moral affect constructs, suggesting acceptable discriminant validity.
5.2 Results
The indirect effect function in Mplus is used to test whether perceived moral affect mediates the relationship between perceived intensity of emotional distress and responsibility judgment of a perpetrator and company, respectively.
In the case of an ill intention breach, perceived intensity of emotional distress has a significant positive effect on perceived moral affect (b= 0.380,p<0.01,Figure 2). Perceived moral affect also has a significant positive effect on responsibility judgment of a perpetrator (b = 0.794,p<0.01,Figure 2) and a significant negative effect on responsibility judgment
Table 2.
Factor loadings Items Perceived intensity of emotional distress Perceived moral affect
Panel A: ill intention breach
Magnitude of consequences 0.660 0.131
Probability of consequences 0.783 0.182
Temporal immediacy 0.629 0.123
Regret 0.063 0.686
Sorrow 0.159 0.787
Guilt 0.183 0.801
Shame 0.268 0.700
Panel B: good intention breach
Magnitude of consequences 0.745 0.287
Probability of consequences 0.878 0.327
Temporal immediacy 0.704 0.327
Regret 0.253 0.730
Sorrow 0.315 0.790
Guilt 0.375 0.799
Shame 0.359 0.939
Table 3.
Reliability, average variance extracted (AVE) and inter- construct correlations Constructs
Cronbach’s alpha
Composite reliability AVE
Inter-construct correlations Perceived intensity of
emotional distress
Perceived moral affect Panel A: ill intention breach
Perceived intensity of emotional distress
0.748 0.756 0.500 0.707*
Perceived moral affect 0.845 0.847 0.583 0.427 0.764*
Panel B: good intention breach
Perceived intensity of emotional distress
Perceived moral affect Perceived intensity of
emotional distress
0.844 0.850 0.651 0.807*
Perceived moral affect 0.917 0.919 0.736 0.694 0.858*
Note:*Square root of average variance extracted
Information security breach
195
of a company (b =0.361,p<0.05,Figure 2). The indirect effect of perceived intensity of emotional distress on responsibility judgment of a perpetrator (b = 0.302, p < 0.01, Figure 2) and company (b =0.137,p<0.05,Figure 2) are significant, while the direct effect of perceived intensity of emotional distress on responsibility judgment of a perpetrator (b= 0.192,p>0.05,Figure 2) and company (b=0.122,p>0.05,Figure 2) are not significant. The results suggest a full mediating effect and supportH1aandH1b.
In the case of a good intention breach, perceived intensity of emotional distress has a significant positive impact on perceived moral affect (b = 0.751,p<0.01,Figure 3) and perceived moral affect has a significant positive effect on responsibility judgment of a perpetrator (b = 0.839,p<0.01,Figure 3). The indirect effect of perceived intensity of emotional distress on responsibility judgment of a perpetrator (b = 0.630, p < 0.01, Figure 3) is significantly positive, while the direct effect of perceived intensity of emotional distress on responsibility judgment of a perpetrator (b =0.068,p>0.05,Figure 3) is not significant. The results indicate a full mediating effect, supportingH2a. However, perceived moral affect does not have a significant effect on responsibility judgment of a company (b= 0.131,p>0.05,Figure 3) and the mediating effect is not significant. Thus,H2b is not supported.
Table 4.
Summary of results of hypotheses
Hypothesis All users Students Employees
Panel A: ill intention breach
H1a: Intensity!moral affect!responsibilityPerpetrator
H1b: Intensity!moral affect!responsibilityCompany
Supported Supported
Supported Supported
Supported Not supported Panel B: good intention breach
H2a: Intensity!moral affect!responsibilityPerpetrator
H2b: Intensity!moral affect!responsibilityCompany
Supported Not supported
Supported Not supported
Supported Not supported
Figure 2.
Results of hypotheses (ill intention breach)
Responsibility judgment of a perpetrator
Responsibility judgment of a company 0.380***
0.794***
– 0.361**
0.192, ns
– 0.122, ns Mediating effect: 0.302***
Mediating effect: –0.137**
Perceived moral affect Perceived
intensity of emotional distress
Notes: ***p < 0.01, **p < 0.05, ns = not significant, two-tailed significance test
ICS 29,1
196
5.3 Additional analysis
Additional analysis is performed to provide insight into different user groups’ (i.e.
university students and employees) responsibility judgment of a perpetrator and company, respectively. In the case of an ill intention breach, students’perceived intensity of emotional distress has a significant effect on perceived moral affect (b= 0.457,p<0.01,Figure 4) and perceived moral affect has a significant impact on responsibility judgment of a perpetrator (b= 0.667,p<0.01,Figure 4) and a company (b=0.511,p<0.05,Figure 4). The indirect effect of students’perceived intensity of emotional distress on responsibility judgment of a perpetrator (b= 0.305,p<0.05,Figure 4) and company (b=0.233,p<0.05,Figure 4) are significant, while the direct effect of students’perceived intensity of emotional distress on responsibility judgment of a perpetrator (b= 0.055,p>0.05,Figure 4) and company (b = 0.209,p>0.05,Figure 4) are not significant. The results suggest that students’perceived moral affect fully mediates the effect of perceived intensity of emotional distress on
Figure 3 Results of hypotheses (good intention breach)
Responsibility judgment of a perpetrator
Responsibility judgment of a company 0.751***
0.839***
– 0.131, ns – 0.068, ns
0.397**
Mediating effect: 0.630***
Mediating effect: –0.098, ns Perceived
moral affect Perceived
intensity of emotional distress
Notes: ***p < 0.01, **p < 0.05, ns = not significant, two-tailed significance test
Figure 4 Additional analysis– students (ill intention breach)
Responsibility judgment of a perpetrator
Responsibility judgment of a company 0.457**
0.667***
– 0.511**
0.055, ns
– 0.209, ns Mediating effect: 0.305**
Mediating effect:– 0.233**
Perceived moral affect Perceived
intensity of emotional distress
Notes: ***p < 0.01, **p < 0.05, ns = not significant, two-tailed significance test
Information security breach
197
responsibility judgment of a perpetrator and company, respectively, in an ill intention breach.
In a good intention breach, students’ perceived intensity of emotional distress has a significant effect on perceived moral affect (b = 0.840,p<0.01,Figure 5) and perceived moral affect has a significant effect on responsibility judgment of a perpetrator (b = 0.661, p<0.05,Figure 5). The indirect effect of students’perceived intensity of emotional distress on responsibility judgment of a perpetrator (b = 0.555,p<0.01,Figure 5) is significant, while the direct effect of perceived intensity of emotional distress on responsibility judgment of a perpetrator (b =0.090,p>0.05,Figure 5) is not significant. Thus, students’perceived moral affect fully mediates the effect of perceived intensity of emotional distress on responsibility judgment of a perpetrator in a good intention breach. However, students’ perceived moral affect does not have a significant impact on responsibility judgment of a company (b =0.048,p>0.05,Figure 5) and the mediating effect is not significant. Hence, students’ perceived moral affect does not mediate the impact of perceived intensity of emotional distress on responsibility judgment of a company in a good intention breach.
In the case of an ill intention breach, employees’perceived intensity of emotional distress has a significant impact on perceived moral affect (b = 0.427, p< 0.01,Figure 6) and perceived moral affect has a significant effect on responsibility judgment of a perpetrator (b = 0.377,p< 0.01,Figure 6). The indirect effect of employees’perceived intensity of emotional distress on responsibility judgment of a perpetrator (b = 0.202, p < 0.05, Figure 6) is significant but the direct effect of perceived intensity of emotional distress on responsibility judgment of a perpetrator (b = 0.301,p<0.05,Figure 6) remains significant.
Thus, employees’perceived moral affect partially mediates the impact of perceived intensity of emotional distress on responsibility judgment of a perpetrator in an ill intention breach.
However, employees’ perceived moral affect does not have a significant impact on responsibility judgment of a company (b =0.124,p>0.05,Figure 6) and the mediating effect is not significant. Therefore, employees’perceived moral affect does not mediate the effect of perceived intensity of emotional distress on responsibility judgment of a company in an ill intention breach.
In a good intention breach, employees’perceived intensity of emotional distress has a significant impact on perceived moral affect (b = 0.740,p<0.01,Figure 7) and perceived moral affect has a significant impact on responsibility judgment of a perpetrator (b = 0.816,
Figure 5.
Additional analysis– students (good intention breach)
Responsibility judgment of a perpetrator
Responsibility judgment of a company 0.840***
0.661**
– 0.048, ns – 0.090, ns
0.145, ns Mediating effect: 0.555***
Mediating effect: –0.041, ns Perceived
moral affect Perceived
intensity of emotional
distress
Notes: ***p < 0.01, **p < 0.05, ns = not significant, two-tailed significance test
ICS 29,1
198
p < 0.01, Figure 7). The indirect effect of employees’ perceived intensity of emotional distress on responsibility judgment of a perpetrator (b = 0.604,p < 0.01, Figure 7) is significant, while the direct effect of perceived intensity of emotional distress on responsibility judgment of a perpetrator (b = 0.025,p>0.05,Figure 7) is not significant.
Hence, employees’perceived moral affect fully mediates the effect of perceived intensity of emotional distress on responsibility judgment of a perpetrator in a good intention breach.
However, employees’ perceived moral affect does not have a significant impact on responsibility judgment of a company (b =0.127,p>0.05) and the mediating effect is not significant. Therefore, employees’ perceived moral affect does not mediate the effect of perceived intensity of emotional distress on responsibility judgment of a company in a good intention breach.
The results of the hypotheses are summarized inTable 4.
6. Discussion
The results show that perceived moral affect explains the impact of perceived intensity of emotional distress on responsibility judgment of a perpetrator in the ill and good intention breaches. Users may consider the victim’s emotional distress and conclude that a perpetrator should exhibit feelings of regret, sorrow, guilt and shame for the breach and be held responsible ill or good intention. These results are consistent with prior research (Baumeister et al., 1994; de Hooge et al., 2011; Haidt, 2008; Ketelaar and Au, 2003), suggesting that users may assess increased responsibility against a perpetrator to restore equity for the victims. In a good intention breach, users might not believe that a security breach is the only way for improving systems security. They may also consider themselves as potential victims and focus on the victims’emotional distress and ignore the potential benefits of a good intention breach. Thesefindings corroborate prior research’s assertion that judgment relating to moral issues may not require consideration of a cost-benefit analysis because the act is perceived as wrongful (Baron and Spranca, 1997;Tetlocket al., 2000).
This studyfinds that users’perceived moral affect negatively mediates the impact of perceived intensity of emotional distress on responsibility judgment of a company in an ill intention breach.
That is, the negative relationship between perceived intensity of emotional distress and responsibility judgment of a company increases in the presence of perceived moral affect. This
Figure 6.
Additional analysis– employees (ill intention breach)
Responsibility judgment of a perpetrator
Responsibility judgment of a company 0.427***
0.377***
–0.124, ns 0.301**
–0.145, ns Mediating effect: 0.202**
Mediating effect: -0.075, ns Perceived
moral affect Perceived
intensity of emotional
distress
Notes: *** p < 0.01, ** p < 0.05, ns = not significant , two-tailed significance test
Information security breach
199
phenomenon can be attributed to users’belief that a perpetrator should exhibit feelings of regret, sorrow, guilt and shame for causing emotional distress to the victims. A company may be perceived as a victim because company personnel might experience emotional distress from an ill intention breach. This observation is consistent with the moral philosophy ofHume (1739/1969) suggesting that empathy motivates individuals to act in the interests of others (i.e. the company in this study) (Killen and Smetana, 2015), which leads to decreased judgment of responsibility of a company in an ill intention breach. Since a good intention breach might not elicit strong feelings of regret, sorrow, guilt and shame for the victims’emotional distress, perceived moral affect does not mediate the effect of perceived intensity of emotional distress on responsibility judgment of a company.
Additional analysis is conducted to provide insight into thefindings on two user groups’ (i.e. university students and employees) reactions toward an ill or good intention breach. The findings show that students and employees believe that a perpetrator should exhibit feelings of regret, sorrow, guilt and shame for the victims’emotional distress for an ill or good intention breach. Subsequently, increased responsibility judgment of the perpetrator is assessed regardless of intent. However, in the case of employees, the partial mediating effect of perceived moral affect suggests that other factors might explain the impact of perceived intensity of emotional distress on responsibility judgment of a perpetrator. Perceived moral affect does not explain the effect of perceived intensity of emotional distress on responsibility judgment of a company in a good intention breach for both user groups. In an ill intention breach, perceived moral affect explains the impact of perceived intensity of emotional distress on students’responsibility judgment of a company. The mediating effect of perceived moral affect is not observed for employees. The result is consistent with previous research (Cottingham, 2016;Toomey and Rudolph, 2018) suggesting that younger individuals (students) tend to exhibit stronger emotional responses to situations than older individuals (employees). As individuals get older, they learn how to regulate their emotional response better and this might explain the less emotional response observed in the older individuals (employees) in this study.
6.1 Implications for research
This study highlights the significance of a perpetrator’s intent on users’responsibility judgment of a perpetrator and company, respectively. Moral psychological theories (Bandura et al., 2001;
Figure 7.
Additional analysis– employees (good intention breach)
Responsibility judgment of a perpetrator
Responsibility judgment of a company 0.740***
0.816***
– 0.127, ns 0.025, ns
0.575**
Mediating effect: 0.604***
Mediating effect:– 0.094, ns Perceived
moral affect Perceived
intensity of emotional distress
Notes: ***p < 0.01, **p < 0.05, ns = not significant, two-tailed significance test
ICS 29,1
200
Greeneet al., 2009;Haidt and Kesebir, 2010) posit that users behave in accordance with their social moral beliefs to promote harmonious interpersonal relationships and mitigate the impact of harmful acts on responsibility judgment. Since users hold a perpetrator responsible for an ill or good intention security breach, thisfinding is consistent with the moral psychology literature. Users may assess increased responsibility against a perpetrator when a security breach violates moral beliefs (Rai and Fiske, 2011). User reaction toward a breach also highlights the consequentialism approach in moral decision-making (Greenet al., 2008), suggesting that a breach is wrongful despite the potential beneficial outcome of a good intention breach such as improving systems security.
Consistent with the moral psychology literature (Leyens et al., 2000;Ticeet al., 2001;
Valdesolo and DeSteno, 2006), this study finds that users may be able to regulate their emotions that influence their responsibility judgment of a company in an ill or good intention security breach. This result contradicts a real information security breach where Marriott’s customers blamed andfiled a class action lawsuit against the hotel. The observed differences in users’reactions toward the security breach in Marriott and in this study can be attributed to Marriott’s repeated breaches over the years compared to this study’s one- time breach. The users in this research might recognize that it is difficult for a company to implement a fool-proof systems security that attenuates responsibility judgment of a company, especially when the breach occurs for thefirst time. Users may expect a company to learn from past security breaches and take corrective measures to improve systems security. Marriott’s recurring security breaches might explain its customers’ increased responsibility judgment of the hotel viafiling of a class action lawsuit.
This study highlights an in-group effect (Leyenset al., 2000;Vauclair and Fischer, 2011) on user reaction toward a moral issue. Comparing the findings of this study with that of Chan and Janjarasjit (2019), user reaction toward an ill intention breach is similar to that of hackers. However, user reaction toward a good intention breach differs from that of hackers. Users may focus less on a perpetrator’s good intent and believe that a perpetrator should exhibit feelings of regret, sorrow, guilt and shame for causing emotional distress to the victims. Hence, users may perceive a breach as morally wrongful regardless of intent and hold a perpetrator responsible for the breach. In contrast, hackers may believe that it is acceptable for a perpetrator to engage in a good intention breach and they may overlook the victims’emotional distress that attenuates the mediating effect of perceived moral affect (Chan and Janjarasjit, 2019). Hackers may form an in-group connection to a perpetrator in a good intention breach because they understand the underlying reason for the act.
On the contrary, users may see themselves as potential victims of a breach and feel connected to the victims. Users may focus on the victims’emotional distress instead of a perpetrator’s good intent, leading to increased saliency of perceived moral affect and subsequent increased responsibility judgment of the perpetrator.
6.2 Implications for practice
Users may consider a company as a victim of a security breach and exhibit empathetic feelings toward the company when a breach occurs for thefirst time. This phenomenon may not be observed in a situation where a company experiences security breaches over a period of time. For example, a class action lawsuit wasfiled against Marriott after its customers realized that Marriott’s system was breached in 2014 (O’Flaherty, 2019), 2018 and again in 2020 (Coble, 2020). Although a company may be a victim of a security breach, customers expect the company to learn from previous incidents and take corrective measures to protect their personal data.
In-group versus out-group effects can also influence responsibility judgment of a perpetrator and company. Responsibility judgment is mitigated when perceptions of an in- group is formed (users may perceive themselves and the company as victims of a breach).
Information security breach
201
This phenomenon may be observed in the case where a company fails to implement effective systems security and is assessed similar responsibility as a perpetrator, especially in the case of a good intention breach. Increased awareness of the in-group effect can assist users to use appropriate strategies for arriving at accurate responsibility judgment. Additionally, systems security professionals can educate users about information security, threat and vulnerabilities, and security protection behaviors to promote a sustaining and secured information systems environment. This can increase the users’willingness to learn and engage in behaviors that improve systems security. Increased user awareness of systems security is essential for avoiding the perception of users as the weakest link in the information security chain (Schneier, 2000).
6.3 Limitations and future research
This study has some limitations. First, responsibility judgment of a perpetrator and company, respectively, are assessed using a single item. Future research can develop a multiple-item scale to measure responsibility judgment to test whether similarfindings are obtained. Further, this study uses the survey approach to test the hypotheses. Future research can manipulate the variables examined in this study and conduct an experiment to provide additional insight into the findings. Future work can also identify variables influencing user reactions toward recurring information security breaches. For example, research can investigate whether palliative (the effect of limiting indirect consequences) and containment (the confinement and limitation effect of direct consequences) measures (Bouaynayaet al., 2018) affect users’responsibility judgment. Another interesting research question is whether users’ responsibility judgment of a perpetrator and company, respectively, increases with increased security breaches. An experimental study can promote understanding of this issue. Additionally, research can test whether individual characteristics such as consideration of future consequences (Joireman et al., 2008;
Strathmanet al., 1994) can enhance understanding of thefindings. Finally, institution of an equitable responsibility judgment in a legal system may require strategies that elicit consideration of the consequences (Chan and Janjarasjit, 2019) to attenuate biased responsibility judgment. Future research can shed light on this issue.
References
Ahmad, A., Maynard, S.B. and Shanks, G. (2015),“A case analysis of information systems and security incident responses”,International Journal of Information Management, Vol. 35 No. 6, pp. 717-723.
Bandura, A., Caprara, G.V., Barbaranelli, C., Pastorelli, C. and Regalia, C. (2001),“Sociocognitive self- regulatory mechanisms governing transgressive behavior”,Journal of Personality and Social Psychology, Vol. 80 No. 1, pp. 125-135.
Barlow, J.B., Warkentin, M., Ormond, D. and Dennis, A.R. (2013),“Don’t make excuses! Discouraging neutralization to reduce IT policy”,Computers and Security, Vol. 39, pp. 145-159.
Baron, J. and Ritov, I. (1993),“Intuitions about penalties and compensation in the context of tort law”, Journal of Risk and Uncertainty, Vol. 7 No. 1, pp. 17-33.
Baron, J. and Spranca, M. (1997),“Protected values”,Organizational Behavior and Human Decision Processes, Vol. 70 No. 1, pp. 1-16.
Batson, C.D. (1990),“How social an animal? The human capacity for caring”,American Psychologist, Vol. 45 No. 3, pp. 336-346.
Baumeister, R.F., Stillwell, A.M. and Heatherton, T.F. (1994), “Guilt: an interpersonal approach”, Psychological Bulletin, Vol. 115 No. 2, pp. 243-267.
ICS 29,1
202
Bouaynaya, W., Lyu, H. and Zhang, Z. (2018), “Exploring risks transferred from cloud-based information systems: a quantitative and longitudinal model”,Sensors, Vol. 18 No. 10.
Brewster, T. (2018),“Revealed: Marriott’s 500 million hack came after a string of security breaches”, available at:www.forbes.com/sites/thomasbrewster/2018/12/03/revealed-marriotts-500-million- hack-came-after-a-string-of-security-breaches/#34639cdc546f
Bronstad, A. (2019),“Marriott moves to dismiss data breach lawsuit, says passport numbers useless to hackers”, available at: www.law.com/2019/09/24/marriott-moves-to-dismiss-data-breach- lawsuit-says-passport-numbers-useless-to-hackers/
Carlsmith, K.M., Darley, J.M. and Robinson, P.H. (2002),“Why do we punish? Deterrence and just deserts as motives for punishment”,Journal of Personality and Social Psychology, Vol. 83 No. 2, pp. 284-299.
Chan, S.H. and Janjarasjit, S. (2019), “Insight into hackers’ reaction toward information security breach”,International Journal of Information Management, Vol. 49, pp. 388-396.
Chiesa, R., Ducci, S. and Ciappi, S. (2009),Profiling Hackers, CRC Press, New York, NY.
Coble, S. (2020),“New Marriott data breach affects 5.2 million guests”, available at:www.infosecurity- magazine.com/news/new-marriott-data-breach-affects/
Cohen, S. (2020),“Marriott data breach class action allowed to proceed”, available at:https://topclassactions.
com/lawsuit-settlements/data-breach/marriott-data-breach-class-action-allowed-to-proceed/
Cohen, T.R., Wolf, S.T., Panter, A.T. and Insko, C.A. (2011),“Introducing the GASP scale: a new measure of guilt and shame proneness”,Journal of Personality and Social Psychology, Vol. 100 No. 5, pp. 947-966.
Cottingham, M.D. (2016),“Theorizing emotional Capital”,Theory and Society, Vol. 45 No. 5, pp. 451-470.
Crockett, M.J., Clark, L., Hauser, M.D. and Robbins, T.W. (2010),“Serotonin selectivity influences moral judgment and behavior through effects on harm aversion”,Proceedings of the National Academy of Sciences of Sciences, Vol. 107 No. 40, pp. 17433-17438.
Cushman, F. (2008),“Crime and punishment: distinguishing the roles of causal and intentional analyses in moral judgment”,Cognition, Vol. 108 No. 2, pp. 353-380.
Cushman, F. and Greene, J.D. (2011), “Finding faults: how moral dilemmas illuminate cognitive structure”,Social Neuroscience, pp. 1-11.
Dasborough, M.T., Hannah, S.T. and Zhu, W. (2019),“The generation and function of moral emotions in teams: an integrative review”,Journal of Applied Psychology, Vol. 105 No. 5, pp. 433-452.
Decker, W.H. and Calo, T.J. (2007),“Observers’impressions of unethical persons and whistleblowers”, Journal of Business Ethics, Vol. 76 No. 3, pp. 309-318.
de Hooge, I.E., Nelissen, R.M.A., Breugelmans, S.M. and Zeelenberg, M. (2011),“What is moral about guilt? Acting “prosocially”at the disadvantage of others”,Journal of Personality and Social Psychology, Vol. 100 No. 3, pp. 462-473.
Doherty, N.F., Anastasakis, L. and Fulford, H. (2011),“Reinforcing the security of corporate information resources: a critical review of the role of the acceptable use policy”,International Journal of Information Management, Vol. 31 No. 3, pp. 201-209.
Eisenberg, N. (2000),“Emotion, regulation, and moral development”,Annual Review of Psychology, Vol. 51 No. 1, pp. 665-697.
Epley, N., Caruso, E.M. and Bazerman, M.H. (2006),“When perspective taking increases taking:
reactive egoism in social interaction”,Journal of Personality and Social Psychology, Vol. 91 No. 5, pp. 872-889.
Goetz, J.L., Keltner, D. and Simon-Thomas, E. (2010), “Comparison: an evolutionary analysis and empirical review”,Psychological Bulletin, Vol. 136 No. 3, pp. 351-374.
Green, J.D., Burnette, J.L. and Davis, J.L. (2008),“Third-party forgiveness: (not) forgiving your close other’s betrayer”,Personality and Social Psychology Bulletin, Vol. 34 No. 3, pp. 407-418.
Information security breach
203
Greene, J.D., Cushman, F.A., Stewart, L.E., Lowenberg, K., Nystrom, L.E. and Cohen, J.D. (2009),
“Pushing moral buttons: the interaction between personal force and intention in moral judgment”,Cognition, Vol. 111 No. 3, pp. 364-371.
Haidt, J. (2003),“The moral emotions”, in Davidson, R.J., Scherer, K.R. and Goldsmith, H.H. (Eds), Handbook of Affective Sciences, Oxford University Press, New York, NY, pp. 852-870.
Haidt, J. (2007),“The new synthesis in moral psychology”,Science, Vol. 316 No. 5827, pp. 998-1002.
Haidt, J. (2008),“Morality”,Perspectives on Psychological Science, Vol. 3 No. 1, pp. 65-72.
Haidt, J. and Kesebir, S. (2010),“Morality”, in Fiske, S., Gilbert, D. and Lindzey, G. (Eds),Handbook of Social Psychology, Wiley, Hobeken, NJ, pp. 797-832.
Hair, J.F., Anderson, R.E., Tatham, R.L. and Black, W.C. (1998),Multivariate Data Analysis, Prentice Hall, Englewood Cliffs, NJ.
Hauser, M. (2006),Moral Minds: How Nature Designed Our Universal Sense of Right and Wrong, Ecco Books, New York, NY.
Horberg, E.J., Oveis, C., Keltner, D. and Cohen, A.B. (2009),“Disgust and the moralization of purity”, Journal of Personality and Social Psychology, Vol. 97 No. 6, pp. 963-976.
Hume, D. (1739/1969),A Treatise in Human Nature, Pelican, Baltimore, MD. (Original work published in 1739).
Hutcherson, C.A. and Gross, J.J. (2011),“The moral emotions: a social-functionalist account of anger, disgust, and contempt”,Journal of Personality and Social Psychology, Vol. 100 No. 4, pp. 719-737.
Inbar, Y., Pizarro, D.A. and Cushman, F. (2012),“Benefiting from misfortune: when harmless actions are judged to be morally blameworthy”,Personality and Social Psychology Bulletin, Vol. 38 No. 1, pp. 52-62.
Joireman, J., Balliet, D., Sprott, D., Spangenberg, E. and Schultz, J. (2008),“Consideration of future consequences, ego-depletion, and self-control: support for distinguishing between CFC-Immediate and CFC-Future Sub- scales”,Personality and Individual Differences, Vol. 45 No. 1, pp. 15-21.
Jones, T.M. (1991), “Ethical decision making by individuals in organizations: an issue-contingent model”,Academy of Management Review, Vol. 16 No. 2, pp. 366-395.
Jordan, J., Diermeier, D.A. and Galinsky, A.D. (2012),“The strategic samaritan: how effectiveness and proximity affect corporate responses to external crises”,Business Ethics Quarterly, Vol. 22 No. 4, pp. 621-648.
Ketelaar, T. and Au, W.T. (2003),“The effects of guilt on the behavior of uncooperative individuals in repeated social bargaining games: an affect-as-information interpretation of the role of emotion in social interaction”,Cognition and Emotion, Vol. 17 No. 3, pp. 429-453.
Killen, M. and Smetana, J.G. (2015),“Origins and development of morality”, in Lamb, M.E. and Lerner, R.M. (Eds),Handbook of Child Psychology and Developmental Science: Socioemotional Processes, John Wiley and Sons Inc. pp. 701-749.
Kritzinger, E. and von Solms, S.H. (2010),“Cyber security for home users: a new way of protection through awareness enforcement”,Computers and Security, Vol. 29 No. 8, pp. 840-847.
Levine, E.E., Barasch, A., Rand, D., Berman, J.Z. and Small, D.A. (2018),“Signaling emotion and reason in cooperation”,Journal of Experimental Psychology: General, Vol. 147 No. 5, pp. 702-719.
Leyens, J.-P., Paladino, P.M., Rodriguez-Torres, R., Vaes, J., Demoulin, S., Rodriguez-Perez, A. and Gaunt, R. (2000),“The emotional side of prejudice: the attribution of secondary emotions to ingroups and outgroups”,Personality and Social Psychology Review, Vol. 4 No. 2, pp. 186-197.
Li, L., He, W., Xu, L., Ash, I., Anwar, M. and Yuan, X. (2019),“Investigating the impact of cybersecurity policy awareness on employees’cybersecurity behavior”,International Journal of Information Management, Vol. 45, pp. 13-24.
Lowry, P.B., Moody, G.D. and Chatterjee, S. (2017),“Using IT design to prevent cyberbullying”,Journal of Management Information Systems, Vol. 34 No. 3, pp. 863-901.
