An Exploratory Examination of Organizational Insiders’ Descriptive and Normative Perceptions of Cyber-relevant Rights and Responsibilities
Computers & Security (IF 4.8), Pub Date: 2020-12-01, DOI: 10.1016/j.cose.2020.102038
Clay Posey, Robert Folger

Abstract Within the field of organizational cybersecurity, much attention has been given to insider compliance and non-compliance with the information security policies (ISPs) set forth by their organizations. Most of these efforts apply theoretical foundations based on self-interest, personal incentive, and cost-benefit calculations to explain compliance and non-compliance motives. We take a different approach to understand insiders’ ISP compliance by exploring how insiders view their rights and responsibilities related to security-relevant behaviors. Relying on Deonance Theory, we assess the extent to which insiders categorize a wide variety of behaviors that are or can be implemented in corporate ISPs according to several deontic conditional operators (e.g., nature of perceived requiredness). These operators form the basis for a rights and responsibility framework. We find that out of 38 unique security-relevant behaviors, 22 exhibit one or more forms of potential moral “gray area” patterns. Among these patterns, significant differences between insiders’ descriptive (i.e., “is”) and normative (i.e., “should be”) assessments of rights and responsibilities perceptions are particularly interesting. Our findings shed additional light on insiders’ compliance with organizational ISPs when those ISPs place increased restrictions on what the insider must or must not do.

Updated: 2020-12-01