The role of ethical climates in employee information security policy violations

In the context of information security, the organizational social environment plays an important role in deterring employee violations of the Information Security Policy (ISP). As extant research has not yet determined the role ethical climates may play, this study seeks to understand their influence on employee ISP violations. To this end, we classified ISPs into two major categories: those related to communal information technology (IT) resources in the organization, such as databases or software applications, and those related to connective IT resources, such as email or Internet access. Then, we explored how rules-, performance-, and friendship-oriented organizational ethical climates affect ISP violations. Based on a survey of 177 professionals employed in the United States, we found that rules-oriented and friendship-oriented ethical climates deter ISP violations, whereas a performanceoriented one does not. Moreover, rules- and friendship-oriented ethical climates lead to fewer communal ISP violations, while performance-oriented ethical climates lead to more connectivity ISP violations. These findings underscore the importance of considering the type of IT resources that an ISP aims to protect as well as the ethical climate of an organization in order to better understand the causes of ISP violations.