September 3, 2015

The Question Of Obedience Towards IT Security Practices

By CloudTweaks

Enforcing Security Policies

To comply with global industrial standards, businesses are often required to set up internal security policies. These policies aim to regulate and make transparent the use of digital equipment, networks, and devices for work and pleasure. On some level, the policies are in place to ensure that the organisation has access to certain private employee domains and devices, while equally encouraging employee dependence on the organisation (the presumed security provider). However, all of this boils down to a common IT issue: the question of enforcing the security practices and policies in place. The basic, underlying issue here is one of relevance, whether the policies are framed with reference to internal conceptions or to external threats, so as to maximise the probability of obedience and narrow down the chance that someone chooses to overlook the standards in place.

Compliance Mechanics

Classic organisational obedience theories have been built upon various other theories studying the role of fear in ensuring compliance with the policies imposed by an organisation (the sovereign in that context). On the other hand, Johnston and colleagues have argued that, in the context of Information Security Policy (ISP) compliance, various further components have to be added and taken into account in order to construct a coherent theory of the mechanics of ISP compliance.

The conventional “Fear Appeal Theory” is based on four elements of which the subjects are made aware, thereby encouraging behaviours that ensure compliance with the security policy. This theory suggests that if the subject becomes and stays conscious of the severity of a threat, that the threat is likely to be triggered, and that an efficient response to it exists, this will lead to a maximum intent to comply with the policies in place. However, as one can see, this theory is based on violence and animality; in populistic terms it is the same as saying, “do as we say, or we will hit you hard enough that any reasonable person would make sure not to make the same mistake in order to avoid the punishment.”

Fear Appeal Framework

Johnston et al. argue that the fear appeal framework for ISP compliance requires more elements, namely those related to the rhetoric set up to support the conventional elements. This ensures that the intention to comply with security policies is clearly communicated with the proper rhetoric, building up conceptions of both the formal and the informal certainty and severity of the sanctions. The division between informal and formal is relevant here, so as to highlight sanctions at the level of immediate peers (social pressure) rather than just organisational punishment. In this, the authors are in line with the current development of governance models away from organisational enforcement and towards persuasion by mere social pressure and attachment to one's immediate peers.

However, on a fundamental level, this framework can end up supporting coercive and violent means, and fails to consider changing organisational settings. It takes the workforce for granted as an industrial resource, and thus validates this type of governance for particular organisations, including the inducing of fear and stress in people. One should heavily consider the concept of organisational security policies in this context and ask whether it adapts to, and is suitable for, modern organisations and modern conceptions of humanity. This type of fear-based theory lacks any consideration of the effects that these types of intrusive mechanisms have on an individual's creativity and character development. As such, this type of practice aims – in the old-fashioned way – to secure the organisation and its governance, rather than to provide any security for the people.

White-collar Cyberloafers

One particular compliance problem in cyber security is how to deal with employees idling in the office and misusing company Internet resources. This can lead to security issues such as worms, viruses, spyware and loss of reputation for the company network. On some level this kind of problem can be seen as belonging to the early years of networking, when white-collar workers were newly equipped with browsers and all the fun they bring along. But the issue of employees taking advantage of company resources, time or other privileges for personal gain has always existed. Now, the introduction of personal communication equipment into the workplace has once again made the discussion relevant, and a wide array of studies has been published about how to deter cyberloafers.

The fact that such studies neglect to pay attention to the prevalence of the issue in the pre-Internet era highlights contemporary concerns about identifying who governs networked equipment, whether at a personal, organizational or state level. In a way, the research and the topic itself contribute to the building of modern cyber identities and attachments by the organization, or by other self-proclaimed sovereigns, in the cyber age. This also forms part of the thinking that would transform societies and organizations from industrial entities into mere service networks, as it aims to establish organizational governance over a phenomenon that was not developed for the organization but imposed from outside.

The Machinery of Business

Some studies have highlighted the positive aspects of personal use of communication technologies in the workplace, mostly for recreational purposes and as an important means of personal recovery (Ivarsson, Larsson 2012). However, this notion presumes the stressful nature of the work, thus building upon the old industrial idea that sees people as mere resources in the machinery of business. While other studies on the subject concentrate more on ensuring compliance (thus recognizing and imposing the authority of the organization), Ivarsson aims to highlight the idea that the use of personal communication equipment in the office is part of the overall process of change in our understanding of the nature of work. Aiming to limit and forbid its usage is therefore like forbidding people to have a cup of coffee or to take a holiday every now and then.

Ivarsson represents the school of thought that considers not only the changing workplace culture, but also changes in organizations and in the business environment as a whole. In fact, he concludes by suggesting that the need to govern the personal use of networked resources should be put into context. For example, the nature of the work needs to be balanced against the need to protect against the harmful effects of having access to hostile network resources, or even the possibility of illegal activity.

When considering the nature of cyberloafing, or other employee misbehaviours, one must reflect on the structure of the organization, its relation to society as a whole, and the ethical and moral values it represents. As other studies have pointed out, idling might be a result of unjust behaviour on the part of the organization itself. If employees have no agency, or no means to simply leave, they must find a way to protest silently (Lim 2002, 10.1002/job.161). In these kinds of situations, simply punishing employees might not be the way to go.

By Kristo Helasvuo
