Moral sensitivity in information security dilemmas

Abstract

Activities that undermine information security such as noncompliance with information security policies raise moral concerns since they can expose valuable information assets. Existing research shows that moral reflection could play an inhibitory role in one’s decision to undermine information security. However, it is not clear whether users interpret such decisions from a moral standpoint to engage in moral reflection in the first place. Users have to be morally sensitive before they engage in moral reflection. Moral sensitivity involves perceiving a situation as morally relevant, identifying the parties involved and perceiving possible courses of action. We examine moral sensitivity in security dilemmas in a Finnish university setting. We develop audio records of conversations about two policy compliance scenarios, each involving moral concerns. After playing back these audio records to participants, we pose probing questions to examine their moral sensitivity. Our preliminary results indicate that users may not be sensitive towards the moral concerns raised by security dilemmas. Based on our findings, we suggest providing users with information regarding those affected by security decisions, IT capabilities in an organization and the possible consequences of different courses of action in security education programs rather than directives about morally right or wrong behavior.