Revisiting neutralization theory and its underlying assumptions to inspire future information security research

Over two decades ago, neutralization theory was introduced to information systems research from the field of criminology and is currently emerging as an influential foundation to both explain and solve the information security policy noncompliance problem. Much of what we know about the theory focuses exclusively on the neutralization techniques identified in the original as well as subsequent criminological writings. What is often left unexamined in IS research is the underlying assumptions about the theory’s core elements; assumptions about the actor, the act, the normative system, and the nature of neutralizing itself. The objective of this commentary is to revisit the origin of neutralization theory to identify its core assumptions and to lay a foundation for future IS research inspired by these assumptions. This paper points to five core assumptions: (1) The actor is an early-stage offender; (2) The act is shameful; (3) Neutralizing precedes and facilitates deviance; (4) Normative rules are disputable; and (5) Specific neutralization techniques are more relevant to specific violations. Ignoring these underlying assumptions could lead to a situation where we make unfounded claims about the theory or provide practitioners with harmful, rather than helpful, guidance.