The Collective Violation Talkshow : How do Workgroups Account for Cyberdeviance?

Abstract

Cyberdeviance within workgroups is one of the most challenging cybersecurity problems facing modern organizations. Cyberdeviance is an intentional form of security policy violation, reflecting the outcome of a justification process deeming the violation acceptable for the violator. The collective nature of cyberdeviance within groups increases the challenge because group context can steer members to act in accordance with the group’s decisions, even when it violates organizational directives. Despite these challenges, we know very little about how workgroups justify cyberdeviance. We ask: How do workgroups create and validate accounts for cyberdeviance? Guided by the theoretical lens of accounts and based on insights from five deviant workgroups using unauthorized technologies (aka, shadow IT), our analysis points to three core findings. First, the group context is crucial to understanding the violation framing process. Second, at the discursive level, the groups use a unique set of verbalizations that deem cyberdeviance acceptable within the group. Third, we found that this set of verbalized accounts is instrumental to ensure group cohesion and belongingness. We discuss the theoretical and practical implications of these novel insights.