Understanding the mindset of the abusive insider: An examination of insiders’ causal reasoning following internal security changes

Employees can have a profound, detrimental influence on information security that costs organizations billions of U.S. dollars annually. As a result, organizations implement stringent security controls, which can inadvertently foster the behaviors that they are designed to deter. This research attempts to understand this phenomenon of increased internal computer abuses by applying causal reasoning theory to explain employees’ causal-search process following the implementation of information security measures. Our findings show how interpersonal and environmental factors influence insiders’ beliefs that the organization trusts them (i.e., attributed trust) and how low attributed trust perceptions drive computer abuse incidents subsequent to security changes. We also highlight the need for both managers and security researchers to assess the frequency with which employees encounter information security changes within dynamic, organizational environments.

► We investigate internal computer abuse incidents following security changes.
► Uncertainty about managerial practices breeds perceptions of lack of trust.
► Lack of trust strongly influences computer abuse incidents.
► Insiders' perception of organizational security changes must be taken into account.