Examining the Neural Basis of Information Security Policy Violations: A Noninvasive Brain Stimulation Approach

Non-malicious information security policy (ISP) violations can cause organizations significant harm. In this paper, we aim to extend the understanding of why employees engage in such acts. A large body of ISP violation research has been based on the tenet that people violate ISPs to obtain personal benefit as explained by rational choice and expectancy theories, but this assumption has only been weakly tested, using mostly correlational approaches. Our objective is to improve the causal basis for this argument by using a noninvasive brain stimulation (NIBS) technique, which actually modulates brain activity in regions of the brain that process value/gain assessments. Therefore, it can substantially increase the claim of causality: that potential rewards lead to ISP violations. To do so, we build on expectancy theory and neuroscience knowledge to theorize why reducing the excitability of neurons in the left dorsolateral prefrontal cortex (L DLPFC) can lower the endorsement of ISP violations. We test this idea in four experiments in which we use a NIBS technique called high-definition direct current stimulation (HD-tDCS). Our findings support the assertion that the L DLPFC is likely involved in the expectancy theory of ISP violations, and that endorsing such violations can be experimentally adjusted with NIBS techniques. These findings extend the understanding of cybersecurity behaviors, improve the causal support for the common assumption made by rational choice theory studies that ISP violations are motivated through perceived benefits, point to the need to consider the L DLPFC in research on positively valenced (or attractive) technology-mediated actions, and pave the way for future use of brain stimulation techniques in information systems research.