Reducing internet abuse in the workplace.
Several recent articles have discussed the dangers of Internet abuse in the workplace (Verespej, 2000; Marsan, 2000). These commentaries have highlighted among other issues the losses in corporate productivity and the risks of damaging lawsuits in the wake of such abuse. Many companies, however, lack a clear vision of how to cope with Internet abuse, though some, like Xerox Corporation, are beginning to strictly implement their Internet access policies by taking measures such as firing employees who violate them (Merlino, 2000).
Internet abuse may be viewed as a kind of systems risk, i.e., the likelihood that a firm's information systems are insufficiently protected against certain kinds of damage or loss. As with systems risk, managers are generally unaware of the full range of actions they can take to reduce the problem (Straub and Welke, 1998). Therefore, an examination of research theories that have been applied to systems risk may prove relevant to Internet abuse. The general deterrence theory, drawn from the field of criminology, suggests that sanctions and disincentive measures can reduce systems abuse by making potential abusers aware that their unethical behavior will be detrimental to their own good (Pearson and Weiner, 1985).
According to this theory, strategies that can be adopted to reduce systems risk fall into four sequential activities: (1) deterrence, (2) prevention, (3) detection, and (4) remedies (Forcht, 1994). Deterrent measures include policies and guidelines for proper system use. These measures tend to be passive in that they have no inherent provision for enforcement and depend wholly on the willingness of system users to comply. Preventive measures include locks on computer room doors and password access controls, for example. These are active measures with enforcement that may ward off illegitimate use. If deterrent and preventive measures are unsuccessful in containing abuse, then detection measures can be deployed. These include proactive security responses such as suspicious activity reports, system audits and virus scanning reports, or reactive responses such as detective work after a documented breach in security. These measures gather evidence of abuse and identify perpetrators. Finally, remedies are measures that can correct the harmful effect of an abusive act and punish the perpetrators. Internal actions include warnings, reprimands, and termination of employment. Legal actions include criminal and civil suits (Straub and Welke, 1998). Theoretically, these four kinds of defense can help reduce Internet abuse.
A company can start by deploying deterrent measures. If these are not successful, it can then use preventive, detective, and finally remedial measures. There is, however, limited evidence available in practice to prove the effectiveness of these four techniques despite their strong theoretical basis. This research, therefore, seeks to empirically support the general deterrence theory in the context of Internet abuse, to provide help for practicing managers.
A two-stage methodology was adopted that consisted of interviews with managers to gather qualitative data, and a field survey of end users to gather quantitative data. Structured interviews were conducted with managers of 66 companies that allowed their employees Internet access. One manager from each of the companies was interviewed for a total of 66 responses. Forty-six of the companies were in the service sector, with the remaining companies in the manufacturing sector. The companies ranged in size from small (<500 employees, n = 38, μ = 113 employees), to medium (between 500 and 1000 employees, n = 16, μ = 871 employees), to large (>1000 employees, n = 12, μ = 12,517 employees). Of the managers interviewed, eight were in Information Systems (IS) and the remaining were non-IS. These managers were asked to describe their companies' measures to reduce Internet abuse by the employees. They identified 18 measures, which are shown in Table 1 and were used to develop the survey instrument for the second stage of the study.
Instrument Development
The survey instrument was divided into the following major sections:
(1) A definition of Internet abuse in the workplace which evolved from interviews with managers in the first stage. This definition read "Internet abuse in the workplace is defined as sending or receiving nonwork-related e-mails, accessing nonwork-related Web sites, and subscribing or contributing to nonwork-related Internet discussion groups during work hours while using the company's electronic resources."
(2) The list of 18 measures from Table 1. Respondents chose from a 1 to 7 (1 being Not Effective and 7 being Very Effective) Likert-type scale to indicate in their opinion how effective each of the 18 measures would be in reducing Internet abuse in their companies. A nineteenth question allowed them to enter a measure and rating in addition to the measures from Table 1.
(3) Two questions that asked the extent to which the employees would abuse the Internet at work if (a) none of the 18 measures were in place, (b) one or more of the 18 measures was in place. A 1 to 7 rating scale allowed the respondent to indicate that extent.
(4) Questions for demographic purposes about the organizations' and subjects' characteristics. Seven end users affiliated with an organization that provided Internet access at work volunteered to participate in a pilot of the survey instrument. The pilots resulted in minor changes to the contents and introduction to the survey.
Three instruments were personally administered by each student (total number of students = 72) enrolled in an undergraduate management information systems class of a Mid-western university to three office workers the student was acquainted with. To ensure reliability and unique responses, respondents were required to list their names and telephone numbers at the end of the survey. Completed surveys came from 192 subjects for a response rate of 89%.
Table 1 reports the perceived effectiveness of the 18 measures in reducing Internet abuse and the percentage of respondent companies actually using each measure. Factor analysis reduces a large number of items to a more manageable number, making key themes visible (Nunnally, 1978). It reveals, in effect, the items that belong together by showing which ones measure the same theme and how much they do so. A factor is thus a construct assumed to underlie a group of items or an individual one. A factor loading can be seen as the correlation between the item and a factor. Eigenvalues represent the amount of variance accounted for by given factors. Cronbach's alpha reliability coefficient measures the extent to which the items that load on a factor correlate with one another.
The factor analysis revealed four factors and explained 64.36% of the variance in the data. Table 2 shows the factor loadings. Items with loadings greater than .5 were retained, so of the 18 measures, two were dropped because of inconclusive loadings. These were "terminate employees who abuse the Internet at work" and "limit Internet access to only certain employees upon their supervisors' consent." In performing the factor analysis, we followed an iterative approach of dropping inconclusive loadings as described by Sethi and King (1994). To remove any kind of subjectivity from the analysis, we did not retain any measure that failed to load significantly on a factor. Cronbach's alpha reliability coefficients are shown in the table. The alpha values are greater than 0.6, indicating that the items in each factor do belong together. Table 2 also contains labels that the researcher applied to the factors. In general, most of the factors are meaningful sets of items, and the labels synthesizing the measures were easily identifiable because they tied in well with general deterrence theory. One factor, "explicit prevention and detection," focused on the prevention and detection of Internet abuse by monitoring the activities of employees. Another factor, "coerced prevention and detection," included measures that appeared intimidating with an intent to force employees not to abuse the Internet. A third factor, "deterrence," included four measures that appear passive and require the employee's cooperation. The last factor, "remedies," included two measures to punish offenders as well as one of cooperation with employees to allay the problem.
Multiple regression analysis shows the relationship among variables in the form of an equation. If an exact relationship does not exist, regression analysis chooses the "best" equation to describe the relationship. Regression coefficients are the coefficients of the explanatory variables in this equation. A measure of how well a multiple regression equation fits the data is provided by the coefficient of determination, R², which represents the proportion of variation in the dependent variable explained by the regression. The F statistic provides an additional measure of how well the multiple regression equation fits the data. Nonsignificance of the F-statistic implies that the explanatory variables in the regression equation are of little or no use in explaining the variation of the dependent variable.
Multiple regressions tested the relationship between the four measure factors described above and the (perceived) extent to which Internet abuse had been reduced due to the measures. Table 3 shows the results of the regression including the individual regression coefficients for each of the four factors. It also shows each factor's mean perceived effectiveness.
Discussion and Implications
This research examined the general deterrence theory to determine if it was relevant to Internet abuse. It confirms that companies do indeed use deterrent and remedial techniques to counter Internet abuse as the theory predicts. However, the other two techniques, detection and prevention, do not show up as clearly in the factor analysis. The results show that Factor 1, a combination of detection and prevention measures, which we have called "explicit prevention and detection techniques" (e.g., monitoring with special software all the Web sites visited by employees, monitoring what every computer in the company is being used for at a particular time, monitoring electronic files downloaded on employee computers to identify if they are nonwork related, monitoring all the e-mails of employees, and blocking access to nonwork-related and offensive Web sites by using Internet Filters) is the only significant (p < .05) predictor of reduction in Internet abuse. Surprisingly, the other combined technique, "coerced prevention and detection," (Factor 2) and "remedial techniques" (Factor 4) do not appear effective in reducing Internet abuse. However, as predicted by the general deterrence theory, deterrent techniques (Factor 3) that lack inherent provisions for enforcement are not perceived to be effective in reducing Internet abuse.
This research demonstrates that the general deterrence theory can be applied to Internet abuse though its predictions are not entirely supported. Future research, however, could refine and validate the measures developed here and retest the theory. Perhaps a causal model might shed light on understanding why the theory was only partially supported. An interesting point is that end users do not view coercive techniques as effective in reducing Internet abuse. Perhaps IS managers would have a different viewpoint? Replicating the study using IS managers as subjects might provide interesting results and useful comparisons.
This research helps identify for a practicing manager the measures that may be the most effective in reducing Internet abuse. It also provides a perspective of how other companies and managers are coping with this problem. An interesting revelation of the research is the wide breadth of measures that companies are using to reduce Internet abuse. Some of these may even seem to infringe upon the rights of employees (such as monitoring their screens and keystrokes), which raises ethical concerns. Should companies act as Big Brothers or could other means be used? For instance, several companies allow limited personal Internet usage to employees during their free time, after work hours, or in emergencies. A 'kinder, gentler' corporate image might in fact make employees loyal and more productive.
An interesting point is that the most widely used measure, having a written company policy barring Internet abuse (used by nearly 42% of the respondent companies), is also considered one of the least effective. This clearly suggests that companies need to give teeth to their policy statements rather than mere lip service.
In conclusion, it also helps to visit a practical consideration. Most companies already have the means to track the Internet usage of their employees but choose not to do so because of the effort involved. Some practitioners we interviewed estimated the average cost of Internet abuse to their company (in terms of lost productivity) did not exceed the annual salary of one employee. Therefore, it may not be cost justifiable to add a new staff member to the IS department simply to monitor and eliminate the abuse. Eventually, however, every company must decide for itself if the risks from Internet abuse exceed the costs of lost productivity and alienated employees.
Table 1. Measures to Reduce Internet Abuse

| Measure (Percentage of companies using this measure) | Mean | Std. Dev. |
|---|---|---|
| To block access to nonwork related and offensive web sites by using Internet Filters (23.4%) | 5.24 | 1.72 |
| To terminate employees who abuse the internet at work (22.4%) | 5.11 | 1.94 |
| To take away Internet privileges of employees who abuse the Internet at work (24%) | 4.87 | 1.64 |
| To monitor with special software all the Web Sites visited by employees (26.6%) | 4.85 | 1.53 |
| To monitor with special software what every computer in the company is being used for at a particular time (15.1%) | 4.61 | 1.82 |
| To monitor electronic files downloaded on the computers of employees to identify if they are nonwork-related (16.7%) | 4.60 | 1.71 |
| To have managers reprimand employees who abuse the Internet at work (29.2%) | 4.57 | 1.58 |
| To monitor with special software all the e-mails of employees (20.8%) | 4.51 | 1.74 |
| To limit Internet access to only certain employees upon their supervisors' consent (25.0%) | 4.30 | 1.86 |
| To allow but limit personal Internet usage to employees in their free time, or after work hours, or in emergencies (17.2%) | 4.14 | 1.82 |
| To have employees who access Internet-enabled computers at work to log their name, time in, time out, and the reason for using the Internet (6.8%) | 3.92 | 1.70 |
| To watch on cameras all employees using computers (0.5%) | 3.89 | 2.16 |
| To use an 'Internet cop' to police the workplace for Internet Abuse (5.7%) | 3.83 | 1.89 |
| To have a written company manual/policy sheet/employee handbook/memorandum stating that the Internet at work is to be used for work related purposes only (42.2%) | 3.70 | 1.73 |
| To have employees sign forms stating that they will abstain from visiting offensive Web sites while at work (21.4%) | 3.60 | 1.69 |
| To have employees agree to accept the company's 'Internet Use Policy' when logging into their computers (18.7%) | 3.55 | 1.65 |
| To arrange seminars, staff meeting, and show videotapes to educate new and old employees about Internet Abuse (4.7%) | 3.09 | 1.55 |
| To have employees with Internet access at work fill out weekly log sheets describing their Internet usage (1.6%) | 2.91 | 1.58 |

Table 2

| Measure | Factor 1 | Factor 2 | Factor 3 | Factor 4 |
|---|---|---|---|---|
| Factor 1: Explicit prevention and detection (α = .87) | | | | |
| To monitor with special software all the Web sites visited by employees | .831 | .151 | -.04 | .143 |
| To monitor with special software what every computer in the company is being used for at a particular time | .814 | .111 | .137 | .04 |
| To monitor electronic files downloaded on the computers of employees to identify if they are nonwork-related | .784 | .122 | .229 | .130 |
| To monitor with special software all the e-mails of employees | .778 | .164 | .206 | .113 |
| To block access to nonwork-related and offensive Web sites by using Internet Filters | .692 | .130 | .09 | .194 |
| Factor 2: Coerced prevention and detection (α = .80) | | | | |
| To watch on cameras all employees using computers | .034 | .808 | .036 | .195 |
| To have employees with Internet access at work fill out weekly log sheets describing their Internet usage | .099 | .792 | .171 | .092 |
| To use an 'Internet cop' to police the workplace for Internet abuse | .157 | .759 | .147 | .010 |
| To have employees who access Internet enabled computers at work to log their name, time in, time out, and the reason for using the Internet | .027 | .749 | .043 | .325 |
| Factor 3: Deterrence (α = .75) | | | | |
| To have employees agree to accept the company's 'Internet Use Policy' when logging into their computers | .105 | .08 | .781 | .253 |
| To have a written company manual/policy sheets/employee handbook/memorandum stating that the Internet at work is to be used for work related purposes only | .140 | .03 | .767 | .118 |
| To arrange seminars, staff meetings, and show videotapes to educate new and old employees about Internet abuse | .133 | .126 | .636 | .252 |
| To have employees sign forms stating that they will abstain from visiting offensive Web sites while at work | .140 | .367 | .613 | -.07 |
| Factor 4: Remedies (α = .67) | | | | |
| To take away Internet privileges of employees who abuse the Internet at work | .260 | .09 | .123 | .792 |
| To have managers reprimand employees who abuse the Internet at work | .155 | .487 | .117 | .646 |
| To allow but limit personal Internet usage to employees in their free time, or after work hours, or in emergencies | .109 | .06 | .321 | .617 |
| Eigenvalue | 12.21 | 2.63 | 1.36 | 1.31 |
| % of Total Variance Explained | 35.48 | 12.16 | 9.83 | 6.89 |
| Cumulative Variance Explained | 35.48 | 47.64 | 57.47 | 64.36 |

Table 3

| Factor (Mean Importance) | Regression Coefficients |
|---|---|
| 1: Explicit prevention and detection (4.78) | .180 * |
| 2: Remedies (4.53) | .057 |
| 3: Coerced prevention and detection (3.63) | .057 |
| 4: Deterrence (3.49) | .014 |
| R² | .06 |
| F | 2.52 * |

* p ≤ .05

Blumstein, A. (1978). Introduction. In A. Blumstein, J. Cohen, & D. Nagin (Eds.), Deterrence and incapacitation: Estimating the effects of criminal sanctions on crime rates. Washington D.C.: National Academy of Sciences.
Forcht, K. A. (1994). Computer security management. Danvers, MA: Boyd and Fraser.
Marsan, C. D. (2000, April 24). Employee study cites rampant Internet abuse. Network World, 17, 38.
Merlino, L. (2000). Employers laid back over Internet abuse. Upside, 12 (5), 46.
Nunnally, J. C. (1978). Psychometric research. New York: McGraw-Hill.
Pearson, F. S., & Weiner, N. A. (1985, Winter). Toward an integration of criminological theories. Journal of Crime and Criminology, 116-150.
Sethi, V., & King, W. (1994). Development of measures to assess the extent to which an information technology application provides competitive advantage. Management Science, 40 (12), 1601-1627.
Straub, D. W. (1990). Effective IS security: An empirical study. Information Systems Research, 1 (3), 255-276.
Straub, D. W., & Welke, R. J. (1998, December). Coping with systems risk: Planning models for management decision making. MIS Quarterly, 441-469.
Verespej, M. A. (2000, February 7). Internet surfing. Industry Week, 249 (3), 58-64.
Dr. Mirchandani teaches information systems management and focuses his research on information systems planning and electronic commerce. He has also published widely in journals and conference proceedings. Dr. Motwani has published more than 100 articles in the areas of competitive strategies, inventory management, technology management, quality management, and health care management. He also serves as consultant, trainer, and facilitator in the fields of total quality management, project management, and customer services.