Information security is more than just policy; it is in your personality

Even with clear and often strict policies in place, backed by clear sanctions, employees are still considered to be the weakest link in the field of information security (IS). This paper seeks one explanation for this phenomenon in a military context by exploring military cadets’ attitudes towards IS, as well as their reasons and justifications for using neutralisation techniques in order to transgress organisational IS regulations. These techniques are as follows: Condemnation of the condemners, The Metaphor of the ledger, Denial of injury, Denial of responsibility, Appeal to higher loyalties and Defence of necessity. A total of 144 military cadets completed a survey assessing their use of neutralisation techniques (Siponen & Vance 2010), in addition to assessing their personality with the Five Factor (Konstabel et al. 2012) and the Dark Triad (Jones & Paulhus, 2014) models of personality. The results suggest that a more individualised approach in IS education could be useful. Understanding how one’s personality can sensitise one to certain kinds of neutralisation techniques can help an individual to acknowledge his or her strengths and vulnerabilities in IS behaviour.