{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:18:37Z","timestamp":1754158717796,"version":"3.41.2"},"reference-count":53,"publisher":"Emerald","issue":"5","license":[{"start":{"date-parts":[[2017,11,13]],"date-time":"2017-11-13T00:00:00Z","timestamp":1510531200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,11,13]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title><jats:p>This study aims to explore the challenges that the escalation of commitment poses to information security.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title><jats:p>Two distinct scenarios of escalation behavior are presented based on literature review. Psychological, organizational and economic theories on escalation of commitment are reviewed and applied to the area of information security.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Findings<\/jats:title><jats:p>Escalation of commitment involves continuation of a course of action after receiving negative information about it. In the information security compliance context, escalation affects a firm when an employee decides to break the firm\u2019s information security policy to complete a failing task. In the information security investment context, escalation occurs if a manager continues investment in policies and solutions that are ineffective because of psychological, organizational or economic factors. Both of these types of escalation may be prevented with de-escalation techniques including a change in management or rotation of duties, monitoring, auditing and governance mechanisms.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title><jats:p>Implications of escalation of commitment behavior for information security decision-makers and for future research are discussed.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title><jats:p>This study complements the literature by establishing the context of escalation of commitment in decisions related to information security and reviewing managerial and economic theories on escalation of commitment.<\/jats:p><\/jats:sec>","DOI":"10.1108\/ics-02-2016-0015","type":"journal-article","created":{"date-parts":[[2017,10,3]],"date-time":"2017-10-03T19:12:43Z","timestamp":1507057963000},"page":"580-592","source":"Crossref","is-referenced-by-count":6,"title":["Escalation of commitment and information security: theories and implications"],"prefix":"10.1108","volume":"25","author":[{"given":"Dmitriy V.","family":"Chulkov","sequence":"first","affiliation":[]}],"member":"140","reference":[{"issue":"1","key":"key2020120419532238200_ref001","doi-asserted-by":"crossref","first-page":"124","DOI":"10.1016\/0749-5978(85)90049-4","article-title":"The psychology of sunk cost","volume":"35","year":"1985","journal-title":"Organizational Behaviour and Human Decision Processes"},{"issue":"1","key":"key2020120419532238200_ref002","doi-asserted-by":"crossref","first-page":"70","DOI":"10.1287\/isre.10.1.70","article-title":"A case for using real options pricing analysis to evaluate information technology project investments","volume":"10","year":"1999","journal-title":"Information Systems Research"},{"issue":"1","key":"key2020120419532238200_ref003","doi-asserted-by":"crossref","first-page":"39","DOI":"10.5465\/amr.1992.4279568","article-title":"The escalation of commitment to a failing course of action: toward theoretical progress","volume":"17","year":"1992","journal-title":"Academy of Management Review"},{"volume-title":"Entrapment in Escalating Conflicts: A Social Psychological Analysis","year":"1985","key":"key2020120419532238200_ref004"},{"key":"key2020120419532238200_ref005","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"issue":"3","key":"key2020120419532238200_ref006","doi-asserted-by":"crossref","first-page":"431","DOI":"10.3233\/JCS-2003-11308","article-title":"The economic cost of publicly announced information security breaches: empirical evidence from the stock market","volume":"11","year":"2003","journal-title":"Journal of Computer Security"},{"key":"key2020120419532238200_ref007","first-page":"65","article-title":"Economics of IT security management: four improvements to current security practices","volume":"14","year":"2004","journal-title":"Communications of the Association for Information Systems"},{"key":"key2020120419532238200_ref008","doi-asserted-by":"crossref","first-page":"53","DOI":"10.1080\/15536548.2010.10855881","article-title":"Making sound security investment decisions","volume":"6","year":"2010","journal-title":"Journal of Information Privacy & Security"},{"issue":"4","key":"key2020120419532238200_ref009","doi-asserted-by":"crossref","first-page":"324","DOI":"10.1108\/09685220810908769","article-title":"Escalation and premature termination in MIS projects: the role of real options","volume":"16","year":"2008","journal-title":"Information Management & Computer Security"},{"issue":"2","key":"key2020120419532238200_ref010","doi-asserted-by":"crossref","first-page":"402","DOI":"10.2307\/256529","article-title":"The role of project completion information in resource allocation decisions","volume":"36","year":"1993","journal-title":"Academy of Management Journal"},{"key":"key2020120419532238200_ref011","doi-asserted-by":"crossref","first-page":"162","DOI":"10.1016\/j.cose.2014.12.006","article-title":"Improving the information security culture through monitoring and implementation actions illustrated through a case study","volume":"49","year":"2015","journal-title":"Computers & Security"},{"key":"key2020120419532238200_ref012","first-page":"29","article-title":"Escalation of commitment in MIS projects: a meta-analysis","volume":"13","year":"2009","journal-title":"International Journal of Management & Information Systems"},{"issue":"4","key":"key2020120419532238200_ref013","doi-asserted-by":"crossref","first-page":"71","DOI":"10.1080\/07421222.1991.11517904","article-title":"Justifying investments in new information technologies","volume":"7","year":"1991","journal-title":"Journal of Management Information Systems"},{"issue":"3","key":"key2020120419532238200_ref014","doi-asserted-by":"crossref","first-page":"170","DOI":"10.1057\/palgrave.jit.2000046","article-title":"What we never have, we never miss? Decision error and the risks of premature termination","volume":"20","year":"2005","journal-title":"Journal of Information Technology"},{"volume-title":"A Theory of Cognitive Dissonance","year":"1957","key":"key2020120419532238200_ref015"},{"issue":"4","key":"key2020120419532238200_ref016","doi-asserted-by":"crossref","first-page":"438","DOI":"10.1145\/581271.581274","article-title":"The economics of information security investment","volume":"5","year":"2002","journal-title":"ACM Transactions on Information and System Security"},{"key":"key2020120419532238200_ref017","first-page":"1","article-title":"Information security expenditures and real options: a wait-and-see approach","volume":"19","year":"2003","journal-title":"Computer Security Journal"},{"volume-title":"Managing Cybersecurity Resources: A Cost-Benefit Analysis","year":"2006","key":"key2020120419532238200_ref018"},{"key":"key2020120419532238200_ref019","doi-asserted-by":"crossref","first-page":"377","DOI":"10.1108\/09685220810908796","article-title":"Implementation and effectiveness of organizational information security measures","volume":"16","year":"2008","journal-title":"Information Management & Computer Security"},{"issue":"1","key":"key2020120419532238200_ref020","doi-asserted-by":"crossref","first-page":"99","DOI":"10.1016\/S0378-7206(03)00030-2","article-title":"De-escalation of commitment in software projects: who matters? What matters?","volume":"41","year":"2003","journal-title":"Information & Management"},{"issue":"3","key":"key2020120419532238200_ref021","first-page":"337","article-title":"Investments in information security: a real options perspective with Bayesian post audit","volume":"25","year":"2009","journal-title":"Journal of Management Information Systems"},{"issue":"2","key":"key2020120419532238200_ref022","doi-asserted-by":"crossref","first-page":"154","DOI":"10.1016\/j.dss.2009.02.005","article-title":"Encouraging information security behaviours in organizations: role of penalties, pressures and perceived effectiveness","volume":"47","year":"2009","journal-title":"Decision Support Systems"},{"issue":"2","key":"key2020120419532238200_ref023","doi-asserted-by":"crossref","first-page":"793","DOI":"10.1016\/j.ijpe.2008.04.002","article-title":"An economic analysis of the optimal information security investment in the case of a risk-averse firm","volume":"114","year":"2008","journal-title":"International Journal of Production Economics"},{"issue":"3","key":"key2020120419532238200_ref024","doi-asserted-by":"crossref","first-page":"231","DOI":"10.1057\/ejis.2015.15","article-title":"Dispositional and situational factors: influences on information security policy violations","volume":"25","year":"2016","journal-title":"European Journal of Information Systems"},{"issue":"2","key":"key2020120419532238200_ref025","doi-asserted-by":"crossref","first-page":"263","DOI":"10.2307\/1914185","article-title":"Prospect theory: an analysis of decision under risk","volume":"47","year":"1979","journal-title":"Econometrica"},{"year":"2013","key":"key2020120419532238200_ref026","article-title":"Assessing self-justification as an antecedent of noncompliance with information security policies"},{"first-page":"3169","article-title":"Assessing Sunk cost effect on employees\u2019 intentions to violate information security policies in organizations","year":"2014","key":"key2020120419532238200_ref027"},{"issue":"1","key":"key2020120419532238200_ref028","doi-asserted-by":"crossref","first-page":"59","DOI":"10.2307\/2491207","article-title":"Escalation errors and the sunk cost effect: an explanation based on reputation and information asymmetries","volume":"27","year":"1989","journal-title":"Journal of Accounting Research"},{"issue":"4","key":"key2020120419532238200_ref029","doi-asserted-by":"crossref","first-page":"421","DOI":"10.2307\/249627","article-title":"Pulling the plug: software project management and the problem of project escalation","volume":"19","year":"1995","journal-title":"MIS Quarterly"},{"key":"key2020120419532238200_ref030","first-page":"40","article-title":"The nature and extent of information technology escalation: results from a survey of information systems audit and control professionals","volume":"1","year":"1997","journal-title":"IS Audit and Control Journal"},{"issue":"4","key":"key2020120419532238200_ref031","doi-asserted-by":"crossref","first-page":"63","DOI":"10.1080\/07421222.1999.11518222","article-title":"Turning around troubled software projects: an exploratory study of the de-escalation of commitment to failing courses of action","volume":"15","year":"1999","journal-title":"Journal of Management Information Systems"},{"issue":"4","key":"key2020120419532238200_ref032","doi-asserted-by":"crossref","first-page":"631","DOI":"10.2307\/3250950","article-title":"Why software projects escalate: an empirical analysis of four theoretical models","volume":"24","year":"2000","journal-title":"MIS Quarterly"},{"issue":"2","key":"key2020120419532238200_ref033","doi-asserted-by":"crossref","first-page":"153","DOI":"10.1142\/S0219649207001688","article-title":"Prediction of IS project escalation based on software development risk management","volume":"6","year":"2007","journal-title":"Journal of Information & Knowledge Management"},{"issue":"4","key":"key2020120419532238200_ref034","doi-asserted-by":"crossref","first-page":"904","DOI":"10.1016\/j.dss.2011.02.009","article-title":"Profit-maximizing firm investments in customer information security","volume":"51","year":"2011","journal-title":"Decision Support Systems"},{"issue":"2","key":"key2020120419532238200_ref035","doi-asserted-by":"crossref","first-page":"173","DOI":"10.2307\/249574","article-title":"Threats to information systems: today\u2019s reality, yesterday\u2019s understanding","volume":"16","year":"1992","journal-title":"MIS Quarterly"},{"issue":"2","key":"key2020120419532238200_ref036","doi-asserted-by":"crossref","first-page":"239","DOI":"10.1111\/j.1540-5915.2008.00191.x","article-title":"Information technology project escalation: a process model","volume":"39","year":"2008","journal-title":"Decision Sciences"},{"issue":"3","key":"key2020120419532238200_ref037","doi-asserted-by":"crossref","first-page":"417","DOI":"10.2307\/3250968","article-title":"De-escalating information technology projects: lessons from the denver international airport","volume":"24","year":"2000","journal-title":"MIS Quarterly"},{"key":"key2020120419532238200_ref038","unstructured":"Open Security Foundation (2016), Data Loss Statistics, available at: www.datalossdb.org (accessed 15 December 2016)."},{"issue":"1","key":"key2020120419532238200_ref039","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1111\/j.1365-2575.2006.00209.x","article-title":"Escalation and de-escalation of commitment: a commitment transformation analysis of an e-government project","volume":"16","year":"2006","journal-title":"Information Systems Journal"},{"key":"key2020120419532238200_ref040","unstructured":"PriceWaterhouseCoopers (2016), Global Economic Crime Survey 2016: Cybercrime, available at: www.pwc.com\/crimesurvey (accessed 15 December 2016)."},{"issue":"8","key":"key2020120419532238200_ref041","doi-asserted-by":"crossref","first-page":"781","DOI":"10.1016\/S0378-7206(02)00104-0","article-title":"Escalating commitment to information system projects: findings from two simulated experiments","volume":"40","year":"2003","journal-title":"Information & Management"},{"issue":"5","key":"key2020120419532238200_ref042","doi-asserted-by":"crossref","first-page":"1023","DOI":"10.1111\/jpim.12142","article-title":"De\u2010escalation mechanisms in high\u2010technology product innovation","volume":"31","year":"2014","journal-title":"Journal of Product Innovation Management"},{"issue":"4","key":"key2020120419532238200_ref043","doi-asserted-by":"crossref","first-page":"419","DOI":"10.1037\/0021-9010.77.4.419","article-title":"De-escalation strategies: a comparison of techniques for reducing commitment to losing courses of action","volume":"77","year":"1992","journal-title":"Journal of Applied Psychology"},{"key":"key2020120419532238200_ref044","doi-asserted-by":"crossref","first-page":"487","DOI":"10.2307\/25750688","article-title":"Neutralization: new insights into the problem of employee information systems security policy violations","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"issue":"2","key":"key2020120419532238200_ref045","doi-asserted-by":"crossref","first-page":"124","DOI":"10.1016\/j.cose.2004.07.001","article-title":"Analysis of end user security behaviors","volume":"24","year":"2005","journal-title":"Computers & Security"},{"key":"key2020120419532238200_B45a","doi-asserted-by":"crossref","first-page":"27","DOI":"10.1016\/0030-5073(76)90005-2","article-title":"Knee-deep in the big muddy: a study of escalating commitment to a chosen course of action","volume":"16","year":"1976","journal-title":"Organizational Behavior and Human Performance"},{"key":"key2020120419532238200_ref046","first-page":"39","article-title":"Behavior in escalation situations: antecedents, prototypes, and solutions","volume-title":"Research in Organizational Behavior","year":"1987"},{"issue":"6","key":"key2020120419532238200_ref047","doi-asserted-by":"crossref","first-page":"664","DOI":"10.2307\/2089195","article-title":"Techniques of neutralization: a theory of delinquency","volume":"22","year":"1957","journal-title":"American Sociological Review"},{"issue":"3","key":"key2020120419532238200_ref048","doi-asserted-by":"crossref","first-page":"357","DOI":"10.1111\/j.1540-5414.2006.00131.x","article-title":"Information systems project continuation in escalation situations: a real options model","volume":"37","year":"2006","journal-title":"Decision Sciences"},{"issue":"4","key":"key2020120419532238200_ref049","doi-asserted-by":"crossref","first-page":"476","DOI":"10.1016\/j.cose.2009.10.005","article-title":"Information security culture: a management perspective","volume":"29","year":"2010","journal-title":"Computers & Security"},{"issue":"2","key":"key2020120419532238200_ref050","doi-asserted-by":"crossref","first-page":"311","DOI":"10.5465\/amr.1986.4283111","article-title":"Escalating commitment to a course of action: a reinterpretation","volume":"11","year":"1986","journal-title":"Academy of Management Review"},{"issue":"4","key":"key2020120419532238200_ref051","doi-asserted-by":"crossref","first-page":"304","DOI":"10.1016\/j.infoandorg.2006.08.001","article-title":"Understanding the perpetration of employee computer crime in the organisational context","volume":"16","year":"2006","journal-title":"Information and Organization"},{"key":"key2020120419532238200_ref052","doi-asserted-by":"crossref","first-page":"1","DOI":"10.25300\/MISQ\/2013\/37.1.01","article-title":"Beyond deterrence: an expanded view of employee computer abuse","volume":"37","year":"2013","journal-title":"MIS Quarterly"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-02-2016-0015\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-02-2016-0015\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:40Z","timestamp":1753406560000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/5\/580-592\/189045"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,11,13]]},"references-count":53,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2017,11,13]]}},"alternative-id":["10.1108\/ICS-02-2016-0015"],"URL":"https:\/\/doi.org\/10.1108\/ics-02-2016-0015","relation":{},"ISSN":["2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2017,11,13]]}}}