{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,17]],"date-time":"2025-10-17T14:01:08Z","timestamp":1760709668944,"version":"3.41.0"},"reference-count":48,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2018,7,25]],"date-time":"2018-07-25T00:00:00Z","timestamp":1532476800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100019279","name":"Korea University Business School","doi-asserted-by":"crossref","award":["IBRE Award"],"award-info":[{"award-number":["IBRE Award"]}],"id":[{"id":"10.13039\/501100019279","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGMIS Database"],"published-print":{"date-parts":[[2018,7,25]]},"abstract":"<jats:p>Information leakage is a major concern for organizations. As information travels through the organization's eco-system, perimeter-based defense is no longer sufficient. Rather, organizations are implementing data-centric solutions that persist throughout the information life-cycle regardless of its location. Enterprise rights management (ERM) systems are an example of persistent data-centric security. ERM defines specific access rules as an instantiation of organizational information security policies and has been suggested as means of role-based access permissions control. Yet, evidence shows that employees often circumvent or work around organizational security rules and policies since these controls hinder task-performance. In this exploratory case study, we use the theory of workarounds as a lens to examine users' workaround behavior. We introduce an empowerment-based ERM system highlighting users' permission to override provisionally assigned access rules. The concept of empowered security policies is novel and presents a shift in the current security compliance paradigm. Subsequently, we compare users' compliance intention between empowered ERM users and conventional ERM users. Our descriptive results indicate that circumventing intention is lower while perceived responsibility and task-performance benefits are higher for the empowered ERM users than for the conventional ERM users. Compliance intention is higher for conventional ERM users than for empowered ERM users.<\/jats:p>","DOI":"10.1145\/3242734.3242739","type":"journal-article","created":{"date-parts":[[2018,7,26]],"date-time":"2018-07-26T11:58:04Z","timestamp":1532606284000},"page":"54-77","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":14,"title":["Rethinking the Prevailing Security Paradigm"],"prefix":"10.1145","volume":"49","author":[{"given":"Soohyun","family":"Jeon","sequence":"first","affiliation":[{"name":"Bang College of Business, KIMEP University"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Anat","family":"Hovav","sequence":"additional","affiliation":[{"name":"Korea University Business School, Seoul, South Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jinyoung","family":"Han","sequence":"additional","affiliation":[{"name":"Chung-Ang University, Seoul, South Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Steven","family":"Alter","sequence":"additional","affiliation":[{"name":"University of San Francisco, San Francisco, CA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2018,7,25]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1016\/0749-5978(91)90020-T"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.17705\/1CAIS.03455"},{"key":"e_1_2_1_3_1","volume-title":"Proceedings of the 21st Americas Conference on Information Systems (pp. 1--12)","author":"Alter S.","year":"2015","unstructured":"Alter , S. ( 2015 ). Beneficial noncompliance and detrimental compliance: Expected paths to unintended consequences . In Proceedings of the 21st Americas Conference on Information Systems (pp. 1--12) , Puerto Rico. Alter, S. (2015). Beneficial noncompliance and detrimental compliance: Expected paths to unintended consequences. In Proceedings of the 21st Americas Conference on Information Systems (pp. 1--12), Puerto Rico."},{"issue":"3","key":"e_1_2_1_4_1","first-page":"99","article-title":"Teaching smart people how to learn","volume":"69","author":"Argyris C.","year":"1991","unstructured":"Argyris , C. ( 1991 ). Teaching smart people how to learn . Harvard Business Review , 69 ( 3 ), 99 -- 109 . Argyris, C. (1991). Teaching smart people how to learn. Harvard Business Review, 69(3), 99--109.","journal-title":"Harvard Business Review"},{"key":"e_1_2_1_5_1","volume-title":"Proceedings of the 4th Information Security South Africa (pp. 1--15)","author":"Arnab A.","year":"2004","unstructured":"Arnab , A. , & Hutchison , A. ( 2004 ). Digital rights management-An overview of current challenges and solutions . Proceedings of the 4th Information Security South Africa (pp. 1--15) , Midrand, South Africa. Arnab, A., & Hutchison, A. (2004). Digital rights management-An overview of current challenges and solutions. Proceedings of the 4th Information Security South Africa (pp. 1--15), Midrand, South Africa."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1197\/jamia.M1471"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1016\/S1361-3723(09)70032-6"},{"key":"e_1_2_1_8_1","volume-title":"Data-centric security","author":"Bilger M.","year":"2006","unstructured":"Bilger , M. , O'Connor , L. , Schunter , M. , Swimmer , M. , & Zunic , N. ( 2006 ). Data-centric security . IBM Corporation . Retrieved from http:\/\/www-935.ibm.com\/services\/us\/cio\/risk\/gov_wp_data_centric. pdf Bilger, M., O'Connor, L., Schunter, M., Swimmer, M., & Zunic, N. (2006). Data-centric security. IBM Corporation. Retrieved from http:\/\/www-935.ibm.com\/services\/us\/cio\/risk\/gov_wp_data_centric. pdf"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.25300\/MISQ\/2015\/39.4.5"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1111\/j.1744-6570.1993.tb01571.x"},{"key":"e_1_2_1_11_1","volume-title":"Enterprise digital rights management {PowerPoint slides}. Provided by Fasoo during the interview process","author":"Cho K.","year":"2011","unstructured":"Cho , K. ( 2011 ). Enterprise digital rights management {PowerPoint slides}. Provided by Fasoo during the interview process . Cho, K. (2011). Enterprise digital rights management {PowerPoint slides}. Provided by Fasoo during the interview process."},{"key":"e_1_2_1_12_1","volume-title":"Data leakage worldwide: The effectiveness of security policies. CISCO.","author":"Cisco","year":"2008","unstructured":"Cisco . ( 2008 ). Data leakage worldwide: The effectiveness of security policies. CISCO. Retrieved from http:\/\/www.cisco.com\/c\/en\/us\/solutions\/collateral\/enterprise-networks\/data-loss-prevention\/white_paper_c11--503131.pdf Cisco. (2008). Data leakage worldwide: The effectiveness of security policies. CISCO. Retrieved from http:\/\/www.cisco.com\/c\/en\/us\/solutions\/collateral\/enterprise-networks\/data-loss-prevention\/white_paper_c11--503131.pdf"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.5465\/amr.1988.4306983"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1037\/h0087212"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1287\/isre.1070.0160"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.2753\/MIS0742-1222310210"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.5465\/amr.1989.4308385"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0147-1767(99)00002-4"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1057\/palgrave.ejis.3000629"},{"key":"e_1_2_1_20_1","volume-title":"Belief, attitude, intention and behavior: An introduction to theory and research","author":"Fishbein M.","year":"1975","unstructured":"Fishbein , M. , & Ajzen , I. ( 1975 ). Belief, attitude, intention and behavior: An introduction to theory and research . Reading, MA : Addison-Wesley Publishing Co. Fishbein, M., & Ajzen, I. (1975). Belief, attitude, intention and behavior: An introduction to theory and research. Reading, MA: Addison-Wesley Publishing Co."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/214427.214429"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/BDIM.2007.375015"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.5555\/1850636.1850638"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.pmcj.2016.06.007"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.5555\/2017470.2017478"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/1056808.1056966"},{"key":"e_1_2_1_27_1","first-page":"215","article-title":"Workarounds to computer access in healthcare organizations: You want my password or a dead patient","volume":"208","author":"Koppel R.","year":"2015","unstructured":"Koppel , R. , Smith , S. , Blythe , J. , & Kothari , V. ( 2015 ). Workarounds to computer access in healthcare organizations: You want my password or a dead patient ? Studies in Health Technology and Informatics , 208 , 215 -- 220 . Koppel, R., Smith, S., Blythe, J., & Kothari, V. (2015). Workarounds to computer access in healthcare organizations: You want my password or a dead patient? Studies in Health Technology and Informatics, 208, 215--220.","journal-title":"Studies in Health Technology and Informatics"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0925-7535(97)00073-8"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1111\/isj.12043"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1111\/isj.12063"},{"issue":"1","key":"e_1_2_1_31_1","first-page":"40","article-title":"Exception based enterprise rights management: Towards a paradigm shift in information security and policy management","volume":"1","author":"Morin J. H.","year":"2008","unstructured":"Morin , J. H. ( 2008 ). Exception based enterprise rights management: Towards a paradigm shift in information security and policy management . International Journal on Advances in Systems and Measurements , 1 ( 1 ), 40 -- 49 . Morin, J. H. (2008). Exception based enterprise rights management: Towards a paradigm shift in information security and policy management. International Journal on Advances in Systems and Measurements, 1(1), 40--49.","journal-title":"International Journal on Advances in Systems and Measurements"},{"key":"e_1_2_1_32_1","volume-title":"France.","author":"Morin J. H.","year":"2014","unstructured":"Morin , J. H. ( 2014 ). La responsabilit\u00e9 num\u00e9rique: Restaurer la confiance \u00e0 l'\u00e8re du num\u00e9rique. FYP Edition , France. Morin, J. H. (2014). La responsabilit\u00e9 num\u00e9rique: Restaurer la confiance \u00e0 l'\u00e8re du num\u00e9rique. FYP Edition, France."},{"key":"e_1_2_1_33_1","volume-title":"From digital rights management to enterprise rights and policy management: Challenges and opportunities (pp. 169--188)","author":"Morin J.","year":"2007","unstructured":"Morin , J. , & Pawlak , M. ( 2007 ). From digital rights management to enterprise rights and policy management: Challenges and opportunities (pp. 169--188) . Hershey, PA : IGI Global . Morin, J., & Pawlak, M. (2007). From digital rights management to enterprise rights and policy management: Challenges and opportunities (pp. 169--188). Hershey, PA: IGI Global."},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/947380.947391"},{"key":"e_1_2_1_35_1","volume-title":"Proceedings of the 16th Comptuer Security Applications Conference (pp. 224--233)","author":"Park J.","year":"2000","unstructured":"Park , J. , Sandhu , R. , & Schifalacqua , J. ( 2000 ). Security architectures for controlled digital informaiton dissemination . Proceedings of the 16th Comptuer Security Applications Conference (pp. 224--233) , New Orleans, USA. Park, J., Sandhu, R., & Schifalacqua, J. (2000). Security architectures for controlled digital informaiton dissemination. Proceedings of the 16th Comptuer Security Applications Conference (pp. 224--233), New Orleans, USA."},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2011.05.002"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.2015.1138374"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2006.10.004"},{"key":"e_1_2_1_39_1","volume-title":"A design theory for information security awareness","author":"Puhakainen P.","year":"2006","unstructured":"Puhakainen , P. ( 2006 ). A design theory for information security awareness . Oulu, Finland : University of Oulu Press. Puhakainen, P. (2006). A design theory for information security awareness. Oulu, Finland: University of Oulu Press."},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/1610252.1610289"},{"issue":"5","key":"e_1_2_1_41_1","doi-asserted-by":"crossref","first-page":"1442","DOI":"10.2307\/256865","article-title":"Psychological empowerment in the workplace: Dimensions, measurement, and validation","volume":"38","author":"Spreitzer G. M.","year":"1995","unstructured":"Spreitzer , G. M. ( 1995 ). Psychological empowerment in the workplace: Dimensions, measurement, and validation . Academy of Management Journal , 38 ( 5 ), 1442 -- 1465 . Spreitzer, G. M. (1995). Psychological empowerment in the workplace: Dimensions, measurement, and validation. Academy of Management Journal, 38(5), 1442--1465.","journal-title":"Academy of Management Journal"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0022-4359(01)00041-0"},{"key":"e_1_2_1_43_1","volume-title":"Aia Software.","author":"Van Beek M. H.","year":"2007","unstructured":"Van Beek , M. H. ( 2007 ). Comparison of enterprise digital rights management systems. Advice report , Aia Software. Retrieved from http:\/\/www.cs.ru.nl\/mtl\/scripties\/2007\/MartijnVanBeekScriptie.pdf Van Beek, M. H. (2007). Comparison of enterprise digital rights management systems. Advice report, Aia Software. Retrieved from http:\/\/www.cs.ru.nl\/mtl\/scripties\/2007\/MartijnVanBeekScriptie.pdf"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/1330311.1330320"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.25300\/MISQ\/2013\/37.1.01"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.chb.2008.04.005"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infoandorg.2009.06.001"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1016\/S1361-3723(00)10029-6"}],"container-title":["ACM SIGMIS Database: the DATABASE for Advances in Information Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3242734.3242739","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3242734.3242739","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T00:57:22Z","timestamp":1750208242000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3242734.3242739"}},"subtitle":["Can User Empowerment with Traceability Reduce the Rate of Security Policy Circumvention?"],"short-title":[],"issued":{"date-parts":[[2018,7,25]]},"references-count":48,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2018,7,25]]}},"alternative-id":["10.1145\/3242734.3242739"],"URL":"https:\/\/doi.org\/10.1145\/3242734.3242739","relation":{},"ISSN":["0095-0033","1532-0936"],"issn-type":[{"type":"print","value":"0095-0033"},{"type":"electronic","value":"1532-0936"}],"subject":[],"published":{"date-parts":[[2018,7,25]]},"assertion":[{"value":"2018-07-25","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}