Ig/fiOrJfos/o^ $cs Ob!SJf EFFECT OF ACCEPTABLE USE POLICY ON EMPLOYEE COMPUTER USE: CASE OF SRI LANKAN SOFTWARE DEVELOPMENT ORGANIZATIONS MASTER OF BUSINESS ADMINISTRATION IN INFORMATION TECHNOLOGY University of Moratuwa 92265 CZ>~fc tTr'A l H C. fucL-4: cj T.R. Liyanagunawardena Department of Computer Science & Engineering University of Moratuwa December 2007 9z%6£ oo>A^°^ / 922G5 EFFECT OF ACCEPTABLE USE POLICY ON EMPLOYEE COMPUTER USE: CASE OF SRI LANKAN SOFTWARE DEVELOPMENT ORGANIZATIONS By T.R. Liyanagunwardena The Dissertation was submitted to the Department of Computer Science & Engineering of the University of Moratuwa in partial fulfillment of the requirement for the Degree of Master of Business Administration. Department of Computer Science & Engineering University of Moratuwa December 2007 A*> -o - DECLARATION “I certify that this thesis does not incorporate without acknowledgement any material previously submitted for a degree or diploma in any university to the best of my knowledge and believe it does not contain any material previously published, written or orally communicated by another person or myself except where due reference is made in the text. I also hereby give consent for my dissertation, if accepted, to be made available for photocopying and for interlibrary loans, and for the title and summary to be available to outside organizations” a^;0|;£1008 Signature of the Candidate Date To the best of my knowledge, the above particulars are correct. Supervisor A. T. L. K. Samarasinghe Head Department of Electronic & Telecommunication Engineering University or Moratuwa, Sri Lanka i TABLE OF CONTENTS ABSTRACT........................................................................................................................ 1 ACKNOWLEDGEMENT .................................................................................................. 2 ACRONYMS...................................................................................................................... 3 CHAPTER 1 – BACKGROUND ....................................................................................... 4 1.1 Introduction............................................................................................................... 4 1.2 Motivation................................................................................................................. 5 1.3 Problem Statement .................................................................................................... 6 1.4 Objectives ................................................................................................................. 6 1.5 Importance/ Benefits of the Study ............................................................................ 6 1.6 Research Design........................................................................................................ 7 1.7 Brief Review on Literature ....................................................................................... 8 1.8 Nature and Form of Results ...................................................................................... 9 CHAPTER 2 – LITERATURE REVIEW ........................................................................ 10 2.1 Introduction............................................................................................................. 10 2.2 Information Systems Misuse................................................................................... 11 2.3 Areas of Work Computer Misuse ........................................................................... 11 2.4 Consequences of Misuse......................................................................................... 12 2.5 Controlling Misuse of Work Computers................................................................. 13 2.6 Acceptable Use ....................................................................................................... 15 2.7 Effectiveness of Acceptable Use Policy ................................................................. 16 2.8 Awareness ............................................................................................................... 17 2.9 Factors Influencing Computer Misuse.................................................................... 19 CHAPTER 3 – RESEARCH DESIGN............................................................................. 22 3.1 Nature of the Study ................................................................................................. 22 3.2 Research Approach ................................................................................................. 23 3.3 Working Definitions ............................................................................................... 24 3.4 Theoretical Framework........................................................................................... 25 3.5 Method .................................................................................................................... 26 3.6 Sampling Design..................................................................................................... 32 3.7 Procedure ................................................................................................................ 35 3.8 Sample Demographic Details ................................................................................. 36 CHAPTER 4 - DATA ANALYSIS .................................................................................. 39 4.1 Reliability................................................................................................................ 39 4.2 Analysis of Distributions ........................................................................................ 40 4.3 Objective 1 .............................................................................................................. 41 4.4 Objective 2 .............................................................................................................. 43 4.5 Objective 3 .............................................................................................................. 47 4.6 Objective 4 .............................................................................................................. 49 4.7 Predicting Level of Misuse ..................................................................................... 60 CHAPTER 5 – RESULTS AND DISCUSSION.............................................................. 62 5.1 Objective 1 .............................................................................................................. 62 5.2 Objective 2 .............................................................................................................. 66 5.3 Objective 3 .............................................................................................................. 68 ii 5.4 Objective 4 .............................................................................................................. 69 5.5 Limitations .............................................................................................................. 72 CHAPTER 6 - CONCLUSIONS & RECOMMENDATIONS ........................................ 74 6.1 Conclusion .............................................................................................................. 74 6.2 Recommendations................................................................................................... 74 6.3 Future Research Directions..................................................................................... 77 REFERENCES ................................................................................................................. 78 BIBLIOGRAPHY............................................................................................................. 83 APPENDIX – A................................................................................................................ 84 APPENDIX – B ................................................................................................................ 85 iii INDEX OF TABLES Table 1: Operationalization............................................................................................... 28 Table 2: Organizational Structure Categories................................................................... 31 Table 3: Reliability Statistics for Misuse.......................................................................... 39 Table 4: Scale Statistics for Misuse .................................................................................. 39 Table 5: Reliability Statistics for Usage ........................................................................... 40 Table 6: Scale Statistics for Usage.................................................................................... 40 Table 7: Availability of AUP............................................................................................ 42 Table 8: Use Policy by Organization Size ........................................................................ 42 Table 9: Descriptive Statistics for Q5-9............................................................................ 44 Table 10: Descriptive Statistics for Q10-18...................................................................... 44 Table 11: Ranks Q10 -18 .................................................................................................. 46 Table 12: Mann-Whitney U Test for Q10- Q18 ................................................................. 1 Table 13: Descriptive Statistics of Awareness Questions................................................. 47 Table 14: Correlation Analysis - Awareness and Misuse................................................. 48 Table 15: ANOVA Education and Level of Misuse......................................................... 50 Table 16: ANOVA Gender and Level of Misuse ............................................................. 50 Table 17: ANOVA Access and Level of Misuse.............................................................. 51 Table 18: Correlation Job Security and Misuse................................................................ 53 Table 19: ANOVA Concurrent Jobs and Level of Misuse ............................................... 53 Table 20: ANOVA Hierarchy and Level of Misuse ......................................................... 54 Table 21: Correlation Span of control and Level of Misuse............................................. 54 Table 22: ANOVA Level of Span of Control and Level of Misuse ................................. 54 Table 23: Categorization of Organizations ....................................................................... 55 Table 24: ANOVA Organizational Category and Misuse ................................................ 55 Table 25: Tukey Test - Multiple Comparisons Organizational Category......................... 55 Table 26: Correlation Cultural traits and Level of Misuse ............................................... 57 Table 27: ANOVA Cultural Orientation (Internal/External) and Misuse ........................ 58 Table 28: ANOVA Cultural Orientation (Flexible/Control) and Level of Misuse........... 58 Table 29: Regression Model Summary............................................................................. 60 Table 30: ANOVA – For the Regression Model .............................................................. 60 Table 31: Regression Coefficients .................................................................................... 61 Table 32: Use Policy by Organization Size (%) ............................................................... 62 iv INDEX OF FIGURES Figure 1: Model of Ethical Decision Making Related to Computer Technology............. 20 Figure 2: Sample Demographics - Gender........................................................................ 36 Figure 3: Sample Demographics - Education ................................................................... 37 Figure 4: Sample by Existence of AUP ............................................................................ 37 Figure 5: Sample Demographics - Organizations............................................................. 38 Figure 6: Distribution - Misuse......................................................................................... 41 Figure 7: Distribution - Usage .......................................................................................... 41 Figure 8: Existence of AUP in Organizations................................................................... 42 Figure 9: Organization Size and Existence of AUP.......................................................... 43 Figure 10: Correlation Awareness and Misuse - Residual Plot ........................................ 48 Figure 11: Correlation Awareness and Misuse - Normal Residual Plot........................... 49 Figure 12: Correlation Matrix........................................................................................... 59 Figure 13: Organization Size and Existence of AUP (%)................................................. 63 1 ABSTRACT It is a known fact that some employees misuse the organizational computers to do their personal work such as sending emails, surfing the Internet, chatting, playing games. These activities not only waste productive time of employees but also bring a risk factor to the organization. This affects organizations in the software industry very much as almost all of their employees are connected to the Internet throughout the day. By introducing an Acceptable Use Policy (AUP) for an organization, it is believed that the computer misuse by its employees could be reduced. In many countries Acceptable Use Policies are used and they have been studied with various perspectives. In Sri Lankan context research on these areas are scarce. This research explored the situation in Sri Lanka with respect to AUPs and their effectiveness. A descriptive study was carried out to identify the large and medium scale software development organizations that had implemented computer usage guidelines for employees. A questionnaire was used to gather information regarding employee’s usual computer usage behavior. Stratified random sampling was employed to draw a representative sample from the population. Majority of the organizations have not employed a written guideline on acceptable use of work computers. The study results did not provide evidence to conclude that the presence or non presence of an AUP has a significant difference in computer use behaviors of employees. A significant negative correlation was observed between level of awareness about AUP and misuse. Access to the Internet and organizational settings were identified as significant factors that influence employee computer misuse behavior. 2 ACKNOWLEDGEMENT This dissertation could not have been written without Mr. Kithsiri Samarashinghe who not only served as my supervisor but also encouraged and challenged me throughout my academic program. He guided me through the dissertation process, never accepting less than my best efforts. I would like to thank him for his enormous support. I would like to extend my sincere gratitude to Mrs. Vishaka Nanayakkara, head of the department of Computer Science and Engineering and all the staff members of the Department of Computer Science and Engineering and the Department of Management of Technology contributed in various ways to make this study a success. Last but not the least I would like to mention my loving husband and my family, who were encouraging and supporting me, during the period of research study as well as during the postgraduate studies for nearly two years. 3 ACRONYMS ADSL - Asymmetric Digital Subscriber Line AUP - Acceptable Use Policy CDMA - Code Division Multiple Access FBI - Federal Bureau of Investigations ICT - Information and Communication Technology ICTA - Information and Communication Technology Agency IS - Information Systems IT - Information Technology SEA - Software Exporters Association SLASI - Sri Lanka Association for Software Industry SLICTA - Sri Lanka Information and Communication Technology Agency