Neural correlates of decision making related to information security: Self-control and moral potency

Robert West; Emily Budde; Qing Hu

doi:10.1371/journal.pone.0221808

Abstract

Security breaches of digital information represent a significant threat to the wellbeing of individuals, corporations, and governments in the digital era. Roughly 50% of breaches of information security result from the actions of individuals inside organizations (i.e., insider threat), and some evidence indicates that common deterrence programs may not lessen the insiders’ intention to violate information security. This had led researchers to investigate contextual and individual difference variables that influence the intention to violate information security policies. The current research builds upon previous studies and explores the relationship between individual differences in self-control and moral potency and the neural correlates of decision making in the context of information security. The behavioral data revealed that individuals were sensitive to the severity of a violation of information security, and that the measures of self-control and moral potency were reliable indicators of the underlying constructs. The ERP data provided a partial replication of previous research, revealing differences in neural activity for scenarios describing security violations relative to control stimuli over the occipital, medial and lateral frontal, and central regions of the scalp. Brain-behavior analyses showed that higher moral potency was associated with a decrease in neural activity, while higher self-control was associated with an increase in neural activity; and that moral potency and self-control tended to have independent influences on neural recruitment related to considering violations of information security. These findings lead to the suggestion that enhancing moral potency and self-control could represent independent pathways to guarding against insider threat.

Citation: West R, Budde E, Hu Q (2019) Neural correlates of decision making related to information security: Self-control and moral potency. PLoS ONE 14(9): e0221808. https://doi.org/10.1371/journal.pone.0221808

Editor: Valerio Capraro, Middlesex University, UNITED KINGDOM

Received: January 15, 2019; Accepted: August 9, 2019; Published: September 4, 2019

Copyright: © 2019 West et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: The materials and data are available in the Open Science Framework: https://osf.io/fqz37.

Funding: The authors received no specific funding for this work.

Competing interests: The authors have declared that no competing interests exist.

Introduction

Breaches of information security increasingly represent a substantial threat to the wellbeing of private citizens, corporations, and government entities in the digital global ecosystem. Cybersecurity Ventures [1] estimates that in 2015 the costs of cybercrime to the world economy was $3 trillion. Based upon this estimate, cybercrime would have represented the world’s fifth largest economy in 2016 [2]. In addition to the financial costs, breaches of information security may lower consumer confidence [3] and shape national politics and international relations [4]. Given the ubiquity of insider threats to information security (i.e., roughly 50% of security breaches have a substantial insider component [5]), many organizations have relied on deterrence programs as a primary component of security defense. However, evidence indicates that sanctions embodied in deterrence programs may not be a significant predictor of insiders’ intention to violate information security policies [6]. This finding has led researchers to explore contextual and individual difference variables that may be more effective in predicting the insiders’ intention to compromise information security. As an example, drawing on theories of criminology, scholars have found that lower self-control is associated with higher levels of the intention to violate information security policies [6], while higher moral belief is associated with lower levels of the intention to violate information security policies [7]. However, these findings are based on survey data that do not reveal the mechanisms underlying decision making that gives rise to these relationships. The current study extends upon prior research by using event-related brain potentials (ERPs) to examine the association between self-control and moral potency, and the behavioral and neural correlates of decision making in the context of information security.

Scholars within the information systems community have advocated for the utility of incorporating neuromonitoring measures (e.g., functional magnetic resonance imaging (fMRI) or ERPs) into studies examining the processes underpinning decision making within this field [8, 9, 10]. As a testament to the value of neuromonitoring measures, the inclusion of these methods in information systems research has yielded significant insight into the neurocognitive mechanisms that contribute to the ineffectiveness of security warnings related to malware [11], and the neural basis of methods that may serve to enhance the effectiveness of such warnings [12]. Also, Hu et al. [13] used ERPs to examine both the neural correlates of decision making related to information security, and to identify the locus of the influence of self-control on the neural correlates of decision making within this domain.

Information security paradigm for ERP research

Hu et al. [13] developed the information security paradigm (ISP) to examine the neural correlates of decision making related to information security using ERPs. In this task individuals are first given some background information about Josh, a hypothetical IT specialist who is under pressure at work and experiencing some financial strain. In the task, individuals are asked to answer a series of prompts as if they were Josh. For each trial, individuals first read a scenario that is one to two sentences in length and then advance to a one sentence prompt describing an action that Josh could take based upon the scenario. As implemented in the current study, the task includes three types of scenarios (i.e., control, minor or major violation of information security policy). Control scenarios do not include an ethical consideration, while minor and major violation scenarios include ethical dilemmas that vary in severity. In the task, response choice, response time, and ERPs are locked to the onset of the choice prompt.

With this paradigm, Hu et al. [13] studied ERPs that distinguished control scenarios from minor and major violation scenarios, and minor violation scenarios from major violation scenarios. Differences in the ERPs elicited by scenarios including an ethical consideration relative to control scenarios emerged around 200 ms after presentation of the decision prompt and were then observed for up to 1800 ms after presentation of the prompt. Over the posterior region of the scalp, the effects of a violation on the ERPs reflected both transient activity between 200–500 ms after presentation of the prompt, and more sustained ERP activity that extend over much of the 2000 ms epoch that was analyzed. Distributed source analysis localized the early transient ERP activity to the right occipital-temporal region and the right anterior frontal/frontal-polar regions of the cortex. Following the early transient posterior activity, there was longer lasting sustained ERP activity over the medial and lateral frontal regions of the scalp. This sustained activity was localized to the anterior frontal, lateral frontal, and anterior temporal cortex.

Hu et al. [13] demonstrated that individual differences in self-control were associated with an attenuation of early transient and later sustained ERP activity that distinguished major violation scenarios from control scenarios; and differential sustained ERP activity that distinguished minor violation scenarios from control scenarios over the lateral frontal region. One limitation of the Hu et al. study was the use of a composite variable of self-control that collapsed across the six subscales represented within the measure, making it impossible to determine whether various aspects of self-control are differentially related to ERP activity elicited during decision making. Therefore, in the current study, we examine the association between ERP activity related to information security decision making and each of the six dimensions of self-control.

Self-control and moral potency

The idea that variation in self-control represents a significant predictor of criminal behavior in general [14] and violations of information security [15] more specifically is well supported by the extant literature. Extensive work examining the predictors of criminal and antisocial behavior reveals the poor self-control may represents one of the strongest predictors of criminal behavior [14]. Additionally, experimental work conducted within the ego depletion framework reveals that the temporary depletion of self-control is associated with an increase in dishonest or unethical behavior [16]. The temporary disruption of self-control is associated with both an increase in the frequency of cheating and an increase in the likelihood that individuals will select an environmental context that affords a greater opportunity to act dishonestly [17]. In the broader context of the current study, there is also some indication that the effect of self-control depletion on cheating behavior may arise from a reduction moral awareness [16].

Within the information security domain, low self-control is related to higher levels of software [18] and digital piracy [19] in college students, hacking behavior in young adults [15], and higher intentions to commit violations of information security in corporate employees [6]. Some evidence indicates that there may be differences in the effects of subcomponents of self-control on unethical behavior related to information security. For instance, risk-taking is related to digital piracy [19] and hacking for either fun or revenge [15], while the ability to regulation emotion (i.e., tempe) is more strongly related to exploratory hacking than exploitative hacking [15]. The effect of self-control on the intention to violate information security is related to an individual's perception of both the extrinsic and intrinsic benefits that may be derived from the unethical act [6], indicating that variation in the function or sensitivity of the reward system in individuals with low self-control could contribute to violations of information security.

The importance of high moral character within the business world has been widely appreciated and represents a fundamental tenet of both moral potency theory [20] and moral foundations theory [21]. In the decision making literature there is clear evidence that priming moral beliefs related to fairness, correctness, and generousity has a strong effect on cooperation and prosocial behavior that may override the influence on concepts related to the equitable and efficient distribution of resources in a variety of tasks [22,23]. In considering the potential intersection of self-control and moral belief, there is evidence that both coorperation and ethical behavior require the deployment of controlled deliberative processes [24], and that the availability of controlled processes may interact with individual differences in moral identity to predict the frequency of unethical behavior [16].

In the context of information systems, moral belief in the appropriateness of an action is known to be a reliable predictor of violations of information security [25,26]. As an example, moral belief represents a moderate to strong unique predictor of both exploratory and exploitative hacking behavior and the strength of this effect is reasonably consistent regardless of the motivation for the unethical behavior [15]. For instance, the strength of the effect of moral belief on hacking for fun is similar to the strength of the effect of moral belief on hacking for profit [15]. Moral beliefs may also be related to the intention to commit violations of information security in corporate professionals, and this effect may be related to the perceived risks [6] and benefits [27] associated with the unethical act. In the current study, we sought to examine the association between the behavioral and neural correlates of decision making related to information security and general moral beliefs as measured in the Moral Potency Questionnaire [20,28] in order to consider the influence of individual differences in moral beliefs beyond the context of the unethical actions considered in previous research that were specifically related to information security [15,26].

Functional neuroanatomy of ethical decision making

There has been limited research examining the functional neuroanatomy of ethical decision making related to information security [13]; in contrast, significant progress has been made in characterizing the neural networks that underpin ethical or moral reasoning more generally [29]. In synthesizing this literature, Greene [29] notes that moral reasoning emerges from the interaction of a distributed neural network where none of the elements of the network are uniquely dedicated to moral reasoning. Studies incorporating fMRI and typical individuals reveal that moral reasoning is consistently associated with the recruitment of structures within the frontal cortex including the anterior cingulate cortex, middle frontal gyrus, medial frontal gyrus, and ventromedial prefrontal cortex [30,31,32]. These and other studies also reveal recruitment of posterior cortical structures including the angular gyrus [30], temporoparietal junction [33], posterior cingulate [30], and subcortical structures including the amygdala [34]. Complimenting the results of activation studies using fMRI, there is evidence that either the temporary disruption of [35], or damage to [36,37], these structures can alter moral reasoning.

The current study

The present study sought to address four hypotheses that were motivated by our previous work using ERPs to examine the neural correlates of decision making related to information security, and the broader literature related to the role of self-control and moral belief in violations of information security:

Hypothesis 1: ERP activity elicited during the decision prompt should reveal a transient modulation of the ERPs over the posterior region beginning around 200 ms after stimulus onset that reflects greater negativity for control trials than for minor or major violations. Following this early transient activity, the ERPs should reveal sustained differences in amplitude over the frontal-central region reflecting greater positivity for minor and major violations than for control trials between 500–2000 ms; and differences in slow wave activity between control trials and minor and major violations over the lateral frontal region between 500–2000 ms after onset of the prompt.

This hypothesis was motivated by two goals. First, we sought to replicate the findings of the Hu et al. [13] study by using a sample of undergraduate students and university staff that represent a broader distribution of interests than the male undergraduate business majors included in our previous research. Second, we also sought to determine whether the ISP developed in Hu et al. [13] would continue to capture the neural correlates of decision making related to information security when the strong deception manipulation used in that study was removed from the paradigm.

Hypothesis 2: Moral potency will be correlated with modulations of the ERPs that distinguish violation scenarios from control scenarios as described in Hypothesis 1. Based upon existing theories within moral philosophy and psychology, the correlation between moral potency and the ERP correlates of ethical decision making could be either positive or negative depending upon how moral potency contributes to decision making [38,39]. Specifically, under the “grace” hypothesis of moral reasoning one could expect to observe a negative correlation between moral potency and ERP amplitude (i.e., lower amplitude with greater moral potency). This pattern would be consistent with the idea that moral potency serves to protect individuals from making unethical decision by lessening the attractiveness of potential benefits or instilling within them an absolute sense of right and wrong. In contrast, under the “will” hypothesis of moral reasoning one could expect to observe a positive correlation between moral potency and ERP amplitude (i.e., higher amplitude with greater moral potency). This pattern would reflect the idea that moral potency serves to potentiate controlled deliberative processes that allow one to resist the temptation inherent in the benefit associated with making an unethical decision [29].

Hypothesis 3: The amplitude of the ERPs that distinguish violations from control trials should be reduced in individuals with lower self-control relative to those with higher self-control; and the association between self-control and the ERP correlates of decision making related to information security will vary across the six subscales of the self-control questionnaire.

This hypothesis is motivated by the finding that subcomponents of self-control may be differentially related to the frequency of hacking behavior, and that this effect may interact with one’s motivation for the unethical behavior (i.e., whether it is exploratory or exploitative [15]). Based upon this evidence, one might expect the ERPs to be more strongly related to emotion regulation (tempe) and risk-taking than to impulsivity, self-centeredness, a preference for simple task, or level of physical activity.

Hypothesis 4: The direction of the correlation between self-control and moral potency, as related to the ERP correlates of decision making will be in the opposite direction This hypothesis is guided by the findings of previous research demonstrating that self-control and moral beliefs may have opposite effects on either the intention to violate information security policies [6] or hacking behavior related to exploratory or exploitative motivation [15].

Materials and methods

Ethics statement

This study was approved by the Institutional Review Board of DePauw University as an expedited study. Written informed consent was obtained. IRB approval: “As a member of the IRB, I received your proposal on Information Security and Decision Making for review on 6/9/16. I concur that the project fits the criteria for Category I review. Thank you for submitting such a thorough and thoughtful proposal, which has granted me an opportunity to write the following sentence in an IRB response. The project is approved as submitted. You and Emily may begin to collect data at your convenience.”

Participants

Forty-eight individuals participated in the study and represented a mix of students and professional staff from a private liberal arts university in the midwest. The data for six individuals were not included in the analyses due to poor quality of the EEG data; the demographic and individual difference data for one additional individual were lost due to an internet error, so the ERP data for this individual were not included in the analyses. For the 41 participants included in the analyses, the average years of age was M = 19.59, SD = 2.61. The sample was 68% female, 75% White, 15% Asian, and 10% Hispanic or Latino(a).

Materials

Information security paradigm.

The information security paradigm was nearly identical to that used in Hu et al. [13] and the full set of materials is available online (https://osf.io/fqz37). Some minor changes were made to the priming information that described Josh and the text of the five practice and 45 test scenarios, these served to correct typographical errors that were present in the original materials or to add clarity to the prose. There were 15 instances of each type of scenario. The length of the scenarios ranged from 94–209 characters, and the length of prompts ranged from 19–68 characters. Examples of the three types of scenarios are presented in Table 1. The 15 control scenarios involved routine decisions in daily life that did not involve information security or an ethical component (scenarios M = 150, SD = 27 characters, prompts M = 40, SD = 8 characters). The 15 minor violation scenarios were related to various aspects of information security and could have moderate negative consequences were the action to be committed and the person caught by the organization (scenarios M = 151, SD = 16 characters, prompts M = 55, SD = 6 characters). The 15 major violation scenarios were also related to various aspects of information security and could have significant consequences were the action to be taken and the person caught by the organization (scenarios M = 170, SD = 22 characters, prompts M = 55, SD = 12 characters). During the task, the 45 scenarios were presented in a quasi-random order with the constraint that no more than three scenarios of the same type could appear consecutively.

Download:

Table 1. Examples of control, minor violation, and major violation scenarios and prompts.

https://doi.org/10.1371/journal.pone.0221808.t001

For the information security paradigm, the background information described Josh as a skilled IT professional with broad access to digital assests within his company; this information also indicated that the company had strict policies against unathorized use of assets, and that Josh was under time pressure for some projects in additional to financial strain. In responding to the scenarios, participants were asked to “imaging that you are Josh”. For each trial, a blank screen was presented for 500 milliseconds followed by the scenario that remained on the screen until the participant pressed the space bar to advance to the prompt (Fig 1). The scenario was followed by a fixation cross in the center of the screen that was presented for 500 milliseconds and followed by onset of the prompt. The prompt remained on the screen until a response was made and then the program advanced to the next trial. Participants were asked to response by pressing one of four keys on a USB keyboard (C-left middle finger, V-left index finger, B-right index finger, N-right middle finger) that were associated with four responses (No, Likely No, Likely Yes, Yes). A TTL trigger was delivered to the amplifier via a parallel port, that was aligned with the onset of the prompt.

Download:

Fig 1. Sequence of events within a trial for the information security paradigm.

The TTL pulse was aligned with onset of the Prompt, so that the response time and the ERP data are locked to onset of the prompt.

https://doi.org/10.1371/journal.pone.0221808.g001

Self-control scale.

The self-control scale was identical to that used by Hu et al. [13]. The scale included 24 items that represented six constructs measured with four items each (Impulsivity, Risk taking, Self centered, Simple task, Physical activity, Tempe). Participants used a 7-point scale (1-Strongly disagree, 4-Neutral, 7-Strongly agree) to respond to the 24 items.

Moral potency scale.

This scale was developed by Hannah and Avolio [20] and is designed to measure three aspects of the general construct moral potency (i.e., moral courage, moral ownership, moral efficacy). The scale includes 12 items and individuals responded using a 5-point scale (1-Strongly disagree, 2-Disagree, 3-Neither agree/Disagree, 4-Agree, 5-Strongly agree) with higher scores presenting greater moral potency.

Short handedness scale [40].

This scale included 10 items and was designed to measure an individual’s tendency to prefer the left or right hand when performing various simple tasks (e.g., writing, sweeping with a broom). Individuals responded by placing two plus signs in the column marked right or left if the activity was always performed with one or the other hand or distributed the plus signs between the left and right hand options is a specific hand was not preferred.

Procedure

After arriving at the laboratory for the testing session, individuals received a brief overview of the study that described the EEG recording procedure and the individual difference and experimental tasks to be completed during the study. If the individual agreed to participate, signed informed consent was obtained. Then the participants head was measured to determine the appropriate size of the actiCAP. Individuals then completed the demographic and individual difference measures while the researchers prepared the actiCAP for application. After the questionnaires were completed, individuals were fitted with the actiCAP and then completed the information security paradigm followed by the two doors gambling task for a parallel study. After completion of the two computer tasks, the actiCAP was removed and individuals were debriefed and compensated for their participation. Compensation was either $20 ($10 for participation and $10 winning for the gambling task) for staff members, or research credits and $10 (representing winnings from the gambling task) for students.

EEG recording and analysis

The EEG data were recorded with a 32 channel actiCAP and actiCHamp active Ag/AgCl electrode system using the Brain Vision Recorder software (Brain Vision, LLC). The EEG was sampled at 500 Hz, from DC-150 Hz with a 24 bit digitizer. Thirty electrodes were distributed across the scalp in the standard Brain Vision configuration (two inferior ocular electrodes replaced electrodes CP1-CP2), two electrodes were placed below the eyes to monitor blinks and vertical eye movements; and the ground electrode was placed at electrode Fpz. During recording the electrodes were referenced to electrode Cz, and electrode impedances were below 20 kΩ. The EEG was re-referenced to the average reference following the correction of ocular artifacts (i.e., blinks and saccades) using ICA. Triggers were delivered to the amplifier via a parallel port and were synchronized to the onset of the prompt.

Data processing was done using EEGLAB [41] and ERPLAB [42]. First a .1–30 Hz bandpass IIR filter (2^nd order, half amplitude -6 dB, half power -3 dB) was applied to the continuous EEG. Then an ICA was run to identify artifacts associated with blinks, and vertical and horizontal saccades. Visual inspection of the IC topography and time course (aligned to the raw EEG) was used to identify components reflecting ocular artifacts. Following the correction of ocular artifacts, up to two bad channels were corrected as needed using linear interpolation, the average reference was applied to the EEG data, and activity at electrode Cz was reinstated into the dataset. The ERPs were epoched from -200 to 2000 ms around the TTL pulse that was aligned to onset of the prompt, and remaining artifacts were rejected using a +/- 100 μV absolute voltage threshold. Artifact free trials were averaged for control trials (M = 14.49, SD = .90), minor violations (M = 14.51, SD = .81) and major violations (M = 14.61, SD = .80).

Task Partial Least Squares (PLS) Analysis [43] was used to examine mean differences in ERP amplitude between the three task conditions. This allowed us to consider the data for all conditions, time points, and electrodes within a single analysis. This method also allows us to refrain from making decisions, which may be somewhat arbitrary, regarding the electrodes and time points to include in the analysis. The TaskPLS Analyses included data from 0–2000 ms after stimulus onset at 30 electrodes (i.e., all but the two ocular channels). The analyses were conducted with the ERP module of the PLSGUI (http://www.rotman-baycrest.on.ca) run under Matlab R2013b. Five hundred permutations and bootstrap samples were used to evaluate the significance of the latent variables and the stability of the electrode saliences. Time ranges reported in the Results section represent temporal epoch where the bootstrap ratio exceeded 2.0 that approximates p = .05.

Behavioral Partial Least Squares (PLS) analysis was used to examine brain-behavior relationships between the ERP data and the individual difference measures related to moral potency and self-control. This technique allows one to examine the correlation between one or more behavioral measures and the full time-course and topography of the ERP data. This represents a particularly attractive tool given that the effects of decision making on the ERPs are distributed in both space and time. For the BehavioralPLS analyses, a difference wave was calculated that represented the average ERPs for minor and major violation scenarios minus the average ERP for control scenarios. The PLS analyses included the difference wave ERPs for 0–2000 ms after onset of the prompt at 30 electrodes. Bootstrap resampling (500 iterations) was used to estimate the 95% confidence around the brain-behavior correlations. The scatterplots for an initial set of PLS analyses revealed one participant that was a multivariate outlier reflected by an extreme scalp score, therefore, this individual was removed from the analyses reported in the results section. In order to visualize the timing and distribution of the brain-behavior correlations, grand-averaged differences waves (minor and major violations minus control scenarios) using a median split for the relevant behavioral or individual different variable are presented in the Results section.

Results

Choice and response time data

The response choice data revealed a significant main effect of scenario, F(2,80) = 185.80, p < .001, d = 4.15, reflecting a decrease in the likelihood of responding yes from the control scenarios (M = 2.90, SD = .32) to the minor violation scenarios (M = 1.74, SD = .41, t(40) = 14.52, p < .001, d = 2.27) and from the minor violation scenarios to the major violation scenarios (M = 1.66, SD = .43, t(40) = 2.41, p = .02, d = .38). These findings are consistent with previous research [12] and indicate that individuals are in general less likely to endorse the unethical behaviors than the neutral behaviors, and are also sensitive to the severity of the ethical violation.

The response time data, measured in seconds, revealed a significant main effect of scenario, F(2,80) = 9.58, p < .001, d = .98, reflecting similar response time for control scenarios (M = 2.43, SD = .99) and major violation scenarios (M = 2.44, SD = 1.34, t(40) = .05, p = .96, d = .01), and longer response times for minor violation scenarios (M = 2.78, SD = 1.10) than for either control scenarios, t(40) = 4.05, p < .001, d = .63, or major violation scenarios, t(40) = 3.66, p < .001, d = .57. These findings are also consistent with previous research [13], and may reflect longer deliberation for committing the minor violations weighted against the potential benefits to be gained.

The correlations for the response choice and response time data for the three types of scenarios are reported in Table 2. The correlation between response choice was large and significant for minor and major violations, while response choice for control scenarios was not significantly correlated with response choice for either type of violation. These findings reveal both convergent validity (i.e., robust correlation between response choice for the violations) and discriminant validity (i.e., low correlations between choices for ethical and control scenarios) for the response choice data in the information security paradigm. The correlations between response time for the three types of scenarios were all high and significant, indicating that response time may be a reliable construct in the information security task, and that similar processes likely contribute to decision latency across the three types of scenarios.

Download:

Table 2. Pearson correlations between choice and response time for control, minor violation, and major violation scenarios.

https://doi.org/10.1371/journal.pone.0221808.t002

Individual difference data

The reliability for the full 12-item Moral Potency Scale was acceptable for a research instrument, Cronbach’s α = .72, 95%CI[.58-.83]. The reliability of the three subscales was below α = .70 (Moral Courage, Cronbach’s α = .67, 95%CI[.46-.81], Moral Efficacy, Cronbach’s α = .62, 95%CI[.41-.78], Moral Ownership subscale, Cronbach’s α = .35, 95%CI[-.09-.63]). Given these results, we decided to treat moral potency as a single composite measure averaged across the 12 items in the brain-behavior analyses.

The reliabilities for the six subscales of the self-control scale were all acceptable for experimental measures (Table 3) and were greatest for the risk-taking and physical activity subscales. Given these findings, examining brain-behavior associations at the subscale level for self-control is justified.

Download:

Table 3. Cronbach’s α for the six subscales of the self control scale.

https://doi.org/10.1371/journal.pone.0221808.t003

ERP data

Fig 2 includes a subset of the electrodes portraying modulations of the ERPs that distinguish minor and major violation scenarios from control scenarios. These data reveal modulations of the ERPs between 200–2000 ms after onset of the prompt that differ for the control scenarios and the minor and major violation scenarios.

Download:

Fig 2. Grand-averaged ERPs for 41 subjects at 10 electrodes demonstrating the timing of differences in ERP amplitude between the control scenarios and the minor and major scenarios.

https://doi.org/10.1371/journal.pone.0221808.g002

The first latent variable from the TaskPLS analysis provides support for Hypothesis 1, and reveals a general effect of ethical decision making on the ERPs that was insensitive to the severity of the violations. The first latent variable contrasted the control scenarios (contrast weight = .80) with the minor (contrast weight = -.53) and major (contrast weight = -.28) violation scenarios and accounted for 72.65% of the crossblock covariance (p = .002). The electrode saliences for this latent variable revealed a transient modulation of the posterior N2 component between 190–320 ms after onset of the prompt (Fig 3, electrode Oz). This effect on the posterior N2 was coupled with transient modulations over the medial frontal region (electrode Fz) and over the right hemisphere extending from the frontal-polar region to the temporal-parietal region (electrode F8). The early transient modulations were followed by transient modulations over the medial frontal region between 460–540 ms, and over the right lateral frontal region between 840–1250 ms (electrode F8). Finally this contrast was associated with slow wave activity that extended from the frontal-central to the parietal region over the left hemisphere (electrode C3), and from the frontal-polar to the lateral frontal region over the right hemisphere (650–2000 ms). The pattern of electrode saliences for the first latent variable is consistent with previous results [13] in demonstrating that ethical decision making as related to information security is associated with sustained activity over the frontal and central regions of the scalp.

Download:

Fig 3. ERP saliences from the TaskPLS analysis at four electrodes and topography maps demonstrating the spatial distribution of the electrode saliences for the first latent variable that contrasted minor and major violation scenarios with control scenarios.

The times represent point where the bootstrap ratio exceeded 2.0. Topographic maps represent the mean voltage over the time window indicated and are to maximize the voltage gradient, ranging from +/-1.0–2.0 microvolts.

https://doi.org/10.1371/journal.pone.0221808.g003

The second latent variable contrasted minor violation scenarios (contrast weight = .62) with major violation scenarios (contrast weight = -.77) with a small contribution from control scenarios (contrast weight = .15). This latent variable accounted for 27.35% of the crossblock covariance, but not differ from chance (p = .77). Therefore, in contrast to the findings of Hu et al. [13], the current study does not reveal ERP activity that reliably distinguishes between minor and major violations (i.e., that is sensitive to the severity of the violation).

Brain-behavior relationships

Before examining the brain-behavior relationships tied to Hypotheses 2–4, we explored the relationship between the choice data for minor and major violation scenarios and the ERP data representing the difference in amplitude between the average of minor or major violation scenarios and the control scenarios in a BehavioralPLS analysis. This analysis revealed negative correlations between the ERP scalp scores and choice for minor violation scenarios (r = -.71, 95%CI [-.65,-.84]) and major violation scenarios (r = -.63, 95%CI[-.57,.83]). These correlations reflected greater ERP amplitude for those individuals with higher scores (i.e., more likely to choose Yes) relative to those individuals with lower scores over the occipital and medial frontals at the time of the N2/P2, and lateral frontal and central regions of the scalp from around 1000–2000 ms after onset of the prompt (Fig 4a). These findings demonstrate that there is a reasonably strong relationship between choice behavior in the information security paradigm and neural activity that distinguishes violation scenarios from control scenarios. Furthermore, these data indicate that the neural system supporting decision making in the information security paradigm is more strongly recruited in those individuals who are more likely to endorse an unethical action within the task.

Download:

Fig 4.

a) Grand-averaged difference waves (violation minus control) collapsed across minor and major violation scenarios reflecting a median split for choice on minor and major violations. b) Grand-averaged difference waves (violation minus control) reflecting a median split for moral potency.

https://doi.org/10.1371/journal.pone.0221808.g004

The second BehavioralPLS analysis addressed Hypothesis 2 by examining the relationship between moral potency and the violation minus control scenario difference wave. Supporting Hypothesis 2, this analysis revealed a positive correlation between moral potency and ERP amplitude (r = .77, 95%CI[.71,.87]). This correlation represented greater ERP amplitude over the medial frontal, lateral frontal, and frontal-central regions for individuals with lower moral potency relative to those individuals with higher moral potency (Fig 4b). In contrast, the amplitude of the posterior N2 was not sensitive to individual differences in moral potency (Fig 4b electrode O2). This finding may indicate that individuals who possess higher moral potency give less consideration to potential violations of information security, or that higher moral potency may temper the attractiveness of unethical decisions.

The third BehavioralPLS analysis addressed Hypothesis 3 by examining the relationship between the six subscales of self-control and the ERP data. This analysis provides support for Hypothesis 3, and revealed two patterns of brain-behavior correlations representing ERP activity that was broadly distributed across the scalp (Fig 5a and 5b). Consistent with the analysis of moral potency, these brain-behavior correlations were related to the ERPs over the occipital, and lateral frontal regions of the scalp. The first reflected negative correlations between ERP activity, and the self-centered and simple tasks subscales, and a positive correlation between ERP activity and the physical activity subscale (Table 4). This pattern reflected lower ERP amplitude for individuals with higher scores (i.e., those that possessed lower control) on the three subscales (i.e., were more self-centered, had a preference for simple tasks, and preferred physical over mental activity) than for those individuals that scored lower in the three subscales. The second represented negative correlations between ERP amplitude and impulsivity, risk-taking and tempe (Table 4). This pattern also reflected lower ERP amplitude for individuals that scored higher on these three scales (i.e., were more impulsive, more risk-seeking, and exhibited poorer emotion regulation). Together, the results of this analysis indicate that there may be two higher order components of self-control that are both related to the under recruitment of the neural system underpinning ethical decision making related to information security.

Download:

Table 4. Brain-behavior correlations with 95% confidence intervals for the six subscales of self-control and ERP activity.

https://doi.org/10.1371/journal.pone.0221808.t004

Download:

Fig 5.

a) Grand-averaged difference waves (violation minus control) reflecting a median split for average of self-centered, simple task, and physical activity. b) Grand-averaged difference waves (violation minus control) reflecting a median split for average of impulsivity, risk-taking, and tempe.

https://doi.org/10.1371/journal.pone.0221808.g005

A final set of BehavioralPLS analyses addressed Hypothesis 4, and examined the relationship between moral potency, the two components of self-control, and the ERP data. One analysis included moral potency, self-centered, simple tasks, and physical activity; and the other included moral potency, impulsivity, risk-taking, and tempe. In support of Hypothesis 4, the correlations between moral potency and self-control were either in the opposite direction (e.g., positive for moral potency and negative for self-control) or moral potency and self-control were related to different latent variables (Table 5). These findings may indicate that moral potency and various aspects of self-control have either opposing or indepdent effects on the recruitment of the neural system that underpins decision making related to information security.

Download:

Table 5. Brain-behavior correlations and 95% confidence intervals for moral potency, the two components of self-control, and ERP activity.

https://doi.org/10.1371/journal.pone.0221808.t005

Discussion

This study was designed to provide a replication and extension of previous research examining the neural correlates of decision making related to violations of information security policy. The study focused on four hypotheses that were either motivated by the previous research on self-control and information security decision making or the larger empirical literature related to self-control, moral belief, and decision making. Analyses of the behavioral and ERP data, and an examination of brain-behavior relationships, provide full or partial support for each of the four hypotheses. Given this, the current data may serve to build upon and extends our understanding of the influence of individual difference in self-control and moral belief on the neural architecture underpinning decision making in the context of information security.

Hypothesis 1 focused on replicating the results of previous research [13] in a sample with more diverse academic and professional interests, and when the strong deception manipulation was removed from the research paradigm. The results of the TaskPLS analysis provided partial support for Hypothesis 1. Consistent with the previous findings [13], the contrast of minor and major violation scenarios with control scenarios revealed reliable differences in ERP activity beginning around 200 ms after onset of the prompt and continuing until at least 2000 ms. The early modulations of the ERPs were localized over the occipital, and medial and lateral frontal regions, while the later modulations were localized over the anterior and lateral frontal region, and the central and temporal regions. Diverging from previous findings, the current data did not reveal reliable differences in ERP amplitude between minor and major violations of information security. These findings demonstrate that deception is not required to reliably engage the neural network underpinning decision making in the information security paradigm; and are important as they reveals that individuals will engage in the task when performance is untethered from expectations grounded in the reward structure of the paradigm.

The effect of scenario type on the posterior N2 and frontal P2 represented a decrease in the amplitude of the components for information security violation scenarios relative to control scenarios. Given the visual and semantic complexity of the prompts, and the fact that response time was relatively slow across the three types of scenarios (i.e., 2000 ms), it seems unlikely that the effects observed for these components arise from the properties of the prompts. This then leads one to wonder what psychological processing might give rise to these effects. The posterior N2 and frontal P2 are both known to be sensitive to the allocation of attention to stimuli in the visual environment [44]. The amplitude of these components is typically greater when attention is directed to a goal-relevant stimulus attribute and when more attentional resources are available for stimulus processing [44]. For instance, the amplitude of the posterior N2 and frontal P2 is attenuated for visual stimuli when individuals are also trying to maintain two or more items in working memory [45]. In the context of this literature, the attenuation of the posterior N2 and frontal P2 for information security violations may reflect the inward allocation of attentional resources directed toward weighing the potential benefits and risks of the unethical acts represented in the scenarios that results in the attenuation of visual processes devoted to encoding of the decision prompt.

The medial and lateral frontal, and right central modulations of the ERPs that distinguished minor and major violation scenarios from control scenarios are also consistent with previous findings [13]. These data also converge with the broader moral reasoning literature revealing the contribution of structures within the medial and lateral frontal cortex, and the temporal and parietal lobes to ethical decision making [29]. The neuro-cognitive processes represented by the sustained modulations of the ERPs remain unclear based upon the available evidence. One possibility is that the information security paradigm elicits activity in elements of the mentalizing or prospection network [46] related to weighing the potential costs and benefits embodied in the scenarios in a way that differs from the recruitment of this network when considering the control scenarios. A second possibility is that the medial and lateral frontal activity reflects processing that serves to resolve conflict that arises between the potential gains and penalties represented in the scenarios [47]. The medial and lateral frontal ERP activity might reflect the recruitment of structures involved in the evaluation of the utility associated with the potential gain or loss related to accepting the unethical actions represented in the minor and major violation scenarios [47]. Importantly, these are not mutually exclusive accounts and future research could serve to untangle the contributions of these different processes to the ERPs related to decision making in the information security paradigm.

Hypothesis 2 examined the relationship between moral potency and ERP activity that distinguished violations of information security from control scenarios. An examination of the psychometric properties of the moral potency scale revealed that the full scale provided a reliable construct, while the three subscales did not. The BehavioralPLS analysis related to this hypothesis revealed a strong correlation between moral potency and ERP amplitude. This correlation represented greater ERP activity for individuals low in moral potency relative to those high in moral potency over the medial, lateral, and anterior frontal regions of the scalp, but not over the occipital region at the time of the N2. This finding provides support for the grace hypothesis, rather than the will hypothesis [30,38], and may indicate that higher moral potency serves to insulate individuals from the temptation presented by the potential for ill-gotten gains represented by the violations of information security. The correlation between moral potency and the ERPs related to ethical decision making in the context of information security extends upon the extant literature in this domain that has focused on moral beliefs specifically related to information security [15,26], demonstrating a more general effect of the strength of individual moral beliefs on neural recruitment when contemplating an unethical behavior.

Hypothesis 3 examined the relationship between the ERPs related to information security decision making and the six subscales of the self-control scale. The BehavioralPLS analysis revealed two latent variables that distinguished the six subscales. One representing self-concern, a preference for simple tasks, and a preference for physical activity; and one representing impulsivity, risk-taking, and tempe. Higher scores on the subscales were associated with reduced ERP amplitude, which may indicate that individuals with lower self-control are less likely to consider or deliberate over the costs and benefits represented in the ethical violations scenarios, and thus being more likely to base their decisions upon more automatic non-deliberative processes [29,39]. This finding nicely converges with the broader decision making literature demonstrating that cooperation and moral behavior often require the engagement of controlled deliberative processes [48,49].

In Hypothesis 4 we proposed that the direction of the correlation between ERP activity and moral potency and self-control would be in the opposite direction. The analyses provided partial support for this hypotheses, and revealed two patterns of association. For one of the four latent variables, the correlation was positive for moral potency and negative for two of the three subscales of self-control. This pattern is consistent with the idea that moral potency and self-control may have opposing effects on the neural correlates of decision making [6, 15]. For the other three latent variables, the association between the ERP activity and the individual difference measures was reliable for either moral potency or self-control. Thus, taken together it would seem that across the four latent variables the most consistent description of the pattern of correlations is that moral potency and self-control have independent, rather than opposing, effects on neural activity related to decision making related to information security. However, this finding diverges from some findings in criminology literature wherein moral belief moderates the influence of self-control in decision making that involves unethical behavior such as crime [48,49], revealing that the effect of self-control is only significant in the individuals with lower morality. Multiple factors could have contributed to this discrepancy, such as differences in measurement scales for moral potency and self-control and the dependent variable. But it nonetheless remains an interesting research subject for future study.

One of the motivations for exploring the neural correlates of information security decision making is to identify the processes that may contribute to policy violations arising from insider threat [13]. Such knowledge may provide insight into the factors that contribute to violations of information security policy and the limited success of deterrence programs [6]. Deterrence programs are often built upon a set of rules or regulations that are designed to insure the protection of an organization’s digital assets. Our data may indicate that the failure of individuals with low self-control to engage deliberative processes that facilitate the application of rules or regulations during decision making could contribute to violations of information security policy. The current data and those of other investigators, also lead to the idea that high moral belief or identity may serve to insulate individuals from the effect of low self-control related to either individual differences or temporary depletion [16,17], and that priming moral thinking can have a significant effect on the outcome of decision making [22,23]. Together this literature may serve to support the refinement of deterrence programs thereby reducing instances of insider threat.

Limitations

There are some limitations to the current study that are worthy of consideration. First, one could question the ecological validity of the paradigm given the large number of security violations that individuals are faced with in the task. The information security paradigm was modeled after a method used in behavioral studies of information security wherein individuals are only posed with a small number of examples (e.g., three). In our previous work [13] and in the current dataset, we observed that individual differences in self-control, that are known to be predictors of violations of information security in natural settings [15,48], were consistently related to variation in neural recruitment providing some indication that our implementation of the information security paradigm may capture decision making processes that are relavant to decision making in more naturalistic situations. Second, the current sample is primarily female, and there is evidence from the NeuroIS literature that neural recuitment related to decision making in the context of trust may differ in males and females [50]. Our previous research examining the neural correlates of information security included only males, so a logical next step for this program of research would be to conduct a study with a gender balenced sample that would permit the direct comparison of gender differences in neural recruitment in the task. Third, we did not assess participants experience with violations of information security or knowledge of information security policies and practices. This would clearly be an interesting question to consider in future research as it could provide insight into both the ecological validity of the information security paradigm, and the impact or effectiveness of training in information security on decision making. Fourth, the ERPs related to decision making were measured over a relatively long epoch (i.e., 2 seconds) and the task includes only three conditions. This makes it difficult to clearly map cognitive processes to the ERPs that distinguished control scenarios from ethical violation scenarios. The prompts for each type of scenario require encoding a visual stimulus that represents a sentence, making a decision related to an action to be taken, and selecting a response. So these fundamental cognitive processes would not seem to capture the differences observed across the three task conditions. Therefore, one goal of future research could be to further elucidate the cognitive processes that are reflected in both the transient and sustained ERP activity that distinguishes the various trials in the information security paradigm. Finally, differences in response choice could influence the ERPs as responses for the minor and major violations would primarily reflect use of the left hand given the means were below two, while responses for the control trials would reflect a greater number of right hand responses given that the mean was around three. The left central slow wave that distinguishes security violation scenarios from control scenarios does not reveal a reversal over the right central region as would be expected if this ERP activity reflected the preparation or execution of a motor response that differed between the control and violation scenarios. However, research that controls for differences in responses between control and violation trials, and yet continues to reveal ERP activity that distinguishes between these two types of trials, represents an important future step in this line of research.

Conclusions

The findings of the current study provide full or partial support for the four hypotheses, and demonstrate that the information security paradigm is associated with the recruitment of a neural network that is not dependent upon the use of deception to motivate participants task performance. Higher moral potency may serve to decrease the attractiveness of information security violations. While low self-control may result in a decrease in the degree to which individuals engage deliberative processes when faced with choices to violate or not to violate information security policies. Perhaps the most interesting finding is that moral potency and self-control appear to have somewhat independent influences on neural activity in the information security paradigm, supporting the idea that both deliberative and non-deliberative processing are involved in decision making related to information security [38,39].

References

1. 2019 Official Annual Cybercrime Report. Cybersecurity Ventures. https://cybersecurityventures.com/cybersecurity-market-report/
2. The World Bank. databank.worldbank.org
3. Yayla A, Hu Q. The impact of information security events on the stock value of firms: The effect of contingency factors. J. Inf. Technol. 2011;26: 60–77.
- View Article
- Google Scholar
4. Groll E. Russian interference went far beyond DNC hack, senate panel hears. 2017, March 30 Foreignpolicy.com.
5. Bailey T, Kolo B, Rajagopalan K, Ware D. Insider threat: The human element of cyberrisk. McKinsey & Co. September 2018. https://www.mckinsey.com/business-functions/risk/our-insights/insider-threat-the-human-element-of-cyberrisk.
6. Hu Q, Xu Z, Dinev T, Ling H. Does deterrence work in reducing information security policy abuse by employees? Commun. ACM. 2011;54: 55–60.
- View Article
- Google Scholar
7. Siponen M, Vance A, Willison R. New insights into the problem of software piracy: The effects of neutralization, shame, and moral beliefs. Inf. Manag. 2012;49(7–8): 334–341.
- View Article
- Google Scholar
8. Crossler R, Johnston A, Lowry P, Hu Q, Warkentin M, Baskerville R. Future directions for behavioral information security research. Comput. Secur. 2013;32: 90–101.
- View Article
- Google Scholar
9. Dimoka A, Pavlou P, Davis F. NeuroIS: The potential of cognitive neuroscience for information systems research. Inf. Syst. Res. 2011;2: 687–702.
- View Article
- Google Scholar
10. Yu P, Wan Y, Chen G, Hu Q, Huang L, Wang K, Wang Q, Wang W, Rao H. Current Situation and Prospects of Neuro Information Systems. J. Manag. Sci (in Chinese). 2018; 21(5):1–21.
- View Article
- Google Scholar
11. Anderson B, Vance A, Kirwan C, Jenkins J, Eargle D. From warning to wallpaper: Why the brain habituates to security warnings and what can be done about it. J. Manag. Inf. Syst. 2016;33(3): 713–743.
- View Article
- Google Scholar
12. Vance A, Jenkins J, Anderson B, Bjornn D, Kirwan C. Tuning out security warnings: A longitudinal examination of habituation through fMRI, eye tracking, and field experiments. Manag. Inf. Syst. Q. 2018;42(2):355–380.
- View Article
- Google Scholar
13. Hu Q, West R, Smarandescu L. The role of self-control in information security violations: Insights from a cognitive neuroscience perspective. J. Manag. Inf. Syst. 2015;31: 6–48.
- View Article
- Google Scholar
14. Gottfredson M, Hirschi T. A general theory of crime. Stanford University Press. 1990.
15. Hu Q, Zhang C, Xu Z. Moral beliefs, self-control, and sports: Effective antidotes to the youth computer hacking epidemic. (2012, January). Paper presented at 45th Hawaii International Conference on Systems Science.
16. Gino F, Schweitzer M, Mead N, Ariely D. Unable to resist temptation: How self-control deplection promotes unethical behavior. Organ. Behav. Hum. Decis. Process. 2011;115: 191–203.
- View Article
- Google Scholar
17. Mead N, Baumeister R, Gino F, Schweitzer M, Ariely D. To tired to tell the truth: Self-control resource depletion and dishonesty. J. Exp. Soc. Psychol. 2009;45: 594–597. pmid:20047023
- View Article
- PubMed/NCBI
- Google Scholar
18. Higgins G, Wilson A, Fell B. An application of deterrence theory to software piracy. J. Crim. Just. Pop. Cult. 2005;12(3): 166–184.
- View Article
- Google Scholar
19. Zhang L, Smith W, McDowell W. Examining digital piracy: Self-control, punishment, and self-efficacy. Inf. Resourc. Manag. J. 2009;22: 24–44.
- View Article
- Google Scholar
20. Hannah S, Avolio B. Moral potency: Building the capacity for character-based leadership. Consult. Psychol. J.: Pract. Res. 2010;62(4): 291–310.
- View Article
- Google Scholar
21. Graham J, Haidt J, Koleva S, Motyl M, Iyer R, Wojcik S, Ditto P. Moral foundations theory: The pragmatic validity of moral pluralism. Adv. Exp. Soc. Psychol. 2013;47:55–130.
- View Article
- Google Scholar
22. Tappin B, Capraro V. Doing good vs. avoiding bad in prosocial choice: A refined test and extension of the morality preference hypothesis. J. Exp. Soc. Psychol. 2018;79: 64–70.
- View Article
- Google Scholar
23. Capraro V, Rand D. Do the right thing: Experimental evidence that preferences for moral behavior, rather than equity or efficiency per se, drive human prosociality. Judgm. Decis. Mak. 2018;13: 99–111.
- View Article
- Google Scholar
24. Capraro V, Cococcioni G. Rethinking spontenous giving: Extreme time pressure and ego-depletion favor self-regarding reactions. Sci. Rep. 2016;6:27219. pmid:27251762
- View Article
- PubMed/NCBI
- Google Scholar
25. Myyry L, Siponen M, Pahnila S, Vartiainen T, Vance A. What levels of moral reasoning and values explain adherence to information security rules? An empirical study. Eur. J. Inf. Syst. 2009;18(2): 126–139.
- View Article
- Google Scholar
26. Siponen M, Vance A, Willison R. New insights into the problem of software piracy: The effects of neutralization, shame, and moral beliefs. Inf. Manage. 2012;49(7–8): 334–341.
- View Article
- Google Scholar
27. Vance A, Siponen M. IS security policy violations: A rational choice perspective. J. Organ. End User Comput. 2012;24(1): 21–41.
- View Article
- Google Scholar
28. Hannah S, Avolio B, May D. Moral maturation and moral conation: A capacity approach to explaining moral thought and action. Acad. Manage Rev. 2011;36(4): 663–685.
- View Article
- Google Scholar
29. Greene J. The cognitive neuroscience of moral judgment and decision making. The Cognitive Neurosciences 5^th Edition. Cambridge, MA: The MIT Press. 2014: 1013–1024.
30. Greene J, Sommerville R, Nystrom L, Darley J, Cohen J. An fMRI investigation of emotional engagement in moral judgment. Science. 2001;293: 2105–2108. pmid:11557895
- View Article
- PubMed/NCBI
- Google Scholar
31. Green J, Nystrom L, Engell A, Darley J, Cohen J. The neural bases of cognitive conflict and control in moral judgment. Neuron. 2004;44(2): 389–400. pmid:15473975
- View Article
- PubMed/NCBI
- Google Scholar
32. Decety J, Porges E. Imagining being the agent of actions that carry different moral consequences: An fMRI study. Neuropsychologia. 2011;49(11): 2994–3001. pmid:21762712
- View Article
- PubMed/NCBI
- Google Scholar
33. Young L, Cushman F, Hauser M, Saxe R. The neural basis of the interaction between theory of mind and moral judgment. Proc. Natl. Acad. Sci. USA. 2007;104(20): 8235–8240. pmid:17485679
- View Article
- PubMed/NCBI
- Google Scholar
34. Blair R. The amygdala and ventromedial prefrontal cortex in morality and psychopathy. Trends in Cogn. Sci. 2007;11(9): 387–392. pmid:17707682
- View Article
- PubMed/NCBI
- Google Scholar
35. Crockett M, Clark L, Hauser M. Robbins T. Serotonin selectivity influences moral judgment and behavior through effects of harm aversion. Proc. Natl. Acad. Sci. USA. 2010;107(40): 17433–17438. pmid:20876101
- View Article
- PubMed/NCBI
- Google Scholar
36. Young L, Bechara A, Tranel D, Damasio H, Hauser M, Damasio A. Damage to ventromedial prefrontal cortex impairs judgment of harmful intent. Neuron. 2010;65(6): 845–851. pmid:20346759
- View Article
- PubMed/NCBI
- Google Scholar
37. Ciaramelli E, Muccioli M, Ladavas E, de Pellegrino G. Selective deficit in personal moral judgment following damage to the ventromedial prefrontal cortex. Soc. Cogn. Affect Neurosci. 2007;2: 84–92. pmid:18985127
- View Article
- PubMed/NCBI
- Google Scholar
38. De Oliveira-Souza R, Zahn R, Moll J. Neural correlates of human morality: An overview. The Moral Brain: A Multidisciplinary Perspective. The MIT Press. Cambridge, MA 183–195.
39. Shenhav A, Greene J. Integrative moral judgment: Dissociating the roles of the amygdala and ventromedial prefrontal cortex. J. Neurosci. 2014;34(13): 4741–4749. pmid:24672018
- View Article
- PubMed/NCBI
- Google Scholar
40. Oldfield R. The assessment and analysis of handedness: The Edinburgh inventory. Neuropsychologia. 1971;9: 97–113. pmid:5146491
- View Article
- PubMed/NCBI
- Google Scholar
41. Delorme A, Makeig S. EEGLAB: An open source toolbox for analysis of single-trial EEG dynamics including independent component analysis. J Neurosci Methods. 2004;134(1): 9–21. pmid:15102499
- View Article
- PubMed/NCBI
- Google Scholar
42. Lopez-Calderon J, Luck S. ERPLAB: An open-source toolbox for the analysis of event-related potentials. Front. Hum. Neurosci. 2014;8: Article 213. pmid:24782741
- View Article
- PubMed/NCBI
- Google Scholar
43. Lobaugh N, West R, McIntosh A. Spatiotemporal analysis of experimental differences in event-related potential data with partial least squares. Psychophysiology 2001;38(3): 517–530. pmid:11352141
- View Article
- PubMed/NCBI
- Google Scholar
44. Luck S, Hillyard S. Electrophysiology of visual attention in humans. The Cognitive Neurosciences 5^th Edition. Cambridge, MA: The MIT Press. 2014: 187–196.
45. Bailey K, Mlynarczyk G, West R. Slow wave activity related to working memory maintenance in the N-back task. J Psychophysiol. 2016:1–14.
- View Article
- Google Scholar
46. Buckner R, Andrews-Hanna J, Schacter D. The brain’s default network: Anatomy, function, and relevance to disease. Ann. NY Acad. Sci. 2008;1124(1):1–38. pmid:18400922
- View Article
- PubMed/NCBI
- Google Scholar
47. Knutson B, Peterson R. Neurally reconstructing expected utility. Game Econ. Behav. 2005;52(2): 305–315.
- View Article
- Google Scholar
48. Wikstrom P-O, Svensson R. When does self-control matter? The interaction between morality and self-control in crime causation. Eur. J. Criminol. 2010;7(5): 395–410.
- View Article
- Google Scholar
49. Hirtenlehner H, Kunz F. The interaction between self-control and morality in crime causation among older adults. Eur. J. Criminol. 2016;13(3): 393–409.
- View Article
- Google Scholar
50. Riedl R, Hubert M, Kenning P. Are there neural gender differences in online trust: An fMRI study on the perceived trustworthiness of eBay offers. Manag. Inf. Syst. Q. 2010;34: 397–428.
- View Article
- Google Scholar

[ref1] 1. 2019 Official Annual Cybercrime Report. Cybersecurity Ventures. https://cybersecurityventures.com/cybersecurity-market-report/

[ref2] 2. The World Bank. databank.worldbank.org

[ref3] 3. Yayla A, Hu Q. The impact of information security events on the stock value of firms: The effect of contingency factors. J. Inf. Technol. 2011;26: 60–77.
View Article
Google Scholar

[4] View Article

[5] Google Scholar

[ref4] 4. Groll E. Russian interference went far beyond DNC hack, senate panel hears. 2017, March 30 Foreignpolicy.com.

[ref5] 5. Bailey T, Kolo B, Rajagopalan K, Ware D. Insider threat: The human element of cyberrisk. McKinsey & Co. September 2018. https://www.mckinsey.com/business-functions/risk/our-insights/insider-threat-the-human-element-of-cyberrisk.

[ref6] 6. Hu Q, Xu Z, Dinev T, Ling H. Does deterrence work in reducing information security policy abuse by employees? Commun. ACM. 2011;54: 55–60.
View Article
Google Scholar

[9] View Article

[10] Google Scholar

[ref7] 7. Siponen M, Vance A, Willison R. New insights into the problem of software piracy: The effects of neutralization, shame, and moral beliefs. Inf. Manag. 2012;49(7–8): 334–341.
View Article
Google Scholar

[12] View Article

[13] Google Scholar

[ref8] 8. Crossler R, Johnston A, Lowry P, Hu Q, Warkentin M, Baskerville R. Future directions for behavioral information security research. Comput. Secur. 2013;32: 90–101.
View Article
Google Scholar

[15] View Article

[16] Google Scholar

[ref9] 9. Dimoka A, Pavlou P, Davis F. NeuroIS: The potential of cognitive neuroscience for information systems research. Inf. Syst. Res. 2011;2: 687–702.
View Article
Google Scholar

[18] View Article

[19] Google Scholar

[ref10] 10. Yu P, Wan Y, Chen G, Hu Q, Huang L, Wang K, Wang Q, Wang W, Rao H. Current Situation and Prospects of Neuro Information Systems. J. Manag. Sci (in Chinese). 2018; 21(5):1–21.
View Article
Google Scholar

[21] View Article

[22] Google Scholar

[ref11] 11. Anderson B, Vance A, Kirwan C, Jenkins J, Eargle D. From warning to wallpaper: Why the brain habituates to security warnings and what can be done about it. J. Manag. Inf. Syst. 2016;33(3): 713–743.
View Article
Google Scholar

[24] View Article

[25] Google Scholar

[ref12] 12. Vance A, Jenkins J, Anderson B, Bjornn D, Kirwan C. Tuning out security warnings: A longitudinal examination of habituation through fMRI, eye tracking, and field experiments. Manag. Inf. Syst. Q. 2018;42(2):355–380.
View Article
Google Scholar

[27] View Article

[28] Google Scholar

[ref13] 13. Hu Q, West R, Smarandescu L. The role of self-control in information security violations: Insights from a cognitive neuroscience perspective. J. Manag. Inf. Syst. 2015;31: 6–48.
View Article
Google Scholar

[30] View Article

[31] Google Scholar

[ref14] 14. Gottfredson M, Hirschi T. A general theory of crime. Stanford University Press. 1990.

[ref15] 15. Hu Q, Zhang C, Xu Z. Moral beliefs, self-control, and sports: Effective antidotes to the youth computer hacking epidemic. (2012, January). Paper presented at 45th Hawaii International Conference on Systems Science.

[ref16] 16. Gino F, Schweitzer M, Mead N, Ariely D. Unable to resist temptation: How self-control deplection promotes unethical behavior. Organ. Behav. Hum. Decis. Process. 2011;115: 191–203.
View Article
Google Scholar

[35] View Article

[36] Google Scholar

[ref17] 17. Mead N, Baumeister R, Gino F, Schweitzer M, Ariely D. To tired to tell the truth: Self-control resource depletion and dishonesty. J. Exp. Soc. Psychol. 2009;45: 594–597. pmid:20047023
View Article
PubMed/NCBI
Google Scholar

[38] View Article

[39] PubMed/NCBI

[40] Google Scholar

[ref18] 18. Higgins G, Wilson A, Fell B. An application of deterrence theory to software piracy. J. Crim. Just. Pop. Cult. 2005;12(3): 166–184.
View Article
Google Scholar

[42] View Article

[43] Google Scholar

[ref19] 19. Zhang L, Smith W, McDowell W. Examining digital piracy: Self-control, punishment, and self-efficacy. Inf. Resourc. Manag. J. 2009;22: 24–44.
View Article
Google Scholar

[45] View Article

[46] Google Scholar

[ref20] 20. Hannah S, Avolio B. Moral potency: Building the capacity for character-based leadership. Consult. Psychol. J.: Pract. Res. 2010;62(4): 291–310.
View Article
Google Scholar

[48] View Article

[49] Google Scholar

[ref21] 21. Graham J, Haidt J, Koleva S, Motyl M, Iyer R, Wojcik S, Ditto P. Moral foundations theory: The pragmatic validity of moral pluralism. Adv. Exp. Soc. Psychol. 2013;47:55–130.
View Article
Google Scholar

[51] View Article

[52] Google Scholar

[ref22] 22. Tappin B, Capraro V. Doing good vs. avoiding bad in prosocial choice: A refined test and extension of the morality preference hypothesis. J. Exp. Soc. Psychol. 2018;79: 64–70.
View Article
Google Scholar

[54] View Article

[55] Google Scholar

[ref23] 23. Capraro V, Rand D. Do the right thing: Experimental evidence that preferences for moral behavior, rather than equity or efficiency per se, drive human prosociality. Judgm. Decis. Mak. 2018;13: 99–111.
View Article
Google Scholar

[57] View Article

[58] Google Scholar

[ref24] 24. Capraro V, Cococcioni G. Rethinking spontenous giving: Extreme time pressure and ego-depletion favor self-regarding reactions. Sci. Rep. 2016;6:27219. pmid:27251762
View Article
PubMed/NCBI
Google Scholar

[60] View Article

[61] PubMed/NCBI

[62] Google Scholar

[ref25] 25. Myyry L, Siponen M, Pahnila S, Vartiainen T, Vance A. What levels of moral reasoning and values explain adherence to information security rules? An empirical study. Eur. J. Inf. Syst. 2009;18(2): 126–139.
View Article
Google Scholar

[64] View Article

[65] Google Scholar

[ref26] 26. Siponen M, Vance A, Willison R. New insights into the problem of software piracy: The effects of neutralization, shame, and moral beliefs. Inf. Manage. 2012;49(7–8): 334–341.
View Article
Google Scholar

[67] View Article

[68] Google Scholar

[ref27] 27. Vance A, Siponen M. IS security policy violations: A rational choice perspective. J. Organ. End User Comput. 2012;24(1): 21–41.
View Article
Google Scholar

[70] View Article

[71] Google Scholar

[ref28] 28. Hannah S, Avolio B, May D. Moral maturation and moral conation: A capacity approach to explaining moral thought and action. Acad. Manage Rev. 2011;36(4): 663–685.
View Article
Google Scholar

[73] View Article

[74] Google Scholar

[ref29] 29. Greene J. The cognitive neuroscience of moral judgment and decision making. The Cognitive Neurosciences 5^th Edition. Cambridge, MA: The MIT Press. 2014: 1013–1024.

[ref30] 30. Greene J, Sommerville R, Nystrom L, Darley J, Cohen J. An fMRI investigation of emotional engagement in moral judgment. Science. 2001;293: 2105–2108. pmid:11557895
View Article
PubMed/NCBI
Google Scholar

[77] View Article

[78] PubMed/NCBI

[79] Google Scholar

[ref31] 31. Green J, Nystrom L, Engell A, Darley J, Cohen J. The neural bases of cognitive conflict and control in moral judgment. Neuron. 2004;44(2): 389–400. pmid:15473975
View Article
PubMed/NCBI
Google Scholar

[81] View Article

[82] PubMed/NCBI

[83] Google Scholar

[ref32] 32. Decety J, Porges E. Imagining being the agent of actions that carry different moral consequences: An fMRI study. Neuropsychologia. 2011;49(11): 2994–3001. pmid:21762712
View Article
PubMed/NCBI
Google Scholar

[85] View Article

[86] PubMed/NCBI

[87] Google Scholar

[ref33] 33. Young L, Cushman F, Hauser M, Saxe R. The neural basis of the interaction between theory of mind and moral judgment. Proc. Natl. Acad. Sci. USA. 2007;104(20): 8235–8240. pmid:17485679
View Article
PubMed/NCBI
Google Scholar

[89] View Article

[90] PubMed/NCBI

[91] Google Scholar

[ref34] 34. Blair R. The amygdala and ventromedial prefrontal cortex in morality and psychopathy. Trends in Cogn. Sci. 2007;11(9): 387–392. pmid:17707682
View Article
PubMed/NCBI
Google Scholar

[93] View Article

[94] PubMed/NCBI

[95] Google Scholar

[ref35] 35. Crockett M, Clark L, Hauser M. Robbins T. Serotonin selectivity influences moral judgment and behavior through effects of harm aversion. Proc. Natl. Acad. Sci. USA. 2010;107(40): 17433–17438. pmid:20876101
View Article
PubMed/NCBI
Google Scholar

[97] View Article

[98] PubMed/NCBI

[99] Google Scholar

[ref36] 36. Young L, Bechara A, Tranel D, Damasio H, Hauser M, Damasio A. Damage to ventromedial prefrontal cortex impairs judgment of harmful intent. Neuron. 2010;65(6): 845–851. pmid:20346759
View Article
PubMed/NCBI
Google Scholar

[101] View Article

[102] PubMed/NCBI

[103] Google Scholar

[ref37] 37. Ciaramelli E, Muccioli M, Ladavas E, de Pellegrino G. Selective deficit in personal moral judgment following damage to the ventromedial prefrontal cortex. Soc. Cogn. Affect Neurosci. 2007;2: 84–92. pmid:18985127
View Article
PubMed/NCBI
Google Scholar

[105] View Article

[106] PubMed/NCBI

[107] Google Scholar

[ref38] 38. De Oliveira-Souza R, Zahn R, Moll J. Neural correlates of human morality: An overview. The Moral Brain: A Multidisciplinary Perspective. The MIT Press. Cambridge, MA 183–195.

[ref39] 39. Shenhav A, Greene J. Integrative moral judgment: Dissociating the roles of the amygdala and ventromedial prefrontal cortex. J. Neurosci. 2014;34(13): 4741–4749. pmid:24672018
View Article
PubMed/NCBI
Google Scholar

[110] View Article

[111] PubMed/NCBI

[112] Google Scholar

[ref40] 40. Oldfield R. The assessment and analysis of handedness: The Edinburgh inventory. Neuropsychologia. 1971;9: 97–113. pmid:5146491
View Article
PubMed/NCBI
Google Scholar

[114] View Article

[115] PubMed/NCBI

[116] Google Scholar

[ref41] 41. Delorme A, Makeig S. EEGLAB: An open source toolbox for analysis of single-trial EEG dynamics including independent component analysis. J Neurosci Methods. 2004;134(1): 9–21. pmid:15102499
View Article
PubMed/NCBI
Google Scholar

[118] View Article

[119] PubMed/NCBI

[120] Google Scholar

[ref42] 42. Lopez-Calderon J, Luck S. ERPLAB: An open-source toolbox for the analysis of event-related potentials. Front. Hum. Neurosci. 2014;8: Article 213. pmid:24782741
View Article
PubMed/NCBI
Google Scholar

[122] View Article

[123] PubMed/NCBI

[124] Google Scholar

[ref43] 43. Lobaugh N, West R, McIntosh A. Spatiotemporal analysis of experimental differences in event-related potential data with partial least squares. Psychophysiology 2001;38(3): 517–530. pmid:11352141
View Article
PubMed/NCBI
Google Scholar

[126] View Article

[127] PubMed/NCBI

[128] Google Scholar

[ref44] 44. Luck S, Hillyard S. Electrophysiology of visual attention in humans. The Cognitive Neurosciences 5^th Edition. Cambridge, MA: The MIT Press. 2014: 187–196.

[ref45] 45. Bailey K, Mlynarczyk G, West R. Slow wave activity related to working memory maintenance in the N-back task. J Psychophysiol. 2016:1–14.
View Article
Google Scholar

[131] View Article

[132] Google Scholar

[ref46] 46. Buckner R, Andrews-Hanna J, Schacter D. The brain’s default network: Anatomy, function, and relevance to disease. Ann. NY Acad. Sci. 2008;1124(1):1–38. pmid:18400922
View Article
PubMed/NCBI
Google Scholar

[134] View Article

[135] PubMed/NCBI

[136] Google Scholar

[ref47] 47. Knutson B, Peterson R. Neurally reconstructing expected utility. Game Econ. Behav. 2005;52(2): 305–315.
View Article
Google Scholar

[138] View Article

[139] Google Scholar

[ref48] 48. Wikstrom P-O, Svensson R. When does self-control matter? The interaction between morality and self-control in crime causation. Eur. J. Criminol. 2010;7(5): 395–410.
View Article
Google Scholar

[141] View Article

[142] Google Scholar

[ref49] 49. Hirtenlehner H, Kunz F. The interaction between self-control and morality in crime causation among older adults. Eur. J. Criminol. 2016;13(3): 393–409.
View Article
Google Scholar

[144] View Article

[145] Google Scholar

[ref50] 50. Riedl R, Hubert M, Kenning P. Are there neural gender differences in online trust: An fMRI study on the perceived trustworthiness of eBay offers. Manag. Inf. Syst. Q. 2010;34: 397–428.
View Article
Google Scholar

[147] View Article

[148] Google Scholar

Figures

Abstract

Introduction

Information security paradigm for ERP research

Self-control and moral potency

Functional neuroanatomy of ethical decision making

The current study

Materials and methods

Ethics statement

Participants

Materials

Information security paradigm.

Self-control scale.

Moral potency scale.

Short handedness scale [40].

Procedure

EEG recording and analysis

Results

Choice and response time data

Individual difference data

ERP data

Brain-behavior relationships

Discussion

Limitations

Conclusions

References