Given the growing trend of electronic networks of practice and the growing propensity of individuals to rely on the Internet for problem solving, we examine whether programmers in a hypothetical situation would be likely to disclose confidential information through an online forum in attempt to solve a programming problem. We hypothesize and find in a survey of 187 programmers that online forum commitment and trust lead to greater online forum participation, which in turn predicts a higher likelihood of confidential information disclosure. We also find that programmers with greater awareness of security policies exhibit a lower likelihood of deciding to risk disclosing confidential information. The study contributes to extant literature by raising and exploring the potentially negative, dark side of knowledge sharing through electronic networks of practice.
Virtual collaboration through electronic networks of practice, such as an online forum, is generally believed to facilitate effective problem solving (Adamic et al. 2008). However, two key trends point to a potentially dark and unexplored side of virtual collaboration. First, virtual collaboration is proliferating beyond the control of traditionally company-sponsored online forums (Burkhard et al. 2011) and, second, widespread adoption of Internet search networks and other communication forums continues to be embedded into individual habits shaping human memory and problem-solving strategies (Sparrow et al. 2011). Amid these trends, there is an absence of information on how these evolving problem-solving behaviors might lead to an increasing likelihood of confidential information disclosure.1 Accordingly, we empirically investigate the likelihood of individuals to disclose confidential information through virtual collaboration in an online forum setting with the purpose of seeking help to solve a problem. By confidential information we are referring to any type of data, information, or knowledge that is considered private or secret to a company that could potentially lead to negative consequences if revealed to others outside of that company.
These trends also warrant the consideration of how a company maintains confidential information within the boundaries of the company's control. An effective internal control system is essential for protecting company assets due to fraud and errors, but preventing the release of confidential information may be difficult to control given that independent contractors and company employees are able join numerous online forums to collaborate outside of traditional firm boundaries (Brown and Duguid 2001). Accordingly, we also explore whether an individual's awareness of security policies will curtail their likelihood to risk disclosing confidential information.
In general, prior literature has primarily focused on overcoming communication barriers in order to promote collaboration (Jarvenpaa et al. 1998; Pan and Leidner 2003; Cross and Sproull 2004; Hsu and Lin 2008; Phang et al. 2009; Ma and Agarwal 2007). The existing body of literature in this area describes, “a growing consensus on factors that motivate people to make contributions to these [online] communities” (Faraj et al. 2011, 1225). This stream of research is justifiably motivated by the striking findings that over 90 percent of those who participate in many online forums are lurkers (i.e., those who visit online forums but do not post or reply) (Katz 1998; Nielsen 2006; Muller et al. 2010). Yet, while scholars have recognized the competitive advantage that confidential knowledge may convey to a firm, there has also been recognition that user's irresponsibility, carelessness, or lack of minding the consequences can lead to disclosure of intellectual property and confidential information (Laorden et al. 2010).2 Despite the inherent difficulties of controlling such information (Liebeskind 1996), we are unaware of any prior research that has explored the tendency of individuals to post proprietary, company-owned knowledge within a virtual collaboration environment. This knowledge management paradox is recognized as tension between desiring to belong to networks of knowledge sharing while at the same time protecting confidential information (Chae and Bloodgood 2006). Managing this paradox requires carefully balancing the exploitation of opportunities for gain while minimizing losses through opportunism, activism (e.g., Wikileaks), or inadvertent disclosure of confidential information.
To study the tendency of confidential information disclosure in a virtual community, we investigate the likelihood that computer programmers will disseminate confidential information through an online forum through their responses to a hypothetical scenario and related survey. The scenario asks programmers to consider the likelihood that they would share their client's confidential information in an online forum if other forum members request that information to assist them in solving a pressing programming problem. Given that many firms do take precautions against the release of confidential information, we further consider the impact of the awareness of security policies to minimize the distribution of confidential information (Puhakainen and Siponen 2010). While it seems plausible that such policies are commonplace, a recent survey by PricewaterhouseCoopers (2011) indicates that 49 percent of firms conduct employee security-awareness programs, and only 46 percent have established security baselines for external partners, customers, suppliers, and vendors.
In this light, the current study examines three interrelated research questions:
What antecedent factors are associated with the extent to which programmers participate in online forums?
When attempting to solve a programming problem, are programmers likely to disclose confidential information through an online forum?
Will awareness of employer and client security policies reduce the likelihood that programmers will disclose confidential information through an online forum?
Our results suggest that three antecedents are significantly positively associated with the extent of online forum participation: online forum commitment, online forum competence, and online forum benevolence. We further find a positive association between programmers' historical level of online forum participation and the likelihood that they would post confidential information to the forum. Finally, the likelihood of posting confidential information is negatively moderated by a higher awareness of security policies by programmers.
The current study points to a possible gap in the internal control boundary that surrounds and protects a company. The implications suggest that companies need to protect against possible security breaches perpetrated through employee involvement in external networks of practice. This caution does not pertain only to programmers, as employees in many functional areas (e.g., purchasing, sales, and engineering) share best practices and other information through specialized electronic networks of practice. The study also provides evidence to bolster the internal control and computer security literature by showing that increased awareness of security policies can help prevent the leakage of confidential information through virtual collaboration. Our findings strengthen the basis for increasing employee awareness of firm policies, as is often assumed in internal control documentation promulgated by authoritative and other industry groups, such as The Committee of Sponsoring Organizations, International Organization for Standardization, and the Financial Accounting Standards Board. From a practical standpoint, the results point to the potential benefit of security awareness policies that focus on the unauthorized disclosure of confidential digital information. While the research is limited in external validity due to the survey method, it does provide some initial empirical evidence about the extent to which individuals would be willing to disclose confidential information—motivating additional research on the topic. Given the dearth of literature in this domain, we anticipate that others will also find this to be a fertile area for future research.
The remainder of the paper is organized as follows. Section II presents a conceptual background of knowledge collaboration and its vulnerabilities in virtual communities. In Section III, we then present our research model, noting research hypotheses related to online forum commitment, online forum trust, habitual use of online forums, and security awareness. In Section IV, we describe the methodology used to test the research model. Section V presents the results. Finally, Section VI concludes with a discussion of the results, limitations, and implications.
Knowledge sharing has long been recognized as a critical factor for individual learning and organizational growth and competitiveness (Liebeskind 1996; Hoopes and Postrel 1999; Kaplan et al. 2001; Alavi and Leidner 2001). A rich body of literature examines the influences of individual, organizational, environmental, contextual, and technological characteristics on the propensity to participate as a knowledge seeker (Chiu et al. 2006; Pan and Leidner 2003; Wasko and Faraj 2005). As the proliferation of knowledge management and communication tools continue to facilitate exchange (i.e., Wiki, social media, search engines, and other online communities), one facet of knowledge sharing largely unexplored in prior research is the lack of controls, rules, and boundaries to protect the release of company-owned information within online communities. While it is true that most organizations have policies and procedures regarding online community participation, prior research has emphasized many positive facets of knowledge as an organizational asset to achieve competitive advantage. Security issues surrounding the intentional and unintentional disclosure of confidential knowledge within online communities have not been widely studied.
Electronic knowledge sharing is enabled globally through the Internet, a global asynchronous and distributed system (Wasko et al. 2004). In order to encourage individuals to share knowledge, firms should cultivate the view that knowledge is a public good and not inseparably embedded in the organization or individual (Wasko and Faraj 2000). Generally, knowledge sharing in non-firm controlled (i.e., open) online forums depends upon consistent participation (Butler 2001; Ma and Agarwal 2007). Prior research has shown that when individuals are able to verify their online identity and receive recognition, they are more likely to contribute knowledge and are more satisfied in their participation (Ma and Agarwal 2007). Phang et al. (2009) find that both usability (ease of use, system reliability, and knowledge tracking) and sociability (interactivity and perception of the forum moderator) enable knowledge seeking and contribution. For each of these studies, the emphasis is on how to improve the participation, leading to effective knowledge sharing and learning. Thus, this stream of research is not concerned with risks that might be associated with online forum participation.
In arguing for the critical role of knowledge in establishing and sustaining a firm's competitive advantage, extant research has shown that, unlike tangible assets that can be observed, controlled and accounted for, intangible assets (e.g., knowledge, patents, and copyrights) are not as manageable. Because knowledge resides in the individual, despite apparent organizational ownership rights, knowledge transfer is difficult to prevent, detect, and control (Liebeskind 1996).
Scholars have also recognized that knowledge can be “sticky” and difficult to move within an organization (e.g., sharing best practices or solving problems), while at the same time knowledge can be “leaky” or overflow outside the bounds of an organization. Knowledge that leaks beyond organizational boundaries creates a risk of confidential information being released into the hands of competitors or unauthorized individuals (Brown and Duguid 2001, 207).
Using historical examples (e.g., graphical user interface, CAT scan technology, and others), Brown and Duguid (2001) argue that approaches to understanding the nature of sticky and leaky knowledge have been less than fruitful. Rather, “instead of addressing the inertia of knowledge in terms of inherent properties of knowledge itself (cf., Polanyi 1966; Ryle 1949), it seems more fruitful to look to the context or environment in which knowledge sticks or leaks” (Brown and Duguid 2001, 200). In particular, electronic networks of practice can lead to situations where people rarely interact, but through shared practices, these individuals are able to share knowledge in a manner that leaks across organizational boundaries.
We find practical and theoretical motivation for this research in the need to protect certain types of knowledge for competitive advantage (Liebeskind 1996), the ease through which knowledge can leak across electronic networks of practice (Brown and Duguid 2001), and the degree to which virtual collaboration research focuses on how to promote rather than control knowledge sharing. In contrast, publically available computer-mediated communications (e.g., text messaging, social network sites, online forums) are generally accessible and searchable resources of information. A recent example illustrates the potential damage to an institution that allows confidential information to escape its control. A third-party subcontractor with confidential data from Stanford University Hospital shared the data with a potential employee. Subsequently, the potential employee uploaded the data to a homework help website hoping to find assistance in analyzing the data as part of the job interviewing process (Sack 2011).
Electronic networks of practice have been described as, “open to anyone with an interest in the practice. As long as an individual has access to the technology, participation is openly available regardless of physical location, demographics, organizational affiliation, social position, or personal expertise. Thus, electronic networks of practice may have thousands of members who are typically strangers coming from a wide variety of organizations across the globe” (Wasko et al. 2004, 498). As online forums continue to enable professional electronic networks of practice beyond organizational boundaries, it becomes increasingly likely that knowledge will leak—intentionally or otherwise.
III. RESEARCH MODEL AND HYPOTHESES
Our research model stems from asking what factors might influence the likelihood of leaking confidential knowledge into an electronic network of practice. As illustrated in our research model (see Figure 1), online forum commitment, in addition to online forum trust (as measured by competence and benevolence) are antecedents of online forum participation. Online forum participation is expected to predict the likelihood to post confidential information to an online forum. Prior research has examined the influence of trustworthiness on knowledge exchange under conditions where such exchanges are encouraged by the organization (Mayer and Davis 1999; Mayer et al. 1995; Abrams et al. 2003; Hsu and Lin 2008; Krishnan et al. 2006; Levin and Cross 2004; Szulanski et al. 2004). In contrast, we are interested in understanding what could lead to risky communication outside of organizational boundaries and what factors would mediate or control such behavior. Therefore, our model includes a moderating variable, awareness of security policies, which potentially can serve to curtail knowledge leakage. We now develop the hypotheses pertaining to the research model.
Online Commitment and Online Forum Participation
Research suggests that knowledge sharing within communities is greater when commitment and trust exist (Mayer et al. 1995; Jarvenpaa et al. 1998; Roberts 2006). Similar to the concept of organizational commitment, members of electronic networks of practice form a commitment to online communities that develops over time (Kankanhalli et al. 2005; Nahapiet and Ghoshal 1998). Much of the prior research examining commitment has focused on organizational commitment in the areas of employee turnover, job satisfaction, and job characteristics (Aranya and Ferris 1984; Brown et al. 2007; Ferris and Aranya 1983; Lawrence and William 2007; Parker and Kohlmeyer 2005; Williams and Hazer 1986). Organizational commitment is defined as “the relative strength of an individual's identification with, and involvement in, a particular organization” (Mowday et al. 1979, 226). Within the context of electronic networks of practice, we might expect a similar form of commitment to exist. Similar to an organization, an electronic network of practice is a professional network of individuals who are able to communicate and share knowledge, where individuals have come to rely on such communities as a source of knowledge and a way of maintaining sustainability (Pan and Leidner 2003).
Members of electronic networks of practices have been described as having characteristics or interests, assumed roles, expectations, and ongoing relationships that foster communication, and an ongoing relationship among members (Abrams et al. 2003; Hsu and Lin 2008). Arguably, the frequency of interaction signals a commitment to the network (Wasko and Faraj 2005).
Wasko and Faraj (2005) build a strong case of how members can become committed to online communities, arguing that members build a sense of responsibility to help others (both members and nonmembers), give back to their profession, and facilitate participation and structure of the forum. Extant literature hypothesizes that individuals who are committed to the forum will have a higher level of knowledge contribution than others will (Wasko and Faraj 2005). However, these hypotheses have been largely unsupported.
Other researchers have measured knowledge contribution in terms of the helpfulness of the contribution and the volume of contribution (Taylor and Murthy 2009), but failed to find support for a positive relationship between commitment and the frequency of postings to an online forum. It is possible, however, that the findings would have been supported across different types of online networks. For example, in some online networks there may be greater variance between those who feel highly committed to a specific forum versus those who occasionally lurk. Accordingly, the level of contribution may vary, and the online activity may be more broadly interpreted as not only posting, but also reading and rating posted information. While the level of commitment may vary, we expect that the more highly committed individuals are to an online forum, the more active they will be in their online forum use, thus:
There is a positive association between an individuals' commitment to online forums and online forum participation.
Online Trust and Online Forum Participation
Although difficult to achieve, trust within the online communities is a critical component of knowledge exchange. Trust is defined as “the willingness of a party to be vulnerable to the actions of another party based on the expectation that the other will perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party” (Mayer et al. 1995, 712). Once trust is developed between holders of knowledge and members of electronic networks of practice, preventing voluntary or involuntary release of information may prove challenging for organizations, especially when using traditional controls to minimize this form of risk-taking behavior (Jarvenpaa et al. 1998). Risk-taking activities, such as releasing confidential information, may increase for those who place trust in electronic network communities, especially in situations of perceived low risk coupled with a benefit (Mayer et al. 1995).
Unlike organizational trust, where individuals typically know each other, online trust may be generalized to a collective body of individuals who are strangers to each other and the organization. Alternatively, while members may not know one another as they might in an organization, individuals may still be able to verify their online identity through the use of a consistent username, and therefore others could come to trust specific individuals within an electronic network (Ma and Agarwal 2007).
Two aspects of trust models are that individuals determine the level of trust to place in other individuals based on both the competence and benevolence of the other party (Mayer et al. 1995).3 Perceptions of competence refer to how a forum member perceives the other members relative to their knowledge about the topics discussed. Perceptions of benevolence refer to how a forum member perceives whether other members have concerns for others and will not take advantage of them. Trust derived from competence refers to a trustor being willing to be vulnerable to one who demonstrates a domain-specific ability; trust derived from benevolence reflects, “the extent to which a trustee is believed to want to do good to the trustor” (Mayer et al. 1995, 718).
Prior studies have emphasized the importance of trust in knowledge sharing (Abrams et al. 2003; Jarvenpaa et al. 1998; Levin and Cross 2004; Ridings et al. 2002; Roberts 2006; Szulanski et al. 2004; Yakovleva et al. 2010), but few have examined trust within the context of electronic networks of practice or trust from the “knowledge seeker.” Similar to knowledge providers, when reciprocity is considered the norm within electronic networks, knowledge seekers will trust the environment and are likely to pursue actions that benefit themselves, such as posting information and asking questions (Wasko and Faraj 2005) with increased frequency. Therefore, we posit that when trust in online communities exists among knowledge seekers, they are likely to have higher level of online forum participation, thus:
There is a positive association between the perception of forum members' competence and online forum participation.
There is a positive association between the perception of forum members' benevolence and online forum participation.
Online Forum Participation and Likelihood to Post Confidential Information
Prior research has shown that past behavior patterns predict the likely occurrence of future behavior (Ouellette and Wood 1998; Ajzen 2001). This would tend to explain why individuals who participate in online forums would generally be more likely to post confidential information. This logic follows research that suggests that users who have established an online forum behavioral pattern are likely to seek online forums to solve problems, despite the availability of other problem-solving techniques, if online forums have been successful in the past for solving problems (Aarts and Dijksterhuis 1999; Aarts et al. 1997). Research suggests that the use of online forums for problem solving can become a habitual, automatic approach in which the well-practiced, routine behavior can become unconscious and unintentional to online forum users (Ouellette and Wood 1998; Ajzen 2001). More recently, psychologists have found that the ubiquitous use of Internet search engines acts as a form of external or trans-active memory in which people are primed to rely on use of the search engine for recalling information rather than the recall of the information itself (Sparrow et al. 2011). Given that frequency seems to be related to not only a potential increase in volume, but also the increase in the propensity to use online forums, we propose that:
Online forum participation frequency will positively influence the likelihood that a programmer will post confidential information.
As it follows that past behavior predicts the likely occurrence of future behavior (Ajzen 2001), we anticipate that programmers will be inclined to engage in habitual, automatic, problem-solving behavior (Ouellette and Wood 1998). Accordingly, we posit that for individuals that have higher levels of perceived commitment, competence, and benevolence toward online forums, these will develop into a habitual pattern of online forum participation (i.e., online forum activities). Thus, we theorize that online forum participation will mediate the relationship between a programmer's commitment, competence, and benevolence and the likelihood that they would potentially leak confidential information as indicated in the hypothetical scenario (i.e., the dependent variable = likelihood to post). The logic is in considering the correlation between a single episode of posting confidential information and the antecedents that the strength of the prior online forum participation will fully mediate the trust and commitment variables. We therefore predict that:
Online forum participation will mediate the relationship between commitment and the trust variables (competence and benevolence), and likelihood to post.
Awareness of Security Policies
An information security policy is “a statement of the roles and responsibilities of the employees to safeguard the information and technology of their organizations” (Bulgurcu et al. 2010, 526–527). A purpose of security policies is to align employee behaviors with desired information security practices of management. However, in order for policies to be effective and allow users to participate in information security, users must at least be aware of the policies (Spears and Barki 2010). While the responsibility for maintaining internal controls and security falls on both management and employees, recent studies indicate that management is not always effective at enforcing policies and employees are often lax in adhering to recommended security practices (Bulgurcu et al. 2010; Johnston and Warkentin 2010; Puhakainen and Siponen 2010; Siponen and Vance 2010; Aytes and Connolly 2004). In response to these concerns, we investigate whether the awareness of security policies can serve to avert security breaches arising from employees or independent contractor actions. In particular, we focus on security violations associated with electronic networks of practice.
There is evidence that information security awareness is an effective security management tool (Bulgurcu et al. 2010; D'Arcy et al. 2009; Liang and Xue 2010; Spears and Barki 2010). Awareness of security policies leads to intentions to comply with the policies (Bulgurcu et al. 2010), less IS misuse (D'Arcy et al. 2009), and security training programs improve end users' motivation to comply with security policies (Puhakainen and Siponen 2010). Experimental research has also found that by informing end users about the potential dangers (i.e., spyware (obtaining confidential information) and recommending a solution, users were more likely to comply with recommendations to adopt protection measures (Johnston and Warkentin 2010). These studies provide important insights about the connection between awareness and the likely effects on user attitudes and intentions to engage in activities that would typically be counter to security policies—sharing confidential information in an online environment. Online forums present an easy opportunity for releasing confidential information. Given that security-awareness research has found support that awareness leads to compliance, we predict that:
Awareness of existing security policies will negatively moderate the relationship between online forum participation and the likelihood to post confidential information.
IV. RESEARCH METHOD
To test our hypotheses, we designed a survey instrument that included a hypothetical scenario about a programmer sharing overtly confidential information in an online forum, questions about online forum use, security awareness questions, and demographic questions. All research participants received the same material, which was developed by the authors of this study (see this article's Appendix A to download the supplemental material). The scenario describes an independent, offsite programmer who receives an emergency call from the information technology director of a regional bank to solve a complex program that would help the bank better manage debt covenants and avoid covenant violations. The authors chose a debt-covenant situation given the findings of a large body of research indicating that accounting and other decisions are based on the desire to avoid debt- covenant violations (Beatty et al. 2002; Smith 1993; Sweeney 1994; Watts and Zimmerman 1990). After accepting the job, the independent programmer was granted access to the accounting system and confidential information belonging to the bank. Additional highlights of the scenario include a need to resolve the problem within a few days, given that the bank had previously suffered from other debt-covenant violations. Additionally, the bank had hired the independent programmer previously; hence, the programmer was familiar with the bank's accounting system.
The scenario further describes that the programming assignment proved to be challenging, thus, the programmer sought assistance through an online forum, what we have characterized earlier as an electronic network of practice. After posting a general question in the online forum, the forum members requested additional information to solve the problem. The additional information included programming code containing confidential information. Therefore, a decision needs to be made as to whether the bank's confidential information should be released to helpful experts who are available through the online forum.
The survey was conducted during a two-day training session that was attended by a diverse group of computer programmers and application developers. The session's topic was how to build applications for the Apple iPhone using the iOS 4 (Apple's mobile operating system). The training was conducted by an international consulting firm4 and was held in a major city in the United States, thus, the participants reflect a convenience sample.5 The survey materials were administered by one of the coauthors. At the beginning of the training session, attendees were asked if they would volunteer to complete a survey. All attendees agreed and completed the survey questions.
One hundred eighty-seven programmers were surveyed as part of this study. The respondents categorized themselves as a self-employed programmer (independent contractor), employee of a company that provides programming services to others (service provider), employees of the company for which they offer their programming services (permanent employee), or a combination thereof. The sample consisted of 160 males (86 percent) and 27 females (14 percent), which generally reflect the demographics for this population. The modal age range was 21–35 for the sample. Seventy-three percent of the respondents indicated having at least “some college” level or higher formal education. The modal field of study was computer science/information systems with many of the respondents (83 percent) having more than five years' experience. The overall demographics are shown below in Table 1.
This study adapted various survey items from extant literature, along with new measures; thus, steps are required to demonstrate the reliability and validity of model constructs. Online forum commitment and online trust (i.e., competence and benevolence) are composed of multiple measures that are expected to covary within each construct; hence, we model them as reflective indicators. Online forum participation (four measures) and awareness of security policies (five measures), are not necessarily expected to covary; therefore, they are modeled as formative indicators (Bollen and Lennox 1991). Because the sample consisted of participants that worked independently and others that worked as direct employees, we asked them to respond about their awareness of employer security policies or client security policies. Finally, the dependent variable construct (likelihood to post confidential information) is comprised of three items that are modeled as reflective indicators, as they are expected to covary. Given the combination of reflective and formative constructs, two different examinations will be required to demonstrate construct reliability and validity. The validity and reliability tests of both the reflective and formative constructs were performed and exhibited a sufficient degree of reliability and validity, which allows us to rely on the model to test our hypotheses. The extended tests of reliability and validity can be seen in Appendix B (see this article's Appendix A to download the supporting material). The general response information regarding mean, standard deviation, range, as well as a correlation matrix for the formative measures are shown below in Table 2 and Table 3 and the actual text of each item is available in Appendix C (see this article's Appendix A to download the supporting material).
The research hypotheses were tested by examining the size and significance of structural paths using PLS analysis. The overall model results, which explain 77 percent of the variance in the dataset, are shown in Figure 2. All of the proposed hypotheses were supported with commitment (β = 0.24, p < 0.01), competence (β = 0.18, p < 0.05), and benevolence (β = 0.17, p < 0.10) positively influencing online forum participation, as proposed by H1, H2, and H3. In turn, online forum participation positively influences the likelihood to post confidential information (β = 0.43, p < 0.01), as predicted by H4.
Baron and Kenny (1986) note that to establish mediation conditions, you must (1) show that the trust variables have a significant effect on likelihood to post, (2) show that the trust variables have a significant effect on online forum participation, and (3) show that the trust variables have a lower effect (or no significant effect) on likelihood to post when online forum participation is used as a mediator. Perfect mediation occurs when the significant effects shown in Step 2 disappear in Step 3. Following these steps, the results show perfect mediation for all paths (commitment, competence, and benevolence) as predicted in H5.
Finally, as posited by H6, awareness of security policies significantly reduces individuals' propensity to post confidential information (β = −0.26, p < 0.05). Interestingly, however, there still remains a considerable likelihood of posting as indicated by the significant pathway from online participation to likelihood to post (β = 0.43, p < 0.01).
Common Method Bias
To detect possible common method variance (CMV), we run Harman's single-factor test (Podsakoff et al. 2003; Malhotra and Galletta 2005) by performing exploratory factor analysis on all of the indicator variables. The unrotated solution yields seven factors, with the first factor explaining 19 percent of the variance (eigenvalue = 5.24) and the remaining factors explaining between 18 and 5 percent of the variance in the model (eigenvalues between 3.99 and 1.00). If a substantial amount of CMV is present, either (1) one individual factor explaining more than 50 percent of the covariance among the variables will emerge from the factor analysis, or (2) one of the general factors will comprise the majority of the covariance among the variables. As noted above, there is no individual factor among the variables and no general factor explains more than 19 percent of the variance, therefore we conclude that CMV is not an issue in this study.
Effects of Security Policy Awareness
One of the fundamental objectives of statistical analysis is to be able to compare competing models. The overall purpose of this analysis is to gauge the relative effects of security policy awareness on the relationship between online forum participation and likelihood to post confidential information. While the least squares approach of PLS does not allow the calculation of goodness of fit statistics that are commonly used with variance/covariance-based structural equation methods, we are able to compare the models using other techniques (Mathieson et al. 2001).
To gauge the relative impact of the moderating components we first need to establish that the items being used actually measure different things. This is accomplished using factor analysis and is shown in Table 4. All of the variables load on separate constructs with the exception of online forum participation. However, since online forum participation has been deemed to be formative, the fact that the indicators do not distinctly factor is a minor concern. What is more important is that online forum participation does not cross-factor with other variables.
Mathieson et al. (2001) proposed a comparison method employing a modification of Chow's partial F-test whereby constructs are added to an existing model and (as shown in Figure 3) the effect size (of the added construct as shown in Figure 2) is estimated. The effect size is classified as small (0.02), medium (0.15), and large (0.35) (Cohen 1988). The effect size (ƒ2) is multiplied by a constant to produce a pseudo F-statistic that can be used to determine significance. Performing this test results in an ƒ2 effect size of 0.22, or a medium-to-large effect size. When the effect size is multiplied by n − k − 1 (where n =187 and k = 5), we find an F-statistic of 39.35 (p-value < 0.001) with 1 and 4 degrees of freedom and it shows that the addition of security policy awareness as a moderating variable provides a significant addition to the original online commitment and trust model discussed in extant literature.
VI. DISCUSSION AND CONCLUSION
Much of the prior literature on virtual collaboration has emphasized the problem of getting individuals to more fully participate (Wasko and Faraj 2005; Katz 1998; Nielsen 2006), and how to promote greater and consistent contributions leading to knowledge sharing and learning (Ma and Agarwal 2007; Phang et al. 2009; Jarvenpaa et al. 1998; Pan and Leidner 2003; Cross and Sproull 2004; Hsu and Lin 2008). Instead, we focused on a risk of virtual collaboration—leaking confidential information. We drew on the perspective of networks of practice to explain how knowledge can be easily leaked across professional associations and interactions (Brown and Duguid 2001). We further motivated our scenario by drawing on research about how repetitive problem-solving patterns reinforce the strength of those patterns of use (Ajzen 2001; Ouellette and Wood 1998; Sparrow et al. 2011). It is not uncommon for many professionals, especially programmers, to engage in virtual collaborations in online forums as a matter of practice. Our interest followed how programmers' motivations to use online forums for knowledge sharing conflict with a potential release of confidential information. Further, we sought to understand whether awareness of security policies might constrain such leakage.
A total of 187 programmers completed our survey and hypothetical scenario in which we examined three major issues. First, we investigated some of the factors identified in prior literature that are potentially associated with programmers' developing patterns of online use frequency. Our results indicated that programmers' commitment to an online forum and two dimensions of online forum trust (competence and benevolence) are positively related to habitual use of the forum. While prior research does not find support for the relation between commitment and knowledge contribution (Wasko and Faraj 2005), we find that commitment relates positively to programmers' online forum participation. The significant relationship between the trust components and online forum participation suggests a likely reciprocal, reinforcing pattern of continued use. However, more research would be needed to confirm the direction of the causality, as it might be that increased forum participation biases programmers' views on the benevolence and competence of those with whom they collaborate. This finding also extends the connection between trust and knowledge contribution (Abrams et al. 2003; Jarvenpaa et al. 1998; Levin and Cross 2004; Ridings et al. 2002; Szulanski et al. 2004; Yakovleva et al. 2010) to trust and knowledge seeking.
Second, we examine whether programmers' online forum use frequency is positively related to the likelihood of posting confidential information on the forum. As predicted, the results indicate a significant and positive relationship. It is interesting that the relationship between online forum participation and likelihood to post is quite strong, given that programmers are asked in the survey the likelihood that they would post confidential information. Similar to the automaticity found in internet searching when recalling information (Sparrow et al. 2011), it appears that programmers maybe inclined to automatic, problem-solving behavior (Ouellette and Wood 1998) with participation in online forums. Because we measured perceived frequency of forum-use behaviors (i.e., the measures that constitute online forum participation), we are clearly limited in making claims about the formation of habits leading to greater propensity of non-compliant behavior such as posting confidential information. Future research should continue to explore the connection of habit and behavior surrounding not only IT use (Lankton et al. 2010) but also related to security policy compliance.
Third, we study whether awareness of security policies will influence the programmers' decision to post confidential information to a forum. The results indicate that security policy awareness does have a significant effect on reducing the likelihood of posting confidential information. Additionally, we reinforce this point by noting the statistical significance between models (with and without the security awareness construct) and the medium-to-large effect size when including the security policy awareness construct to the base model. This finding extends the prior research that finds value in security policy awareness into the domain of releasing confidential information through an online forum (D'Arcy et al. 2009; Liang and Xue 2010; Spears and Barki 2010; Bulgurcu et al. 2010). However, it is also important to note that the effect of awareness, while significant, does not eliminate the potential for posting. Again, we suggest that future research should continue to look into more detailed measures of awareness and understanding of security policies along with the underlying thinking that programmers might be making in weighing the pros and cons, which might reveal a more nuanced explanation about their risk calculations.
Since our responses reflect self-reports, they could be affected by a self-presentation bias that under-reports deviant behavior of this nature, which would reduce the effect size on the likelihood to post confidential information. Despite this potential bias, we find that the R2 of the PLS model is fairly high, with 77 percent of the variance in the dataset being explained. One reason might be that while the scenario is plausible, participants may not respond the same way if actually confronted by the same scenario. A second limitation involves the relatively small sample size which limits our ability to apply strong statistical testing. Another limitation related to generalizability is that the programmers were drawn from a specific population of those interested in learning more about programming for the Apple iOS platform. Consequently, they may not have sensitivity to financial and accounting topics (e.g., debt covenants) that are a part of the hypothetical scenario. At the same time, the results remain interesting given the rapid increase of mobile application development for iOS operating system and the desire of many firms to potentially reach out to those that have experience in working with iOS in adapting their legacy applications to the iOS platform. Ultimately, further research would do a great deal to refine and extend the model we have proposed and tested by increasing the sample size and accounting for a more detailed profile of programmer knowledge.
Firms are grappling with a dynamic, global environment in which they are expected to develop and protect confidential aspects of their business. At the same time, businesses often work with third parties for the development of their applications and face the risk of losing confidential knowledge and information. Employers are faced with the “no-win” scenario of the impossibility of closing all loopholes, while the attempt to block the outflow of knowledge at the organizational boundary may additionally result in a restriction of knowledge inflow (Brown and Duguid 2001). Yet, sharing and securing knowledge is critical for competitive advantage (Liebeskind 1996). Because programmers potentially use online forums in a habitual problem-solving routine, closing these avenues down may minimize efficient and effective problem solving. As a result, organizations might consider modification of training and support efforts for programmers (direct and outsourced), focusing particularly on how to guide the interaction within their professional communities when seeking knowledge in a way that will minimize the risk of releasing confidential information. Given that less than half of the firms in their survey have security awareness policies and training programs, it appears as though such awareness needs more attention in the workplace as well (PricewaterhouseCoopers 2011). We recommend that firms continue to develop and communicate such policies to their employees and outsourced contractors, with specific reference to the disclosure of confidential information within the use of electronic networks of practice.
There is also an absence of data about how the volume of confidential information disclosure may be growing through the expanded use of the Internet.
Research on information leaks has emphasized the challenge of controlling personally identifiable information in online social networks (Krishnamurthy and Wills 2009), protecting sensitive information while releasing information to the public (Chen et al. 2009), and developing technical solutions to protect against covert communication channel leakage (Lee et al. 2009), or computational linguistics to dynamically identify potential leaks of sensitive information (Gomez-Hidalgo et al. 2010).
Integrity is another component of trust development included in Mayer et al.'s (1995) model. As integrity is concerned with the consistency of the trustees (i.e., online forum members), we assume that our participants will embed an element of whether or not members are consistently competent or consistently benevolent and rank them accordingly. In other words, if competence and benevolence were erratic, then even if there were occasional flashes of competence or benevolence, the participant would still disagree that they are highly competent or benevolent. Further, as it is difficult to determine whether forum members, including the participants, have established any agreed upon principles, it would be difficult to rely on their evaluation of integrity. Thus, we excluded measuring their perceptions of online forum members' integrity.
Due to a strict confidentiality agreement, the researchers cannot disclose the name of the consulting firm.
Since the sample is comprised of participants who voluntarily attended a training session, there is a self-selection bias. However, we have no reason to believe that the participating programmers are substantially different from other programmers.
Editors Note: Accepted by Miklos A. Vasarhelyi.
Supplemental materials can be accessed by clicking the links in Appendix A.
We thank the professional programmers who participated in this study, and the consulting firm that provided access to the programmers. We also acknowledge the insightful and helpful comments of reviewers, and those in attendance at presentations at the 2012 AAA IS Midyear Meeting, Bentley University, and Brigham Young University.