A field study of corporate employee monitoring: Attitudes, absenteeism, and the moderating influences of procedural justice perceptions
1. Introduction
Managers carry special responsibilities for stewardship over personnel and organizational re-sources through enforcement of company policies and practices. In the execution of their stewardship, they may be involved in the gathering of information about employees such as their performance measurements compared to their objectives and other work-related activities; but also, increasingly, managers are called upon to gather information about employees and enforce organizational policies that include various security practices such as monitoring access to vital corporate resources. Monitoring is the physical or electronic observation of someone's activities and behavior.
These practices are particularly acute in organizations that are regulated by government legislation, such as in the healthcare industry in the United States (US) through the Health Insurance Portability and Accountability Act (HIPAA) or those that deliver products and services to a government agency or are regulated in the European Union (EU) or the United Kingdom (UK). Thus in most cases, organizations must gather information about employees to identify and authenticate them for access control, and then monitor their behavior as they conduct their work, which produces a large cache of employee-specific data. Because of the severity of the consequences of security breaches, as well as levied as punitive measures by regulators for non-compliance, organizations are increasing their technological monitoring practices, but research into the organizational impacts from these practices is lagging behind.
While a significant amount research has investigated issues related to company policy compliance, we contribute to the literature in several ways. First, we fill a gap in the literature by studying the effects of forced compliance, and second, while studies have begun to assess the psychosocial impacts on people from monitoring, the findings are mixed -- some studies indicating deleterious effects, while others often finding acceptance among workers for such practices. Our research helps to explain these contradictory findings. Finally, we addressed whether organizational procedural justice practices might offset some of the negative effects such as absenteeism.
1.1. Monitoring: the unblinking eye
The unlinking eye is a reference to the constant mon- itoring of physical or electronic movements and activities of people. In most cases people are aware of company monitoring activities in the US, EU, and the UK However; this is not always the case as was exposed about the covert monitoring of employees at Deutsche Bahn and Deutsche Telekom and other companies. Post the "US-9/11 attacks" as it is known, there are new legal protections for corporate monitoring in the US, UK, and EU, and the prac- tices have continued to expand in both range and depth.
In an organizational setting, it has become common practice for instance to allow the electronic observation of web surfing activity, monitoring emails, and telephone call monitoring of office employees (e.g. "for quality assurance purposes"), along with increasing use of global positioning satellite systems (GPS) and radio frequency identification (RFID) for tracking mobile workers.
1.2. Monitoring: attitudes and organizational behavior
The growing pervasiveness of the information collections has combined with increasing technolog- ical sophistication, allowing companies to monitor the actions of employees more invasively also. Software that covertly monitors computer activities and monitoring hardware devices are being fashioned to blend into the environment by hid- ing them in pens, clocks, or bookends. These may dampen employee monitoring aware- ness regardless of whether employers notify employees of such monitoring, which can create a psychological double bind on employees who know they are being monitored, but the unobtrusive- ness of the technology may make them seem innocuous. This creates a double bind because it carries the implied presumption that everyone is "potentially guilty".
Nevertheless, employees state that maintaining their privacy is an essential element in how they feel about their jobs and their employers. They assert that monitoring negatively impacts their attitudes and their work-related behaviors such as absenteeism.
2. Theory framework
The escalation in monitoring has been sparked in part by the increasing focus on security threats to individuals and to organizations. Protec- tion motivation theory has been used to examine the individual level threat assess- ments and behavioral coping responses, primarily in regards to healthcare issues. Extending from this line of research, Workman, Bommer, and Straub developed a threat control model (TCM) and tested it in relation to why employees, who are aware of security threats and the countermeasures, often choose not to implement discretionary security protections. Working from this previous research, the present study investigates how those factors related to mon- itoring of employee behaviors.
2.1. Monitoring, attitudes and absenteeism
Organizations espouse treats in order to gain compliance with security policies that include having employees give up personal information and subsequently allow monitoring of them. In this regard, the term commercial fear has been used in reference to the manipulation of strong emotions to neutralize negative attitudes toward something undesirable. Importantly in this process, employees have expectations that the leadership in their organization will treat them fairly in the process, and they develop tacit expectations that the organization will act in the best interest of the employees while conducting its stewardship over organizational resources including personnel -- the concept is that of a psychological contract.
2.2. Threat perceptions, severity and likelihood, and monitoring
The perception of threat is the anticipation of a psychological (e.g., assault), physical (e.g., battery), or sociological (e.g., theft) violation or harm to oneself or others, and which may be induced vicari- ously. From a security perspective, the focal stance in organizations has relied heavily on a theory of deterrence to try to prevent people from carrying out threatening acts by fear of damage, punishment, or retaliation. In organizations, deterrents are applied in two ways: internal threats of punishments for misbehaviors, and warnings of external threats to gain compliance with rules or policies. Security policies are organi- zational instruments that establish the rules and punitive sanctions regarding security behaviors. Increasingly, employment is conditioned upon employee agreements that elicit promises to comply with security policies including allowing the organization to collect personal data and monitoring their activities.
2.3. Efficacy and monitoring
On the one hand, fear appeals may serve to mobilize people for taking actions against threats, but they can have a reverse effect -- they might engender fatalistic attitudes in some people. The coping mechanisms people may take toward espoused threats rely in part on their perceived confidence in their abilities, or self-efficacy, to take alterative courses of action compared against their personal assessments of the costs of those actions. In context of our study, this ranges from availing themselves of adjudication channels or quitting compared to conceding to mon- itoring practices and suppressing their resentments. This is because compared to people with low self- efficacy, people who possess high self-efficacy tend to perceive more control over their outcomes, such having a greater say in organizational practices, and having the ability to quit and find other employ- ment when working conditions become unsuitable.
2.4. Trust and monitoring
As indicated before, the extent to which employee expectations of what the organization will pro- vide and what they owe the organization in return forms the basis of a psychological contract. People will tolerate monitoring and give up certain of their privacies so long as they perceive that the psychological contract is maintained. While some research has suggested that age may factor into perceptions of the psychological contract (and hence should be controlled in hypotheses tests) there are significant relationships be- tween a psychological contract breach and work-related outcomes.
2.5. Procedural justice interactions with TCM components
The literature posits many influences among people in their compliance with security policies, which establish the rules for governing their behaviors. However, whether or not people simply comply with policies is incomplete in explaining organizational results. Employees may comply with the policies but harbor resentment or exhibit other (possibly subtle) counterproductive behaviors if they consider the policies unfair. For example, the literature reports that per- sistent fear appeals and protracted hyper-vigilance can have negative consequences for psychological states of mind such as attitudes, and suggests negative effects from systemic monitoring on prosocial behaviors of the law abiding.
3. Method
3.1. Participants
To gain a bounded population with qualities that would yield data to address our research ques- tion, we selected and gained entree into a multinational company with offices in the US, throughout Europe, throughout the UK, and in various locations in India. We made this selection so that the sampling validity could be ascertained while preserving the multinational attributes important to our study. The company was involved in a range of product development and services, conducting quality assurance, delivering customer support and services, and performing marketing and sales functions -- and we sampled across the lines of business to help preserve ecological validity while controlling for variations in organizational contexts and to avoid cross-organizational validity issues. Using a com- pany employee list frame, we randomly sampled 624 employees from a population of approximately 102,000, and we received a 62% response rate, or 387 respondents giving us a 95% sampling confidence level &plusmn;5% at a standard error of estimate of 0.05. We then collected absenteeism data for these partic- ipants in number of hours over a 20 month period.
3.2. Instrumentation
In order to properly assess during our manipulation checks the codification of the data, we asked the respondents what information the company collected for the purpose of monitoring and that they considered "personal". Responses included, Meyers-Briggs type indictors (given to all employees), "4S" Selling Styles inventory (given to the sales department), yearly credit checks, pre-employment background checks including reference checks, drug tests, educational records and criminal histories, social security numbers, fingerprint scans (for some employees who access computer server rooms), military service records, performance evaluations, demographics and addresses, health information (including disabilities), various information collected about their activities during the monitoring such as what Websites they visited and emails they sent, and information including biometrics used for identification and authentication.
3.3. Procedures
Corporate executive sponsors facilitated our entree once researchers had signed a nondisclosure and confidentiality agreement and had obtained approvals from the institutional IRB. The researchers were provided with company directory of the population under study, including location and email addresses. The corporate sponsors sent each participant a message, with an acknowledgement flag set, in which they were informed that researchers were studying a problem involving how best to ad- dress employee concerns and simultaneously respond to company security concerns.
4. Results
We took an initial step to compare respondents on their perceptions about the collection of infor- mation for employment purposes compared to perceptions of information collections from monitor- ing. It was interesting to note that the mean scores were significantly different. The information collection for employment mean was 4.6 (on a scale of 7) indicating a rather benign view of the practice, but monitoring had a mean score of 3.2 indicating a rather unfavorable view of the practice. Therefore, the separation of these data for the dependent variable and the moderation test became crucial in our interpretation of the results. The descriptive data for our study are shown in Table 1.
In this process, companies may use tactics to make vigilant an organization's workforce making even remote threats seem severe and imminent but mitigated under the auspices of due care of the organization to assuage negative attitudes. Security awareness and training programs, security standards and compliance audits, some types of mandatory access controls, and issuing warnings such as popup dialogs in user interfaces are just some of the ways that organizations elicit fear appeals. Fear appeals must constantly reenergize employees because over time their effects begin to deplete. Unless people are continuously mobilized against a threat, they eventually become complacent. This is important in terms of ensuring security policy compliance and security-conscious behaviors because it has been found for example that people may ignore or disable security measures when they are perceived as intrusive or ineffective, unless they are constantly placed in a psychological state of hyper-vigilance about severe impending threats. However, this is also significant because employee attitudes about monitoring of their behavior in order for organizations to provide security initiatives depend on their perceptions of the severity and likelihood of a threat occurrence.