Kuang-Ming Kuo,Paul C Talley,Chi-Hsien Huang

DOI: https://doi.org/10.1016/j.cose.2020.101928

2020-09-01

Abstract:Deterrence theory has been widely adopted in the study of information security management; however, evidence frequently presents sometimes contradictory results. Prior meta-analytic studies have focused primarily on the use of formal deterrence constructs to predict security-compliant behavior, while informal deterrence constructs and security-risk behavior are often neglected as a result. This study aims to meta-analyze the relationships formed between both formal/informal deterrence constructs and security-compliant/risk behaviors in a comprehensive manner beyond what has taken place in prior IS security meta-analysis based on deterrence theory. By searching multiple electronic databases, we have located 40 studies, along with 108 effect sizes, pertinent to our study's purpose. Inverse variance method weighted with sample sizes was used to determine mean effect sizes. The random-effects model was used to report meta-analysis results since Q, I2, and H index showed some degree of heterogeneity existent in the collected data. Publication bias was assessed by means of fail-safe N. All proposed relationships occurring between formal/informal deterrence constructs and security-compliant/-risk behaviors were supported. Formal deterrence constructs exerted weak to moderate effects on security behavior, while informal deterrence constructs exerted moderate to strong effects on security behavior. Further, informal deterrence constructs showed greater mean effect sizes than formal deterrence constructs. Additionally, prediction intervals of deterrence constructs, along with detection certainty, included zero, which indicated that moderators may be present. Based on these findings, the mean effect sizes of deterrence constructs may be more clearly identified when dividing security behavior into both compliant- and risk- behaviors. Further moderators might be employed to improve the inconsistent findings evidenced in deterrence theory.

computer science, information systems

Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Qing Hu,Zhengchuan Xu,Tamara Dinev,Hong Ling

DOI: https://doi.org/10.1145/1953122.1953142

IF: 22.7

2011-01-01

Communications of the ACM

Abstract:Methods for evaluating and effectively managing the security behavior of employees.

John D’Arcy,Anat Hovav

DOI: https://doi.org/10.1007/s10551-008-9909-7

IF: 6.331

2008-08-27

Journal of Business Ethics

Abstract:Research from the fields of criminology and social psychology suggests that the deterrent effect of security countermeasures is not uniform across individuals. In this study, we examine whether certain individual characteristics (i.e., computer self-efficacy) or work arrangement (i.e., virtual status) moderate the influence of␣security policies, security education, training, and awareness (SETA) program, and computer monitoring on information systems misuse. The results suggest that computer savvy individuals are less deterred by SETA programs and computer monitoring, while these countermeasures are also less influential (from a deterrence perspective) on employees that spend more working days outside the office. Implications for both the research and practice of information security are discussed.

business,ethics

Nader Sohrabi Safa,Carsten Maple,Steve Furnell,Muhammad Ajmal Azad,Charith Perera,Mohammad Dabbagh,Mehdi Sookhak

DOI: https://doi.org/10.1016/j.future.2019.03.024

IF: 7.307

2019-08-01

Future Generation Computer Systems

Abstract:Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a significant portion of the threats to information assets in organisations. This research presents a novel conceptual framework to mitigate the risk of insiders using deterrence and prevention approaches. Deterrence factors discourage employees from engaging in information security misbehaviour in organisations, and situational crime prevention factors encourage them to prevent information security misconduct. Our findings show that perceived sanctions certainty and severity significantly influence individuals’ attitudes and deter them from information security misconduct. In addition, the output revealed that increasing the effort, risk and reducing the reward (benefits of crime) influence the employees’ attitudes towards prevent information security misbehaviour. However, removing excuses and reducing provocations do not significantly influence individuals’ attitudes towards prevent information security misconduct. Finally, the output of the data analysis also showed that subjective norms, perceived behavioural control and attitude influence individuals’ intentions, and, ultimately, their behaviour towards avoiding information security misbehaviour.

Mikko Siponen,Wael Soliman,Anthony Vance

DOI: https://doi.org/10.1145/3514097.3514101

2022-01-24

Abstract:In the 1980s, information systems (IS) borrowed deterrence theory (DT) from the field of criminology to explain information security behaviors (or intention). Today, DT is among the most commonly used theories in IS security research. Our review of IS research applying DT highlights that many fundamental assumptions of DT are unrecognized and therefore unexamined. This may have resulted in misunderstandings and conceptual confusions regarding some of the basic concepts of DT. For example, some IS studies confuse general deterrence with specific deterrence or do not recognize the difference between the two. Moreover, these fundamental assumptions, when directly examined, may provide important information about the applicability of DT in certain IS security contexts. This research commentary aims to identify and discuss some of the fundamental assumptions of DT and their implications for IS research. By examining these assumptions, IS researchers can study the previously unexplored aspects of DT in different IS contexts. Further, by recognizing these assumptions, IS scholars can revise them and build new variants of DT to better account for specific characteristics of IS behaviors and contexts.

Fan Zhou,Hongxu Lu,Chunping Jiang

DOI: https://doi.org/10.1016/j.ssci.2023.106353

IF: 6.392

2024-01-01

Safety Science

Abstract:Non-compliant behaviors have been indicated to be leading indicators of accidents in workplaces. Though most studies treat intentional non-compliant behavior or violations as monolithic indicators for adverse safety performance, non-compliant behaviors might take different forms with distinct motives and outcomes. To examine and compare the effects of different forms of non-compliant safety behavior, we proposed a construct of risk-adjusted non-compliant behavior, which refers to employees' deliberate deviation from safety rules while considering safety concerns and adjusting their behavior accordingly, and investigated the differential antecedent effects by contextual factors and consequential effects on safety outcomes. By a sample of 390 workers and their supervisors in a power grid construction firm, the results of our study indicated that safety climate and transformational leadership were positively associated with safety compliance and negatively associated with violation by multi-level analyses. However, active transactional leadership also had a positive association with risk-adjusted non-compliant behavior, and this association was moderated by safety climate such that the relationship was stronger in higher level of safety climate. Furthermore, although risk-adjusted non-compliant behavior did not significantly affect penalties for deviance compared to violation behavior, it increased the workers' risk perception of hazard. The implications of these findings for theory were discussed.

TONI MAKKAI,JOHN BRAITHWAITE

DOI: https://doi.org/10.1177/0022427894031004001

1994-11-01

Journal of Research in Crime and Delinquency

Abstract:Panel data fail to support a subjective expected utility model of corporate deterrence. There is partial confirmation, however, that chief executives of small organizations who perceive the certainty of detection as high have better regulatory compliance in their organizations. Perceived sanction threats do not work significantly more effectively for chief executives (a) of for-profit versus nonprofit organizations; (b) who are owners as well as managers; (c) who say they think about sanctions more (sanction salience); and (d) who have a weaker belief in the law. Nor does the effectiveness of corporate deterrents depend on compliance costs. There is, however, a significant deterrent effect for managers who are low on emotionality, but an opposite counter-deterrent effect for actors high on emotionality. This supports the critique of those who condemn rational actor models from a sociology of the emotions perspective. Emotions of guilt among managers predict the subsequent compliance of their organizations. The results are consistent with perceptual deterrent studies of individuals that find little effect of formal sanctions and social disapproval as deterrents, but stronger support for an effect of self-disapproval (guilt or shame) on law observance. Qualitative data are used to show why it would be folly to interpret these results as showing that business regulation can work without sanction threats and social disapproval. Rather, the data evince the need for a complete reconceptionalization of the way policy analysts think about the deterrence of law breaking.

criminology & penology

Adam M. Bossler

DOI: https://doi.org/10.1177/10439862211001630

2021-03-24

Journal of Contemporary Criminal Justice

Abstract:The threat of formal sanctions is the criminal justice system’s primary tool to discourage online and offline deviant behavior. Yet, scholars have expressed strong concerns about the effectiveness of formal sanctions to deter cybercrime. Even more surprising is the sparsity of deterrence research in the cybercrime literature. This study examined the effects of perceived formal and informal sanctions on digital piracy, computer hacking, and online harassment in a large American college sample. Perceived formal sanctions was negatively correlated with software piracy, media piracy, password cracking, accessing accounts, sending mean messages privately online, and posting mean messages. Higher levels of perceived formal sanctions did not significantly predict any form of cybercrime, however, when controlling for informal sanctions and deviant peer associations. The implications of the findings for our ability to deter deviant behavior in cyberspace are explored.

criminology & penology

Paul Benjamin Lowry,Clay Posey,Rebecca J. Bennett,Tom L. Roberts,Rebecca Becky J. Bennett

DOI: https://doi.org/10.1111/isj.12063

IF: 7.767

2015-02-24

Information Systems Journal

Abstract:Research shows that organisational efforts to protect their information assets from employee security threats do not always reach their full potential and may actually encourage the behaviours they attempt to thwart, such as reactive computer abuse (CA). To better understand this dilemma, we use fairness theory (FT) and reactance theory (RT) to explain why employees may blame organisations for and retaliate against enhanced information security policies (ISPs). We tested our model with 553 working professionals and found support for most of it. Our results show that organisational trust can decrease reactive CA. FT suggests that explanation adequacy (EA) is an important factor that builds trust after an event. Our results also suggest that trust both fully mediates the relationship between EA and CA and partially mediates the relationship between perceived freedom restrictions related to enhanced ISPs and reactive CA. EA also had a strong negative relationship with freedom restrictions. Moreover, organisational security education, training and awareness (SETA) initiatives decreased the perceptions of external control and freedom restrictions and increased EA, and advance notification of changes increased EA. We also included 14 control variables and rival explanations to determine with more confidence what drove reactive CA in our context. Notably, the deterrence theory (DT)‐based constructs of sanction severity, certainty and celerity had no significant influence on reactive CA. We provide support for the importance of respectful communication efforts and SETA programmes, coupled with maximising employee rights and promoting trust and fairness to decrease reactive CA. These efforts can protect organisations from falling victim to their own organisational security efforts.

information science & library science

Kuang-Ming Kuo,Paul C. Talley,Dyi-Yih Michael Lin

DOI: https://doi.org/10.1177/00469580211029599

2021-01-01

Abstract:Information security has come to the forefront as an organizational priority since information systems are considered as some of the most important assets for achieving competitive advantages. Despite huge capital expenditures devoted to information security, the occurrence of security breaches is still very much on the rise. More studies are thus required to inform organizations with a better insight on how to adequately promote information security. To address this issue, this study investigates important factors influencing hospital staff’s adherence to Information Security Policy (ISP). Deterrence theory is adopted as the theoretical underpinning, in which punishment severity and punishment certainty are recognized as the most significant predictors of ISP adherence. Further, this study attempts to identify the antecedents of punishment severity and punishment certainty by drawing from upper echelon theory and well-acknowledged international standards of IS security practices. A survey approach was used to collect 299 valid responses from a large Taiwanese healthcare system, and hypotheses were tested by applying partial least squares-based structural equation modeling. Our empirical results show that Security Education, Training, and Awareness (SETA) programs, combined with internal auditing effectiveness are significant predictors of punishment severity and punishment certainty, while top management support is not. Further, punishment severity and punishment certainty are significant predictors of hospital staff’s ISP adherence intention. Our study highlights the importance of SETA programs and internal auditing for reinforcing hospital staff’s perceptions on punishment concerning ISP violation, hospitals can thus propose better internal strategies to improve their staff’s ISP compliance intention accordingly.

Rima Khatib,Henri Barki

DOI: https://doi.org/10.1108/ics-01-2021-0008

2021-08-09

Information and Computer Security

Abstract:Purpose To help reduce the increasing number of information security breaches that are caused by insiders, past research has examined employee non-compliance with information security policy. However, existent studies have observed mixed results, which suggest that an interaction is likely to exist among the variables that explain employee non-compliance. In an effort to provide evidence for this possibility, this paper aims to better explain why employees routinely engage in non-compliant behaviors by examining the direct and interactive effects of employees’ perceived costs and rewards of compliance and non-compliance on their routinized non-compliant behaviors. Design/methodology/approach Based on rational choice theory, this study used 16 hypothetical scenarios in an experimental survey, collecting data from 326 respondents and analyzing them via structural equation modeling and a four-way factorial experiment. Findings The results suggest that routinized non-compliance of employees is more strongly influenced by the rewards than the costs they perceive in their non-compliance. Further, employees’ routinized non-compliance behavior was found to be positively influenced by an interactive effect of perceived rewards of compliance when their perceptions of their non-compliance costs and rewards were both high and low. Originality/value This paper’s key contribution is to suggest that non-compliance behavior is influenced by direct and interactive effects of perceived rewards of compliance and non-compliance.

Teodor Sommestad,Henrik Karlzén,Jonas Hallberg

DOI: https://doi.org/10.1080/08874417.2017.1368421

2017-09-18

Journal of Computer Information Systems

Abstract:Much of the research on security policy compliance has tested the relationships posited by the theory of planned behavior. This theory explains far from all of the measurable variance in policy compliance intentions. However, it is associated with something called the sufficiency assumption, which essentially states that no variable is missing from the theory. This paper addresses this assumption in the context of information security policy compliance. A meta-analysis of published tests on information security behavior and a review of the literature in related fields are used to identify variables that have the potential to improve the theory’s predictions. These results are tested using a random sample of 645 white-collar workers. The results suggest that the variables anticipated regret and habit improve the predictions. The variables increase the explained variance by 3.4 and 2.6 percentage points, respectively, when they are added individually, and by 5.4 percentage points when both are added.

computer science, information systems

Xue Yang,Wei T. Yue,Choon Lin Sia

DOI: https://doi.org/10.1007/978-3-642-29873-8_17

2012-01-01

Abstract:IS security policy is one of the essential tools to ensure the secure use of information systems and technological assets. To enhance the effectiveness of policy implementation, organizations rely on security training, education and awareness (STEA) programs to help employees understand the IS security issues of the organization. However, different levels of STEA informativeness may have conflicting effects on employees' compliance decisions. In addition, the urgency of a task may also lead employees to abandon the compliance decision occasionally. The existing corporate information security policy (ISP) could also serve as a deterrence message that would influence compliance decisions. An experimental survey was conducted to examine this phenomenon and test the related hypotheses. The results of this study can be used to inform and guide researchers and practitioners as to how to better enforce an IS security policy through better implementation of STEA programs and improved design of ISP in different task scenarios.

Xiaofeng Chen,Liqiang Chen,Dazhong Wu

DOI: https://doi.org/10.1080/08874417.2016.1258679

2016-12-27

Journal of Computer Information Systems

Abstract:Information security policy (ISP) plays an important role in information security management in organizations. Past research investigated various factors that may impact employee behavior toward security policy compliance from the perspective of general deterrence theory (GDT), protection and motivation Theory (PMT), and rational choice theory (RCT). However, there is no unifying foundation/framework that examines all of those factors in a harmonic way so that the research findings can guide information security practices and research into the employee ISP compliance management context. Additionally, prior findings provided mixed results. This study proposes a research model based on the awareness-motivation-capability (AMC) framework, aiming to unify the factors to predict employee ISP compliance intention. We believe that a harmonic approach in managing employee ISP compliance can create optimal outcomes.

computer science, information systems

Philip Menard,Gregory J. Bott,Robert E. Crossler

DOI: https://doi.org/10.1080/07421222.2017.1394083

IF: 7.582

2017-10-02

Journal of Management Information Systems

Abstract:Managers desiring to protect information systems must understand how to most effectively motivate users to engage in secure behaviors. Information security researchers have frequently studied individuals’ performance of secure behaviors in response to threats. Protection motivation theory (PMT) has been used to explain individuals’ propensity to engage in voluntary secure behaviors, but the adaptation of this theory has yielded inconsistent results. Motivation as a measurable construct, as derived from self-determination theory (SDT), has never been included in or compared against PMT. In this study, we construct security messages that appeal to individuals’ intrinsic motivation, rather than fear, as a way to elicit secure responses. Using three sets of respondents, we integrated the SDT and PMT models and compared the native models in the context of security behaviors. We demonstrate that by using data- and individual-focused appeals and providing choices for users, managers may observe greater intention to engage in secure behavior among employees.

information science & library science,management,computer science, information systems

Daeun Lee,Harjinder Singh Lallie,Nadine Michaelides

2023-07-06

Abstract:Despite the rapid rise in social engineering attacks, not all employees are as compliant with information security policies (ISPs) to the extent that organisations expect them to be. ISP non-compliance is caused by a variety of psychological motivation. This study investigates the effect of psychological contract breach (PCB) of employees on ISP compliance intention (ICI) by dividing them into intrinsic and extrinsic motivation using the theory of planned behaviour (TPB) and the general deterrence theory (GDT). Data analysis from UK employees (\textit{n=206}) showed that the higher the PCB, the lower the ICI. The study also found that PCBs significantly reduced intrinsic motivation (attitude and perceived fairness) for ICI, whereas PCBs did not moderate the relationship between extrinsic motivation (sanction severity and sanctions certainty) and ICI. As a result, this study successfully addresses the risks of PCBs in the field of IS security and proposes effective solutions for employees with high PCBs.

Computers and Society

Princely Ifinedo

DOI: https://doi.org/10.1080/08874417.2022.2065553

2022-04-20

Journal of Computer Information Systems

Abstract:Organizations whose employees participate in risky cybersecurity behaviors (RCySecB) could suffer disastrous consequences either directly or indirectly from actions linked to such behaviors. This study used conceptualizations facilitated by Attribution Theory to examine the effects of dispositional factors (self-control and knowledge of IS security threats/risks and their potential consequences) and situational factors (security, education, training, and awareness (SETA) programs and computer monitoring) in reducing employee participation in RCySecB. Data was collected from a survey of working professionals in India, and relevant hypotheses were formulated. The PLS technique was used for data analysis. This study investigated the direct effects of the factors on the dependent construct and analyzed the interacting effects of the constructs as well. The results indicate that all factors reduce employee participation in RCySecB. However, the joint effects of the situational factor elements and the dispositional factor of personal knowledge security threats/risks and their potential consequences were insignificant in the model.

computer science, information systems

Paul Benjamin Lowry,Gregory D. Moody,Srikanth Parameswaran,Nicholas James Brown

DOI: https://doi.org/10.1080/07421222.2023.2267318

IF: 7.582

2023-12-12

Journal of Management Information Systems

Abstract:Most of the information security management research involving fear appeals is guided by either protection motivation theory or the extended parallel processing model . Over time, extant research has extended these theories, as well as their derivative theories, in a variety of ways, leading to several theoretical and empirical inconsistencies. The large body of fragmented, and sometimes conflicting, research has muddied the broader understanding of what drives protection- and defensive motivation. We provide guidance to the security discourse by offering the first study in the literature to employ two-stage meta-analytic structural equation modeling (TSSEM), which combines covariance-based structural equation modeling and meta-analysis. Information systems (IS) researchers have traditionally used meta-analysis for structural equation modeling for such purposes—an approach that has several serious statistical flaws. Using 341 systematically selected empirical security articles (representing 383 unique studies) and TSSEM, we pool a large series of five datasets to test six models, from which we examine the effects of constructs and paths in the security fear-appeals literature. We compare and test six versions of models inspired by issues in the broader fear-appeals literature. We confirm the importance of both the threat- and coping-appraisal processes; establish the central role of fear and that it has greater importance than threat; show that efficacy is a stronger predictor of protection motivation than is threat; demonstrate that response costs as currently measured are ineffective but that maladaptive rewards have a strong negative effect on protection motivation and a positive effect on defensive motivation; and provide evidence that dual models of danger control and fear control should be used.

information science & library science,management,computer science, information systems

Mansour Naser Alraja,Usman Javed Butt,Maysam Abbod

DOI: https://doi.org/10.1016/j.cose.2023.103208

IF: 5.105

2023-06-01

Computers & Security

Abstract:Information security threats have a severe negative impact on enterprises. Organizations rely on employee compliance with information security policies to eliminate or reduce these hazards. The Unified Model of Information Security Policies Compliance (UMISPC) is employed to identify the factors that may affect employees' intention towards compliance with information systems security policy and reactance in a global setting. The study was assessed in two phases. The model's validity and measurement reliability were evaluated in the first phase, while in the second phase, all preliminary model relationships were appraised. This was achieved utilizing structural equation modelling to establish whether the proposed constructs, i.e. neutralization, response efficacy, fear, threat, habit and role values were good predictors for intention or reactance towards compliance with information systems security policy. Participants included 348 employees from 7 nations, i.e. the USA, the UK, Oman, India, Pakistan, Malaysia, and the Philippines. SmartPLS v. 3.3.9 was used for data analysis. The models' measurement reliability and validity were affirmed. Fear and role values have a significant influence on intention toward ISPC. RE significantly predicted threat which in turn significantly predicted fear, and the latter demonstrated a significant effect on reactance as well as Neutralization predicted reactance. In contrast, habit failed to reach a significant influence on intention towards ISPC. The implications are presented, together with proposals for further studies. Our findings are helpful for ISS literature and application by supporting the crucial functions of role values in encouraging employees to behave in a compliant manner. Additionally, it is regarded as the first empirical attempt to estimate intended compliance concerning ISPs in higher education from a worldwide viewpoint.

computer science, information systems