
Does deterrence work in reducing information security policy abuse by employees?

Published: 01 June 2011

Abstract

Methods for evaluating and effectively managing the security behavior of employees.


Published In

Communications of the ACM, Volume 54, Issue 6
June 2011
134 pages
ISSN: 0001-0782
EISSN: 1557-7317
DOI: 10.1145/1953122

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Research-article
  • Popular
  • Refereed
