• Corpus ID: 19446226

Do it OR ELSE! Exploring the Effectiveness of Deterrence on Employee Compliance with Information Security Policies

Salvatore Aurigemma, Thomas Mattson
Organizations have long relied upon the threat of sanctions to influence employees to follow information security policies. Unfortunately, the belief in the power of deterrence has provided mixed results in both research and in real life. This study explored the impact of sanction effects in an organization with a robust information security program. Findings indicate an employee’s perceived sanction severity has a significant impact on their intent to follow ISP guidelines while their… 

Response and Cultural Biases in Information Security Policy Compliance Research

Correlation analysis reveals that the Power Distance index correlates negatively, while Individualism correlates positively with the mean self-reported policy compliance, which supports previous findings on the role of Power Distance and contradicts the influence of response and social desirability biases on self-reported information security policy compliance.

Understanding Internal Information Systems Security Policy Violations as Paradoxes

The paradox perspective, borrowed from the discipline of management, is introduced as an insightful lens in this article to better understand the theoretical predisposition of IS security policy violation.

On the Impact of Perceived Vulnerability in the Adoption of Information Systems Security Innovations

The SLR findings revealed the appropriateness of the existing empirical investigations of the relationship between perceived vulnerability of IS security threats on IS security innovation adoption and confirmed that individuals who perceive themselves vulnerable to an IS security threat are more likely to engage in the adoption of an IS security innovation.

On the possible impact of security technology design on policy adherent user behavior - Results from a controlled empirical experiment

Subjects not only indicated maximum frustration, but also a strong and significant correlation with work impediment caused by the security technology could indicate that user-centred design does not only contribute to the acceptance of a security technology, but may also be able to positively influence practical information security as a whole.

Information Systems Security Policy Violation: Systematic Literature Review on Behavior Threats by Internal Agents

This work presents an insightful approach to how SLR may be applicable in the domain of Information Systems security through a pre-selection and coding of literature using Atlas.ti.

Influence of Human Factors on the Adaptation of a Security Culture: Evidence from a leading IT company operating in Sri Lanka

The results have shown that human factors have a significant role in adapting a security culture for an organization and that the relationship between the depicted human factors and adaptation of a security culture is moderately strong and positive in context.

Are users competent to comply with information security policies? An analysis of professional competence models

This paper is the first study that addresses ISP compliance behavior from a professional competence perspective and provides implications for the design of information security awareness programs and information security management systems in organizations.

A primer on insider threats in cybersecurity

A broad primer on human factors in cybersecurity, specifically focusing on the threat posed by organizational insiders, emphasizes the pivotal role that users play in determining overall system security and aims to introduce non-experts to this field, stimulating new interest in this intersection of humans and computers.

The Significance of Main Constructs of Theory of Planned Behavior in Recent Information Security Policy Compliance Behavior Study: A Comparison among Top Three Behavioral Theories

For a decade since year of 2000 until 2010, Theory of Planned Behavior [TPB] and its main construct of Attitude, Normative belief and Self-efficacy have been considered as a significant theory and

Measuring employees' compliance - the importance of value pluralism

This paper aims to investigate two different types of compliance measures: the first measure is a value-monistic compliance measure, whereas the second is a value-pluralistic measure, whose purpose is to establish a baseline for this type of compliance measure.



The effects of multilevel sanctions on information security violations: A mediating model

Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations

This article shows that neutralization theory, a theory prominent in Criminology but not yet applied in the context of IS, provides a compelling explanation for IS security policy violations and offers new insight into how employees rationalize this behavior.

Protection motivation and deterrence: a framework for security policy compliance in organisations

An Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour is developed and it is found that employees in the sample underestimate the probability of security breaches.

A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings

The review and analysis presented in this paper facilitates a deeper understanding of deterrence theory in the IS security domain, which can assist in cumulative theory-building efforts and advance security management strategies rooted in deterrence principles.

Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness

The results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply, and the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance is shed.

Impact of perceived technical protection on security behaviors

Perceived technical protection affects behavioral intentions both indirectly, through PBC, and directly, and suggests possible risk compensation effects in the information security context.

Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model

This study proposes and empirically tests a nonmalicious security violation (NMSV) model with data from a survey of end users at work, and suggests that utilitarian outcomes, normative outcomes, and self-identity outcomes are key determinants of end user intentions to engage in NMSVs.