Corpus ID: 15622977

Why Deterrence is not enough: The Role of Endogenous Motivations on Employees' Information Security Behavior

Authors: Johann Kranz and Felix Haeussinger

Information systems security (ISS) is an increasingly critical issue for companies worldwide. In 2013, cybercrime caused losses worth US $113 billion, affecting 378m victims (Norton Symantec Cybercrime Report 2013). Besides criminal attacks and system malfunctions, human error is the major reason for information security incidents. Hence, refining our understanding of how employees’ behavior regarding information security can be explained and influenced is a top priority in academia and business…


Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance

A systematic review of the literature on ISPC and ISB identified the behavioral transformation process from noncompliance to compliance, providing a behavior transformation process model based on the existing ISPC literature.

Antecedents of Employees' Information Security Awareness - Review, synthesis, and Directions for Future Research

An extensive review of the literature on ISA’s antecedents is provided with the aim to synthesize the literature and to reveal areas for further research.

Expert assessment of organizational cybersecurity programs and development of vignettes to measure cybersecurity countermeasures awareness

This study used subject-matter experts (SMEs) to validate the key topics needed for two SETA program types and the measurement criteria for employees’ cybersecurity countermeasures awareness (CCA), and to develop a vignette-based measure of CCA.

Information Security Behaviour: A Critical Review and Research Directions

This study reviews research on InfoSec behaviours and highlights three main lacunae: a widespread assumption that InfoSec behaviours are non-habitual activities, a lack of attention to intuitive cognition, and a lack of focus on InfoSec behaviour as a secondary activity.

Organizational Governance, Social Bonds and Information Security Policy Compliance: A Perspective towards Oil and Gas Employees

Information security attacks on oil and gas (O&G) organizations have increased since the last decade. From 2015 to 2019, almost 70 percent of O&G organizations faced at least one significant security

Peers matter: The moderating role of social influence on information security policy compliance

Information security in an organization largely depends on employee compliance with information security policy (ISP). Previous studies have mainly explored the effects of command-and-control and

Information Security Policy Compliance Behavior Based on Comprehensive Dimensions of Information Security Culture: A Conceptual Framework

An enhanced conceptual framework of ISP compliance behavior is discussed by addressing ISC as a multidimensional concept that consists of seven comprehensive dimensions aligned with the widely accepted concept of organizational culture and ISC.

Seeing the Forest and the Trees: A Meta-Analysis of the Antecedents to Information Security Policy Compliance

A meta-analysis of the relevant literature classified 401 independent variables into 17 distinct categories and analyzed each category’s relationship with security policy compliance, including an analysis for possible domain-specific moderators.

The Significance of Main Constructs of Theory of Planned Behavior in Recent Information Security Policy Compliance Behavior Study: A Comparison among Top Three Behavioral Theories

For a decade, from 2000 until 2010, the Theory of Planned Behavior [TPB] and its main constructs of Attitude, Normative belief and Self-efficacy have been considered as a significant theory and

A dimension-based information security culture model and its relationship with employees’ security behavior: A case study in Malaysian higher educational institutions

An ISC model based on seven newly formulated dimensions is proposed to examine its influence on employees’ Information Security Policy (ISP) compliance behavior, and all seven dimensions are revealed to be significant in contributing to the underlying concept of ISC.



Protection motivation and deterrence: a framework for security policy compliance in organisations

An Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour is developed and it is found that employees in the sample underestimate the probability of security breaches.

Which Factors Explain Employees' Adherence to Information Security Policies? An Empirical Study

The findings show that direct paths from threat appraisal, self-efficacy, normative beliefs, and visibility to the intention to comply with IS security policies were significant, and sanctions have a significant effect on actual compliance with IS security policies.

Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness

The results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply, and light is shed on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.

A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings

The review and analysis presented in this paper facilitates a deeper understanding of deterrence theory in the IS security domain, which can assist in cumulative theory-building efforts and advance security management strategies rooted in deterrence principles.

Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model

This study proposes and empirically tests a nonmalicious security violation (NMSV) model with data from a survey of end users at work, and suggests that utilitarian outcomes, normative outcomes, and self-identity outcomes are key determinants of end user intentions to engage in NMSVs.

The amplification effects of procedural justice on a threat control model of information systems security behaviours

This study found that individual factors outlined in the threat control model amplified with high perceptions of organisational procedural justice on taking specified security countermeasures.

Information Security Awareness: Its Antecedents and Mediating Effects on Security Compliant Behavior

The study shows that ISA mediates the relationship between ISA’s antecedents and behavioral intention, and will be useful for stakeholders interested in encouraging employees’ information security policy compliant behavior.

Out of Fear or Desire: Why do Employees Follow Information Systems Security Policies?

This study aims to identify specific factors drawn from each of the two competing approaches that determine the level of employees’ adherence to their organization’s ISSP, and to develop and empirically test a conceptual model based on the two groups of determinants to be identified.

If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security

A model to explain individual information security precaution-taking behavior is built and it is found that the acts of specifying policies and evaluating behaviors are effective in convincing individuals that security policies are mandatory.