
Publication


Featured research published by John D'Arcy.


Information Systems Research | 2009

User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach

John D'Arcy; Anat Hovav; Dennis F. Galletta

Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50% and 75% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This paper presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions varies based on one's level of morality. Implications for the research and practice of IS security are discussed.


European Journal of Information Systems | 2011

A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings

John D'Arcy; Tejaswini Herath

Deterrence theory is one of the most widely applied theories in information systems (IS) security research, particularly within behavioral IS security studies. Based on the rational choice view of human behavior, the theory predicts that illicit behavior can be controlled by the threat of sanctions that are certain, severe, and swift. IS scholars have used deterrence theory to predict user behaviors that are either supportive or disruptive of IS security, and other IS security-related outcome variables. A review of this literature suggests an uneven and often contradictory picture regarding the influence of sanctions and deterrence theory in general in the IS security context. In this paper, we set out to make sense of the discrepant findings in the IS deterrence literature by drawing upon the more mature body of deterrence literature that spans multiple disciplines. In doing so, we speculate that a set of contingency variables and methodological and theoretical issues can shed light on the inconsistent findings and inform future research in this area. The review and analysis presented in this paper facilitates a deeper understanding of deterrence theory in the IS security domain, which can assist in cumulative theory-building efforts and advance security management strategies rooted in deterrence principles.


Information & Management | 2012

Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the U.S. and South Korea

Anat Hovav; John D'Arcy

Intentional employee misuse of IS is a global problem. Research suggests that security countermeasures can deter misuse by increasing the perceived certainty and severity of punishment for such behavior. However, the value of generalizing this work beyond Western cultures is open to question. In our study, we examined whether national culture influenced the deterrent capabilities of security policies, security education, training, and awareness programs and computer monitoring. Using U.S. and Korean samples, we found evidence that the deterrent effect of certain security countermeasures varied between the two countries, as did the influence of age and gender. The results have implications for information security management practices in global businesses.


Decision Sciences | 2012

Employee Misuse of Information Technology Resources: Testing a Contemporary Deterrence Model

John D'Arcy; Sarv Devaraj

Recent research in information systems and operations management has considered the positive impacts of information technology (IT). However, an undesirable side effect of firms’ increasing reliance on IT to support the distribution and delivery of goods and services to customers is a greater exposure to a diverse set of IT security risks. One such risk is intentional employee misuse of technology resources. In this article, we draw upon modern deterrence frameworks to develop a predictive model of technology misuse intention that incorporates formal and informal sanctions as well as employment context factors. The model specifies previously untested relationships between formal and informal sanctions, thereby providing fresh insight into the role of sanctions in deterring technology misuse in organizations. Our results suggest that a predisposition toward the need for social approval and moral beliefs regarding the behavior are key determinants of technology misuse. Contrary to criminological research that has questioned the relative importance of formal sanctions in the deterrence process, we also found that the threat of formal sanctions has both direct and indirect influences on technology misuse intention. Further, from an employment context standpoint, employees who spend more working days away from the office (i.e., “virtual” mode) appear more inclined to misuse their organizations’ technology resources. The findings have implications for the research and practice of technology management.


Symposium on Usable Privacy and Security | 2013

Modifying smartphone user locking behavior

Dirk Van Bruggen; Shu Liu; Mitch Kajzer; Aaron Striegel; Charles R. Crowell; John D'Arcy

With an increasing number of organizations allowing personal smart phones onto their networks, considerable security risk is introduced. The security risk is exacerbated by the tremendous heterogeneity of the personal mobile devices and their respective installed pool of applications. Furthermore, by virtue of the devices not being owned by the organization, the ability to authoritatively enforce organizational security policies is challenging. As a result, a critical part of organizational security is the ability to drive user security behavior through either on-device mechanisms or security awareness programs. In this paper, we establish a baseline for user security behavior from a population of over one hundred fifty smart phone users. We then systematically evaluate the ability to drive behavioral change via messaging centered on morality, deterrence, and incentives. Our findings suggest that appeals to morality are most effective over time, whereas deterrence produces the most immediate reaction. Additionally, our findings show that while a significant portion of users are securing their devices without prior intervention, it is difficult to influence change in those who do not.


Information Management & Computer Security | 2014

Security culture and the employment relationship as drivers of employees’ security compliance

John D'Arcy; Gwen Greene

Purpose – The purpose of this paper is to examine the influence of security-related and employment relationship factors on employees’ security compliance decisions. A major challenge for organizations is encouraging employee compliance with security policies, procedures and guidelines. Specifically, we predict that security culture, job satisfaction and perceived organizational support have a positive effect on employees’ security compliance intentions.

Design/methodology/approach – This study used a survey approach for data collection. Data were collected using two online surveys that were administered at separate points in time.

Findings – Our results provide empirical support for security culture as a driver of employees’ security compliance in the workplace. Another finding is that an employee’s feeling of job satisfaction influences his/her security compliance intention, although this relationship appears to be contingent on the employee’s position, tenure and industry. Surprisingly, we also found a negative relationship between perceived organizational support and security compliance intention.

Originality/value – Our results provide one of the few empirical validations of security culture, and we recognize its multidimensional nature as conceptualized through top management commitment to security (TMCS), security communication and computer monitoring. We also extend security compliance research by considering the influence of employment relationship factors drawn from the organizational behavior literature.


Computers & Security | 2014

An exploratory investigation of message-person congruence in information security awareness campaigns

Mitchell Kajzer; John D'Arcy; Charles R. Crowell; Aaron Striegel; Dirk Van Bruggen

In this study, we sought to answer the question of whether certain information security awareness message themes are more or less effective for different types of individuals based on their personality traits. We considered five message themes (deterrence, morality, regret, feedback, and incentive) as they relate to seven personality traits (the Big Five, Machiavellianism, and social desirability). Our survey analysis of 293 users provides evidence that security awareness message effectiveness does vary based on personality, but not always as one would expect. Depending on certain personality traits, some security messages appear beneficial to security efforts, whereas other personality traits make the individual less receptive to certain message types and therefore security messages may backfire in terms of achieving their intended effect. Our exploratory results can assist practitioners in identifying a best fit between security awareness themes and individual users based on their personality profile.


Decision Sciences | 2012

Does Security Impact E‐procurement Performance? Testing a Model of Direct and Moderated Effects

Ganesh Vaidyanathan; Sarv Devaraj; John D'Arcy

Despite the widespread adoption of e-procurement and the critical role of information security in these situations, academic research examining the relationship between information security and e-procurement performance has been surprisingly minimal. This study represents an interdisciplinary approach to present and test a theoretical model that links security in e-procurement processes to e-procurement performance. E-procurement performance is measured as a combination of cost savings, order quality, and satisfaction of fulfillment as perceived by buyers. The model also posits that two aspects of the procurement process will enhance the value of security in e-procurement, namely, process complexity and process interdependence. We empirically examine these relationships using data collected from procurement managers. Our results have important implications for managing the e-procurement process.


Management Information Systems Quarterly | 2017

When Do IT Security Investments Matter? Accounting for the Influence of Institutional Factors in the Context of Healthcare Data Breaches

Corey M. Angst; Emily S. Block; John D'Arcy; Ken Kelley

In this study, we argue that institutional factors determine the extent to which hospitals are symbolic or substantive adopters of information technology (IT) specific organizational practices. We then propose that symbolic and substantive adoption will moderate the effect that IT security investments have on reducing the incidence of data security breaches over time. Using data from three different sources, we create a matched panel of over 5,000 U.S. hospitals and 938 breaches over the 2005-2013 time frame. Using a growth mixture model approach to model the heterogeneity in likelihood of breach, we use a two class solution in which hospitals that (1) belong to smaller health systems, (2) are older, (3) smaller in size, (4) for-profit, (5) non-academic, (6) faith-based, and (7) less entrepreneurial with IT are classified as symbolic adopters. We find that symbolic adoption diminishes the effectiveness of IT security investments, resulting in an increased likelihood of breach. Contrary to our theorizing, the use of more IT security is not directly responsible for reducing breaches, but instead, institutional factors create the conditions under which IT security investments can be more effective. Implications of these findings are significant for policy and practice, the most important of which may be the discovery that firms need to consider how adoption is influenced by institutional factors and how this should be balanced with technological solutions. In particular, our results support the notion that deeper integration of security into IT-related processes and routines leads to fewer breaches, with the caveat that it takes time for these benefits to be realized.


ACM SIGMIS Conference on Computers and People Research | 2017

Managing Security in Organizations: Adoption of Information Security Solutions

Tejaswini Herath; Hemantha S. B. Herath; John D'Arcy

We develop an integrative model grounded in two theoretical perspectives -- the diffusion of innovation theory and the technology-organization-environment framework -- to examine the diffusion of information security solutions (ISS) in organizations. We specify four innovation characteristics that are specific to ISS (compatibility, complexity, costs, and relative advantage), two organizational factors (organizational readiness and top management support), and two environmental factors (external pressure and visibility) as drivers of ISS diffusion. The model will be tested using data collected through survey questionnaires. We hope to share the results at the workshop in June.

Collaboration



Top Co-Authors


Sarv Devaraj

Mendoza College of Business


Corey M. Angst

Mendoza College of Business


Aaron Striegel

University of Notre Dame
