Abstract
Research from the fields of criminology and social psychology suggests that the deterrent effect of security countermeasures is not uniform across individuals. In this study, we examine whether certain individual characteristics (i.e., computer self-efficacy) or work arrangement (i.e., virtual status) moderate the influence of security policies, security education, training, and awareness (SETA) program, and computer monitoring on information systems misuse. The results suggest that computer-savvy individuals are less deterred by SETA programs and computer monitoring, while these countermeasures are also less influential (from a deterrence perspective) on employees who spend more working days outside the office. Implications for both the research and practice of information security are discussed.
Acknowledgments
The authors thank the State Farm Companies Foundation for providing partial funding for this research. Earlier versions of this paper were presented at the Fifth Ethical Dimensions in Business Conference at the University of Notre Dame (November 29, 2007) and the Pre-ICIS Workshop on Information Security and Privacy (Milwaukee, WI, December 10, 2006). The paper also benefited from discussions with participants of the University of Notre Dame Management Department Seminar Series.
Appendix – IS misuse scenarios
Unauthorized access scenario
By chance, Alex found the password that allowed him to access the restricted computer system that contained the salary information of employees within his company. Around the same time, Alex was preparing to ask for a raise. Before meeting with his boss, Alex accessed the computer system and viewed the salaries of others in similar jobs. Alex used this information to determine how much of a salary increase to ask for.
Unauthorized modification scenario
Chris prepares payroll records for his company’s employees and therefore has access to the computer timekeeping and payroll systems. Periodically, Chris would increase the hours-worked records of certain employees with whom he was friends by “rounding up” their total hours for the week (for example, Chris would change 39.5 h worked to 40 h worked).
Cite this article
D’Arcy, J., Hovav, A. Does One Size Fit All? Examining the Differential Effects of IS Security Countermeasures. J Bus Ethics 89 (Suppl 1), 59–71 (2009). https://doi.org/10.1007/s10551-008-9909-7
DOI: https://doi.org/10.1007/s10551-008-9909-7