Does One Size Fit All? Examining the Differential Effects of IS Security Countermeasures

  • John D’Arcy
  • Anat Hovav


Research from the fields of criminology and social psychology suggests that the deterrent effect of security countermeasures is not uniform across individuals. In this study, we examine whether certain individual characteristics (i.e., computer self-efficacy) or work arrangement (i.e., virtual status) moderate the influence of security policies, security education, training, and awareness (SETA) programs, and computer monitoring on information systems misuse. The results suggest that computer-savvy individuals are less deterred by SETA programs and computer monitoring, while these countermeasures are also less influential (from a deterrence perspective) on employees who spend more working days outside the office. Implications for both the research and practice of information security are discussed.


Keywords: information systems security, deterrence theory, computer ethics, information security management, computer self-efficacy, differential deterrence hypothesis, virtual work



The authors thank the State Farm Companies Foundation for providing partial funding for this research. Earlier versions of this paper were presented at the Fifth Ethical Dimensions in Business Conference at the University of Notre Dame (November 29, 2007) and the Pre-ICIS Workshop on Information Security and Privacy (Milwaukee, WI, December 10, 2006). The paper also benefited from discussions with participants of the University of Notre Dame Management Department Seminar Series.



Copyright information

© Springer Science+Business Media B.V. 2008

Authors and Affiliations

  1. Department of Management, University of Notre Dame, Notre Dame, U.S.A.
  2. Korea University Business School, Seoul, Korea
