A meta-analysis of the deterrence theory in security-compliant and security-risk behaviors

Abstract

Deterrence theory has been widely adopted in the study of information security management; however, the evidence it has produced is frequently contradictory. Prior meta-analytic studies have focused primarily on the use of formal deterrence constructs to predict security-compliant behavior, so that informal deterrence constructs and security-risk behavior have often been neglected. This study meta-analyzes the relationships between both formal/informal deterrence constructs and security-compliant/risk behaviors more comprehensively than prior deterrence-based IS security meta-analyses. By searching multiple electronic databases, we located 40 studies, yielding 108 effect sizes, pertinent to our purpose. The inverse variance method, weighted by sample size, was used to determine mean effect sizes. The random-effects model was used to report the meta-analysis results, since Q, I², and the H index showed some degree of heterogeneity in the collected data. Publication bias was assessed by means of fail-safe N. All proposed relationships between formal/informal deterrence constructs and security-compliant/risk behaviors were supported. Formal deterrence constructs exerted weak to moderate effects on security behavior, while informal deterrence constructs exerted moderate to strong effects. Further, informal deterrence constructs showed greater mean effect sizes than formal deterrence constructs. Additionally, the prediction intervals of the deterrence constructs, along with detection certainty, included zero, which indicates that moderators may be present. Based on these findings, the mean effect sizes of deterrence constructs may be identified more clearly when security behavior is divided into compliant and risk behaviors, and further moderators might be employed to explain the inconsistent findings evidenced in deterrence theory.
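The statistical pipeline the abstract names (inverse-variance weights from sample size, a DerSimonian-Laird random-effects mean, the Q, I² and H heterogeneity statistics, a prediction interval checked for zero, and Rosenthal's fail-safe N) is shown below as an added example; it is not the paper's own code or data. The five (r, n) pairs in `STUDIES`, the `T_975` table of t critical values, and the function names are constructed for illustration.

```python
import math

# Constructed sample of k = 5 primary studies (correlation r, sample size n);
# illustrative only, NOT the 40 studies / 108 effect sizes from the paper.
STUDIES = [(0.30, 120), (0.15, 200), (0.45, 80), (0.25, 150), (0.05, 300)]

# Two-sided 95% t critical values for the small df = k - 2 used in the
# prediction interval; falls back to the normal value 1.96 for larger df.
T_975 = {1: 12.706, 2: 4.303, 3: 3.182, 4: 2.776, 5: 2.571, 6: 2.447, 7: 2.365}


def fisher_z(r):
    """Fisher z transform of a correlation; sampling variance is 1 / (n - 3)."""
    return 0.5 * math.log((1 + r) / (1 - r))


def random_effects(studies):
    """DerSimonian-Laird random-effects pooling of correlations, with the
    heterogeneity and publication-bias diagnostics the abstract reports."""
    z = [fisher_z(r) for r, _ in studies]
    w = [n - 3 for _, n in studies]            # inverse-variance weights
    k, sw = len(z), sum(w)
    fixed = sum(wi * zi for wi, zi in zip(w, z)) / sw
    q = sum(wi * (zi - fixed) ** 2 for wi, zi in zip(w, z))   # Cochran's Q
    df = k - 1
    c = sw - sum(wi * wi for wi in w) / sw
    tau2 = max(0.0, (q - df) / c)              # between-study variance
    i2 = max(0.0, (q - df) / q) if q > 0 else 0.0
    h = math.sqrt(q / df)                      # H index: Q / df, as a ratio
    w_re = [1 / (1 / wi + tau2) for wi in w]   # weights including tau^2
    mean_z = sum(wi * zi for wi, zi in zip(w_re, z)) / sum(w_re)
    se = math.sqrt(1 / sum(w_re))
    half = T_975.get(k - 2, 1.96) * math.sqrt(tau2 + se ** 2)  # PI half-width
    # Rosenthal fail-safe N: null-result studies needed to raise the combined
    # one-sided p above .05 (z_alpha^2 = 1.645^2 = 2.706).
    z_sum = sum(zi * math.sqrt(wi) for wi, zi in zip(w, z))
    n_fs = z_sum ** 2 / 2.706 - k
    pi_r = (math.tanh(mean_z - half), math.tanh(mean_z + half))
    return {
        "mean_r": math.tanh(mean_z),
        "ci_r": (math.tanh(mean_z - 1.96 * se), math.tanh(mean_z + 1.96 * se)),
        "pi_r": pi_r,
        "Q": q, "I2": i2, "H": h, "tau2": tau2,
        "fail_safe_n": n_fs,
        "fail_safe_ok": n_fs > 5 * k + 10,     # Rosenthal's tolerance rule
        "pi_includes_zero": pi_r[0] < 0 < pi_r[1],  # moderators may be present
    }


if __name__ == "__main__":
    for key, val in random_effects(STUDIES).items():
        print(f"{key}: {val}")
```

On the constructed sample the confidence interval excludes zero while the prediction interval includes it, which is exactly the pattern the abstract describes for detection certainty.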