Sanction severity and employees' information security policy compliance: Investigating mediating, moderating, and control variables

Abstract

Information security policy (ISP) plays a critical role in information systems security management. Past research using General Deterrence Theory (GDT) on employees' compliance intention (CI) with ISP produced mixed results. We use survey data to investigate how other factors influence the relationship between sanction severity and employees' CI. The results show that none of the investigated moderating variables interacts with sanction severity on employees' ISP compliance intentions. However, the significant impact of sanction severity on employees' ISP CI disappears when the investigated variables are included, and the impact of sanction severity is mediated by perceived efficacy and descriptive norm.
