Punishment and ethics deterrents: A study of insider security contravention

Information security is a growing concern among the general population. For instance, the U.S. Department of Justice (2004) has estimated that one in three people will become victims of identity theft at some point in their lifetime. The bulk of information security research has investigated the technological aspects of security, and there are gaps in the literature regarding contravention of security measures. To fill an important gap in that literature, this empirical field study drew from deterrence theory and used the theory of planned behavior as a general framework to investigate the effects of punishment and ethics training on behaviors related to contravention of information security measures among information professionals. We found that both punishment and ethics training can be effective in mitigating threats to software and information security, but that their effectiveness depends on certain underlying motivational factors of individuals. The results of this study suggest a need to develop and refine the theoretical models, and we offer suggestions for getting at the root of behavioral issues surrounding information security. © 2007 Wiley Periodicals, Inc.
