Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse

2023 | Information Systems Research | Citations: 0

Authors: Burns, A. J.; Roberts, Tom L.; Posey, Clay; Lowry, Paul Benjamin; Fuller, Bryan

Abstract: Despite widespread agreement among practitioners and academicians that organizat ... Expand

Abstract: Despite widespread agreement among practitioners and academicians that organizational insiders are a significant threat to organizational information systems security, insider computer abuse (ICA)—unauthorized and deliberate misuse of organizational information resources by organizational insiders—remains a serious issue. Recent studies have shown that most employees are willing to share confidential or regulated information under certain circumstances, and nearly one-third to half of major security breaches are tied to insiders. These trends indicate that organizational security efforts, which generally focus on deterrence and sanctions, have yet to effectively address ICA. Therefore, leading security researchers and practitioners have called for a more nuanced understanding of insiders in respect to deterrence efforts. We answer these calls by proposing a middle-range theory of ICA that focuses on understanding the inherent tensions between insider motivations and organizational controls. Our careful review distinguishes two categories of personal motives for ICA: (1) instrumental (i.e., financial benefits) and (2) expressive (i.e., psychological contract violations) motives. Our novel theory of ICA also includes the influence of two classes of controls for ICA: (1) intrinsic (i.e., self-control) and (2) extrinsic (i.e., organizational deterrence) controls. We developed and empirically examined a research model based on our middle-range theory that explains a substantial portion of the variance in ICA. Specifically, our results indicate that both instrumental and expressive motives are positively related to ICA. Moreover, intrinsic self-control exerted significant direct and moderating influences in our research model, whereas extrinsic organizational deterrence failed to exhibit a direct effect on ICA and significantly moderated instrumental motives’ relationship with ICA only. Not only do our results show that self-control exerted a stronger effect on the model than deterrence did but they also help us identify the limits of deterrence in ICA research.History: Ola Henfridsson served as the senior editor and Debabrata Dey served as associate editor for this article.Supplemental Material: The online appendix is available at https://doi.org/10.1287/isre.2022.1133. Collapse

Topics: IT security data security anonymity organizational control password

Methods: theory development partial least squares path modeling factor analysis data transformation PLS tool

Theories: control theory deterrence theory

Understanding Online Music Piracy Behavior via Private Communication Channels

2023 | Information Systems Frontiers | Citations: 0

Authors: Park, Soomin; Moon, Junghoon; Rhee, Cheul; Choe, Young-Chan

Abstract: In this study, we developed and tested a theoretical model to understand online ... Expand

Abstract: In this study, we developed and tested a theoretical model to understand online music piracy behavior via email and instant messaging. We developed this theoretical model by drawing on a comprehensive literature review on music piracy, theory of reasoned action, social identity, and the deterrence theory. We collected primary data to test the hypotheses, and the results from the partial least squares analyses suggest attitude toward music file-sharing behavior and social identity positively affect intention to pirate music, whereas the perceived severity and certainty of punishment do not have significant effects on the attitude. The findings highlight the important role of social identity when a theoretical model with the concept explains music file-sharing behavior without monetary benefits in return. Collapse

Topics: social identity digital piracy electronic mail social media online chat

Methods: partial least squares regression survey structural equation modeling survey design literature study

Theories: deterrence theory theory of reasoned action behavioral theory

WILL THEY STILL PAY? A STUDY OF CONSUMER BEHAVIOR IN AN UNMANNED RETAIL ENVIRONMENT

2022 | International Conference on Information Systems | Citations: 0

Authors: Lan, Yihong; Jiang, Zhenhui; Hahn, Jungpil

Abstract: An unmanned retail shelf is a new retail format made possible by the advance in ... Expand

Abstract: An unmanned retail shelf is a new retail format made possible by the advance in mobile internet and digital payment technologies. With drastically reduced personnel costs and upfront equipment investment, unmanned retail shelves promise the potential of deeper penetration into more convenient locations for consumers. However, a lack of onsite staff can also mean that unmanned retail shelves are more vulnerable to incidences of theft as compared to traditional stores. We investigate the impact of formal and informal surveillance technology in the context of an unmanned retail environment. By investigating the impact of surveillance technology on consumer behavior outcomes such as theft rate, approach rate, and conversion rate, we hope to better understand if surveillance technologies live up to the promises of improving net economic outcomes by delivering better security. Collapse

Topics: privacy social presence information privacy concern WeChat decision making

Methods: experimental group field experiment theory development experiment computational algorithm

Theories: deterrence theory social presence theory

Common Misunderstandings of Deterrence Theory in Information Systems Research and Future Research Directions

2022 | ACM SIGMIS Database | Citations: 0

Authors: Siponen, Mikko; Soliman, Wael; Vance, Anthony

Abstract: In the 1980s, information systems (IS) borrowed deterrence theory (DT) from the ... Expand

Abstract: In the 1980s, information systems (IS) borrowed deterrence theory (DT) from the field of criminology to explain information security behaviors (or intention). Today, DT is among the most commonly used theories in IS security research. Our review of IS research applying DT highlights that many fundamental assumptions of DT are unrecognized and therefore unexamined. This may have resulted in misunderstandings and conceptual confusions regarding some of the basic concepts of DT. For example, some IS studies confuse general deterrence with specific deterrence or do not recognize the difference between the two. Moreover, these fundamental assumptions, when directly examined, may provide important information about the applicability of DT in certain IS security contexts. This research commentary aims to identify and discuss some of the fundamental assumptions of DT and their implications for IS research. By examining these assumptions, IS researchers can study the previously unexplored aspects of DT in different IS contexts. Further, by recognizing these assumptions, IS scholars can revise them and build new variants of DT to better account for specific characteristics of IS behaviors and contexts. Collapse

Topics: IT security IT security threat data security phishing social network

Methods: literature sample literature study synthesis field experiment experimental group

Theories: deterrence theory general deterrence theory

Social Media Aggression: An Assessment Based on the Contemporary Deterrence Theory

2021 | Americas Conference on Information Systems | Citations: 0

Authors: Boadi, Caleb; Kolog, Emmanuel Awuni

Abstract: The role played by incendiary messages identifies as online radicalism is a low ... Expand

Abstract: The role played by incendiary messages identifies as online radicalism is a low-cost tool that has been a medium to violence and potential dangers to social media users and the society at large. The unregulated mass communication evolves as an overtly aggressive, a covertly aggressive, and non-aggressive society. Strategies to attract compliance to Information and Communications Technology (ICT) ethics to scrutinize the applicability of the theories of neutralization and deterrence on cognition and behaviour have been recognised in Information Systems (IS) research. This study uses the contemporary deterrence theory to explain illicit, deviant, and unethical behaviours of social media user's with the construct and effect of the Sub-Saharan Africa cultural values. The study seeks to answer the research question: What are the influencers of the adolescent intention to engage in social media aggression? The study draws on the contemporary deterrence theory to answer the underpinning research question. Collapse

Topics: social media

Theories: deterrence theory

The role of deterrability for the effect of multi-level sanctions on information security policy compliance: Results of a multigroup analysis

2021 | Information & Management | Citations: 0

Authors: Jaeger, Lennart; Eckhardt, Andreas; Kroenung, Julia

Abstract: This paper offers a new perspective on the effectiveness of sanctions in influen ... Expand

Abstract: This paper offers a new perspective on the effectiveness of sanctions in influencing information security policy compliance. We observe compliance from a group perspective to identify undeterrable employees who comply based on inner conviction and deterrable employees who comply because of external coercion. Drawing upon survey data, we show that multilevel sanctions (i.e., formal, social, and personal sanctions) have a varying impact on the compliance of inclined and disinclined employees. We also find that multilevel sanction percep­ tions are differently influenced by information security policy awareness. This group-based deterrability perspective opens up new avenues to study the value of sanctions. Collapse

Topics: security policy information security policy compliance cloud computing data security information security management

Methods: partial least squares regression survey partial least squares path modeling statistical hypothesis test PLS tool

Theories: deterrence theory

Mitigating the Security Intention-Behavior Gap: The Moderating Role of Required Effort on the Intention-Behavior Relationship

2021 | Journal of the Association for Information Systems | Citations: 0

Authors: Jenkins, Jeffrey; Durcikova, Alexandra; Jay F. Nunamaker, Jr

Abstract: Although users often express strong positive intentions to follow security polic ... Expand

Abstract: Although users often express strong positive intentions to follow security policies, these positive intentions fail to consistently translate to behavior. In a security setting, the inconsistency between intentions and behavior—termed the intention-behavior gap—is particularly troublesome, as a single failure to enact positive security intentions may make a system vulnerable. We address a need in security compliance literature to better understand the intention-behavior gap by explaining how an omnipresent competing intention—the user’s desire to minimize required effort—negatively moderates the relationship between positive intentions and actual security behavior. Moreover, we posit that this moderating effect is not accounted for in extant theories used to explain behavioral information security, introducing an opportunity to broadly impact information security research to more consistently predict behavior. In three experiments, we found that high levels of required effort negatively moderated users’ intentions to follow security policies. Controlling for this moderating effect substantially increased the explained variance in security policy compliance. The results suggest that security researchers should be cognizant of the existence of competing intentions, such as the desire to minimize required effort, which may moderate the security intention-behavior relationship. Otherwise, such competing intentions may cause unexpected inconsistencies between users’ intentions to behave securely and their actual security behavior. Collapse

Topics: security policy password data breach lean manufacturing IT security training

Methods: experiment experimental group survey statistical hypothesis test regression analysis method

Theories: theory of planned behavior protection motivation theory deterrence theory theory of bounded rationality

High-Risk Deviant Decisions: Does Neutralization Still Play a Role?

2021 | Journal of the Association for Information Systems | Citations: 0

Authors: Trinkle, Bradley; Warkentin, Merrill; Malimage, Kalana; Raddatz, Nirmalee

Abstract: Extant research has shown that neutralization processes can enable potential IS ... Expand

Abstract: Extant research has shown that neutralization processes can enable potential IS security policy violators to justify their behavior and overcome the deterrence effect of sanctions in order to engage in unethical behaviors. However, such sanctions are typically moderate and not career ending. We test the boundary conditions of this theory by evaluating whether neutralization plays a role in overcoming the impact of extreme levels of deterrence. We extend the Siponen and Vance (2010) framework within a professional context that assigns extreme sanctions to violators. Using the scenario-based factorial survey method common in IS security research, we collected data from future auditors who understand these extreme sanctions. We test the reasons that auditors may use to form intentions to falsify information concerning an information security issue with a company's accounting information system, thereby jeopardizing data integrity and security by modifying working papers to hide irregularities and, by doing so, violating their professional standards, which could result in career-ending sanctions. We empirically validated and tested the theoretical model. Our results show that sanctions play an important role in reducing employees' intentions to violate policy but that, even under extreme boundary conditions, employees might seek to rationalize their unethical behavior by denying responsibility for their actions through, for example, arguing that their supervisors pressured them into performing the violations. We also establish that messages heightening the awareness and perceptions of the certainty and severity of organizational punishment are likely to attenuate such deviant behaviors. We discuss the implications of these findings and suggest future avenues for research. Collapse

Topics: behavioral intention accounting IT career IT security threat accounting information system

Methods: survey hierarchical linear modeling statistical hypothesis test experiment experimental design

Theories: deterrence theory neutralization theory behavioral theory general deterrence theory protection motivation theory

Too Good to Be True: Firm Social Performance and the Risk of Data Breach

2020 | Information Systems Research | Citations: 0

Authors: D’Arcy, John; Adjerid, Idris; Angst, Corey M.; Glavas, Ante

Abstract: In this paper, we draw from research in the information systems security and man ... Expand

Abstract: In this paper, we draw from research in the information systems security and management fields to theorize that a firm’s social performance, as measured by its engagement in socially responsible (or irresponsible) activities (i.e., corporate social performance (CSP)), affects its likelihood of being subject to computer attacks that result in data breaches. Drawing from stakeholder theory and positioning employees and external hackers as key stakeholders of the firm with respect to information security, we propose a set of hypotheses that elaborate relationships between aspects of a firm’s CSP and the likelihood of experiencing a data breach. To test our hypotheses, we compiled a unique data set that consists of publicly available data on firms’ data breach incidents, external assessments of their CSP, and other firm-specific factors. Our contribution is an intriguing and previously unknown account of CSP as it relates to information security. Paradoxically, our results suggest that firms that are noted to have poor CSP records (i.e., CSP concerns) are no more likely to experience a data breach, although a positive CSP record (i.e., CSP strengths) in areas that are peripheral to core firm activities (e.g., philanthropy, recycling programs) results in an elevated likelihood of breach. Delving into this latter finding, our results suggest that firms that simultaneously have peripheral CSP strengths along with high CSP concerns in other areas are at increased risk of breach. The increased likelihood of breach for firms with seemingly disingenuous CSP records suggests that perceived “greenwashing” efforts that attempt to mask poor social performance make firms attractive targets for security exploitation. Collapse

Topics: data breach data security IT security database system missing data

Methods: robustness check theory development statistical hypothesis test econometric modeling longitudinal research

Theories: stakeholder theory organizational learning theory deterrence theory institutional theory cognitive dissonance theory

Compliance with IS-Security-Policies: A Socio-Material Perspective Towards Security

2020 | Americas Conference on Information Systems | Citations: 0

Authors: Falahati, Arman; Lapointe, Liette

Abstract: In the face of ever-growing IS-security breaches and their substantial impacts ... Expand

Abstract: In the face of ever-growing IS-security breaches and their substantial impacts on organizations and societies, the necessity of enhancing organizational IS-security becomes paramount. Meanwhile, the employees' compliance with organizational IS-security policies (ISSP) is known to be critical for ensuring security. However, the extant knowledge about ISSP-compliance has remained scattered and inconclusive, and the social aspects of compliance are mostly underexplored despite their importance and impact. Moreover, there is a need for more studies that bridge the gap between the design side and the behavioral sides of IS-security; such a gap has created both conceptual and practical shortfalls within the literature. In this paper, we address these gaps by first introducing an enhanced unified framework of ISSP-compliance and, second, by theorizing a model where we propose that transparency of use enacts four distinct social practices, which, in turn, increase the employees' compliance with ISSP. Future avenues of research are also suggested. Collapse

Topics: IT security information system use IS management digital literacy systems design

Methods: literature study conceptual modelling theory development

Theories: sociomaterialism theory deterrence theory rational choice theory