darcy08.pdf - Published online ahead of print informs...

Info icon This preview shows pages 1–2. Sign up to view the full content.

View Full Document Right Arrow Icon
Information Systems Research Articles in Advance , pp. 1–20 issn 1047-7047 eissn 1526-5536 inf orms ® doi 10.1287/isre.1070.0160 © 2008 INFORMS User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach John D’Arcy Mendoza College of Business, University of Notre Dame, Notre Dame, Indiana 46556, [email protected] Anat Hovav Korea University Business School, Seoul 136-701 Korea, [email protected] Dennis Galletta Katz Graduate School of Business, University of Pittsburgh, Pittsburgh, Pennsylvania 15260, [email protected] I ntentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50%–75% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This paper presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and aware- ness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions vary based on one’s level of morality. Implications for the research and practice of IS security are discussed. Key words : IS misuse; IS security; security countermeasures; general deterrence theory; security management; end-user security History : Sandra Slaughter, Senior Editor; Sue Brown, Associate Editor. This paper was received on July 11, 2006, and was with the authors 7 months for 2 revisions. Published online in Articles in Advance . Introduction A United Nations (2005, p. xxiii) report describes “tens, if not hundreds of billions of dollars” of annual worldwide economic damage caused by compro- mises in information security. The latest survey from the Computer Security Institute (Richardson 2007) reported losses averaging $345,000 among the 39% of respondents able to estimate losses and willing to report them. Interestingly, research indicates that between 50%–75% of security incidents originate from within an organization (Ernst and Young 2003, Infor- mationWeek 2005), often perpetrated by disgruntled employees (Standage 2002). Because only a fraction of security incidents are actually discovered (Hoffer and Straub 1989, Whitman 2003), the reported statistics likely underestimate the problem. Moreover, organi-
Image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
Image of page 2
This is the end of the preview. Sign up to access the rest of the document.

{[ snackBarMessage ]}

What students are saying

  • Left Quote Icon

    As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

    Student Picture

    Kiran Temple University Fox School of Business ‘17, Course Hero Intern

  • Left Quote Icon

    I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

    Student Picture

    Dana University of Pennsylvania ‘17, Course Hero Intern

  • Left Quote Icon

    The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

    Student Picture

    Jill Tulane University ‘16, Course Hero Intern