
Social control through deterrence on the compliance with information security policy

  • Focus
  • Soft Computing

Abstract

Information system security (ISS) has become an extremely significant issue in organizations to protect information as an organizational asset. The purpose of this study is to investigate what factors affect individuals’ perception of sanction threats. This study uses social control theory to understand the effects of deterrence on public corporation employees’ ISS compliance and to elucidate employees’ motivations for ISS violations and their different perceptions of sanction threats. The effects and their significance in the model were tested. The results of this study help information security institutions to consider deterrence and self-punishment and to manage compliance with information security policy effectively and securely.



Author information

Corresponding author

Correspondence to Jeongseok Song.

Ethics declarations

Conflict of interest

Authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants performed by any of the authors.

Additional information

Communicated by G. Yi.


About this article


Cite this article

Choi, M., Song, J. Social control through deterrence on the compliance with information security policy. Soft Comput 22, 6765–6772 (2018). https://doi.org/10.1007/s00500-018-3354-z
