
User Awareness Of Security Countermeasures And Its Impact On Information Systems Misuse: A Deterrence Approach

J. D'Arcy, A. Hovav, D. Galletta
Published 2009 · Psychology, Computer Science

Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50% and 75% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This paper presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions varies based on one's level of morality. Implications for the research and practice of IS security are discussed.