IS Security Policy Violations: A Rational Choice Perspective

IS Security Policy Violations: A Rational Choice Perspective

Anthony Vance (Brigham Young University, USA) and Mikko T. Siponen (University of Oulu, Finland)
Copyright: © 2012 |Pages: 21
DOI: 10.4018/joeuc.2012010102
OnDemand PDF Download:
No Current Special Offers


Employee violations of IS security policies are reported as a key concern for organizations. Although behavioral research on IS security has received increasing attention from IS scholars, little empirical research has examined this problem. To address this research gap, the authors test a model based on Rational Choice Theory (RCT)—a prominent criminological theory not yet applied in IS—which explains, in terms of a utilitarian calculation, an individual’s decision to commit a violation. Empirical results show that the effects of informal sanctions, moral beliefs, and perceived benefits convincingly explain employee IS security policy violations, while the effect of formal sanctions is insignificant. Based on these findings, the authors discuss several implications for research and practice.
Article Preview

Previous Research on IS Security Behavior and Compliance

Previous research in the area of IS security behavior in an organizational context can be divided into three areas: (1) IS security awareness and training, (2) computer abuse, and (3) information security policy violations. In this section, we show below that while many contributions have been made in the first two areas, comparatively little research has directly addressed the problem of intentional violations of IS security policies. Next, we show that although the first two streams of research have made important contributions to IS security research, they have addressed distinctly different research questions than those examining factors that lead to deliberate violations of IS security policies.

IS Security Awareness and Training

Research on IS security awareness and training programs (Lafleur, 1992; McLean, 1992; Puhakainen, 2006; Siponen, 2000; Telders, 1991; Thomson & von Solms, 1998; Vroom & von Solms, 2002) offers important insights into how employees’ awareness of IS security policies and guidelines can be increased (Lafleur, 1992; McLean, 1992; Thomson & von Solms, 1998; Vroom & von Solms, 2002). Such research also offers insights into how employees can be motivated to comply with such policies (Puhakainen, 2006; Siponen & Iivari, 2006). Contributions to this research stream generally comprise conceptual frameworks (Lafleur, 1992; McLean, 1992; Siponen, 2000; Telders, 1991; Thomson & von Solms, 1998; Vroom & von Solms, 2002) and qualitative studies on the effect of IS security education on employees’ IS security policy compliance. Although valuable, these studies do not examine the behavior of employees who are aware of IS security policies but who deliberately choose to violate them (Aytes & Connolly, 2003).

Computer Abuse

Computer abuse has received considerable attention in the area of IS security. This research stream can be traced back to the research of Parker (1976), who first studied and coined the term “computer abuse.”1 This term has been consistently defined in the field of information systems as “the unauthorized and deliberate misuse of assets of the local organizational information system by individuals,” including the misuse of hardware, software, data, and computer services (Straub, 1990, p. 257; Harrington, 1996; D’Arcy et al., 2009).

While Parker (1976) did not explicitly apply theory in his work, subsequent studies on computer abuse have generally applied criminological theories, particularly deterrence theory (Grasmick & Bryjak, 1980). The first to do so was Straub (1990), who applied deterrence theory (involving the certainty and severity of formal sanctions) to examine whether information security investments deter computer abuse. He applied formal sanctions by linking the number of reported incidents to various information security countermeasures and found that these countermeasures reduced the number of computer abuse incidents within organizations. While Straub (1990) did not measure computer abuse at the level of individuals, subsequent studies have addressed this point. Harrington (1996) found support that codes of ethics act as deterrents because they induce a fear of punishment. Lee et al. (2004) studied whether a number of deterrents, such as security policies and awareness programs, deter computer abuse. They found that social norms and involvement lead to increased computer abuse. Finally, D’Arcy et al.’s (2009) study of IS misuse extended the classical deterrence theory to include preceding factors such as computer awareness and education as well as the formulation of security policies. They found that user awareness of IS security policies, IS security training, computer monitoring, and the severity of formal sanctions deters IS misuse.

Complete Article List

Search this Journal:
Volume 33: 6 Issues (2021): 2 Released, 4 Forthcoming
Volume 32: 4 Issues (2020)
Volume 31: 4 Issues (2019)
Volume 30: 4 Issues (2018)
Volume 29: 4 Issues (2017)
Volume 28: 4 Issues (2016)
Volume 27: 4 Issues (2015)
Volume 26: 4 Issues (2014)
Volume 25: 4 Issues (2013)
Volume 24: 4 Issues (2012)
Volume 23: 4 Issues (2011)
Volume 22: 4 Issues (2010)
Volume 21: 4 Issues (2009)
Volume 20: 4 Issues (2008)
Volume 19: 4 Issues (2007)
Volume 18: 4 Issues (2006)
Volume 17: 4 Issues (2005)
Volume 16: 4 Issues (2004)
Volume 15: 4 Issues (2003)
Volume 14: 4 Issues (2002)
Volume 13: 4 Issues (2001)
Volume 12: 4 Issues (2000)
Volume 11: 4 Issues (1999)
Volume 10: 4 Issues (1998)
Volume 9: 4 Issues (1997)
Volume 8: 4 Issues (1996)
Volume 7: 4 Issues (1995)
Volume 6: 4 Issues (1994)
Volume 5: 4 Issues (1993)
Volume 4: 4 Issues (1992)
Volume 3: 4 Issues (1991)
Volume 2: 4 Issues (1990)
Volume 1: 3 Issues (1989)
View Complete Journal Contents Listing