Previous Research on IS Security Behavior and Compliance
Previous research in the area of IS security behavior in an organizational context can be divided into three areas: (1) IS security awareness and training, (2) computer abuse, and (3) information security policy violations. In this section, we show that while many contributions have been made in the first two areas, comparatively little research has directly addressed the problem of intentional violations of IS security policies. Next, we show that although the first two streams of research have made important contributions to IS security research, they have addressed distinctly different research questions from those examined by studies of the factors that lead to deliberate violations of IS security policies.
IS Security Awareness and Training
Research on IS security awareness and training programs (Lafleur, 1992; McLean, 1992; Puhakainen, 2006; Siponen, 2000; Telders, 1991; Thomson & von Solms, 1998; Vroom & von Solms, 2002) offers important insights into how employees’ awareness of IS security policies and guidelines can be increased (Lafleur, 1992; McLean, 1992; Thomson & von Solms, 1998; Vroom & von Solms, 2002). Such research also offers insights into how employees can be motivated to comply with such policies (Puhakainen, 2006; Siponen & Iivari, 2006). Contributions to this research stream generally comprise conceptual frameworks (Lafleur, 1992; McLean, 1992; Siponen, 2000; Telders, 1991; Thomson & von Solms, 1998; Vroom & von Solms, 2002) and qualitative studies on the effect of IS security education on employees’ IS security policy compliance. Although valuable, these studies do not examine the behavior of employees who are aware of IS security policies but who deliberately choose to violate them (Aytes & Connolly, 2003).
Computer Abuse
Computer abuse has received considerable attention in the area of IS security. This research stream can be traced back to the research of Parker (1976), who first studied and coined the term “computer abuse.” This term has been consistently defined in the field of information systems as “the unauthorized and deliberate misuse of assets of the local organizational information system by individuals,” including the misuse of hardware, software, data, and computer services (Straub, 1990, p. 257; Harrington, 1996; D’Arcy et al., 2009).
While Parker (1976) did not explicitly apply theory in his work, subsequent studies on computer abuse have generally applied criminological theories, particularly deterrence theory (Grasmick & Bryjak, 1980). The first to do so was Straub (1990), who applied deterrence theory (involving the certainty and severity of formal sanctions) to examine whether information security investments deter computer abuse. He operationalized formal sanctions by linking the number of reported incidents to various information security countermeasures, and found that these countermeasures reduced the number of computer abuse incidents within organizations. While Straub (1990) did not measure computer abuse at the level of individuals, subsequent studies have addressed this point. Harrington (1996) found support for the view that codes of ethics act as deterrents because they induce a fear of punishment. Lee et al. (2004) studied whether a number of deterrents, such as security policies and awareness programs, deter computer abuse. They found that social norms and involvement lead to increased computer abuse. Finally, D’Arcy et al.’s (2009) study of IS misuse extended classical deterrence theory to include preceding factors such as computer awareness and education as well as the formulation of security policies. They found that user awareness of IS security policies, IS security training, computer monitoring, and the severity of formal sanctions deter IS misuse.