D'Arcy et al., 2009: User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach

Topic:

Deterrence theory model study finding that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with Information System (IS) misuse, which leads to reduced IS misuse intention. More severe sanctions reduce IS misuse.

Survey with four misuse scenarios, 269 users from 8 companies. Survey and scenarios in the Appendix.

The four scenarios included in the survey are:

(1) sending an inappropriate e-mail message—developed for this study;
(2) use of unlicensed (pirated) software—modified from christensen_instructional_1994 and pierce_judgements_2000;
(3) unauthorized access to computerized data—modified from paradice_ethical_1990 and pierce_judgements_2000; and
(4) unauthorized modification of computerized data—modified from paradice_ethical_1990.

Constructs in this publication:

| Construct | Cites | Category | Questions given? | Content validity | Pretests | Response type | Notes |
|---|---|---|---|---|---|---|---|
| perceptions of the certainty | Peace et al., 2003 | | yes | panel of 6 MIS faculty members | pilot | 7-point scale | |
| severity of organizational sanctions for engaging in IS misuse | Peace et al., 2003 | | yes | panel of 6 MIS faculty members | pilot | 7-point scale | |
| moral commitment | Lin et al., 1999 | | yes | panel of 6 MIS faculty members | pilot | 7-point scale | |
| IS misuse intention 1 | NEW | | yes | panel of 6 MIS faculty members | pilot | 7-point scale | |
| IS misuse intention 2 | Leonard, 2001 | | yes | panel of 6 MIS faculty members | pilot | 7-point scale | |
| users’ awareness of security policies | NEW | | yes | panel of 6 MIS faculty members | pilot | binary | |
| SETA programs | NEW | | yes | panel of 6 MIS faculty members | pilot | binary | |
| computer monitoring within their organizations | NEW | | yes | panel of 6 MIS faculty members | pilot | binary | |

Citation:

John D'Arcy, Anat Hovav, and Dennis Galletta. User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach. Information Systems Research, 20(1):79–98, March 2009. doi:10.1287/isre.1070.0160.

Bibtex


@article{darcy_user_2009,
 abstract = {Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50\%\textendash{}75\% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This paper presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions vary based on one's level of morality. Implications for the research and practice of IS security are discussed.},
 author = {D'Arcy, John and Hovav, Anat and Galletta, Dennis},
 doi = {10.1287/isre.1070.0160},
 issn = {1047-7047},
 journal = {Information Systems Research},
 month = {March},
 number = {1},
 pages = {79-98},
 shorttitle = {User {{Awareness}} of {{Security Countermeasures}} and {{Its Impact}} on {{Information Systems Misuse}}},
 title = {User {{Awareness}} of {{Security Countermeasures}} and {{Its Impact}} on {{Information Systems Misuse}}: {{A Deterrence Approach}}},
 volume = {20},
 year = {2009}
}