Hu et al., 2011: Does Deterrence Work in Reducing Information Security Policy Abuse by Employees?

Topic:

We found that while the rational choice framework of deviant behavior is largely supported, the perceived benefits of violations often dominate the perceived risks in individual decision calculus. As a result, the deterrence antecedents are less effective than the self-control and moral belief antecedents in shaping individual behavior.

survey with scenarios, 207 employees

Constructs in this publication:

Construct	Cites	Category	Questions given?	Content validity	Pretests	Response type	Notes
Low Self-Control	NOT NEW	Individual Propensity	no	None	pilot with students	7-point Likert scale
Moral Beliefs	NOT NEW	Individual Moral Beliefs	no	None	pilot with students	7-point Likert scale
Perceived Certainty of Sanctions	NOT NEW	Perceived Deterrence	no	None	pilot with students	7-point Likert scale
Perceived Severity of Sanctions	NOT NEW	Perceived Deterrence	no	None	pilot with students	7-point Likert scale
Perceived Celerity of Sanctions	NOT NEW	Perceived Deterrence	no	None	pilot with students	7-point Likert scale
Perceived Extrinsic Benefits	NOT NEW	Rational Choice Calculus	no	None	pilot with students	7-point Likert scale
Perceived Intrinsic Benefits	NOT NEW	Rational Choice Calculus	no	None	pilot with students	7-point Likert scale
Perceived Formal Risk	NOT NEW	Rational Choice Calculus	no	None	pilot with students	7-point Likert scale
Perceived Informal Risk	NOT NEW	Rational Choice Calculus	no	None	pilot with students	7-point Likert scale
Perceived Risk of Shame	NOT NEW	Rational Choice Calculus	no	None	pilot with students	7-point Likert scale
Intention to Commit Violation	NOT NEW	Behavioral Intention	no	None	pilot with students	7-point Likert scale

This publication is cited by the following publications:

• Sommestad et al., 2014: Intention to misuse
• Sommestad et al., 2014: Perceived extrinsic benefits
• Sommestad et al., 2014: Perceived intrinsic benefits
• Sommestad et al., 2014: Perceived risk of Shame
• Sommestad et al., 2014: Perceived severity of sanctions
• Sommestad et al., 2014: Perceived informal risk
• Sommestad et al., 2014: Perceived Celerity of Sanctions
• Sommestad et al., 2014: Perceived formal Risk

Citation:

Qing Hu, Zhengchuan Xu, Tamara Dinev, and Hong Ling. Does Deterrence Work in Reducing Information Security Policy Abuse by Employees? Commun. ACM, 54(6):54–60, June 2011. doi:10.1145/1953122.1953142.

Bibtex

@article{hu_does_2011,
 abstract = {Methods for evaluating and effectively managing the security behavior of employees.},
 author = {Hu, Qing and Xu, Zhengchuan and Dinev, Tamara and Ling, Hong},
 doi = {10.1145/1953122.1953142},
 issn = {0001-0782},
 journal = {Commun. ACM},
 month = {June},
 number = {6},
 pages = {54--60},
 title = {Does {{Deterrence Work}} in {{Reducing Information Security Policy Abuse}} by {{Employees}}?},
 volume = {54},
 year = {2011}
}

---