Information Systems Research
INFORMATION SYSTEMS RESEARCH,
Published online in Articles in Advance, June 20, 2008
DOI: 10.1287/isre.1070.0160

User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach

John D'Arcy, Anat Hovav, Dennis Galletta

Mendoza College of Business, University of Notre Dame, Notre Dame, Indiana 46556
Korea University Business School, Seoul 136-701 Korea
Katz Graduate School of Business, University of Pittsburgh, Pittsburgh, Pennsylvania 15260

jdarcy1{at}nd.edu
anatzh{at}korea.ac.kr
galletta{at}katz.pitt.edu

Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50% and 75% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This paper presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions varies based on one's level of morality. Implications for the research and practice of IS security are discussed.

Key Words: IS misuse; IS security; security countermeasures; general deterrence theory; security management; end-user security
History: This paper was received on July 11, 2006.

Copyright © 2008 by INFORMS.