Abstract
Enforcing information security policies is a key concern of information security managers. To deter employees from deviant behavior, organizations often implement sanction mechanisms. However, research evidence on the effectiveness of such a deterrence approach has been mixed. Motivated by this inconsistency, this paper examines the applicability of deterrence theory in information security policy compliance research. It is argued that contextual and methodological moderators play a crucial role when conceptualizing deterrence theory in security studies. The results of a meta-analysis suggest that sanctions have an overall effect on deviant behavior. However, the results also indicate that this relationship depends on the study's context: deterrence theory better predicts deviant behavior in malicious contexts, in cultures with a high degree of power distance, and in cultures with high uncertainty avoidance. The meta-analysis also reveals no meaningful differences arising from the methodological context in terms of scenario-based versus behavior-specific measurement.
Cite this article
Trang, S., Brendel, B. A Meta-Analysis of Deterrence Theory in Information Security Policy Compliance Research. Inf Syst Front 21, 1265–1284 (2019). https://doi.org/10.1007/s10796-019-09956-4
DOI: https://doi.org/10.1007/s10796-019-09956-4