Posted Content•
A Tale of Two Deterrents: Considering the Role of Absolute and Restrictive Deterrence to Inspire New Directions in Behavioral and Organizational Security Research
TL;DR: It is proposed that future research on the deterrent effects of ICA should be anchored in a more general RCT, rather than in examinations of deterrence as an isolated construct, and explained how adopting RCT with DT opens up new avenues of research.
Abstract: This research-perspective article reviews and contributes to the literature that explains how to deter internal computer abuse (ICA), which is criminal computer behavior committed by organizational insiders. ICA accounts for a large portion of insider trading, fraud, embezzlement, the selling of trade secrets, customer privacy violations, and other criminal behaviors, all of which are highly damaging to organizations. Although ICA represents a momentous threat for organizations, and despite numerous calls to examine this behavior, the academic response has been lukewarm. However, a few security researchers have examined ICA’s influence in an organizational context and the potential means of deterring it. However, the results of the studies have been mixed, leading to a debate on the applicability of deterrence theory (DT) to ICA. We argue that more compelling opportunities will arise in DT research if security researchers more deeply study its assumptions and more carefully recontextualize it. The purpose of this article is to advance a deterrence research agenda that is grounded in the pivotal criminological deterrence literature. Drawing on the distinction between absolute and restrictive deterrence and aligning them with rational choice theory (RCT), this paper shows how deterrence can be used to mitigate the participation in and frequency of ICA. We thus propose that future research on the deterrent effects of ICA should be anchored in a more general RCT, rather than in examinations of deterrence as an isolated construct. We then explain how adopting RCT with DT opens up new avenues of research. Consequently, we propose three areas for future research, which cover not only the implications for the study of ICA deterrence, but also the potential motivations for this type of offence and the skills required to undertake them.
Citations
More filters
TL;DR: A design-science research project to improve an organization’s compound problems of unsuccessful employee phishing prevention and poorly received internal security training created a gamified security training system focusing on enhancing intrinsic motivation through gamification and improving security learning and efficacy.
Abstract: We conducted a design-science research project to improve an organization’s compound problems of (1) unsuccessful employee phishing prevention and (2) poorly received internal security training. To...
87 citations
TL;DR: A two-year design science research (DSR) study of a smart contract initiative piloted by a consortium in the UK’s construction sector, which explores how a group of supply chain actors collectively designs and pilots a blockchain solution that addresses the supply chain transparency and provenance problem.
Abstract: While blockchain technologies are gaining momentum within supply chains, academic understanding of concrete, real-life design and implementation is still lagging, hence offering very limited insights into the true implications of blockchain technology on supply chains. This paper reports a two-year design science research (DSR) study of a smart contract initiative piloted by a consortium in the UK’s construction sector. We seek answers to the research question, ‘How should a blockchain enabled supply chain be designed?’ Guided by the theory of business model, we explore how a group of supply chain actors collectively designs and pilots a blockchain solution that addresses the supply chain transparency and provenance problem. Our research is one of the very few longitudinal empirical studies to offer in-depth evidence about how blockchain is deployed in complex multi-tier supply chain networks. In compliance with DSR research paradigm, we make contributions at three levels: designing and instantiating the blockchain architect and proving its utility in addressing the target problem; developing a set of design principles as a mid-range theory that can be applied and tested in different blockchain supply chain contexts; and refining and extending the kernel theory of business value at supply chain network level.
56 citations
TL;DR: Examining the applicability of deterrence theory in information security policy compliance research suggests that sanctions have an overall effect on deviant behavior, but the results also indicate that this relationship is dependent on the study’s context.
Abstract: Enforcing information security policies is a key concern of information security managers. To deter employees from deviant behavior, organizations often implement sanction mechanisms. However, evidence from research regarding the efficiency of such a deterrence approach has been mixed. Drawing on this inconsistency, this paper examines the applicability of deterrence theory in information security policy compliance research. It is argued that contextual and methodological moderators play a crucial role when conceptualizing deterrence theory in security studies. Applying a meta-analysis, the results suggest that sanctions have an overall effect on deviant behavior. However, the results also indicate that this relationship is dependent on the study’s context. Deterrence theory better predicts deviant behavior in malicious contexts, cultures with a high degree of power distance, and cultures with a high uncertainty avoidance. The meta-analysis also reveals no meaningful differences arising from the methodological context in terms of scenario-based and behavior-specific measurement.
52 citations
TL;DR: An empirical test of the influence of institutional governance (IG) on protection motivation and planned behavior of employees in HEIs confirms the significant contribution of IG in motivating protection behavior among employees of HEIs.
49 citations
References
More filters
TL;DR: A design-science research project to improve an organization’s compound problems of unsuccessful employee phishing prevention and poorly received internal security training created a gamified security training system focusing on enhancing intrinsic motivation through gamification and improving security learning and efficacy.
Abstract: We conducted a design-science research project to improve an organization’s compound problems of (1) unsuccessful employee phishing prevention and (2) poorly received internal security training. To...
87 citations
TL;DR: A two-year design science research (DSR) study of a smart contract initiative piloted by a consortium in the UK’s construction sector, which explores how a group of supply chain actors collectively designs and pilots a blockchain solution that addresses the supply chain transparency and provenance problem.
Abstract: While blockchain technologies are gaining momentum within supply chains, academic understanding of concrete, real-life design and implementation is still lagging, hence offering very limited insights into the true implications of blockchain technology on supply chains. This paper reports a two-year design science research (DSR) study of a smart contract initiative piloted by a consortium in the UK’s construction sector. We seek answers to the research question, ‘How should a blockchain enabled supply chain be designed?’ Guided by the theory of business model, we explore how a group of supply chain actors collectively designs and pilots a blockchain solution that addresses the supply chain transparency and provenance problem. Our research is one of the very few longitudinal empirical studies to offer in-depth evidence about how blockchain is deployed in complex multi-tier supply chain networks. In compliance with DSR research paradigm, we make contributions at three levels: designing and instantiating the blockchain architect and proving its utility in addressing the target problem; developing a set of design principles as a mid-range theory that can be applied and tested in different blockchain supply chain contexts; and refining and extending the kernel theory of business value at supply chain network level.
56 citations
TL;DR: Examining the applicability of deterrence theory in information security policy compliance research suggests that sanctions have an overall effect on deviant behavior, but the results also indicate that this relationship is dependent on the study’s context.
Abstract: Enforcing information security policies is a key concern of information security managers. To deter employees from deviant behavior, organizations often implement sanction mechanisms. However, evidence from research regarding the efficiency of such a deterrence approach has been mixed. Drawing on this inconsistency, this paper examines the applicability of deterrence theory in information security policy compliance research. It is argued that contextual and methodological moderators play a crucial role when conceptualizing deterrence theory in security studies. Applying a meta-analysis, the results suggest that sanctions have an overall effect on deviant behavior. However, the results also indicate that this relationship is dependent on the study’s context. Deterrence theory better predicts deviant behavior in malicious contexts, cultures with a high degree of power distance, and cultures with a high uncertainty avoidance. The meta-analysis also reveals no meaningful differences arising from the methodological context in terms of scenario-based and behavior-specific measurement.
52 citations
TL;DR: An empirical test of the influence of institutional governance (IG) on protection motivation and planned behavior of employees in HEIs confirms the significant contribution of IG in motivating protection behavior among employees of HEIs.
49 citations