뉴스
세미나
[연구]User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrenc
2009.03.01 Views 1040 경영학연구분석센터
Information Systems Research
Volume 20, Issue 1,March 1, 2009, Page: 79 - 98
John D'Arcy Mendoza College of Business, University of Notre Dame, Notre Dame, Indiana 46556
Anat Hovav Korea University Business School, Seoul 136-701 Korea
Dennis Galletta Katz Graduate School of Business, University of Pittsburgh, Pittsburgh, Pennsylvania 15260
http://pubsonline.informs.org/doi/abs/10.1287/isre.1070.0160
Abstract
Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50%–75% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This paper presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions vary based on one's level of morality. Implications for the research and practice of IS security are discussed.
Keywords:
IS misuse ;
IS security ;
security countermeasures ;
general deterrence theory ;
security management ;
end-user security
Volume 20, Issue 1,March 1, 2009, Page: 79 - 98
John D'Arcy Mendoza College of Business, University of Notre Dame, Notre Dame, Indiana 46556
Anat Hovav Korea University Business School, Seoul 136-701 Korea
Dennis Galletta Katz Graduate School of Business, University of Pittsburgh, Pittsburgh, Pennsylvania 15260
http://pubsonline.informs.org/doi/abs/10.1287/isre.1070.0160
Abstract
Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50%–75% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This paper presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions vary based on one's level of morality. Implications for the research and practice of IS security are discussed.
Keywords:
IS misuse ;
IS security ;
security countermeasures ;
general deterrence theory ;
security management ;
end-user security