To make high-quality research more accessible and easier to explore.

4 results

Beyond Deterrence: An Expanded View of Employee Computer Abuse1

MIS Quarterly 2013 37(1), 1-20
Recent academic investigations of computer security policy violations have largely focused on non-malicious noncompliance due to poor training, low employee motivation, weak affective commitment, or individual oversight. Established theoretical foundations applied to this domain have related to protection motivation, deterrence, planned behavior, self-efficacy, individual adoption factors, organizational commitment, and other individual cognitive factors. But another class of violation demands greater research emphasis: the intentional commission of computer security policy violation, or insider computer abuse. Whether motivated by greed, disgruntlement, or other psychological processes, this act has the greatest potential for loss and damage to the employer. We argue the focus must include not only the act and its immediate antecedents of intention (to commit computer abuse) and deterrence (of the crime), but also phenomena which temporally precede these areas. Specifically, we assert the need to consider the thought processes of the potential offender and how these are influenced by the organizational context, prior to deterrence. We believe the interplay between thought processes and this context may significantly impact the efficacy of IS security controls, specifically deterrence safeguards. Through this focus, we extend the Straub and Welke (1998) security action cycle framework and propose three areas worthy of empirical investigation—techniques of neutralization (rationalization), expressive/instrumental criminal motivations, and disgruntlement as a result of perceptions of organizational injustice—and propose questions for future research in these areas.

Fear Appeals and Information Security Behaviors: An Empirical Study1

MIS Quarterly 2010 34(3), 549-566
Information technology executives strive to align the actions of end users with the desired security posture of management and of the firm through persuasive communication. In many cases, some element of fear is incorporated within these communications. However, within the context of computer security and information assurance, it is not yet clear how these fear-inducing arguments, known as fear appeals, will ultimately impact the actions of end users. The purpose of this study is to investigate the influence of fear appeals on the compliance of end users with recommendations to enact specific individual computer security actions toward the mitigation of threats. An examination was performed that culminated in the development and testing of a conceptual model representing an infusion of technology adoption and fear appeal theories. Results of the study suggest that fear appeals do impact end user behavioral intentions to comply with recommended individual acts of security, but the impact is not uniform across all end users. It is determined in part by perceptions of self-efficacy, response efficacy, threat severity, and social influence. The findings of this research contribute to information systems security research, human–computer interaction, and organizational communication by revealing a new paradigm in which IT users form perceptions of the technology, not on the basis of performance gains, but on the basis of utility for threat mitigation.

An Enhanced Fear Appeal Rhetorical Framework: Leveraging Threats to the Human Asset Through Sanctioning RhetoriC1

MIS Quarterly 2015 39(1), 113-134
Fear appeals, which are used widely in information security campaigns, have become common tools in motivating individual compliance with information security policies and procedures. However, empirical assessments of the effectiveness of fear appeals have yielded mixed results, leading IS security scholars and practitioners to question the validity of the conventional fear appeal framework and the manner in which fear appeal behavioral modeling theories, such as protection motivation theory (PMT), have been applied to the study of information security phenomena. We contend that the conventional fear appeal rhetorical framework is inadequate when used in the context of information security threat warnings and that its primary behavioral modeling theory, PMT, has been misspecified in the extant information security research. Based on these arguments, we propose an enhanced fear appeal rhetorical framework that leverages sanctioning rhetoric as a secondary vector of threats to the human asset, thereby adding the dimension of personal relevance, which is critically absent from previous fear appeal frameworks and PMT-grounded security studies. Following a hypothetical scenario research approach involving the employees of a Finnish city government, we validate the efficacy of the enhanced fear appeal framework and determine that informal sanction rhetoric effectively enhances conventional fear appeals, thus providing a significant positive influence on compliance intentions.