A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings

European Journal of Information Systems

Volumn 20, Issue 6, 2011, Pages 643-658

  D'Arcy, John ^a   Herath, Tejaswini ^b  

^a UNIVERSITY OF NOTRE DAME   (United States)

^b BROCK UNIVERSITY   (Canada)

Author keywords

computer abuse; eterrence theory; IS misuse; IS security compliance; IS security policy violations; rational choice theory

Indexed keywords

COMPUTER ABUSE; ETERRENCE THEORY; IS SECURITY COMPLIANCES; IS SECURITY POLICIES; RATIONAL CHOICE THEORY;

BEHAVIORAL RESEARCH;

EID: 80455178572     PISSN: 0960085X     EISSN: 14769344     Source Type: Journal    
DOI: 10.1057/ejis.2011.23     Document Type: Review

References (77)

1. ANTIA KD, BERGEN ME, DUTTA S and FISHER RJ (2006) How does market enforcement deter gray market incidence? Journal of Marketing 70(1), 92-106.
2. BACHMAN R, PATERNOSTER R and WARD S (1992) The rationality of sexual offending: Testing a deterrence/rational choice conception of sexual assault. Law & Society Review 26(2), 343-372.
3. BECCARIA C (1963) On Crimes and Punishment. Macmillan, New York.
4. BOUFFARD JA, EXUM ML and COLLINS PA (2010) Methodological artifacts in tests of rational choice theory. Journal of Criminal Justice 38(4), 400-409.
5. BULGURCU B, CAVUSOGLU H and BENBASAT I (2010) Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly 34(3), 523-548.
6. CAO L (2004) Major Criminological Theories: Concepts and Measurement. Wadsworth, Belmont, California.
7. CHIDAMBARAM L and TUNG LL (2005) Is out of sight, out of mind? an empirical study of social loafing in technology-supported groups. Information Systems Research 16(2), 149-168.
8. COCHRAN JK, ALEKSA V and SANDERS BA (2008) Are persons low in self-control rational and deterrable? Deviant Behavior 29(5), 461-483.
9. CSO/CERT/DELOITTE (2010) Cybersecurity watch survey. [WWW document] http://www.cert.org/insider-threat (accessed 1 May 2011).
10. D'ARCY J and HOVAV A (2009) Does one size fit all? examining the differential effects of IS security countermeasures. Journal of Business Ethics 89(1), 59-71.
11. D'ARCY J, HOVAV A and GALLETTA DF (2009) User awareness of security countermeasures and its impact on information systems misuse: A deterrence perspective. Information Systems Research 20(1), 79-98.
12. ELIS LA and SIMPSON S (1995) Informal sanction threats and corporate crime: Additive versus multiplicative models. Journal of Research in Crime and Delinquency 32(4), 399-424.
13. ERNST AND YOUNG (2009) 12th annual global information security survey. [WWW document] http://www.ey.com (accessed 1 May 2011).
14. GIBBS JP (1975) Crime, Punishment, and Deterrence. Elsevier, New York.
15. GOPAL RD and SANDERS GL (1997) Preventative and deterrent controls for software piracy. Journal of Management Information Systems 13(4), 29-47.
16. GRASMICK HG and BRYJAK GJ (1980) The deterrent effect of perceived severity of punishment. Social Forces 59(2), 471-491.
17. GRASMICK HG and BURSIK R (1990) Conscience, significant others, and rational choice: Extending the deterrence model. Law and Society Review 24(3), 837-861.
18. GRASMICK HG, TITTLE R, BURSIK J and ARNEKLEV B (1993) Testing the core implications of Gettfredson and Hirschi's general theory of crime. Journal of Research in Crime and Delinquency 30(1), 5-29.
19. HARRINGTON SJ (1996) The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions. MIS Quarterly 20(3), 257-278.
20. HERATH T and RAO HR (2009a) Protection motivation and deterrence: A framework for security policy compliance in organizations. European Journal of Information Systems 18(2), 106-125.
21. HERATH T and RAO HR (2009b) Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems 47(2), 14-165.
22. HIGGINS G, WILSON A and FELL B (2005) An application of deterrence theory to software piracy. Journal of Criminal Justice and Popular Culture 12(3), 166-184.
23. HOLLINGER RC (1993) Crime by computer: Correlates of software piracy and unauthorized account access. Security Journal 4(1), 2-12.
24. JACOBS BA (2010) Deterrence and deterrability. Criminology 48(2), 417-441.
25. KANKANHALLI A, TEO H-H, TAN BCY and WEI K-K (2003) An integrative study of information systems security effectiveness. International Journal of Information Management 23(2), 139-154.
26. KLEPPER S andNAGIN DS (1989) The deterrent effect of perceived certainty and severity of punishment revisited. Criminology 27(4), 721-746.
27. KOHLBERG L (1969) Stage and sequence: The cognitive developmental approach to socialization. In Handbook of Socialization Theory (Goslin DA, Ed.), pp 347-380, Rand McNally, Chicago.
28. KRUEGAR NJ and DICKSON PR (1994) How believing in ourselves increases risk taking: Perceived self-efficacy and opportunity recognition. Decision Sciences 25(3), 385-400.
29. LEE SM, LEE S-G and YOO S (2004) An integrative model of computer abuse based on social control and general deterrence theories. Information and Management 41(6), 707-718.
30. LI H, ZHANG J and SARATHY R (2010) Understanding compliance within internet use policy from the perspective of rational choice theory. Decision Support Systems 48(4), 635-645.
31. LIAO Q, GURUNG A, LUO X and LI L (2009) Workplace management and employee misuse: Does punishment matter? Journal of Computer Information Systems 50(2), 49-59.
32. LOCH KD and CONGER S (1996) Evaluating ethical decision making and computer use. Communications of the ACM 39(7), 74-83.
33. MANN RE, SMART RG, STODUTO G, ADLAF EM, VINGILIS E, BEIRNESS D, LAMBLE R and ASHBRIDGE M (2003) The effects of drinking-driving laws: A test of the differential deterrence hypothesis. Addiction 98(11), 1531-1536.
34. MARAKAS GM, JOHNSON RD and CLAY PF (2007) The evolving nature of the computer self-efficacy construct: An empirical investigation of measurement construction, validity, reliability and stability over time. Journal of the Association for Information Systems 8(1), 16-46.
35. MCCLOSKEY DW and IGBARIA M (2003) Does 'out of sight' mean 'out of mind'? an empirical investigation of career advancement prospects of telecommuters. Information Resources Management Journal 16(2), 19-34.
36. MENDES SM and MCDONALD MD (2001) Putting severity of punishment back in the deterrence package. Policy Studies Journal 29(4), 588-610.
37. MERCURI RT (2003) Analyzing security costs. Communications of the ACM 46(6), 15-18.
38. MYYRY L, SIPONEN M, PAHNILA S, VARTIAINEN T and VANCE A (2009) What levels of moral reasoning and values explain adherence to information security rules? an empirical study. European Journal of Information Systems 18(2), 1-14.
39. NAGIN DS and POGARSKY G (2001) Integrating celerity, impulsivity, and extralegal sanction threats into a model of general deterrence: Theory and evidence. Criminology 39(4), 865-891.
40. PAHNILA S, SIPONEN M and MAHMOOD A (2007) Employees' behavior towards IS security policy compliance. In Proceedings of the 40th Annual Hawaii International Conference on System Sciences, Hawaii, USA.
41. PATERNOSTER R (1987) The deterrence effect of perceived certainty and severity of punishment: A review of the evidence and issues. Justice Quarterly 4(2), 173-217.
42. PATERNOSTER R (2010) How much do we really know about criminal deterrence? The Journal of Criminal Law and Criminology 100(3), 765-823.
43. PATERNOSTER R and IOVANNI L (1986) The deterrent effect of perceived severity: A reexamination. Social Forces 64, 751-777.
44. PATERNOSTER R and SIMPSON S (1993) A rational choice theory of corporate crime. In Routine Activities and Rational Choice: Advances in Criminological Theory, Volume 5 (CLARKE RV and FELSON M, Eds), pp 37-58, Transaction Publishers, New Brunswick, NJ.
45. PATERNOSTER R and SIMPSON S (1996) Sanction threats and appeals to morality: Testing a rational choice model of corporate crime. Law & Society Review 30(3), 549-584.
46. PINSONNEAULT A and HEPPEL N (1998) Anonymity in group support systems research: A new conceptualization, measure, and contingency framework. Journal of Management Information Systems 14(3), 89-108.
47. PIQUERO A and TIBBETTS S (1996) Specifying the direct and indirect effects of low self-control and situational factors in offenders decision making: Toward a more comparative model of rational offending. Justice Quarterly 13(3), 481-510.
48. POGARSKY G and PIQUERO AR (2004) Studying the reach of deterrence: Can deterrence theory help explain police misconduct? Journal of Criminal Justice 32(4), 371-386.
49. POGARSKY G, PIQUERO AR and PATERNOSTER R (2004) Modeling change in perceptions about sanction threats: The neglected linkage in deterrence theory. Journal of Quantitative Criminology 20(4), 343-369.
50. POSTMES T and SPEARS R (1998) Deindividuation and antinormative behavior: A meta-analysis. Psychological Bulletin 123(3), 238-259.
51. PRATT TC and CULLEN FT (2000) The empirical status of Gottfredson and Hirschi's general theory of crime: A meta-analysis. Criminology 38, 931-964.
52. PRATT TC, CULLEN FT, BLEVIS KR, DAIGLE LE and MADENSEN TD (2006) The empirical status of deterrence theory: A meta-analysis. In Taking Stock: The Status of Criminological Theory (CULLEN FT, WRIGHT JP and BLEVINS KR, Eds), pp 37-76, Transaction Publishers, New Brunswick, NJ.
53. PREDD J, PFLEEGER SL, HUNKER J and BULFORD C (2008) Insiders behaving badly. IEEE Security & Privacy 6(4), 66-70.
54. PWC/CSO/CIO (2010) The global state of information security. [WWW document] http://www.pwc.com/en-GX/gx/information-security-survey/ pdf/pwcsurvey2010-cio-reprint.pdf (accessed 1 May 2011).
55. REBELLON CJ, PIQUERO NL, PIQUERO AR and TIBBETTS SG (2010) Anticipated shaming and criminal offending. Journal of Criminal Justice 38(5), 988-997.
56. ROBEY D and BOUDREAU MC (1996) Accounting for the contradictory organizational consequences of information technology: Theoretical directions and methodological implications. Information Systems Research 10(2), 167-185.
57. SCHOEPFER A and PIQUERO AR (2006) Self-control, moral beliefs, and criminal activity. Deviant Behavior 27(1), 51-71.
58. SILBERMAN M (1976) Toward a theory of criminal deterrence. American Sociological Review 41(3), 442-461.
59. SIMPSON S, PIQUERO N and PATERNOSTER R (2002) Rationality and corporate offending decisions. In Rational Choice and Criminal Behavior: Recent Research and Future Challenges (Piquero AR and Tibbetts SG, Eds), pp 25-39, Routledge, New York.
60. SIPONEN M and VANCE A (2010) Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly 34(3), 487-502.
61. SIPONEN M, PAHNILA S and MAHMOOD A (2007) Employees' adherence to information security policies: An empirical study. In International Federation for Information Processing, Volume 232, New Approaches for Security, Privacy and Trust in Complex Environments (VENTER H, ELOFF M, LABUSCHAGNE L, ELOFF J and VON SOLMS R Eds), pp 133-144, Springer, Boston, MA.
62. SIPONEN M, WILLISON R and BASKERVILLE R (2008) Power and practice in information systems security research. In Proceedings of the International Conference on Information Systems , pp 14-17, Paris, France.
63. SKINNER WF and FREAM AM (1997) A social learning theory analysis of computer crime among college students. Journal of Research in Crime and Delinquency 34(4), 495-518.
64. SMITH NC, SIMPSON SS and HUANG C-Y (2007) Why managers fail to do the right thing: An empirical study of unethical and illegal conduct. Business Ethics Quarterly 17(4), 633-667.
65. STRAUB DW (1990) Effective IS security: An empirical study. Information Systems Research 1(3), 255-276.
66. THEOHARIDOU M, KOKOLAKIS S, KARYDA M and KIOUNTOUZIS E (2005) The insider threat to information systems and the effectiveness of ISO17799. Computers & Security 24(6), 472-484.
67. THORNBERRY TP (1989) Reflections on the advantages and disadvantages of theoretical integration. In Theoretical Integration in the Study of Deviance and Crime (MESSNER SF, KROHN MD, and LISKA AE, eds.), pp 51-60, State University of New York Press, Albany, NY.
68. TITTLE CR (1980) Sanctions and Social Deviance: The Question of Deterrence. Praeger, New York.
69. TREVINO LK, WEAVER GR and REYNOLDS SJ (2006) Behavioral ethics in organizations: A review. Journal of Management 32(6), 951-990.
70. UNITED NATIONS (2005) Information economy report 2005. [WWW document] http://www.unctad.org/en/docs/sdteecb20051overview-en pdf (accessed 1 May 2011).
71. WARKENTIN M and WILLISON R (2009) Behavioral and policy issues in information systems security: The insider threat. European Journal of Information Systems 18(2), 101-105.
72. WIESENFELD B, RAGHURAM S and GARUD R (1999) Communication patterns as determinants of organizational identification in a virtual organization. Organization Science 10(6), 777-790.
73. WILLIAMS KR and HAWKINS R (1986) Perceptual research on general deterrence: A critical review. Law & Society Review 20(4), 545-572.
74. WORKMAN M and GATHEGI J (2007) Punishment and ethics deterrents: A study of insider security contravention. Journal of the American Society for Information Science and Technology 58(2), 212-222.
75. WRIGHT BRE, CASPI A, MOFFITT TE and PATERNOSTER R (2004) Does the perceived risk of punishment deter criminally prone individuals? rational choice, self-control, and crime. Journal of Research in Crime and Delinquency 41(2), 180-213.
76. ZHANG L, SMITH WW and MCDOWELL WC (2006) Examining digital piracy: Self-control, punishment, and self-efficacy. Information Resources Management Journal 22(1), 24-44.
77. ZIMBARDO PG (1969) The human choice: Individuation, reason, and order versus deindividuation, impulse, and chaos. In Nebraska Symposium on Motivation (ARNOLD WJ and LEVINE D, Eds), pp 237-307, University of Nebraska Press, Lincoln, Nebraska.