Abstract

Much information security research focuses on policies firms could adopt to reduce or eliminate employees' violation behavior. However, current information security policies are based on increasingly outmoded models of compliance behavior. This paper proposes a novel behavioral-based mechanism that offers rewards and punishments to incentivize employees to take the time to protect a company's information assets. This new mechanism is grounded in insights from externality taxes and subsidies, as well as from behavioral economics, that specific incentives operationalized as monetary rewards and punishments effectively improve information security compliance. We also consider the importance of detection in implementing our mechanism. We conduct a set of laboratory experiments to study the impact of the rewards and punishments, as well as the importance of the probability of detection. Our results show clearly that rewards alone or a combination of rewards and punishments are effective in improving information security policy compliance in both high- and low-detection environments, but punishments alone are not effective in either of our environments. In addition, a company's information security compensation plan is more likely to be effective in improving compliance if the company can more reliably detect violations. Overall, our study suggests that a compensation structure based on small and predictable financial rewards and punishments is likely more effective than the current punishment-focused approach.
