Abstract

Purpose: The paper aims to examine the inconclusive impacts of sanction-related deterrence on employee information security policy (ISP) compliance from the extant literature. It proposes that the disparate findings can be partially explained by two factors: investigating the mediating impact of attitudes on sanction effects instead of directly on behavioral intentions and examining employees with and without previous punishment experiences separately.

Design/methodology/approach: The paper relied upon survey data from 239 employees of a large governmental organization with a robust ISP and security education and training awareness program.

Findings: The paper provides empirical evidence that the rational estimation of sanction effects impacts the cognitive component of attitudes to develop a positive or negative attitude toward performing the ISP-directed behavior. Furthermore, this attitudinal effect (created by sanction threats) will be biased depending on whether the employee has experienced, personally or vicariously, any previous punishment for violating the ISP.

Research limitations/implications: Because of the chosen research approach (self-reported survey data) and context (single hierarchical organization and a very specific security threat), the research results may lack generalizability. Therefore, researchers are encouraged to test the proposed propositions further in different organizational and threat contexts.

Practical implications: Organizations should have a thorough understanding of how their employees perceive sanctions in relation to their prior experiences before implementing such policies.

Originality/value: The paper addresses previous research calls for examining possible mediation variables for deterrence effects and impacts of punishment experiences on employee ISP compliance.
