Abstract
ABSTRACT There is no doubt that organisational security threats are currently surging, internally and externally. In an effort to prevent internal threats – employee violations of information security policy (ISP) – security training programmes and sanction policies are implemented to a large extent in organisations. However, few studies have verified their practical effectiveness and the impact of individual characteristics within organisations. This study conducted a field experiment to examine the actual deterrent effect of those measures against phishing attacks. By fabricating fake phishing schemes through a simulation programme, the specific deterrent effect of punishment, the general deterrent effect of education, and employees’ organisational position were tested on their ISP compliance behaviour. Findings confirmed that punishment effectively prevented the punished from falling for phishing again and that the trained group fell for phishing much less often than the untrained group. In addition, the higher one’s organisational position, the more likely the person fell for phishing. Regardless of the treatment (i.e. training or punishment), this position effect stood out. The results of this study offer researchers and practitioners insightful information about effective deterrence measures and policies for organisational information security.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
