Information Security Policy Compliance

Abstract

One of the most challenging problems modern firms face is that their weakest link in maintaining information security is the behavior of employees: clicking on phishing emails, telling friends and family private information, and searching for private information about themselves (Loch et al. 1992; Mitnick and Simon 2001; Warkentin and Willison 2009a). A survey conducted by the Computer Security Institute reported that the average monetary loss per incident was $288,618 and that 44% of those who responded to the survey reported insider security-related abuse, making it the second-most frequently occurring computer security incident (Richardson and Director 2008). This paper uses a questionnaire from Hu, et al. (2017) to test for the efficacy of different reward and punishment schemes in preventing insider security-related abuse. Hu, et al.’s (2015) scenarios elicit from participants whether they would recommend violating company IT policies. Real monetary payments provide motivation. The results indicate that, if a company can detect abuses with some degree of certainty, the best strategy among those tested is to regularly reward individual employees with small rewards for complying with company policy and punish every detected violation. This recommendation contrasts with the existing literature, which focuses almost entirely on punishment for detected security breaches. This focus on punishment is referred to as General Deterrence Theory (Straub, Jr., 1990). The results in this paper suggest strongly that General Deterrence Theory does not provide an effective strategy for preventing security breaches.