Abstract
One of the most challenging problems modern firms face is that their weakest link in maintaining information security is the behavior of employees: clicking on phishing emails, telling friends and family private information, and searching for private information about themselves (Loch et al. 1992; Mitnick and Simon 2001; Warkentin and Willison 2009a). A survey conducted by the Computer Security Institute reported that the average monetary loss per incident was $288,618 and that 44% of those who responded to the survey reported insider security-related abuse, making it the second-most frequently occurring computer security incident (Richardson and Director 2008). This paper uses a questionnaire from Hu, et al. (2017) to test for the efficacy of different reward and punishment schemes in preventing insider security-related abuse. Hu, et al.’s (2015) scenarios elicit from participants whether they would recommend violating company IT policies. Real monetary payments provide motivation. The results indicate that, if a company can detect abuses with some degree of certainty, the best strategy among those tested is to regularly reward individual employees with small rewards for complying with company policy and punish every detected violation. This recommendation contrasts with the existing literature, which focuses almost entirely on punishment for detected security breaches. This focus on punishment is referred to as General Deterrence Theory (Straub, Jr., 1990). The results in this paper suggest strongly that General Deterrence Theory does not provide an effective strategy for preventing security breaches.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.