
Towards a Best Fit Between Organizational Security Countermeasures and Information Systems Misuse Behaviors




Journal of Information Systems Security
Volume 3, Number 2 (2007)
Pages 330
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
John D'Arcy — University of Notre Dame, USA
Anat Hovav — Korea University, Korea
Information Institute Publishing, Washington DC, USA




Industry surveys indicate that internal information systems (IS) misuse is a serious problem for organizations. This problem is likely to persist in the future, as the computer literacy of organizational staffs continues to increase. Information security advocates recommend a mix of procedural and technical countermeasures as a strategy for deterring IS misuse. In this study, we examine whether certain security countermeasures are more or less effective depending on the type of IS misuse behavior. Using survey data collected from 507 computer-using professionals, we assessed the deterrent effectiveness of security policies, security education, training, and awareness (SETA) programs, and computer monitoring on a range of IS misuse behaviors that vary in severity. The results suggest that computer monitoring is effective in deterring more severe forms of IS misuse, while security policies and SETA programs are effective against a number of misuse types that vary in severity. The findings contribute to an improved understanding of the "fit" between different security countermeasures and IS misuse behaviors. The research also has several implications for the practice of IS security management.




Information Systems Security, Information Systems Misuse, General Deterrence Theory, Security Countermeasures, Security Management, End User Security



