Deterrence and punishment experience impacts on ISP compliance attitudes
Abstract
Purpose
The paper aims to examine the inconclusive impacts of sanction-related deterrence on employee information security policy (ISP) compliance from the extant literature. It proposes that the disparate findings can be partially explained by two factors: investigating the mediating impact of attitudes on sanction effects instead of directly on behavioral intentions and examining employees with and without previous punishment experiences separately.
Design/methodology/approach
The paper relied upon survey data from 239 employees of a large governmental organization with a robust ISP and security education and training awareness program.
Findings
The paper provides empirical evidence that the rational estimation of sanction effects impacts the cognitive component of attitudes to develop a positive or negative attitude toward performing the ISP-directed behavior. Furthermore, this attitudinal effect (created by sanction threats) will be biased depending on whether the employee has experienced, personally or vicariously, any previous punishment for violating the ISP.
Research limitations/implications
Because of the chosen research approach (self-reported survey data) and context (single hierarchical organization and a very specific security threat), the research results may lack generalizability. Therefore, researchers are encouraged to test the proposed propositions further in different organizational and threat contexts.
Practical implications
Organizations should have a thorough understanding of how their employees perceive sanctions in relation to their prior experiences before implementing such policies.
Originality/value
The paper addresses previous research calls for examining possible mediation variables for deterrence effects and impacts of punishment experiences on employee ISP compliance.
Citation
Aurigemma, S. and Mattson, T. (2017), "Deterrence and punishment experience impacts on ISP compliance attitudes", Information and Computer Security, Vol. 25 No. 4, pp. 421-436. https://doi.org/10.1108/ICS-11-2016-0089
Publisher
Emerald Publishing Limited
Copyright © 2017, Emerald Publishing Limited