To read this content please select one of the options below:

Deterrence and punishment experience impacts on ISP compliance attitudes

Salvatore Aurigemma (Department of Computer Information Systems, University of Tulsa, Tulsa, Oklahoma, USA)
Thomas Mattson (Robins School of Business, University of Richmond, Richmond, Virginia, USA)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 9 October 2017

684

Abstract

Purpose

The paper aims to examine the inconclusive impacts of sanction-related deterrence on employee information security policy (ISP) compliance from the extant literature. It proposes that the disparate findings can be partially explained by two factors: investigating the mediating impact of attitudes on sanction effects instead of directly on behavioral intentions and examining employees with and without previous punishment experiences separately.

Design/methodology/approach

The paper relied upon survey data from 239 employees of a large governmental organization with a robust ISP and security education and training awareness program.

Findings

The paper provides empirical evidence that the rational estimation of sanction effects impacts the cognitive component of attitudes to develop a positive or negative attitude toward performing the ISP directed behavior. Furthermore, this attitudinal effect (created by sanction threats) will be biased depending on whether the employee has experienced, personally or vicariously, any previous punishment for violating the ISP.

Research limitations/implications

Because of the chosen research approach (self-reported survey data) and context (single hierarchical organization and a very specific security threat), the research results may lack generalizability. Therefore, researchers are encouraged to test the proposed propositions further in different organizational and threat contexts.

Practical implications

Organizations should have a thorough understanding of how their employees’ perceive sanctions in relationship to their prior experiences before implementing such policies.

Originality/value

The paper addresses previous research calls for examining possible mediation variables for deterrence effects and impacts of punishment experiences on employee ISP compliance.

Keywords

Citation

Aurigemma, S. and Mattson, T. (2017), "Deterrence and punishment experience impacts on ISP compliance attitudes", Information and Computer Security, Vol. 25 No. 4, pp. 421-436. https://doi.org/10.1108/ICS-11-2016-0089

Publisher

:

Emerald Publishing Limited

Copyright © 2017, Emerald Publishing Limited

Related articles