Understanding Organization Employee's Information Security Omission Behavior: an Integrated Model of Social norm and Deterrence

Employee`s information security behavior is critical to ensure the security of organization`s information assets. Countermeasures, such as information security policies, are helpful to reduce computer abuse and information systems misuse. However, employees in practice tend to engage in these violation behaviors, although they know policies and countermeasures. Undoubtedly, these omission behaviors will bring big loss or other potential risks to information assets security. The current study try to make clear on the influence factors of information security omission behaviors and how these drive factors work. From organization control perspective, we integrate deterrence theory and social norm theory to construct research model. We expect deterrence (as normal control) will effectively decrease omission behavioral intention. Besides, colleague`s security omission behaviors may mislead some employee`s behaviors more or less, which is easy to form error code of conduct and induce to the similar omission behaviors. To date, social norms of misperception (as informal control) has not been sufficiently concerned in IS security literature and we believe that may provide a new perceptive to understand the formation mechanism of security omission behaviors.