Punishment and ethics deterrents: A study of insider security contravention

Authors

  • Michael Workman
  • John Ng'ang'a Gathegi
Abstract

by the U.S. Department of Justice (2004) that one in three people will become victims of identity theft at some point in their lifetime. The bulk of the research into information security has gone into the investigation of technological aspects of security, and there are gaps in the literature relative to contravention of security measures. Drawing from deterrence theory and using the theory of planned behavior as a general framework, this empirical field study investigated the effects of punishment and ethics training on behaviors related to contravention of information security measures among information professionals to fill an important gap in the literature. We found that both punishment and ethics training can be effective in mitigating the threat of software and information security, but that these depend on certain underlying motivational factors of individuals. The results of this study suggest a need to develop and refine the theoretical models, and we offer suggestions for getting at the root of behavioral issues surrounding information security. Information security has become an increasingly important research topic because there is little in the literature to explain why people contravene information security defense procedures that lead to billions of dollars annually in corporate and Contravention is associated with the behaviors of illegal copying of software (software piracy or softlifting), breaking software license keys, removing software and/or proprietary information from the office for personal use, cracking passwords, and committing fraudulent acts such as stealing information The problem has been studied primarily from the point of view of a technological problem, and the extant research has suggested techniques and technologies to use for creating better defenses, for example, through criteria used in performing risk analyses and the appropriate application of countermeasures (cf. Duh, Jamal, & Sunder, 2002).
However, the problem has a behavioral root, and the ability to breach security defenses continues to outrun the ability to defend against them (Bresz, 2004; Sasse et al., 2004). Some of the counterproductive behaviors research (e.g., Harrington, 1996) has suggested treatments such as using ethics training as a means to address contravention propensities; however, this approach appears, on the whole, to be somewhat ineffective in stemming the contravention prob-have used deterrence theory to explain behaviors associated with various insider security breaches and have suggested punitive forms of treatment after the fact. While these studies have helped to advance the understanding of techniques to preclude or at least diminish some …


Similar resources

Jurisprudential Legal Explanation of Confiscation of Property in Drug Crimes

Drug crimes, regardless of the economic consequences, have threatened public and individual health and determined the international community to combat them effectively. Therefore, in the laws in question, confiscation of property is considered as a punishment for criminals of drug crimes; while from a jurisprudential point of view, this punishment has faced challenges. The findings of the pres...


An Authorization Framework for Database Systems

Today, data plays an essential role in all levels of human life, from personal cell phones to medical, educational, military and government agencies. In such circumstances, the rate of cyber-attacks is also increasing. According to official reports, data breaches exposed 4.1 billion records in the first half of 2019. An information system consists of several components, which one of the most im...


MVAL: Addressing the Insider Threat by Valuation-based Query Processing

The research presented in this paper is inspired by problems of conventional database security mechanisms to address the insider threat, i.e. authorized users abusing granted privileges for illegal or disadvantageous accesses. The basic idea is to restrict the data one user can access by a valuation of data, e.g. a monetary value of data items, and, based on that, introducing limits for accesse...


The insider threat to information systems and the effectiveness of ISO17799

Insider threat is widely recognised as an issue of utmost importance for IS security management. In this paper, we investigate the approach followed by ISO17799, the dominant standard in IS security management, in addressing this type of threat. We unfold the criminology theory that has designated the measures against insider misuse suggested by the standard, i.e. the General Deterrence Theory,...


Towards an insider threat prediction specification language

Purpose This concept paper presents the process of constructing a language tailored to describing insider threat incidents, for the purposes of mitigating threats originating from legitimate users in an IT infrastructure. Various information security surveys indicate that misuse by legitimate (insider) users has serious implications for the health of IT environments. A brief discussion of surve...



Journal title:
  • JASIST

Volume 58  Issue 

Pages  -

Publication date 2007