Control, Risk and Information Security Precautions

The introduction of the Internet to the business world has changed many ways of doing business. Unfortunately, the Internet has also become an arena where individuals are constantly at risk for computer viruses, spyware/adware infection, and malicious attacks designed to misuse or appropriate corporate assets. The wide-spread publicity of both cyber-attacks and ways to combat these problems, public and corporate education efforts, and prevention efforts (including corporate spending on new protections and enforcement of existing policies), suggest that it is logical for users to put precautionary practices in place. Unfortunately, they often don’t. Many individuals within organizations underestimate their vulnerability and do not follow prescribed security policies and procedures implemented within their organizations. Extant security literature heavily emphasizes automatic or programmed security measures, but does not focus strongly on the behaviors of individuals in the security setting. This paper examines two research questions: What are the effects of organizational policies and procedures on security precautions taken by individuals? What is the role that individual risk perceptions play in individual cyberprecautions choices? These questions will be addressed by theory taken from the formal control and fear of crime literatures. This theory posits that formal controls and individuals’ experiences have a strong effect on both individual perceptions of mandatory rules and individual risk perceptions. These perceptions, in turn, lead to precaution-taking behaviors. The resulting model will be tested with a field survey.