To Enforce or To Influence? Understanding the Effects of Organizational, Workgroup, and Personal-Self Sanctions on Preventing Information Security Policy Violations in the Workplace

“Insiders” – employees within organizations – have been seen as a major problem for information security management. Employees were often found to intentionally violate organizational information security policies despite the possibility of being disciplined for their actions. In this study, we aim to examine the effects of different types of sanctions – organizational, workgroup, and personal self-sanctions – on employees’ intention to violate information security policies. We collected survey data from a sample of 306 computer users at work to empirically test our proposed research model. The results suggest that the effect of organizational sanctions on employee behavioral intention diminishes when workgroup and personal self-sanctions are taken into account; personal self-sanctions also partially mediate the effect of organizational and workgroup sanctions. Implications for theories and information security management practices are also discussed.