Employees' noncompliance with information security policy and rules is a serious impediment to the effectiveness of security programs in organizations. The extant information security studies have used General Deterrence Theory (GDT) to investigate noncompliant information security behavior, yet most of the findings have not been effective in practice due to a lack of strong theoretical underpinning. Neglecting criminal propensity of the potential perpetrator has been identified to be one of the theoretical weaknesses of GDT-based studies. Any attempt to explain noncompliant information security behavior in organizational context, demands a well grounded framework to explain why employees transgress information security policies and rules. The purpose of this study was to empirically investigate the link between self-control (criminal propensity), deterrence perceptions, and noncompliant information security behavior. Criminal propensity was operationalized using the three perspectives of self-control: personality trait, social bond, and self-generated inhibitions. This study then examined the influence of the three self-control variables on deterrence perceptions (certainty, severity, and celerity). Further, the study investigated the impact of deterrence perceptions on noncompliant information security behavior.
Data collected from 421 employees in a Southern USA-based company was used to test the relationships between research model constructs using SPSS's Amos structural equation modeling software package. Results indicated that employees' perceptions on all three dimensions of deterrents were positively impacted by self-control based on self-generated inhibitions. The results also showed that only employees' perceptions on certainty of apprehension and celerity of punishment were positively impacted by social bond self-control. No significant relationships were established between deterrence perceptions and personality trait self-control. Further, employees' perceptions on certainty of apprehension and celerity of punishment were negatively associated with noncompliant information security behavior. The results also indicated that severity of punishment was not a significant predictor of noncompliant information security behavior. The uniqueness of this study provided evidence on the importance of incorporating criminal propensity in GDT-based studies. The current study also highlighted the importance of celerity of punishment dimension, which is highly neglected by GDT-based information security studies.
Identifer | oai:union.ndltd.org:nova.edu/oai:nsuworks.nova.edu:gscis_etd-1119 |
Date | 01 January 2012 |
Creators | Chuma, Ramadhan |
Publisher | NSUWorks |
Source Sets | Nova Southeastern University |
Detected Language | English |
Type | text |
Format | application/pdf |
Source | CEC Theses and Dissertations |
Page generated in 0.0021 seconds