Korea Advanced Institute of Science and Technology
LABORATORY SEMINAR
“User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach”
(Information Systems Research, Vol. 20, No. 1, March 2009, pp. 79-98)
John D’Arcy, Anat Hovav, Dennis Galletta
Table of Contents
Introduction
Research Objective
Literature Review
Research Model and Hypothesis
Methodology
Data Analysis and Results
Discussion and Conclusion
Limitations and Future Research

Introduction
A United Nations report (2005, p. xxiii) estimates “tens, if not hundreds of billions of dollars” of annual worldwide economic damage related to information security
Research indicates that between 50%–75% of security incidents come from within an organization (Ernst and Young 2003, InformationWeek 2005), often carried out by dissatisfied employees (Standage 2002)
Organizations should therefore emphasize understanding this behavior of internal misuse of IS resources
General deterrence theory (GDT) suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse
Research Objectives
This study introduces and empirically tests an extended GDT model which posits that user awareness of security countermeasure programs directly impacts user perceptions of the certainty (PC) and severity (PS) of sanctions associated with IS misuse intention
It suggests a modified version of GDT in the IS security context to advance understanding of the underlying process through which security countermeasures impact users’ intentions to misuse IS
It also reveals important implications for the practice of IS security management
Literature Review
Effective IS security management should aim to maximize the number of deterred and prevented abusive acts and minimize those that must be detected and punished (Theoharidou et al. 2005)
IS misuse can be deterred with a mix of procedural and technical controls such as security policies, SETA programs, and monitoring software (Dhillon 1999, Parker 1998, Straub and Welke 1998)
Empirical studies using GDT as a theoretical base have assessed the effectiveness of a variety of security countermeasures
Security countermeasures can serve as deterrent mechanisms by increasing perceptions of the certainty and severity of punishment for IS misuse
Literature Review
Studies that turned to the individual level to assess the impact of security countermeasures have encountered similar ambiguity
Empirical research on deterrent effects is limited; assessing the deterrent capabilities of SETA programs is particularly salient for practitioners, as such programs are a strategic priority within many organizations (Berinato 2005, Deloitte 2005)
Within the IS security literature, active and visible security efforts in the form of computer monitoring and auditing are recommended approaches for deterring IS misuse, based on the theoretical perspective of GDT (Kankanhalli et al. 2003, Straub 1990)
Research Model and Hypothesis
The extended GDT model integrates user awareness of security countermeasures, sanction perceptions, and IS misuse intention, with countermeasure awareness as the antecedent of PC and PS (Fig. 1)

Fig. 1 (research model):
Security Countermeasures: Security Policies, SETA Program, Computer Monitoring
Sanction Perceptions: Perceived Certainty of Sanctions, Perceived Severity of Sanctions
IS Misuse Intention
Control Variables: Age, Gender, Moral Commitment, Organization
(Security Countermeasures → Sanction Perceptions → IS Misuse Intention; Control Variables → IS Misuse Intention)
Research Model and Hypothesis
Security Policies: define rules and guidelines for the proper use of organizational IS resources, e.g., acceptable use guidelines (Whitman et al. 2001)
SETA Programs: necessary to control IS misuse; they can take many forms and focus on providing users with general knowledge of the information security environment (Dhillon 1999, Parker 1998, Whitman 2001)
Computer Monitoring: used by organizations to gain compliance with rules and regulations, and can reduce IS misuse (Urbaczewski and Jessup 2002)

Research Model and Hypothesis
Sanction Perceptions: perceptions associated with committing IS misuse, where certainty of sanctions refers to the probability of being punished and severity of sanctions refers to the degree of punishment (Tittle 1980)
IS Misuse Intention: an individual’s intention to perform a behavior that the organization defines as a misuse of IS resources (Magklaras and Furnell 2002)
Control Variables: variables that potentially influence IS misuse intention (Gattiker and Kelley 1999, Leonard 2001, Leonard et al. 2004, Paternoster 1987, Wentzel 2004, Banerjee et al. 1998)

Research Model and Hypothesis
The hypotheses derived from the above model are as follows:
Hypothesis 1A (H1A). PC is negatively associated with IS misuse intention
Hypothesis 1B (H1B). PS is negatively associated with IS misuse intention
Hypothesis 2A (H2A). User awareness of IS security policies is positively associated with PC
Hypothesis 2B (H2B). User awareness of IS security policies is positively associated with PS
Hypothesis 3A (H3A). User awareness of SETA programs is positively associated with PC
Hypothesis 3B (H3B). User awareness of SETA programs is positively associated with PS
Hypothesis 4A (H4A). User awareness of computer monitoring practices is positively associated with PC
Hypothesis 4B (H4B). User awareness of computer monitoring practices is positively associated with PS
Methodology
A survey instrument was used for data collection through a field study
It was designed to capture respondents’ perceptions of the certainty (PC) and severity (PS) of sanctions for IS misuse, moral commitment (MC), and IS misuse intention (INT)
It also measured respondent awareness of security policies, SETA programs, and computer monitoring
The PC, PS, MC, and INT constructs were measured using four misuse scenarios:
Inappropriate email
Unlicensed software
Unauthorized access
Unauthorized modification
The scenarios were pretested on a group of 26 professionals taking MBA classes at a large U.S. university
