| Intentional insider misuse of information technology resources (i.e., IS misuse) is a serious problem for organizations. This problem is likely to persist in the future, as the computer literacy of organizational staffs continues to increase. In response to the growing threat of IS misuse, researchers have suggested that organizations employ certain technical and procedural techniques---termed here security countermeasures---in an effort to deter such behavior. This study uses the framework of general deterrence theory to investigate the impact of security countermeasures (defined as security policies, security awareness programs, monitoring practices, and preventative security software) on IS misuse, and the role of perceived certainty and severity of sanctions in mediating these relationships. In addition, the study tests the differential deterrence hypothesis by examining the moderating influence of computer self-efficacy, risk propensity, and virtual status on the effectiveness of the aforementioned security countermeasures.; Data were collected using a survey instrument that captured respondents' intentions and perceived certainty and severity of organizational sanctions regarding different IS misuse scenarios and measured the other variables in the proposed model. Based on analyses of three different datasets, strong support was found for the effectiveness of security policies, security awareness programs, and computer monitoring in deterring IS misuse. Preventative security software, at least in the form of basic access control technologies, appears only moderately effective in deterring IS misuse. The results also suggest that risk propensity does not impact the effectiveness of security countermeasures, but computer self-efficacy and virtual status do. Specifically, security policies, computer monitoring, and preventative security software are less effective in deterring IS misuse for individuals with greater computer self-efficacy, while security awareness programs are more effective for these individuals. Security awareness programs also have a greater deterrent effect on virtual workers, but security policies are less effective for these individuals.; Overall, this study presents significant progress toward explaining the relationships between security countermeasures and IS misuse, while reaffirming the applicability of general deterrence theory to the IS security domain. The results also have strong implications for IS security management practices within organizations. |
PDF Full Text Request