4 research outputs found

    Impact of Protection Motivation and Deterrence on IS Security Policy Compliance: A Multi-Cultural View

    IS security policy non-compliance is a problem experienced globally. Organizations have implemented formal and informal sanctions to enforce policy compliance. Sanctions can be positive (rewards) or negative (punishment) and may influence employees differently across different cultures. We propose an examination of antecedents that influence IS security policy compliance utilizing Protection Motivation Theory (PMT) and Deterrence Theory in a global context. Using six different countries, we plan to find if protection motivation and deterrence factors differ among different cultures through the influence of Hofstede’s cultural dimensions.

    Overcoming Mixed-Gender Requirements Misspecification with the Modified Coherence Method

    Research has identified significant differences between the communication patterns employed by males and females in all cultures. The variances in communication can lead to ineffective transfer of information from the user to an analyst in the system development process. The quality of the resulting system will primarily depend on the information that is verbalized to the system analyst by the system users during the requirements elicitation process. Therefore, coherence between the parties, especially within mixed gender dyads, is vital in understanding what the user would expect from the system to be developed. We explore these communication differences in an attempt to improve the understanding among both parties in overcoming issues arising from lack of themal coherence. After analyzing those differences, the modified coherence method is presented as a primary method in overcoming the language barriers encountered during the discourse between analyst and users during requirements elicitation.

    High-Risk Deviant Decisions: Does Neutralization Still Play a Role?

    Extant research has shown that neutralization processes can enable potential IS security policy violators to justify their behavior and overcome the deterrence effect of sanctions in order to engage in unethical behaviors. However, such sanctions are typically moderate and not career ending. We test the boundary conditions of this theory by evaluating whether neutralization plays a role in overcoming the impact of extreme levels of deterrence. We extend the Siponen and Vance (2010) framework within a professional context that assigns extreme sanctions to violators. Using the scenario-based factorial survey method common in IS security research, we collected data from future auditors who understand these extreme sanctions. We test the reasons that auditors may use to form intentions to falsify information concerning an information security issue with a company’s accounting information system, thereby jeopardizing data integrity and security by modifying working papers to hide irregularities and, by doing so, violating their professional standards, which could result in career-ending sanctions. We empirically validated and tested the theoretical model. Our results show that sanctions play an important role in reducing employees’ intentions to violate policy but that, even under extreme boundary conditions, employees might seek to rationalize their unethical behavior by denying responsibility for their actions through, for example, arguing that their supervisors pressured them into performing the violations. We also establish that messages heightening the awareness and perceptions of the certainty and severity of organizational punishment are likely to attenuate such deviant behaviors. We discuss the implications of these findings and suggest future avenues for research.

    Impact of deterrence and inertia on information security policy changes

    This study examines the impact of deterrence and inertia on information security policy changes. Corporations recognize the need to prioritize information security, which sometimes involves designing and implementing new security measures or policies. Using an online survey, we investigate the effect of deterrent sanctions and inertia on respondents’ intentions to comply with modifications to company information security policies. We find that certainty and celerity associated with deterrent sanctions increase compliance intentions, while inertia decreases respondents’ compliance intentions related to modified information security policies. Therefore, organizations must work to overcome employees’ reluctance to change in order to improve compliance with security policy modifications. They may also consider implementing certain and timely sanctions for noncompliance.