One of the most challenging problems modern firms face is that their weakest link in maintaining information security is the behavior of employees: clicking on phishing emails, telling friends and family private information, and searching for private information about themselves (Loch, Carr and Warkentin 1992). A survey conducted by the Computer Security Institute reported that the average monetary loss per incident was $288,618 and that 44% of those who responded to the survey reported insider security-related abuse, making it the second-most frequently occurring computer security incident (Richardson 2008).
This paper uses a questionnaire from Hu, West and Smarandescu (2015) to test for the efficacy of different reward and punishment schemes in preventing insider security-related abuse. Hu et al.’s (2015) scenarios elicit from participants whether they would recommend violating company IT policies. Real monetary payments provide motivation.3 The results indicate that, if a company can detect abuses with some degree of certainty, the best strategy among those tested is to regularly reward individual employees with small rewards for complying with company policy and punish every detected violation. This recommendation contrasts with the existing literature, which focuses almost entirely on punishment for detected security breaches. This focus on punishment is referred to as General Deterrence Theory (Straub Jr 1990). The results in this paper suggest strongly that General Deterrence Theory does not provide an effective strategy for preventing security breaches.
Original Release Date: November 2019
Department of Economics, Iowa State University
Li, Yuanxiang John and Hoffman, Elizabeth, "Information Security Policy Compliance" (2019). Economics Working Papers: Department of Economics, Iowa State University. 19024.