
Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse

Author

  • A. J. Burns

    (Stephenson Department of Entrepreneurship and Information Systems, E. J. Ourso College of Business, Louisiana State University, Baton Rouge, Louisiana 70803)

  • Tom L. Roberts

    (Soules College of Business, The University of Texas at Tyler, Tyler, Texas 75799)

  • Clay Posey

    (Information Systems Department, Marriott School of Business, Brigham Young University, Provo, Utah 84602)

  • Paul Benjamin Lowry

    (Business Information Technology, Pamplin College of Business, Virginia Tech, Blacksburg, Virginia 24061)

  • Bryan Fuller

    (Department of Management, Louisiana Tech University, Ruston, Louisiana 71272)

Abstract

Despite widespread agreement among practitioners and academicians that organizational insiders are a significant threat to organizational information systems security, insider computer abuse (ICA)—unauthorized and deliberate misuse of organizational information resources by organizational insiders—remains a serious issue. Recent studies have shown that most employees are willing to share confidential or regulated information under certain circumstances, and nearly one-third to half of major security breaches are tied to insiders. These trends indicate that organizational security efforts, which generally focus on deterrence and sanctions, have yet to effectively address ICA. Therefore, leading security researchers and practitioners have called for a more nuanced understanding of insiders in respect to deterrence efforts. We answer these calls by proposing a middle-range theory of ICA that focuses on understanding the inherent tensions between insider motivations and organizational controls. Our careful review distinguishes two categories of personal motives for ICA: (1) instrumental (i.e., financial benefits) and (2) expressive (i.e., psychological contract violations) motives. Our novel theory of ICA also includes the influence of two classes of controls for ICA: (1) intrinsic (i.e., self-control) and (2) extrinsic (i.e., organizational deterrence) controls. We developed and empirically examined a research model based on our middle-range theory that explains a substantial portion of the variance in ICA. Specifically, our results indicate that both instrumental and expressive motives are positively related to ICA. Moreover, intrinsic self-control exerted significant direct and moderating influences in our research model, whereas extrinsic organizational deterrence failed to exhibit a direct effect on ICA and significantly moderated instrumental motives’ relationship with ICA only. 
Not only do our results show that self-control exerted a stronger effect on the model than deterrence did but they also help us identify the limits of deterrence in ICA research.

Suggested Citation

  • A. J. Burns & Tom L. Roberts & Clay Posey & Paul Benjamin Lowry & Bryan Fuller, 2023. "Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse," Information Systems Research, INFORMS, vol. 34(1), pages 342-362, March.
  • Handle: RePEc:inm:orisre:v:34:y:2023:i:1:p:342-362
    DOI: 10.1287/isre.2022.1133


