Printed from https://ideas.repec.org/a/inm/ormnsc/v68y2022i4p2914-2931.html

Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement

Authors

  • Debabrata Dey (Foster School of Business, University of Washington, Seattle, Washington 98195)
  • Abhijeet Ghoshal (Gies College of Business, University of Illinois, Champaign, Illinois 61820)
  • Atanu Lahiri (Jindal School of Management, University of Texas, Dallas, Texas 75080)

Abstract

The role of education and enforcement in ensuring compliance with a law or policy has been debated for more than a century now. We reopen this debate in the context of security circumvention by employees, currently a leading cause of information security and privacy breaches. Drawing on prior literature, we develop a microeconomic framework that captures employees’ circumventing behavior in the face of security controls. This allows us to obtain interesting insights that have implications for how an organization should employ anticircumvention measures. First, unless circumvention is rampant, education and enforcement often work better in combination, and not in isolation. Second, there are incentives for an organization to tolerate circumvention to an extent, even when education and enforcement are cheap. Finally, education and enforcement may be strategic complements or substitutes in different parts of the parameter space. When they are complements, if a change in cost parameters compels the organization to increase one, it would also require an increase in the other in lockstep. In contrast, when they are substitutes, an increase in one is associated with a decrease in the other.

Suggested Citation

  • Debabrata Dey & Abhijeet Ghoshal & Atanu Lahiri, 2022. "Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement," Management Science, INFORMS, vol. 68(4), pages 2914-2931, April.
  • Handle: RePEc:inm:ormnsc:v:68:y:2022:i:4:p:2914-2931
    DOI: 10.1287/mnsc.2021.4027

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/mnsc.2021.4027
    Download Restriction: no
