Online Supplementary Appendix – Tables A1, A2, and A3

Table A1: Overview of IS Deterrence Studies

Columns: Study; Deterrence Constructs; Other Constructs; Dependent Variable; Summary of Deterrence Findings.

D'Arcy et al. (2009)
  Deterrence constructs: Perceived certainty of formal sanctions, perceived severity of formal sanctions
  Other constructs: Security policies, SETA program, computer monitoring, moral commitment, organization
  Dependent variable: IS misuse intention
  Summary of deterrence findings: Perceived severity was associated with lower IS misuse intention. Perceived certainty was only significant for individuals with high moral commitment scores. Security policies, SETA program, and computer monitoring had indirect effects on IS misuse intention.

D'Arcy and Hovav (2009)
  Deterrence constructs: Security policies, SETA program, computer monitoring
  Other constructs: Virtual status, computer self-efficacy
  Dependent variable: Unauthorized access intention, unauthorized modification intention
  Summary of deterrence findings: SETA program was associated with lower unauthorized access intention; security policies and computer monitoring were associated with lower unauthorized modification intention. Purpose of the study was to assess the moderating influences of virtual status and computer self-efficacy.

Gopal and Sanders (1997)
  Deterrence constructs: Information on the certainty and severity of legal consequences for software piracy
  Other constructs: Ethical index, age, gender
  Dependent variable: Software piracy intention
  Summary of deterrence findings: Participants who received the deterrence information had significantly lower intentions to commit software piracy.

Harrington (1996)
  Deterrence constructs: General and IS codes of ethics (proxies for certainty and severity of formal sanctions)
  Other constructs: Denial of responsibility
  Dependent variable: Computer abuse judgments and intentions
  Summary of deterrence findings: General codes had no impact on computer abuse judgments and intentions, except for individuals high in responsibility denial. IS-specific codes had a small effect.

Herath and Rao (2009a)
  Deterrence constructs: Perceived certainty of detection, perceived severity of penalty
  Other constructs: Normative beliefs, peer behavior, perceived effectiveness
  Dependent variable: IS security policy compliance intention
  Summary of deterrence findings: Perceived certainty of detection was positively associated with compliance intention. Perceived severity of penalty was negatively associated with compliance intention, contrary to expectations.

Herath and Rao (2009b)
  Deterrence constructs: Perceived certainty of detection, perceived severity of penalty
  Other constructs: Various constructs from Protection Motivation Theory and Theory of Planned Behavior
  Dependent variable: IS security policy compliance intention
  Summary of deterrence findings: Perceived certainty of detection was positively associated with compliance intention. Perceived severity of penalty was negatively associated with compliance intention, contrary to expectations.

Higgins et al. (2005)
  Deterrence constructs: Perceived certainty of detection, perceived severity of fine, self disapproval, social disapproval, moral beliefs
  Other constructs: Self-control, prior software piracy, peer association, age, gender
  Dependent variable: Software piracy intention
  Summary of deterrence findings: Perceived certainty of detection, but not severity of fine, was associated with lower piracy intention. Other significant variables were self disapproval, social disapproval, peer association, self-control, and gender.

Hollinger (1993)
  Deterrence constructs: Perceived certainty of getting caught
  Other constructs: Peer involvement and various demographic variables
  Dependent variable: Software piracy and unauthorized access behavior (self-reported)
  Summary of deterrence findings: Perceived certainty of getting caught was associated with reduced software piracy but not unauthorized access.

Kankanhalli et al. (2003)
  Deterrence constructs: Security personnel hours (proxy for certainty of formal sanctions) and punishment severity
  Other constructs: Preventative security software, organization size, top management support, industry type
  Dependent variable: Perceived IS security effectiveness
  Summary of deterrence findings: Deterrent and preventative efforts were positively associated with IS managers' perceived security effectiveness. Deterrent severity was not.

Lee et al. (2004)
  Deterrence constructs: Security policies, security awareness, security system (proxies for certainty and severity of formal sanctions)
  Other constructs: Attachment, commitment, involvement, norm
  Dependent variable: IS security intention (intention to install access control and intrusion prevention software)
  Summary of deterrence findings: Security system was positively associated with IS security intention while security policies and security awareness were not.

Li et al. (2010)
  Deterrence constructs: Perceived detection probability, perceived formal sanction severity, informal sanction (subjective norm)
  Other constructs: Perceived benefits, security risk, personal and organizational norms, identification
  Dependent variable: Internet usage policy compliance intention
  Summary of deterrence findings: Perceived detection probability, but not sanction severity, was positively associated with compliance intention. Perceived benefits and personal norms were also significant.

Pahnila et al. (2007)
  Deterrence constructs: Sanctions (combination of formal and informal)
  Other constructs: Threat appraisal, coping appraisal, normative beliefs, information quality, facilitating conditions, habits, rewards, attitude
  Dependent variable: IS security policy compliance intention
  Summary of deterrence findings: Sanctions were not significantly associated with IS security policy compliance intention.

Siponen et al. (2007)
  Deterrence constructs: Sanctions (combination of formal and informal)
  Other constructs: Threat appraisal, response efficacy, self-efficacy
  Dependent variable: IS security policy compliance (self-reported)
  Summary of deterrence findings: Sanctions were positively associated with IS security policy compliance.

Siponen and Vance (2010)
  Deterrence constructs: Perceived certainty and severity of formal sanctions, informal sanctions, and shame
  Other constructs: Defense of necessity, appeal to higher loyalties, condemn the condemners, metaphor of the ledger, denial of injury, denial of responsibility
  Dependent variable: Intention to violate IS security policy
  Summary of deterrence findings: Shame, formal, and informal sanctions were not associated with intention to violate security policy. Purpose of the study was to assess the influence of neutralization constructs, but deterrence constructs were included for comparative purposes.

Skinner and Fream (1997)
  Deterrence constructs: Perceived certainty of apprehension, perceived severity of punishment
  Other constructs: Various constructs from social learning theory
  Dependent variable: Software piracy; two types of unauthorized access; combined index of the three (self-reported)
  Summary of deterrence findings: The only significant deterrence relationship was the influence of perceived severity of punishment on illegally accessing accounts.

Straub (1990)
  Deterrence constructs: Investment in security countermeasures (proxies for certainty and severity of formal sanctions)
  Other constructs: Security software, offender motivation, security tightness and visibility
  Dependent variable: Computer abuse incidents
  Summary of deterrence findings: Use of security countermeasures was associated with reduced incidence of computer abuse. Deterrent severity was stronger than deterrent certainty.

Zhang et al. (2006)
  Deterrence constructs: Perceived certainty of punishment, perceived severity of punishment
  Other constructs: Self-control, self-efficacy
  Dependent variable: Digital piracy behavior (self-reported)
  Summary of deterrence findings: Perceived certainty of punishment was associated with lower digital piracy behavior but perceived severity was not.

Table A2: Summary of Methodological Treatment in IS Deterrence Studies

Columns: Study; Deterrence Constructs (with significance of each); Treatment of deterrence constructs; Dependent Variable (sign of the relationship in parentheses); Treatment of dependent variable; Sample Characteristics (Level of Analysis).

D'Arcy et al. (2009)
  Deterrence constructs and significance: Perceived certainty of formal sanctions: Not significant. Perceived severity of formal sanctions: Significant.
  Treatment: Constructs treated as separate (summed responses for four scenarios)
  Dependent variable: (-) IS misuse intention
  Treatment: Participants given four IS misuse scenarios (sending inappropriate email, unauthorized access and modification, software piracy). Summed responses for four scenarios.
  Sample characteristics: 269 employees in nine U.S. organizations (Individual)

D'Arcy and Hovav (2009)
  Deterrence constructs and significance: Security policies: Significant (unauthorized modification only). SETA program: Significant (unauthorized access only). Computer monitoring: Significant (unauthorized modification only).
  Treatment: Constructs treated as separate (proxies for perceived formal sanctions)
  Dependent variable: (-) Unauthorized access and modification intention
  Treatment: Participants given two scenarios. Individual analysis of each scenario.
  Sample characteristics: 507 employees in eight U.S. organizations and MBA students (Individual)

Gopal and Sanders (1997)
  Deterrence constructs and significance: Certainty and severity of legal consequences for software piracy (i.e., deterrence information): Significant.
  Treatment: Certainty and severity constructs treated together (respondents received a one-page sheet with this information)
  Dependent variable: (-) Software piracy intention
  Treatment: Participants given four software piracy scenarios: self, family, friend, and colleague. Summed responses for four scenarios.
  Sample characteristics: 123 U.S. MBA students (Individual)

Harrington (1996)
  Deterrence constructs and significance: IS and general codes of ethics: Significant (computer sabotage only); moderated by denial of responsibility personality trait.
  Treatment: Constructs treated as separate (proxies for perceived formal sanctions)
  Dependent variable: (-) Computer abuse intention
  Treatment: Participants given five computer abuse scenarios: hacking software; computer sabotage; spreading viruses; fraudulent computer usage. Individual analysis of each scenario.
  Sample characteristics: 219 IS employees in nine U.S. organizations (Individual)

Herath and Rao (2009a, b)
  Deterrence constructs and significance: Perceived certainty of detection: Significant. Perceived severity of penalty: Significant (in opposite direction).
  Treatment: Constructs treated as separate
  Dependent variable: (+) IS security policy compliance intention
  Treatment: Items measuring projected IS security policy compliance behavior. Single construct measured once.
  Sample characteristics: 312 employees in twelve U.S. organizations (Individual)

Higgins et al. (2005)
  Deterrence constructs and significance: Perceived certainty of detection: Significant. Perceived severity of fine: Not significant. Social disapproval: Significant. Self disapproval: Significant.
  Treatment: Constructs treated as separate
  Dependent variable: (-) Software piracy intention
  Treatment: Participants given one software piracy scenario. Analysis of the responses to the single scenario.
  Sample characteristics: 382 U.S. undergraduate students (Individual)

Hollinger (1993)
  Deterrence constructs and significance: Perceived certainty of getting caught: Significant (for software piracy but not unauthorized access).
  Treatment: Single construct
  Dependent variable: (-) Software piracy and unauthorized access
  Treatment: Participants reported their actual behavior. Individual analysis of each behavior.
  Sample characteristics: 1,672 U.S. undergraduate students (Individual)

Kankanhalli et al. (2003)
  Deterrence constructs and significance: Deterrent efforts (proxy for certainty of formal sanctions): Significant. Deterrent severity: Not significant.
  Treatment: Constructs treated as separate
  Dependent variable: (+) IS security effectiveness
  Treatment: Items measuring perception of IS security efforts. Single construct measured once.
  Sample characteristics: 63 IS security managers (Organizational)

Lee et al. (2004)
  Deterrence constructs and significance: Security policies: Not significant. Security awareness: Not significant. Security system: Significant.
  Treatment: Constructs treated as separate (proxies for perceived formal sanctions)
  Dependent variable: (+) IS security intention
  Treatment: Items measuring projected access control and intrusion prevention software usage. Single construct measured once.
  Sample characteristics: 162 Korean IS managers and MBA students (Individual)

Li et al. (2010)
  Deterrence constructs and significance: Perceived detection probability: Significant. Perceived formal sanction severity: Not significant. Informal sanctions (subjective norm): Not significant.
  Treatment: Constructs treated as separate
  Dependent variable: (+) Internet usage policy compliance intention
  Treatment: Items measuring projected policy compliance. Single construct measured once.
  Sample characteristics: 246 employees in various U.S. organizations (Individual)

Pahnila et al. (2007)
  Deterrence constructs and significance: Sanctions: Not significant.
  Treatment: Single construct comprised of formal and informal sanctions
  Dependent variable: (+) IS security policy compliance intention
  Treatment: Items measuring projected IS security policy compliance behavior. Single construct measured once.
  Sample characteristics: 240 employees in a Finnish company (Individual)

Siponen et al. (2007)
  Deterrence constructs and significance: Sanctions: Significant.
  Treatment: Single construct comprised of formal and informal sanctions
  Dependent variable: (+) IS security policy compliance
  Treatment: Items measuring actual IS security policy compliance behavior. Single construct measured once.
  Sample characteristics: 917 employees in four Finnish companies (Individual)

Siponen and Vance (2010)
  Deterrence constructs and significance: Perceived certainty and severity of formal sanctions: Not significant. Perceived certainty and severity of informal sanctions: Not significant. Perceived certainty and severity of shame: Not significant.
  Treatment: Constructs treated as separate (certainty multiplied by severity for each construct)
  Dependent variable: (-) Intention to violate IS security policy
  Treatment: Participants given one of three scenarios: careless use of USB drive; failure to log off; password sharing. Analysis of the responses to the single scenario (which scenario added as a control).
  Sample characteristics: 395 employees in three Finnish organizations (Individual)

Skinner and Fream (1997)
  Deterrence constructs and significance: Perceived certainty of apprehension: Not significant. Perceived severity of punishment: Significant (illegal access only).
  Treatment: Constructs treated as separate
  Dependent variable: (-) Software piracy and two types of unauthorized access
  Treatment: Participants reported their actual behavior. Individual analysis of each behavior and combined index of the three.
  Sample characteristics: 545 U.S. undergraduate students (Individual)

Straub (1990)
  Deterrence constructs and significance: Deterrent certainty: Significant. Deterrent severity: Significant.
  Treatment: Constructs treated as separate
  Dependent variable: (-) Computer abuse
  Treatment: IS security managers reported actual computer abuse incidents. Single construct: number of incidents, amount of losses, seriousness of breach.
  Sample characteristics: 1,211 IS security personnel (mostly managers) in U.S. organizations (Organizational)

Zhang et al. (2006)
  Deterrence constructs and significance: Perceived certainty of punishment: Significant. Perceived severity of punishment: Not significant.
  Treatment: Constructs treated as separate
  Dependent variable: (-) Digital piracy
  Treatment: Participants reported their actual behavior (ranged from 'never' to '10 or more times'). Single construct measured once.
  Sample characteristics: 207 U.S. undergraduate students

Table A3: Measurement of Deterrence Constructs in IS Deterrence Studies

Columns: Study; Deterrence Construct(s); Measurement.

D'Arcy et al. (2009)
  Perceived certainty of formal sanctions:
    1. Alex would probably be caught, eventually, after accessing the computer system: (strongly disagree/strongly agree)
    2. The likelihood the organization would discover that Alex accessed the computer system is: (very low/very high)
    Note: these items modified for each scenario; measured via 7-point scales
  Perceived severity of formal sanctions:
    1. If caught accessing the computer system, Alex would be severely reprimanded: (strongly disagree/strongly agree)
    2. If caught accessing the computer system, Alex's punishment would be: (not severe at all/very severe)
    Note: these items modified for each scenario; measured via 7-point scales

D'Arcy and Hovav (2009)
  Security policies:
    1. My organization has specific guidelines that describe acceptable use of e-mail.
    2. My organization has established rules of behavior for use of computer resources.
    3. My organization has a formal policy that forbids employees from accessing computer systems that they are not authorized to use.
    4. My organization has specific guidelines that govern what employees are allowed to do with their computers.
    Note: measured via 7-point scales ('strongly disagree' to 'strongly agree')
  SETA program:
    1. My organization provides training to help employees improve their awareness of computer and information security issues.
    2. In my organization, employees are briefed on the consequences of modifying computerized data in an unauthorized way.
    3. My organization educates employees on their computer security responsibilities.
    4. In my organization, employees are briefed on the consequences of accessing computer systems that they are not authorized to use.
    Note: measured via 7-point scales ('strongly disagree' to 'strongly agree')
  Computer monitoring:
    1. I believe that my organization monitors any modification or altering of computerized data by employees.
    2. I believe that employee computing activities are monitored by my organization.
    3. I believe that my organization monitors computing activities to ensure that employees are performing only explicitly authorized tasks.
    4. I believe that my organization reviews logs of employees' computing activities on a regular basis.
    5. I believe that my organization actively monitors the content of employees' e-mail messages.
    Note: measured via 7-point scales ('strongly disagree' to 'strongly agree')

Gopal and Sanders (1997)
  Deterrence information: Experimental study in which certain participants received a one-page information sheet describing the certainty and severity of punishment for software piracy. Those who received the deterrence information were coded as 1, others were coded as 0.

Harrington (1996)
  General and IS codes of ethics (proxies): Participants' managers were asked whether their company had a general code of ethics and/or an IS-specific code of ethics. These served as proxies for perceived certainty and severity of formal sanctions.

Herath and Rao (2009a, b)
  Perceived certainty of detection:
    1. Employee computer practices are properly monitored for policy violations. (strongly disagree/strongly agree)
    2. If I violate organization security policies, I would probably be caught. (strongly disagree/strongly agree)
    Note: measured via 7-point scales
  Perceived severity of penalty:
    1. The organization disciplines employees who break information security rules. (strongly disagree/strongly agree)
    2. My organization terminates employees who repeatedly break security rules. (strongly disagree/strongly agree)
    3. If I were caught violating organization information security policies, I would be severely reprimanded. (strongly disagree/strongly agree)
    Note: measured via 7-point scales

Higgins et al. (2005)
  Perceived certainty of detection: How likely you will get caught for the software piracy scenario behavior: (11-point scale: not being caught at all to 100% chance of being caught)
  Perceived severity of fine: Severity of sentence if caught for the software piracy scenario behavior (11-point scale with the following categories: (a) no fine (b) $500 fine (c) $1000 fine (d) $10000 fine (e) no jail or fine (f) 1 month jail time (g) 3 month jail time (h) 6 month jail time (i) one year jail time (j) 3 year jail time (k) 5 year jail time)
  Social disapproval:
    1. How likely is it that your family would find out that you used a copy of the program in the circumstances described in the scenario? (not likely/likely)
    2. How likely is it that your friends would find out that you used a copy of the program in the circumstances described in the scenario? (not likely/likely)
    Note: measured via 11-point scales
  Self disapproval:
    1. How likely would you feel guilty if you were to use the copy of the program in the circumstances described in the scenario? (not likely/likely)
    2. How likely would you feel shame if you were to use the copy of the program in the circumstances described in the scenario? (not likely/likely)
    Note: measured via 11-point scales

Hollinger (1993)
  Perceived certainty of getting caught:
    Chance of getting caught by officials (separate for software piracy and unauthorized access): (4-point scale with the following categories: (a) none (b) 10-20% (c) 30-50% (d) 60-100%)
    Chance of getting caught by fellow students (separate for software piracy and unauthorized access): (4-point scale with the following categories: (a) none (b) 10-20% (c) 30-50% (d) 60-100%)

Kankanhalli et al. (2003)
  Deterrent efforts (proxy for certainty of formal sanctions): Total man-hours expended on IS security purposes per week
  Deterrent severity: Most severe form of punishment meted out by the organization for IS security abuse: (5-point scale with the following categories: (a) no action taken (b) reprimand by management (c) suspension of duties (d) dismissal from appointment (e) prosecution in court)

Lee et al. (2004)
  Security policies (proxy for perceived formal sanctions):
    1. Degree of knowledge of security policy
    2. Severity of security policy
    3. Helpfulness of security policy
    Note: measured via 7-point scales
  Security awareness (proxy for perceived formal sanctions):
    1. Frequency of awareness programs per year
    2. Degree of security awareness
    3. Helpfulness of security awareness
    Note: measured via 7-point scales
  Security system (proxy for perceived formal sanctions):
    1. Degree of security system effectiveness
    2. Investment in security system
    3. Sufficiency of budget for security system
    Note: measured via 7-point scales

Li et al. (2010)
  Perceived detection probability:
    If I used the Internet access provided by the organization for non-work-related purposes, …
    1. The probability that I would be caught is (very low/very high)
    2. I would probably be caught. (strongly agree/strongly disagree)
    Note: measured via 5-point scales
  Perceived formal sanction severity:
    If I were caught using the Internet access provided by the organization for non-work-related purposes, …
    1. I think the punishment would be (very low/very high)
    2. I would be severely punished by my organization. (strongly agree/strongly disagree)
    Note: measured via 5-point scales
  Informal sanction (subjective norms):
    1. If I used the Internet access provided by the organization for non-work-related purposes, most of the people who are important to me would (approve/disapprove)
    2. Most people who are important to me would look down on me if I used the Internet access provided by the organization for non-work-related purposes. (very likely/very unlikely)
    3. If I used the Internet access provided by the organization for non-work-related purposes, most of the people who are important to me would (strongly agree/strongly disagree)
    Note: measured via 5-point scales

Pahnila et al. (2007)
  Sanctions (combination of formal and informal): Four items adapted from Higgins et al. (2005); the specific items were not provided

Siponen et al. (2007)
  Sanctions (combination of formal and informal): Four items adapted from Higgins et al. (2005); the specific items were not provided

Siponen and Vance (2010)
  Perceived certainty and severity of formal sanctions:
    1. What is the chance that you would be formally sanctioned if management learned that you had violated company information security policy?
    2. What is the chance that you would be formally reprimanded if management learned you had violated company information security policy?
    3. How much of a problem would it create in your life if you were formally sanctioned for doing what [the scenario character] did?
    4. How much of a problem would it create in your life if you were formally reprimanded for doing what [the scenario character] did?
    Notes: measured via 11-point scales; each certainty item multiplied by its corresponding severity item
  Perceived certainty and severity of informal sanctions:
    1. How likely is it that you would lose the respect and good opinion of your co-workers for violating the company information security policy?
    2. How likely is it that you would jeopardize your promotion prospects if management learned that you had violated company information security policy?
    3. How likely is it that you would lose the respect and good opinion of your manager if management learned that you had violated company IT security policies?
    4. How much of a problem would it create in your life if you lost the respect and good opinion of your co-workers for violating the company information security policy?
    5. How much of a problem would it create in your life if you jeopardized your future job promotion prospects for doing what [the scenario character] did?
    6. How much of a problem would it create in your life if you lost the respect of your manager for violating the company information security policy?
    Notes: measured via 11-point scales; each certainty item multiplied by its corresponding severity item
  Perceived certainty and severity of shame:
    1. How likely is it that you would be ashamed if co-workers knew that you had violated company information security policy?
    2. How likely is it that you would be ashamed if others knew that you had violated the company information security policy?
    3. How likely is it that you would be ashamed if managers knew that you had violated the company information security policy?
    4. How much of a problem would it be if you felt ashamed that co-workers knew you had violated the company information security policy?
    5. How much of a problem would it be if you felt ashamed that others knew you had violated the company information security policy?
    6. How much of a problem would it be if you felt ashamed that managers knew you had violated the company information security policy?
    Notes: measured via 11-point scales; each certainty item multiplied by its corresponding severity item

Skinner and Fream (1997)
  Perceived certainty of apprehension:
    1. How likely is it that you would be caught using, making, or giving to another person a "pirated" copy of software? (never/very likely)
    2. How likely is it that you would be caught accessing or trying to access another's computer account or files without his or her knowledge or permission? (never/very likely)
    Note: measured via 5-point scales
  Perceived severity of punishment:
    1. How severe do you think the punishment would be if you got caught using, making, or giving to another person a "pirated" copy of software? (not severe at all/very severe)
    2. How severe do you think the punishment would be if you were caught accessing or trying to access another's computer account or files without his or her knowledge or permission? (not severe at all/very severe)
    Note: measured via 5-point scales

Straub (1990)
  Deterrent certainty:
    1. Number of full time security staff
    2. Number of part-time security staff
    3. Total security hours per week
    4. Data security hours per week
    5. Total security staff salaries
    6. Subjective estimate of deterrent effect
    7. Age of security
  Deterrent severity:
    1. Severity of penalties for abuse
    2. Number of informational sources
    3. Subjective estimate of deterrent effect

Zhang et al. (2006)
  Perceived punishment certainty: What is the likelihood of getting caught for: (5-point scale; 1=less than 20% to 5=almost 100%)
    - duplicate a copyrighted CD
    - download unauthorized music from the Internet
    - duplicate a copyrighted DVD
    - download unauthorized movies from the Internet
    - install a pirated copy of software on your computer
  Perceived punishment severity: How severe would the punishment be if you were caught: (5-point scale; 1=not severe at all to 5=very severe)
    - duplicate a copyrighted CD
    - download unauthorized music from the Internet
    - duplicate a copyrighted DVD
    - download unauthorized movies from the Internet
    - install a pirated copy of software on your computer