Advanced SearchSearch Tips
The Causal Relationship between Information Security Countermeasures and Information System Misuse
facebook(new window)  Pirnt(new window) E-mail(new window) Excel Download
 Title & Authors
The Causal Relationship between Information Security Countermeasures and Information System Misuse
Lee, Joontaik; Kim, Sanghoon;
  PDF(new window)
Intentional information systems (IS) misuse is a serious problem in many organizations. This study aims at developing the theoretical framework of deterring IS misuse on the basis of Nagin`s General Deterrence Theory (GDT) which is very famous in the area of socio-criminology. Applying GDT to the IS misuse situation could be reasoned that the perceived certainty and the perceived severity of sanctions associated with committing IS misuse have positive impact on deterring the deviant behaviors. Also, these two constructs (certainty of sanctions and severity of sanctions) could be inferred to be influenced by the four types of IS security countermeasures (security policies, security awareness program, monitoring practices and preventive security software) derived through critically reviewing IS security-relevant literature. The proposed research model and ten hypotheses were empirically analysed using structural equation modelling with the data collected by conducting a questionnaire survey of staff members in business organizations in Korea. As a result, it was found that five ones of ten hypotheses were supported. It is thought that this study makes theoretical contribution to expanding research area of IS security and also has strong implications for IS security management practices within organizations.
General Deterrence Theory;IS Misuse;IS Security Countermeasures;
 Cited by
Ajzen, I., Attitude, Personality, and Behavior, Chicago : Dorsey Press, 1988.

Ajzen, I., "The Theory of Planned Behavior", Organizational Behavior and Human Decision Processes, Vol.50, No.2, 1991, 179-211. crossref(new window)

Bachman, R., R. Paternoster, and S. Ward, "The Rationality of Sexual Offending : Testing a Deterrence/Rational Choice Conception of Sexual Assault", Law and Society Review, Vol.26, No.2, 1992, 343-372. crossref(new window)

Bagozzi, R.P., Y. Yi, and L.W. Phillips, "Assessing Construct Validity in Organizational Research", Administrative Science Quarterly, Vol.36, No.3, 1991, 421-458. crossref(new window)

Barclay, D.C., C. Higgins, and R. Thompson, "The Partial Least Squares Approach to Causal Modeling : Personal Computer Adoption and Use as an Illustration", Technology Studies, Vol.2, No.2, 1995, 285-308.

Cavusoglu, H. and S. Raghunathan, "Economics of IT Security Management : Four Improvements to Current Security Practices", Communications of the AIS, Vol.14, No.3, 2004, 65-75.

Chang, H.S. and D.H. Jung, "Organizational and Personal Characteristics to Determine the Intentions and Actions of the Computer Abuse", Informatization Policy, Vol.20, No.1, 2013, 42-60.(장활식, 정대현, "컴퓨터 오남용의 의도와 행동을 결정하는 조직 및 개인적 특성", 정보화정책, 제20권, 제1호, 2013, 42-60.)

Chin, W.W., "The Partial Least Squares Approach to Structural Equation Modeling", In Modern methods for business research, Vol.295, No.2, 1998, 295-336.

Cook, P.J., "Research In Criminal Deterrence : Laying the Groundwork for the Second Decade", In Crime and Justice, Vol.2, 1880, 211-268.

Dhillon, G., "Managing and Controlling Computer Misuse", Information Management and Computer Security, Vol.7, No.4, 1999, 171-175. crossref(new window)

Dutta, A. and R. Roy, "The Dynamics of Organizational Information Security", In Proceedings of the Twenty-Fourth International Conference on Information Systems, December 14-17, Seattle, WA, 2003.

Falk, R.F. and N.B. Miller, A Primer for Soft Modelling, Akron, OH : Univ. of Akron Press, 1992.

Finch, J., "The Vignette Technique in Survey Research", Sociology, Vol.21, No.1, 1987, 105-114. crossref(new window)

Foltz, C.B., "The Impact of Deterrent Countermeasures upon Individual Intent to Commit Misuse : A Behavioral Approach", Ph.D. diss, University of Arkansas, 2000.

Fornell, C. and D.F. Larcker, "Evaluating Structural Equation Models with Unobservable Variables and Measurement Error", Journal of Marketing Research, Vol.18, No.1, 1981, 39-50. crossref(new window)

Furnell, S.M., M. Gennatou, and P.S. Dowland, "A Prototype Tool for Information Security Awareness and Training", Logistics Information Management, Vol.15, No.5, 2002, 352-357. crossref(new window)

Gefen, D., D.W. Straub, and M.C. Boudreau, "Structural Equation Modeling Techniques and Regression : Guidelines for Research Practice", Communications of the AIS, Vol.7, No.7, 2000, 1-78.

Gordon, L.A., M.P. Loeb, W. Lucyshyn, and R. Richardson, 2004 CSI/FBI Computer Crime and Security Survey, Computer Security Journal, Vol.20, No.3, 2004, 33-51.

Ha, S.W. and H.J. Kim, "The Effects of User's Security Awareness on Password Security Behavior", Journal of Digital Contents Society, Vol.14, No.2, 2013, 179-189.(하상원, 김형중, "정보보안의식이 패스워드 보안행동에 미치는 영향에 관한 연구", 한국디지털콘텐츠학회논문지, 제14권, 제2호, 2013, 179-189.) crossref(new window)

Hair, J.F., R.E. Anderson, R.L. Tatham, and W.C. Black, Multivariate Data Analysis, Englewood Ciffs, NJ : Prentice Hall, 1998.

Hansche, S., "Designing a Security Awareness Program : Part 1", Information Systems Security, Vol.9, No.6, 2001, 14-22.

Harrington, S.J., "The Effect of Codes of Ethics and Personal Denial of Responsibility on Computer Abuse Judgments and Intentions", MIS Quarterly, Vol.20, No.3, 1996, 257-278. crossref(new window)

Irakleous, I., S.M. Furnell, P.S. Dowland, and M. Papadaki, "An Experimental Comparison of Secret-Based User Authentication Technologies", Information Management and Computer Security, Vol.10, No.3, 2002, 100-108. crossref(new window)

Ives, B., K.R. Walsh, and H. Schneider, "The Domino Effect of Password Reuse", Communications of the ACM, Vol.47, No.4, 2004, 75-78.

Jensen, B., "The Importance of Security Awareness Traing", Available at (Accessed May 13, 2003).

Kankanhalli, A., H.H. Teo, B.C.Y. Tan, and K.K. Wei, "An Integrative Study of Information Systems Security Effectiveness", International Journal of Information Management, Vol.23, No.2, 2003, 139-154. crossref(new window)

Kerlinger, F.N., Foundations of Behavioral Research, Second Edition, New York : Holt, Rinehart and Winston, 1973.

Lee, J. and Y. Lee, "A Holistic Model of Computer Abuse within Organizations", Information Management and Computer Security, Vol.10, No.2, 2002, 57-63. crossref(new window)

Lee, S.M., S.G. Lee, and S. Yoo, "An Integrative Model of Computer Abuse Based on Social Control and General Deterrence Theorices", Information and Management, Vol.41, No.6, 2004, 707-718. crossref(new window)

Leonard, L.N.K., T.P. Cronan, and J. Kreie., "What Influences IT Ethical Behavior Intentions-Planned Behavior, Reasoned Action, Perceived Importance, Individual Characteristics?", Information and Management, Vol.42, No.1, 2004. 143-158. crossref(new window)

Nagin, D.S., "General Deterrence : A Review of the Empirical Evidence", In Deterrence and incapacitation : Estimating the effexts of criminal sanctions on crime rates, edited by A. Blumstein, J. Cohen and D.S. Nagin, Washington, D.C. : National Academy of Sciences, 1978.

Nagin, D.S. and G. Pogarsky, "Integrating Celerity, Impulsivity, and Extralegal Sanction Threats into a Model of General Deterrence and Evidence", Criminology, Vol.39, No.4, 2001, 865-891. crossref(new window)

Nunnally, J.C., Psychometric Theory, Second Edition, New York : McGraw-Hill, 1978.

Panko, R.R. and H.G. Beh, "Monitoring for Pornography and Sexual Harrassment", Communications of the ACM, Vol.45, No.1, 2002, 84-87. crossref(new window)

Parker, D.B., Fighting Computer Crime, New York : John Wiley and Sons, 1998.

Peace, A.G., D.F. Galletta, and J.Y.L. Thong, "Software Piracy in the Workplace : A Model and Empirical Test", Journal of Management Information System, Vol.20, No.1, 2003, 153-177. crossref(new window)

Saari, J., "Computer Crime-Numbers Lie", Computers and Security, Vol.6 No.2, 1987, 111-117. crossref(new window)

Schou, C.D. and K. Trimmer, J., "Information Assurance and Security", Journal of Organizational and End User Computing, Vol.16, No.3, 2004, 1-7.

Silberman, M., "Toward a Theory of Criminal Deterrence", American Sociological Review, Vol.41, No.3, 1976, 442-461. crossref(new window)

Siponen, M.T., "A Conceptual Foundation for Organizational Information Security Awareness", Information Management and Computer Security, Vol.8, No.1, 2000, 31-41. crossref(new window)

Solarz, A., "Computer-Related Embezzlement", Computers and Security, Vol.6 No.1, 1987, 49-53. crossref(new window)

Stanton, J.M., C. Caldera, A. Issac, K.R. Stam, and S.J. Marchinlowski, "Behavioral Information Security : Defining the Criterion Space", The Systems Assurance Institute, Syracuse University, Syracuse, New York, 2003.

Straub, D.W., "Effective IS Security : An Empirical Study", Information Systems Research, Vol.1, No.3, 1990, 255-276. crossref(new window)

Straub, D.W. and W.D. Nance, "Discovering and Disciplining Computer Abuse in Organizations : A Field Study", MIS Quarterly, Vol. 14, No.1, 1990, 45-60. crossref(new window)

Straub, D.W. and R.J. Welke, "Coping with Systems Risk : Security Planning Models for Management Decision Making", MIS Quarterly, Vol.22, No.4, 1998, 441-469. crossref(new window)

Tittle, C.R., Sanctions and Social Deviance : The Question of Deterrence, New York : Praeger, 1980.

Urbaczewski, A. and L.M. Jessup, "Does Electronic Monitoring of Employee Internet Usage Work?", Communications of the ACM, Vol. 45, No.1, 2002, 80-83.

Weaver, F.M. and J.S. Carroll, "Crime Perceptions in a Natural Setting by Expert and Novice Shoplifters", Social Psychology Quarterly, Vol.48, No.4, 1985, 349-359. crossref(new window)

Whitman, M.E., A.M. Townsen, and R.J. Alberts, "Information Systems Security and the Need for Policy", In Information security management : Global challenges in the new millenium, edited by M. Khosrowpou, Hershey, PA : Idea Group Publishing, 2001.

Willson, R., "Understanding and Addressing Criminal Opportunity : The Application of Situational Crime Prevention to IS Security", Journal of Financial Crime, Vol.7, No.3, 2000, 201-210. crossref(new window)

Wybo, M.D. and D.W. Straub, "Protecting Organizational Information Resources", Information Resources Management Journal, Vol.2, No.4, 1989, 1-15.

Yu, K.H., W.C. Choi, S.K. Kim, and C.Y. Goo, "A Study on Establishing Guidelines for Information Protection and Security for Educational Institutes", Journal of the Korea Society of IT Services, Vol.7, No.3, 23-43.(유기훈, 최웅철, 김신곤, 구천열, "학내 정보보호수립에 관한 연구", 한국IT서비스학회지, 제7권, 제3호, 2008, 23-43.)