Abstract
There is a long-held belief that deterrence mechanisms are more useful in developing countries. Evidence on this belief is anecdotal rather than empirical. In this chapter, individual compliance to information system security policy (ISSP) is examined through the lenses of deterrence theory. The effects of certainty of detection and severity of punishment on attitude towards compliance and also ISSP compliance behaviour are investigated. A survey questionnaire was distributed to gather responses from 432 individuals who are staff of a public university in Ghana. The data was analysed using partial least square structural equation modelling (PLS-SEM). The results indicate that severity of punishment has a positive effect on attitude towards compliance and ISSP compliance behaviour. However, certainty of detection neither affected attitude towards compliance nor ISSP compliance behaviour. It is recommended that organizations enhance the severity of sanctions imposed on those who violate ISSPs. Future studies should explore how users apply neutralization techniques to evade sanctions.
TopLiterature Review
In recent years, approaches for ensuring information security have shifted focus from technology to the human perspective. Literature suggests that insiders through their ignorance, negligence or deliberate acts subject organizations’ IS to various threats (Safa et al., 2019). Indeed, many security issues are as a result of the actions or inactions of end-users (Cheng, Li, Li, Holm, & Zhai, 2013). Despite the provision of ISSPs which stipulates desired security behavior, end-users mostly choose to engage in abusive behavior. Therefore, many scholars recommend deterrent and preventive approaches (e.g. sanctions) to influence end-user compliance to information security. For instance, Johnston and Warkentin (2010) point out that fear of sanctions is a significant predictor of intention to comply with ISSP. In a similar investigations into factors that affect security behavior, scholars have discovered that formal sanctions, threat appraisals, detection certainty, punishment certainty, and severity play a crucial role in ISSP compliance intention (Cheng et al., 2013; Herath & Rao, 2009a; Ifinedo, 2012; Li, Zhang, & Sarathy, 2010; Safa et al., 2019).
Key Terms in this Chapter
Information Systems Security Policies (ISSPs): They are guidelines that outlines acceptable behaviour for ensuring information security.
Severity of Punishment (SP): The believe that abuse of information systems resources will attract harsh punishment.
Deterrence: An action of discouraging improper security behavior by instilling fear of punishment.
Compliance Intention (CI): It is the possibility that users will comply with information systems security policy the near future.
Information Systems (IS): An integrated set of digital products for collecting, processing and storing organizations’ informational resources.
Attitude Towards Compliance (ATT): A person’s positive and negative feelings toward information systems security policy compliance.
Certainty of Detection (CD): The believe that abuse of information systems resources will be detected.