We found a match
Your institution may have access to this item. Find your institution then sign in to continue.
- Title
Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse.
- Authors
Burns, A. J.; Roberts, Tom L.; Posey, Clay; Lowry, Paul Benjamin; Fuller, Bryan
- Abstract
Reports indicate that employees are willing to share sensitive information under certain circumstances, and one-third to half of security breaches are tied to insiders. These statistics reveal that organizational security efforts, which most often rely on deterrence-based sanctions to address the insider threats to information security, are insufficient. Thus, insiders' computer abuse (ICA)—unauthorized and deliberate misuse of organizational information resources by organizational insiders—remains a significant issue for industry. We present a motive–control theory of ICA that distinguishes among instrumental and expressive motives and internal and external controls. Specifically, we show that organizational deterrents (e.g., sanctions) do not create motives for ICA, but weaken existing motives (e.g., financial benefits). Conversely, financial benefits and psychological contract violations create motives to perform ICA, and insiders' self-control diminishes the influence of these motives. The implications for practice are threefold: (1) organizations should make efforts to reduce psychological contract breach for employees by increasing the congruence between expectations and reality to reduce expressive motives for ICA; (2) organizations should seek maintain personnel with adequate self-control to diminish the impact of harmful ICA motives should they arise; and (3) organizations should develop targeted sanctions for committing ICA to control the harmful influence of financial motives. Despite widespread agreement among practitioners and academicians that organizational insiders are a significant threat to organizational information systems security, insider computer abuse (ICA)—unauthorized and deliberate misuse of organizational information resources by organizational insiders—remains a serious issue. Recent studies have shown that most employees are willing to share confidential or regulated information under certain circumstances, and nearly one-third to half of major security breaches are tied to insiders. These trends indicate that organizational security efforts, which generally focus on deterrence and sanctions, have yet to effectively address ICA. Therefore, leading security researchers and practitioners have called for a more nuanced understanding of insiders in respect to deterrence efforts. We answer these calls by proposing a middle-range theory of ICA that focuses on understanding the inherent tensions between insider motivations and organizational controls. Our careful review distinguishes two categories of personal motives for ICA: (1) instrumental (i.e., financial benefits) and (2) expressive (i.e., psychological contract violations) motives. Our novel theory of ICA also includes the influence of two classes of controls for ICA: (1) intrinsic (i.e., self-control) and (2) extrinsic (i.e., organizational deterrence) controls. We developed and empirically examined a research model based on our middle-range theory that explains a substantial portion of the variance in ICA. Specifically, our results indicate that both instrumental and expressive motives are positively related to ICA. Moreover, intrinsic self-control exerted significant direct and moderating influences in our research model, whereas extrinsic organizational deterrence failed to exhibit a direct effect on ICA and significantly moderated instrumental motives' relationship with ICA only. Not only do our results show that self-control exerted a stronger effect on the model than deterrence did but they also help us identify the limits of deterrence in ICA research. History: Ola Henfridsson served as the senior editor and Debabrata Dey served as associate editor for this article. Supplemental Material: The online appendix is available at https://doi.org/10.1287/isre.2022.1133.
- Subjects
INFORMATION technology security; PSYCHOLOGICAL contracts (Employment); AUTOMATION; BREACH of contract; SECURITY systems; CONTROL theory (Engineering)
- Publication
Information Systems Research, 2023, Vol 34, Issue 1, p342
- ISSN
1047-7047
- Publication type
Article
- DOI
10.1287/isre.2022.1133