Abstract
An understanding of insider threats in information systems (IS) is important to help address one of the dangers lurking within organizations. This article reviews the literature on insider compliance (and failure of compliance) with information systems policies in order to understand the status of IS research regarding negligent and malicious insiders. We begin by defining the terms and developing a new taxonomy of insiders, and then provide a comprehensive review of articles on IS policy compliance for the past 26 years. Grounding the analysis in the literature, we inductively identify four themes to foster information security policy compliance among employees. The themes are: 1) IS management philosophy, 2) procedural countermeasures, 3) technical countermeasures, and 4) environmental countermeasures. We propose that future research can draw upon these themes and use them as the building blocks of an indigenous IS security theory.
Index Terms
- Review of IS Security Policy Compliance: Toward the Building Blocks of an IS Security Theory