CERIAS - Center for Education and Research in Information Assurance and Security

Purdue University - Discovery Park

USER AWARENESS OF SECURITY COUNTERMEASURES AND ITS IMPACT ON INFORMATION SYSTEMS MISUSE: A DETERRENCE APPROACH

John D'Arcy - Notre Dame

Apr 15, 2009


Abstract

Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50% and 75% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This study presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions varies based on one’s level of morality. The results have implications for both the research and practice of IS security.

About the Speaker

John D’Arcy is an Assistant Professor in the Department of Management in the Mendoza College of Business at the University of Notre Dame. Dr. D’Arcy teaches an MBA course on technology risk management and an undergraduate course on computer networking and security. After gaining a BS in Finance from The Pennsylvania State University, he worked the following four years as a cost accountant and then a financial systems analyst for Ford Motor Company. During that time, he earned an MBA from LaSalle University. He subsequently earned a PhD in Business Administration with a concentration in Management Information Systems from Temple University.

Dr. D’Arcy’s research interests include information assurance and security, computer ethics, and human-computer interaction. In recent papers, he has examined the effectiveness of procedural and technical security controls in deterring computer abuse. His research also investigates individual and organizational factors that contribute to end user security behavior in the workplace. Dr. D’Arcy has published articles in journals such as Information Systems Research, Communications of the ACM, Decision Support Systems, Journal of Information System Security, and Computers & Security.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52, West Lafayette Campus.

Disclaimer

The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter’s organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.