The Center for Education and Research in Information Assurance and Security (CERIAS)

John D'Arcy - Notre Dame

User Awareness of Security Countermeasures and its Impact on Information Systems Misuse: A Deterrence Approach

Apr 15, 2009

Abstract

Intentional insider misuse of information systems resources (i.e., IS misuse) represents a significant threat to organizations. For example, industry statistics suggest that between 50% and 75% of security incidents originate from within an organization. Because of the large number of misuse incidents, it has become important to understand how to reduce such behavior. General deterrence theory suggests that certain controls can serve as deterrent mechanisms by increasing the perceived threat of punishment for IS misuse. This study presents an extended deterrence theory model that combines work from criminology, social psychology, and information systems. The model posits that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention. The model is then tested on 269 computer users from eight different companies. The results suggest that three practices deter IS misuse: user awareness of security policies; security education, training, and awareness (SETA) programs; and computer monitoring. The results also suggest that perceived severity of sanctions is more effective in reducing IS misuse than certainty of sanctions. Further, there is evidence that the impact of sanction perceptions varies based on one's level of morality. The results have implications for both the research and practice of IS security.

About the Speaker

John D'Arcy is an Assistant Professor in the Department of Management in the Mendoza College of Business at the University of Notre Dame. Dr. D'Arcy teaches an MBA course on technology risk management and an undergraduate course on computer networking and security. After gaining a BS in Finance from The Pennsylvania State University, he worked the following four years as a cost accountant and then a financial systems analyst for Ford Motor Company. During that time, he earned an MBA from LaSalle University. He subsequently earned a PhD in Business Administration with a concentration in Management Information Systems from Temple University.

Dr. D'Arcy's research interests include information assurance and security, computer ethics, and human-computer interaction. In recent papers, he has examined the effectiveness of procedural and technical security controls in deterring computer abuse. His research also investigates individual and organizational factors that contribute to end user security behavior in the workplace. Dr. D'Arcy has published articles in journals such as Information Systems Research, Communications of the ACM, Decision Support Systems, Journal of Information System Security, and Computers & Security.

