Understanding the deterrence effect of punishment for marine information security policies non-compliance

doi:10.1016/j.joes.2022.06.001

Abstract

Abstract:

In the organizational setting of marine engineering, a significant number of information security incidents have been arised from the employees' failure to comply with the information security policies (ISPs). This may be treated as a principal-agent problem with moral hazard between the employer and the employee for the practical compliance effort of an employee is not observable without high cost-. On the other hand, according to the deterrence theory, the employer and the employee are inherently self-interested beings.It is worth examining to what extent the employee is self-interested in the marine ISPs compliance context. Moreover, it is important to clarify the proper degree of severity of punishment in terms of the deterrent effect. In this study, a marine ISPs compliance game model has been proposed to evaluate the deterrence effect of punishment on the non-compliance behavior of employee individuals. It is found that in a non-punishment contract, the employee will decline to comply with the marine ISPs; but in a punishment contract, appropriate punishment will lead her to select the marine ISPs compliance effort level expected by the employer, and cause no potential backfire effect.

Key words: Deterrence mechanism, Marine engineering, Information security policies, Non-compliance behavior, Principal-agent model with moral hazard, Punishment

Xiaolong Wang, Changlin Wang, Tianyu Yi, Wenli Li. Understanding the deterrence effect of punishment for marine information security policies non-compliance[J]. Journal of Ocean Engineering and Science, 2024, 9(1): 9-12.

Xiaolong Wang, Changlin Wang, Tianyu Yi, Wenli Li. [J]. Journal of Ocean Engineering and Science, 2024, 9(1): 9-12.

/ / Recommend / Download Citations

URL: https://www.qk.sjtu.edu.cn/joes/EN/10.1016/j.joes.2022.06.001

https://www.qk.sjtu.edu.cn/joes/EN/Y2024/V9/I1/9

Figures/Tables 2

References 35

[1]	Herjavec Group, "2022 Cybersecurity Conversations Report", available at: accessed 21 May 2022). URL
[2]	G.D. Moody, M. Siponen, S. Pahnila. Toward a Unified Model of Information Security Policy Compliance. MIS Quart, 42 (1) (2018), pp. 285-311
[3]	M. Silic, P.B. Lowry. Using Design-science Based Gamification to Improve Organizational Security Training and Compliance. J. Manage. Inform. Syst., 37 (1) (2020), pp. 129-161 DOI: 10.1080/07421222.2019.1705512
[4]	J. Zhou, Y. Fang, V. Grover. Managing Collective Enterprise Information Systems Compliance: a Social and Performance Management Context Perspective. MIS Quart, 46 (1) (2022), pp. 71-100 DOI: 10.25300/misq/2022/14727
[5]	C. Liu, H. Liang, N. Wang, et al.. Ensuring Employees' Information Security Policy Compliance by Carrot and Stick: the Moderating Roles of Organizational Commitment and Gender. Inform. Technol. Peopl., 35 (2) (2022), pp. 802-834 DOI: 10.1108/itp-09-2019-0452
[6]	M.A. Mahmood, M. Siponen, D. Straub, et al.. Moving Toward Black Hat Research in Information Systems Security: an Editorial Introduction to the Special Issue. MIS Quert, 34 (3) (2010), pp. 431-433 DOI: 10.2307/25750685
[7]	J. D'Arcy, P.B. Lowry. Cognitive-affective Drivers of Employees' Daily Compliance with Information Security Policies: a Multilevel, Longitudinal Study. Inform. Syst. J., 29 (1) (2019), pp. 43-69 DOI: 10.1111/isj.12173
[8]	M. Karjalainen, M. Siponen, S. Sarker. Toward a Stage Theory of the Development of Employees' Information Security Behavior. Comput. Secur., 93 (12) (2020), Article 101782 URL
[9]	Y. Chen, D. Galletta, P.B. Lowry. Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model. Inform. Syst. Res., 32 (3) (2021), pp. 1043-1065 DOI: 10.1287/isre.2021.1014
[10]	P. Balozian, D. Leidner. Review of IS Security Policy Compliance: toward the Building Blocks of an IS Security Theory. Data Base Adv. Inf. Sy., 48 (3) (2017), pp. 11-43 DOI: 10.1145/3130515.3130518
[11]	M. Foth. Factors Influencing the Intention to Comply with Data Protection Regulations in Hospitals: based on Gender Differences in Behaviour and Deterrence. Eur. J. Inform. Syst., 25 (2) (2016), pp. 91-109 DOI: 10.1057/ejis.2015.9
[12]	K.D. Loch, H.H. Carr, M. Warkentin. Threats to Information Systems: today's Reality, Yesterday's Understanding. MIS Quart, 16 (2) (1992), pp. 173-186 DOI: 10.2307/249574
[13]	B. Bulgurcu, H. Cavusoglu, I. Benbasat. Information Security Policy Compliance: an Empirical Study of Rationality-based Beliefs and Information Security Awareness. MIS Quart, 34 (2010), pp. 523-548 DOI: 10.2307/25750690
[14]	M. Siponen, M.A. Mahmood, S. Pahnila. Employees' Adherence to Information Security Policies: an Exploratory Field Study. Inform. Manage., 51 (2) (2014), pp. 217-224 URL
[15]	J.P. Gibbs. Crime, punishment, and Deterrence. Elsevier, New York (1975)
[16]	R. Willison, M. Siponen. Overcoming the Insider: reducing Employee Computer Crime through Situational Crime Prevention. Commun. ACM, 52 (2009), pp. 133-137 DOI: 10.1145/1562164.1562198
[17]	M. Warkentin, R. Willison. Behavioral and Policy Issues in Information Systems Security: the Insider Threat. Eur. J. Inform. Syst., 18 (2) (2009), pp. 101-105 DOI: 10.1057/ejis.2009.12
[18]	T. Herath, H.R. Rao. Protection Motivation and Deterrence: a Framework for Security Policy Compliance in Organizations. Eur. J. Inform. Syst., 18 (2) (2009), pp. 106-125 DOI: 10.1057/ejis.2009.6
[19]	L. Myyry, M. Siponen, S. Pahnila, et al.. What Levels of Moral Reasoning and Values Explain Adherence to Information Security Rules? An Empirical Study. Eur. J. Inform. Syst., 18 (2) (2009), pp. 126-139 DOI: 10.1057/ejis.2009.10
[20]	M. Siponen, A. Vance. Neutralization: new Insights into the Problem of Employee Information Systems Security Policy Violations. MIS Quart, 34 (3) (2010), pp. 487-502 DOI: 10.2307/25750688
[21]	Q. Hu, T. Dinev, P. Hart, et al.. Managing Employee Compliance with Information Policies: the Role of Top Management and Organizational Culture. Decision Sci, 43 (4) (2012), pp. 615-660 DOI: 10.1111/j.1540-5915.2012.00361.x
[22]	A. Hovav, J. D'Arcy. Applying an Extended Model of Deterrence Across Cultures: an Investigation of Information Systems Misuse in the U.S. and South Korea. Inform. Manage., 49 (2) (2012), pp. 99-110 URL
[23]	D. Straub. Effective IS Security: an Empirical Study. Inform. Syst. Res., 1 (3) (1990), pp. 255-276 DOI: 10.1287/isre.1.3.255
[24]	J. D'Arcy, A. Hovav, D. Galletta. User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: a Deterrence Approach. Inform. Syst. Res., 20 (1) (2009), pp. 79-98 DOI: 10.1287/isre.1070.0160
[25]	Y. Chen, K. Ramamurthy, K. Wen. Organizations' Information Security Policy Compliance: stick or Carrot Approach. J. Manage. Inform. Syst., 29 (3) (2013), pp. 157-188 DOI: 10.1186/1556-276X-8-157
[26]	J. D'Arcy, T. Herath. A Review and Analysis of Deterrence Theory in the IS Security Literature: making Sense of the Disparate Findings. Eur. J. Inform. Syst., 20 (6) (2011), pp. 643-658 DOI: 10.1057/ejis.2011.23
[27]	R. Willison, P.B. Lowry, R. Paternoster. A Tale of Two Deterrents: considering the Role of Absolute and Restrictive Deterrence in Inspiring New Directions in Behavioral and Organizational Security. J. Assoc. Inf. Syst., 19 (12) (2018), pp. 1187-1216 DOI: 10.17705/1jais.00524
[28]	Q. Hu, Z. Xu, T. Dinev, et al.. Does Deterrence Work in Reducing Information Security Policy Abuse by Employees?. Commun. ACM, 54 (6) (2011), pp. 54-60 DOI: 10.1145/1953122.1953142
[29]	M. Siponen, W. Soliman, A. Vance. Common Misunderstandings of Deterrence Theory in Information Systems Research and Future Research Directions. ACM SIGMIS Database: The DATABASE for Advances in Information Systems, 53 (1) (2022), pp. 25-60 DOI: 10.1145/3514097.3514101
[30]	A. Beautement, A. Sasse. The Economics of User Effort in Information Security. Comput. Fraud Secur. (10) (2009), pp. 8-12 https://www.sciencedirect.com/science/article/pii/S1361372309701277/pdfft?md5=f275be386c9ef32cc6f11d1e205e1410&pid=1-s2.0-S1361372309701277-main.pdf DOI: 10.1016/s1361-3723(09)70127-7
[31]	R. Paternoster. How Much Do We Really Know about Criminal Deterrence. J. Crim. Law Criminol., 100 (3) (2010), pp. 765-824
[32]	J.A. Mirrlees. The Optimal Structure of Authority and Incentive within an Organization. Bell J. Econ., 7 (1) (1976), pp. 105-131 DOI: 10.2307/3003192
[33]	B. Holmström. Moral Hazard and Observability. Bell J. Econ., 10 (1) (1979), pp. 74-91 DOI: 10.2307/3003320
[34]	S. Grossman, O. Hart. An Analysis of the Principal-agent Problem. Econometrica, 51 (1) (1983), pp. 7-45 DOI: 10.2307/1912246
[35]	J. D'Arcy, S. Devaraj. Employee Misuse of Information Technology Resources: testing a Contemporary Deterrence Model. Decision Sci, 43 (6) (2012), pp. 1091-1124 DOI: 10.1111/j.1540-5915.2012.00383.x

Please choose a citation manager

Content to export