Research article

Understanding the deterrence effect of punishment for marine information security policies non-compliance

  • Xiaolong Wang a, *
  • Changlin Wang a
  • Tianyu Yi b
  • Wenli Li c
  • a School of Economics and Management, Binzhou University, Binzhou, 256600, China
  • b School of Business, Macau University of Science and Technology, Macau, 999078, China
  • c School of Economics and Management, Dalian University of Technology, Dalian, 116024, China
* School of Economics and Management, Binzhou University, Shandong, 256600, China. E-mail address: (X. Wang).

Received date: 2022-05-27
Revised date: 2022-05-29
Accepted date: 2022-06-01
Online published: 2022-06-03

Abstract

In the organizational setting of marine engineering, a significant number of information security incidents have arisen from employees' failure to comply with the information security policies (ISPs). This may be treated as a principal-agent problem with moral hazard between the employer and the employee, because the actual compliance effort of an employee is not observable without high cost. On the other hand, according to deterrence theory, the employer and the employee are inherently self-interested beings. It is worth examining to what extent the employee is self-interested in the marine ISPs compliance context. Moreover, it is important to clarify the proper degree of severity of punishment in terms of the deterrent effect. In this study, a marine ISPs compliance game model is proposed to evaluate the deterrence effect of punishment on the non-compliance behavior of employee individuals. It is found that in a non-punishment contract, the employee will decline to comply with the marine ISPs; but in a punishment contract, appropriate punishment will lead her to select the marine ISPs compliance effort level expected by the employer, and cause no potential backfire effect.

Cite this article

Xiaolong Wang , Changlin Wang , Tianyu Yi , Wenli Li . Understanding the deterrence effect of punishment for marine information security policies non-compliance[J]. Journal of Ocean Engineering and Science, 2024 , 9(1) : 9 -12 . DOI: 10.1016/j.joes.2022.06.001

Introduction

Employees’ non-compliance behaviors violating the marine Information Security Policies (ISPs) have resulted in a large number of information security incidents [1], [2], [3], [4], [5], [6]. The ISPs refer to a set of rules or regulations formulated by an organization of marine engineering, which the employees are required to abide by [7], [8], [9], [10], [11]. The various marine ISPs non-compliance behaviors include volitional but unmalicious non-compliance as well as intentional and malicious computer abuse [12]. Previous studies have shown that the information security incidents caused even by a single employee can be devastating [13], [14]. The factors influencing these non-compliance behaviors are worth exploring for the management of information security in the organizational setting of marine engineering.
Empirical methods have been used to study ISPs non-compliance behaviors, and many of these studies are based on deterrence theory [15], [16], [17], [18], [19], [20], [21], [22]. Straub et al. emphasized the deterrence that sanctions exert on computer abuse, and the primary importance of such deterrence in preventing that behavior [23]. D'Arcy et al. pointed out that information system misuse can be reduced once employees perceive the severity and certainty of sanctions [24]. Similar results have been obtained by Bulgurcu et al. [13] and Chen et al. [25]. However, opposite results have also been reported regarding the influence of punishment on ISPs non-compliance [2], [26], [27], [28], [29]. For example, Moody et al. argued that the influence of deterrents is not found to be significant. There is no consensus among these empirical studies [26].
Alternatively, from the economic perspective, Beautement et al. suggested that the ISPs non-compliance behavior of employee individuals can be well understood [30]. Their study indicates that the key factors affecting the compliance decision are the actual and anticipated cost and the benefit of compliance for employee individuals, and that understanding the economic essence of non-compliance provides a better basis for designing countermeasures to influence it. Hence, the employer should accept that compliance with the ISPs is a finite resource that needs to be carefully managed [30]. Chen et al. also demonstrated that an employee considers the potential effect of punishment on her utility function when she has decided not to comply with the ISPs [25]. Paternoster proposed that the deterrence of punishment is essentially consistent with the economic hypothesis of the rational actor [31]. From the economic viewpoint, an employee individual is assumed to be a rational actor pursuing maximized payoffs in the organizational setting of marine engineering, and she will choose to comply with the ISPs if the punishment for non-compliance exceeds the benefit obtained from it. In the practical context of marine ISPs compliance management, however, the compliance effort of an employee individual (the agent) generally cannot be observed and accurately measured by the employer (the principal) without high cost. In the present study, the principal-agent model with moral hazard [32], [33], [34], [35] is used to explore the deterrence effect of punishment on motivating an employee individual to comply with the marine ISPs. Since both the employer and the employee are self-interested beings, a vital problem, namely to what extent the marine engineering employee is self-interested, needs to be examined carefully.
Moreover, in the marine ISPs compliance context, it is important to clarify the proper level of severity of punishment in terms of the deterrent effect, i.e., to what extent the punishment actually leads to the anticipated deterrence effect, since an unjustified punishment may result in a decreased compliance level, for instance through a decrease in information security attitude and organizational commitment; that is, an unjustified punishment may lead to a backfire effect [29]. We first propose an extensive-form marine ISPs compliance game model to explore more deeply the deterrence effect of punishment on the non-compliance behavior of marine engineering employee individuals. The deterrence effect of punishment is then analyzed using the compliance game model.

A marine ISPs compliance game model

For the deterrence effect of punishment on the marine ISPs compliance behavior of employee individuals in the organizational setting, a principal-agent problem with moral hazard is considered. Some random factors may influence the compliance outcome of the marine engineering employee, and are also taken into account. The marine engineering employer cannot design a contract specifying a transfer as a function of the compliance effort. Although the compliance effort of the employee cannot be observed and measured accurately, the marine ISPs compliance outcome of the employee can be confirmed with certainty. A contract thus can be designed by the employer based on this outcome.
Suppose that (I) the two players of the marine ISPs compliance game are an employer and an employee individual in an organization of marine engineering; (II) marine ISPs compliance is the only task assigned to the employee in a given time period; (III) the two players are rational, i.e., the employer and the employee are self-interested beings; (IV) the two players share common knowledge; (V) each player is aware of the game rules; (VI) the marine ISPs compliance effort of the employee together with the random factors determines the compliance outcome; (VII) the employer is risk neutral with utility function $u(x) = x$, where $x$ stands for the amount of payoff of the employer; (VIII) the employee is risk averse with utility function $v(z) = z^{\mu}$, $0 < \mu < 1$, where $z$ stands for the amount of payoff of the employee; (IX) a good compliance outcome brings the employer a revenue $m_0$, while a bad outcome results in a revenue of $m_1$; and (X) the interaction of the two players is depicted by the extensive-form representation in Fig. 1.
Fig. 1. The marine ISPs compliance game model 1.
This marine ISPs compliance game proceeds as follows. (I) At the beginning of the game, the employer (Pr) offers the employee (Ag) a punishment-and-wage package. In particular, the employee is paid a wage $w$ regardless of the compliance outcome, whereas the punishment $f$, $f > 0$, is imposed only if the outcome is bad. Here, the punishment can be a formal sanction such as a financial penalty or incarceration, or an informal punishment such as social disapproval, self-disapproval or shame. (II) The employee decides whether or not to accept the contract package. If she declines the contract, viz., she chooses No, the game ends; in this case the expected payoffs of the employer and the employee are $0$ and $w_0^{\mu}$, respectively, where $w_0^{\mu}$ is the expected payoff the employee obtains from her outside options. (III) If the employee accepts, viz., she chooses Yes, she then decides whether to comply with the ISPs (C) or not (NC). The choice of NC leads to a chance node (Node 1) at which nature (the pseudo-player) randomly selects a good (G) or bad (B) compliance outcome, with probabilities $1 - p_1$ and $p_1$, respectively; it is reasonable to assume $p_1 > 1 - p_1$. Along the C branch, nature selects G and B with probabilities $p_2$ and $1 - p_2$ at the chance node (Node 2), respectively, and $p_2 > 1 - p_2$ is assumed.
Suppose the employee chooses to comply with the marine ISPs. If nature selects G, the employer's payoff is $m_0 - w$ from the utility function $u(x) = x$, and with $v(z) = z^{\mu}$, $0 < \mu < 1$, the employee gets the utility $(w - c_0)^{\mu}$, where $c_0$ is the compliance effort cost of the employee. If nature selects B, the employer and the employee get the utilities $m_1 - w + f$ and $(w - c_0 - f)^{\mu}$, respectively. Suppose instead that the employee does not comply with the marine ISPs. The employer and the employee get the utilities $m_0 - w$ and $w^{\mu}$ if nature selects G, and $m_1 - w + f$ and $(w - f)^{\mu}$ if nature selects B.
Consequently, the expected payoffs at the two chance nodes are obtained. When the employee selects C, the expected payoffs of the employer and the employee are $p_2 (m_0 - w) + (1 - p_2)(m_1 - w + f)$ and $p_2 (w - c_0)^{\mu} + (1 - p_2)(w - c_0 - f)^{\mu}$, respectively. If the employee selects NC, the expected payoffs of the employer and the employee are $(1 - p_1)(m_0 - w) + p_1 (m_1 - w + f)$ and $(1 - p_1) w^{\mu} + p_1 (w - f)^{\mu}$, respectively. With these expected payoffs, the marine ISPs compliance game is further illustrated in extensive form (Fig. 2).
Fig. 2. The marine ISPs compliance game model 2.

The deterrence effect of punishment

Based on the marine ISPs compliance game model, the deterrence effect of punishment on the non-compliance behavior of employee individuals can be derived. The non-punishment contract is considered first. If $f = 0$ and the employee chooses to comply with the marine ISPs, her expected payoff reduces to $p_2 (w - c_0)^{\mu} + (1 - p_2)(w - c_0 - f)^{\mu} = (w - c_0)^{\mu}$. If $f = 0$ and she chooses non-compliance, it reduces to $(1 - p_1) w^{\mu} + p_1 (w - f)^{\mu} = w^{\mu}$. Since $(w - c_0)^{\mu} < w^{\mu}$, the employee will decide not to comply with the marine ISPs.
In the case of $f \neq 0$, for the employee to be motivated to follow the marine ISPs, the punishment contract she is willing to accept must satisfy the participation constraint: the expected payoff from C must be no less than what she can obtain from her outside options, viz., $p_2 (w - c_0)^{\mu} + (1 - p_2)(w - c_0 - f)^{\mu} \ge w_0^{\mu}$. Meanwhile, the employer designs the punishment contract to maximize her own payoff. Given this inequality, the employer can raise the punishment as long as the participation constraint remains satisfied, so the optimal punishment contract for the employer makes the constraint bind: $p_2 (w - c_0)^{\mu} + (1 - p_2)(w - c_0 - f)^{\mu} = w_0^{\mu}$. If the contract is designed so that the employee's expected payoff from C is no less than that from NC, the employee is motivated to comply with the marine ISPs. This gives the incentive compatibility condition: $p_2 (w - c_0)^{\mu} + (1 - p_2)(w - c_0 - f)^{\mu} \ge (1 - p_1) w^{\mu} + p_1 (w - f)^{\mu}$. Now hold the expected payoff of the employee fixed at a constant $r$, and express the punishment $f$ corresponding to $w$ as a function $g(w)$ with $g(w) > 0$, viz., $p_2 (w - c_0)^{\mu} + (1 - p_2)(w - c_0 - g(w))^{\mu} = r$. Differentiating this identity with respect to $w$ and solving for $g'(w)$ gives $g'(w) = 1 + \frac{p_2}{1 - p_2}\left(1 - \frac{g(w)}{w - c_0}\right)^{1 - \mu}$. When $w - c_0 \ge g(w)$, the bracketed term lies in $[0, 1]$, so $g'(w) \ge 1$. This result reveals that, if the increment of the punishment $f$ is greater than that of $w$, the expected payoff of the individual employee can be kept unchanged (at $r$), and the equation $p_2 (w - c_0)^{\mu} + (1 - p_2)(w - c_0 - f)^{\mu} = w_0^{\mu}$ is satisfied correspondingly. Increasing the punishment $f$ raises the employer's expected payoff while leaving that of the employee unchanged. Hence the following equation is established: $p_2 (w - c_0)^{\mu} + (1 - p_2)(w - c_0 - f)^{\mu} = (1 - p_1) w^{\mu} + p_1 (w - f)^{\mu}$. Combining the preceding equations, we obtain $(1 - p_1) w^{\mu} + p_1 (w - f)^{\mu} = w_0^{\mu}$.
This result means that, the employee individual will accept the contract in which f and w satisfy the equation, and she will select the marine ISPs compliance effort level expected by the employer. Meanwhile, the potential backfire effect of punishment is eliminated accordingly.
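A worked numerical instance of the game model and of the deterrence analysis above, added here as an example and not part of the paper: it evaluates the expected payoffs of Fig. 2, applies backward induction at the employee's decision nodes, solves the binding participation constraint for the employer's optimal punishment by bisection, and checks the slope of the punishment schedule against the derived formula for $g'(w)$. All parameter values are constructed for illustration, and the function names are this example's own.

```python
# Added worked instance of the paper's compliance game (example code, not the
# authors'); the parameter values in main are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Game:
    p1: float  # P(bad outcome | NC); the paper assumes p1 > 1 - p1
    p2: float  # P(good outcome | C); the paper assumes p2 > 1 - p2
    m0: float  # employer revenue on a good outcome
    m1: float  # employer revenue on a bad outcome
    c0: float  # employee's compliance effort cost
    mu: float  # exponent of v(z) = z**mu, 0 < mu < 1 (risk aversion)
    w0: float  # outside option; the employee's reservation utility is w0**mu

def _check(g, w, f):
    # v(z) = z**mu is only defined for z >= 0, so f may not exceed w - c0.
    if f < 0 or w - g.c0 - f < 0:
        raise ValueError("punishment must satisfy 0 <= f <= w - c0")

def employee_c(g, w, f):
    """Expected utility of complying: p2 (w-c0)^mu + (1-p2)(w-c0-f)^mu."""
    _check(g, w, f)
    return g.p2 * (w - g.c0) ** g.mu + (1 - g.p2) * (w - g.c0 - f) ** g.mu

def employee_nc(g, w, f):
    """Expected utility of not complying: (1-p1) w^mu + p1 (w-f)^mu."""
    _check(g, w, f)
    return (1 - g.p1) * w ** g.mu + g.p1 * (w - f) ** g.mu

def employer_c(g, w, f):
    """Employer's expected payoff when the employee complies."""
    return g.p2 * (g.m0 - w) + (1 - g.p2) * (g.m1 - w + f)

def employee_choice(g, w, f):
    """Backward induction at the employee's nodes: 'No', 'C' or 'NC'."""
    uc, unc = employee_c(g, w, f), employee_nc(g, w, f)
    if max(uc, unc) < g.w0 ** g.mu:  # participation constraint fails
        return "No"
    return "C" if uc >= unc else "NC"

def optimal_punishment(g, w, tol=1e-9):
    """Largest f keeping the participation constraint satisfied, i.e. the root
    of p2 (w-c0)^mu + (1-p2)(w-c0-f)^mu = w0^mu, by bisection on [0, w-c0].
    Returns None when even f = 0 cannot satisfy participation."""
    r, lo, hi = g.w0 ** g.mu, 0.0, w - g.c0
    if employee_c(g, w, lo) < r:
        return None
    while hi - lo > tol:
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if employee_c(g, w, mid) >= r else (lo, mid)
    return lo

def g_prime(g, w, f):
    """Slope g'(w) = 1 + p2/(1-p2) * (1 - f/(w-c0))^(1-mu) of the iso-utility
    punishment schedule derived in the text; it is >= 1 whenever f <= w - c0."""
    return 1 + g.p2 / (1 - g.p2) * (1 - f / (w - g.c0)) ** (1 - g.mu)

if __name__ == "__main__":
    G = Game(p1=0.7, p2=0.8, m0=100.0, m1=40.0, c0=5.0, mu=0.5, w0=20.0)
    print("f = 0 ->", employee_choice(G, 30.0, 0.0))  # the non-punishment contract
    f_star = optimal_punishment(G, 30.0)
    print("f* = %.4f -> %s, g'(w) = %.4f"
          % (f_star, employee_choice(G, 30.0, f_star), g_prime(G, 30.0, f_star)))
```

With the constructed parameters the non-punishment contract yields NC, while the binding punishment makes C the employee's best reply and raises the employer's expected payoff, matching the conclusion of the section.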

Concluding remarks

The deterrence theory is incorporated into the principal-agent model with moral hazard to understand the marine information security policies compliance behavior of employee individuals. The results show that an employee individual will decline to comply with the marine information security policies in a non-punishment contract, but in a punishment contract, appropriate punishment will lead her to exert the compliance effort level expected by the employer. It helps clarify to what extent the marine engineering employee is self-interested, and to what extent punishment works for the compliance level expected by the employer, and hence would be useful for the marine information security practitioners to make better decisions on the application of punishment.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgements

This work was funded in part by the National Natural Science Foundation of China (No. 70972058, No. 71272092 and No. 71431002), and portions of this work were presented at the 7th International Conference on Social Science, Education and Humanities Research in 2018, DOI: 10.25236/ssehr.2018.005.
[1]
Herjavec Group, "2022 Cybersecurity Conversations Report", available at: accessed 21 May 2022).

[2]
G.D. Moody, M. Siponen, S. Pahnila. Toward a Unified Model of Information Security Policy Compliance. MIS Quart, 42 (1) (2018), pp. 285-311

[3]
M. Silic, P.B. Lowry. Using Design-science Based Gamification to Improve Organizational Security Training and Compliance. J. Manage. Inform. Syst., 37 (1) (2020), pp. 129-161 DOI: 10.1080/07421222.2019.1705512

[4]
J. Zhou, Y. Fang, V. Grover. Managing Collective Enterprise Information Systems Compliance: a Social and Performance Management Context Perspective. MIS Quart, 46 (1) (2022), pp. 71-100 DOI: 10.25300/misq/2022/14727

[5]
C. Liu, H. Liang, N. Wang, et al. Ensuring Employees' Information Security Policy Compliance by Carrot and Stick: the Moderating Roles of Organizational Commitment and Gender. Inform. Technol. Peopl., 35 (2) (2022), pp. 802-834 DOI: 10.1108/itp-09-2019-0452

[6]
M.A. Mahmood, M. Siponen, D. Straub, et al. Moving Toward Black Hat Research in Information Systems Security: an Editorial Introduction to the Special Issue. MIS Quart, 34 (3) (2010), pp. 431-433 DOI: 10.2307/25750685

[7]
J. D'Arcy, P.B. Lowry. Cognitive-affective Drivers of Employees' Daily Compliance with Information Security Policies: a Multilevel, Longitudinal Study. Inform. Syst. J., 29 (1) (2019), pp. 43-69 DOI: 10.1111/isj.12173

[8]
M. Karjalainen, M. Siponen, S. Sarker. Toward a Stage Theory of the Development of Employees' Information Security Behavior. Comput. Secur., 93 (12) (2020), Article 101782

[9]
Y. Chen, D. Galletta, P.B. Lowry. Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model. Inform. Syst. Res., 32 (3) (2021), pp. 1043-1065 DOI: 10.1287/isre.2021.1014

[10]
P. Balozian, D. Leidner. Review of IS Security Policy Compliance: toward the Building Blocks of an IS Security Theory. Data Base Adv. Inf. Sy., 48 (3) (2017), pp. 11-43 DOI: 10.1145/3130515.3130518

[11]
M. Foth. Factors Influencing the Intention to Comply with Data Protection Regulations in Hospitals: based on Gender Differences in Behaviour and Deterrence. Eur. J. Inform. Syst., 25 (2) (2016), pp. 91-109 DOI: 10.1057/ejis.2015.9

[12]
K.D. Loch, H.H. Carr, M. Warkentin. Threats to Information Systems: today's Reality, Yesterday's Understanding. MIS Quart, 16 (2) (1992), pp. 173-186 DOI: 10.2307/249574

[13]
B. Bulgurcu, H. Cavusoglu, I. Benbasat. Information Security Policy Compliance: an Empirical Study of Rationality-based Beliefs and Information Security Awareness. MIS Quart, 34 (2010), pp. 523-548 DOI: 10.2307/25750690

[14]
M. Siponen, M.A. Mahmood, S. Pahnila. Employees' Adherence to Information Security Policies: an Exploratory Field Study. Inform. Manage., 51 (2) (2014), pp. 217-224

[15]
J.P. Gibbs. Crime, punishment, and Deterrence. Elsevier, New York (1975)

[16]
R. Willison, M. Siponen. Overcoming the Insider: reducing Employee Computer Crime through Situational Crime Prevention. Commun. ACM, 52 (2009), pp. 133-137 DOI: 10.1145/1562164.1562198

[17]
M. Warkentin, R. Willison. Behavioral and Policy Issues in Information Systems Security: the Insider Threat. Eur. J. Inform. Syst., 18 (2) (2009), pp. 101-105 DOI: 10.1057/ejis.2009.12

[18]
T. Herath, H.R. Rao. Protection Motivation and Deterrence: a Framework for Security Policy Compliance in Organizations. Eur. J. Inform. Syst., 18 (2) (2009), pp. 106-125 DOI: 10.1057/ejis.2009.6

[19]
L. Myyry, M. Siponen, S. Pahnila, et al. What Levels of Moral Reasoning and Values Explain Adherence to Information Security Rules? An Empirical Study. Eur. J. Inform. Syst., 18 (2) (2009), pp. 126-139 DOI: 10.1057/ejis.2009.10

[20]
M. Siponen, A. Vance. Neutralization: new Insights into the Problem of Employee Information Systems Security Policy Violations. MIS Quart, 34 (3) (2010), pp. 487-502 DOI: 10.2307/25750688

[21]
Q. Hu, T. Dinev, P. Hart, et al. Managing Employee Compliance with Information Policies: the Role of Top Management and Organizational Culture. Decision Sci, 43 (4) (2012), pp. 615-660 DOI: 10.1111/j.1540-5915.2012.00361.x

[22]
A. Hovav, J. D'Arcy. Applying an Extended Model of Deterrence Across Cultures: an Investigation of Information Systems Misuse in the U.S. and South Korea. Inform. Manage., 49 (2) (2012), pp. 99-110

[23]
D. Straub. Effective IS Security: an Empirical Study. Inform. Syst. Res., 1 (3) (1990), pp. 255-276 DOI: 10.1287/isre.1.3.255

[24]
J. D'Arcy, A. Hovav, D. Galletta. User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: a Deterrence Approach. Inform. Syst. Res., 20 (1) (2009), pp. 79-98 DOI: 10.1287/isre.1070.0160

[25]
Y. Chen, K. Ramamurthy, K. Wen. Organizations' Information Security Policy Compliance: stick or Carrot Approach. J. Manage. Inform. Syst., 29 (3) (2013), pp. 157-188 DOI: 10.1186/1556-276X-8-157

[26]
J. D'Arcy, T. Herath. A Review and Analysis of Deterrence Theory in the IS Security Literature: making Sense of the Disparate Findings. Eur. J. Inform. Syst., 20 (6) (2011), pp. 643-658 DOI: 10.1057/ejis.2011.23

[27]
R. Willison, P.B. Lowry, R. Paternoster. A Tale of Two Deterrents: considering the Role of Absolute and Restrictive Deterrence in Inspiring New Directions in Behavioral and Organizational Security. J. Assoc. Inf. Syst., 19 (12) (2018), pp. 1187-1216 DOI: 10.17705/1jais.00524

[28]
Q. Hu, Z. Xu, T. Dinev, et al. Does Deterrence Work in Reducing Information Security Policy Abuse by Employees? Commun. ACM, 54 (6) (2011), pp. 54-60 DOI: 10.1145/1953122.1953142

[29]
M. Siponen, W. Soliman, A. Vance. Common Misunderstandings of Deterrence Theory in Information Systems Research and Future Research Directions. ACM SIGMIS Database: The DATABASE for Advances in Information Systems, 53 (1) (2022), pp. 25-60 DOI: 10.1145/3514097.3514101

[30]
A. Beautement, A. Sasse. The Economics of User Effort in Information Security. Comput. Fraud Secur. (10) (2009), pp. 8-12 DOI: 10.1016/s1361-3723(09)70127-7

[31]
R. Paternoster. How Much Do We Really Know about Criminal Deterrence. J. Crim. Law Criminol., 100 (3) (2010), pp. 765-824

[32]
J.A. Mirrlees. The Optimal Structure of Authority and Incentive within an Organization. Bell J. Econ., 7 (1) (1976), pp. 105-131 DOI: 10.2307/3003192

[33]
B. Holmström. Moral Hazard and Observability. Bell J. Econ., 10 (1) (1979), pp. 74-91 DOI: 10.2307/3003320

[34]
S. Grossman, O. Hart. An Analysis of the Principal-agent Problem. Econometrica, 51 (1) (1983), pp. 7-45 DOI: 10.2307/1912246

[35]
J. D'Arcy, S. Devaraj. Employee Misuse of Information Technology Resources: testing a Contemporary Deterrence Model. Decision Sci, 43 (6) (2012), pp. 1091-1124 DOI: 10.1111/j.1540-5915.2012.00383.x
