DETERRING INTERNAL INFORMATION SYSTEMS MISUSE

Deterring employee intentions to misuse computer systems requires complementary technical and procedural controls.

By John D’Arcy and Anat Hovav

COMMUNICATIONS OF THE ACM October 2007/Vol. 50, No. 10 113

Though organizations are generally concerned with external security threats (such as viruses and hacking attempts) [9], industry surveys suggest that a substantial portion of computer security incidents are due to the intentional actions of legitimate users [2, 4]. A study by Vista Research in 2002 estimated that 70% of security breaches involving losses of more than $100,000 were internal, often perpetrated by disgruntled employees [8]. Besides financial loss, the negative consequences of such insider misuse of IS resources, or “IS misuse,” include negative publicity, competitive disadvantage, and loss of customer confidence. Security experts predict that the frequency of IS misuse and the loss associated with it will persist due to increasing user sophistication and the availability of advanced software tools [5].

Researchers and practitioners concerned with information security recommend that organizations implement security countermeasures to control IS misuse [7, 10]. Countermeasures should include a combination of procedural controls (such as security policy statements, acceptable usage guidelines, and security awareness education and training) and technical controls (such as biometric devices and filtering and monitoring software). They can serve as a deterrent in that users perceive a greater threat of getting caught and punished for IS misuse and therefore would be discouraged from engaging in such behavior.

Research on the topic has produced conflicting results. A notion supported in [11] maintains that security policy statements and access controls deter IS misuse, while [6, 12] found that security policies have limited effect. The study in [11] was conducted more than 20 years ago when most business computers were monolithic (mainframes), and the security function was much more centralized than it is today. Moreover, the analyses in [11, 12] were limited to the misuse incidents detected by the organization, often only a fraction of the actual number of incidents [7]. Meanwhile, the results of a survey reported in [5] (primarily of managers) regarding security policies may differ from users’ perceptions of the same policies.

Considering that the success of security countermeasures as a deterrence mechanism ultimately depends on the actions and awareness of end users, managers should understand the effect of controls from the user perspective. Such understanding would help produce a more realistic evaluation of the effect of security countermeasures on end-user computing behavior. Our 2005 study examined employee awareness of four security countermeasures—security policies, security-awareness programs, computer monitoring, and preventive security software—and their deterrent effect on user intentions regarding IS misuse. The results have important implications for IS security management within organizations.

Security policies typically include statements of organizational goals and beliefs, existing controls, and employee responsibilities [5]. Their purpose is to provide detailed guidance to users regarding acceptable use of organizational IS resources. International standard ISO 17799 provides a common set of “best practices” for writing and implementing security policies. However, security policies vary by industry and by organization. For example, health care organizations are likely to have more stringent policies than, say, educational institutions.

Security-awareness programs focus on raising employees’ awareness of their responsibilities regarding their organizations’ information resources and the consequences of abusing them, providing the necessary skills to help fulfill these responsibilities. Effective security awareness requires an ongoing effort by the organization, including: reminders to change passwords; email messages announcing new virus threats; security-awareness newsletters; and periodic briefings explaining the consequences of noncompliance.

Security technologies (such as internal firewalls and filters) are often implemented to prevent IS misuse [7]. Here, we focus on technical controls as a deterrent against IS misuse by convincing potential offenders of the certainty of detection [6, 10]. The effect is, however, contingent on user awareness of the controls. Therefore, we limit our discussion to two controls—computer monitoring and preventive security software—end users interact with. Computer monitoring records who is doing what in the system and when such action takes place; examples include monitoring employee email and Internet use, recording network activity, and performing security audits [2, 7]. Preventive security software includes access control and authentication programs. The most common ones employ a user ID or password to authenticate users [6, 11]. More sophisticated ones authenticate users via token-based approaches (such as smart cards) and biometric techniques (such as fingerprints) [2].

Table 1. Measuring security countermeasures (variable and sample items).

Security policies:
  My organization has established rules of behavior for the use of its computer resources.
  My organization has specific guidelines that govern what employees are allowed to do with their computers.

Security awareness program:
  My organization provides training to help employees improve their awareness of computer and information security issues.
  My organization educates employees on their computer security responsibilities.

Computer monitoring:
  I believe that employee computing activities are monitored by my organization.
  I believe that my organization monitors any modification or altering of computerized data by employees.

Preventive security software:
  A password is required to gain access to any computer system in my organization.
  My organization uses biometric controls (such as voice patterns and fingerprints) to authorize employees’ access to computer systems.

STUDY AND ANALYSIS

We conducted our 2005 study using a sample of employees from eight organizations across the U.S. and part-time MBA students from two mid-Atlantic U.S. universities. We used a Web-based survey to elicit respondents’ IS misuse intentions and awareness of security countermeasures within their organizations (see the sidebar “How the Survey Was Done”). All survey items were measured on seven-point scales with appropriate endpoints (for example, 1 = strongly disagree to 7 = strongly agree); Table 1 lists sample items for each of the countermeasures we measured. A panel of experts tested, modified, and validated the survey; we also used two pilot studies. The full-scale study yielded a total of 579 usable surveys. Respondents were all employed professionals who used a computer regularly in their jobs. About 64% were male, and about 50% were in the 25–34 age group. They held managerial (23%), technical (29%), professional (39%), and administrative (9%) positions in various industries, including manufacturing (32%), finance/insurance (22%), software (17%), health care (10%), advertising/marketing (7%), education (6%), and retail (6%). Company size ranged from small to large, with a sizable portion (44%) with 10,000 or more employees.

We initially examined respondents’ awareness of the four security countermeasures discussed earlier within their organizations (see the figure here). This helped assess the security efforts of respondent organizations from an end-user perspective. Respondents were most aware of the existence of security policies compared to the other countermeasures. This was not surprising given that such policies are relatively inexpensive to implement and that most organizations of at least moderate size employ some type of policy [5]. It is interesting to note that security-awareness programs had the lowest score of the four countermeasures, suggesting that although organizations invest resources in developing security policies, they don’t devote extensive resources toward educating users on the importance of compliance.

Figure. Awareness of security countermeasures (mean score on the seven-point scale, with standard deviation in parentheses). Security policies scored highest (5.23) and the security-awareness program lowest (4.46); computer monitoring and preventive security software scored 4.87 and 4.54; the standard deviations were 0.95, 0.98, 1.00, and 1.01.

We next performed a regression analysis to assess the effect of awareness of each of the security countermeasures on IS misuse intentions. To eliminate potential bias due to age and gender, we controlled for both these variables in the regression (see Table 2). With the exception of computer monitoring, awareness of each of the countermeasures had a significant negative effect on IS misuse intentions, suggesting that as end users become more aware of the existence of security policies, security-awareness programs, and preventive security software within their organizations, they are less likely to engage in the misuse behaviors in the survey. The results also suggest that the effect of the countermeasures is not the same. Users seem most deterred by the existence of security-awareness programs, followed by security policies and preventive security software. Awareness of computer monitoring does not appear to deter users from IS misuse.

Table 2. Regression results (security countermeasure; regression coefficient; result; interpretation).

Security policies; -0.142; significant. Greater awareness of security policies is negatively associated with IS misuse intention.
Security awareness program; -0.224; significant. Greater awareness of security awareness programs is negatively associated with IS misuse intention.
Computer monitoring; -0.055; not significant. Awareness of computer monitoring is not significantly associated with IS misuse intention.
Preventive security software; -0.135; significant. Greater awareness of preventive security software is negatively associated with IS misuse intention.

IMPLICATIONS

While security researchers and best-practice advocates extol the benefits of security-awareness programs [7, 10], there is little empirical evidence to support their claims. Our results provide evidence that educating users is an effective way to deter IS misuse. Moreover, considering that awareness programs also alert users to known vulnerabilities and exploits (such as viruses, identity theft, and social engineering), our results suggest that educating users on security issues helps reduce the intentions behind IS misuse. Our results also suggest that security-awareness education/training is the most neglected countermeasure by organizations compared to the other countermeasures in the survey. The survey’s results also have implications for the allocation of IS security budgets.

HOW THE SURVEY WAS DONE

The first part of the survey measured user intentions to misuse IS resources in various contexts ranging from low-risk to high-risk behavior, including password sharing, inappropriate use of email, software piracy, unauthorized access to company data, and unauthorized modification of company data. The survey described misuse behavior in the form of scenarios, and respondents indicated the likelihood of whether they would engage in each behavior.

Scenario 1. By chance, Alex found the password that would allow him to access the restricted computer system storing the salary information of all employees within his company. At the same time, Alex was preparing to ask for a raise. Before meeting with his boss, Alex accessed the computer system and viewed the salaries of others in similar jobs. Alex used the information to determine how much of a salary increase to ask for. If you were Alex, what is the likelihood that you would have accessed the system?

Very Unlikely 1 2 3 4 5 6 7 Very Likely

As the study focused on generalized patterns of IS misuse rather than on specific behaviors, we computed a composite IS misuse-intention score by summing the responses across the five scenarios for each respondent. To account for the possible confounding effects of socially acceptable responses, we included a preexisting scale [3] to measure social desirability bias (SDB). Our statistical tests revealed that SDB was not significantly correlated with IS misuse intention, suggesting that impression management concerns were not an issue in our study.

The second part of the survey included a series of questions that measured respondents’ awareness of security countermeasures within their organizations, as in Table 1. During our data analysis, we examined the construct validity of these newly developed measures using factor analysis. After eliminating a few items that had either weak loadings or cross-loaded on unintended constructs, four factors with eigenvalues greater than one emerged, corresponding to our four security countermeasure variables. Tests of reliability using Cronbach’s alpha revealed that all measurement scales had reliability scores above the recommended 0.70 threshold.
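The composite-score and reliability computation described in the survey sidebar, as an added example that is not part of the original article: it sums five seven-point scenario responses per respondent into one misuse-intention score and checks Cronbach’s alpha against the 0.70 threshold, including a constructed item set whose alpha falls below it. All response data is constructed for illustration, not taken from the study.

```python
# Added example (not the article's data or code): composite IS misuse-intention
# score and Cronbach's alpha reliability check, following the method in the
# "How the Survey Was Done" sidebar. Every response row below is constructed.

# Constructed sample: six respondents, each rating five misuse scenarios on the
# 1 (very unlikely) to 7 (very likely) scale. The items co-vary, as the items
# of a coherent scale should.
SCENARIO_RESPONSES = [
    [2, 1, 2, 1, 2],
    [5, 6, 5, 6, 5],
    [3, 3, 4, 3, 3],
    [1, 1, 1, 2, 1],
    [6, 7, 6, 6, 7],
    [4, 3, 4, 4, 3],
]

# Constructed counter-example: four respondents whose item responses do not
# co-vary, so the five items do not measure a single underlying construct.
UNRELATED_RESPONSES = [
    [1, 7, 4, 2, 6],
    [7, 1, 4, 6, 2],
    [4, 4, 1, 7, 7],
    [4, 4, 7, 1, 1],
]

RELIABILITY_THRESHOLD = 0.70  # recommended alpha floor cited in the sidebar


def composite_scores(responses):
    """Sum each respondent's scenario responses into one intention score."""
    return [sum(row) for row in responses]


def variance(values):
    """Sample variance with an n - 1 denominator."""
    n = len(values)
    if n < 2:
        raise ValueError("variance needs at least two observations")
    mean = sum(values) / n
    return sum((v - mean) ** 2 for v in values) / (n - 1)


def cronbach_alpha(responses):
    """alpha = k / (k - 1) * (1 - sum(item variances) / variance(total scores)).

    Items that barely co-vary give a low or even negative alpha; if the total
    scores do not vary at all, alpha is undefined and an error is raised.
    """
    k = len(responses[0])
    if k < 2 or any(len(row) != k for row in responses):
        raise ValueError("need at least two items and a rectangular matrix")
    item_variances = [variance([row[i] for row in responses]) for i in range(k)]
    total_variance = variance(composite_scores(responses))
    if total_variance == 0:
        raise ValueError("total scores do not vary; alpha is undefined")
    return (k / (k - 1)) * (1 - sum(item_variances) / total_variance)


def scale_is_reliable(responses, threshold=RELIABILITY_THRESHOLD):
    """Apply the sidebar's rule: keep a scale only if alpha >= threshold."""
    return cronbach_alpha(responses) >= threshold
```

For the coherent constructed scale alpha is about 0.985, while the unrelated items yield a negative alpha, which is the signal that such items would have been dropped during scale validation.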
In [4], over 70% of surveyed organizations indicated that they use security technologies (such as virus-detection software and firewalls) to protect information systems, while only 28% indicated that they have implemented security-awareness programs. Our results suggest that organizations should consider allocating a greater portion of their IS security budgets to ongoing security awareness.

Prior research suggested that security policies have little, if any, effect on individual IS misuse behavior [6, 12]. However, it used managers’ perceptions of security policies rather than asking end users directly; it is possible that employees were not fully aware of the security policies within their organizations. Therefore, an accurate assessment of the effect of these policies on end users could not be obtained. Such discrepancy between managers’ awareness of security policies and users’ awareness of the same policies is likely, given the lack of emphasis on user education and training. Our results suggest that users’ awareness of security-policy statements and guidelines decreases the likelihood that they will engage in IS misuse. Organizations should improve users’ awareness of security policies by introducing them during employee orientation, even making employees sign an acknowledgment that they have read and understand them. Security-policy statements and procedures should also be prominently displayed on the organization’s internal Web site.

The insignificant effect of computer monitoring on intentions regarding IS misuse is contrary to the notion that making users aware that they are being “watched” is an effective deterrent against IS misuse [11]. It is possible that users do not equate monitoring with being caught.
For example, our informal discussions with several of our 54 pilot study participants revealed that many believed that their organizations recorded employees’ Internet browsing and email behavior; however, they also doubted that IT personnel were reviewing these logs on a regular basis. A study [1] that found that monitoring had no effect on Internet abuse in the workplace is consistent with this line of thinking. It is also possible that even if users feel that monitoring increases their chances of getting caught, they doubt the punishment will be severe, since convicted computer abusers have historically received only light punishment, with some eventually hired as consultants [5]. Future research should examine the plausibility of these explanations in more detail in order to determine why computer monitoring does not seem to deter IS misuse.

The significant relationship between preventive security software and intentions regarding IS misuse empirically supports the argument that preventive technologies also serve as a deterrent by increasing users’ fear of detection [5, 10]. Hence, organizations should make a concerted effort to alert employees as to the latest technological solutions protecting IS resources. Providing real-time feedback during the password-construction process is one such approach.

The finding regarding the effect of preventive security software has additional implications. Because this software helps prevent unauthorized activity, the apparent deterrent effect of preventive technologies is over and above their core functionality. IS managers should highlight the added value of deterrence when proposing investment in preventive security technologies (such as smart cards and biometric devices) to upper management, especially given the high cost of their implementation.
CONCLUSION

The success of IS security depends largely on end-user behavior and awareness. Our study empirically examined user awareness of security policies, security-awareness programs, computer monitoring, and preventive security software and their effect on user intentions regarding IS misuse. With the exception of computer monitoring, each of these four security countermeasures appears to significantly reduce users’ IS misuse intentions. What makes this an important finding is that research indicates that managers consider IS security a preventive rather than a deterrent function [10]. Consequently, strategies for combating IS misuse are often reactive. Our results suggest that a combined proactive and preventive approach to security that deters users from IS misuse should include:

• Policy statements and guidelines for appropriate use of IS resources;
• Ways to inform and educate users on what constitutes legitimate use of IS resources and the consequences of illegitimate use;
• Ways to alert users to known vulnerabilities and threats to the organization’s IS assets; and
• Preventive security technologies that control access to IS resources.

They further suggest that ongoing security-awareness education and training is effective at deterring IS misuse and that monitoring end-user computer activity has little deterrent effect. However, while the results point to the benefits of procedural countermeasures, industry surveys continue to indicate that organizations manage IS security with a strong technological focus that places little emphasis on process controls. This disproportionate focus on technical countermeasures may partially explain why IS misuse remains a significant problem. Technical and procedural controls should complement one another. It seems that end users are sophisticated enough today that technical security controls alone cannot deter misuse; they need additional “proof” that the organization is serious about security.
Fostering a security culture that encourages compliance with security policies, along with end-user awareness and attention to security issues, will help reduce IS misuse in the workplace.

References

1. Galletta, D. and Polak, P. An empirical investigation of antecedents of Internet abuse in the workplace. In Proceedings of the Second Annual Workshop on HCI Research in MIS (Seattle, Dec. 12–13, 2003), 47–51.
2. Gordon, L., Loeb, M., Lucyshyn, W., and Richardson, R. 2006 CSI/FBI Computer Crime and Security Survey. Computer Security Institute, San Francisco, CA; www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml.
3. Hays, R., Hayashi, T., and Stewart, A. A five-item measure of socially desirable response set. Educational and Psychological Measurement 49, 3 (1989), 629–637.
4. InformationWeek. U.S. Information Security Research Report. InformationWeek (Aug. 29, 2005); www.informationweek.com/reports/showReport.jhtml?articleID=170100861.
5. Lee, J. and Lee, Y. A holistic model of computer abuse within organizations. Information Management & Computer Security 10, 2 (2002), 57–63.
6. Lee, S.M., Lee, S.-G., and Yoo, S. An integrative model of computer abuse based on social control and general deterrence theories. Information and Management 41, 6 (2004), 707–718.
7. Parker, D. Fighting Computer Crime. John Wiley & Sons, New York, 1998.
8. Standage, T. The weakest link. The Economist (Oct. 26, 2002), 11–14.
9. Stanton, J., Stam, K., Mastrangelo, P., and Jolton, J. An analysis of end-user security behaviors. Computers & Security 24, 2 (2005), 124–133.
10. Straub, D. and Welke, R. Coping with systems risk: Security planning models for management decision making. MIS Quarterly 22, 4 (Dec. 1998), 441–469.
11. Straub, D. Effective IS security: An empirical study. Information Systems Research 1, 3 (1990), 255–276.
12. Wiant, T. Policy and Its Impact on Medical Record Security. Unpublished doctoral dissertation, University of Kentucky, 2003.
John D’Arcy ([email protected]) is an assistant professor in the Department of Management in the Mendoza College of Business at the University of Notre Dame, South Bend, IN.

Anat Hovav ([email protected]) teaches at Korea University Business School, Seoul, South Korea.

© 2007 ACM 0001-0782/07/1000 $5.00