Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory

It is widely agreed that a large amount of information systems (IS) security incidents occur in the workplace because employees subvert existing IS Security Policy (ISSP). In order to understand the factors that constrain employees from deviance and violation of the organizational ISSP, past work has traditionally viewed this issue through the lens of formal deterrence mechanisms; we postulated that we could better explain employees’ ISSP violation behaviours through considering both formal and informal control factors as well as through considering existing deterrence theory. We therefore developed a theoretical model based on both deterrence and social bond theories rooted in a social control perspective to better understand employee behaviour in this context. The model is validated using survey data of 185 employees. Our empirical results highlight that both formal and informal controls have a significant effect on employees’ ISSP violation intentions. To be specific, employees’ social bonding is found to have mixed impacts on the employee’s intention to violate ISSP. Social pressures exerted by subjective norms and co-worker behaviours also significantly influence employees’ ISSP violation intentions. In analyzing the formal sanctions, the perceived severity of sanctions was found to be significant while, perceived certainty of those sanctions was not. We discuss the key implications of our findings for managers and researchers and the implications for professional practice.