Deterrence theory has been widely applied in information security behavioral research. In organizations, employees’ information security policy (ISP) compliance is definitely an important information security behavior. To explore employees’ ISP compliance, previous information security behavioral studies mainly based on the perspective of sanctions from deterrence theory; however, these studies have inconsistent results of deterrence effect, which mean that the direct effects of deterrence on employees’ information security behaviors are not universally applicable in all organization settings [1]. In addition, while most ISP compliance studies applied deterrence theory focus on the impacts of deterrence (i.e. punishment severity and detection certainty) on ISP compliance behaviors, these studies ignored the fact that, different individuals tend to have two fundamental needs: nurturance and security [2], that may affect the magnitude of the impact of deterrence on ISP compliance behaviors. Regulatory focus theory explains the needs and formulates two different regulatory foci: promotion and prevention. Promotion focus is more associated with need for growth and achievement, whereas prevention focus is more driven by security needs. In view of aforementioned research gaps, based on the deterrence theory and regulatory focus theory, this study tries to understand the effect of different regulatory focus on the relationship between deterrence and employees’ ISP compliance intention. We collected data through a questionnaire survey from the employees working in high tech industry in Taiwan. The results show that detection certainty and punishment severity positively affect ISP compliance intention. The relationship between punishment severity and ISP compliance intention is moderated by prevention focus and the relationship between detection certainty and ISP compliance intention is moderated by promotion focus. This study provides an in-depth understanding of deterrence in ISP compliance context while suggesting that regulatory focus plays an important role in affecting employees’ compliance with information security policy. Implications for both academic and practice are also highlighted to address the moderating effects on the relationship between deterrence and ISP compliance intention
關聯:
Proceedings of Forty-Fifth Annual Conference of the Western Decision Sciences Institute , pp.173-188
