IS Security Policy Violations: A Rational Choice Perspective

Employee violations of IS security policies are reported as a key concern for organizations. Although behavioral research on IS security has received increasing attention from IS scholars, little empirical research has examined this problem. To address this research gap, the authors test a model based on Rational Choice Theory (RCT)-a prominent criminological theory not yet applied in IS-which explains, in terms of a utilitarian calculation, an individual's decision to commit a violation. Empirical results show that the effects of informal sanctions, moral beliefs, and perceived benefits convincingly explain employee IS security policy violations, while the effect of formal sanctions is insignificant. Based on these findings, the authors discuss several implications for research and practice.