Punishment and ethics deterrents: A study of insider security contravention

Information security is a growing concern among the general population. For instance, it has been estimated by the U.S. Department of Justice (2004) that one in three people will become victims of identity theft at some point in their lifetime. The bulk of the research into information security has gone into the investigation of technological aspects of security, and there are gaps in the literature relative to contravention of security measures. Drawing from deterrence theory and using the theory of planned behavior as a general framework, this empirical field study investigated the effects of punishment and ethics training on behaviors related to contravention of information security measures among information professionals to fill an important gap in the literature. We found that both punishment and ethics training can be effective in mitigating the threat of software and information security, but that these depend on certain underlying motivational factors of individuals. The results of this study suggest a need to develop and refine the theoretical models, and we offer suggestions for getting at the root of behavioral issues surrounding information security.