Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse

A. J. Burns, Tom L. Roberts, Clay Posey, Paul Benjamin Lowry and Bryan Fuller
Additional contact information
A. J. Burns: Stephenson Department of Entrepreneurship and Information Systems, E. J. Ourso College of Business, Louisiana State University, Baton Rouge, Louisiana 70803
Tom L. Roberts: Soules College of Business, The University of Texas at Tyler, Tyler, Texas 75799
Clay Posey: Information Systems Department, Marriott School of Business, Brigham Young University, Provo, Utah 84602
Paul Benjamin Lowry: Business Information Technology, Pamplin College of Business, Virginia Tech, Blacksburg, Virginia 24061
Bryan Fuller: Department of Management, Louisiana Tech University, Ruston, Louisiana 71272

Information Systems Research, 2023, vol. 34, issue 1, 342-362

Abstract: Despite widespread agreement among practitioners and academicians that organizational insiders are a significant threat to organizational information systems security, insider computer abuse (ICA)—unauthorized and deliberate misuse of organizational information resources by organizational insiders—remains a serious issue. Recent studies have shown that most employees are willing to share confidential or regulated information under certain circumstances, and nearly one-third to half of major security breaches are tied to insiders. These trends indicate that organizational security efforts, which generally focus on deterrence and sanctions, have yet to effectively address ICA. Therefore, leading security researchers and practitioners have called for a more nuanced understanding of insiders in respect to deterrence efforts. We answer these calls by proposing a middle-range theory of ICA that focuses on understanding the inherent tensions between insider motivations and organizational controls. Our careful review distinguishes two categories of personal motives for ICA: (1) instrumental (i.e., financial benefits) and (2) expressive (i.e., psychological contract violations) motives. Our novel theory of ICA also includes the influence of two classes of controls for ICA: (1) intrinsic (i.e., self-control) and (2) extrinsic (i.e., organizational deterrence) controls. We developed and empirically examined a research model based on our middle-range theory that explains a substantial portion of the variance in ICA. Specifically, our results indicate that both instrumental and expressive motives are positively related to ICA. Moreover, intrinsic self-control exerted significant direct and moderating influences in our research model, whereas extrinsic organizational deterrence failed to exhibit a direct effect on ICA and significantly moderated instrumental motives’ relationship with ICA only. Not only do our results show that self-control exerted a stronger effect on the model than deterrence did but they also help us identify the limits of deterrence in ICA research.

Keywords: cybersecurity; organizational security; information security; insider computer abuse (ICA); self-control theory; deterrence theory (DT); instrumental motives; expressive motives
Date: 2023

Downloads:
http://dx.doi.org/10.1287/isre.2022.1133 (application/pdf)

Persistent link: https://EconPapers.repec.org/RePEc:inm:orisre:v:34:y:2023:i:1:p:342-362

Page updated 2025-03-19
Handle: RePEc:inm:orisre:v:34:y:2023:i:1:p:342-362