Online Supplementary Appendix – Tables A1, A2, and A3

Table A1: Overview of IS Deterrence Studies
Study / Deterrence Constructs / Other Constructs / Dependent Variable / Summary of Deterrence Findings
D’Arcy et al. (2009) / Perceived certainty of formal sanctions, perceived severity of formal sanctions / Security policies, SETA program, computer monitoring, moral commitment, organization / IS misuse intention / Perceived severity was associated with lower IS misuse intention. Perceived certainty was only significant for individuals with high moral commitment scores. Security policies, SETA program, and computer monitoring had indirect effects on IS misuse intention.
D’Arcy and Hovav (2009) / Security policies, SETA program, computer monitoring / Virtual status, computer self-efficacy / Unauthorized access intention, unauthorized modification intention / SETA program was associated with lower unauthorized access intention; security policies and computer monitoring were associated with lower unauthorized modification intention. Purpose of the study was to assess the moderating influences of virtual status and computer self-efficacy.
Gopal and Sanders (1997) / Information on the certainty and severity of legal consequences for software piracy / Ethical index, age, gender / Software piracy intention / Participants who received the deterrence information had significantly lower intentions to commit software piracy.
Harrington (1996) / General and IS codes of ethics (proxies for certainty and severity of formal sanctions) / Denial of responsibility / Computer abuse judgments and intentions / General codes had no impact on computer abuse judgments and intentions, except for individuals high in responsibility denial. IS-specific codes had a small effect.
Herath and Rao (2009a) / Perceived certainty of detection, perceived severity of penalty / Normative beliefs, peer behavior, perceived effectiveness / IS security policy compliance intention / Perceived certainty of detection was positively associated with compliance intention. Perceived severity of penalty was negatively associated with compliance intention, contrary to expectations.
Herath and Rao (2009b) / Perceived certainty of detection, perceived severity of penalty / Various constructs from Protection Motivation Theory and Theory of Planned Behavior / IS security policy compliance intention / Perceived certainty of detection was positively associated with compliance intention. Perceived severity of penalty was negatively associated with compliance intention, contrary to expectations.
Higgins et al. (2005) / Perceived certainty of detection, perceived severity of fine, self disapproval, social disapproval, moral beliefs / Self-control, prior software piracy, peer association, age, gender / Software piracy intention / Perceived certainty of detection, but not severity of fine, was associated with lower piracy intention. Other significant variables were self disapproval, social disapproval, peer association, self-control, and gender.
Hollinger (1993) / Perceived certainty of getting caught / Peer involvement and various demographic variables / Software piracy and unauthorized access behavior (self-reported) / Perceived certainty of getting caught was associated with reduced software piracy but not unauthorized access.
Kankanhalli et al. (2003) / Security personnel hours (proxy for certainty of formal sanctions) and punishment severity / Preventative security software, organization size, top management support, industry type / Perceived IS security effectiveness / Deterrent and preventative efforts were positively associated with IS managers’ perceived security effectiveness. Deterrent severity was not.
Lee et al. (2004) / Security policies, security awareness, security system (proxies for certainty and severity of formal sanctions) / Attachment, commitment, involvement, norm / IS security intention (intention to install access control and intrusion prevention software) / Security system was positively associated with IS security intention while security policies and security awareness were not.
Li et al. (2010) / Perceived detection probability, perceived formal sanction severity, informal sanction (subjective norm) / Perceived benefits, security risk, personal and organizational norms, identification / Internet usage policy compliance intention / Perceived detection probability, but not sanction severity, was positively associated with compliance intention. Perceived benefits and personal norms were also significant.
Pahnila et al. (2007) / Sanctions (combination of formal and informal) / Threat appraisal, coping appraisal, normative beliefs, information quality, facilitating conditions, habits, rewards, attitude / IS security policy compliance intention / Sanctions were not significantly associated with IS security policy compliance intention.
Siponen et al. (2007) / Sanctions (combination of formal and informal) / Threat appraisal, response efficacy, self-efficacy / IS security policy compliance (self-reported) / Sanctions were positively associated with IS security policy compliance.
Siponen and Vance (2010) / Perceived certainty and severity of formal sanctions, informal sanctions, and shame / Defense of necessity, appeal to higher loyalties, condemn the condemners, metaphor of the ledger, denial of injury, denial of responsibility / Intention to violate IS security policy / Shame, formal, and informal sanctions were not associated with intention to violate security policy. Purpose of the study was to assess the influence of neutralization constructs but deterrence constructs were included for comparative purposes.
Skinner and Fream (1997) / Perceived certainty of apprehension, perceived severity of punishment / Various constructs from social learning theory / Software piracy; two types of unauthorized access; combined index of the three (self-reported) / The only significant deterrence relationship was the influence of perceived severity of punishment on illegally accessing accounts.
Straub (1990) / Investment in security countermeasures (proxies for certainty and severity of formal sanctions) / Security software, offender motivation, security tightness and visibility / Computer abuse incidents / Use of security countermeasures was associated with reduced incidence of computer abuse. Deterrent severity was stronger than deterrent certainty.
Zhang et al. (2006) / Perceived certainty of punishment, perceived severity of punishment / Self-control, self-efficacy / Digital piracy behavior (self-reported) / Perceived certainty of punishment was associated with lower digital piracy behavior but perceived severity was not.

Table A2: Summary of Methodological Treatment in IS Deterrence Studies
Study / Deterrence Constructs / Significance / Treatment (Deterrence Constructs) / Dependent Variable / Treatment (Dependent Variable) / Sample Characteristics (Level of Analysis)
D’Arcy et al. (2009) / Perceived certainty of formal sanctions / Not significant / Constructs treated as separate (summed responses for four scenarios) / (-) IS misuse intention. Participants given four IS misuse scenarios (sending inappropriate email, unauthorized access and modification, software piracy) / Summed responses for four scenarios / 269 employees in nine U.S. organizations (Individual)
Perceived severity of formal sanctions / Significant
D’Arcy and Hovav (2009) / Security policies / Significant (unauthorized modification only) / Constructs treated as separate (proxies for perceived formal sanctions) / (-) Unauthorized access and modification intention. Participants given two scenarios / Individual analysis of each scenario / 507 employees in eight U.S. organizations and MBA students (Individual)
SETA program / Significant (unauthorized access only)
Computer monitoring / Significant (unauthorized modification only)
Gopal and Sanders (1997) / Certainty and severity of legal consequences for software piracy (i.e., deterrence information) / Significant / Certainty and severity constructs treated together (respondents received a one-page sheet with this information) / (-) Software piracy intention. Participants given four software piracy scenarios: self, family, friend, and colleague / Summed responses for four scenarios / 123 U.S. MBA students (Individual)
Harrington (1996) / IS and general codes of ethics / Significant (computer sabotage only); moderated by denial of responsibility personality trait / Constructs treated as separate (proxies for perceived formal sanctions) / (-) Computer abuse intention. Participants given five computer abuse scenarios: hacking software; computer sabotage; spreading viruses; fraudulent computer usage. / Individual analysis of each scenario / 219 IS employees in nine U.S. organizations (Individual)
Herath and Rao (2009a, b) / Perceived certainty of detection / Significant / Constructs treated as separate / (+) IS security policy compliance intention. Items measuring projected IS security policy compliance behavior. / Single construct measured once / 312 employees in twelve U.S. organizations (Individual)
Perceived severity of penalty / Significant (in opposite direction)
Higgins et al. (2005) / Perceived certainty of detection / Significant / Constructs treated as separate / (-) Software piracy intention. Participants given one software piracy scenario. / Analysis of the responses to the single scenario / 382 U.S. undergraduate students (Individual)
Perceived severity of fine / Not significant
Social disapproval / Significant
Self disapproval / Significant
Hollinger (1993) / Perceived certainty of getting caught / Significant (for software piracy but not unauthorized access) / Single construct / (-) Software piracy and unauthorized access. Participants reported their actual behavior / Individual analysis of each behavior / 1,672 U.S. undergraduate students (Individual)
Kankanhalli et al. (2003) / Deterrent efforts (proxy for certainty of formal sanctions) / Significant / Constructs treated as separate / (+) IS security effectiveness. Items measuring perception of IS security efforts / Single construct measured once / 63 IS security managers (Organizational)
Deterrent severity / Not significant
Lee et al. (2004) / Security policies / Significant / Constructs treated as separate (proxies for perceived formal sanctions) / (+) IS security intention. Items measuring projected access control and intrusion prevention software usage. / Single construct measured once / 162 Korean IS managers and MBA students (Individual)
Security awareness / Not significant
Security system / Not significant
Li et al. (2010) / Perceived detection probability / Significant / Constructs treated as separate / (+) Internet usage policy compliance intention. Items measuring projected policy compliance behavior. / Single construct measured once / 246 employees in various U.S. organizations (Individual)
Perceived formal sanction severity / Not significant
Informal sanctions (subjective norm) / Not significant
Pahnila et al. (2007) / Sanctions / Not significant / Single construct comprised of formal and informal sanctions / (+) IS security policy compliance intention. Items measuring projected IS security policy compliance behavior. / Single construct measured once / 240 employees in a Finnish company (Individual)
Siponen et al. (2007) / Sanctions / Significant / Single construct comprised of formal and informal sanctions / (+) IS security policy compliance. Items measuring actual IS security policy compliance behavior. / Single construct measured once / 917 employees in four Finnish companies (Individual)
Siponen and Vance (2010) / Perceived certainty and severity of formal sanctions / Not significant / Constructs treated as separate (certainty multiplied by severity for each construct) / (-) Intention to violate IS security policy. Participants given one of three scenarios: careless use of USB drive; failure to logoff; password sharing. / Analysis of the responses to the single scenario (which scenario added as a control) / 395 employees in three Finnish organizations (Individual)
Perceived certainty and severity of informal sanctions / Not significant
Perceived certainty and severity of shame / Not significant
Skinner and Fream (1997) / Perceived certainty of apprehension / Not significant / Constructs treated as separate / (-) Software piracy and two types of unauthorized access. Participants reported their actual behavior / Individual analysis of each behavior and combined index of the three / 545 U.S. undergraduate students (Individual)
Perceived severity of punishment / Significant (illegal access only)
Straub (1990) / Deterrent certainty / Significant / Constructs treated as separate / (-) Computer abuse. IS security managers reported actual computer abuse incidents / Single construct: number of incidents, amount of losses, seriousness of breach / 1,211 IS security personnel (mostly managers) in U.S. organizations (Organizational)
Deterrent severity / Significant
Zhang et al. (2006) / Perceived certainty of punishment / Significant / Constructs treated as separate / (-) Digital piracy. Participants reported their actual behavior (ranged from ‘never’ to ‘10 or more times’) / Single construct measured once / 207 U.S. undergraduate students
Perceived severity of punishment / Not significant

Table A3: Measurement of Deterrence Constructs in IS Deterrence Studies
Study / Deterrence Construct(s) / Measurement
D’Arcy et al. (2009) / Perceived certainty of formal sanctions / 1. Alex would probably be caught, eventually, after accessing the computer system: (strongly disagree/strongly agree)
2. The likelihood the organization would discover that Alex accessed the computer system is: (very low/very high)
Note: these items modified for each scenario; measured via 7-point scales
Perceived severity of formal sanctions / 1. If caught accessing the computer system, Alex would be severely reprimanded: (strongly disagree/strongly agree)
2. If caught accessing the computer system, Alex’s punishment would be: (not severe at all/very severe)
Note: these items modified for each scenario; measured via 7-point scales
D’Arcy and Hovav (2009) / Security policies / 1. My organization has specific guidelines that describe acceptable use of e-mail.
2. My organization has established rules of behavior for use of computer resources.
3. My organization has a formal policy that forbids employees from accessing computer systems that they are not authorized to use.
4. My organization has specific guidelines that govern what employees are allowed to do with their computers.
Note: measured via 7-point scales (‘strongly disagree’ to ‘strongly agree’)
SETA program / 1. My organization provides training to help employees improve their awareness of computer and information security issues.
2. In my organization, employees are briefed on the consequences of modifying computerized data in an unauthorized way.
3. My organization educates employees on their computer security responsibilities.
4. In my organization, employees are briefed on the consequences of accessing computer systems that they are not authorized to use.
Note: measured via 7-point scales (‘strongly disagree’ to ‘strongly agree’)
Computer monitoring / 1. I believe that my organization monitors any modification or altering of computerized data by employees.
2. I believe that employee computing activities are monitored by my organization.
3. I believe that my organization monitors computing activities to ensure that employees are performing only explicitly authorized tasks.
4. I believe that my organization reviews logs of employees’ computing activities on a regular basis.
5. I believe that my organization actively monitors the content of employees’ e-mail messages.
Note: measured via 7-point scales (‘strongly disagree’ to ‘strongly agree’)
Gopal and Sanders (1997) / Deterrence information / Experimental study in which certain participants received a one-page information sheet describing the certainty and severity of punishment for software piracy. Those who received the deterrence information were coded as 1, others were coded as 0.
Harrington (1996) / General and IS codes of ethics (proxies) / Participants’ managers were asked whether their company had a general code of ethics and/or an IS-specific code of ethics. These served as proxies for perceived certainty and severity of formal sanctions.
Herath and Rao (2009a, b) / Perceived certainty of detection / 1. Employee computer practices are properly monitored for policy violations. (strongly disagree/strongly agree)
2. If I violate organization security policies, I would probably be caught. (strongly disagree/strongly agree)
Note: measured via 7-point scales
Perceived severity of penalty / 1. The organization disciplines employees who break information security rules. (strongly disagree/strongly agree)
2. My organization terminates employees who repeatedly break security rules. (strongly disagree/strongly agree)
3. If I were caught violating organization information security policies, I would be severely reprimanded. (strongly disagree/strongly agree)
Note: measured via 7-point scales
Higgins et al. (2005) / Perceived certainty of detection / How likely you will get caught for the software piracy scenario behavior: (11-point scale: not being caught at all to 100% chance of being caught)
Perceived severity of fine / Severity of sentence if caught for the software piracy scenario behavior (11-point scale with the following categories: (a) no fine (b) $500 fine (c) $1000 fine (d) $10000 fine (e) no jail or fine (f) 1 month jail time (g) 3 month jail time (h) 6 month jail time (i) one year jail time (j) 3 year jail time (k) 5 year jail time)
Social disapproval / 1. How likely is it that your family would find out that you used a copy of the program in the circumstances described in the scenario? (not likely/likely)
2. How likely is it that your friends would find out that you used a copy of the program in the circumstances described in the scenario? (not likely/likely)
Note: measured via 11-point scales
Self disapproval / 1. How likely would you feel guilty if you were to use the copy of the program in the circumstances described in the scenario? (not likely/likely)
2. How likely would you feel shame if you were to use the copy of the program in the circumstances described in the scenario? (not likely/likely)
Note: measured via 11-point scales
Hollinger (1993) / Perceived certainty of getting caught / Chance of getting caught by officials (separate for software piracy and unauthorized access): (4-point scale with the following categories: (a) none (b) 10-20% (c) 30-50% (d) 60-100%)
Chance of getting caught by fellow students (separate for software piracy and unauthorized access): (4-point scale with the following categories: (a) none (b) 10-20% (c) 30-50% (d) 60-100%)
Kankanhalli et al. (2003) / Deterrent efforts (proxy for certainty of formal sanctions) / Total man-hours expended on IS security purposes per week
Deterrent severity / Most severe form of punishment meted out by the organization for IS security abuse: (5-point scale with the following categories: (a) no action taken (b) reprimand by management (c) suspension of duties (d) dismissal from appointment (e) prosecution in court)
Lee et al. (2004) / Security policies (proxy for perceived formal sanctions) / 1. Degree of knowledge of security policy
2. Severity of security policy
3. Helpfulness of security policy
Note: measured via 7-point scales
Security awareness (proxy for perceived formal sanctions) / 1. Frequency of awareness programs per year
2. Degree of security awareness
3. Helpfulness of security awareness
Note: measured via 7-point scales
Security system (proxy for perceived formal sanctions) / 1. Degree of security system effectiveness
2. Investment in security system
3. Sufficiency of budget for security system
Note: measured via 7-point scales
Li et al. (2010) / Perceived detection probability / If I used the Internet access provided by the organization for non-work-related purposes, …
1. The probability that I would be caught is (very low/very high)
2. I would probably be caught. (strongly agree/strongly disagree)
Note: measured via 5-point scales
Perceived formal sanction severity / If I were caught using the Internet access provided by the organization for non-work-related purposes, …
1. I think the punishment would be (very low/very high)
2. I would be severely punished by my organization. (strongly agree/strongly disagree)
Note: measured via 5-point scales
Informal sanction (subjective norms) / 1. If I used the Internet access provided by the organization for non-work-related purposes, most of the people who are important to me would (approve/disapprove)
2. Most people who are important to me would look down on me if I used the Internet access provided by the organization for non-work-related purposes. (very likely/very unlikely)