A Comprehensive Approach to Prevention and General Deterrence Theory (GDT)

Stephen Patton

CPSC 6126

Course ID: 909288692

Columbus State University

Abstract— Organizations continually take financial losses due to the human aspects of security. Better computer use practices can help mitigate these losses. Three approaches are outlined in this paper. The first approach uses punitive methods to deter an organization’s users from information systems misuse. The second approach discusses the benefits of training and the positive effect of using your entire workforce to manage the security of your organization. The final approach attempts to prevent users entirely from harming themselves and from harming the network. All three approaches are effective, but the final approach also accounts for users who cannot be deterred by punitive measures.

Keywords: organizations; users; security; best practices

I.  Introduction

The chosen article (D’Arcy et al. 2009) is about the fact that the misuse of information systems leads to real monetary damage. The solution proposed by the authors is a general deterrence approach. My chosen article was published this year, so the authors’ contribution is still relevant to the current information security environment. This relevance is due in part to the recent publication date, but it is also a result of the article’s behavioral focus, which has a much longer history in the scholarship than many other information security topics.

According to the authors, information systems misuse leads to massive financial damage to the worldwide community. The authors assign a dollar amount in the tens if not hundreds of billions of dollars, though they also acknowledge that it is difficult to get accurate projections of these losses. This is because businesses, institutions, and organizations do not want to disclose security breaches for fear that doing so will negatively impact their mission or bottom line. In Stamp’s book, he discusses this very issue in section 11.4.3. In that section, he cites an example in which a disgruntled employee was let go from the organization. The ex-employee proceeded to misuse the information system to delete thousands of records from the company’s computer. Afterwards, “out of fear of embarrassment, the company was reluctant to pursue a legal case against Burleson, despite his malicious actions.”

In the next section, I will examine the authors’ problem statement and proposed solution, including an introduction of the concepts and terms needed to understand general deterrence theory. In the related works section, I will examine a work that emphasizes security education, training, and awareness (SETA). In the final section, I will offer my own proposed solution of using preventative measures instead of punitive measures as a suggestion for further work, along with a conclusion that discusses the limitations of the proposal.

II.  Problem statement and proposed solution

My chosen article’s proposed solution to mitigate losses and to enhance information security is based on general deterrence theory (GDT). The authors’ hypothesis is that GDT mechanisms, which here consist of perceived certainty (PC) and perceived severity (PS), will impact users’ information systems misuse behaviors. The authors attempt to manipulate these two variables through the use of security policies, security education, training, and awareness (SETA), and computer monitoring. They group these under the single term “user awareness of security countermeasures.” The researchers are interested in how these countermeasures affect users’ intentions to improperly use information systems. The authors are very vague about which misuses of information systems this could apply to, although in Appendix A they outline the misuse survey questions asked of the participants.

After reading this article, I feel that this could apply to more than just security breaches and email misuse. For example, most workers know that they are not allowed to steal paper clips and pens from their office, but they do not realize that watching YouTube all day in their office not only robs their organization of man-hours, but can also seriously impact available bandwidth. Another example would be a user who decides to install a “free” poker game on their computer. This free poker game also happens to be spyware. Eventually, an IT professional is called to help speed up a “laggy” computer. The irony is that the user will most likely blame the professional for the slowness of his or her computer. They will thus never realize their serious infraction of policy, their waste of IT man-hour resources, and the possibility of a severe information breach via their free poker application.

D’Arcy et al.’s literature review for this article outlines the background knowledge the reader will need to understand the research that was conducted. This includes such concepts as the “security action cycle.” This concept is made up of four stages: deterrence, prevention, detection, and recovery. It should be noted that my chosen paper focuses on the deterrence stage of the security action cycle. The authors took their ideas of security countermeasures, which include security policies, SETA, and computer monitoring, from the publications by Dhillon (1999), Parker (1998), and Straub and Welke (1998), cited in full in their article. D’Arcy et al. summed up concepts from these three studies and called them “security countermeasures.” Other cited works compare security policies to societal laws and explain that security policies and SETA are effective because they inform users of “what constitutes unacceptable conduct.” Other cited research states that computer monitoring is effective due to “perceived chances of detection and punishment.” The study in my chosen paper excludes preventative mechanisms such as access controls. The authors go on to state that deterrent-based research has been inconclusive to date. They cite several studies and surveys with conflicting results for the effectiveness of deterrence. The authors state that they are “focusing on the impact of user awareness,” that the previous research in this area was not as focused, and that concentrating their research on this one specific issue may shed light on the inconsistent results of the previous bodies of work on deterrence. They mention that SETA programs lack published research showing proven results. Even with this lack of demonstrable research, the industry has widely accepted SETA programs as being effective. They continue in their review by citing the statistic that “76% of organizations monitor their employees’ email and website usage.” They mention that there have been studies published on workplace attitudes and satisfaction within the workplace, but they do not outline what those studies say. I would propose that this is the point at which the authors start slanting the reader toward the view that monitoring employees is an effective strategy. The fact that they mention workplace satisfaction and workplace attitudes but do not discuss the impact of monitoring on those critical attributes, I believe, clearly shows the article’s bias. My feeling is that those attributes would be severely and adversely impacted by the use of monitoring. The literature review goes on to mention that there is a breadth of empirical research on monitoring. They conclude the literature review by stating that the difference between their research and the previous research is that they are focusing on “measuring GDT’s two main constructs, perceived certainty and perceived severity of sanctions.” And as was previously stated, their focus was on an individual’s intentions.

Next, my chosen paper outlines what the authors label an “extended GDT model.” Here they combine the normal GDT model, which includes the mechanisms of perceived certainty and perceived severity of punishment, with their security countermeasures, which include security policies, SETA, and computer monitoring. I will now outline each aspect of their extended GDT model as it is presented.

The first aspect that is outlined is IS misuse intention. IS misuse intention is a user’s intent to abuse an organization’s resources with either ignorance or full knowledge of the organization’s security policies. The authors state that this description covers a myriad of behaviors, and they outline some examples in the article. Here, I will give an example of my own. A user’s company has made the security decision not to implement a wireless network due to the sensitivity of the data that traverses the organization’s network. An example of IS misuse intention is a user who intends to install a rogue wireless access point in their office so that they can easily use their personal home laptop, even though the user may be ignorant of the policy or even of the ramifications of their misuse of the organization’s resources. See the figure below for a visualization of this model.

Figure 1.

The authors’ argument continues with the assertion that by increasing the GDT model’s constructs of perceived certainty and perceived severity, one can lower the rate of IS misuse intentions. Certainty of sanctions is defined as “the probability of being punished.” An example of this would be that if a user sends SPAM email, he will most likely be caught. Severity of sanctions is defined as the intensity of the negative stimulus. For example, a user has been caught sending out SPAM and has been assessed a $1 million fine. Next, the authors cite criminological studies stating that the fear of sanctions has a deterrent effect on deviant behavior. What this means is that both the fear of getting caught and the severity of the sanction reduce criminal behavior. This is just another supporting argument for PC and PS. They also cite another criminological article that says that “PS is just as strong if not stronger than that of PC.” This is in total adherence with behavioral theory, which has shown that punishment needs to be immediate and intensely severe to be effective. That is in line with PS. PC on its own, without severe sanctions, is also addressed in behavioral theory. Behavioral theory says that continual use of punishment without severity will only habituate an organism to punishment, so that the punishment loses its effect. The authors state that their study will only attempt to demonstrate an inverse relationship of PC or PS to IS misuse intention. They caution that they are not trying to predict the deterrent capacity of PC or PS.

“A security policy defines rules and guidelines for the proper use of organizational IS resources.” The authors allude to the idea that security policies are similar to criminal law: if you want to make an effective change in society, making a law is not enough. You also have to ensure that the public is informed. They need to be informed about what constitutes a breach of the law, how the law will be enforced, and what types of sanctions will be assessed. The authors say that this comparison is apt because a security policy can often go on to be the basis of litigation. The authors hypothesize that perceived certainty and severity of sanctions increase users’ awareness of security policy.

A security education, training, and awareness (SETA) program is an educational program designed to increase security awareness among an organization’s users. This can include anything from email updates to webinars to classes. Many of these SETA programs use the security policy as the foundation for the training, which ensures the user’s awareness of the policy. But SETA programs are not limited to just security policies. They can cover anything from the information risks facing the organization, to descriptions of recent punitive actions against employees who violated the security policy, to an employee’s responsibilities in regard to information resources. A SETA program’s intent is to get across the point that an organization’s security policy is not just another document to be filed away and forgotten, and that the organization takes its policy seriously. The authors hypothesize that SETA programs increase a user’s sense of the certainty and severity of sanctions.

Computer monitoring ranges from tracking your Internet surfing habits, reading your email, and going through your file systems, to recording any data for future sanctions. Not surprisingly, this leads to an increase in the perceived certainty of sanctions. The authors also say that there is evidence of an increase in the perceived severity of sanctions. I would imagine, personally, that if my employer were willing to use these methods, the sanctions would be quite severe, since they obviously have no respect for their employees. They cite studies finding that an increase in IRS audits positively affects tax plans. “Users can interpret the devotion of resources to monitoring as a warning of severe punishment for violation.” Other variables that have an effect on PS and PC are age, gender, and morality.

Now we will discuss the research study that was conducted in my chosen paper. For the sake of brevity I will not go into the full depth of the study, but will only highlight the major points. The researchers ran some pilot sample surveys. The final sample size of the actual survey was 805 employed professionals, of which 259 responses were usable. They separated these respondents into groups of public and private businesses and further separated those businesses into the industries of manufacturing, service, and other. They found no significant differences among these groups. The table below shows a summary of the hypotheses that were tested.