Between 50-75% of computer security incidents originate from within an organization

Author: Carol Newswriting

Hundreds of billions of dollars annually. That’s the low estimate of worldwide economic damage caused by compromises in information security. Many organizations, citing negative publicity and damaged stock price, are reluctant to disclose any figures at all.

Management Professor John P. D’Arcy has looked into what can be done to deter employee misuse of technology through such practices as sending inappropriate e-mail, downloading pirated software or gaining unauthorized access to confidential data.

In a forthcoming paper in Information Systems Research, D’Arcy and colleagues suggest three deterrents: user awareness of security policies; security education, training and awareness programs; and computer monitoring.

Interestingly, they found that perceived severity of sanctions is more effective than certainty of sanctions. Adding to the mix is evidence that the impact of sanction perceptions varies based on one’s moral sense, perhaps because no matter what the penalty, those with a higher sense of morality find it unpleasant even to be accused of a socially undesirable act. Those with lower moral commitment are more concerned about the penalty they would receive.

The study also suggests that user awareness of acceptable usage guidelines and computer monitoring has some deterrent effect and is achieved indirectly through the perceived certainty and/or severity of sanctions.

To learn more about the research of John D’Arcy, Assistant Professor of Management, visit