Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement

Published Online: https://doi.org/10.1287/mnsc.2021.4027

References

  • August T, Tunca TI (2008) Let the pirates patch? An economic analysis of software security patch restrictions. Inform. Systems Res. 19(1):48–70.
  • Barlow JB, Warkentin M, Ormond D, Dennis AR (2013) Don’t make excuses! Discouraging neutralization to reduce IT policy violation. Comput. Security 39(B):145–159.
  • Beautement A, Sasse A (2009) The economics of user effort in information security. Comput. Fraud Security 10:8–12.
  • Bicchieri C, Chavez A (2010) Behaving as expected: Public information and fairness norms. J. Behav. Decision Making 23:161–178.
  • Blythe J, Koppel R, Smith SW (2013) Circumvention of security: Good users do bad things. IEEE Security Privacy 11(5):80–83.
  • Boss SR, Galletta DF, Lowry PB, Moody GD, Polak P (2015) What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quart. 4(39):837–864.
  • Bulgurcu B, Cavusoglu H, Benbasat I (2010) Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quart. 34(3):487–502.
  • Cavusoglu H, Mishra B, Raghunathan S (2005) The value of intrusion detection systems in information technology security architecture. Inform. Systems Res. 16(1):28–46.
  • Cavusoglu H, Raghunathan S, Yue WT (2008) Decision-theoretic and game-theoretic approaches to IT security investment. J. Management Inform. Systems 25(2):281–304.
  • Cram WA, D’Arcy J, Proudfoot JG (2019) Seeing the forest and the trees: A meta-analysis of the antecedents to information security policy compliance. MIS Quart. 43(2):525–554.
  • Danilov A, Sliwka D (2017) Can contracts signal social norms? Experimental evidence. Management Sci. 63(2):459–476.
  • D’Arcy J, Hovav A, Galletta D (2009) User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Inform. Systems Res. 20(1):79–98.
  • Davis J (2016) IBM: Employees, not outsiders, are responsible for majority of cyber threats. Accessed May 2, 2020, https://www.healthcareitnews.com/news/ibm-employees-not-outsiders-are-responsible-majority-cyber-threats.
  • Dey D, Ghoshal A, Lahiri A (2018) Security circumvention: To educate or to enforce? Proc. 51st Hawaii Internat. Conf. System Sci., 5195–5204.
  • Dey D, Lahiri A, Zhang G (2012) Hacker behavior, network effects, and the security software market. J. Management Inform. Systems 2(2):77–108.
  • Dey D, Lahiri A, Zhang G (2014) Quality competition and market segmentation in the security software market. MIS Quart. 38(2):589–606.
  • DiMaggio PJ, Powell WW (1983) The iron cage revisited: Individual isomorphism and collective rationality in organizational fields. Amer. Sociol. Rev. 48(2):147–160.
  • Epley N, Kumar A (2019) How to design an ethical organization. Harvard Bus. Rev. 97(3):144–150.
  • Esteves J, Ramalho E, de Haro G (2017) To improve cybersecurity, think like a hacker. Sloan Management Rev. 58(3):71–77.
  • Feighery E, Altman DG, Shaffer G (1991) The effects of combining education and enforcement to reduce tobacco sales to minors. JAMA 266(22):3168–3171.
  • Festré A (2010) Incentives and social norms: A motivation-based economic analysis of social norms. J. Econom. Survey 24(3):511–538.
  • Ghoshal A, Lahiri A, Dey D (2017) Drawing a line in the sand: Commitment problem in ending software support. MIS Quart. 41(4):1227–1247.
  • Green DE (1989) Measures of illegal behavior in individual-level deterrence research. J. Res. Crime Delinquency 26(3):253–275.
  • Hagen JM, Albrechtsen E, Hovden J (2008) Implementation and effectiveness of organizational information security measures. Inform. Management Comput. Security 16(4):377–397.
  • Heckle RR (2011) Security dilemma: Healthcare clinicians at work. IEEE Security Privacy 9(6):14–19.
  • Herath T, Rao HR (2009) Protection motivation and deterrence: A framework for security policy compliance in organisations. Eur. J. Inform. Systems 18(2):106–125.
  • Herath T, Yim M-S, D’Arcy J, Nam K, Rao HR (2018) Examining employee security violations: Moral disengagement and its environmental influences. Inform. Tech. People 31(6):1135–1162.
  • Holmstrom B (1979) Moral hazard and observability. Bell J. Econom. 10(1):74–91.
  • Hsu JS-C, Shih S-P, Hung YW, Lowry PB (2015) The role of extra-role behaviors and social controls in information security policy effectiveness. Inform. Systems Res. 26(2):282–300.
  • Hu Q, Dinev T, Hart P, Cooke D (2012) Managing employee compliance with information security policies: The critical role of top management and organizational culture. Decision Sci. 43(4):615–660.
  • Kankanhalli A, Teo H-H, Tan BCY, Wei K-K (2003) An integrative study of information systems security effectiveness. Internat. J. Inform. Management 23(2):139–154.
  • Kannan K, Rahman MS, Tawarmalani M (2016) Economic and policy implications of restricted patch distribution. Management Sci. 62(11):3161–3182.
  • Karjalainen M, Siponen M, Sarker S (2020) Toward a stage theory of the development of employees’ information security behavior. Comput. Security 93:1–18.
  • Koppel R, Smith S, Blythe J, Kothari V (2015) Workarounds to computer access in healthcare organizations: You want my password or a dead patient? Stud. Health Tech. Informatics 208:215–2020.
  • Lahiri A, Dey D (2018) Versioning and information dissemination: A new perspective. Inform. Systems Res. 24(4):965–983.
  • Ma Q, Schmidt MB, Pearson JM (2009) An integrated framework for information security management. Rev. Bus. 30(1):58–69.
  • Milgrom P, Roberts J (1992) Economics, Organization & Management (Prentice Hall, Upper Saddle River, NJ).
  • Moody GD, Siponen M, Pahnila S (2018) Toward a unified model of information security policy compliance. MIS Quart. 42(1):285–311.
  • Morgan S (2019) Global cybersecurity spending predicted to exceed $1 trillion from 2017–2021. Accessed March 4, 2020, https://cybersecurityventures.com/cybersecurity-market-report/.
  • Png IPL, Wang Q-H (2009) Information security: Facilitating user precautions vis-à-vis enforcement against attackers. J. Management Inform. Systems 26(2):97–121.
  • Puhakainen P, Siponen M (2010) Improving employee’s compliance through information systems security training: An action research study. MIS Quart. 34(4):757–778.
  • Ransbotham S, Mitra S (2009) Choice and chance: A conceptual model of paths to information security compromise. Inform. Systems Res. 20(1):121–139.
  • Rasool A (2020) How free VPNs can be dangerous? Accessed January 6, 2020, https://digitalinformationworld.com/2020/03/the-dangers-of-using-free-vpns-infographic.html.
  • Schneier B (2007) The psychology of security. Comm. ACM 50(5):128.
  • Siponen M, Vance A (2010) Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quart. 34(3):487–502.
  • Siponen M, Mahmood MA, Pahnila S (2014) Employees’ adherence to information security policies: An exploratory field study. Inform. Management 51(2):217–224.
  • Soomro ZA, Shah MH, Ahmed J (2016) Information security management needs more holistic approach: A literature review. Internat. J. Inform. Management 36(2):215–225.
  • Straub DW Jr (1990) Effective IS security: An empirical study. Inform. Systems Res. 1(3):255–276.
  • Straub DW Jr, Nance WD (1990) Discovering and disciplining computer abuse in organizations: A field study. MIS Quart. 14(1):45–60.
  • Straub DW Jr, Welke RW (1998) Coping with systems risk: Security planning models for management decision making. MIS Quart. 22(4):441–469.
  • Upton DM, Creese S (2014) The danger from within. Harvard Bus. Rev. 92(9):94–101.
  • van den Berg PT, Wilderom CPM (2004) Defining, measuring, and comparing organisational cultures. Appl. Psych. 53(4):570–582.
  • Vance A, Lowry PB, Eggett D (2015) Increasing accountability through user-interface design artifacts: A new approach to addressing the problem of access-policy violations. MIS Quart. 39(2):345–366.
  • West R (2008) The psychology of security. Comm. ACM 51(4):34–41.
  • Workman M, Gathegi J (2007) Punishment and ethics deterrents: A study of insider security contravention. J. Amer. Soc. Inform. Sci. Tech. 58(2):212–222.