Deterrent effects of punishment and training on insider security threats: a field experiment on phishing attacks.

There is no doubt that organisational security threats are currently surging, internally and externally. In an effort to prevent internal threats – employee violations of information security policy (ISP) – security training programmes and sanction policies are implemented to a large extent in organisations. However, few studies have verified their practical effectiveness and the impact of individual characteristics within organisations. This study conducted a field experiment to examine the actual deterrent effect of those measures against phishing attacks. By fabricating fake phishing schemes through a simulation programme, the specific deterrent effect of punishment, the general deterrent effect of education, and employees' organisational position were tested on their ISP compliance behaviour. Findings confirmed that punishment effectively prevented the punished from falling for phishing again and that the trained group fell for phishing much less often than the untrained group. In addition, the higher one's organisational position, the more likely the person fell for phishing. Regardless of the treatment (i.e. training or punishment), this position effect stood out. The results of this study offer researchers and practitioners insightful information about effective deterrence measures and policies for organisational information security. [ABSTRACT FROM AUTHOR]

Copyright of Behaviour & Information Technology is the property of Taylor & Francis Ltd and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)