Going beyond deterrence: A middle-range theory of motives and controls for insider computer abuse

dc.contributor.authorBurns, A. J.en
dc.contributor.authorRoberts, Tom L.en
dc.contributor.authorPosey, Clayen
dc.contributor.authorLowry, Paul Benjaminen
dc.contributor.authorFuller, Bryanen
dc.description.abstractDespite widespread agreement among practitioners and academicians that organizational insiders are a significant threat to organizational information systems security, insider computer abuse (ICA)—unauthorized and deliberate misuse of organizational information resources by organizational insiders—remains a serious issue. Recent studies have shown that most employees are willing to share confidential or regulated information under certain circumstances and nearly a third to half of major security breaches are tied to insiders. These trends indicate that organizational security efforts, which generally focus on deterrence and sanctions, have yet to effectively address ICA. Therefore, leading security researchers and practitioners have called for a more nuanced understanding of insiders in respect to deterrence efforts. We answer these calls by proposing a middle-range theory of ICA that focuses on understanding the inherent tensions between insider motivations and organizational controls. Our careful review distinguishes two categories of personal motives for ICA: (1) instrumental (i.e., financial benefits) (2) and expressive (i.e., psychological contract violations) motives. Our novel theory of ICA also includes the influence of two classes of controls for ICA: (1) intrinsic (i.e., self-control) and (2) extrinsic (i.e., organizational deterrence) controls. We developed and empirically examined a research model based on our middle-range theory that explains a substantial portion of the variance in ICA (R2 = 0.462). Specifically, our results indicate that both instrumental and expressive motives were positively related to ICA. Moreover, intrinsic self-control exerted significant direct and moderating influences in our research model, whereas extrinsic organizational deterrence failed to exhibit a direct effect on ICA and significantly moderated instrumental motives’ relationship with ICA only. Not only do our results show that self-control exerted a stronger effect on the model than deterrence did (f2self-control = 0.195; f2org.det. = 0.048) but they also help us identify the limits of deterrence in ICA research.en
dc.description.versionAccepted versionen
dc.identifier.orcidLowry, Paul [0000-0002-0187-5808]en
dc.publisherInstitute for Operations Research and Management Sciencesen
dc.rightsIn Copyrighten
dc.subject0806 Information Systemsen
dc.subject1503 Business and Managementen
dc.subject1505 Marketingen
dc.subjectInformation Systemsen
dc.titleGoing beyond deterrence: A middle-range theory of motives and controls for insider computer abuseen
dc.title.serialInformation Systems Researchen
dc.typeArticle - Refereeden
pubs.organisational-group/Virginia Techen
pubs.organisational-group/Virginia Tech/Pamplin College of Businessen
pubs.organisational-group/Virginia Tech/Pamplin College of Business/Business Information Technologyen
pubs.organisational-group/Virginia Tech/All T&R Facultyen
pubs.organisational-group/Virginia Tech/Pamplin College of Business/PCOB T&R Facultyen


Original bundle
Now showing 1 - 1 of 1
Thumbnail Image
2022-March ISR theory of ICA motives POST-PROOFS + appendices.pdf
1.4 MB
Adobe Portable Document Format
Accepted version