{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T20:49:52Z","timestamp":1759092592417,"version":"3.41.2"},"reference-count":66,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2017,10,9]],"date-time":"2017-10-09T00:00:00Z","timestamp":1507507200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,10,9]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title><jats:p>The paper aims to examine the inconclusive impacts of sanction-related deterrence on employee information security policy (ISP) compliance from the extant literature. It proposes that the disparate findings can be partially explained by two factors: investigating the mediating impact of attitudes on sanction effects instead of directly on behavioral intentions and examining employees with and without previous punishment experiences separately.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title><jats:p>The paper relied upon survey data from 239 employees of a large governmental organization with a robust ISP and security education and training awareness program.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Findings<\/jats:title><jats:p>The paper provides empirical evidence that the rational estimation of sanction effects impacts the cognitive component of attitudes to develop a positive or negative attitude toward performing the ISP directed behavior. Furthermore, this attitudinal effect (created by sanction threats) will be biased depending on whether the employee has experienced, personally or vicariously, any previous punishment for violating the ISP.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title><jats:p>Because of the chosen research approach (self-reported survey data) and context (single hierarchical organization and a very specific security threat), the research results may lack generalizability. Therefore, researchers are encouraged to test the proposed propositions further in different organizational and threat contexts.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title><jats:p>Organizations should have a thorough understanding of how their employees\u2019 perceive sanctions in relationship to their prior experiences before implementing such policies.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title><jats:p>The paper addresses previous research calls for examining possible mediation variables for deterrence effects and impacts of punishment experiences on employee ISP compliance.<\/jats:p><\/jats:sec>","DOI":"10.1108\/ics-11-2016-0089","type":"journal-article","created":{"date-parts":[[2017,8,21]],"date-time":"2017-08-21T19:14:54Z","timestamp":1503342894000},"page":"421-436","source":"Crossref","is-referenced-by-count":29,"title":["Deterrence and punishment experience impacts on ISP compliance attitudes"],"prefix":"10.1108","volume":"25","author":[{"given":"Salvatore","family":"Aurigemma","sequence":"first","affiliation":[]},{"given":"Thomas","family":"Mattson","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"volume-title":"From Intentions to Actions: A Theory of Planned Behavior","year":"1985","key":"key2020120612191484300_ref001"},{"issue":"2","key":"key2020120612191484300_ref002","doi-asserted-by":"crossref","first-page":"179","DOI":"10.1016\/0749-5978(91)90020-T","article-title":"The theory of planned behavior","volume":"50","year":"1991","journal-title":"Organizational Behavior and Human Decision Processes"},{"issue":"1","key":"key2020120612191484300_ref003","doi-asserted-by":"crossref","first-page":"27","DOI":"10.1146\/annurev.psych.52.1.27","article-title":"Nature and operation of attitudes","volume":"52","year":"2001","journal-title":"Annual Review of Psychology"},{"issue":"3","key":"key2020120612191484300_ref004","first-page":"20","article-title":"A composite framework for behavioral compliance with information security policies","volume":"25","year":"2013","journal-title":"Journal of Organizational and End User Computing"},{"key":"key2020120612191484300_ref005","doi-asserted-by":"crossref","first-page":"145","DOI":"10.1016\/j.cose.2013.05.006","article-title":"Don\u2019t make excuses! Discouraging neutralization to reduce IT policy violation","volume":"39","year":"2013","journal-title":"Computers & Security"},{"key":"key2020120612191484300_ref006","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"issue":"1","key":"key2020120612191484300_ref007","doi-asserted-by":"crossref","first-page":"55","DOI":"10.1207\/S15327574IJT0101_4","article-title":"Structural equation modeling with AMOS, EQS, and LISREL: comparative approaches to testing for the factorial validity of a measuring instrument","volume":"1","year":"2001","journal-title":"International Journal of Testing"},{"issue":"3","key":"key2020120612191484300_ref008","doi-asserted-by":"crossref","first-page":"11","DOI":"10.1080\/08874417.2015.11645767","article-title":"Impacts of comprehensive information security programs on information security culture","volume":"55","year":"2015","journal-title":"Journal of Computer Information Systems"},{"key":"key2020120612191484300_ref009","doi-asserted-by":"crossref","first-page":"447","DOI":"10.1016\/j.cose.2013.09.009","article-title":"Understanding the violation of IS security policy in organizations: an integrated model based on social control and deterrence theory","volume":"39","year":"2013","journal-title":"Computers & Security"},{"issue":"1","key":"key2020120612191484300_ref010","article-title":"Commentary: issues and opinion on structural equation modeling","volume":"22","year":"1998","journal-title":"JSTOR"},{"volume-title":"Insider Threats and the Need for Fast and Directed Response","year":"2015","key":"key2020120612191484300_ref011"},{"key":"key2020120612191484300_ref012","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1016\/j.cose.2012.09.010","article-title":"Future directions for behavioral information security research","volume":"32","year":"2013","journal-title":"Computers & Security"},{"key":"key2020120612191484300_ref013","doi-asserted-by":"crossref","first-page":"643","DOI":"10.1057\/ejis.2011.23","article-title":"A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings","volume":"20","year":"2011","journal-title":"European Journal of Information Systems"},{"key":"key2020120612191484300_ref014","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1287\/isre.1070.0160","article-title":"User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach","volume":"20","year":"2009","journal-title":"Information Systems Research"},{"volume-title":"Internet, Phone, Mail, and Mixed-Mode Surveys: The Tailored Design Method","year":"2014","key":"key2020120612191484300_ref015"},{"key":"key2020120612191484300_ref016","article-title":"The centrality of awareness in the formation of user behavioral intention toward protective information technologies","volume":"8","year":"2007","journal-title":"Journal of the Association for Information Systems"},{"volume-title":"Information Security Policy \u2013 a Development Guide for Large and Small Companies","year":"2006","key":"key2020120612191484300_ref017"},{"key":"key2020120612191484300_ref018","first-page":"3","article-title":"An update and extension to SEM guidelines for admnistrative and social science research","volume":"35","year":"2011","journal-title":"MIS Quarterly"},{"key":"key2020120612191484300_ref019","article-title":"Structural equation modeling and regression: guidelines for research practice","volume":"4","year":"2000","journal-title":"Communications of the Association for Information Systems"},{"volume-title":"Crime, Punishment, and Deterrence","year":"1975","key":"key2020120612191484300_ref020"},{"issue":"6","key":"key2020120612191484300_ref021","doi-asserted-by":"crossref","first-page":"320","DOI":"10.1016\/j.im.2012.08.001","article-title":"The effects of multilevel sanctions on information security violations: a mediating model","volume":"49","year":"2012","journal-title":"Information & Management"},{"issue":"2","key":"key2020120612191484300_ref022","doi-asserted-by":"crossref","first-page":"203","DOI":"10.2753\/MIS0742-1222280208","article-title":"Understanding nonmalicious security violations in the workplace: a composite behavior model","volume":"28","year":"2011","journal-title":"Journal of Management Information Systems"},{"issue":"12","key":"key2020120612191484300_ref023","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1016\/S1361-3723(12)70122-7","article-title":"Routes to security compliance: be good or be shamed?","volume":"2012","year":"2012","journal-title":"Computer Fraud & Security"},{"key":"key2020120612191484300_ref024","first-page":"177","article-title":"Factor analysis: exploratory and confirmatory approaches","year":"1998","journal-title":"Modern Methods for Business Research"},{"issue":"2","key":"key2020120612191484300_ref025","doi-asserted-by":"crossref","first-page":"106","DOI":"10.1057\/ejis.2009.6","article-title":"Protection motivation and deterrence: a framework for security policy compliance in organisations","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"issue":"2","key":"key2020120612191484300_ref026","doi-asserted-by":"crossref","first-page":"99","DOI":"10.1016\/j.im.2011.12.005","article-title":"Applying an extended model of deterrence across cultures: an investigation of information systems misuse in the US and South Korea","volume":"49","year":"2012","journal-title":"Information & Management"},{"issue":"1","key":"key2020120612191484300_ref027","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1080\/10705519909540118","article-title":"Cutoff criteria for fit indexes in covariance structure analysis: conventional criteria versus new alternatives","volume":"6","year":"1999","journal-title":"Structural Equation Modeling: A Multidisciplinary Journal"},{"issue":"6","key":"key2020120612191484300_ref028","doi-asserted-by":"crossref","first-page":"54","DOI":"10.1145\/1953122.1953142","article-title":"Does deterrence work in reducing information security policy abuse by employees?","volume":"54","year":"2011","journal-title":"Communications of the ACM"},{"issue":"2","key":"key2020120612191484300_ref029","article-title":"Information technology adoption across time: a cross-sectional comparison of pre-adoption and post-adoption beliefs","volume":"23","year":"1999","journal-title":"MIS Quarterly"},{"volume-title":"Principles and Practice of Structural Equation Modeling","year":"2011","key":"key2020120612191484300_ref030"},{"issue":"5","key":"key2020120612191484300_ref031","doi-asserted-by":"crossref","first-page":"597","DOI":"10.1016\/j.im.2003.08.001","article-title":"Why there aren\u2019t more information security research studies","volume":"41","year":"2004","journal-title":"Information & Management"},{"key":"key2020120612191484300_ref032","doi-asserted-by":"crossref","first-page":"113","DOI":"10.1016\/j.jisa.2014.09.005","article-title":"Advanced social engineering attacks","volume":"22","year":"2015","journal-title":"Journal of Information Security and Applications"},{"issue":"3","key":"key2020120612191484300_ref033","doi-asserted-by":"crossref","first-page":"221","DOI":"10.1287\/isre.14.3.221.16560","article-title":"Generalizing generalizability in information systems research","volume":"14","year":"2003","journal-title":"Information Systems Research"},{"key":"key2020120612191484300_ref034","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1080\/08874417.2009.11645384","article-title":"Workplace management and employee misuse: does punishment matter?","volume":"50","year":"2009","journal-title":"Journal of Computer Information Systems"},{"article-title":"Defending a new domain","volume-title":"Foreign Affairs","year":"2010","key":"key2020120612191484300_ref035"},{"issue":"3","key":"key2020120612191484300_ref036","doi-asserted-by":"crossref","first-page":"320","DOI":"10.1207\/s15328007sem1103_2","article-title":"In search of golden rules: comment on hypothesis-testing approaches to setting cutoff values for fit indexes and dangers in overgeneralizing Hu and Bentler\u2019s (1999) findings","volume":"11","year":"2004","journal-title":"Structural Equation Modeling"},{"volume-title":"The Art of Deception: Controlling the Human Element of Security","year":"2011","key":"key2020120612191484300_ref037"},{"issue":"3","key":"key2020120612191484300_ref038","doi-asserted-by":"crossref","first-page":"261","DOI":"10.1080\/08874417.2016.1153922","article-title":"The roles of awareness, sanctions, and ethics in software compliance","volume":"56","year":"2016","journal-title":"Journal of Computer Information Systems"},{"issue":"4","key":"key2020120612191484300_ref039","doi-asserted-by":"crossref","first-page":"865","DOI":"10.1111\/j.1745-9125.2001.tb00943.x","article-title":"Integrating celerity, impulsivity, and extralegal sanction threats into a model of general deterrence: theory and evidence","volume":"39","year":"2001","journal-title":"Criminology"},{"key":"key2020120612191484300_ref040","first-page":"156b","article-title":"Employees\u2019 behavior towards IS security policy compliance","volume-title":"40th Annual Hawaii International Conference on System Sciences, HICSS","year":"2007"},{"issue":"3","key":"key2020120612191484300_ref041","doi-asserted-by":"crossref","first-page":"251","DOI":"10.1177\/0022427895032003001","article-title":"Reconceptualizing deterrence: an empirical test of personal and vicarious experiences","volume":"32","year":"1995","journal-title":"Journal of Research in Crime and Delinquency"},{"article-title":"Vic Police issue warning over USB drive letterbox drops","volume-title":"ComputerWorld","year":"2016","key":"key2020120612191484300_ref042"},{"issue":"2","key":"key2020120612191484300_ref043","doi-asserted-by":"crossref","first-page":"153","DOI":"10.1177\/002242780203900202","article-title":"Beyond Stafford and Warr\u2019s reconceptualization of deterrence: personal and vicarious experiences, impulsivity, and offending behavior","volume":"39","year":"2002","journal-title":"Journal of Research in Crime and Delinquency"},{"issue":"5","key":"key2020120612191484300_ref044","doi-asserted-by":"crossref","first-page":"879","DOI":"10.1037\/0021-9010.88.5.879","article-title":"Common method biases in behavioral research: a critical review of the literature and recommended remedies","volume":"88","year":"2003","journal-title":"Journal of Applied Psychology"},{"volume-title":"A First Course in Structural Equation Modeling","year":"2006","key":"key2020120612191484300_ref045"},{"key":"key2020120612191484300_ref046","doi-asserted-by":"crossref","first-page":"442","DOI":"10.1016\/j.chb.2015.12.037","article-title":"An information security knowledge sharing model in organizations","volume":"57","year":"2016","journal-title":"Computers in Human Behavior"},{"key":"key2020120612191484300_ref047","doi-asserted-by":"crossref","first-page":"70","DOI":"10.1016\/j.cose.2015.10.006","article-title":"Information security policy compliance model in organizations","volume":"56","year":"2016","journal-title":"Computers & Security"},{"key":"key2020120612191484300_ref048","first-page":"41","article-title":"Impact of negative message framing on security adoption","volume":"51","year":"2010","journal-title":"Journal of Computer Information Systems"},{"volume-title":"Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources","year":"2013","key":"key2020120612191484300_ref049"},{"issue":"1","key":"key2020120612191484300_ref050","doi-asserted-by":"crossref","first-page":"99","DOI":"10.2307\/1884852","article-title":"A behavioral model of rational choice","volume":"69","year":"1955","journal-title":"The Quarterly Journal of Economics"},{"key":"key2020120612191484300_ref051","article-title":"Nuetralization: new insights into the problem of employee information systems security policy violations","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"volume-title":"Elementary Information Security","year":"2015","key":"key2020120612191484300_ref052"},{"issue":"2","key":"key2020120612191484300_ref053","doi-asserted-by":"crossref","first-page":"123","DOI":"10.1177\/0022427893030002001","article-title":"A reconceptualization of general and specific deterrence","volume":"30","year":"1993","journal-title":"Journal of Research in Crime and Delinquency"},{"issue":"3","key":"key2020120612191484300_ref054","doi-asserted-by":"crossref","first-page":"255","DOI":"10.1287\/isre.1.3.255","article-title":"Effective IS security: an empirical study","volume":"1","year":"1990","journal-title":"Information Systems Research"},{"key":"key2020120612191484300_ref055","doi-asserted-by":"crossref","first-page":"159","DOI":"10.1016\/j.chb.2014.05.027","article-title":"Rationality-based beliefs affecting individual\u2019s attitude and intention to use privacy controls on Facebook: an empirical investigation","volume":"38","year":"2014","journal-title":"Computers in Human Behavior"},{"issue":"2","key":"key2020120612191484300_ref056","doi-asserted-by":"crossref","first-page":"144","DOI":"10.1287\/isre.6.2.144","article-title":"Understanding information technology usage: a test of competing models","volume":"6","year":"1995","journal-title":"Information Systems Research"},{"issue":"6","key":"key2020120612191484300_ref057","doi-asserted-by":"crossref","first-page":"472","DOI":"10.1016\/j.cose.2005.05.002","article-title":"The insider threat to information systems and the effectiveness of ISO17799","volume":"24","year":"2005","journal-title":"Computers & Security"},{"year":"2016","key":"key2020120612191484300_ref058","article-title":"Users really do plug in USB drives they find"},{"key":"key2020120612191484300_ref059","doi-asserted-by":"crossref","first-page":"729","DOI":"10.2307\/41703478","article-title":"Generalization and induction: misconceptions, clarifications, and a classification of induction","volume":"36","year":"2012","journal-title":"MIS Quarterly"},{"volume-title":"Criminal Deterrence and Sentence Severity: An Analysis of Recent Research","year":"1999","key":"key2020120612191484300_ref060"},{"issue":"2","key":"key2020120612191484300_ref061","doi-asserted-by":"crossref","first-page":"107","DOI":"10.1057\/sj.2012.1","article-title":"Enemies within: redefining the insider threat in organizational security policy","volume":"26","year":"2013","journal-title":"Security Journal"},{"key":"key2020120612191484300_ref062","first-page":"39","article-title":"Organizational violations of externally governed privacy and security rules: explaining and predicting selective violations under conditions of strain and excess","volume":"17","year":"2015","journal-title":"Journal of the Association for Information Systems"},{"journal-title":"PCWorld, IDG News Service","article-title":"Lost thumb drives bedevil US banking agency","year":"2016","key":"key2020120612191484300_ref063"},{"key":"key2020120612191484300_ref064","article-title":"Beyond deterrence: an expanded view of employee computer abuse","volume":"37","year":"2013","journal-title":"MIS Quarterly"},{"issue":"6","key":"key2020120612191484300_ref065","doi-asserted-by":"crossref","first-page":"2799","DOI":"10.1016\/j.chb.2008.04.005","article-title":"Security lapses and the omission of information security measures: a threat control model and empirical test","volume":"24","year":"2008","journal-title":"Computers in Human Behavior"},{"issue":"4","key":"key2020120612191484300_ref066","doi-asserted-by":"crossref","first-page":"330","DOI":"10.1108\/09685220910993980","article-title":"Impact of perceived technical protection on security behaviors","volume":"17","year":"2009","journal-title":"Information Management & Computer Security"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-11-2016-0089\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-11-2016-0089\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:18Z","timestamp":1753406598000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/4\/421-436\/201092"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,10,9]]},"references-count":66,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2017,10,9]]}},"alternative-id":["10.1108\/ICS-11-2016-0089"],"URL":"https:\/\/doi.org\/10.1108\/ics-11-2016-0089","relation":{},"ISSN":["2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2017,10,9]]}}}