{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,13]],"date-time":"2026-01-13T23:18:10Z","timestamp":1768346290285,"version":"3.49.0"},"reference-count":82,"publisher":"IGI Global","issue":"1","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2012,1,1]]},"abstract":"<p>Employee violations of IS security policies are reported as a key concern for organizations. Although behavioral research on IS security has received increasing attention from IS scholars, little empirical research has examined this problem. To address this research gap, the authors test a model based on Rational Choice Theory (RCT)\u2014a prominent criminological theory not yet applied in IS\u2014which explains, in terms of a utilitarian calculation, an individual\u2019s decision to commit a violation. Empirical results show that the effects of informal sanctions, moral beliefs, and perceived benefits convincingly explain employee IS security policy violations, while the effect of formal sanctions is insignificant. Based on these findings, the authors discuss several implications for research and practice.<\/p>","DOI":"10.4018\/joeuc.2012010102","type":"journal-article","created":{"date-parts":[[2012,1,13]],"date-time":"2012-01-13T15:27:56Z","timestamp":1326468476000},"page":"21-41","source":"Crossref","is-referenced-by-count":90,"title":["IS Security Policy Violations"],"prefix":"10.4018","volume":"24","author":[{"given":"Anthony","family":"Vance","sequence":"first","affiliation":[{"name":"Brigham Young University, USA"}]},{"given":"Mikko T.","family":"Siponen","sequence":"additional","affiliation":[{"name":"University of Oulu, Finland"}]}],"member":"2432","reference":[{"key":"joeuc.2012010102-0","doi-asserted-by":"publisher","DOI":"10.1037\/0033-2909.127.1.142"},{"key":"joeuc.2012010102-1","unstructured":"Aytes, K., & Connolly, T. (2003, August 4\u20136). A research model for investigating human behavior related to computer security. In Proceedings of the 2003 American Conference on Information Systems, Tampa, FL."},{"key":"joeuc.2012010102-2","doi-asserted-by":"publisher","DOI":"10.4018\/joeuc.2004070102"},{"key":"joeuc.2012010102-3","doi-asserted-by":"publisher","DOI":"10.2307\/3053901"},{"key":"joeuc.2012010102-4","doi-asserted-by":"publisher","DOI":"10.2307\/249677"},{"key":"joeuc.2012010102-5","doi-asserted-by":"publisher","DOI":"10.1016\/0092-6566(91)90021-H"},{"key":"joeuc.2012010102-6","doi-asserted-by":"publisher","DOI":"10.1086\/259394"},{"key":"joeuc.2012010102-7","doi-asserted-by":"publisher","DOI":"10.1177\/1043463106063323"},{"key":"joeuc.2012010102-8","doi-asserted-by":"publisher","DOI":"10.2307\/3250956"},{"issue":"3","key":"joeuc.2012010102-9","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness.","volume":"34","author":"B.Bulgurcu","year":"2010","journal-title":"Management Information Systems Quarterly"},{"key":"joeuc.2012010102-10","author":"L.Cao","year":"2004","journal-title":"Major criminological theories: Concepts and measurement"},{"issue":"3","key":"joeuc.2012010102-11","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1080\/15536548.2005.10855772","article-title":"Perceptions of information security in the workplace: Linking information security climate to compliant behavior.","volume":"1","author":"M.Chan","year":"2005","journal-title":"Journal of Information Privacy and Security"},{"issue":"1","key":"joeuc.2012010102-12","first-page":"vii","article-title":"Issues and opinions on structural equation modeling.","volume":"22","author":"W.Chin","year":"1998","journal-title":"Management Information Systems Quarterly"},{"key":"joeuc.2012010102-13","doi-asserted-by":"publisher","DOI":"10.1287\/isre.14.2.189.16018"},{"key":"joeuc.2012010102-14","author":"J.Cohen","year":"1988","journal-title":"Statistical power analysis for the behavioral sciences"},{"key":"joeuc.2012010102-15","author":"T. D.Cook","year":"1979","journal-title":"Quasi experimentation: Design and analytical issues for field settings"},{"key":"joeuc.2012010102-16","first-page":"1","article-title":"Introduction","author":"D.Cornish","year":"1986","journal-title":"The reasoning criminal"},{"key":"joeuc.2012010102-17","author":"W.Crain","year":"2004","journal-title":"Theories of development: Concepts and applications"},{"key":"joeuc.2012010102-18","doi-asserted-by":"publisher","DOI":"10.1287\/isre.1070.0160"},{"key":"joeuc.2012010102-19","doi-asserted-by":"publisher","DOI":"10.1111\/j.1745-9125.2005.00032.x"},{"issue":"3","key":"joeuc.2012010102-20","first-page":"233","article-title":"Informal sanction threats and corporate crime: Additive versus multiplicative models.","volume":"20","author":"L. A.Elis","year":"1995","journal-title":"Journal of Research in Crime and Delinquency"},{"key":"joeuc.2012010102-21","year":"2008","journal-title":"Ernst & Young\u2019s 2008 global information security survey"},{"key":"joeuc.2012010102-22","doi-asserted-by":"publisher","DOI":"10.2307\/3151312"},{"issue":"5","key":"joeuc.2012010102-23","first-page":"91","article-title":"A practical guide to factorial validity using PLS-graph: Tutorial and annotated example.","volume":"16","author":"D.Gefen","year":"2005","journal-title":"Communications of the AIS"},{"issue":"7","key":"joeuc.2012010102-24","first-page":"1","article-title":"Structural equation modeling and regression: Guidelines for research practice.","volume":"4","author":"D.Gefen","year":"2000","journal-title":"Communications of the AIS"},{"issue":"2","key":"joeuc.2012010102-25","doi-asserted-by":"crossref","first-page":"471","DOI":"10.2307\/2578032","article-title":"The deterrent effect of perceived severity of punishment.","volume":"59","author":"H. G.Grasmick","year":"1980","journal-title":"Social Forces"},{"key":"joeuc.2012010102-26","doi-asserted-by":"publisher","DOI":"10.2307\/3053861"},{"key":"joeuc.2012010102-27","doi-asserted-by":"publisher","DOI":"10.1177\/0022427889026003004"},{"key":"joeuc.2012010102-28","doi-asserted-by":"publisher","DOI":"10.1037\/0021-9010.75.5.561"},{"key":"joeuc.2012010102-29","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2009.92"},{"key":"joeuc.2012010102-30","doi-asserted-by":"crossref","DOI":"10.1093\/0198246609.001.0001","author":"R. M.Hare","year":"1981","journal-title":"Moral thinking: Its levels, methods and point"},{"key":"joeuc.2012010102-31","doi-asserted-by":"publisher","DOI":"10.2307\/249656"},{"key":"joeuc.2012010102-32","doi-asserted-by":"publisher","DOI":"10.1057\/ejis.2009.6"},{"key":"joeuc.2012010102-33","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2009.02.005"},{"key":"joeuc.2012010102-34","unstructured":"Hu, Q., Xu, Z., Dinev, T., & Ling, H. (2010). The centrality of low self-control in internal computer offenses. In B. Molyneux (Ed.), Proceedings of the Dewald Roode Information Security Workshop 2010, Waltham, MA (pp. 316-345)."},{"key":"joeuc.2012010102-35","doi-asserted-by":"publisher","DOI":"10.1111\/j.1745-9125.1989.tb01052.x"},{"key":"joeuc.2012010102-36","first-page":"31","article-title":"Moral stages and moralization: The cognitive-developmental approach","author":"L.Kohlberg","year":"1976","journal-title":"Moral Development and Behavior: Theory, research, and social issues"},{"key":"joeuc.2012010102-37","author":"L.Kohlberg","year":"1984","journal-title":"The psychology of moral development"},{"key":"joeuc.2012010102-38","doi-asserted-by":"publisher","DOI":"10.1016\/j.im.2003.08.001"},{"key":"joeuc.2012010102-39","author":"K.Krippendorff","year":"2004","journal-title":"Content analysis: An introduction to its methodology"},{"issue":"4","key":"joeuc.2012010102-40","first-page":"4","article-title":"Training as part of a security awareness program.","volume":"10","author":"L. M.Lafleur","year":"1992","journal-title":"Computer Control Quarterly"},{"key":"joeuc.2012010102-41","doi-asserted-by":"publisher","DOI":"10.1016\/j.im.2003.08.008"},{"issue":"1","key":"joeuc.2012010102-42","first-page":"65","article-title":"Force of habit and information systems usage: Theory and initial validation.","volume":"4","author":"M.Limayem","year":"2003","journal-title":"Journal of the AIS"},{"key":"joeuc.2012010102-43","doi-asserted-by":"publisher","DOI":"10.1287\/mnsc.1060.0597"},{"issue":"3","key":"joeuc.2012010102-44","doi-asserted-by":"crossref","first-page":"86","DOI":"10.1145\/506724.506730","article-title":"Extending the technology acceptance model: The influence of perceived user resources.","volume":"32","author":"K.Mathieson","year":"2001","journal-title":"The Data Base for Advances in Information Systems"},{"key":"joeuc.2012010102-45","unstructured":"McLean, K. (1992). IS security awareness\u2014Selling the cause. In Proceedings of the 8th International Conference on IS Security (IFIP\/Sec \u201992)."},{"key":"joeuc.2012010102-46","doi-asserted-by":"publisher","DOI":"10.1016\/0049-089X(87)90011-1"},{"key":"joeuc.2012010102-47","doi-asserted-by":"publisher","DOI":"10.1057\/ejis.2009.10"},{"key":"joeuc.2012010102-48","doi-asserted-by":"publisher","DOI":"10.2307\/3054102"},{"key":"joeuc.2012010102-49","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2008.11.010"},{"key":"joeuc.2012010102-50","doi-asserted-by":"publisher","DOI":"10.1207\/s15327663jcp0703_02"},{"key":"joeuc.2012010102-51","author":"J. C.Nunnally","year":"1967","journal-title":"Psychometric theory"},{"key":"joeuc.2012010102-52","doi-asserted-by":"publisher","DOI":"10.1007\/s10551-005-2929-7"},{"key":"joeuc.2012010102-53","doi-asserted-by":"crossref","unstructured":"Pahnila, S., Siponen, M. T., & Mahmood, A. (2007, July). Which factors explain employees\u2019 adherence to information security policies? An empirical study. In Proceedings of the PACIS 2007 Conference, Auckland, New Zealand.","DOI":"10.1007\/978-0-387-72367-9_12"},{"key":"joeuc.2012010102-54","author":"D. B.Parker","year":"1976","journal-title":"Crime by computer"},{"key":"joeuc.2012010102-55","doi-asserted-by":"crossref","unstructured":"Paternoster, R., & Simpson, S. (1993). A rational choice theory of corporate crime. In R. V. Clarke & M. Felson (Eds.), Advances in Criminological Theory: Vol. 5. Routine activity and rational choice (pp. 37\u201358). New Brunswick, NJ: Transaction.","DOI":"10.4324\/9781315128788-3"},{"key":"joeuc.2012010102-56","doi-asserted-by":"publisher","DOI":"10.2307\/3054128"},{"issue":"1","key":"joeuc.2012010102-57","doi-asserted-by":"crossref","first-page":"105","DOI":"10.2307\/25148783","article-title":"Understanding and mitigating uncertainty in online exchange relationships: A principal-agent perspective.","volume":"31","author":"P.Pavlou","year":"2007","journal-title":"Management Information Systems Quarterly"},{"key":"joeuc.2012010102-58","doi-asserted-by":"publisher","DOI":"10.1111\/j.1745-9125.1999.tb00488.x"},{"key":"joeuc.2012010102-59","doi-asserted-by":"publisher","DOI":"10.1080\/07418829600093061"},{"key":"joeuc.2012010102-60","doi-asserted-by":"publisher","DOI":"10.1037\/0021-9010.88.5.879"},{"key":"joeuc.2012010102-61","doi-asserted-by":"publisher","DOI":"10.1111\/j.1745-9125.2004.tb00515.x"},{"key":"joeuc.2012010102-62","doi-asserted-by":"publisher","DOI":"10.1111\/j.1745-9125.2000.tb00911.x"},{"key":"joeuc.2012010102-63","unstructured":"Puhakainen, P. (2006). Design theory for information security awareness. Unpublished doctoral dissertation, University of Oulu, Finland."},{"key":"joeuc.2012010102-64","author":"C. M.Ringle","year":"2005","journal-title":"SmartPLS"},{"key":"joeuc.2012010102-65","doi-asserted-by":"publisher","DOI":"10.1108\/09685220010371394"},{"key":"joeuc.2012010102-66","doi-asserted-by":"crossref","first-page":"255","DOI":"10.4018\/978-1-931777-15-5.ch019","article-title":"On the role of human morality in information system security: From the problems of descriptivism to non-descriptive foundations","author":"M. T.Siponen","year":"2002","journal-title":"Ethical issues of information systems"},{"issue":"7","key":"joeuc.2012010102-67","doi-asserted-by":"crossref","first-page":"445","DOI":"10.17705\/1jais.00095","article-title":"IS security design theory framework and six approaches to the application of IS security policies and guidelines.","volume":"7","author":"M. T.Siponen","year":"2006","journal-title":"Journal of the Association for Information Systems"},{"issue":"10","key":"joeuc.2012010102-68","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1109\/MC.2010.35","article-title":"Why employees don\u2019t comply with information security policies: An empirical investigation.","volume":"43","author":"M. T.Siponen","year":"2010","journal-title":"IEEE Computer"},{"issue":"3","key":"joeuc.2012010102-69","doi-asserted-by":"crossref","first-page":"487","DOI":"10.2307\/25750688","article-title":"Neutralization: New insights into the problem of employee information systems security policy violations.","volume":"34","author":"M. T.Siponen","year":"2010","journal-title":"Management Information Systems Quarterly"},{"key":"joeuc.2012010102-70","doi-asserted-by":"publisher","DOI":"10.4018\/joeuc.2004070104"},{"key":"joeuc.2012010102-71","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2004.07.001"},{"key":"joeuc.2012010102-72","doi-asserted-by":"publisher","DOI":"10.2307\/248922"},{"key":"joeuc.2012010102-73","doi-asserted-by":"publisher","DOI":"10.1287\/isre.1.3.255"},{"issue":"24","key":"joeuc.2012010102-74","first-page":"380","article-title":"Validation guidelines for IS positivist research.","volume":"13","author":"D. W.Straub","year":"2004","journal-title":"Communications of the AIS"},{"key":"joeuc.2012010102-75","doi-asserted-by":"publisher","DOI":"10.1111\/j.1559-1816.1998.tb01679.x"},{"issue":"2","key":"joeuc.2012010102-76","first-page":"57","article-title":"Security awareness programs: A proactive approach.","volume":"7","author":"E.Telders","year":"1991","journal-title":"Computer Security Journal"},{"key":"joeuc.2012010102-77","doi-asserted-by":"publisher","DOI":"10.1108\/09685229810227649"},{"key":"joeuc.2012010102-78","doi-asserted-by":"publisher","DOI":"10.2307\/3857567"},{"key":"joeuc.2012010102-79","doi-asserted-by":"crossref","unstructured":"Vroom, C., & von Solms, R. (2002). A practical approach to IS security awareness in the organization. In Proceedings of the 17th International Conference on IS Security (SEC2002).","DOI":"10.1007\/978-0-387-35586-3_2"},{"key":"joeuc.2012010102-80","doi-asserted-by":"publisher","DOI":"10.1111\/j.1745-9125.1997.tb00879.x"},{"key":"joeuc.2012010102-81","doi-asserted-by":"publisher","DOI":"10.1016\/j.chb.2010.04.025"}],"container-title":["Journal of Organizational and End User Computing"],"original-title":[],"language":"ng","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=61411","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T21:23:52Z","timestamp":1654118632000},"score":1,"resource":{"primary":{"URL":"https:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/joeuc.2012010102"}},"subtitle":["A Rational Choice Perspective"],"short-title":[],"issued":{"date-parts":[[2012,1,1]]},"references-count":82,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2012,1]]}},"URL":"https:\/\/doi.org\/10.4018\/joeuc.2012010102","relation":{},"ISSN":["1546-2234","1546-5012"],"issn-type":[{"value":"1546-2234","type":"print"},{"value":"1546-5012","type":"electronic"}],"subject":[],"published":{"date-parts":[[2012,1,1]]}}}