IDEAS home Printed from https://ideas.repec.org/a/inm/ormnsc/v68y2022i4p2914-2931.html
   My bibliography  Save this article

Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement

Author

Listed:
  • Debabrata Dey

    (Foster School of Business, University of Washington, Seattle, Washington 98195)

  • Abhijeet Ghoshal

    (Gies College of Business, University of Illinois, Champaign, Illinois 61820)

  • Atanu Lahiri

    (Jindal School of Management, University of Texas, Dallas, Texas 75080)

Abstract

The role of education and enforcement in ensuring compliance with a law or policy has been debated for more than a century now. We reopen this debate in the context of security circumvention by employees, currently a leading cause of information security and privacy breaches. Drawing on prior literature, we develop a microeconomic framework that captures employees’ circumventing behavior in the face of security controls. This allows us to obtain interesting insights that have implications for how an organization should employ anticircumvention measures. First, unless circumvention is rampant, education and enforcement often work better in combination, and not in isolation. Second, there are incentives for an organization to tolerate circumvention to an extent, even when education and enforcement are cheap. Finally, education and enforcement may be strategic complements or substitutes in different parts of the parameter space. When they are complements, if a change in cost parameters compels the organization to increase one, it would also require an increase in the other in lockstep. In contrast, when they are substitutes, an increase in one is associated with a decrease in the other.

Suggested Citation

  • Debabrata Dey & Abhijeet Ghoshal & Atanu Lahiri, 2022. "Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement," Management Science, INFORMS, vol. 68(4), pages 2914-2931, April.
    • Handle: RePEc:inm:ormnsc:v:68:y:2022:i:4:p:2914-2931
    DOI: 10.1287/mnsc.2021.4027
    as

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/mnsc.2021.4027
    Download Restriction: no
    File URL: https://libkey.io/10.1287/mnsc.2021.4027?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Michael Workman & John Gathegi, 2007. "Punishment and ethics deterrents: A study of insider security contravention," Journal of the American Society for Information Science and Technology, Association for Information Science & Technology, vol. 58(2), pages 212-222, January.
    2. Anastasia Danilov & Dirk Sliwka, 2017. "Can Contracts Signal Social Norms? Experimental Evidence," Management Science, INFORMS, vol. 63(2), pages 459-476, February.
    3. Soomro, Zahoor Ahmed & Shah, Mahmood Hussain & Ahmed, Javed, 2016. "Information security management needs more holistic approach: A literature review," International Journal of Information Management, Elsevier, vol. 36(2), pages 215-225.
    4. Bengt Holmstrom, 1979. "Moral Hazard and Observability," Bell Journal of Economics, The RAND Corporation, vol. 10(1), pages 74-91, Spring.
    5. Karthik Kannan & Mohammad S. Rahman & Mohit Tawarmalani, 2016. "Economic and Policy Implications of Restricted Patch Distribution," Management Science, INFORMS, vol. 62(11), pages 3161-3182, November.
    6. John D'Arcy & Anat Hovav & Dennis Galletta, 2009. "User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research, INFORMS, vol. 20(1), pages 79-98, March.
    7. Huseyin Cavusoglu & Birendra Mishra & Srinivasan Raghunathan, 2005. "The Value of Intrusion Detection Systems in Information Technology Security Architecture," Information Systems Research, INFORMS, vol. 16(1), pages 28-46, March.
    8. Atanu Lahiri & Debabrata Dey, 2018. "Versioning and Information Dissemination: A New Perspective," Information Systems Research, INFORMS, vol. 29(4), pages 965-983, December.
    9. Detmar W. Straub, 1990. "Effective IS Security: An Empirical Study," Information Systems Research, INFORMS, vol. 1(3), pages 255-276, September.
    10. Terrence August & Tunay I. Tunca, 2008. "Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions," Information Systems Research, INFORMS, vol. 19(1), pages 48-70, March.
    11. Tejaswini Herath & H Raghav Rao, 2009. "Protection motivation and deterrence: a framework for security policy compliance in organisations," European Journal of Information Systems, Taylor & Francis Journals, vol. 18(2), pages 106-125, April.
    12. Sam Ransbotham & Sabyasachi Mitra, 2009. "Choice and Chance: A Conceptual Model of Paths to Information Security Compromise," Information Systems Research, INFORMS, vol. 20(1), pages 121-139, March.
    13. Jack Shih-Chieh Hsu & Sheng-Pao Shih & Yu Wen Hung & Paul Benjamin Lowry, 2015. "The Role of Extra-Role Behaviors and Social Controls in Information Security Policy Effectiveness," Information Systems Research, INFORMS, vol. 26(2), pages 282-300, June.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    2. Carol Hsu & Jae-Nam Lee & Detmar W. Straub, 2012. "Institutional Influences on Information Systems Security Innovations," Information Systems Research, INFORMS, vol. 23(3-part-2), pages 918-939, September.
    3. A. J. Burns & Tom L. Roberts & Clay Posey & Paul Benjamin Lowry & Bryan Fuller, 2023. "Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse," Information Systems Research, INFORMS, vol. 34(1), pages 342-362, March.
    4. John D’Arcy & Idris Adjerid & Corey M. Angst & Ante Glavas, 2020. "Too Good to Be True: Firm Social Performance and the Risk of Data Breach," Information Systems Research, INFORMS, vol. 31(4), pages 1200-1223, December.
    5. Li, Yuanxiang John & Hoffman, Elizabeth, 2023. "Designing an incentive mechanism for information security policy compliance: An experiment," Journal of Economic Behavior & Organization, Elsevier, vol. 212(C), pages 138-159.
    6. Paul Lowry & Clay Posey & Tom Roberts & Rebecca Bennett, 2014. "Is Your Banker Leaking Your Personal Information? The Roles of Ethics and Individual-Level Cultural Characteristics in Predicting Organizational Computer Abuse," Journal of Business Ethics, Springer, vol. 121(3), pages 385-401, May.
    7. Eun Hee Park & Jongwoo Kim & Lynn Wiles, 2023. "The role of collectivism and moderating effect of IT proficiency on intention to disclose protected health information," Information Technology and Management, Springer, vol. 24(2), pages 177-193, June.
    8. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.
    9. Kumju Hwang & Hyemi Um, 2021. "Social Controls and Bonds of Public Information Consumer on Sustainable Utilization and Provision for Computing," Sustainability, MDPI, vol. 13(9), pages 1-20, May.
    10. Kjell Hausken, 2017. "Security Investment, Hacking, and Information Sharing between Firms and between Hackers," Games, MDPI, vol. 8(2), pages 1-23, May.
    11. Yonghua Ji & Subodha Kumar & Vijay Mookerjee, 2016. "When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security," Information Systems Research, INFORMS, vol. 27(4), pages 897-918, December.
    12. Silva, Leiser & Hsu, Carol & Backhouse, James & McDonnell, Aidan, 2016. "Resistance and power in a security certification scheme: the case of c:cure," LSE Research Online Documents on Economics 68348, London School of Economics and Political Science, LSE Library.
    13. Luca Allodi & Fabio Massacci, 2017. "Security Events and Vulnerability Data for Cybersecurity Risk Estimation," Risk Analysis, John Wiley & Sons, vol. 37(8), pages 1606-1627, August.
    14. Sumantra Sarkar & Anthony Vance & Balasubramaniam Ramesh & Menelaos Demestihas & Daniel Thomas Wu, 2020. "The Influence of Professional Subculture on Information Security Policy Violations: A Field Study in a Healthcare Context," Information Systems Research, INFORMS, vol. 31(4), pages 1240-1259, December.
    15. Mengmeng Song & Joseph Ugrin & Man Li & Jinnan Wu & Shanshan Guo & Wenpei Zhang, 2021. "Do Deterrence Mechanisms Reduce Cyberloafing When It Is an Observed Workplace Norm? A Moderated Mediation Model," IJERPH, MDPI, vol. 18(13), pages 1-16, June.
    16. Yan Chen & Dennis F. Galletta & Paul Benjamin Lowry & Xin (Robert) Luo & Gregory D. Moody & Robert Willison, 2021. "Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model," Information Systems Research, INFORMS, vol. 32(3), pages 1043-1065, September.
    17. Ahmed Abbasi & David Dobolyi & Anthony Vance & Fatemeh Mariam Zahedi, 2021. "The Phishing Funnel Model: A Design Artifact to Predict User Susceptibility to Phishing Websites," Information Systems Research, INFORMS, vol. 32(2), pages 410-436, June.
    18. A. J. Burns & Clay Posey & James F. Courtney & Tom L. Roberts & Prabhashi Nanayakkara, 0. "Organizational information security as a complex adaptive system: insights from three agent-based models," Information Systems Frontiers, Springer, vol. 0, pages 1-16.
    19. Warut Khern-am-nuai & Matthew J. Hashim & Alain Pinsonneault & Weining Yang & Ninghui Li, 2023. "Augmenting Password Strength Meter Design Using the Elaboration Likelihood Model: Evidence from Randomized Experiments," Information Systems Research, INFORMS, vol. 34(1), pages 157-177, March.
    20. Martin Eling & Michael McShane & Trung Nguyen, 2021. "Cyber risk management: History and future research directions," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(1), pages 93-125, March.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:inm:ormnsc:v:68:y:2022:i:4:p:2914-2931. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Asher (email available below). General contact details of provider: https://edirc.repec.org/data/inforea.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.