Skip to main content

Table A1 Selected literature of deterrence theory in information security context

From: Deterrence approach on the compliance with electronic medical records privacy policy: the moderating role of computer monitoring

Studies

Exogenous variable

Endogenous variable

Dependent variable

Straub [13]

Deterrent certainty, deterrent severity

 

Computer abuse

Kankanhalli et al. [42]

Deterrent efforts, deterrent severity, preventive efforts

 

IS security effectiveness

Lee et al. [43]

Security policy, security awareness, security systems

Self-defense intention

Abuse by invaders/insiders

Pahnila et al. [36]

Sanctions

Intention to comply with IS security policy

Actual compliance of IS security policy

Herath & Rao [15]

Severity of penalty, Certainty of detection

 

Policy compliance intention

Herath & Rao [16]

Punishment severity, deterrent certainty, security policy attitude

 

SPCI

D’Arcy et al. [14]

Security policy, security education, training, and awareness program, computer monitoring

Perceived certainty of sanction, Perceived severity of sanction

IS misuse intention

D’Arcy & Hovav [39]

Security policy, security education, training, and awareness program, computer monitoring

 

IS misuse intention

Li et al. [41]

Detection probability, Sanction severity

 

Internet use policy compliance intention

Siponen et al. [38]

Deterrence

 

Actual compliance of information security policy

Hu et al. [37]

Perceived certainty of sanction, perceived severity of sanction, perceived celerity of sanctions

 

Intention to commit violation

Siponen & Vance [46]

Formal sanction, Informal sanction

 

Intention to violate IS security policy

Xue et al. [56]

Actual punishment

Punishment expectancy, perceived justice of punishment

Compliance intention

Guo et al. [57]

Attitude toward security policy, perceived sanction, perceived deterrent certainty

Attitude toward non-malicious security violation

Non-malicious security violation intention

Son [58]

Perceived deterrent certainty, perceived deterrent severity

 

Compliance of IS security policy

Hovav & D’Arcy [17]

Procedural countermeasure, technical countermeasure

Perceived certainty of sanction, perceived severity of sanction, moral belief

IS misuse intention

Guo & Yuan [19]

Organizational sanction, workgroup sanction

Personal self-sanction

Intention of information security violation

D’Arcy & Devarja [59]

Certainty*severity

 

Technology misuse intention

Chen et al. [60]

Punishment, certainty of control

 

Intention to comply with IS security policy

Cheng et al. [61]

Perceived certainty, perceived severity

 

IS security policy violation intention

  1. Note:
  2. 1. An exogenous variable denotes a variable that is not caused by another variable in the model
  3. 2. An endogenous variable means a variable that is caused by one or more variable in the model