[1] Warkentin M, Willison R. Behavioral and policy issues in information systems security: the insider threat[J]. European Journal of Information Systems, 2009, 18(2): 101-105. [2] Whitman M E. Security policy: form design to maintenance[A]. Straub D W, Goodman S, Baskerville R L. Information security: policy, processes, and practices[M]. Armonk, NY: M. E. Sharpe, 2008, 6: 123-151. [3] Bulgurcu B, Cavusoglu H, Benbasat I. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness[J]. MIS Quarterly, 2010, 34(3): 523-548. [4] Muhire B. Employee compliance with information systems security policy in retail industry. case: store level employees[D]. Honors Thesis Program in the College of Management, Boston: University of Massachusetts, Paper 12, 2012. [5] Von Solms R, Von Solms B. From policies to culture[J]. Computers & Security, 2004, 23(4): 275-279. [6] Loch K D, Carr H H, Warkentin ME. Threats to information systems: today’s reality, yesterday’s understanding[J]. MIS Quarterly, 1992, 16(2): 173-186. [7] Warkentin M, Straub D, Malimage K. Featured talk: measuring secure behavior: a research commentary[A]. Symposium on Information Assurance &SecureKnowledge Management[C]. Albany, New York, 2012: 1-8. [8] Willison R, Warkentin M. Beyond deterrence: an expanded view of employee computer abuse[J]. MIS Quarterly, 2013, 37(1): 1-20. [9] Willison R, Siponen M. Overcoming the insider: reducing employee computer crime through situational crime prevention[J]. Communications of the ACM, 2009, 52(9): 133-137. [10] Grossman S J, Hart O D. An analysis of the principal-agent problem[J]. Econometrica, 1983, 51(1): 7-45. [11] 张维迎.博弈论与信息经济学[M].上海:格致出版社,上海三联出版社,上海人民出版社,2012. [12] Watson J. Strategy: an introduction to game theory[M]. Third Edition, New York: W. W. Norton & Company, 2013. [13] Mirrlees J A. The optimal structure of authority and incentive within an organization[J]. Bell Journal of Economics, 1976,7(1): 105-131. [14] Hölmstrom B. Moral hazard and observability[J]. Bell Journal of Economics, 1979, 10: 74-91. [15] Richardson R. 15th annual 2010/2011 CSI computer crime and security survey[R/OL]. http://www.GoCSI.com, 2011. [16] The Verizon Risk Team. 2012 Data breach investigation report[R/OL]. http://www. verizon-bussiness.com. 2012. [17] The Verizon Risk Team. 2014 Data breach investigation report[R/OL]. http://www.verizon-bussiness.com. 2014. [18] The Verizon Risk Team. 2015 Data breach investigation report[R/OL]. http://www.verizon-bussiness.com. 2015. [19] Barlow J B, Warkentin M, Ormond D, Dennis A R. Don’t make excuses! discouraging neutralization to reduce IT policy violation[J]. Computers & Security, 2013, 39(Part B): 145-159. [20] Lowry P B, Posey C, Roberts T L, Bennett R. Is your banker leaking your personal information? the roles of ethics and individual-level cultural characteristics in predicting organizational computer abuse[J]. Journal of Business Ethics, 2014, 121(3): 385-401. [21] Shropshire J, Warkentin M, Sharma S. Personality, attitudes, and intentions: predicting initial adoption of information security behavior[J]. Computers & Security, 2015,49: 177-191. [22] 柳玉鹏,曲世友.组织内部员工信息安全胜任评价模型[J].运筹与管理,2014,23(1):151-156. [23] Beautement A, Sasse A, Wonham M. The compliance budget: managing security behavior in organizations[A]. Proceedings of the 2008 Workshop on New Security Paradigms[C]. Lake Tahoe, California, USA, 2008: 47-58. [24] Beautement A, Sasse A. The economics of user effort in information security[J]. Computer Fraud & Security, 2009, 10: 8-12. [25] Gibbs J P. Crime, punishment and deterrence[J]. Social Science Quarterly, 1968, 48: 515-530. [26] Bailey W C, Martin J D, Gray L N. Crime and deterrence: correlation analysis[J]. Journal of Research in Crime and Delinquency, 1974, 11(2): 124-143. [27] D’Arcy J, Herath T. A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings[J]. European Journal of Information Systems, 2011, 20(6): 643-658. [28] Johnston A C, Warkentin M, McBride M, Carter L. Dispositional and situational factors: influences on information security policy violations[J]. European Journal of Information Systems, 2016, 25: 231-251. [29] D’Arcy J , Hovav A, Galletta D. User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach[J]. Information Systems Research, 2009b, 20(1): 79-98. [30] Straub D M Jr. Effective IS security: an empirical study[J]. Information Systems Research, 1990, 1(3): 255-276. [31] Johnston A C, Warkentin M. Fear appeals and information security behaviors:an empirical study[J]. MIS Quarterly, 2010, 34(3): 649-666. [32] Bulgurcu B, Cavusoglu H, Benbasat I. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness[J]. MIS Quarterly, 2010, 34(3): 523-548. [33] Chen Y, Ramamurthy K(R), Wen K. Organizations’ information security policy compliance: stick or carrot approach?[J]. Journal of Management Information Systems. Winter, 2012-13, 29(3): 157-188. [34] Hovav A, D’Arcy J. Applying an extended model of deterrence across cultures: an investigation of information systems misuse in the U.S. and South Korea[J]. Information & Management, 2012, 49(2): 99-110. [35] Lee S M, Lee S, Yoo S. An integrative model of computer abuse based on social control and general deterrence theories[J]. Information and Management, 2004, 41(6): 707-718. [36] Gopal R D, Sanders G L. Preventative and deterrent controls for software piracy[J]. Journal of Management Information Systems, 1997, 13(4): 29-47. [37] Hu Q, Xu Z, Dinev T, Ling H. Does deterrence work in reducing information security policy abuse by employees?[J]. Communications of the ACM, 2011, 54(6): 54-60. [38] Pahnila S, Siponen M, Mahmood A. Employees’ behavior towards IS security policy compliance[A]. Proceedings of the 40th Hawaii International Conference on System Sciences[C]. Waikoloa, Big Island, HI, USA: IEEE Computer Society, 2007. [39] Lowry P B, Posey C, Bennett R(B) J, Roberts T L. Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: an empirical study of the influence of counterfactual reasoning and organisational trust[J]. Information Systems Journal, 2015, 25, 193-230. [40] Son J. Out of fear or desire? toward a better understanding of employees’ motivation to follow IS security policies[J]. Information & Management, 2011, 48: 296-302. [41] Siponen M, Vance A. Neutralization: new insights into the problem of employee information systems security policy violations[J]. MIS Quarterly, 2010, 34(3): 487-502. [42] Cheng L, Li W, Zhai Q, Smyth R. Understanding personal use of the Internet at work: an integrated model of neutralization techniques and general deterrence theory[J]. Computers in Human Behavior , 2014,38: 220-228. [43] Li H, Zhang J, Sarathy R. Understanding compliance with internet use policy from the perspective of rational choice theory[J]. Decision Support Systems, 2010, 48(4): 635-645. [44] Herath T, Rao H R. Protection motivation and deterrence: a framework for security policy compliance in organisations[J]. European Journal of Information Systems, 2009, 18(2): 106-125. [45] Herath T, Rao H R. Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness[J]. Decision Support Systems, 2009, 47(2): 154-165. [46] Zhang L, Smith W W, McDowell W C. Examining digital piracy: self-control, punishment and self-efficacy[J]. Information Resources Management Journal, 2006, 22(1): 24-44. [47] Higgins G E, Wilson A L, Fell B D. An application of deterrence theory to software piracy[J]. Journal of Criminal Justice and Popular Culture, 2005, 12(3): 166-184. [48] Hollinger R C. Crime by computer: correlates of software piracy and unauthorized account access[J]. Security Journal, 1993, 4: 2-12. [49] Cheng L, Li Y, Li W, Holm E, Zhai Q. Understanding the violation of IS security policy in organizations: an integrated model based on social control and deterrence theory[J]. Computers & Security, 2013, 39: 447-459. [50] D’Arcy J, Devaraj S. Employee misuse of information technology resources: testing a contemporary deterrence model[J]. Decision Sciences, 2012, 43(6): 1091-1124. [51] Skinner W F, Fream A M. A social learning theory analysis of computer crime among college students[J]. Journal of Research in Crime and Delinquency, 1997, 34(4): 495-518. [52] Johnson M E, Goetz E. Embedding information security into the organization[J]. IEEE Security & Privacy, 2007, 5(3): 16-24. [53] Chatterjee S, Sarker S, Valacich J S. The behavioral roots of information systems security: exploring key factors related to unethical IT use[J]. Journal of Management Information Systems, 2015, 31(4): 49-87. [54] Wall J D, Lowry P B, Barlow J B. Organizational violations of externally governed privacy and security rules: explaining and predicting selective violations under conditions of strain and excess[J]. Journal of the Association for Information Systems, 2016, 17(1): 39-76. [55] Johnston A C, Warkentin M, Siponen M. An enhanced fear appeal rhetorical framework: leveraging threats to the human asset through sanctioning rhetoric[J]. MIS Quarterly, 2015, 39(1): 113-134. [56] Guo K H, Yuan Y. The effects of multilevel sanction on information security violations: a mediating model[J]. Information & Management, 2012, 49: 320-326. [57] 鞠炜,刘宁,张正堂.组织惩罚的溢出效应研究[J].中国人力资源开发,2014,11:25-30. [58] 张正堂,李倩.组织惩罚行为决策动因与实施效应: 研究综述[J].经济管理,2014,36(4):181-191. [59] 丁绒,孙延明,叶广宇.增强惩罚的企业联盟合作规范机制: 自组织演化视角[J].管理科学,2014,27(1): 11-20. [60] 包兴,鲁其辉,牛保庄.考虑监管惩罚的两类运作系统应急运作模型[J].控制与决策,2015,30(4):677-684. [61] 桂春梅,蹇强,王怀民,吴泉源.虚拟计算环境中基于重复博弈的惩罚激励机制[J].软件学报,2010,21(12):3024-3055. [62] 张敏,张磊.数字图书馆电子资源过度下载意愿的影响因素研究——基于任务驱动与惩罚抑制的双重情境[J].图书情报工作,2016,60(7):116-122. [63] 黄湛冰,万迪昉.惩罚在长期激励中的成本优势分析[J].管理科学,2005,18(5):17-20. [64] 刘耀中,唐志文,叶海英.预期背离下奖励与惩罚的ERPs研究[J].心理科学,2012,35(4):806-810. [65] 孙磊,陈雅姗,陈绍敏.惩罚机制对影响力不同群体合作行为演化的影响[J].福州大学学报(自然科学版),2013,41(5):841-844. [66] 周晔馨,涂勤,胡必亮.惩罚、社会资本与条件合作——基于传统实验和人为田野实验的对比研究[J].经济研究,2014,10:125-138. [67] 陈红,王珂,祁慧,龙如银,刘静.基于ABMS的煤矿不安全行为惩罚制度有效性仿真[J].数学实践与认识,2014,44(1):53-71. [68] 李健,王庆山.政策企业家视角下碳配额决策及违约惩罚的演化博弈分析[J].软科学,2015,29(9):121-126. [69] 周怀峰,谢长虎.惩罚困境、社会资本与群体合作秩序[J].陕西师范大学学报(哲学社会科学版),2014,43(4):28-37. [70] 刘谞,马剑虹,朱玥.从归因视角探讨公共物品两难中惩罚系统对合作的影响[J].应用心理学,2010,16(4):332-340. [71] 刘国芳,辛自强.惩罚对信任与合作的影响: 争论与解释[J].上海师范大学学报(哲学社会科学版),2014,43(1):146-152. [72] 毛军权,孙绍荣.企业员工越轨行为惩罚机制的数学模型——一个理论框架[J].软科学,2008,22(8):18-24. [73] 王沛,陈莉.惩罚和社会价值取向对公共物品两难中人际信任与合作行为的影响[J].心理学报,2011,43(1):52-64. [74] 连洪泉,周业安,左聪颖,陈叶烽,宋紫峰.惩罚机制真能解决搭便车难题吗?——基于动态公共品实验的证据[J].管理世界,2013,4:69-81. [75] 李建标,巨龙,李政,汪敏达.董事会里的“战争”——序贯与惩罚机制下董事会决策行为的实验分析[J].南开管理评论,2009,12(5):70-76. [76] 陈欣,赵国祥,叶浩生.公共物品困境中惩罚的形式和作用[J].心理科学进展,2014,22(1):160-170. [77] 骆品亮,周勇.虚拟研发组织利益分配的分成制与团队惩罚机制研究[J].科研管理,2005,26(5):127-131. |