信息安全遵从行为的激励机制研究——惩罚的确定性与适度性

doi:10.12005/orms.2018.0069

摘要/Abstract

摘要： 关于惩罚的确定性及其严重性是否能够有效地影响组织内部雇员的信息安全遵从行为,已有的研究结论尚存在着严重分歧。为了继续探索惩罚对信息安全遵从行为的影响作用,构建了信息安全遵从博弈模型,依据该模型和存在道德风险的委托人——代理人理论,分析了惩罚的确定性以及适度的惩罚严重性对信息安全遵从行为的激励机制,并对惩罚的适度性进行了数值模拟。研究表明:(1)作为委托人的组织可以设计出包含适度惩罚的最优激励契约,并获得最优的信息安全遵从收益;作为代理人的雇员不仅将接受该契约,并且会按照组织所期望的努力水平去遵从信息安全制度。(2)惩罚的确定性和适度性两者能够有效地影响雇员的信息安全遵从行为。(3)组织可以根据雇员的风险规避测度、外部机会收益、激励报酬以及信息安全产出结果这四个因素来设置适当的惩罚额度。这些研究结果将有助于信息安全管理者深入地理解并有效地管理组织内部雇员的信息安全遵从行为。

关键词: 信息系统, 信息安全, 委托人——代理人理论, 激励机制, 信息安全遵从行为, 惩罚

Abstract: The influence of the certainty and severity of penalty on the information security compliance behaviors of employees has been an issue of debate in the previous studies. In the present work, the compliance effort level on the information security policy is viewed to be a consequence of the dynamical game between the organization and its employee individual. An information security compliance game model is proposed, and then combined with the principal-agent theory to explore the influence of penalty on the information security compliance behavior of the employee. The incentive mechanisms of the certainty and the appropriateness of penalty on the compliance behavior are first considered, and then are further analyzed by using numerical simulation. Several significant results are obtained: (1)The organization (the principal) can design an optimal incentive contract which includes appropriate penalty for motivating the employee (an agent) to comply with the information security policy; (2)The certainty and the appropriateness of penalty are effective in motivating employee’s compliance; (3)The appropriateness of penalty can be determined in terms of the risk aversion of the employee, the compensation, the external benefit and the probability of the negative outcome of non-compliance. These theoretical insights are expected to provide useful reference for managers to understand and manage the information security compliance behaviors of employees in the organizational setting.

Key words: information system, information security, principal-agent theory, incentive mechanism, information security compliance behavior, penalty

中图分类号:

C931

王小龙, 李文立. 信息安全遵从行为的激励机制研究——惩罚的确定性与适度性[J]. 运筹与管理, 2018, 27(3): 133-142.

WANG Xiao-long, LI Wen-li. The Influence of the Certainty and the Appropriateness of Penalty on Information Security Compliance Behavior[J]. Operations Research and Management Science, 2018, 27(3): 133-142.

参考文献

[1] Warkentin M, Willison R. Behavioral and policy issues in information systems security: the insider threat[J]. European Journal of Information Systems, 2009, 18(2): 101-105.
[2] Whitman M E. Security policy: form design to maintenance[A]. Straub D W, Goodman S, Baskerville R L. Information security: policy, processes, and practices[M]. Armonk, NY: M. E. Sharpe, 2008, 6: 123-151.
[3] Bulgurcu B, Cavusoglu H, Benbasat I. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness[J]. MIS Quarterly, 2010, 34(3): 523-548.
[4] Muhire B. Employee compliance with information systems security policy in retail industry. case: store level employees[D]. Honors Thesis Program in the College of Management, Boston: University of Massachusetts, Paper 12, 2012.
[5] Von Solms R, Von Solms B. From policies to culture[J]. Computers & Security, 2004, 23(4): 275-279.
[6] Loch K D, Carr H H, Warkentin ME. Threats to information systems: today’s reality, yesterday’s understanding[J]. MIS Quarterly, 1992, 16(2): 173-186.
[7] Warkentin M, Straub D, Malimage K. Featured talk: measuring secure behavior: a research commentary[A]. Symposium on Information Assurance &SecureKnowledge Management[C]. Albany, New York, 2012: 1-8.
[8] Willison R, Warkentin M. Beyond deterrence: an expanded view of employee computer abuse[J]. MIS Quarterly, 2013, 37(1): 1-20.
[9] Willison R, Siponen M. Overcoming the insider: reducing employee computer crime through situational crime prevention[J]. Communications of the ACM, 2009, 52(9): 133-137.
[10] Grossman S J, Hart O D. An analysis of the principal-agent problem[J]. Econometrica, 1983, 51(1): 7-45.
[11] 张维迎.博弈论与信息经济学[M].上海:格致出版社,上海三联出版社,上海人民出版社,2012.
[12] Watson J. Strategy: an introduction to game theory[M]. Third Edition, New York: W. W. Norton & Company, 2013.
[13] Mirrlees J A. The optimal structure of authority and incentive within an organization[J]. Bell Journal of Economics, 1976,7(1): 105-131.
[14] Hölmstrom B. Moral hazard and observability[J]. Bell Journal of Economics, 1979, 10: 74-91.
[15] Richardson R. 15th annual 2010/2011 CSI computer crime and security survey[R/OL]. http://www.GoCSI.com, 2011.
[16] The Verizon Risk Team. 2012 Data breach investigation report[R/OL]. http://www. verizon-bussiness.com. 2012.
[17] The Verizon Risk Team. 2014 Data breach investigation report[R/OL]. http://www.verizon-bussiness.com. 2014.
[18] The Verizon Risk Team. 2015 Data breach investigation report[R/OL]. http://www.verizon-bussiness.com. 2015.
[19] Barlow J B, Warkentin M, Ormond D, Dennis A R. Don’t make excuses! discouraging neutralization to reduce IT policy violation[J]. Computers & Security, 2013, 39(Part B): 145-159.
[20] Lowry P B, Posey C, Roberts T L, Bennett R. Is your banker leaking your personal information? the roles of ethics and individual-level cultural characteristics in predicting organizational computer abuse[J]. Journal of Business Ethics, 2014, 121(3): 385-401.
[21] Shropshire J, Warkentin M, Sharma S. Personality, attitudes, and intentions: predicting initial adoption of information security behavior[J]. Computers & Security, 2015,49: 177-191.
[22] 柳玉鹏,曲世友.组织内部员工信息安全胜任评价模型[J].运筹与管理,2014,23(1):151-156.
[23] Beautement A, Sasse A, Wonham M. The compliance budget: managing security behavior in organizations[A]. Proceedings of the 2008 Workshop on New Security Paradigms[C]. Lake Tahoe, California, USA, 2008: 47-58.
[24] Beautement A, Sasse A. The economics of user effort in information security[J]. Computer Fraud & Security, 2009, 10: 8-12.
[25] Gibbs J P. Crime, punishment and deterrence[J]. Social Science Quarterly, 1968, 48: 515-530.
[26] Bailey W C, Martin J D, Gray L N. Crime and deterrence: correlation analysis[J]. Journal of Research in Crime and Delinquency, 1974, 11(2): 124-143.
[27] D’Arcy J, Herath T. A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings[J]. European Journal of Information Systems, 2011, 20(6): 643-658.
[28] Johnston A C, Warkentin M, McBride M, Carter L. Dispositional and situational factors: influences on information security policy violations[J]. European Journal of Information Systems, 2016, 25: 231-251.
[29] D’Arcy J , Hovav A, Galletta D. User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach[J]. Information Systems Research, 2009b, 20(1): 79-98.
[30] Straub D M Jr. Effective IS security: an empirical study[J]. Information Systems Research, 1990, 1(3): 255-276.
[31] Johnston A C, Warkentin M. Fear appeals and information security behaviors:an empirical study[J]. MIS Quarterly, 2010, 34(3): 649-666.
[32] Bulgurcu B, Cavusoglu H, Benbasat I. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness[J]. MIS Quarterly, 2010, 34(3): 523-548.
[33] Chen Y, Ramamurthy K(R), Wen K. Organizations’ information security policy compliance: stick or carrot approach?[J]. Journal of Management Information Systems. Winter, 2012-13, 29(3): 157-188.
[34] Hovav A, D’Arcy J. Applying an extended model of deterrence across cultures: an investigation of information systems misuse in the U.S. and South Korea[J]. Information & Management, 2012, 49(2): 99-110.
[35] Lee S M, Lee S, Yoo S. An integrative model of computer abuse based on social control and general deterrence theories[J]. Information and Management, 2004, 41(6): 707-718.
[36] Gopal R D, Sanders G L. Preventative and deterrent controls for software piracy[J]. Journal of Management Information Systems, 1997, 13(4): 29-47.
[37] Hu Q, Xu Z, Dinev T, Ling H. Does deterrence work in reducing information security policy abuse by employees?[J]. Communications of the ACM, 2011, 54(6): 54-60.
[38] Pahnila S, Siponen M, Mahmood A. Employees’ behavior towards IS security policy compliance[A]. Proceedings of the 40th Hawaii International Conference on System Sciences[C]. Waikoloa, Big Island, HI, USA: IEEE Computer Society, 2007.
[39] Lowry P B, Posey C, Bennett R(B) J, Roberts T L. Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: an empirical study of the influence of counterfactual reasoning and organisational trust[J]. Information Systems Journal, 2015, 25, 193-230.
[40] Son J. Out of fear or desire? toward a better understanding of employees’ motivation to follow IS security policies[J]. Information & Management, 2011, 48: 296-302.
[41] Siponen M, Vance A. Neutralization: new insights into the problem of employee information systems security policy violations[J]. MIS Quarterly, 2010, 34(3): 487-502.
[42] Cheng L, Li W, Zhai Q, Smyth R. Understanding personal use of the Internet at work: an integrated model of neutralization techniques and general deterrence theory[J]. Computers in Human Behavior , 2014,38: 220-228.
[43] Li H, Zhang J, Sarathy R. Understanding compliance with internet use policy from the perspective of rational choice theory[J]. Decision Support Systems, 2010, 48(4): 635-645.
[44] Herath T, Rao H R. Protection motivation and deterrence: a framework for security policy compliance in organisations[J]. European Journal of Information Systems, 2009, 18(2): 106-125.
[45] Herath T, Rao H R. Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness[J]. Decision Support Systems, 2009, 47(2): 154-165.
[46] Zhang L, Smith W W, McDowell W C. Examining digital piracy: self-control, punishment and self-efficacy[J]. Information Resources Management Journal, 2006, 22(1): 24-44.
[47] Higgins G E, Wilson A L, Fell B D. An application of deterrence theory to software piracy[J]. Journal of Criminal Justice and Popular Culture, 2005, 12(3): 166-184.
[48] Hollinger R C. Crime by computer: correlates of software piracy and unauthorized account access[J]. Security Journal, 1993, 4: 2-12.
[49] Cheng L, Li Y, Li W, Holm E, Zhai Q. Understanding the violation of IS security policy in organizations: an integrated model based on social control and deterrence theory[J]. Computers & Security, 2013, 39: 447-459.
[50] D’Arcy J, Devaraj S. Employee misuse of information technology resources: testing a contemporary deterrence model[J]. Decision Sciences, 2012, 43(6): 1091-1124.
[51] Skinner W F, Fream A M. A social learning theory analysis of computer crime among college students[J]. Journal of Research in Crime and Delinquency, 1997, 34(4): 495-518.
[52] Johnson M E, Goetz E. Embedding information security into the organization[J]. IEEE Security & Privacy, 2007, 5(3): 16-24.
[53] Chatterjee S, Sarker S, Valacich J S. The behavioral roots of information systems security: exploring key factors related to unethical IT use[J]. Journal of Management Information Systems, 2015, 31(4): 49-87.
[54] Wall J D, Lowry P B, Barlow J B. Organizational violations of externally governed privacy and security rules: explaining and predicting selective violations under conditions of strain and excess[J]. Journal of the Association for Information Systems, 2016, 17(1): 39-76.
[55] Johnston A C, Warkentin M, Siponen M. An enhanced fear appeal rhetorical framework: leveraging threats to the human asset through sanctioning rhetoric[J]. MIS Quarterly, 2015, 39(1): 113-134.
[56] Guo K H, Yuan Y. The effects of multilevel sanction on information security violations: a mediating model[J]. Information & Management, 2012, 49: 320-326.
[57] 鞠炜,刘宁,张正堂.组织惩罚的溢出效应研究[J].中国人力资源开发,2014,11:25-30.
[58] 张正堂,李倩.组织惩罚行为决策动因与实施效应: 研究综述[J].经济管理,2014,36(4):181-191.
[59] 丁绒,孙延明,叶广宇.增强惩罚的企业联盟合作规范机制: 自组织演化视角[J].管理科学,2014,27(1): 11-20.
[60] 包兴,鲁其辉,牛保庄.考虑监管惩罚的两类运作系统应急运作模型[J].控制与决策,2015,30(4):677-684.
[61] 桂春梅,蹇强,王怀民,吴泉源.虚拟计算环境中基于重复博弈的惩罚激励机制[J].软件学报,2010,21(12):3024-3055.
[62] 张敏,张磊.数字图书馆电子资源过度下载意愿的影响因素研究——基于任务驱动与惩罚抑制的双重情境[J].图书情报工作,2016,60(7):116-122.
[63] 黄湛冰,万迪昉.惩罚在长期激励中的成本优势分析[J].管理科学,2005,18(5):17-20.
[64] 刘耀中,唐志文,叶海英.预期背离下奖励与惩罚的ERPs研究[J].心理科学,2012,35(4):806-810.
[65] 孙磊,陈雅姗,陈绍敏.惩罚机制对影响力不同群体合作行为演化的影响[J].福州大学学报(自然科学版),2013,41(5):841-844.
[66] 周晔馨,涂勤,胡必亮.惩罚、社会资本与条件合作——基于传统实验和人为田野实验的对比研究[J].经济研究,2014,10:125-138.
[67] 陈红,王珂,祁慧,龙如银,刘静.基于ABMS的煤矿不安全行为惩罚制度有效性仿真[J].数学实践与认识,2014,44(1):53-71.
[68] 李健,王庆山.政策企业家视角下碳配额决策及违约惩罚的演化博弈分析[J].软科学,2015,29(9):121-126.
[69] 周怀峰,谢长虎.惩罚困境、社会资本与群体合作秩序[J].陕西师范大学学报(哲学社会科学版),2014,43(4):28-37.
[70] 刘谞,马剑虹,朱玥.从归因视角探讨公共物品两难中惩罚系统对合作的影响[J].应用心理学,2010,16(4):332-340.
[71] 刘国芳,辛自强.惩罚对信任与合作的影响: 争论与解释[J].上海师范大学学报(哲学社会科学版),2014,43(1):146-152.
[72] 毛军权,孙绍荣.企业员工越轨行为惩罚机制的数学模型——一个理论框架[J].软科学,2008,22(8):18-24.
[73] 王沛,陈莉.惩罚和社会价值取向对公共物品两难中人际信任与合作行为的影响[J].心理学报,2011,43(1):52-64.
[74] 连洪泉,周业安,左聪颖,陈叶烽,宋紫峰.惩罚机制真能解决搭便车难题吗?——基于动态公共品实验的证据[J].管理世界,2013,4:69-81.
[75] 李建标,巨龙,李政,汪敏达.董事会里的“战争”——序贯与惩罚机制下董事会决策行为的实验分析[J].南开管理评论,2009,12(5):70-76.
[76] 陈欣,赵国祥,叶浩生.公共物品困境中惩罚的形式和作用[J].心理科学进展,2014,22(1):160-170.
[77] 骆品亮,周勇.虚拟研发组织利益分配的分成制与团队惩罚机制研究[J].科研管理,2005,26(5):127-131.