A Meta-Analysis of Deterrence Theory in Information Security Policy Compliance Research

摘要

Enforcing information security policies is a key concern of information security managers. To deter employees from deviant behavior, organizations often implement sanction mechanisms. However, evidence from research regarding the efficiency of such a deterrence approach has been mixed. Drawing on this inconsistency, this paper examines the applicability of deterrence theory in information security policy compliance research. It is argued that contextual and methodological moderators play a crucial role when conceptualizing deterrence theory in security studies. Applying a meta-analysis, the results suggest that sanctions have an overall effect on deviant behavior. However, the results also indicate that this relationship is dependent on the study's context. Deterrence theory better predicts deviant behavior in malicious contexts, cultures with a high degree of power distance, and cultures with a high uncertainty avoidance. The meta-analysis also reveals no meaningful differences arising from the methodological context in terms of scenario-based and behavior-specific measurement.