Should I really do that? : using quantile regression to examine the impact of sanctions on information security policy compliance behavior

Abstract

Deterrence theory is one of the most commonly used theories to study information security policy non-compliance behavior. However, the results of studies in the information security field are ambiguous. To further address this heterogeneity, various influencing factors have been considered in the context of deterrence theory. However, a current challenge with these findings is that recent studies that quantitatively assess the effectiveness of deterrence have relied predominantly on methods that analyze the underlying data, starting from a regression-based approach. By applying quantile regression, we estimate the overall effect of deterrents, and uncover how their effect differs among employees with different inclinations toward ISP compliance behavior – a critical insight for determining security measures for specific employee groups. Based on longitudinal data gathered in the U.S., our findings show significantly different effects in the analyzed quantiles for both aspects of sanctions, namely certainty and severity.