Computer offences and crimes against corporate computer systems have increasingly become a major challenge to information security management in the Internet-enabled global economy and society. In this study, we attempt to develop a theoretical model that integrates three main stream criminology theories, i.e., general deterrence, rational choice, and individual propensity. We submit that, while the main decision process leading to an offensive act may be explained by the rational choice theory, self-control and deterrence factors could significantly alter the risk-benefit calculus assumed in the rational choice model. Using data collected from employees in multiple organizations, we tested our model using structural equation modelling techniques. We found that the perceived benefits of offensive acts dominate the rational calculus in individuals, and that the low self-control significantly impacts the perceived benefits and risks, thus playing a major role in the computer offences perpetrated by individuals in organizational settings. In addition, we found that deterrence only has limited impact on the offensive intentions through increased perceived risks. By integrating multiple theories into one seamless model, we hope to provide better understanding of computer offences and deeper insights for improving information security management practices.
Hu, Qing; Xu, Zhengchuan; Dinev, Tamara; and Ling, Hong, "Why Individuals Commit Computer Offences in Organizations: Investigating the Roles of Rational Choice, Self-Control, and Deterrence" (2010). PACIS 2010 Proceedings. 132.