信息安全遵从行为的激励机制研究——惩罚的确定性与适度性

关于惩罚的确定性及其严重性是否能够有效地影响组织内部雇员的信息安全遵从行为,已有的研究结论尚存在着严重分歧。为了继续探索惩罚对信息安全遵从行为的影响作用,构建了信息安全遵从博弈模型,依据该模型和存在道德风险的委托人——代理人理论,分析了惩罚的确定性以及适度的惩罚严重性对信息安全遵从行为的激励机制,并对惩罚的适度性进行了数值模拟。研究表明:(1)作为委托人的组织可以设计出包含适度惩罚的最优激励契约,并获得最优的信息安全遵从收益;作为代理人的雇员不仅将接受该契约,并且会按照组织所期望的努力水平去遵从信息安全制度。(2)惩罚的确定性和适度性两者能够有效地影响雇员的信息安全遵从行为。(3)组织可以根据雇员的风险规避测度、外部机会收益、激励报酬以及信息安全产出结果这四个因素来设置适当的惩罚额度。这些研究结果将有助于信息安全管理者深入地理解并有效地管理组织内部雇员的信息安全遵从行为。

The Influence of the Certainty and the Appropriateness of Penalty on Information Security Compliance Behavior

The influence of the certainty and severity of penalty on the information security compliance behaviors of employees has been an issue of debate in the previous studies. In the present work, the compliance effort level on the information security policy is viewed to be a consequence of the dynamical game between the organization and its employee individual. An information security compliance game model is proposed, and then combined with the principal-agent theory to explore the influence of penalty on the information security compliance behavior of the employee. The incentive mechanisms of the certainty and the appropriateness of penalty on the compliance behavior are first considered, and then are further analyzed by using numerical simulation. Several significant results are obtained: (1)The organization (the principal) can design an optimal incentive contract which includes appropriate penalty for motivating the employee (an agent) to comply with the information security policy; (2)The certainty and the appropriateness of penalty are effective in motivating employee’s compliance; (3)The appropriateness of penalty can be determined in terms of the risk aversion of the employee, the compensation, the external benefit and the probability of the negative outcome of non-compliance. These theoretical insights are expected to provide useful reference for managers to understand and manage the information security compliance behaviors of employees in the organizational setting.