Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement
成果类型:
Article
署名作者:
Dey, Debabrata; Ghoshal, Abhijeet; Lahiri, Atanu
署名单位:
University of Washington; University of Washington Seattle; University of Illinois System; University of Illinois Urbana-Champaign; University of Texas System; University of Texas Dallas
刊物名称:
MANAGEMENT SCIENCE
ISSN/ISSBN:
0025-1909
DOI:
10.1287/mnsc.2021.4027
发表日期:
2022
页码:
2914-2931
关键词:
IT security
privacy
Circumvention
education
ENFORCEMENT
economics of IS
摘要:
The role of education and enforcement in ensuring compliance with a law or policy has been debated for more than a century now. We reopen this debate in the context of security circumvention by employees, currently a leading cause of information security and privacy breaches. Drawing on prior literature, we develop a microeconomic framework that captures employees' circumventing behavior in the face of security controls. This allows us to obtain interesting insights that have implications for how an organization should employ anticircumvention measures. First, unless circumvention is rampant, education and enforcement often work better in combination, and not in isolation. Second, there are incentives for an organization to tolerate circumvention to an extent, even when education and enforcement are cheap. Finally, education and enforcement may be strategic complements or substitutes in different parts of the parameter space. When they are complements, if a change in cost parameters compels the organization to increase one, it would also require an increase in the other in lockstep. In contrast, when they are substitutes, an increase in one is associated with a decrease in the other.