ABSTRACT
This two-stage longitudinal study examines how employee Internet abuse may be reduced by nontechnical deterrence methods, specifically via organizational acceptable use policies (AUPs). This study used actual employee usage and audit logs (not self-reporting survey measures) to monitor the web activity of employees. In stage 1, a mild AUP reminder sent to company employees resulted in a 12% decrease in employee Internet abuse. In stage 2, a more severe AUP reminder resulted in a 33% decrease in employee Internet abuse. For both stages, the AUP warning (regardless of severity level) resulted in an immediate and significant decrease in employee nonwork Internet use. Results indicate that the severe AUP treatment was more effective in reducing and maintaining lower levels of employee nonwork Internet use than the mild AUP treatment. Under the mild AUP treatment, employee nonwork Internet use levels returned to their pretreatment levels after only one week. However, under the severe AUP treatment, employee nonwork Internet use levels were lower than under the mild AUP treatment and remained consistently lower than their pretreatment levels even after three weeks. These results suggest that nontechnical deterrence methods in the form of organizational IT use policies may constitute an effective approach to reducing employee Internet abuse, particularly if AUPs are clear with regard to related sanctions and penalties for employee noncompliance.
Notes on contributors
Morgan M. Shepherd
Morgan M. Shepherd is a Professor of Information Systems at the University of Colorado–Colorado Springs. He received his PhD in Management Information Systems from the University of Arizona after having worked for over 10 years in the industry. His research interests include virtual groups, distance education, and security.
Roberto J. Mejias
Roberto J. Mejias is an Assistant Professor of Computer Information Systems at Colorado State University–Pueblo. He received his PhD in Management Information Systems from the University of Arizona. He has 10 years of engineering experience with the IBM Corporation. His research interests include cyber security defense and cyber security risk management.