Understanding compliance with internet use policy from the perspective of rational choice theory

a r t i c l e i n f o Keywords: Internet abuses Internet use policy Rational choice Cost benefit analysis Current studies on compliance with security policies have largely ignored the impact of the perceived benefits of deviant behavior, personal norms, and organizational context. Drawing on the literature in criminology, this paper applies rational choice theory to examine how employees' intention to comply with Internet use policy is driven by cost–benefit assessments, personal norms and organizational context factors. The results indicate that employees' compliance intention is the result of competing influences of perceived benefits, formal sanctions, and security risks. Furthermore, the effect of sanction severity is found to be moderated by personal norms. In recent decades, companies have increasingly leveraged the Internet to enhance their internal and external connectivity. Accompanying the well-known benefits of the use of Internet technology in the workplace are new threats such as increased security risks and improper use. Internet abuses by employees at the workplace are a real concern to nearly all companies and include various non-work-related Internet activities such as checking personal e-mails, browsing non-work-related Web sites, chatting online, gaming, investing, shopping, or even getting involved in cybercrimes " The International Data Corp. estimated that 30% to 40% of employee Internet use isn't work related " [39]. Eighty-seven percent of employees have used the Internet for personal purposes while at work and, of this proportion, 53% browse the Internet for personal purposes on a daily basis [44]. It is estimated that companies lose $54 billion annually as a result of lost productivity from Web surfing [1]. These non-work-related Internet activities not only reduce the productivity of employees but also open the door to a wide spectrum of security breaches such as viruses and spywares. According to Sophos, in 2007, the Web became the primary route for the spread of malicious codes [42]. Sophos discovered one new infected webpage every 14 s, or 6000 a day in 2007. It has become critically important for companies to safeguard their Internet communications and regulate the Internet usage of their employees. An Internet use policy (IUP), an important type of security policy, is adopted by most companies to reduce Internet use for non-work-related purposes [51]. For example, Websense, Inc., an Internet access management company, surveyed 224 companies in 2001 and found that 83% of them have adopted Internet use policies [51]. Despite the wide deployment of …