Do organizational security measures contribute to the detection and reporting of IT-system abuses?

The paper presents a study of IT systems abuses, based on 390 responses from the Norwegian Computer Crime Survey 2006, and qualitative data from personal interviews of 94 employees in four enterprises required to obey the Norwegian Security Act. The aim of the study has been to shed light on a handful organizational security measures that contribute to the detection and reporting of security incidents. The results confirm significant positive correlations between organizational security measures and reporting of IT abuse incidents. But personal beliefs and judgements of the observed security breaches, however, influence the willingness to report colleagues to security management. Moreover, the results show that the reporting regime in Norwegian enterprises is too loose and the punishment too low to confirm any strong deterrent effect on employees, and most IT abuse incidents are regarded to be insignificant and not considered as criminal incidents.