A holistic model of computer abuse within
organizations
Jintae Lee
Operations and Information Systems Division, College of Business and
Administration, University of Colorado at Boulder, Boulder, Colorado, USA
Younghwa Lee
Operations and Information Systems Division, College of Business and
Administration, University of Colorado at Boulder, Boulder, Colorado, USA
Why has computer abuse not been
reduced?
As computer technology and the Internet are
rapidly dispersed, e-generation employees are
encountering more unethically attractive
situations than ever when using a computer
(Cogner et al., 1995; Gattiker and Kelley, 1999).
Despite the fact that organizations have
developed and implemented a number of
security countermeasures, computer abuse[1]
continues to be a problem (Meyer, 1995;
Straub and Welke, 1998). Moreover, the
frequency of computer abuse and the amount
of losses associated with it are expected to
grow due to highly sophisticated and
educated abusers armed with the latest
information technology (IT) (Straub and
Nance, 1990). Many studies reveal how
severely organizations are victimized by
computer abuse (Computer Security Institute,
2001; Stephen, 1998; Thompson, 1998). For
example, the Computer Security Institute
(2001) reports that 64 per cent of organizations
that responded on a survey suffered a $378
million loss in 2001. Contrary to the general
perception that computer abuse is committed
by outside hackers, the majority (60 per cent)
of computer abuse is still done by employees
within organizations (Computer Security
Institute, 2001; Meyer, 1995; Zajac, 1988).
Amid this growing problem, previous
studies have attempted to find ways to reduce
computer abuse, recommending better
enforcement and operation of security
policies, development and operation of more
secure systems, and more careful deployment
of security awareness programs. These
solutions are based on the General
Deterrence Theory (GDT), which assumes
that the deviant behavior can be deterred if
the potential deviants fear detection and
prosecution (Parker, 1998; Smith and Garton,
1989). While many organizations have tried to
implement the solutions suggested by GDT,
the frequency and volume of computer abuse
are expected to continue increasing as highly
sophisticated employees engage in computer
abuse (Straub and Nance, 1990).
Nowadays, researchers doubt that
previous GDT-based research adequately
explains the current phenomenon of
computer abuse occurring inside
organizations. They stress the need for more
attention to the relationships among people
and their computers (e.g. McCollum, 1997;
Parker, 1998). For instance, Parker (1998)
pointed out:
Computer abusers seem to be beating us right
and left, no matter what controls we put into
out systems, it is because we have failed to
understand the way they think ... Technical
experts do not understand the computer
abusers' ingenuity and perseverance or the
weaknesses or the human factors in out
systems.
Moreover, as McCollum (1997) pointed out:
... technology is not the whole solution. It
involves effectively managing people.
Thus, the need for understanding computer
abuse with a new lens has arisen.
Recently, criminology theories that
attribute the abuse to social relationships of
the computer abusers have received
considerable attention by criminologists. The
most frequently cited are the social bond
theory that views the abuse as a result of the
weakness or inexistence of social-bonds of a
delinquent and the social learning theory
examining the abuse in the context of close
relationships with delinquents. In this paper,
we propose a holistic model of computer
abuse based on the social criminology
theories, which examine the social dynamics
that affect the computer abuse decision.
Confining its scope to the computer abuse
occurring inside organizations, the model
The research register for this journal is available at
http://www.emeraldinsight.com/researchregisters
The current issue and full text archive of this journal is available at
http://www.emeraldinsight.com/0968-5227.htm
[57]
Information Management &
Computer Security
10/2 [
2002
] 57±63
# MCB UP Limited
[
ISSN 0968-5227
]
[
DOI 10.1108/09685220210424104
]
Keywords
Computers, Computer security,
Theory
Abstract
Past studies suggest that
computer security
countermeasures such as security
policies, systems, and awareness
programs would be effective in
preventing computer abuse in
organizations. They are based on
the general deterrence theory,
which posits that when an
organization implements
countermeasures that threaten
abusers, its computer abuse
problems would be deterred.
However, computer abuse
problems persist in many
organizations despite these
measures. This article proposes a
new model of computer abuse that
extends the traditional model with
the social criminology theories.
Focusing on computer abuse
within organizations, the model
explains the phenomenon through
social lenses such as social bonds
and social learning. The new
model contributes to our
theoretical body of knowledge on
computer abuse by providing a
new angle for approaching the
problem. It suggests to
practitioners that both technical
and social solutions should be
implemented to reduce the
pervasive computer abuse
problems.