Abstract
This research-perspective article reviews and contributes to the literature that explains how to deter internal computer abuse (ICA), which is criminal computer behavior committed by organizational insiders. ICA accounts for a large portion of insider trading, fraud, embezzlement, the selling of trade secrets, customer privacy violations, and other criminal behaviors, all of which are highly damaging to organizations. Although ICA represents a momentous threat for organizations, and despite numerous calls to examine this behavior, the academic response has thus far been lukewarm. Nonetheless, a few security researchers have examined ICA’s influence in an organizational context and addressed potential means of deterring it. The results of these studies, however, have been mixed, leading to a debate on the applicability of deterrence theory (DT) to ICA. We argue that more compelling opportunities will arise in DT research if security researchers more deeply study its assumptions and more carefully recontextualize it. The purpose of this article is to advance a deterrence research agenda that is grounded in the pivotal criminological deterrence literature. Drawing on the distinction between absolute and restrictive deterrence and aligning them with rational choice theory (RCT), this paper shows how deterrence can be used to mitigate the participation in and frequency of ICA. We thus propose that future research on the deterrent effects of ICA should be anchored in a more general RCT, rather than in examinations of deterrence as an isolated construct. We then explain how adopting RCT with DT opens up new avenues of research. Consequently, we propose three areas for future research, which cover not only the implications for the study of ICA deterrence, but also the potential motivations for these types of offenses and the skills required to undertake them.
Original language | English |
---|---|
Pages (from-to) | 1187-1216 |
Number of pages | 30 |
Journal | Journal of the Association for Information Systems |
Volume | 19 |
Issue number | 12 |
Publication status | Published - 2018 |
Externally published | Yes |
Keywords
- Absolute deterrence
- Behavioral security
- Compliance violations
- Computer abuse
- Criminal behavior
- Deterrence Theory (DT)
- Information Security Policies (ISPs)
- Internal Computer Abuse (ICA)
- Organizational security
- Rational Choice Theory (RCT)
- Restrictive deterrence
- Security