Employees' failure to comply with
information systems security policies is a major concern for
information technology security managers. In an effort to
understand this problem, IS security researchers have traditionally
viewed violations of IS security policies through the lens of
deterrence theory. In this article, we show that
neutralization theory, a theory prominent in criminology but not yet
applied in the context of IS, provides a compelling explanation for
IS security policy violations and offers new insight into how
employees rationalize this behavior. In doing so, we propose a
theoretical model in which the effects of neutralization techniques
are tested alongside those of sanctions described by deterrence
theory. Our empirical results highlight neutralization as an
important factor to consider when developing and implementing
organizational security policies and practices.
Keywords: Neutralization theory, deterrence theory, IS security
policies, IS security, compliance