Understanding the Incentive Mechanism of Penalty for Information Security Policy Compliance Behavior

A significant number of information security incidents have been attributed to the internal employees' failure to comply with the information security policy (ISP) in the organizational setting. There exists a principal-agent problem with moral hazard between the employer and the employee individual for the practical compliance effort of the employee is not observable without high costs. In this study, an ISP compliance game has been proposed to analyze the incentive mechanism of penalty on the compliance behavior of employee individual. It is shown that in a no-penalty contract, the employee will decline to comply with the ISP if the expected payoff obtained from her noncompliance is larger than that from the outside options; and in a penalty contract, an appropriate penalty will motivate her to exert the compliance effort level expected by her employer. A numerical example has been presented to show the validity of this game analysis.