Title: Control mechanisms in information security: a principal agent perspective

Authors: Tejaswini Herath, H. Raghav Rao

Addresses: Faculty of Business, Department of Finance, Operations and Information Systems, Brock University, St. Catharines, Ontario L2S 3A1, Canada. ' Department of Management Science and Systems, School of Management, State University of New York (SUNY) Buffalo, Buffalo, New York 14260, USA

Abstract: End user security behaviours are an important part of enterprise-wide information security. Although organisations have been actively using security technologies and practices, it is known that information security cannot be achieved through technological tools alone. In order to find appropriate control mechanisms to encourage employee security behaviours in organisations, we look at this problem through a principal agent perspective. Since employee security behaviours cannot be continuously monitored and employees may have conflicting views regarding security policies (moral hazard problem), we believe that the principal agent paradigm can provide insight in developing effective controls.

Keywords: principal agent theory; information security; employee security behaviour; employee monitoring; security policies; control mechanisms; business governance; business ethics; economic crime prevention.

DOI: 10.1504/IJBGE.2010.029551

International Journal of Business Governance and Ethics, 2010 Vol.5 No.1/2, pp.2 - 13

Published online: 30 Nov 2009 *

Full-text access for editors Access for subscribers Purchase this article Comment on this article