Professor John D’Arcy helps the $71 billion IT security industry manage sprawling risk

High-profile data breaches continue to drive news headlines and produce C-level fallout, all the while fueling a global IT security industry valued at more than $71 billion, according to The Gartner Worldwide IT Spending Forecast.

A recent survey by CompTIA says that human error accounts for 52 percent of root causes of security breaches, while technology errors account for 48 percent. A 2015 Intel report titled Grand Theft Data attributes 43% of data loss to internal actors, half of which was intentional, and half accidental.

John D’Arcy, Lerner College associate professor of MIS, is a leading academic expert on how corporations manage such a staggering amount of risk lingering inside their organizations. Building on research indicating that most serious technology breaches have been linked to employees’ deliberate misuse of their organizations’ IT resources, D’Arcy has compared the effects of different measures taken to stop this employee IT misuse.

In a paper published in the journal Decision Sciences, D’Arcy reveals that informal sanctions – in the form of employees’ anticipated feelings of social and self-disapproval – had a stronger deterrent effect on IT misuse than did formal sanctions such as fines and punishments.

This means that companies seeking to prevent IT misuse should keep in mind the internal characteristics of employees, creating security policies and education programs that emphasize both the formal and informal costs of engaging in IT misuse. Such programs should also discuss moral responsibilities for employees facing IT misuse opportunities.

Last year, D’Arcy also chaired the seventh annual DeWald Roode Information Systems Security Workshop, which was hosted by Lerner’s Department of Accounting and MIS.

The workshop welcomed a record number of 45 prominent information systems researchers from numerous universities in the U.S., Korea, South Africa and Finland. Eighteen papers were presented in a collaborative, feedback-heavy setting over the course of the two-day workshop, which focused on insider threats to security.

D’Arcy said that the workshop was a success and contributed to the working group’s mission of “boldly advancing the research discipline of information systems security.”

This work will only continue to grow in importance as information security emerges as a critical issue in today’s business environment for any organization that stores data electronically.