Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement
Management Science
Posted: 6 Mar 2018 Last revised: 15 Apr 2021
Date Written: September 29, 2020
Abstract
The role of education and enforcement in ensuring compliance with a law or policy has been debated for more than a century now. We reopen this debate in the context of security circumvention by employees, currently a leading cause of information security and privacy breaches. Drawing upon prior literature, we develop a microeconomic framework that captures employees' circumventing behavior in the face of security controls. This allows us to obtain interesting insights that have implications for how an organization should employ anti-circumvention measures. First, unless circumvention is rampant, education and enforcement often work better in combination, and not in isolation. Second, there are incentives for an organization to tolerate circumvention to an extent, even when education and enforcement are cheap. Finally, education and enforcement may be strategic complements or substitutes in different parts of the parameter space. When they are complements, if a change in cost parameters compels the organization to increase one, it would also require an increase in the other in lockstep. In contrast, when they are substitutes, an increase in one is associated with a decrease in the other.
Keywords: Security, privacy, circumvention, education, enforcement, economics of IS
Suggested Citation: Suggested Citation