Common Misunderstandings of Deterrence Theory in Information Systems Research and Future Research Directions

In the 1980s, information systems (IS) borrowed deterrence theory (DT) from the field of criminology to explain information security behaviors (or intention). Today, DT is among the most commonly used theories in IS security research. Our review of IS research applying DT highlights that many fundamental assumptions of DT are unrecognized and therefore unexamined. This may have resulted in misunderstandings and conceptual confusions regarding some of the basic concepts of DT. For example, some IS studies confuse general deterrence with specific deterrence or do not recognize the difference between the two. Moreover, these fundamental assumptions, when directly examined, may provide important information about the applicability of DT in certain IS security contexts. This research commentary aims to identify and discuss some of the fundamental assumptions of DT and their implications for IS research. By examining these assumptions, IS researchers can study the previously unexplored aspects of DT in different IS contexts. Further, by recognizing these assumptions, IS scholars can revise them and build new variants of DT to better account for specific characteristics of IS behaviors and contexts.