在全球資訊科技發展快速的情形下，對於資安議題也更加重視，除了技術上的防護之外，近年來逐漸重視於人員上的管理，過去組織內資訊安全管理的研究大多從威嚇的角度出發，但對於威嚇後所產生的資安成果卻仍然不見得十分一致，因此本研究以控制理論為基礎，應用威嚇理論作為組織的正式控制同時加上非正式控制，探討不同的調節焦點對於組織控制與員工資訊安全政策順從意圖間關係的影響。調查對象依據天下雜誌2014與2015年5月的2000大企業調查，以紙本問卷的形式發放，總計有213份有效問卷。研究結果發現偵測確定性、懲罰嚴重性對資訊安全政策順從意圖有正向顯著影響，員工的預防焦點會正向增加偵測確定性對資訊安全政策順從意圖的影響，員工的預防焦點會正向增加懲罰嚴重性對資訊安全政策順從意圖的影響，員工的促進焦點會正向增加非正式控制對資訊安全政策順從意圖的影響，非正式控制對資訊安全政策順從意圖沒有正向顯著影響。

With the rapid development of global information technology, information security issues become more important. In addition to technical protection, organizations put emphasis on management in recent years. A great deal of literature has shown the importance of personnel management on information security. Previous information security studies mainly based on the perspective of sanctions; however, these studies have inconsistent results of deterrence effect. In view of this, based on the control theory and deterrence theory, the study tries to understand the effect of different regulatory focus on the relationships between deterrence, informal control and information security policy compliance intention. The sampling frame is the employees work in top 2000 companies listed in Common Wealth Magazine. We got a total of 213 valid questionnaires. The results found that detection certainty and punishment severity positively affects information security policy compliance intention. Prevention focus positively moderates the relationship between detection certainty and information security policy compliance intention. Prevention focus positively moderates the relationship between punishment severity and information security policy compliance intention. Promotion focus positively moderates the relationship between informal control and information security policy compliance intention. Informal control has no significant effect on information security policy compliance intention.

目錄
 第一章 緒論	1
1.1	研究背景	1
1.2	研究動機與目的	2
 第二章 文獻探討	6
2.1	控制理論(Control theory)	6
2.2	威嚇理論(Deterrence theory)	9
2.3	非正式控制(Informal control)	18
2.4	調節焦點理論(Regulatory focus theory)	19
2.5	資訊安全政策順從(Information security policy compliance)	22
 第三章 研究模型與假說	30
3.1	研究假說	31
3.1.1	偵測確定性對資訊安全政策順從意圖	31
3.1.2	懲罰嚴重性對資訊安全政策順從意圖	32
3.1.3	非正式控制對資訊安全政策順從意圖	32
3.1.4	預防焦點與偵測確定性和懲罰嚴重性對資訊安全政策順從意圖	33
3.1.5	促進焦點與非正式控制對資訊安全政策順從意圖	34
 第四章 研究方法	36
4.1	構念衡量	36
4.2	前測	39
4.3	資料蒐集	43
 第五章 資料分析	44
5.1	一般敘述性統計	44
5.2	共同方法變異(Common method variance)	47
5.3	結構方程模式	50
5.4	偏最小平方法分析	50
5.4.1	量測模式(measurement model)	51
5.4.2	結構模式(structural model)	53
 第六章 討論	55
 第七章 結論與建議	57
7.1	研究貢獻	57
7.2	研究限制與建議	58
參考文獻	60
附錄一：研究問卷(員工)	71
附錄二：研究問卷(成員互評)	75
附錄三：研究問卷(主管)	77
 
表目錄
表 2-1：與威嚇理論相關之組織資訊安全政策研究	13
表 2-2：與威嚇理論相關之組織資訊安全政策順從研究	16
表 2-3：資訊安全政策順從行為之相關文獻	26
表 4-1：操作型定義	37
表 4-2：本研究之問項	37
表 4-3：前測信度分析	39
表 4-4：前測之KMO與Bartlett球形檢定	40
表 4-5：前測之共同性	40
表 4-6：前測之因素負荷量	41
表 4-7：刪除後之共同性	42
表 4-8：刪除後之因素負荷量	42
表 5-1：公司之敘述性統計	44
表 5-2：個人之敘述性統計	45
表 5-3：哈門式單因子測試法	47
表 5-4：潛在共同方法因素1	48
表 5-5：潛在共同方法因素2	49
表 5-6：潛在變項組成信度	51
表 5-7：收斂效度	51
表 5-8：區別效度	52
表 5-9：因素負荷量與交叉負荷量	52
表 5-10：資料分析結果	54
 
圖目錄
圖 3-1：本研究模型	30
圖 5-1：研究模型結果	53

Aaker, J. L., & Lee, A. Y. (2001). "I" seek pleasures and "we" avoid pains: The role of self-regulatory goals in information processing and persuasion. Journal of Consumer Research, 28(1), 33-49. 
Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179-211. 
Akers, R. L. (1990). Rational choice, deterrence, and social learning theory in criminology: The path not taken. J. Crim. L. & Criminology, 81(3), 653-676. 
Anderson, C. L., & Agarwal, R. (2010). Practicing safe computing: A multimedia empirical examination of home computer user security behavioral intentions. MIS Quarterly, 34(3), 613-643. 
Arazy, O., & Gellatly, I. R. (2012). Corporate wikis: The effects of owners' motivation and behavior on group members' engagement. Journal of Management Information Systems, 29(3), 87-116. 
Bagozzi, R. P., & Yi, Y. (1988). On the evaluation of structural equation models. Journal of the Academy of Marketing Science 16(1), 74-94. 
Beaudry, A., & Pinsonneault, A. (2005). Understanding user responses to information technology: A coping model of user adaptation. MIS Quarterly, 29(3), 493-524. 
Beautement, A., Sasse, M. A., & Wonham, M. (2009). The compliance budget: Managing security behaviour in organisations. Paper presented at the Proceedings of the 2008 workshop on New security paradigms.
Biddle, S. J. (1999). Motivation and perceptions of control: Tracing its development and plotting its future in exercise and sport psychology. Journal of Sport & Exercise Psychology, 21(1), 1-23. 
Blumstein. (1978). Introduction. In deterrence and incapacitation: Estimating the effects of criminal sanctions on crime rates. Washington DC: National Academy of Sciences.
Boss, S. R., Kirsch, L. J., Angermeier, I., Shingler, R. A., & Boss, R. W. (2009). If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security. European Journal of Information Systems, 18(2), 151-164. 
Boudreau, M.-C., & Robey, D. (2005). Enacting integrated information technology: A human agency perspective. Organization Science, 16(1), 3-18. 
Brief, A. P., & Aldag, R. J. (1981). The “self” in work organizations: A conceptual review. Academy of Management Review, 6(1), 75-88. 
Brockner, J., & Higgins, E. T. (2001). Regulatory focus theory: Implications for the study of emotions at work. Organizational Behavior and Human Decision Processes, 86(1), 35-66. 
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2009). Roles of information security awareness and perceived fairness in information security policy compliance. Paper presented at the European and Mediterranean Conference on Information Systems 2009.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-548. 
Cardinal, L. B., Sitkin, S. B., & Long, C. P. (2004). Balancing and rebalancing in the creation and evolution of organizational control. Organization Science, 15(4), 411-431. 
Cesario, J., Grant, H., & Higgins, E. T. (2004). Regulatory fit and persuasion: Transfer from" feeling right.". Journal of Personality and Social Psychology, 86(3), 388-404. 
Chan, M., Woon, I., & Kankanhalli, A. (2005). Perceptions of information security at the workplace: Linking information security climate to compliant behavior. Journal of Information Privacy and Security, 1(3), 18-41. 
Chen, H., & Li, W. (2014). Understanding organization employees information security omissiom behavior: An integrated model of social norm and deterrence. Paper presented at the PACIS 2014 Proceedings.
Cheng, H. K., Sims, R. R., & Teegen, H. (1997). To purchase or to pirate software: An empirical study. Journal of Management Information Systems, 13(4), 49-60. 
Cheng, L., Li, Y., Li, W., Holm, E., & Zhai, Q. (2013). Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory. Computers & Security, 39, Part B(0), 447-459. doi: http://dx.doi.org/10.1016/j.cose.2013.09.009
Chin, W. W. (1998). The partial least squares approach to structural equation modeling. In G. A. Marcoulides (Ed.), Modern Methods for Business Research (pp. 295-336). Mahwah, New Jersey: Lawrence Erlbaum Associates.
Choudhury, V., & Sabherwal, R. (2003). Portfolios of control in outsourced software development projects. Information Systems Research, 14(3), 291-314. 
Coren, M. (2005). Experts: Cyber-crime bigger threat than cyber-terror. Atlanta, GA: Cable News Network.
Covaleski, M. A., Dirsmith, M. W., Heian, J. B., & Samuel, S. (1998). The calculated and the avowed: Techniques of discipline and struggles over identity in Big Six public accounting firms. Administrative Science Quarterly, 43(2), 293-327. 
Cronbach, L. J. (1951). Coefficient alpha and the internal structure of tests. Psychometrika, 16(3), 297-334. 
D'Arcy, J., & Devaraj, S. (2012). Employee misuse of information technology resources: Testing a contemporary deterrence model. Decision Sciences, 43(6), 1091-1124. 
D'Arcy, J., & Herath, T. (2011). A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings. European Journal of Information Systems, 20(6), 643-658. 
D'Arcy, J., & Hovav, A. (2004). The role of individual characteristics on the effectiveness of IS security countermeasures. Paper presented at the AMCIS 2004 Proceedings.
D'Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79-98. 
Eisenhardt, K. M. (1985). Control: Organizational and economic approaches. Management Science, 31(2), 134-149. doi: 10.2307/2631511
Eisenhardt, K. M. (1989). Agency theory: An assessment and review. Academy of Management Review, 14(1), 57-74. 
Fellner, B., Holler, M., Kirchler, E., & Schabmann, A. (2007). Regulatory focus scale (RFS): Development of a scale to record dispositional regulatory focus. Swiss Journal of Psychology/Schweizerische Zeitschrift für Psychologie/Revue Suisse de Psychologie, 66(2), 109-116. 
Fishbein, M., & Ajzen, I. (1975). Belief, attitude, intention and behavior: An introduction to theory and research. Reading, MA: Addison-Wesley.
Fornell, C. G., & Larcker, D. F. (1981). Evaluating structural equation models with unobservable variables and measurement error. Journal of Marketing Research, 18(1), 39-50. 
Galletta, D. F., & Hufnagel, E. M. (1992). A model of end-user computing policy: Context, process, content and compliance. Information & Management, 22(1), 1-18. 
Gibbs, J. P. (1975). Crime, punishment, and deterrence: Elsevier New York.
Gonzalez, J. J., & Sawicka, A. (2002). A framework for human factors in information security. Paper presented at the WSEAS International Conference on Information Security, Rio de Janeiro.
Goo, J., Yim, M.-S., & Kim, D. J. (2013, 7-10 Jan. 2013). A path way to successful management of individual intention to security compliance: A role of organizational security climate. Paper presented at the System Sciences (HICSS), 2013 46th Hawaii International Conference on.
Goo, J., Yim, M.-S., & Kim, D. J. (2014). A path to successful management of employee security compliance: An empirical study of information security climate. Professional Communication, IEEE Transactions on, 57(4), 286-308. doi: 10.1109/tpc.2014.2374011
Gorman, C. A., Meriac, J. P., Overstreet, B. L., Apodaca, S., McIntyre, A. L., Park, P., & Godbey, J. N. (2012). A meta-analysis of the regulatory focus nomological network: Work-related antecedents and consequences. Journal of Vocational Behavior, 80(1), 160-172. 
Gossett, L. (2009). Organizational Control Theory. In S. W. Littlejohn & K. A. Foss (Eds.), Encyclopedia of Communication Theory (pp. 706-710). Thousand Oaks: SAGE.
Graham, K., Ziegert, J., & Capitano, J. (2015). The effect of leadership style, framing, and promotion regulatory focus on unethical pro-organizational behavior. Journal of Business Ethics, 126(3), 423-436. doi: 10.1007/s10551-013-1952-3
Green, S. G., & Welsh, M. A. (1988). Cybernetics and dependence: Reframing the control concept. Academy of Management Review, 13(2), 287-301. 
Greene, G., & D’Arcy, J. (2010). Assessing the Impact of Security Culture and the Employee-Organization Relationship on IS Security Compliance. Paper presented at the 5th annual symposium on information assurance (ASIA’10).
Hair, J. F., Black, W. C., Babin, B. J., & Anderson, R. E. (2010). Multivariate data analysis: A global perspective (7th ed.). Upper Saddle River, NJ: Pearson Prentice Hall.
Hair, J. F., Ringle, C. M., & Sarstedt, M. (2011). PLS-SEM: indeed a silver bullet. Journal of Marketing Theory and Practice 19(2), 139-151. 
Harman, H. H. (1976). Modern factor analysis. Chicago, IL: University of Chicago Press.
Harrington, S. J. (1996). The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions. MIS Quarterly, 20(3), 257-278. 
Hayes, R. H., & Abernathy, W. J. (1980). Managing our way to economic decline. Harvard Business Review, 58, 67-77. 
Henseler, J., Ringle, C. M., & Sinkovics, R. R. (2009). The use of partial least squares path modeling in international marketing. Advances in international marketing, 20, 277-319. 
Herath, T., & Rao, H. R. (2009a). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154-165. 
Herath, T., & Rao, H. R. (2009b). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), 106-125. 
Higgins, E. T. (1997). Beyond pleasure and pain. American Psychologist, 52(12), 1280-1300. 
Higgins, E. T. (1998). Promotion and prevention: Regulatory focus as a motivational principle. Advances in Experimental Social Psychology, 30, 1-46. 
Higgins, E. T. (2000). Making a good decision: Value from fit. American Psychologist, 55(11), 1217-1230. 
Higgins, E. T. (2006). Value from hedonic experience and engagement. Psychological Review, 113(3), 439. 
Higgins, E. T., Friedman, R. S., Harlow, R. E., Idson, L. C., Ayduk, O. N., & Taylor, A. (2001). Achievement orientations from subjective histories of success: Promotion pride versus prevention pride. European Journal of Social Psychology, 31(1), 3-23. 
Hofstede, G. (1978). The poverty of management control philosophy. Academy of Management Review, 3(3), 450-461. 
Hovav, A., & D’Arcy, J. (2012). Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the US and South Korea. Information & Management, 49(2), 99-110. 
Hu, Q., Xu, Z., Dinev, T., & Ling, H. (2011). Does deterrence work in reducing information security policy abuse by employees? Communications of the ACM, 54(6), 54-60. 
Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), 83-95. 
Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-79. 
Jaworski, B. J. (1988). Toward a theory of marketing control: Environmental context, control types, and consequences. The Journal of Marketing, 52(3), 23-39. 
Jaworski, B. J., Stathakopoulos, V., & Krishnan, H. S. (1993). Control combinations in marketing: Conceptual framework and empirical evidence. The Journal of Marketing, 57(1), 57-69. 
Jensen, M. C., & Meckling, W. H. (1979). Theory of the firm: Managerial behavior, agency costs, and ownership structure: Springer.
Johnson, H. T. (1991). Relevance lost: The rise and fall of management accounting: Harvard Business Press.
Johnson, R. E., & Chang, C. (2008). Development and validation of a work-based regulatory focus scale. Paper presented at the 23rd Annual Society for Industrial and Organizational Psychology Conference, San Francisco, California.
Johnson, R. E., & Yang, L.-Q. (2010). Commitment and motivation at work: The relevance of employee identity and regulatory focus. Academy of Management Review, 35(2), 226-245. 
Johnston, A. C., Warkentin, M., & Siponen, M. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly, 39(1), 113-134. 
Joreskog, K. G. (1973). A General Method for Estimating a Linear Structural Equation System. In A. S. Goldberger & O. D. Duncan (Eds.), Structural Equation Models in the Social Sciences (pp. 85-112). New York: Seminar.
Kaiser, H. F. (1974). An index of factorial simplicity. Psychometrika, 39(1), 31-36. 
Kankanhalli, A., Teo, H.-H., Tan, B. C., & Wei, K.-K. (2003). An integrative study of information systems security effectiveness. International Journal of Information Management, 23(2), 139-154. 
Kark, R., & Van Dijk, D. (2007). Motivation to lead, motivation to follow: The role of the self-regulatory focus in leadership processes. Academy of Management Review, 32(2), 500-528. 
Ke, W., Tan, C.-H., Sia, C.-L., & Wei, K.-K. (2012). Inducing intrinsic motivation to explore the enterprise system: The supremacy of organizational levers. Journal of Management Information Systems, 29(3), 257-290. 
Kirsch, L. J. (1996). The management of complex tasks in organizations: Controlling the systems development process. Organization Science, 7(1), 1-21. 
Kirsch, L. J. (2004). Deploying common systems globally: The dynamics of control. Information Systems Research, 15(4), 374-395. 
Kirsch, L. J., & Cummings, L. L. (1996). Contextual influences on self-control of IS professionals engaged in systems development. Accounting, Management and Information Technologies, 6(3), 191-219. 
Kirsch, L. J., Sambamurthy, V., Ko, D.-G., & Purvis, R. L. (2002). Controlling information systems development projects: The view from the client. Management Science, 48(4), 484-498. doi: 10.2307/822547
Kohlberg, L. (1976). Moral stages and moralization: The cognitive-developmental approach. Moral Development and Behavior: Theory, Research, and Social Issues, 31-53. 
Kohlberg, L. (1984). The psychology of moral development. New York, NY: Harper & Row.
Kohli, R., & Kettinger, W. J. (2004). Informating the clan: Controlling physicians' costs and outcomes. MIS Quarterly, 28(3), 363-394. 
Kranz, J., & Haeussinger, F. (2014). Why deterrence is not enough: The role of endogenous motivations on employees’ information security behavior. Paper presented at the Thirty Fifth International Conference on Information Systems, Auckland.
Lapointe, L., & Rivard, S. (2005). A multilevel model of resistance to information technology implementation. MIS Quarterly, 29(3), 461-491. 
Lee, A. Y., Aaker, J. L., & Gardner, W. L. (2000). The pleasures and pains of distinct self-construals: The role of interdependence in regulatory focus. Journal of Personality and Social Psychology, 78(6), 1122-1134. 
Li, H., Zhang, J., & Sarathy, R. (2010). Understanding compliance with internet use policy from the perspective of rational choice theory. Decision Support Systems, 48(4), 635-645. 
Liang, H., Saraf, N., Hu, Q., & Xue, Y. (2007). Assimilation of enterprise systems: The effect of institutional pressures and the mediating role of top management. MIS Quarterly, 31(1), 59-87. 
Liang, H., Xue, Y., & Wu, L. (2013). Ensuring employees' IT compliance: Carrot or stick? Information Systems Research, 24(2), 279-294. 
Lockwood, P., Jordan, C. H., & Kunda, Z. (2002). Motivation by positive or negative role models: Regulatory focus determines who will best inspire us. Journal of Personality and Social Psychology, 83(4), 854-864. 
Loughry, M. L. (2010). Peer control in organizations. In L. C. SB Sitkin, and KM Bijlsma-Frankema (Eds.) (Ed.), Organizational Control (pp. 324-362). New York: Cambridge University Press.
Lowry, P. B., Posey, C., Bennett, B., & Roberts, T. (2014). Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust. Information Systems Journal, Forthcoming. 
Manz, C. C., Mossholder, K. W., & Luthanvs, F. (1987). An integrated perspective of self-control in organizations. Administration & Society, 19(1), 3-24. 
Mason, R. O. (1986). Four ethical issues of the information age. MIS Quarterly, 10(1), 5-12. 
Merhi, M., & Ahluwalia, P. (2014). The Role of Punishment and Task Dissonance in Information Security Policies Compliance. Paper presented at the Twentieth Americas Conference on Information Systems, Savannah.
Meyer, J. P., Becker, T. E., & Vandenberghe, C. (2004). Employee commitment and motivation: A conceptual analysis and integrative model. Journal of Applied Psychology, 89(6), 991. 
Mishra, S., & Dhillon, G. (2006). Information systems security governance research: A behavioral perspective. Paper presented at the 1st Annual Symposium on Information Assurance, Academic Track of 9th Annual NYS Cyber Security Conference.
Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T., & Vance, A. (2009). What levels of moral reasoning and values explain adherence to information security rules? An empirical study. European Journal of Information Systems, 18(2), 126-139. 
Nagin, D. S., & Paternoster, R. (1993). Enduring individual differences and rational choice theories of crime. Law and Society Review, 27(3), 467-496. 
Neubert, M. J., Kacmar, K. M., Carlson, D. S., Chonko, L. B., & Roberts, J. A. (2008). Regulatory focus as a mediator of the influence of initiating structure and servant leadership on employee behavior. Journal of Applied Psychology, 93(6), 1220-1233. 
Niazkhani, Z., Pirnejad, H., van der Sijs, H., & Aarts, J. (2011). Evaluating the medication process in the context of CPOE use: The significance of working around the system. International Journal of Medical Informatics, 80(7), 490-506. 
Nunnally, J. (1978). Assessment of Reliability. McGraw-Hill: New York.
Ouchi, W. G. (1979). A conceptual framework for the design of organizational control mechanisms. Management Science, 25(9), 833-848. doi: 10.2307/2630236
Ouchi, W. G. (1980). Markets, bureaucracies, and clans. Administrative Science Quarterly, 25(1), 129-141. 
Ouchi, W. G., & Price, R. L. (1978). Hierarchies, clans, and Theory Z: A new perspective on organization development. Organizational Dynamics, 7(2), 25-44. 
Pahnila, S., Siponen, M., & Mahmood, A. (2007). Employees' behavior towards IS security policy compliance. Paper presented at the System Sciences, 2007. HICSS 2007. 40th Annual Hawaii International Conference on.
Paternoster, R. (2010). How much do we really know about criminal deterrence? The Journal of Criminal Law and Criminology, 100(3), 765-824. 
Paternoster, R., & Simpson, S. (1996). Sanction threats and appeals to morality: Testing a rational choice model of corporate crime. Law and Society Review, 30(3), 549-583. 
Peace, A. G., Galletta, D. F., & Thong, J. Y. (2003). Software piracy in the workplace: A model and empirical test. Journal of Management Information Systems, 20(1), 153-177. 
Pee, L. G., Woon, I. M., & Kankanhalli, A. (2008). Explaining non-work-related computing in the workplace: A comparison of alternative models. Information & Management, 45(2), 120-130. 
Podsakoff, P. M., MacKenzie, S. B., Lee, J.-Y., & Podsakoff, N. P. (2003). Common method biases in behavioral research: A critical review of the literature and recommended remedies. Journal of Applied Psychology, 88(5), 879-903. 
Ponemon, D. L. (2014). Critical infrastructure: Security preparedness and maturity, from http://www.unisys.com/unisys/inc/pdf/misc/14-0316.pdf
Posey, C., Bennett, B., Roberts, T., & Lowry, P. B. (2011). When computer monitoring backfires: Invasion of privacy and organizational injustice as precursors to computer abuse. Journal of Information System Security, 7(1), 24-47. 
Pratt, J. W., Zeckhauser, R., & Arrow, K. J. (1985). Principals and agents: The structure of business. Cambridge, MA: Harvard Business Press.
PwC. (2014). 2014 US state of cybercrime survey, from http://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/2014-us-state-of-cybercrime.pdf
PwC. (2015). The global state of information security survey 2015, from http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml
Richards, P., & Tittle, C. R. (1981). Gender and perceived chances of arrest. Social Forces, 59(4), 1182-1199. 
Richardson, R. (2008). CSI computer crime & security survey. San Francisco: Computer Security Institute.
Richardson, R. (2009). 14th Annual CSI computer crime and security survey (pp. 1-14): Computer Security Institute.
Richardson, R. (2011). 15th annual 2010/2011 computer crime and security survey (pp. 1-44): Computer Security Institute.
Ringle, C. M., Sarstedt, M., & Straub, D. W. (2012). A Critical Look at the Use of PLS-SEM in MIS Quarterly. MIS Quarterly, 36(1), iii-xiv. 
Ringle, C. M., Wende, S., & Will, A. (2005). SmartPLS2.0 (M3). Hamburg, Germany: University of Hamburg.
Shah, J., & Higgins, E. T. (1997). Expectancy X value effects: Regulatory focus as determinant of magnitude and direction. Journal of Personality and Social Psychology, 73(3), 447-458. 
Shah, J., Higgins, T., & Friedman, R. S. (1998). Performance incentives and means: How regulatory focus influences goal attainment. Journal of Personality and Social Psychology, 74(2), 285-293. 
Sia, S. K., & Neo, B. S. (1997). Reengineering effectiveness and the redesign of organizational control: A case study of the Inland revenue authority of Singapore. Journal of Management Information Systems, 14(1), 69-92. 
Sia, S. K., Tang, M., Soh, C., & Boh, W. F. (2002). Enterprise resource planning (ERP) systems as a technology of power: Empowerment or panoptic control? ACM Sigmis Database, 33(1), 23-37. 
Siponen, M., Mahmood, A., & Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217-224. 
Siponen, M., Pahnila, S., & Mahmood, A. (2007). Employees’ adherence to information security policies: An empirical study New Approaches for Security, Privacy and Trust in Complex Environments (pp. 133-144): Springer.
Siponen, M., Pahnila, S., & Mahmood, M. A. (2010). Compliance with information security policies: An empirical investigation. Computer, 43(2), 64-71. 
Siponen, M., & Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), 487-502. 
Son, J.-Y. (2011). Out of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policies. Information & Management, 48(7), 296-302. 
Stanton, J. M., Stam, K. R., Guzman, I., & Caldera, C. (2003). Examining the linkage between organizational commitment and information security. Paper presented at the IEEE International Conference on Systems Man and Cybernetics, Washington DC,USA.
Straub, D. W. (1990). Effective IS security: An empirical study. Information Systems Research, 1(3), 255-276. 
Straub, D. W., Carlson, P. J., & Jones, E. H. (1993). Deterring cheating by student programmers: A field experiment in computer security. Journal of Management Systems, 5(1), 33-48. 
Straub, D. W., & Nance, W. D. (1990). Discovering and disciplining computer abuse in organizations: A field study. MIS Quarterly, 14(1), 45-62. 
Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22(4), 441-469. 
Tiwana, A. (2010). Systems development ambidexterity: Explaining the complementary and substitutive roles of formal and informal controls. Journal of Management Information Systems, 27(2), 87-126. 
Trevino, L. K. (1986). Ethical decision making in organizations: A person-situation interactionist model. Academy of Management Review, 11(3), 601-617. 
Umphress, E. E., & Bingham, J. B. (2011). When employees do bad things for good reasons: Examining unethical pro-organizational behaviors. Organization Science, 22(3), 621-640. 
Urbach, N., & Ahlemann, F. (2010). Structural Equation Modeling in Information Systems Research Using Partial Least Squares. Journal of Information Technology Theory and Application (JITTA), 11(2). 
Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: Insights from habit and protection motivation theory. Information & Management, 49(3), 190-198. 
Vance, A., & Siponen, M. T. (2012). IS security policy violations: A rational choice perspective. Journal of Organizational and End User Computing (JOEUC), 24(1), 21-41. 
Vroom, C., & Von Solms, R. (2004). Towards information security behavioural compliance. Computers & Security, 23(3), 191-198. 
Wall, J. D., Palvia, P., & Lowry, P. B. (2013). Control-related motivations and information security policy compliance: The role of autonomy and efficacy. Journal of Information Privacy and Security, 9(4), 52-79. 
Wallace, C., & Chen, G. (2006). A multilevel integration of personality, climate, self-regulation, and performance. Personnel Psychology, 59(3), 529-557. 
Warkentin, M., Johnston, A. C., & Shropshire, J. (2011). The influence of the informal social learning environment on information privacy policy compliance efficacy and intention. European Journal of Information Systems, 20(3), 267-284. 
Warkentin, M., & Willison, R. (2009). Behavioral and policy issues in information systems security: The insider threat. European Journal of Information Systems, 18(2), 101-105. 
Wenzel, M. (2004). The social side of sanctions: Personal and social norms as moderators of deterrence. Law and Human Behavior, 28(5), 547-567. 
Williams, K. R., & Hawkins, R. (1986). Perceptual research on general deterrence: A critical review. Law and Society Review, 20(4), 545-572. 
Wold, H. (1966). Estimation of principal components and related models by iterative least squares. In P. R. Krishnaiaah (Ed.), Multivariate Analysis (pp. 391-420). New York: Academic Press.
Wold, H. (1975). Path Models with Latent Variables: The NIPALS Approach. In H. M. Blalock, A. Aganbegian, F. M. Borodkin, R. Boudon & V. Cappecchi (Eds.), Quantitative Sociology: International Perspectives on Mathematical and Statistical Modeling (pp. 307-357). New York: Academic Press.
Workman, M., Bommer, W. H., & Straub, D. (2008). Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24(6), 2799-2816. 
Xue, Y., Liang, H., & Wu, L. (2011). Punishment, justice, and compliance in mandatory IT settings. Information Systems Research, 22(2), 400-414. 
Yang, X., & Wang, K. (2012). An experimental study of user-customized products online: Based on regulatory focus theory. Paper presented at the Proceedings of the 14th Annual International Conference on Electronic Commerce.
Zhang, J., Reithel, B. J., & Li, H. (2009). Impact of perceived technical protection on security behaviors. Information Management & Computer Security, 17(4), 330-340. 
Zhou, Q., Hirst, G., & Shipton, H. (2012). Context matters: Combined influence of participation and intellectual stimulation on the promotion focus–employee creativity relationship. Journal of Organizational Behavior, 33(7), 894-909. 
天下雜誌. (2014). 霸不如精. 天下雜誌-第547期.
天下雜誌. (2015). 萬能物聯網　給企業神力. 天下雜誌-第572期.