The role of education and enforcement in ensuring compliance with a law or policy has been debated for more than a century now. Some argue in favor of stronger enforcement, while others advocate education and increased awareness. We reopen this debate in the context of security circumvention by employees, which is currently a leading cause of security and privacy breaches. Drawing from prior literature in information systems, we develop a microeconomic framework that captures employees' circumventing behavior in the face of security controls. This allows us to obtain interesting insights that have implications for how an organization should employ anti-circumvention approaches. First, education and enforcement work better in combination, and not in isolation. Second, there could be motivations to tolerate security circumvention to an extent, even when neither education nor enforcement is particularly costly. Finally, depending on the context, education and enforcement may be strategic complements or substitutes — in some situations, organizations need to invest in both simultaneously, while in others, they ought to emphasize only the cheaper of the two options.
| Original language | English (US) |
| Number of pages | 40 |
| State | Published - Mar 6 2018 |
- economics of IS