Reducing fraud in organizations through information security policy compliance: An information security controls perspective

As more business processes and information assets are digitized, computer resources are increasingly being misused to perpetrate fraudulent activities. Research shows that fraud committed by (or with) trusted insiders (called occupational fraud or internal organizational fraud) is responsible for significantly more damage than that committed by external actors (for example, cyber fraud). Current fraud research has primarily focused on the person perpetuating the fraud instead of the internal mechanisms organizations can employ in reducing fraud. The study examines the relationship between compliance with organizations' technology controls (primarily focused on information security) and its impact on computer-based occupational fraud. Based on general deterrence and fraud triangle theories, the study proposes information security control proficiency (ISCP) modeled as an integration of the quality of information security policy and its enforcement as a key factor that influences information security policy compliance. We further postulate that compliance with information security policy mediates the relationship between information security control proficiency and computer-basedoccupational fraud. Empirical assessment supports the structure of the information security control proficiency construct. Model testing shows that information security control proficiency positively impacts information security policy compliance, which further deters the use of a company's computer systems and resources to conduct fraudulent activities. Thus, if an organization establishes high-quality information security policies and supports the policies with effective enforcement, it correspondingly leads to better compliance. Furthermore, less fraud is committed when compliance with information security controls is high. We offer various managerial implications and future research extension ideas.