Communications of the ACM | June 2011 | Vol. 54 | No. 6 | Practice

Hacking into corporate IT systems and individuals' computers is no longer a sport for bragging rights, but a major organized economic activity aiming for significant profits, controlled largely by underground networks of criminals and organized crime on a global scale. [2] The financial impact of computer crimes and related activities is estimated at over one trillion dollars each year worldwide. [17] Unfortunately, despite significant advances in hardware and software technologies against computer and network offenses, human agents remain the weakest link in the digital security ecosystem around any organization: the weakest point in the defense against outside attacks, and the most dangerous threat from within. Indeed, the effectiveness of the other elements of the security system, such as security technology, organizational policies and procedures, and government regulations, depends largely on the effort of the human agents, especially those who work within the organization.

While media headlines tend to focus on spectacular events perpetrated by external hackers, employees inside an organization often pose silent but more dangerous threats than outsiders, [30] because of their intimate knowledge of the organization's systems and the permissions they receive, properly or improperly, for their work activities. In a recent survey of IT managers at global companies, 60% of respondents said employee misconduct involving information systems (IS) is a top information security concern. [11] The 2008 CSI Computer Crime and Security Survey shows that 44% of respondents reported insider abuse of computer systems, making it the second most frequent form of security breach, only slightly behind virus incidents (49%) but well above the 29% of respondents who reported unauthorized access from external sources. [22]

In this study, we focus on information security policy violations by employees in organizational settings. Employee information security policy violations vary widely in motive, form, target, and consequence. We define an information security policy violation as any act by an employee, using computers, that is against the established rules and policies of an organization and is committed for personal gain. By this definition, information security policy violations include, but are not limited to, unauthorized access to data and systems, unauthorized copying or transfer of confidential data, and the sale of confidential data to a third party for personal gain. With this focus, two questions have been central to research and practice in information security over the last two decades: Why do employees go rogue and commit policy violations, and what could