Organizations have long relied upon the threat of sanctions to influence employees to follow information security policies. Unfortunately, the belief in the power of deterrence has provided mixed results in both research and in real life. This study explored the impact of sanction effects in an organization with a robust information security program. Findings indicate an employee’s perceived sanction severity has a significant impact on their intent to follow ISP guidelines while their perceived certainty of sanction imposition does not, both of which support previous research. However, this paper was unique in that it addressed the impact of punishment experiences on sanction effects and found, somewhat counter intuitively, that those with personal or vicarious punishment experiences were less likely to be influenced by the deterrent effects
of sanctions.