We proposed and empirically tested a mediating model for examining the effects of multilevel sanctions on preventing information security violations in the workplace. The results of the experiment suggested that personal self-sanctions and workgroup sanctions have significant deterrent effects on employee security violations, but that the effect of organizational sanctions becomes insignificant when the other two types of sanctions are taken into account. Theoretically, the study pointed out the importance of personal self-sanctions and informal workgroup sanctions. Practically, our results suggested that an “influencing” strategy may be more effective than an “enforcing” one in information security management.