ISSN 1536-9323 Journal of the Association for Information Systems (2020) 21(6), 1552-1593 doi: 10.17705/1jais.000646 RESEARCH ARTICLE 1552 Why Individual Employees Commit Malicious Computer Abuse: A Routine Activity Theory Perspective Xin (Robert) Luo 1 , Han Li 2 , Qing Hu 3 , Heng Xu 4 1 The University of New Mexico, USA, xinluo@unm.edu 2 The University of New Mexico, USA, hanli@unm.edu 3 Brooklyn College, The City University of New York, USA, qing.hu@brooklyn.cuny.edu 4 American University, USA, xu@american.edu Abstract Prior information security studies have largely focused on understanding employee security behavior from a policy compliance perspective. We contend that there is a pressing need to develop a comprehensive understanding of the circumstances that lead to employee commitment of deliberate and malicious acts against organizational digital assets. Drawing on routine activity theory (RAT), we seek to establish a comprehensive model of employee-committed malicious computer abuse (MCA) by investigating the motivations of the offenders, the suitability of the desired targets, and the effect of security guardianship in organizational settings. Specifically, we delineate the effects of the individual characteristics of self-control, hacking self-efficacy, and moral beliefs, as well as the organizational aspects of deterrence based on the routine activity framework of crime. We tested this research model using research participants holding a wide range of corporate positions and possessing varying degrees of computer skills. Our findings offer fresh insights on insider security threats, identify new directions for future research, and provide managers with prescriptive guidance for formulating effective security policies and management programs for preventing MCA in organizations. Keywords: Routine Activity Theory, Information Security, Insider Threat, Malicious Computer Abuse, Security Management Suprateek Sarker was the accepting senior editor. This research article was submitted on November 1, 2017 and underwent three revisions. 1 Introduction Insider threats to organizational information security are becoming increasingly significant concerns for government agencies, as epitomized, for example, by the widely publicized Chelsea Manning (Savage & Huetteman, 2013) and Edward Snowden (Gellma, Blake, & Miller, 2013) incidents. Insider security threats are also prevalent and serious in organizations of all sizes and in all industries. According to a recent survey, 89% of respondents felt that their organizations were at risk from insider attacks, and 34% felt very or extremely vulnerable (Kellett, 2015). A CERT (2016) report suggests that although only 23% of electronic crime events were suspected or known to be caused by insiders, 45% of the respondents thought that damage by insider attacks was more severe than that from outsiders. It is therefore no coincidence that many information systems (IS) scholars have studied information security from the perspectives of understanding and managing insider threats to organizations, especially regarding the information security behavior of employees who have routine access to organizational