With the rapid development of information technology, more and more information security breaches take place in the modern organizations. How to effectively reduce information security losses and vulnerabilities is now becoming a pressing issue for organizational managers; in particular, at the end-user level. This paper presents an extended deterrence theory model that combines criminology and information security management literature. We develop a theoretical model on the relationship between user awareness, deterrence impact, and user computer abuse. The results suggest that perceived certainty as well as severity of sanctions can significantly reduce the computer abuse intension. Furthermore, our empirical analysis shows that user awareness of information risk and policy can significantly reinforce the deterrence effect. Therefore, we argue that organizations should devote more effort in information security education to strengthen user's awareness, in order to effectively reduce the losses caused by internal users.