Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition

This study investigated employees' information systems security policy (ISSP) compliance behavioural intentions in organisations from the theoretical lenses of social bonding, social influence, and cognitive processing. Given that previous research on ISSP compliance has been based on deterrence theory, this study seeks to augment and diversify research on ISSP compliance through its theoretical perspective. Relevant hypotheses were developed to test the research conceptualisation. Data from a survey of business managers and IS professionals confirmed that social bonds that are formed at work largely influence attitudes towards compliance and subjective norms, with both constructs positively affecting employees' ISSP compliance. Employees' locus of control and capabilities and competence related to IS security issues also affect ISSP compliance behavioural intentions. Overall, the constructs in the research model enhance our understanding of the social-organisational and psychological factors that might encourage or accentuate employees' ISSP compliance in the workplace.
