Toward a Unified Model of Information Security Policy Compliance

Information systems security (ISS) behavioral research has produced different models to explain security policy compliance. This paper (1) reviews 11 theories that have served as the basis for the majority of previous information security behavior models, (2) empirically compares these theories (Study 1), (3) proposes a unified model, called the unified model of information security policy compliance (UMISPC), which integrates elements across these extant theories, and (4) empirically tests the UMISPC in a new study (Study 2), which provides preliminary empirical support for the model. The 11 theories reviewed are (1) the theory of reasoned action, (2) neutralization techniques, (3) the health belief model, (4) the theory of planned behavior, (5) the theory of interpersonal behavior, (6) protection motivation theory, (7) extended protection motivation theory, (8) deterrence theory and rational choice theory, (9) the theory of self-regulation, (10) the extended parallel processing model, and (11) control balance theory. The UMISPC is an initial step toward empirically examining the extent to which the existing models share constructs and the extent to which their constructs differ. Future research is needed to examine to what extent the UMISPC can explain different types of ISS behaviors (or intentions thereof). Such studies will determine the extent to which the UMISPC needs to be revised to account for different types of ISS policy violations and the extent to which the UMISPC generalizes beyond the three types of ISS violations examined here. Finally, the UMISPC is intended to inspire future ISS research to further theorize and empirically demonstrate the important differences between rival theories in the ISS context that are not captured by current measures.