Critical Times for Organizations: What Should Be Done to Curb Workers’ Noncompliance With IS Security Policy Guidelines?

ABSTRACT This study was designed to examine the impacts of employees’ cost–benefit analysis, deterrence considerations, and top management support and beliefs on information systems security policy compliance. Surveys of Canadian professionals’ perceptions were carried out. A research model was proposed and tested. The results confirmed that top management support and beliefs, sanction severity, and cost–benefit analysis significantly influenced employees’ information systems security policy compliance. The implications of the study findings are discussed, and conclusions are drawn.
