Unpacking Security Policy Compliance: The Motivators and Barriers of Employees' Security Behaviors

The body of research on employees’ information security policy compliance is problematic because it treats compliance as a single behavior. This study explored the underlying behavioral context of information security in the workplace, examining how individual and organizational factors influence the interplay of the motivations and barriers of security behaviors. To investigate factors that had previously been explored in security research, 20 employees from two organizations were interviewed and the data was analyzed using framework analysis. The analysis indicated that there were seven themes pertinent to information security: Response Evaluation, Threat Evaluation, Knowledge, Experience, Security Responsibility, Personal and Work Boundaries, and Security Behavior. The findings suggest that these differ by security behavior and by the nature of the behavior (e.g. on- and offline). Conclusions are discussed, highlighting barriers to security actions and implications for future research and workplace practice.
