The Impact of Training and Social Norms on Information Security Compliance: A Pilot Study

Security training has been shown to be an important factor affecting employees' intentions to comply with their organization's security policies. In this study, we define and then examine the impact of two sub-constructs of security training, threat appraisal and policy awareness, on intentions to comply with organizational security policies. Injunctive and descriptive norms, which are standards of behavior that recommend or forbid particular behavior in specific circumstances, are hypothesized to mediate between the training constructs and the behavioral intention to comply. We pilot-tested our proposed set of hypotheses with survey data collected from 69 employees of a higher education institution. The results supported our proposed model. Based on the findings, implications for theory and practice are discussed.
