Roles of Organizational Climate, Social Bonds, and Perceptions of Security Threats on IS Security Policy Compliance Intentions

The objective of this study was to investigate employees’ information systems security policy (ISSP) compliance behavioral intentions. Theoretical frameworks, including the Theory of Planned Behavior, the Social Bond Theory, and the Organizational Climate (OC) perspective, were integrated to facilitate this process. A survey of working professionals in Canada was conducted. Relevant hypotheses were formulated and data analysis was performed with the partial least squares structural equation modeling technique. The results show that OC contributes indirectly to ISSP compliance intentions via the social bonding constructs, but does not have a direct effect on ISSP compliance. Of the social bonding constructs, only commitment was found not to be related to ISSP compliance intentions. OC influences employees’ perceptions of IS security threats and attitudes toward compliance, which in turn impact ISSP compliance intentions. Additionally, employees’ perceptions of IS security threats have an insignificant effect on ISSP compliance intentions, but indirectly impact compliance via attitude and personal norms. The contributions and implications of the study for practice and research are highlighted.
