Motivating IS security compliance: Insights from Habit and Protection Motivation Theory

Employees' failure to comply with IS security procedures is a key concern for organizations today. A number of socio-cognitive theories have been used to explain this. However, prior studies have not examined the influence of past and automatic behavior on employee decisions to comply. This is an important omission because past behavior has been assumed to strongly affect decision-making. To address this gap, we integrated habit (a routinized form of past behavior) with Protection Motivation Theory (PMT), to explain compliance. An empirical test showed that habitual IS security compliance strongly reinforced the cognitive processes theorized by PMT, as well as employee intention for future compliance. We also found that nearly all components of PMT significantly impacted employee intention to comply with IS security policies. Together, these results highlighted the importance of addressing employees' past and automatic behavior in order to improve compliance.

[1]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[2]  Detmar W. Straub,et al.  A Practical Guide To Factorial Validity Using PLS-Graph: Tutorial And Annotated Example , 2005, Commun. Assoc. Inf. Syst..

[3]  Mikko T. Siponen,et al.  Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations , 2010, MIS Q..

[4]  Alex R. Piquero,et al.  Control balance and exploitative corporate crime , 2006 .

[5]  Greg Pogarsky,et al.  PROJECTED OFFENDING AND CONTEMPORANEOUS RULE‐VIOLATION: IMPLICATIONS FOR HETEROTYPIC CONTINUITY* , 2004 .

[6]  Mikko T. Siponen,et al.  Information security management standards: Problems and solutions , 2009, Inf. Manag..

[7]  Sang M. Lee,et al.  An integrative model of computer abuse based on social control and general deterrence theories , 2004, Inf. Manag..

[8]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[9]  Detmar W. Straub,et al.  Security lapses and the omission of information security measures: A threat control model and empirical test , 2008, Comput. Hum. Behav..

[10]  Jeffrey M. Stanton,et al.  Analysis of end user security behaviors , 2005, Comput. Secur..

[11]  Mikko T. Siponen,et al.  Improving Employees' Compliance Through Information Systems Security Training: An Action Research Study , 2010, MIS Q..

[12]  Jai-Yeol Son,et al.  Out of fear or desire? Toward a better understanding of employees' motivation to follow IS security policies , 2011, Inf. Manag..

[13]  Moez Limayem,et al.  Force of Habit and Information Systems Usage: Theory and Initial Validation , 2003, J. Assoc. Inf. Syst..

[14]  Mo Adam Mahmood,et al.  Employees' Behavior towards IS Security Policy Compliance , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[15]  Ronald T. Cenfetelli,et al.  Interpretation of Formative Measurement in Information Systems Research , 2009, MIS Q..

[16]  Jan Guynes Clark,et al.  Why there aren't more information security research studies , 2004, Inf. Manag..

[17]  Kallol Kumar Bagchi,et al.  An Analysis of the Growth of Computer and Internet Security Breaches , 2003, Commun. Assoc. Inf. Syst..

[18]  Anat Hovav,et al.  Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the U.S. and South Korea , 2012, Inf. Manag..

[19]  Ana Ortiz de Guinea,et al.  Why break the habit of a lifetime? rethinking the roles of intention, habit, and emotion in continuing information technology use , 2009 .

[20]  B. Verplanken,et al.  Reflections on past behavior: A self-report index of habit strength , 2003 .

[21]  Tero Vartiainen,et al.  What levels of moral reasoning and values explain adherence to information security rules? An empirical study , 2009, Eur. J. Inf. Syst..

[22]  Irene Woon,et al.  A Protection Motivation Theory Approach to Home Wireless Security , 2005, ICIS.