Which Factors Explain Employees' Adherence to Information Security Policies? An Empirical Study

It is widely agreed that a key threat to information security comes from careless employees who do not adhere to the information security policies of their organizations. To ensure that employees comply with the organization's information security procedures, a number of information security policy compliance measures have been proposed in the past. Prior research has, however, criticized these measures as lacking theoretically and empirically grounded principles. To fill this gap, the present study advances a novel model that explains employees' adherence to information security policies. This model modifies and combines the Protection Motivation Theory, the General Deterrence Theory, the Theory of Reasoned Action, the Innovation Diffusion Theory and Rewards. To empirically validate this model, we collected data (N=917) from four different companies. The findings show that the direct paths from threat appraisal, self-efficacy, normative beliefs, and visibility to the intention to comply with IS security policies were significant. Response efficacy, on the other hand, did not have a significant effect on the intention to comply with IS security policies. Sanctions have a significant effect on actual compliance with IS security policies, whereas rewards did not have a significant effect on actual compliance with IS security policies. Finally, the intention to comply with IS security policies has a significant effect on actual compliance with IS security policies.
