Cybersecurity compliance behavior: Exploring the influences of individual decision style and other antecedents

Abstract Recent information and cybersecurity research have focused on improving individuals’ security compliance behavior. However, improved security performance remains a challenge since individuals often fail to comply with security best practices. In this study, we investigate a new individual cybersecurity compliance behavior model proposed by Donalds and Osei-Bryson (2017) . Specifically, we investigate the influence of individual decision styles on their cybersecurity compliance behavior and other antecedents of such behavior. To empirically validate the hypotheses in the Donalds & Osei-Bryson model, we used data collected from 248 individuals and then use multiple regression to examine the assertions of the model. Our findings confirm that individual’s decision styles, specifically, dominant orientation and dominant decision style, influence their individual cybersecurity compliance behavior and other antecedents of such behavior. Our research offers new dimensions for investigating individual cybersecurity compliance behavior and new insights into factors that may influence individual’s cybersecurity compliance behavior.

[1]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[2]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[3]  Neil F. Doherty,et al.  The information security policy unpacked: A critical study of the content of university policies , 2009, Int. J. Inf. Manag..

[4]  A. Burns,et al.  The antecedents of preventive health care behavior: An empirical study , 1998 .

[5]  Izak Benbasat,et al.  Roles of Information Security Awareness and Perceived Fairness in Information Security Policy Compliance , 2009, AMCIS.

[6]  W. Bruin,et al.  Individual Differences in Decision‐making Competence , 2012 .

[7]  I. Ajzen The theory of planned behavior , 1991 .

[8]  Alan J. Rowe,et al.  Decision Styles — A Perspective , 1983 .

[9]  C. Fornell,et al.  Evaluating structural equation models with unobservable variables and measurement error. , 1981 .

[10]  Princely Ifinedo,et al.  Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition , 2014, Inf. Manag..

[11]  Deborah Compeau,et al.  Computer Self-Efficacy: Development of a Measure and Initial Test , 1995, MIS Q..

[12]  Tanya J. McGill,et al.  Improving Compliance with Password Guidelines: How User Perceptions of Passwords and Security Threats Affect Compliance with Guidelines , 2014, 2014 47th Hawaii International Conference on System Sciences.

[13]  Yogesh Kumar Dwivedi,et al.  Service delivery through mobile-government (mGov): Driving factors and cultural impacts , 2014, Information Systems Frontiers.

[14]  Steven Furnell,et al.  Information security conscious care behaviour formation in organizations , 2015, Comput. Secur..

[15]  Mikko T. Siponen,et al.  Which Factors Explain Employees' Adherence to Information Security Policies? An Empirical Study , 2007, PACIS.

[16]  E. Mckenna Individual Decision Making and Creativity , 2020 .

[17]  J. Dawes Do Data Characteristics Change According to the Number of Scale Points Used? An Experiment Using 5-Point, 7-Point and 10-Point Scales , 2008 .

[18]  Robert E. Crossler,et al.  An Extended Perspective on Individual Security Behaviors: Protection Motivation Theory and a Unified Security Practices (USP) Instrument , 2014, DATB.

[19]  Sen Liu,et al.  Understanding the effect of cloud computing on organizational agility: An empirical examination , 2018, Int. J. Inf. Manag..

[20]  Peter Thunholm,et al.  Decision-making style : habit, style or both? , 2004 .

[21]  Vincent A. Harren A Model of Career Decision Making for College Students. , 1979 .

[22]  I. Ajzen,et al.  Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research , 1977 .

[23]  J. C. Henderson,et al.  The Influence of Decision Style on Decision Making Behavior , 1980 .

[24]  Susan D. Hansche Designing a Security Awareness Program: Part 1 , 2001, Inf. Secur. J. A Glob. Perspect..

[25]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[26]  Serpil Aytac,et al.  Factors influencing information security management in small- and medium-sized enterprises: A case study from Turkey , 2011, Int. J. Inf. Manag..

[27]  Abbas J. Ali Decision-Making Style, Individualism, and Attitudes toward Risk of Arab Executives , 1993 .

[28]  Edward L. Deci,et al.  Intrinsic Motivation and Self-Determination in Human Behavior , 1975, Perspectives in Social Psychology.

[29]  Yang Lu,et al.  Cybersecurity Research: A Review of Current Research Topics , 2018, Journal of Industrial Integration and Management.

[30]  D. French,et al.  Decision-making style, driving style, and self-reported involvement in road traffic accidents. , 1993, Ergonomics.

[31]  Wynne W. Chin Issues and Opinion on Structural Equation Modeling by , 2009 .

[32]  Mikko T. Siponen,et al.  Motivating IS security compliance: Insights from Habit and Protection Motivation Theory , 2012, Inf. Manag..

[33]  Young U. Ryu,et al.  Self-efficacy in information security: Its influence on end users' information security practice behavior , 2009, Comput. Secur..

[34]  J. Wayne Spence,et al.  The effect of decision style on the use of a project management tool: an empirical laboratory study , 2005, DATB.

[35]  Mikko T. Siponen,et al.  Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations , 2014, Eur. J. Inf. Syst..

[36]  Kweku-Muata Osei-Bryson,et al.  A hybrid decision tree based methodology for event studies and its application to e-commerce initiative announcements , 2012, DATB.

[37]  Scott Highhouse,et al.  Relation of job search and choice process with subsequent satisfaction , 2005 .

[38]  Ram D. Gopal,et al.  Would you like to play? A comparison of a gamified survey with a traditional online survey method , 2019, Int. J. Inf. Manag..

[39]  Jeffrey D. Wall,et al.  Control-Related Motivations and Information Security Policy Compliance: The Role of Autonomy and Efficacy , 2013 .

[40]  Paul Benjamin Lowry,et al.  Cognitive‐affective drivers of employees' daily compliance with information security policies: A multilevel, longitudinal study , 2019, Inf. Syst. J..

[41]  Laurie J. Kirsch,et al.  If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security , 2009, Eur. J. Inf. Syst..

[42]  E. Deci,et al.  Self-determination theory and the facilitation of intrinsic motivation, social development, and well-being. , 2000, The American psychologist.

[43]  Kweku-Muata Osei-Bryson,et al.  Exploring the Impacts of Individual Styles on Security Compliance Behavior: A Preliminary Analysis , 2017 .

[44]  Jozef Bavoľár,et al.  Decision-making styles and their associations with decision-making competencies and mental health , 2015, Judgment and Decision Making.

[45]  Qing Hu,et al.  Does deterrence work in reducing information security policy abuse by employees? , 2011, Commun. ACM.

[46]  Yogesh Kumar Dwivedi,et al.  RFID systems in libraries: An empirical examination of factors affecting system use and user satisfaction , 2013, Int. J. Inf. Manag..

[47]  A. Picot,et al.  Information Security Management (ISM) Practices: Lessons from Select Cases from India and Germany , 2013 .

[48]  Mikko T. Siponen,et al.  Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations , 2010, MIS Q..

[49]  Reginald A. Bruce,et al.  Decision-Making Style: The Development and Assessment of a New Measure , 1995 .

[50]  Atreyi Kankanhalli,et al.  Studying users' computer security behavior: A health belief perspective , 2009, Decis. Support Syst..

[51]  Jeffrey M. Stanton,et al.  Analysis of end user security behaviors , 2005, Comput. Secur..

[52]  A. Bandura Self-efficacy: toward a unifying theory of behavioral change. , 1977, Psychological review.

[53]  Mikko T. Siponen,et al.  Toward a Unified Model of Information Security Policy Compliance , 2018, MIS Q..

[54]  Jitendra V. Singh Performance, Slack, and Risk Taking in Organizational Decision Making , 1986 .

[55]  Kweku-Muata Osei-Bryson,et al.  Using decision tree modelling to support Peircian abduction in IS research: a systematic approach for generating and evaluating hypotheses for systematic theory development , 2011, Inf. Syst. J..

[56]  Robert M. Davison,et al.  Context is king! Considering particularism in research design and reporting , 2016, J. Inf. Technol..

[57]  Mikko T. Siponen,et al.  A conceptual foundation for organizational information security awareness , 2000, Inf. Manag. Comput. Secur..

[58]  Alan J. Rowe,et al.  Managerial Decision Making: A Guide to Successful Business Decisions , 1992 .

[59]  KositanuritBoontaree,et al.  Re-examining information systems user performance , 2011 .

[60]  Marko Sarstedt,et al.  Partial least squares structural equation modeling (PLS-SEM): An emerging tool in business research , 2014 .

[61]  Merrill Warkentin,et al.  Behavioral and policy issues in information systems security: the insider threat , 2009, Eur. J. Inf. Syst..

[62]  Jeffrey H. Greenhaus,et al.  The relation between career decision-making strategies and person–job fit: A study of job changers , 2004 .

[63]  Tejaswini Herath,et al.  Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness , 2009, Decis. Support Syst..

[64]  Kweku-Muata Osei-Bryson,et al.  Re-examining information systems user performance: Using data mining to identify properties of IS that lead to highest levels of user performance , 2011, Expert Syst. Appl..

[65]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[66]  Omar D. Cardona,et al.  The Need for Rethinking the Concepts of Vulnerability and Risk from a Holistic Perspective: A Necessary Review and Criticism for Effective Risk Management , 2013 .

[67]  Stanislav Mamonov,et al.  The impact of information security threat awareness on privacy-protective behaviors , 2018, Comput. Hum. Behav..

[68]  Nathan L. Clarke,et al.  Power to the people? The evolving recognition of human aspects of security , 2012, Comput. Secur..

[69]  Detmar W. Straub,et al.  Structural Equation Modeling and Regression: Guidelines for Research Practice , 2000, Commun. Assoc. Inf. Syst..

[70]  Kuang-Wei Wen,et al.  Organizations' Information Security Policy Compliance: Stick or Carrot Approach? , 2012, J. Manag. Inf. Syst..

[71]  Dustin Ormond,et al.  Don't make excuses! Discouraging neutralization to reduce IT policy violation , 2013, Comput. Secur..

[72]  Richard O. Mason,et al.  Managing with Style: A Guide to Understanding, Assessing, and Improving Decision Making , 1987 .

[73]  Wu He,et al.  Investigating the impact of cybersecurity policy awareness on employees' cybersecurity behavior , 2019, Int. J. Inf. Manag..

[74]  Wu He,et al.  Gender difference and employees' cybersecurity behaviors , 2017, Comput. Hum. Behav..

[75]  J. R. Larson,et al.  Leadership Style and the Discussion of Shared and Unshared Information in Decision-Making Groups , 1998 .

[76]  Roberto Baiocco,et al.  Decision-making style among adolescents: relationship with sensation seeking and locus of control. , 2009, Journal of adolescence.

[77]  Irene M. Y. Woon,et al.  Perceptions of Information Security at the Workplace : Linking Information Security Climate to Compliant Behavior , 2006 .

[78]  Rossouw von Solms,et al.  Towards information security behavioural compliance , 2004, Comput. Secur..

[79]  Mo Adam Mahmood,et al.  Employees' Behavior towards IS Security Policy Compliance , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[80]  T. Mech The Managerial Decision Styles of Academic Library Directors. , 1993 .

[81]  Michael E. Whitman,et al.  In defense of the realm: understanding the threats to information security , 2004, Int. J. Inf. Manag..

[82]  Mikko T. Siponen,et al.  IS Security Policy Violations: A Rational Choice Perspective , 2012, J. Organ. End User Comput..

[83]  Benjamin Yeo,et al.  Predicting service industry performance using decision tree analysis , 2018, Int. J. Inf. Manag..

[84]  Hock-Hai Teo,et al.  An integrative study of information systems security effectiveness , 2003, Int. J. Inf. Manag..

[85]  Robert M. Davison,et al.  Strategic decision making and support systems: Comparing American, Japanese and Chinese management , 2007, Decis. Support Syst..