Effects of Individual and Organization Based Beliefs and the Moderating Role of Work Experience on Insiders' Good Security Behaviors

This research aims to identify the factors that drive an employee to comply with requirements of the Information Security Policy (ISP) with regard to protecting her organization’s information and technology resources. Two different research models are proposed for an employee’s individual based beliefs and organization based beliefs. An employee’s attitude is traced to its underlying foundational beliefs in each model, namely, benefit of compliance, cost of non-compliance, and cost of compliance, which are beliefs that represent the perceived effects of compliance or non-compliance. It is also postulated that these beliefs along with an employee’s attitude are affected by her Information Security Awareness (ISA). Besides the structural model testing of individual and organizational models of compliance, the moderating role of an employee’s work experience is investigated. Our results show that, while individual benefit of compliance and cost of compliance are not significant in the low experience group, all individual based beliefs are significant in the high experience group. Similarly, organizational benefit of compliance is not significant in the low experience group, while all organization based beliefs are significant in the high experience group. Furthermore, ISA is found to affect an employee’s attitude and all her individual and organization based beliefs. As organizations strive to get their employees to follow their information security rules and regulations, our study mainly sheds light on the moderating role of an employee’s work experience in changing the strength of individual and organization based beliefs on employees’ attitude as well as her ISA.

[1]  James Backhouse,et al.  Current directions in IS security research: towards socio‐organizational perspectives , 2001, Inf. Syst. J..

[2]  Mikko T. Siponen,et al.  A Critical Assessment of IS Security Research between 1990-2004 , 2007, ECIS.

[3]  Mo Adam Mahmood,et al.  Employees' Behavior towards IS Security Policy Compliance , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[4]  E. Rogers,et al.  Diffusion of innovations , 1964, Encyclopedia of Sport Management.

[5]  Fred A. Mael,et al.  Social identity theory and the organization , 1989 .

[6]  H. Tajfel Social identity and intergroup behaviour , 1974 .

[7]  H. Tajfel,et al.  An integrative theory of intergroup conflict. , 1979 .

[8]  Robert Willison,et al.  Understanding the perpetration of employee computer crime in the organisational context , 2006, Inf. Organ..

[9]  Laurie J. Kirsch,et al.  The Last Line of Defense: Motivating Employees to Follow Corporate Security Guidelines , 2007, ICIS.

[10]  I. Ajzen,et al.  Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research , 1977 .

[11]  Mikko T. Siponen,et al.  An analysis of the traditional IS security approaches: implications for research and practice , 2005, Eur. J. Inf. Syst..

[12]  Detmar W. Straub,et al.  Effective IS Security: An Empirical Study , 1990, Inf. Syst. Res..

[13]  I. Ajzen The theory of planned behavior , 1991 .

[14]  Jintae Lee,et al.  A holistic model of computer abuse within organizations , 2002, Inf. Manag. Comput. Secur..

[15]  Robert Willison,et al.  A Critical assesment if IS Security Research Between , 2007 .

[16]  Detmar W. Straub,et al.  Discovering and Disciplining Computer Abuse in Organizations: A Field Study , 1990, MIS Q..

[17]  Sang M. Lee,et al.  An integrative model of computer abuse based on social control and general deterrence theories , 2004, Inf. Manag..