The sufficiency of the theory of planned behavior for explaining information security policy compliance

Purpose – This paper aims to challenge the assumption that the theory of planned behaviour (TPB) includes all constructs that explain information security policy compliance and investigates if anticipated regret or constructs from the protection motivation theory add explanatory power. The TPB is an established theory that has been found to predict compliance with information security policies well.

Design/methodology/approach – Responses from 306 respondents at a research organization were collected using a questionnaire-based survey. Extensions in terms of anticipated regret and constructs drawn from the protection motivation theory are tested using hierarchical regression analysis.

Findings – Adding anticipated regret and the threat appraisal process results in improvements of the predictions of intentions. The improvements are of sufficient magnitude to warrant adjustments of the model of the TPB when it is used in the area of information security policy compliance.

Originality/value – This study is t...
