Information Security Awareness: Its Antecedents and Mediating Effects on Security Compliant Behavior

Abstract

Information security awareness (ISA) refers to a state of consciousness and knowledge about security issues and is frequently found to impact security-compliant behavior. However, to date we know little about the factors that influence ISA or about its mediating effect on behavior. Our study addresses these gaps. We propose a research model that studies ISA’s institutional, individual, and environmental antecedents and investigates the mediating role of ISA. The model was empirically tested with survey data from 475 employees. The model explains a substantial proportion of the variance in ISA (.50) and in intention to comply (.41). The results imply that the provision of security policies and employees’ knowledge of information systems are the most influential antecedents of ISA. The study shows that ISA mediates the relationship between ISA’s antecedents and behavioral intention. The findings will be useful for stakeholders interested in encouraging employees’ compliance with information security policies.
