Motivating Information Security Policy Compliance: Insights from Perceived Organizational Formalization

ABSTRACT Psychological and behavioral characteristics are among the most important factors that instigate information security incidents. Although many previous studies have discussed the factors that influence information security policy compliance behavior in an organization, few have considered the influence of organizational structures. In this study, the mechanism by which information security policy compliance behavioral intention is formed was studied by integrating the theory of planned behavior (TPB) and perceived organizational formalization. Data analysis was performed using structural equation modeling (SEM) with data obtained from a survey of 261 company employees. The empirical results reveal that perceived organizational formalization significantly affected the cognitive processes theorized by TPB, behavioral habits, and deterrent certainty. This study suggests that formalized rules, procedures, and communications should be designed to improve employees' information security policy compliance behavioral habits and intentions.
