Information Security Behavior: Towards Multi-Stage Models

A number of information security policy compliance measures have been proposed to ensure that employees abide by their organizations' Information Security Policies (ISP). Stage theories suggest that different factors may explain or predict the information security behavior of employees who know the ISP and of those who do not; if so, and if existing studies do not control for this distinction, the practical relevance of the existing models is reduced. To test whether different factors explain or predict the information security behavior of these two groups, we designed a study using Protection Motivation Theory (PMT) as the baseline theory. Employees' ISP knowledge was assessed with a few questions about their organization's ISP. We divided the data (N=513) into a low-knowledge group and a high-knowledge group (with respect to the organizations' ISP). The results show that the findings for the low-knowledge group and the high-knowledge group differ substantially. Our results offer an explanation for the inconsistent results in previous IS security research.
