Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture

We develop an individual behavioral model that integrates the role of top management and organizational culture into the theory of planned behavior, in an attempt to better understand how top management can influence the security compliance behavior of employees. Using survey data and structural equation modeling, we test hypotheses on the relationships among top management participation, organizational culture, and key determinants of employee compliance with information security policies. We find that top management participation in information security initiatives has significant direct and indirect influences on employees’ attitudes towards, subjective norm of, and perceived behavioral control over compliance with information security policies. We also find that top management participation strongly influences organizational culture, which in turn impacts employees’ attitudes towards and perceived behavioral control over compliance with information security policies. Furthermore, we find that the effects of top management participation and organizational culture on employee behavioral intentions are fully mediated by employee cognitive beliefs about compliance with information security policies. Our findings extend the information security research literature by showing how top management can play a proactive role in shaping employee compliance behavior, in addition to the deterrence-oriented remedies advocated in the extant literature. Our findings also refine the theories about the role of organizational culture in shaping employee compliance behavior. Significant theoretical and practical implications of these findings are discussed.
