Factors That Influence Employees’ Security Policy Compliance: An Awareness-Motivation-Capability Perspective

ABSTRACT Information security policy (ISP) plays an important role in information security management in organizations. Past research investigated various factors that may impact employee behavior toward security policy compliance from the perspective of general deterrence theory (GDT), protection and motivation theory (PMT), and rational choice theory (RCT). However, there is no unifying foundation/framework that examines all of those factors in a harmonic way so that the research findings can guide information security practices and research into the employee ISP compliance management context. Additionally, prior findings provided mixed results. This study proposes a research model based on the awareness-motivation-capability (AMC) framework, aiming to unify the factors to predict employee ISP compliance intention. We believe that a harmonic approach in managing employee ISP compliance can create optimal outcomes.
