Elsevier

Computers & Security

Volume 31, Issue 1, February 2012, Pages 83-95

Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory

https://doi.org/10.1016/j.cose.2011.10.007

Abstract

This research investigated information systems security policy (ISSP) compliance by drawing upon two relevant theories, i.e. the theory of planned behavior (TPB) and the protection motivation theory (PMT). A research model that fused constituents of the aforementioned theories was proposed and validated. Relevant hypotheses were developed to test the research conceptualization. Data analysis was performed using the partial least squares (PLS) technique. Using a survey of 124 business managers and IS professionals, this study showed that factors such as self-efficacy, attitude toward compliance, subjective norms, response efficacy and perceived vulnerability positively influence employees’ ISSP behavioral compliance intentions. The data analysis did not support perceived severity and response cost as predictors of ISSP behavioral compliance intentions. The study’s implications for research and practice are discussed.

Introduction

Modern organizations rely on information systems (IS) for their survival, because such systems often hold valuable organizational data resources (Cavusoglu et al., 2004, Richardson, 2011, Ifinedo, 2009, Ifinedo, 2011). To safeguard the critical IS assets held in such systems from misuse, abuse and destruction, organizations often utilize a variety of tools and measures such as installing firewalls, updating anti-virus software, backing up their systems, maintaining and restricting access controls, using encryption keys, using surge protectors, and using comprehensive monitoring systems (Ryan, 2004, Workman et al., 2008, Lee and Larsen, 2009). However, the aforementioned tools and measures offer a technological or technical solution to the problem, and are rarely sufficient to provide total protection of organizational IS resources (Rhodes, 2001, Sasse et al., 2004, Stanton et al., 2005, Herath and Rao, 2009a).

Researchers including Vroom and von Solms (2004), Stanton et al. (2005), and Pahnila et al. (2007) have noted that organizations that pay attention to technical as well as non-technical means of protecting their IS assets and resources are likely to be more successful in their attempts to protect their key IS assets. The onus is therefore on organizations to utilize multi-perspective approaches for protecting their IS assets and resources (Herath and Rao, 2009b). Indeed, several researchers have indicated that socio-organizational imperatives are equally important to organizations that wish to safeguard their IS resources (Vroom and von Solms, 2004, Stanton et al., 2005, Pahnila et al., 2007, Bulgurcu et al., 2010). In fact, it has been reported that one of the reasons why IS security incidents and abuses continue to plague organizations is that organizational employees are the weakest link in ensuring IS security; they constitute an insider threat to their organizations (Vroom and von Solms, 2004, Stanton et al., 2005, Post and Kagan, 2007, Warkentin and Willison, 2009, Richardson, 2011). For instance, a study that evaluated the tradeoffs between computer security protection and accessibility concluded that employees are more likely to bypass security measures in order to complete a task (Post and Kagan, 2007). Against such a backdrop, it would be beneficial for organizations to focus on their own employees’ intentions and behaviors.

Recently, studies have emerged that signify the pertinence of employees’ compliance with the organizational rules, guidelines, and requirements laid out in their information systems security policy (ISSP) as a useful mechanism for shaping or influencing the behaviors of employees with respect to how organizational IS resources are used (Cavusoglu et al., 2004, Knapp and Marshall, 2006, Pahnila et al., 2007, Post and Kagan, 2007, LaRose et al., 2008, Bulgurcu et al., 2010, Ifinedo, 2009, Ifinedo, 2011). The same stream of literature also suggests that where such ISSPs are in place to help safeguard against misuse, abuse, and destruction of IS assets, employees often do not readily comply with such documents (Pahnila et al., 2007, Siponen and Vance, 2010). Thus, studies designed to increase knowledge of the sorts of issues that may inhibit or encourage ISSP compliance in organizations will be welcome additions to the extant literature. Insights in this area of study have started to surface in the relevant literature (Cavusoglu et al., 2004, Vroom and von Solms, 2004, Siponen and Willison, 2009, Bulgurcu et al., 2010, Anderson and Agarwal, 2010). This current research is designed to complement the growing body of knowledge in the area.

Two relevant theories, i.e. the theory of planned behavior (TPB) (Ajzen, 1991) and the protection motivation theory (PMT) (Rogers, 1983), will be integrated to increase our knowledge of ISSP compliance by employees in modern organizations. Previous works have used research frameworks that integrated PMT or TPB with other theories (e.g. Bulgurcu et al., 2010, Pahnila et al., 2007, Herath and Rao, 2009a, Herath and Rao, 2009b, Lee and Kozar, 2005, Lee and Larsen, 2009). To the best of our knowledge, no prior research has used both theories in a single study. Anderson and Agarwal’s (2010) review of the literature in this area indicated that the two foregoing theories have been used in ISSP compliance research.

With respect to the PMT, which emphasizes the fear appeal perspective, Siponen and Vance (2010) asserted that ISSP compliance research using fear appeal theories does not always explain noncompliance behaviors. Others (e.g. Herath and Rao, 2009b) provided support for the view espoused by Siponen and Vance (2010). Thus, by combining the PMT with the TPB, an enduring behavior-intention theory, this research aims to extend our knowledge in the area. Further to this, compliance, being a complex concept, should be studied from differing perspectives to enhance knowledge (Aronson et al., 2010).

The remainder of the paper is organized as follows: First, information about the study’s theoretical foundations is presented. Second, the research model and hypotheses follow. Third, the research methodology is presented. Next, information about the analyses and results is presented. The paper concludes by discussing its findings, implications, limitations and avenues for further research.

Section snippets

Protection motivation theory

Protection Motivation Theory (PMT), which was developed by Rogers (1983), expanded the health belief model in the social psychology and health domains (Rippetoe and Rogers, 1987, Milne et al., 2000). Drawing from expectancy-value theories and cognitive processing theories, PMT was developed to help clarify fear appeals. PMT has been noted as one of the most powerful explanatory theories for predicting an individual’s intention to engage in protective actions (Anderson and Agarwal,

The research model and hypotheses

Following the preceding discussion, the research model is presented in Fig. 1. It can be seen that the TPB and PMT are fused because both theories share one common element, i.e. self-efficacy, which as noted above is the same concept encapsulated by Ajzen’s (1991) perceived behavioral control. The dependent construct is ISS behavioral intention. Discussions of the research hypotheses are presented next.

Subjective norms are normative stimuli, beliefs and motivations to comply with a particular

Data collection procedure

The research model was tested using a field survey. To that end, we used two approaches in collecting our data. First, we purchased a directory containing the names of non-IS managers in Canadian organizations from InfoCANADA. Half of the list, which constituted 1000 names, was used for this study. Each participant received a cover letter, questionnaire, and self-addressed, stamped envelope. Of the 1000 questionnaires mailed, 106 were undelivered. 76 responses were received reflecting an

Data analysis and results

The Partial Least Squares (PLS) technique of structural equation modeling, which utilizes a principal component-based approach for estimation, was used for analysis. The approach is suitable for validating predictive models, especially those with small sample sizes (Chin, 1998). The specific tool used was SmartPLS 2.0, which was created by Ringle et al. (2005). PLS analysis proceeds in two stages: (a) the assessment of the measurement model and (b) the assessment of the structural model.

Discussions

By integrating two relevant theories, i.e. PMT and TPB, this current research proposed and validated a research model designed to enrich our understanding of ISSP compliance in organizations. The study’s results show that a significant amount of the variance in the proposed model’s dependent variable, i.e. ISSP compliance behavioral intention, was explained by the model’s independent variables.

The two constituents of subjective norms and attitude toward compliance from TPB were found to

Conclusions

This current research was conceived against the backdrop of efforts made by organizations to protect their IS assets. Organizations sometimes procure technological tools to help them achieve success on such fronts. At times, organizations’ focus is on instituting ISSPs in their contexts. What good are such policies and guidelines if employees do not comply with their requirements? To enrich knowledge in the area, this research drew from two relevant behavioral intention and

Acknowledgments

Funding for this research was provided by ORAI Grant #8271 of Cape Breton University, Canada. The author acknowledges the work of Research Assistant, Lindsay McDonald. The author appreciates the efforts of all the participants of this research project. Special thanks go to Ringle, C.M., Wende, S. and Will, A. for the use of their software, SmartPLS 2.0. The comments and suggestions received from two anonymous reviewers of an earlier draft of this paper are valued.

Princely Ifinedo is an Associate Professor in the Shannon School of Business at Cape Breton University, Canada. He holds a doctoral degree in Information Systems Science from the University of Jyväskylä (Eximia Cum Laude Approbatur) and master’s degrees from the University of London and Tallinn University of Technology. He has authored (and co-authored) over 80 publications. Dr. Ifinedo’s current research interests include ERP system success measurement, global IT management, IT adoption in SMEs and healthcare, cross-cultural issues in IS, IS security and privacy issues. He is affiliated with AIS, ISACA, IEEE, and DSI.

References (48)

  • I.M.Y. Woon et al. Investigation of IS professionals’ intention to practise secure development of applications. International Journal of Human-Computer Studies (2007)
  • M. Workman et al. Security lapses and the omission of information security measures: a threat control model and empirical test. Computers in Human Behavior (2008)
  • C.L. Anderson et al. Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions. MIS Quarterly (2010)
  • E. Aronson et al. Social psychology (2010)
  • A. Bandura. Self-efficacy: toward a unifying theory of behavioral change. Psychological Review (1977)
  • B. Bulgurcu et al. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly (2010)
  • H. Cavusoglu et al. A model for evaluating IT security investments. Communications of the ACM (2004)
  • M. Chan et al. Perceptions of information security at the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security (2005)
  • W. Chin. Issues and opinion on structural equation modeling. MIS Quarterly (1998)
  • D.R. Compeau et al. Computer self-efficacy: development of a measure and initial test. MIS Quarterly (1995)
  • C. Fornell et al. Evaluating structural equations models with unobservable variables and measurement error. Journal of Marketing Research (1981)
  • J.F. Hair et al. Multivariate data analysis (1998)
  • T. Herath et al. Protection motivation and deterrence: a framework for security policy compliance in organizations. European Journal of Information Systems (2009)
  • M.-H. Hsu et al. An investigation of volitional control in information ethics. Behavior and Information Technology (2003)