Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory
Introduction
Modern organizations rely on information systems (IS) for their survival because such systems often hold valuable organizational data resources (Cavusoglu et al., 2004, Richardson, 2011, Ifinedo, 2009, Ifinedo, 2011). To safeguard the critical IS assets held in such systems from misuse, abuse and destruction, organizations often utilize a variety of tools and measures, such as installing firewalls, updating anti-virus software, backing up their systems, maintaining and restricting access controls, using encryption keys, using surge protectors, and using comprehensive monitoring systems (Ryan, 2004, Workman et al., 2008, Lee and Larsen, 2009). However, the aforementioned tools and measures offer a technological or technical solution to the problem and are rarely sufficient to provide total protection of organizational IS resources (Rhodes, 2001, Sasse et al., 2004, Stanton et al., 2005, Herath and Rao, 2009a).
Researchers including Vroom and von Solms (2004), Stanton et al. (2005), and Pahnila et al. (2007) have noted that organizations that pay attention to technical as well as non-technical means of protecting their IS assets and resources are likely to be more successful in their attempts to protect those key assets. The onus is therefore on organizations to utilize multi-perspective approaches for protecting their IS assets and resources (Herath and Rao, 2009b). Indeed, several researchers have indicated that socio-organizational imperatives are considered equally important to organizations seeking to safeguard their IS resources (Vroom and von Solms, 2004, Stanton et al., 2005, Pahnila et al., 2007, Bulgurcu et al., 2010). In fact, it has been reported that one of the reasons why IS security incidents and abuses continue to plague organizations is that organizational employees are the weakest link in ensuring IS security; they constitute an insider threat to their organizations (Vroom and von Solms, 2004, Stanton et al., 2005, Post and Kagan, 2007, Warkentin and Willison, 2009, Richardson, 2011). For instance, a study that evaluated the tradeoffs between computer security protection and accessibility concluded that employees are more likely to bypass security measures in order to complete a task (Post and Kagan, 2007). Against such a backdrop, it would be beneficial for organizations to focus on their own employees’ intentions and behaviors.
Recently, studies have emerged that signify the pertinence of employees’ compliance with the organizational rules, guidelines, and requirements laid out in their information systems security policy (ISSP) as a useful mechanism for shaping or influencing how employees use organizational IS resources (Cavusoglu et al., 2004, Knapp and Marshall, 2006, Pahnila et al., 2007, Post and Kagan, 2007, LaRose et al., 2008, Bulgurcu et al., 2010, Ifinedo, 2009, Ifinedo, 2011). The same stream of literature also suggests that where such ISSPs are in place to help safeguard against misuse, abuse, and destruction of IS assets, employees often do not readily comply with them (Pahnila et al., 2007, Siponen and Vance, 2010). Thus, studies designed to increase knowledge of the issues that may inhibit or encourage ISSP compliance in organizations will be a welcome addition to the extant literature. Insights in this area of study have started to surface in the relevant literature (Cavusoglu et al., 2004, Vroom and von Solms, 2004, Siponen and Willison, 2009, Bulgurcu et al., 2010, Anderson and Agarwal, 2010). This current research is designed to complement the growing body of knowledge in the area.
Two relevant theories, i.e. the theory of planned behavior (TPB) (Ajzen, 1991) and the protection motivation theory (PMT) (Rogers, 1983), will be integrated to increase our knowledge of ISSP compliance by employees in modern organizations. Previous works have used research frameworks that integrated either PMT or TPB with other theories (e.g. Bulgurcu et al., 2010, Pahnila et al., 2007, Herath and Rao, 2009a, Herath and Rao, 2009b, Lee and Kozar, 2005, Lee and Larsen, 2009). To the best of our knowledge, no prior research has used both theories in a single study. Anderson and Agarwal’s (2010) review of the literature in this area indicated that the two foregoing theories have been used in ISSP compliance research.
With respect to the PMT, which emphasizes the fear appeal perspective, Siponen and Vance (2010) asserted that ISSP compliance research using fear appeal theories does not always explicate noncompliance behaviors. Others (e.g. Herath and Rao, 2009b) have provided support for the view espoused by Siponen and Vance (2010). Thus, by incorporating the PMT with the TPB, an enduring behavior-intention theory, this research aims at extending our knowledge in the area. Further to this, compliance, being a complex concept, should be studied from differing perspectives to enhance knowledge (Aronson et al., 2010).
The remainder of the paper is organized as follows. First, information about the study’s theoretical foundations is presented. Second, the research model and hypotheses follow. Third, the research methodology is presented. Next, the analyses and results are presented. The paper concludes by discussing its findings, implications, limitations and avenues for further research.
Protection motivation theory
Protection Motivation Theory (PMT), which was developed by Rogers (1983), expanded the health-related belief model in the social psychology and health domains (Rippetoe and Rogers, 1987, Milne et al., 2000). Drawing from expectancy-value theories and cognitive processing theories, PMT was developed to help clarify fear appeals. PMT has been noted as one of the most powerful explanatory theories for predicting an individual’s intention to engage in protective actions (Anderson and Agarwal,
The research model and hypotheses
Following the preceding discussion, the research model is presented in Fig. 1. It can be seen that both the TPB and PMT are fused as both theories have one common element i.e. self-efficacy, which as noted above is the same concept encapsulated by Ajzen’s (1991) perceived behavioral control. The dependent construct is the ISS behavioral intention. Discussions on the research hypotheses are presented next.
Subjective norms are normative stimuli, beliefs and motivations to comply with a particular
Data collection procedure
The research model was tested using a field survey. To that end, we used two approaches in collecting our data. First, we purchased a directory containing the names of non-IS managers in Canadian organizations from InfoCANADA. Half of the list, comprising 1000 names, was used for this study. Each participant received a cover letter, a questionnaire, and a self-addressed, stamped envelope. Of the 1000 questionnaires mailed, 106 were undelivered. 76 responses were received, reflecting an
Data analysis and results
The Partial Least Squares (PLS) technique of structural equation modeling, which uses a principal component-based approach for estimation, was used for analysis. The approach is suitable for validating predictive models, especially those with small sample sizes (Chin, 1998). The specific tool used was SmartPLS 2.0, created by Ringle et al. (2005). PLS analysis comprises two stages: (a) the assessment of the measurement model and (b) the assessment of the structural model.
Discussions
By integrating two relevant theories, i.e. PMT and TPB, this current research proposed and validated a research model designed to enrich our understanding of ISSP compliance in organizations. The study’s results show that a significant amount of variance in the proposed model’s dependent variable, i.e. ISSP compliance behavioral intention, was explained by the model’s independent variables.
The two constituents of subjective norms and attitude toward compliance from TPB were found to
Conclusions
This current research was conceived against the backdrop of efforts made by organizations to protect their IS assets. Organizations sometimes procure technological tools to help them achieve success on such fronts. At times, organizations’ focus is on instituting ISSPs in their contexts. What good are such policies and guidelines if employees do not comply with their requirements? To enrich knowledge in the area, this research drew from two relevant behavioral intention and
Acknowledgments
Funding for this research was provided by ORAI Grant #8271 of Cape Breton University, Canada. The author acknowledges the work of Research Assistant, Lindsay McDonald. The author appreciates the efforts of all the participants of this research project. Special thanks go to Ringle, C.M., Wende, S. and Will, A. for the use of their software, SmartPLS 2.0. The comments and suggestions received from two anonymous reviewers of an earlier draft of this paper are valued.
References (48)
The theory of planned behavior. Organizational Behavior and Human Decision Processes (1991).
Social cognitive theory of self-regulation. Organizational Behavior and Human Decision Processes (1991).
Encouraging information security behaviors: role of penalties, pressures and perceived effectiveness. Decision Support Systems (2009).
Why there aren’t more information security research studies. Information & Management (2004).
What influences IT ethical behavior intentions: planned behavior, reasoned action, perceived importance, or individual characteristics? Information & Management (2004).
Studying users’ computer security behavior: a health belief perspective. Decision Support Systems (2009).
Evaluating information security tradeoffs: restricting access can interfere with user tasks. Computers & Security (2007).
Information security management standards: problems and solutions. Information & Management (2009).
Analysis of end user security behaviors. Computers & Security (2005).
Towards information security behavioural compliance. Computers & Security (2004).
Investigation of IS professionals’ intention to practise secure development of applications. International Journal of Human-Computer Studies.
Security lapses and the omission of information security measures: a threat control model and empirical test. Computers in Human Behavior.
Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions. MIS Quarterly.
Social psychology.
Self-efficacy: toward a unifying theory of behavioral change. Psychological Review.
Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly.
A model for evaluating IT security investments. Communications of the ACM.
Perceptions of information security at the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security.
Issues and opinion on structural equation modeling. MIS Quarterly.
Computer self-efficacy: development of a measure and initial test. MIS Quarterly.
Evaluating structural equations models with unobservable variables and measurement error. Journal of Marketing Research.
Multivariate data analysis.
Protection motivation and deterrence: a framework for security policy compliance in organizations. European Journal of Information Systems.
An investigation of volitional control in information ethics. Behavior and Information Technology.
Princely Ifinedo is an Associate Professor in the Shannon School of Business at Cape Breton University, Canada. He holds a doctoral degree in Information Systems Science from the University of Jyväskylä (Eximia Cum Laude Approbatur) and master’s degrees from the University of London and Tallinn University of Technology. He has authored (and co-authored) over 80 publications. Dr. Ifinedo’s current research interests include ERP system success measurement, global IT management, IT adoption in SMEs and healthcare, cross-cultural issues in IS, IS security and privacy issues. He is affiliated with AIS, ISACA, IEEE, and DSI.