Original Articles

Predicting information security policy compliance intentions and behavior for six employee-based risks

Pages 260-281 | Received 10 Nov 2016, Accepted 07 Dec 2017, Published online: 29 Jan 2018
 

ABSTRACT

Employees’ non-compliance with organizational information security policies poses a significant threat to organizations. Enhancing our understanding of compliance behavior is crucial for improving security. Although research has identified numerous psychological factors that affect intentions to comply with security policies, how such intentions map onto actual compliance behavior is not well understood. Building on a well-supported model of security policy compliance intentions, we evaluate compliance with each of six types of information security policies using decision vignettes, and compare parameters across models. The study contributes to information security compliance research by examining each risk separately and exploring heterogeneity across risk types.

Acknowledgements

This research was supported by National Science Foundation funding under Award no. 1314644.

Additional information

Notes on contributors

Tatyana Ryutov

Tatyana Ryutov, PhD, has worked in the field of information security for over 15 years as a researcher and developer. She is currently a senior lecturer in the Informatics Cybersecurity Engineering program at the University of Southern California. Her work focuses on access control and authorization, security policies, automated trust negotiation, human/social factors in security- and privacy-related decision making, and game theory applications for cyber security.

Nicole Sintov

Nicole Sintov is Assistant Professor of Behavior, Decision-Making, and Sustainability at The Ohio State University’s School of Environment and Natural Resources. At the time this article was written, she was Assistant Professor of Research at the Price School of Public Policy and Research Lead at the Information Sciences Institute at the University of Southern California (USC). As an environmental psychologist, she focuses her research on developing and evaluating behavioral intervention programs designed to promote sustainable behavior (e.g., energy and water conservation). Much of this work focuses on understanding the processes by which people adopt and use sustainable innovations.

Mengtian Zhao

Mengtian Zhao is a PhD student in quantitative psychology at USC. Her research focuses on using risk and decision analytic techniques in applied contexts and on modeling the decision-making process.

Richard S. John

Richard S. John is currently Associate Professor in the Department of Psychology at the University of Southern California and Associate Director for Research and Strategic Planning at the Center for Risk and Economic Analysis of Terrorism Events (CREATE). His research focuses on normative and descriptive models of human judgment and decision making and methodological issues in the application of decision analysis and probabilistic risk analysis (PRA). Richard has consulted on a number of large projects involving expert elicitation, including analysis of nuclear power plant risks (NUREG 1150) and analysis of cost and schedule risk for tritium supply alternatives. Richard’s current research focuses on adversary risk analysis and the psychology of deterrence. Recent work includes study of adversary values and motivations using Value Focused Thinking (VFT) and Multi-Attribute Utility (MAU) Analysis to identify conflicting adversary objectives. Richard received his PhD in quantitative psychology from the University of Southern California in 1984, M.S. in applied mathematics from the University of Southern California in 1983, and B.S. in applied mathematics (summa cum laude) from the Georgia Institute of Technology in 1976.
