Abstract
Enterprises establish computer security policies to ensure the security of information resources; however, if employees and end-users of organisational information systems (IS) are not keen or are unwilling to follow security policies, then these efforts are in vain. Our study is informed by the literature on IS adoption, protection-motivation theory, deterrence theory, and organisational behaviour, and is motivated by the fundamental premise that the adoption of information security practices and policies is affected by organisational, environmental, and behavioural factors. We develop an Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour. Furthermore, we evaluate the effect of organisational commitment on employee security compliance intentions. Finally, we empirically test the theoretical model with a data set representing the survey responses of 312 employees from 78 organisations. Our results suggest that (a) threat perceptions about the severity of breaches and response perceptions of response efficacy, self-efficacy, and response costs are likely to affect policy attitudes; (b) organisational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy, which in turn, is a significant predictor of policy compliance intentions. We find that employees in our sample underestimate the probability of security breaches.
Acknowledgements
We appreciate the support and collaboration on this project by the Cyber Task Force, Buffalo Division, FBI. This research is funded in part by NSF under grant #0402388 and MDRF grant #F0630. The research of the second author is also supported in part by NSF under grant #0809186. The usual disclaimer applies.
Additional information
Notes on contributors
Tejaswini Herath
Tejaswini Herath, Ph.D., is an assistant professor in the Faculty of Business at Brock University, Canada. She graduated from Department of Management Science and Systems at State University of New York, Buffalo (UB). Previously she worked as a systems analyst and a part-time lecturer at UNBC, Canada. Her research interests are in Information Assurance and include topics such as information security and privacy, diffusion of information assurance practices, economics of information security, and risk management. Her work has been accepted or published in the Journal of Management Information Systems, Decision Support Systems, Information Systems Management, and International Journal of E-Government Research. She was the recipient of the Best Paper Award at the 30th McMaster World Congress (2009) on E-Crime Prevention, and the recipient of the UB Ph.D. Student Achievement Award (2007–2008).
H Raghav Rao
H. Raghav Rao, Ph.D., graduated from Krannert Graduate School of Management at Purdue University. He has chaired sessions at international conferences and presented numerous papers. He also has co-edited four books of which one is on Information Assurance in Financial Services. He has authored or co-authored more than 150 technical papers, of which more than 75 are published in archival journals. His work has received best paper and best paper runner up awards at AMCIS and ICIS. Dr. Rao has received funding for his research from the National Science Foundation, the Department of Defense, and the Canadian Embassy and he has received the University's prestigious Teaching Fellowship. He has also received the Fulbright fellowship in 2004. He is a co-editor of a special issue of The Annals of Operations Research, The Communications of ACM; and associate editor of Decision Support Systems, Information Systems Research, and IEEE Transactions in Systems, Man and Cybernetics; and co-editor-in-chief of Information Systems Frontiers. Dr. Rao also has a courtesy appointment with Computer Science and Engineering as an adjunct professor. He is the recipient of the 2007 SUNY Chancellor's award for excellence.