Original Articles

Factors influencing the information security behaviour of IT employees

Pages 862-874 | Received 24 Feb 2017, Accepted 19 May 2019, Published online: 29 May 2019

References

  • Ajzen, I. 1991. “The Theory of Planned Behavior.” Organizational Behavior and Human Decision Processes 50 (2): 179–211.
  • Ajzen, I., and M. Fishbein. 1980. Understanding Attitudes and Predicting Social Behaviour. Upper Saddle River, NJ: Prentice-Hall.
  • Anderson, C. L., and R. Agarwal. 2010. “Practicing Safe Computing: A Multimethod Empirical Examination of Home Computer User Security Behavioral Intentions.” MIS Quarterly 34 (3): 613–643.
  • Bagozzi, R. P., F. D. Davis, and P. R. Warshaw. 1992. “Development and Test of a Theory of Technological Learning and Usage.” Human Relations 45 (7): 659–686.
  • Bandura, A. 1977. “Self-efficacy: Toward a Unifying Theory of Behavioral Change.” Psychological Review 84 (2): 191–215.
  • Boss, S. R., D. F. Galletta, P. B. Lowry, G. Moody, and P. Polak. 2015. “What do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear That Motivate Protective Security Behaviors.” MIS Quarterly 39 (4): 837–864.
  • Brehm, J. W. 1966. A Theory of Psychological Reactance. Oxford, UK: Academic Press.
  • Bulgurcu, B., H. Cavusoglu, and I. Benbasat. 2010. “Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness.” MIS Quarterly 34 (3): 523–548.
  • Burns, A. J., C. Posey, T. L. Roberts, and P. B. Lowry. 2017. “Examining the Relationship of Organizational Insiders’ Psychological Capital with Information Security Threat and Coping Appraisals.” Computers in Human Behavior 68: 190–209.
  • Chin, W. W. 1998. “Issues and Opinion on Structural Equation Modelling.” MIS Quarterly 22 (1): vii–xvii.
  • D’Arcy, J., A. Hovav, and D. Galletta. 2009. “User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach.” Information Systems Research 20 (1): 79–98.
  • Deci, E. L. 1975. Intrinsic Motivation. Berlin: Plenum Press.
  • Deci, E. L., and R. M. Ryan. 1985. Intrinsic Motivation and Self-Determination in Human Behaviour. Berlin: Plenum Press.
  • Fishbein, M., and I. Ajzen. 1975. Belief, Attitude, Intention, and Behavior: an Introduction to Theory and Research. Boston: Addison-Wesley.
  • Fornell, C., and D. F. Larcker. 1981. “Evaluating Structural Equation Models with Unobservable Variables and Measurement Error.” Journal of Marketing Research 18: 39–50.
  • Glanz, K., B. K. Rimer, and K. Viswanath. 2008. Health Behavior and Health Education: Theory, Research, and Practice. Hoboken, NJ: Jossey-Bass.
  • Gliner, J. A., G. A. Morgan, and N. L. Leech. 2000. Research Methods in Applied Settings: an Integrated Approach to Design and Analysis. Hove: Psychology Press.
  • Hair, J. F., R. E. Anderson, R. L. Tatham, and W. C. Black. 1998. Multivariate Data Analysis. 5th ed. Upper Saddle River, NJ: Prentice Hall.
  • Hair, J. F., G. T. M. Hult, C. Ringle, and M. Sarstedt. 2013. A Primer on Partial Least Squares Structural Equation Modeling (PLS-SEM). London: Sage Publications.
  • Harrison, R. 2005. “The 10 Most Important Things an IT Person Must Understand About Security Across the Enterprise.” Information Systems Audit and Control Association Journal 3.
  • Herath, T., and H. R. Rao. 2009a. “Encouraging Information Security Behaviors in Organizations: Role of Penalties, Pressures and Perceived Effectiveness.” Decision Support Systems 47: 154–165.
  • Herath, T., and H. R. Rao. 2009b. “Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations.” European Journal of Information Systems 18: 106–125.
  • Hinkin, T. R. 1998. “A Brief Tutorial on the Development of Measures for use in Survey Questionnaires.” Organizational Research Methods 1 (1): 104–121.
  • Hovav, A., and J. D’Arcy. 2012. “Applying an Extended Model of Deterrence Across Cultures: an Investigation of Information Systems Misuse in the U.S. and South Korea.” Information & Management 49: 99–110.
  • Hsu, J. S.-C., S.-P. Shih, Y. W. Hung, and P. B. Lowry. 2015. “The Role of Extra-Role Behaviors and Social Controls in Information Security Policy Effectiveness.” Information Systems Research 26 (2): 282–300.
  • Ifinedo, P. 2012. “Understanding Information Systems Security Policy Compliance: An Integration of the Theory of Planned Behavior and the Protection Motivation Theory.” Computers & Security 31: 83–95.
  • Ifinedo, P. 2014. “Information Systems Security Policy Compliance: An Empirical Study of the Effects of Socialisation, Influence, and Cognition.” Information & Management 51: 69–79.
  • Igbaria, M., T. Guimaraes, and G. B. Davis. 1995. “Testing the Determinants of Microcomputer Usage via a Structural Equation Model.” Journal of Management Information Systems 11 (4): 87–114.
  • Janz, N. K., and M. H. Becker. 1984. “The Health Belief Model: A Decade Later.” Health Education Behavior 11 (1): 1–47.
  • Johnston, A. C., and M. Warkentin. 2010. “Fear Appeals and Information Security Behaviors: An Empirical Study.” MIS Quarterly 34 (3): 549–566.
  • Johnston, A. C., M. Warkentin, and M. Siponen. 2015. “An Enhanced Fear Appeal Rhetorical Framework: Leveraging Threats to the Human Asset Through Sanctioning Rhetoric.” MIS Quarterly 39 (1): 113–134.
  • Kankanhalli, A., H. H. Teo, B. C. Tan, and K. K. Wei. 2003. “An Integrative Study of Information Systems Security Effectiveness.” International Journal of Information Management 23 (2): 139–154.
  • Lee, Y., and K. R. Larsen. 2009. “Threat or Coping Appraisal: Determinants of SMB Executives’ Decision to Adopt Anti-Malware Software.” European Journal of Information Systems 18: 177–187.
  • Lowry, P. B., and G. D. Moody. 2015. “Proposing the Control-Reactance Compliance Model (CRCM) to Explain Opposing Motivations to Comply with Organisational Information Security Policies.” Information Systems Journal 25: 433–463.
  • Lowry, P. B., C. Posey, R. J. Bennett, and T. L. Roberts. 2015. “Leveraging Fairness and Reactance Theories to Deter Reactive Computer Abuse Following Enhanced Organisational Information Security Policies: An Empirical Study of the Influence of Counterfactual Reasoning and Organisational Trust.” Information Systems Journal 25: 193–273.
  • Maddux, J. E., and R. W. Rogers. 1983. “Protection Motivation and Self-Efficacy: A Revised Theory of Fear Appeals and Attitude Change.” Journal of Experimental Social Psychology 19 (5): 469–479.
  • McAdams, R. H. 1997. “The Origin, Development and Regulation of Norms.” Michigan Law Review 96 (2): 338–433.
  • Milne, S., P. Sheeran, and S. Orbell. 2000. “Prediction and Intervention in Health-Related Behavior: A Meta-Analytic Review of Protection Motivation Theory.” Journal of Applied Social Psychology 30 (1): 106–143.
  • Moody, G. D., M. Siponen, and S. Pahnila. 2018. “Toward a Unified Model of Information Security Policy Compliance.” MIS Quarterly 42 (1): 285–311.
  • Neuwirth, K., S. Dunwoody, and R. J. Griffin. 2000. “Protection Motivation and Risk Communication.” Risk Analysis 20 (5): 721–734.
  • Ng, B.-Y., A. Kankanhalli, and Y. Xu. 2009. “Studying Users’ Computer Security Behavior: A Health Belief Perspective.” Decision Support Systems 46 (4): 815–825.
  • Nunnally, J. 1978. Psychometric Methods. New York: McGraw.
  • Pahnila, S., M. Karjalainen, and M. Siponen. 2013. “Information Security Behaviour: Towards a Multi-Stage Model.” PACIS 2013 Proceedings, Jeju Island, Korea.
  • Pahnila, S., M. Siponen, and A. Mahmood. 2007. “Employees’ Behaviour Towards IS Security Compliance.” Waikoloa, Big Island, Hawaii.
  • Paternoster, R., and S. Simpson. 1996. “Sanction Threats and Appeals to Morality: Testing a Rational Choice Model of Corporate Crime.” Law and Society Review 30 (3): 549–584.
  • Podsakoff, P. M., S. B. MacKenzie, J.-Y. Lee, and N. P. Podsakoff. 2003. “Common Method Biases in Behavioral Research: A Critical Review of the Literature and Recommended Remedies.” Journal of Applied Psychology 88 (5): 879–903.
  • Posey, C., T. L. Roberts, P. B. Lowry, and R. T. Hightower. 2014. “Bridging the Divide: A Qualitative Comparison of Information Security Thought Patterns Between Information Security Professionals and Ordinary Organizational Insiders.” Information & Management 51: 551–567.
  • Prentice-Dunn, S., and R. W. Rogers. 1986. “Protection Motivation Theory and Preventive Health: Beyond the Health Belief Model.” Health Education Research 1 (3): 153–161.
  • Ringle, C., S. Wende, and A. Will. 2017. SmartPLS 3 Professional.
  • Rogers, R. W. 1975. “A Protection Motivation Theory of Fear Appeals and Attitude Change.” The Journal of Psychology 91 (1): 93–114.
  • Rogers, R. W. 1983. “Cognitive and Physiological Processes in Fear Appeals and Attitude Change: A Revised Theory of Protection Motivation.” In Social Psychology: A Sourcebook, edited by J. R. Cacioppo, and R. E. Petty, 153–176. New York, NY: Guilford Press.
  • Schultz, E. 2005. “The Human Factor in Security.” Computers & Security 24 (6): 425–426.
  • Shostack, A., and A. Stewart. 2008. The New School of Information Security. Boston: Addison Wesley.
  • Siponen, M. T. 2000. “A Conceptual Foundation for Organizational Information Security Awareness.” Information Management & Computer Security 8 (1): 31–41.
  • Siponen, M., M. A. Mahmood, and S. Pahnila. 2014. “Employees’ Adherence to Information Security Policies: An Exploratory Field Study.” Information & Management 51: 217–224.
  • Siponen, M., S. Pahnila, and A. Mahmood. 2006. “Factors Influencing Protection Motivation and IS Security Policy Compliance.” Innovations in Information Technology November: 1–5.
  • Siponen, M., S. Pahnila, and M. A. Mahmood. 2007. “Employees’ Adherence to Information Security Policies: an Empirical Study.” New Approaches for Security, Privacy and Trust in Complex Environments 232: 133–144.
  • Siponen, M., and A. Vance. 2010. “Neutralization: New Insights Into the Problem of Employee Information Systems Security Policy Violations.” MIS Quarterly 34 (3): 487–502.
  • Siponen, M., A. Vance, and R. Willison. 2012. “New Insights Into the Problem of Software Piracy: the Effects of Neutralization, Shame, and Moral Beliefs.” Information & Management 49: 334–341.
  • Son, J.-Y. 2011. “Out of Fear or Desire? Toward a Better Understanding of Employees’ Motivation to Follow IS Security Policies.” Information & Management 48: 296–302.
  • Straub, D. 1990. “Effective IS Security: An Empirical Study.” Information Systems Research 1 (3): 255–276.
  • Straub, D. W., and R. J. Welke. 1998. “Coping with Systems Risk: Security Planning Models for Management Decision Making.” MIS Quarterly 22 (4): 441–469.
  • Ungerman, M. 2005. “Creating and Enforcing an Effective Information Security Policy.” Information Systems Control Journal 6: 1–2.
  • Urbach, N., and F. Ahlemann. 2010. “Structural Equation Modeling in Information Systems Research Using Partial Least Squares.” Journal of Information Technology Theory and Application 11 (2): 5–40.
  • Vance, A., and M. Siponen. 2012. “IS Security Policy Violations.” Journal of Organizational and End User Computing 24 (1): 21–41.
  • Vance, A., M. Siponen, and S. Pahnila. 2012. “Motivating IS Security Compliance: Insights From Habit and Protection Motivation Theory.” Information & Management 49: 190–198.
  • Verizon. Data Breach Investigations Report 2018. 11th ed. Accessed May 2018. https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf.
  • Willison, R. 2002. Opportunities for Computer Abuse: Assessing a Crime Specific Approach in the Case of Barings Bank: PhD Thesis. London, England: London School of Economics & Political Science.
  • Willison, R., and J. Backhouse. 2006. “Opportunities for Computer Crime: Considering Systems Risk From a Criminological Perspective.” European Journal of Information Systems 15 (4): 403–414.
  • Willison, R., and M. Warkentin. 2013. “Beyond Deterrence: An Expanded View of Employee Computer Abuse.” MIS Quarterly 37 (1): 1–20.
  • Wood, C. C. 1997. “Policies Alone do not Constitute a Sufficient Awareness Effort.” Computer Fraud & Security 12: 14–19.
  • Wood, C. C., and W. W. Banks Jr. 1993. “Human Error: An Overlooked but Significant Information Security Problem.” Computers and Security 12 (1): 51–60.
  • Workman, M., W. H. Bommer, and D. Straub. 2008. “Security Lapses and the Omission of Information Security Measures: A Threat Control Model and Empirical Test.” Computers in Human Behavior 24 (6): 2799–2816.
