Advanced search
Publication Cover
Behaviour & Information Technology Volume 41, 2022 - Issue 3
Submit an article Journal homepage
1,691
Views
2
CrossRef citations to date
0
Altmetric
Original Articles

More honour'd in the breach: predicting non-compliant behaviour through individual, situational and habitual factors

Alex Leeringa Communication and Information Studies, Radboud University, Nijmegen, The NetherlandsORCID Iconhttps://orcid.org/0000-0002-8587-932X
ORCID Icon,
Lidwien van de Wijngaerta Communication and Information Studies, Radboud University, Nijmegen, The NetherlandsCorrespondence[email protected]
ORCID Iconhttps://orcid.org/0000-0002-6714-4389
ORCID Icon &
Shahrokh Nikoub Faculty of Social Sciences, Business and Economics, Åbo Akademi University, Turku, Finland;c Department of Computer and Systems Sciences, Stockholm University, Stockholm, SwedenORCID Iconhttps://orcid.org/0000-0002-0029-5852
ORCID Icon
Pages 519-534 | Received 10 Apr 2020, Accepted 06 Sep 2020, Published online: 22 Sep 2020

References

  • Abawajy, J. 2014. “User Preference of Cyber Security Awareness Delivery Methods.” Behaviour & Information Technology 33 (3): 237–248.
  • Awang, Z. 2012. Structural Equation Modeling Using Amos Graphic. Shah Alam: UiTM Press.
  • Bandura, A. 1977. “Self-efficacy: Toward a Unifying Theory of Behavioural Change.” Psychological Review 84 (2): 191–215.
  • Bauer, S., E. W. Bernroider, and K. Chudzikowski. 2017. “Prevention is Better Than Cure! Designing Information Security Awareness Programs to Overcome Users’ Non-compliance with Information Security Policies in Banks.” Computers & Security 68: 145–159.
  • Beautement, A., M. A. Sasse, and M. Wonham. 2009. “The Compliance Budget: Managing Security Behaviour in Organisations.” In Proceedings of the 2008 Workshop on New Security Paradigms, 47–58. New York, USA: ACM.
  • Besedeš, T., C. Deck, S. Sarangi, and M. Shor. 2015. “Reducing Choice Overload Without Reducing Choices.” Review of Economics and Statistics 97 (4): 793–802.
  • Best, M., and E. K. Papies. 2017. “Right Here, Right Now: Situated Interventions to Change Consumer Habits.” Journal of the Association for Consumer Research 2 (3): 333–358.
  • Bouwman, H., and L. Van De Wijngaert. 2002. “Content and Context: An Exploration of the Basic Characteristics of Information Needs.” New Media & Society 4 (3): 329–353.
  • Bouwman, H., and L. Van de Wijngaert. 2009. “Coppers, Context and Conjoints: A Reassessment of TAM.” Journal of Information Technology 24: 186–201.
  • Bryan, S., L. Gold, R. Sheldon, and M. Buxton. 2000. “Preference Measurement Using Conjoint Methods: An Empirical Investigation of Reliability.” Health Economics 9 (5): 385–395.
  • Bryman, A., and E. Bell. 2014. Research Methodology: Business and Management Contexts. Cape Town, South Africa: Oxford University Press Southern Africa.
  • Bulgurcu, B., H. Cavusoglu, and I. Benbasat. 2010. “Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness.” MIS Quarterly 34 (3): 523–548.
  • Cavusoglu, H., H. Cavusoglu, J. Y. Son, and I. Benbasat. 2009. “Information Security Control Resources in Organizations: A Multidimensional View and their Key Drivers.” UBC Working Paper.
  • Chan, M., I. Woon, and A. Kankanhalli. 2005. “Perceptions of Information Security in the Workplace: Linking Information Security Climate to Compliant Behaviour.” Journal of Information Privacy and Security 1 (3): 18–41.
  • Chen, Y., K. Ramamurthy, and K.-W. Wen. 2012. “Organizations’ Information Security Policy Compliance: Stick or Carrot Approach?” Journal of Management Information Systems 29 (3): 157–188.
  • Choobineh, J., G. Dhillon, M. R. Grimaila, and J. Rees. 2007. “Management of Information Security: Challenges and Research Directions.” Communications of the Association for Information Systems 20 (1): 57.
  • Clancey, W. J. 1993. “Situated Action: A Neuropsychological Interpretation Response to Vera and Simon.” Cognitive Science 17 (1): 87–116.
  • Compeau, D. R., and C. A. Higgins. 1995. “Computer Self-Efficacy: Development of a Measure and Initial Test.” MIS Quarterly 19: 189–211.
  • Cooksey, R. W. 1996. Judgment Analysis: Theory, Methods, and Applications. San Diego, CA: Academic Press.
  • Corbett, P. B. 2012. “Mangled Shakespeare.” Ney York Times, January, 17. After deadline blogs. https://afterdeadline.blogs.nytimes.com/2012/01/17/mangled-shakespeare/.
  • Crossler, R. E., A. C. Johnston, P. B. Lowry, Q. Hu, M. Warkentin, and R. Baskerville. 2013. “Future Directions for Behavioral Information Security Research.” Computers & Security 32: 90–101.
  • Custers, R., and H. Aarts. 2010. “The Unconscious Will: How the Pursuit of Goals Operates Outside of Conscious Awareness.” Science 329 (5987): 47–50.
  • Debab, R., and W. K. Hidouci. 2018. “Boosting the Cloud Meta-Operating System with Heterogeneous Kernels. A Novel Approach Based on Containers and Microservices.” Journal of Engineering Science and Technology Review 11 (1): 103–108.
  • Dhillon, G., and J. Backhouse. 2001. “Current Directions in IS Security Research: Towards Socio- Organizational Perspectives.” Information Systems Journal 11 (2): 127–153.
  • Dijksterhuis, A., and H. Aarts. 2010. “Goals, Attention, and (un) Consciousness.” Annual Review of Psychology 61: 467–490.
  • Di Pietro, R., and L. V. Mancini. 2003. “Security and Privacy Issues of Handheld and Wearable Wireless Devices.” Communications of the ACM 46 (9): 74–79.
  • Ebata, A. T., and R. H. Moos. 1994. “Personal, Situational, and Contextual Correlates of Coping in Adolescence.” Journal of Research on Adolescence 4 (1): 99–125.
  • Fishbein, M., and I. Ajzen. 1975. Belief, Attitude, Intention, and Behaviour: An Introduction to Theory and Research.
  • Foth, M. 2016. “Factors Influencing the Intention to Comply with Data Protection Regulations in Hospitals: Based on Gender Differences in Behaviour and Deterrence.” European Journal of Information Systems 25 (2): 91–109.
  • Gonzalez, J. J., and A. Sawicka. 2002. “A Framework for Human Factors in Information Security.” In Wseas International Conference on Information Security, Rio de Janeiro, 448–187. Rio de Janeiro, Brazil.
  • Greifeneder, R., B. Scheibehenne, and N. Kleber. 2010. “Less may be More When Choosing is Difficult: Choice Complexity and too Much Choice.” Acta Psychologica 133 (1): 45–50.
  • Hair, J. F., C. M. Ringle, and M. Sarstedt. 2011. “PLS-SEM: Indeed a Silver Bullet.” Journal of Marketing Theory and Practice 19 (2): 139–152.
  • Hansman, S., and R. Hunt. 2005. “A Taxonomy of Network and Computer Attacks.” Computers & Security 24 (1): 31–43.
  • Hayes, B. E., J. Perander, T. Smecko, and J. Trask. 1998. “Measuring Perceptions of Workplace Safety: Development and Validation of the Work Safety Scale.” Journal of Safety Research 29 (3): 145–161.
  • Heiss, F., A. Leive, D. McFadden, and J. Winter. 2013. “Plan Selection in Medicare Part D: Evidence From Administrative Data.” Journal of Health Economics 32 (6): 1325–1344.
  • Henseler, J., C. M. Ringle, and M. Sarstedt. 2015. “A New Criterion for Assessing Discriminant Validity in Variance-Based Structural Equation Modelling.” Journal of the Academy of Marketing Science 43 (1): 115–135.
  • Herath, T., and H. R. Rao. 2009a. “Encouraging Information Security Behaviours in Organizations: Role of Penalties, Pressures and Perceived Effectiveness.” Decision Support Systems 47 (2): 154–165.
  • Herath, T., and H. R. Rao. 2009b. “Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations.” European Journal of Information Systems 18 (2): 106–125.
  • Hsu, J. S. C., S. P. Shih, Y. W. Hung, and P. B. Lowry. 2015. “The Role of Extra-Role Behaviors and Social Controls in Information Security Policy Effectiveness.” Information Systems Research 26 (2): 282–300.
  • Hu, Q., T. Dinev, P. Hart, and D. Cooke. 2012. “Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture.” Decision Sciences 43 (4): 615–660.
  • Hughes, R. 1998. “Considering the Vignette Technique and its Application to a Study of Drug Injecting and HIV Risk and Safer Behaviour.” Sociology of Health & Illness 20 (3): 381–400.
  • Humaidi, N., and V. Balakrishnan. 2015. “Leadership Styles and Information Security Compliance Behaviour: The Mediator Effect of Information Security Awareness.” International Journal of Information and Education Technology 5 (4): 311.
  • Hwang, I., D. Kim, T. Kim, and S. Kim. 2017. “Why Not Comply with Information Security? An Empirical Approach for the Causes of Non-Compliance.” Online Information Review 41 (1): 2–18.
  • Ifinedo, P. 2012. “Understanding Information Systems Security Policy Compliance: An Integration of the Theory of Planned Behaviour and the Protection Motivation Theory.” Computers & Security 31 (1): 83–95.
  • ISO/IEC. 2005. ISO/IEC 27002:2005: Information Technology – Security Techniques – Code of Practice for Information Security Management. Geneva: ISO/IEC.
  • Jasso, G. 2006. “Factorial Survey Methods for Studying Beliefs and Judgments.” Sociological Methods & Research 34 (3): 334–423.
  • Johnston, A. C., and M. Warkentin. 2010. “Fear Appeals and Information Security Behaviours: An Empirical Study.” MIS Quarterly 34: 549–566.
  • Karahanna, E., D. W. Straub, and N. L. Chervany. 1999. “Information Technology Adoption Across Time: A Cross-Sectional Comparison of pre-Adoption and Post-Adoption Beliefs.” MIS Quarterly 23: 183–213.
  • Kim, S. S., and Y. J. Kim. 2017. “The Effect of Compliance Knowledge and Compliance Support Systems on Information Security Compliance Behaviour.” Journal of Knowledge Management 21 (4): 986–1010.
  • Labrecque, J. S., W. Wood, D. T. Neal, and N. Harrington. 2017. “Habit Slips: When Consumers Unintentionally Resist New Products.” Journal of the Academy of Marketing Science 45 (1): 119–133.
  • Lee, C., C. C. Lee, and S. Kim. 2016. “Understanding Information Security Stress: Focusing on the Type of Information Security Compliance Activity.” Computers & Security 59: 60–70.
  • Limayem, M., S. G. Hirt, and C. M. Cheung. 2007. “How Habit Limits the Predictive Power of Intention: The Case of Information Systems Continuance.” MIS Quarterly 31:4: 705–737.
  • Malhotra, N. K., S. S. Kim, and J. Agarwal. 2004. “Internet Users’ Information Privacy Concerns (IUIPC): The Construct, the Scale, and a Causal Model.” Information Systems Research 15 (4): 336–355.
  • Mead, G. H. 1934. Mind, Self and Society. Vol. 111. Chicago: University of Chicago Press.
  • Mishra, S., and G. Dhillon. 2006. “Information Systems Security Governance Research: A Behavioural Perspective.” In 1st Annual Symposium on Information Assurance, Academic Track of 9th Annual NYS Cyber Security Conference, 27–35. New York, USA: ACSAC.
  • Neal, A., and M. A. Griffin. 1997, April. “Perceptions of Safety at Work: Developing a Model to Link Organizational Safety Climate and Individual Behaviour.” In 12th Annual Conference of the Society for Industrial and Organizational Psychology. St. Louis, MO.
  • Neal, D. T., W. Wood, M. Wu, and D. Kurlander. 2011. “The Pull of the Past: When do Habits Persist Despite Conflict with Motives?” Personality and Social Psychology Bulletin 37 (11): 1428–1437.
  • Ning, P., Y. Cui, D. S. Reeves, and D. Xu. 2004. “Techniques and Tools for Analysing Intrusion Alerts.” ACM Transactions on Information and System Security (TISSEC) 7 (2): 274–318.
  • Nunnally, J. C., and I. H. Bernstein. 1994. Psychometric Theory (3eme Edition).
  • Pahnila, S., M. Siponen, and A. Mahmood. 2007. “Employees’ Behaviour Towards IS Security Policy Compliance.” In HICSS 2007. 40Th Annual Hawaii International Conference on System Sciences, 2007, 156b–156b. Waikoloa, Hawaii, USA: IEEE.
  • Papies, E. K. 2016. “Health Goal Priming as a Situated Intervention Tool: How to Benefit From Nonconscious Motivational Routes to Health Behaviour.” Health Psychology Review 10 (4): 408–424.
  • Parsons, K., A. McCormac, M. Butavicius, M. Pattinson, and C. Jerram. 2014. “Determining Employee Awareness Using the Human Aspects of Information Security Questionnaire (HAIS-Q).” Computers & Security 42 (2): 165–176.
  • Pfleeger, S., and D. D. Caputo. 2012. “Leveraging Behavioural Science to Mitigate Cyber Security Risk.” Computers & Security 31 (4): 597–611.
  • Ponemon Institute. 2017. 2017 Cost of Data Breach Study: Global Overview. http://info.resilientsystems.com/hubfs/IBM_Resilient_Branded_Content/White_Papers/2017_Global_CODB_Report_Final.pdf
  • Porter, M. E. 2008. Competitive Advantage: Creating and Sustaining Superior Performance. New York, USA: Simon and Schuster.
  • Randle, O. A., and M. Y. Solange. 2017. “Critical Factors Influencing Employees Compliance with Information Security Policies of an Organization: Systematic Review and Meta-Analysis.” In 2017 International Conference on Information Society (i-Society), 28–33. Dublin, Ireland: IEEE.
  • Rossi, P. H., and S. L. Nock. 1982. Measuring Social Judgments: The Factorial Survey Approach. Beverly Hills, USA: SAGE Publications, Incorporated.
  • Rynes, S. L., D. P. Schwab, and H. G. Heneman, III. 1983. “The Role of Pay and Market Pay Variability in Job Applicant Decisions.” Organizational Behaviour and Human Performance 31: 353–364.
  • Safa, N. S., and M. A. Ismail. 2013. “A Customer Loyalty Formation Model in Electronic Commerce.” Economic Modelling 35: 559–564.
  • Safa, N. S., and R. Von Solms. 2016. “An Information Security Knowledge Sharing Model in Organizations.” Computers in Human Behaviour 57: 442–451.
  • Safa, N. S., R. Von Solms, and L. Futcher. 2016. “Human Aspects of Information Security in Organisations.” Computer Fraud & Security 2016 (2): 15–18.
  • Sarathy, R., and K. Muralidhar. 2002. “The Security of Confidential Numerical Data in Databases.” Information Systems Research 13 (4): 389–403.
  • Simons, D., and M. S. Jensen. 2009. “The Effects of Individual Differences and Task Difficulty on Inattentional Blindness.” Psychonomic Bulletin & Review 16 (2): 398–403.
  • Siponen, M. T. 2005. “An Analysis of the Traditional IS Security Approaches: Implications for Research and Practice.” European Journal of Information Systems 14 (3): 303–315.
  • Sommestad, T., J. Hallberg, K. Lundholm, and J. Bengtsson. 2014. “Variables Influencing Information Security Policy Compliance: A Systematic Review of Quantitative Studies.” Information Management & Computer Security 22 (1): 42–75.
  • Soomro, Z. A., M. H. Shah, and J. Ahmed. 2016. “Information Security Management Needs More Holistic Approach: A Literature Review.” International Journal of Information Management 36 (2): 215–225.
  • Soror, A. A., B. I. Hammer, Z. R. Steelman, F. D. Davis, and M. M. Limayem. 2015. “Good Habits Gone Bad: Explaining Negative Consequences Associated with the Use of Mobile Phones From a Dual-Systems Perspective.” Information Systems Journal 25 (4): 403–427.
  • Suchman, L. A. 1985. Plans and Situated Actions; The Problem of Human-machine Interaction. Xerox Corporation. Paolo Alto Research Centres, white paper.
  • Torten, R., C. Reaiche, and S. Boyle. 2018. “The Impact of Security Awarness on Information Technology Professionals’ Behaviour.” Computers & Security 79: 68–79.
  • Triandis, H. C. 1979. “Values, Attitudes, and Interpersonal Behaviour.” In Nebraska Symposium on Motivation, edited by H. Howe and M. Page, 195–259. Lincoln, USA: University of Nebraska Press.
  • Urbach, N., and F. Ahlemann. 2010. “Structural Equation Modelling in Information Systems Research Using Partial Least Squares.” Journal of Information Technology Theory and Application 11 (2): 5–40.
  • Vance, A., M. Siponen, and S. Pahnila. 2012. “Motivating IS Security Compliance: Insights From Habit and Protection Motivation Theory.” Information & Management 49 (3): 190–198.
  • Van de Wijngaert, L. 1999. Information Needs and New Media Choice. Enschede: Utrecht University/Telematica Instituut.
  • Van de Wijngaert, L., and H. Bouwman. 2009. “Would You Share? Predicting the Potential Use of a New Technology.” Telematics and Informatics 26 (1): 85–102.
  • Vermaas, K., and L. van de Wijngaert. 2005. “Seeking Health Information on the Internet-Different Genders, Different Uses, Different Risks.” In ECIS 2005 Proceedings. Vol. 1, 361–372. European Conference on Information Systems.
  • Verplanken, B., H. Aarts, and A. van Knippenberg. 1997. “Habit, Information Acquisition, and the Process of Making Travel Mode Choices.” European Journal of Social Psychology 27: 539–560.
  • Verplanken, B., and W. Wood. 2006. “Interventions to Break and Create Consumer Habits.” Journal of Public Policy & Marketing 25 (1): 90–103.
  • Von Solms, R., and J. van Niekerk. 2013. “From Information Security to Cyber Security.” Compuetrs & Security 38 (1): 97–102.
  • Vroom, C., and R. Von Solms. 2004. “Towards Information Security Behavioural Compliance.” Computers & Security 23 (3): 191–198.
  • Wood, W., and D. T. Neal. 2009. “The Habitual Consumer.” Journal of Consumer Psychology 19 (4): 579–592.
  • Yang, S., and K. Wang. 2009. “The Influence of Information Sensitivity Compensation on Privacy Concern and Behavioural Intention.” ACM SIGMIS Database: the DATABASE for Advances in Information Systems 40 (1): 38–51.
  • Yazdanmehr, A., and J. Wang. 2016. “Employees’ Information Security Policy Compliance: A Norm Activation Perspective.” Decision Support Systems 92: 36–46.

Related research

People also read lists articles that other readers of this article have read.

Recommended articles lists articles that we recommend and is powered by our AI driven recommendation engine.

Cited by lists all citing articles based on Crossref citations.
Articles with the Crossref icon will open in a new tab.