Original Articles

Critical Times for Organizations: What Should Be Done to Curb Workers’ Noncompliance With IS Security Policy Guidelines?
