Original Articles

Predicting information security policy compliance intentions and behavior for six employee-based risks

Pages 260-281 | Received 10 Nov 2016, Accepted 07 Dec 2017, Published online: 29 Jan 2018

