Abstract
Careless employees who do not comply with information security policies constitute a key threat to information security. To ensure that employees comply with their organizations' information security procedures, a number of information security policy compliance measures have been proposed in the past. Prior research has criticized these measures as lacking theoretically and empirically grounded principles for ensuring that employees comply with information security policies. To fill this gap, this paper advances a new model that explains employees' adherence to information security policies. In this model, we extend the Protection Motivation Theory (PMT) by integrating the General Deterrence Theory (GDT) and the Theory of Reasoned Action (TRA) with PMT. To test the model, we collected data (N = 917) from four different companies. The results show that threat appraisal, self-efficacy and response efficacy have a significant impact on intention to comply with information security policies. Sanctions have a significant impact on actual compliance with information security policies. Intention to comply with information security policies also has a significant impact on actual compliance with information security policies.
Please use the following format when citing this chapter: Siponen, M., Pahnila, S., and Mahmood, A., 2007, in IFIP International Federation for Information Processing, Volume 232, New Approaches for Security, Privacy and Trust in Complex Environments, eds. Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R., (Boston: Springer), pp. 133–144.
Copyright information
© 2007 International Federation for Information Processing
About this paper
Cite this paper
Siponen, M., Pahnila, S., Mahmood, A. (2007). Employees’ Adherence to Information Security Policies: An Empirical Study. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R. (eds) New Approaches for Security, Privacy and Trust in Complex Environments. SEC 2007. IFIP International Federation for Information Processing, vol 232. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-72367-9_12
DOI: https://doi.org/10.1007/978-0-387-72367-9_12
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-72366-2
Online ISBN: 978-0-387-72367-9