Conference PaperPDF Available

Which Factors Explain Employees' Adherence to Information Security Policies? An Empirical Study.

  • January 2007
  • Conference: Pacific Asia Conference on Information Systems, PACIS 2007, Auckland, New Zealand, July 4-6, 2007
Authors:
Seppo Pahnila
Seppo Pahnila
Seppo Pahnila
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Mikko Siponen at University of Alabama
Mikko Siponen
M. Adam Mahmood
M. Adam Mahmood
M. Adam Mahmood
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Download full-text PDF
Read full-text
Download citation

Abstract and Figures

It is widely agreed that a key threat to information security is caused by careless employees who do not adhere to the information security policies of their organizations. In order to ensure that employees comply with the organization’s information security procedures, a number of information security policy compliance measures have been proposed in the past. Prior research has, however, criticized these measures as lacking theoretically and empirically grounded principles. To fill this gap in research, the present study advances a novel model that explains employees’ adherence to information security policies. This model modifies and combines the Protection Motivation Theory, the General Deterrence Theory, the Theory of Reasoned Action, the Innovation Diffusion Theory and Rewards. In order to empirically validate this model, we collected data (N=917) from four different companies. The findings show that direct paths from threat appraisal, self-efficacy, normative beliefs, and visibility to the intention to comply with IS security policies were significant. Response efficacy, on the other hand, did not have a significant effect on the intention to comply with IS security policies. Sanctions have a significant effect on actual compliance with IS security policies, whereas rewards did not have a significant effect on actual compliance with the IS security policies. Finally, the intention to comply with IS security policies has a significant effect on actual compliance with the IS security policies.
Figures - uploaded by Mikko Siponen
Author content
All figure content in this area was uploaded by Mikko Siponen
Content may be subject to copyright.
Content uploaded by Mikko Siponen
Author content
All content in this area was uploaded by Mikko Siponen on Apr 30, 2015
Content may be subject to copyright.
87. Which Factors Explain Employees’ Adherence to Information Security
Policies? An Empirical Study
Seppo Pahnila
University of Oulu, Finland
seppo.pahnila@oulu.fi
Mikko Siponen
University of Oulu, Finland
mikko.siponen@oulu.fi
Adam Mahmood
University of Texas,USA
mmahmood@utep.edu
Abstract
It is widely agreed that a key threat to information security is caused by careless employees
who do not adhere to the information security policies of their organizations. In order to
ensure that employees comply with the organization’s information security procedures, a
number of information security policy compliance measures have been proposed in the past.
Prior research has, however, criticized these measures as lacking theoretically and
empirically grounded principles. To fill this gap in research, the present study advances a
novel model that explains employees’ adherence to information security policies. This model
modifies and combines the Protection Motivation Theory, the General Deterrence Theory,
the Theory of Reasoned Action, the Innovation Diffusion Theory and Rewards. In order to
empirically validate this model, we collected data (N=917) from four different companies.
The findings show that direct paths from threat appraisal, self-efficacy, normative beliefs,
and visibility to the intention to comply with IS security policies were significant. Response
efficacy, on the other hand, did not have a significant effect on the intention to comply with IS
security policies. Sanctions have a significant effect on actual compliance with IS security
policies, whereas rewards did not have a significant effect on actual compliance with the IS
security policies. Finally, the intention to comply with IS security policies has a significant
effect on actual compliance with the IS security policies.
Keywords: information security compliance, protection motivation theory, general
deterrence theory.
Introduction
Information security incidents that organizations have confronted within the last few years
have increased. While in 1997-1999 surveys, 37-50% of the organizations were victims of
information security breaches (Thompson, 1997), the same numbers in the years 2001-2003
ranged from 75% to 91% (Bagchi & Udo, 2003, p. 684; Gordon & Loeb, 2002 p. 438-439;
Hinde 2002 p. 310).
In order to cope with increased information security threats, not only different technical
protection means (e.g., anti-virus software tools) but also information security policies
(Dhillon & Backhouse, 2001; Siponen, 2005; Villarroel et al. 2005) have been suggested in
the literature. Employees in organizations, unfortunately, seldom comply with these
information security techniques and policies, placing their organization’s assets and interests
in serious jeopardy (Stanton et al. 2005 p. 125). Effective information security, therefore,
requires that employees comply with information security (IS) policies and guidelines. In
order to address this crucial information security concern, several IS security policy
compliance measures, often referred to as information security awareness, education, and
enforcement approaches, have been proposed in the information security literature. Aytes and
Connolly (2003), Pahnila et al. (2007), Puhakainen (2006), Siponen (2000) and Siponen et al.
(2007) have criticized existing information security awareness approaches as lacking not only
theoretically grounded methods, but also there is no empirical evidence on their effectiveness.
These studies show that while 30 information security awareness, education and enforcement
approaches exist, only four approaches incorporate a theoretically and empirically grounded
model. Of these four, Woon et al. (2005) studied wireless network users, while Straub (1990)
and Straub and Welke (1998) focused on classical deterrence theory, and Aytes and Connolly
(2004) apply the Rational Choice Model. Thus, with the exception of the studies by Straub
(1990), Straub and Welke (1998), and Aytes and Connolly (2004), the existing information
security awareness, education and enforcement approaches do not offer a theoretical model
combined with evidence that explains why employees in organizations do not comply with
information security guidelines, nor do they consider what factors affect employees’
information security policy compliance. This paper fills this gap in research by first building
a new theoretical model, derived from the Protection Motivation Theory, the General
Deterrence Theory, the Theory of Reasoned Action, The Innovation Diffusion Theory and
Rewards, aimed at explaining how employees’ compliance with information security policies
and guidelines can be improved. The model is then empirically validated using a quantitative
survey.
The results of this study are of relevance to researchers and practitioners. Since the existing
studies on information security policy compliance present only anecdotal information as to
which factors explain employees’ adherence to information security policies (with the three
exceptions; see Aytes & Connolly, 2004; Straub, 1990; Straub & Welke, 1998; Woon et al.
(2005), is it of the utmost importance to study this matter. This information is also useful for
practitioners who want to obtain empirically validated information as to how they can
improve their employees’ adherence to information security policies, and in the process,
enhance the security of their organization’s information.
The second section of the paper proposes the research model and third part discusses the
research methodology. The empirical findings are presented in the fourth section. The fifth
section discusses the implications of the study for practice.
The Research Model to Explain Employees’ Adherence to IS security policies
In this section, we present the theoretical model (Fig 1) which is derived from the Protection
Motivation Theory, the Theory of Reasoned Action, the Innovation Diffusion Theory, the
General Deterrence Theory and Rewards. We next we discuss each element of the theoretical
model in detail.
Normative beliefs means expectations of colleagues, peers and superiors, which may have a
persuasive influence on whether or not an employee will adhere to a specific behavior norm
(Ajzen, 1991). In the context of IS security policy compliance, we suggest, based on the idea
of normative beliefs, that the behavior of managers, IS security staff and peers will have a
persuasive effect on employees’ IS security policy compliance. Hence, we hypothesize:
H1: Normative beliefs affect employees’ intention to comply with information security
policies.
Threat appraisal
Threat appraisal consists of two dimensions: perceived vulnerability and perceived severity.
Perceived vulnerability means conditional probability that a negative event will take place if
no measures are taken to counter it (Rippetoe and Rogers, 1987). In the context of our study,
the negative event is any information security threat. Therefore also in the context of our
study, perceived vulnerability refers to employees’ perceived assessment of whether their
organization is vulnerable to information security threats, and the immediacy of such threats
if no measures are undertaken to counter them.
In turn, perceived severity encompasses both psychological and physical harm the threat can
cause (Rippetoe and Rogers, 1987). In the context of our study, it means potential negative
consequences caused by information security breaches for the organization.
Figure 2. The research model explaining compliance with information security policies.
Here our assumption is that if an organization’s employees do not realize that they are really
confronted by information security threats (threat appraisal) and if they do not feel that these
threats can cause consequences with a destructive impact for the organization (perceived
severity), they will not comply with information security policies. Therefore, we hypothesize:
H2: Threat appraisal affects employees’ intention to comply with information security
policies.
Self-efficacy and response efficacy
Response efficacy and self-efficacy come from a coping appraisal, which is a component of
the Protection Motivation Theory (Rogers 1983; Rogers and Prentice-Dunn, 1997). Response
efficacy relates to the belief in the perceived benefits of coping action (Rogers, 1983). That
is, carrying out the coping action removes the threat. In our study, it means that adherence to
information security policies is an effective mechanism for detecting an information security
threat. Self-efficacy emphasizes the individual’s ability or judgment of their capabilities to
perform the coping response actions (Bandura 1977). To place self-efficacy theory in the
context of our study, it refers to the situation whereby workers’ beliefs on whether they can
apply and adhere to IS security policies will lead to compliance with these policies. Maddux
and Rogers (1982) found in their study that self-efficacy was the most powerful predictor of
intention. Therefore, we hypothesize:
H3: Self-efficacy affects employees’ intention to comply with information security
H4
H8
H7
H6
H5
H3
H2
H1
Sanctions
Threat appraisal
Intention to comply w ith
informat ion secu rity
policies
Actual complianc e with
informat ion secu rity
policies
Visibility
Rewards
Normative beliefs
Self-efficacy
Response efficacy
policies.
H4: Response efficacy affects employees’ intention to comply with information security
policies.
Visibility. In technology acceptance literature, visibility refers to the degree to which one can see
others using the system (Moore and Benbasat, 1991). In the computer abuse context, it refers to the
overall visibility of IS security in an organization which, through different IS security actions
(enforcement of IS security policies), reduces computer abuse within the organization (Straub, 1990).
In our study, visibility represents environmental information which has persuasive effect on the
cognitive process. Accordingly, IS security visibility refers to the degree to which one can see not
only IS security actions, campaigns, advertisements, and formal or informal information
communications within the organization, but also security measures outside the organization via
media. Hence, we hypothesize:
H5: Visibility affects employees’ intention to comply with information security policies.
Sanctions. The concept of deterrence has been a key focus of criminological theories for
more than thirty years. A leading theory in the field is the General Deterrence Theory,
originally developed for controlling criminal behaviour (Higgins et al. 2005). Traditionally,
the classical deterrence theory suggests that certainty, severity, and celerity of punishment,
affect people’s decision on whether to commit a crime or not (Higgins et al. 2005). Certainty
means that an individual believes that his or her criminal behavior will be detected, while
severity means that it will be harshly punished. In turn, celerity signifies that the detection
will occur at once. Straub (1990) found that stating penalties for information security policy
non-compliance increases proper information security behavior. However, studies by Straub
(1990) and Straub and Welke (1998) employ what Higgins et al. (2005) call the classical
deterrence theory. Therefore, these seminal studies by Straub (1990, Straub and Welke 1998)
do not address three important components of contemporary General Deterrence Theory:
social disapproval, self-disapproval and impulsivity. Social disapproval refers to the degree to
which family members, friends and co-workers disapprove of an action. Self-disapproval
refers to an individual’s feeling of shame, guilt, and embarrassment about an action, while
impulsivity means low self-control, that is, the inability of an individual to resist a temptation
toward criminal behavior when an opportunity for it exists. This leads to the following
hypothesis:
H6. Sanctions affect employees’ actual compliance with information security policies.
Rewards. Rewards can be used as effective means for cultivating interest and increasing motivation
and performance (Cameron and Pierce 2002 p. 20). Rewards can be tangible (e.g., money, gold stars,
medals, and awards) or intangible (praise by peers) - the use of rewards is individual: what may work
as reinforcement for one person may not work for another person (Cameron and Pierce 2002 p. 24).
Considering employees’ attitudes and intentions toward actual compliance, we can hypothesize:
H7. Rewards affect employees’ actual compliance of the security policies
Intention
Intention to comply with information security policies and actual compliance with
information security policies are based on the Theory of Reasoned Action (TRA) (Fishbein
and Ajzen 1975). Attitude indicates a person’s positive or negative feelings toward some
stimulus object (Ajzen 1991). According to Ajzen (1991), intentions capture the motivational
factors that have an influence on behavior, and they indicate how hard people are willing to
try to perform the behavior in question. According to TRA, the stronger the intention to
commit oneself to a form of behavior, the more likely the behavior will be carried out.
According to our model, the stronger the intention to comply with information security
policies is, the more likely the individual will actually comply with the information security
policies. Rogers and Prentice-Dunn (1997) suggest that the intentions are the most applicable
measure of protection motivation. Previous research on technology acceptance, for instance,
shows that intentions are good predictors of actual behavior (e.g., Venkatesh et al., 2003),
which is adherence to information security policies in the context of our study. In our study,
behavioral intention is an indicator of the effects of persuasion related to information security
policies. Thus, we can hypothesize:
H8. Employees’ intention to comply with information security policies has a significant
impact on actual compliance with information security policies.
Research methodology
According to Straub (1989) and Boudreau et al. (2001), using validated and tested questions will
improve the reliability of constructs and results. Accordingly, we used items that have been tried and
tested by previous studies, when available (Table 1).
Table 1. Summary of research constructs.
Construct Theoretical background Measures modified from
Intention to comply The Theory of Reasoned Action Agarwal and Prasad (1998)
Moon and Kim (2001)
Actual compliance The Theory of Reasoned Action Limayem and Hirt (2003), Heijden (2003)
Normative belief The Theory of Reasoned Action Karahanna, Straub and Chervany (1999)
Threat appraisal and copying
appraisal
Protection Motivation theory Roger and Prentice-Dunn (1997)
Visibility Innovation Diffusion Theory Moore and Benbasat (1991), Straub (1990)
Sanctions The General Deterrence Theory Higgins, Wilson and Fell (2005)
Rewards Rewards Cameron and Pierce (2002)
All the items are measured using a standard seven-point Likert scale (strongly disagree – strongly
agree). Since the measures presented in table 2 are not previously tested in the context of information
security policy compliance, the present research tests these measures in that context. Hence, the
questions were pilot tested using 15 people. Based on their feedback, the readability factor of the
questions was improved. The data was collected from four Finnish companies. A total 3130
respondents were asked to fill out the web-based questionnaire. Taking into consideration missing
data and invalid responses, we had a total of 917 reliable responses. Thus, the response rate of the
survey was 29.3 %, which can be deemed to be acceptable. One company did not include in their
questionnaire the measure “years in service”, as shown in Table 2.
In this study, the data analysis was conducted using SPSS 14.0 and AMOS 6.0 structural equation
modeling software (SEM). The use of a SEM should be based on theory and on the researcher’s clear
view of the suggested model, since SEMs do not include sophisticated methods for model
specification. AMOS is a tool based on covariance which can be used for confirmatory factor
analysis.
As mentioned earlier, the content validity of the instrument was ensured by using experts and
practitioners who assessed the used items. Convergent validity was ensured by assessing the factor
loadings and by calculating variance extracted. We conducted a single confirmatory factor analysis
for each of the constructs. As Table 3 shows, nearly all the model items loaded well, exceeding the
0.50 (Hair et al. 1998). There were two items which where slightly below 0.50, but they are
acceptable, exceeding the threshold 0.40. Divergent validity was assessed by computing the
correlations between constructs. Correlations between all pairs of constructs were below the threshold
value of 0.90. Variance extracted from all the constructs exceeded 0.5 (Hair et al. 2006). Internal
consistency reliability among the items was assessed by calculating Cronbach’s alpha. As Table 3
shows, Cronbach’s alpha exceeded the suggested value of 0.60 for all constructs. Hence, according to
results it seems that the reliability and validity of the constructs in the model are acceptable.
Results
The number of males (56.1%) and females (43.9%) are fairly equally distributed. Most of the
respondents are middle-aged, 31.3% representing the age group 31-40 and 30.0%
representing the age group 41-50 (Table 2).
Table 2. Descriptive statistics of the respondents
Frequen cy Percen t
Gender (N=917)
Male 514 56.1
Female 403 43.9
Age (N=919)
<30 135 14.7
31-40 288 31.4
41-50 276 30.0
>50 220 23.9
Years in service in the existing company (N=670)
<5 202 30.1
5-10 155 23.1
>10 313 46.8
Most respondents have long working experience. Over forty six percent of the respondents
(46.7 %) have served in their company for more than ten years. Quite often selection bias,
which simply means that the respondents of a study are not relevant representatives of the
sample, limits the generalizability of the results (Hair, 1998). In our study, gender and age
groups of the respondents were fairly equally distributed, and they covered a wide
geographical area. While these issues are important to minimizing bias (Hair, 1998),
nevertheless the selection bias has to be mentioned as a potential limitation in generalizing
the results of the present study.
Table 3. Mean and standard deviation of the constructs.
Construct Mean Standard deviation Min Max
Actual compliance 6.16 0.98 1 7
Intention to comply 6.35 0.88 1 7
Normative beliefs 6.29 0.97 1 7
Threat appraisal 5.72 0.99 1 7
Response efficacy 4.75 1.43 1 7
Self-efficacy 5.89 1.02 1 7
Visibility 4.55 0.82 1 7
Sanctions 3.80 1.58 1 7
Rewards 2.67 1.44 1 7
Table 4. Convergent validity and internal consistency and reliability
Construct Items Factor loading Variance extracted
Cronbach’s alpha
Actual compliance Actcomp1 0.65 0.81
0.84
Actcomp2 0.88
Actcomp3 0.89
Intention to
comply
Intcomp1 0.71 0.80
0.85
Intcomp2 0.86
Intcomp3 0.84
Normative beliefs Normbel1 0.80 0.77
0.87
Normbel2 0.92
Normbel3 0.73
Normbel4 0.70
Threat appraisal Thrappr1 0.54 0.62
0.76
Thrappr2 0.65
Thrappr3 0.60
Thrappr4 0.61
Thrappr5 0.70
Thrappr6 Dropped
Response efficacy Respeffi1 0.73 0.75
0.80
Respeffi2 0.88
Respeffi3 0.66
Self-efficacy Selfeffi1 Dropped 0.85
0.83
Selfeffi2 0.89
Selfeffi3 0.80
Visib ility Visibi1 0.54 0.54
0.61
Visib i2 0.4 5
Visib i3 0.5 6
Visib i4 0.5 9
Sanctions Sanctio1 0.91 0.83
0.90
Sanctio2 0.96
Sanctio3 0.89
Sanctio4 Dropped
Sanctio5 0.59
Sanctio6 Dropped
Rewards Reward1 0.46 0.74
0.77
Reward2 0.91
Reward3 0.84
The model was estimated using the maximum likelihood method. The fitness of the model
was tested using the goodness-of-fit statistics, which indicate the degree of compatibility
between the proposed model and the observed covariances and correlations. The fit indices
chosen for this study are based on the literature, and represent two different fit characteristics:
absolute fit and comparative fit. The chi-square test (2) with degrees of freedom, p-value and
sample size is commonly used as an absolute model fit criteria (Hoyle, 1995; Schumacker &
Lomax, 1996). The root-mean-square residual index (RMSEA) is used to assess the error due
to simplification of the hypothesized model. The Tucker-Lewis Index (TLI) and Comparative
Fit Index (CFI) are recommended for comparing the hypothesized model to the independent
model (Hoyle, 1995; Schumacker & Lomax, 1996). The fit indices indicate that the research
model provides a good fit with the data. The recommended fit criteria and the result of our
analysis are presented in Table 5.
Table 5. Fit criteria.
Model Criteria
212.717
df 6
p0.048
TLI 0.980 >0.9
CFI 0.997 >0.9
RMSEA 0.035 <0.05
The findings indicate that the direct paths from threat appraisal, self-efficacy, normative
beliefs and visibility to the intention to comply with IS security policies were significant.
Response efficacy, in turn, does not have a significant effect on intention to comply with IS
security policies (see table 6). Sanctions have significant effect on actual compliance with the
policies, whereas rewards did not have a significant effect on actual compliance. Intention to
comply with IS security policies has a significant effect on actual compliance with IS security
policies. The model accounts for 72 % (R2= 0.72) of the variance in intention to comply.
Standardized beta weight (ß) from intention to comply with IS security policies to actual
compliance with IS security policies was 0.40; p
0.05.
Table 6. Summary of hypotheses
Hypothesis Support
Intcomp Actcomp Supported
Thrappr Intcomp Supported
Respeffi Intcomp Not supported
Selfeffi Intcomp Supported
Normbel Intcomp Supported
Visib i Intcomp Supported
Sanctio Actcomp Supported
Reward Actcomp Not supported
Concluding discussion
The literature agrees that the major threat to information security is constituted by careless
employees who do not comply with organizations’ information security policies and
procedures. Hence, employees not only have to be aware of, but will also have to comply
with organizations’ information security policies and procedures. To address this important
concern, different information security awareness, education and enforcement approaches
have been proposed. Prior research on information security policy compliance has criticized
these extant information security policy compliance approaches as lacking theoretically
grounded and empirically validated principles to ensure that employees comply with
information security policies. In order to address these two problems in the literature, the
present research put forth a novel model in order to explain employees’ information security
compliance. The model combined the Protection Motivation Theory, the General Deterrence
Theory, the Theory of Reasoned Action, The Innovation Diffusion Theory and Rewards. The
proposed model was then empirically validated using data (N=917) collected from four
companies.
The findings of the present research indicated that the direct paths from threat appraisal, self-
efficacy, normative beliefs and visibility to intention to comply with IS security policies were
significant. Response efficacy, on the other hand, did not have a significant effect on
intention to comply with IS security policies. Sanctions also had a significant effect on actual
compliance with IS security policies whereas rewards did not have a significant effect on
actual compliance with them. Finally, intention to comply with IS security policies had a
significant effect on actual compliance.
The findings regarding threat appraisal suggest that employees should be made aware of the
information security threats and their severity and celerity for the organization by information
security staff. To be more precise, our findings regarding threat appraisal suggest that
information security personnel of an organization should emphasize to the employees that not
only are information security breaches becoming increasingly serious for the organization,
but also their severity with regard to conducting the normal business of the organization is
increasing.
Self-efficacy, as stated earlier, refers to the employees’ beliefs about whether they can apply
and adhere to information security policies. The present research empirically showed that
self-efficacy had a significant impact on intention to comply with information security
policies. The respondents do not see that the existence of security staff or IS security policies
as such keep the IS security breaches down. Instead, what is required, according to the results
of our study, is the respondents’ own actions in complying with IS security policies. This
finding also stresses the perceived relevance of information security policies. If information
security policies are not perceived as being relevant and sufficiently up-to-date for their work
by employees, they do not adhere to them. Yet, the finding also suggests that it is important
to ensure that, throughinformation security education, for example, employees really can use
information security measures.
Our results show that response efficacy does not have a significant effect on intention to
comply with information security policies. Sanctions have a significant impact on actual
compliance with information security policies. This is consistent with previous findings on IS
security that highlight the role of sanctions (Hoffer & Straub, 1989). This finding regarding
sanctions means in practice that practitioners need to state the sanctions for information
security policy non-compliance in a visible manner. In particular, it is important to get
employees to believe that their non-compliance with information security policies will be
detected and severe legal sanctions will take place. The findings suggest that the detection
must occur quickly. Also, on the basis of our findings regarding sanctions (social
disapproval) and normative beliefs, information security practitioners should realize that
social pressure towards information security policy compliance from top management,
immediate supervisor, peers and information security staff is important for ensuring
employees’ information security policy compliance. This is consistent with the findings that
the social environment has an effect on an individual’s behavior (Ajzen, 1991). To ensure
such social pressure, top management, immediate supervisors and information security staff
should explicitly make clear the importance of complying with information security policies
to their employees. This finding has implications for the information security education
strategy of organizations. In the light of our findings, organizations should pay special
attention to educating top management, immediate supervisors and information security staff
in order that they can spread the word on the importance of adhering to information security
policies, and in that way, create social pressure towards information security policy
compliance. This is definitely good news for large corporations who may have difficulty in
educating all their employees for practical reasons.
Our results suggest that visibility has a significant effect on intention to comply with IS
security policies. For practitioners, this means that IS security must be advocated in the
organization through education and campaigns in a visible manner. In other words, here the
importance is on the visibility, not the exact means by which the security matters are
advocated in organizations. External IS security visibility also has an impact on the cognitive
process of PMT. Potential sources of external visibility include news or commercials in
media such as newspapers, radio, the Internet or TV. For practitioners, this means that IS
security incidents reported in the media should be made visible to employees and these
should be discussed in organizations.
One possible explanation for rewards not having a significant effect on actual behavior is that
there may not be a tangible award system used in the organization. It is also possible that our
respondents did not receive any form of appreciation or positive acknowledgement for
complying with IS security policies from their organizations. Future research is needed to
study organizations that use both tangible and intangible reward systems to facilitate
adherence to IS security policy compliance.
Finally, intention to comply with information security policies had a significant impact on
actual compliance with information security policies. This is consistent with the literature in
the area of technology acceptance: the intention to use a form of technology is shown to
correlate with the actual use of that technology (Venkatesh et al., 2003).
References
Agarwal, R. and J. Prasad. "Conceptual and Operational Definition of Personal
Innovativeness in the Domain of Information Technology." Information Systems
Research, 1998, 9:2, pp. 204-215.
Ajzen, I. "The Theory of Planned Behavior", Organizational Behavior and Human Decision
Processes 50:2, 1991, pp.179-211.
Aytes, K. and Connolly, T. “A Research Model for Investigating Human Behavior Related to
Computer Security”, Proceedings of the 2003 American Conference On Information
Systems, Tampa, FL, August 4-6. 2003.
Aytes, K. and Connolly, T. “Computer and Risky Computing Practices: A Rational Choice
Perspective”, Journal of Organizational and End User Computing, 16:2, 2004, pp. 22-40.
Bagchi, K. and Udo, G. “An analysis of the growth of computer and Internet security
breaches”, Communications of AIS 12, 2003, pp. 684–700.
Bandura, A. "Self-Efficacy: Toward a Unifying Theory of Behaviour Change", Psychological
Review 84:2, 1977, pp. 191-215.
Boudreau, M.-C., Gefen, D. and Straub, D. W. "Validation in information systems research:
A state-of-the-art assessment." MIS Quarterly 25:1, 2001, pp. 1-16.
Cameron, J. and Pierce, W. Rewards and intrinsic motivation. Westport, Conn: Bergin &
Garvey, 2002.
Dhillon, G. and Backhouse, J. “Current directions in information security research: toward
socio-organizational perspectives”, Information Systems Journal, 2001, 11:2.
Fishbein,M.andAjzen,I.Belief,Attitude, Intention and Behavior: An Introduction to
Theory and Research. MA, Addison-Wesley. 1975.
Gordon, L & Loeb, M. The economics of information security investment. ACM
Transactions on Information and System Security, 2002, 5:4, pp. 438-457.
Hair, J.F.J., Anderson, R.E., Tatham, R.L., and Black, W. C. Multivariate data analysis.5th
ed: Upper Saddle River, New Jersey, Prentice Hall Inc, 1998.
Hair,J.F.J.,Black,W.C.,Babin,B.J.Anderson,R.E.,Tatham,R.L.Multivariate data
analysis. 6th ed. Pearson Prentice Hall, 2006.
Heijden, H. V. D. "Factors influencing the usage of websites: the case of a generic portal in
The Netherlands." Information & Management, 2003, 40, pp. 541-549.
Hoffer, J. A. and D. W. Straub. "The 9 to 5 Underground: Are you Policing Computer
Crimes." Sloan Management Review, 1989, 30:4, pp. 35-43.
Hoyle, R.H. Structural Equation Model. Concepts, Issues, and Applications,H.R.Hoyle
(ed.), SAGE publications, Inc, 1995.
Higgins, G.E., Wilson, A.L. and Fell, B.D. “An Application of Deterrence Theory to
Software Piracy”, Journal of Criminal Justice and Popular Culture, 2005, 12:3, pp. 166-
184.
Hinde, S. “Security surveys spring crop”, Computers & Security, 2002, 21:4, pp. 310-321.
Karahanna, E., Straub, D. W. and Chervany, N. L. "Information technology adoption across
time: A cross-sectional comparison of pre-adoption and post-adoption beliefs", MIS
Quarterly, 1999, 23:2, pp. 183-213.
Limayem, M., and Hirt, S.G. “Force of Habit and Information Systems Usage: Theory and
Initial Validation”, Journal of Association for Information Systems, 2003, 4, pp. 65-97.
Moon, J.-W. and Y.-G. Kim. "Extending the TAM for a World-Wide-Web context."
Information & Management, 2001, 38, pp. 217-230.
Moore, G.C. and Benbasat, I. “Development of an Instrument to Measure the Perceptions of
Adopting an Information Technology Innovation”. Information Systems Research, 1991,
2:3, pp. 191-222.
Pahnila, S., Siponen, M., Mahmood, A. ”Employees’ Behavior Towards IS Security Policy
Compliance”. Proceedings of 2007 Hawaii International Conference on System Sciences,
2007.
Puhakainen, P. A design theory for information security awareness. Unpublished Ph.D.
Thesis, Oulu, Finland, 2006.
Rippetoe, S. and Rogers, R. W., “Effects of Components of Protection - Motivation Theory
on Adaptive and Maladaptive Coping with a Health Threat”, Journal of Personality and
Social Psychology, 1987, 52:3, pp. 596-604.
Rogers, R. W. “Cognitive and Physiological Processes in Fear Appeals and Attitude Change:
A Revised Theory of Protection Motivation Theory”, in Social Psychophysiology,J.
Cacioppo and R. Petty (Eds.), Guilford, New York, 1983.
Rogers, R. W. and Prentice-Dunn, S. “Protection motivation theory”, In D. S. Gochman
(Ed.), Handbook of Health Behavior Research I: Personal and Social Determinants,New
York, NY, Plenum Press, 1997, pp. 113-132.
Schumacker, R.E. and R.G. Lomax, A Beginner's Guide to Structural Equation Modeling,
Mahwah, New Jersey: Lawrence Erlbaum Associates, 1996, pp. 288.
Siponen, M. “A Conceptual Foundation for Organizational Information Security Awareness”,
Information Management & Computer Security, 2000, 8:1, pp. 31-41.
Siponen, M.T. “Analysis of modern information security development approaches: towards
the next generation of social and adaptable ISS methods”, Information and organization,
2005, 15:4, pp. 339-375.
Siponen, M. T., Pahnila, S., Mahmood, A. Adherence to Information Security Policies: An
Empirical Study. Proceedings of the IFIP SEC2007, Sandton, Gauteng, South Africa,
2007.
Stanton, J. M., Stam, K. R., Mastrangelo, P. and Jolton, J. “An analysis of end user security
behaviors”, Computers & Security, 2005, 24, pp. 124-133
Straub, D. W. “Validating Instruments in MIS Research", MIS Quarterly, 1989, 13:2, pp.
147-169.
Straub, D.W. "Effective IS Security: An Empirical Study", Information Systems Research,
1990, 1:3, pp. 255-276.
Straub, D.W. and Welke, R.J. "Coping with Systems Risk: Security Planning Models for.
Management Decision-Making", MIS Quarterly, 1998, 22:4, pp. 441-469.
Thompson, D. “1997 Computer crime and security survey”, Information Management &
Computer Security, 1998, 6:2, pp. 78–101.
Venkatesh, V., Morris, M. G., Davis, G. B. and Davis, F. D. "User Acceptance of
Information Technology: Toward a Unified View", MIS Quarterly, 2003, 27:3, pp. 425-
478
Villarroel, R., Fernández-Medina, E. and Piattini, M. “Secure information systems
development – a survey and comparison”, Computers & Security, 2005, 24:4, pp. 308-
321.
Woon, I. M. Y., Tan, G. W. and Low, R. T. “A Protection Motivation Theory Approach to
Home Wireless Security”, Proceedings of the Twenty-Sixth International Conference on
Information Systems, Las Vegas, 2005, pp. 367-380.
... Sanctions and rewards are common mechanisms of behaviour influence, however their effectiveness in influencing ISSP compliance has accumulated mixed evidence. While some authors showed that sanctions have a significant effect on actual compliance (e.g., Ref. [79]) or intention to comply (e.g., Ref. [16]), others showed the opposite (e.g., Refs. [80], [81]). ...
... For example, in their laboratory study, Liu et al. [59] showed that monetary incentives were effective in encouraging risk-avoiding behaviours in freshmen students; however, the generalizability of these results to workplace behaviour in the real world remains to be shown. On the other hand, Parsons et al. [85] found that rewards did not contribute to effective information security decision making, and Pahnila et al. [79] and Pahnila et al. [80] showed that rewards did not have a significant effect on compliance with ISSPs. In their review, Sommestad et al. [15] concluded that sanctions and rewards were poor predictors of compliance. ...
... Even though there is considerable evidence that supports the link between intention and behaviour (e.g., Refs. [79], [106], [15]), there has been some contradictory evidence, e.g., Gerber et al. [19] found that intention to comply was a poor predictor of actual security compliance. While acknowledging the challenges in measuring the actual compliance behaviour, Crossler et al. [107] argued against relying on measuring intentions instead of the actual behaviour pointing out that intentions do not always lead to actions and that intention without action can lead to a security breach. ...
Human Systems Integration Approach to Cyber Security NATO STO Technical Report
Technical Report
Full-text available
  • Jun 2020
Human Systems Integration Approach to Cyber Security (STO-TR-HFM-259) Executive Summary PURPOSE The NATO Science and Technology Organization (STO) Human Factors and Medicine (HFM) Panel 259 Research Task Group (RTG), titled Human Systems Integration Approach to Cyber Security, was established to promote cooperative human-centred research activities in a NATO framework on the complex phenomenon of cyber security as a socio-technical system. The idea was to implement a common research perspective to study cyber security that focuses on the interrelatedness between technology and software developments, concepts, strategies and doctrines, organizational processes improvement and human performance. More precisely, the goals of the HFM-259 RTG were: • Identification and mitigation of potential cyber security vulnerabilities due to the role of people in the system; • To study specific issues related to selection, education, training and retention of cyber force, and to identify the spectrum of Knowledge, Skills, and Abilities that IT experts need for efficient performance; • To suggest possible approaches to improve resilience to cyber attacks at individual, team and organization level; • To develop human factors support tools for enhancing individual and group cyber security sensitivity; and • Improving human-machine interfaces in cyber security. RESULTS, SIGNIFICANCE TO NATO AND PRACTICAL IMPLICATIONS The foundation for the application of the Human Systems Integration (HSI) approach to cyber security is laid out in Chapter 2. The chapter defines the general human system integration approach and its domains and discusses how these domains apply to cyber security. The central point in the NATO STO HFM-259 Program of Work was the development of the Human Systems Integration Framework for Cyber Security. This framework was a necessary step to gather and collate available information (reports, papers, concepts, doctrines, strategies, etc.) with respect to human factors involved in cyber security. The underlying assumption was that humans are significant nodes in cyber system, and therefore their behaviour influences the (in)security of this system. As a next step we tested the developed framework via subject-matter-expert interviews in each participating nation and implemented the ontology into software system (database and tool), which included populating with collected sources. The primary step in the development of the HSI framework to study cyber security was the actual coding process. ES - 2 STO-TR-HFM-259 The team coded 230 information sources. At the final stage we used the developed knowledge base and analytical tool to study interrelationships among different concepts, factors, actors, etc. and to write this Technical Report. Chapter 3 describes the development of the HSI Framework for Cyber Security, its structure, validation, and population with information sources. Chapter 3 also discusses the types of analyses that could be conducted using the framework. The analyses provide useful insights into how different aspects of user behaviour and cognition increase or decrease cyber security. The following four chapters, i.e., Chapters 4 – 7, discuss some of these theoretical and practical insights in more detail. Chapter 4 focuses on the individual perspective and examines how understanding of various aspects of human cognition, decision making and resulting behaviour can inform our understanding of cyber security. Chapter 5 takes on an organizational focus and examines factors associated with security policy management and its effectiveness, i.e., Information Systems Security Policy compliance. Chapter 6 presents some initial recommendations for how to recruit, select, train, and retain cyber security personnel. Chapter 7 discusses the general overarching cyber security considerations for learning and education. The last three chapters discuss the efforts to disseminate the work (Chapter 8), offer a general discussion of the findings (Chapter 9) and provide a list of the sources used to inform this work (Chapter 10). In brief, the NATO STO HFM-259 team developed and tested an HSI framework to study cyber security, knowledge base and used sophisticated software tooling to analyse the role of human factors in cyber security. The products of our work (database and tool) are available to be used by NATO STO and interested national institutions of the contributing nations: Bulgaria, Canada, Germany, the Netherlands, Sweden, Ukraine and the USA. We believe that our report will be useful for both cyber security experts and military commanders for better understanding of individual and organizational factors influencing cyber security, raising cyber security awareness and building cyber security culture, mitigating insider threats, as well as improving selection, education, training and retention of cyber force. STO-TR-HFM-259 ES - 3 Démarche d’intégration humain-systèmes appliquée à la cybersécurité (STO-TR-HFM-259) Synthèse OBJET Commission sur les facteurs humains et la médecine (HFM) de l’Organisation pour la recherche et la technologie (RTO) de l’OTAN. Le groupe de travail (RTG) 259, intitulé « Démarche d’intégration humain-systèmes appliquée à la cybersécurité », a été créé pour favoriser les activités coopératives de recherche axée sur l’humain dans le cadre OTAN, à propos du phénomène complexe qu’est la cybersécurité en tant que système sociotechnique. L’idée était d’appliquer une perspective de recherche commune à la cybersécurité, qui se concentre sur l’interdépendance entre les progrès de la technologie et des logiciels, les concepts, stratégies et doctrines, l’amélioration des processus organisationnels et les performances humaines. Plus précisément, les objectifs du RTG HFM-259 étaient les suivants : • Identification et atténuation des vulnérabilités potentielles de cybersécurité, dues au rôle des personnes dans le système ; • Étude de questions particulières liées à la sélection, l’éducation, la formation et la conservation de la cyberforce et identification du spectre des connaissances, compétences et aptitudes dont les spécialistes des technologies de l’information ont besoin pour être performants ; • Suggestion de démarches possibles pour améliorer la résilience face aux cyberattaques au niveau individuel, de l’équipe et de l’organisation ; • Mise au point d’outils de soutien des facteurs humains, améliorant la sensibilité des individus et des groupes à la cybersécurité ; • Amélioration des interfaces humain-machine dans le domaine de la cybersécurité. RÉSULTATS, IMPORTANCE POUR L’OTAN ET IMPLICATIONS PRATIQUES Le fondement de l’application de la démarche d’intégration humain-systèmes (HSI) à la cybersécurité est exposé au chapitre 2. Ce chapitre définit la démarche générale d’intégration humain-systèmes et ses domaines et discute de l’application de ces domaines à la cybersécurité. L’élaboration d’un cadre d’intégration humain-systèmes pour la cybersécurité était au cœur du programme des travaux du HFM-259 de la STO de l’OTAN. Ce cadre constituait une étape nécessaire pour réunir et collationner les informations disponibles (rapports, articles, concepts, doctrines, stratégies, etc.) au sujet des facteurs humains impliqués dans la cybersécurité. Selon l’hypothèse sous-jacente, les humains représentaient des nœuds importants du cybersystème et leur comportement influençait la sécurité ou l’insécurité de ce système. Nous avons ensuite testé le cadre élaboré en interrogeant des spécialistes de chaque pays participant et avons mis en œuvre l’ontologie dans le système logiciel (base de données ES - 4 STO-TR-HFM-259 et outil), ce qui incluait de l’alimenter avec les sources collectées. L’étape principale d’élaboration du cadre HSI visant à étudier la cybersécurité était le processus de codage réel. L’équipe a codé 230 sources d’information. À l’étape finale, nous avons utilisé la base de connaissances et l’outil d’analyse mis au point pour étudier les interrelations entre les différents concepts, facteurs, acteurs, etc., et pour rédiger le présent rapport technique. Le chapitre 3 décrit l’élaboration du cadre HSI destiné à la cybersécurité, sa structure, sa validation et son remplissage à l’aide des sources d’information. Le chapitre 3 traite également des types d’analyses qui ont pu être menées à l’aide du cadre. Les analyses en question fournissent de précieuses connaissances sur la manière dont les différents aspects du comportement et de la cognition de l’utilisateur augmentent ou diminuent la cybersécurité. Les quatre chapitres suivants, autrement dit, les chapitres 4 à 7, détaillent quelques-unes de ces connaissances théoriques et pratiques. Le chapitre 4 se focalise sur l’individu et examine en quoi la compréhension des divers aspects de la cognition humaine, de la prise de décision et du comportement qui en résulte peut éclairer notre compréhension de la cybersécurité. Le chapitre 5 adopte un point de vue organisationnel et étudie les facteurs associés à la gestion de la politique de sécurité et à son efficacité, autrement dit, le respect de la politique de sécurité des systèmes d’information. Le chapitre 6 présente quelques recommandations initiales en matière de recrutement, sélection, formation et conservation du personnel de cybersécurité. Le chapitre 7 discute des considérations générales de cybersécurité relatives à l’apprentissage et à l’éducation. Les trois derniers chapitres traitent des actions de diffusion des travaux (chapitre 8), présentent les conclusions de manière générale (chapitre 9) et fournissent une liste des sources utilisées pour les présents travaux (chapitre 10). En bref, l’équipe du HFM-259 de la STO de l’OTAN a mis au point et testé une base de connaissances et un cadre de HSI pour étudier la cybersécurité et s’est servi d’outils logiciels sophistiqués pour analyser le rôle des facteurs humains dans la cybersécurité. Les produits de nos travaux (base de données et outil) sont à la disposition de la STO de l’OTAN et des institutions nationales intéressées au sein des pays contributeurs (Bulgarie, Canada, Allemagne, Pays-Bas, Suède, Ukraine et États-Unis). Nous estimons que notre rapport sera utile à la fois aux spécialistes en cybersécurité et aux commandants militaires et leur permettra (i) de mieux comprendre les facteurs individuels et organisationnels qui influencent la cybersécurité ; (ii) d’améliorer la sensibilisation à la cybersécurité ; (iii) d’établir une culture de la cybersécurité, en atténuant la menace interne ; et (iv) d’améliorer la sélection, l’éducation, la formation et la conservation de la cyberforce.
View
... Yet, they found formal sanctions to be fully or partially effective (as demonstrated in Figure 1 and Appendix 2). For example, sanctions have been reported to deter cyberloafing or the non-work-related use of Internet (e.g., Ugrin et al., 2007;Pahnila et al., 2007;Peace et al., 2008). Another example is a meta-analysis (Trang & Brendel, 2019) suggesting that sanction certainty has a higher correlation with good behavior (e.g., ISP compliance) than with bad behavior (ISP non-compliance). ...
... • 1 article incorporates the assumption in the study design (Guo et al., 2011). • 2 articles invoke the assumption (post-hoc) to explain the non-significant results (Chen et al., 2018;Moody et al., 2018 (Balozian & Leidner, 2017;Bulgurcu et al., 2010;D'Arcy & Hovav, 2009;D'Arcy et al., 2009;Harrington, 1996;Hovav & D'Arcy, 2007;Knapp et al., 2007;Lee & Lee, 2002;Lee et al., 2004;Lowry et al., 2017;Pahnila et al., 2007;Peace et al., 2003;Siponen et al., 2007;Straub, 1990;Straub & Welke, 1998;Theoharidou et al., 2005;. ...
Common Misunderstandings of Deterrence Theory in Information Systems Research and Future Research Directions
Article
Full-text available
  • Jan 2021
In the 1980s, information systems (IS) borrowed deterrence theory (DT) from the field of criminology to explain information security behaviors (or intention). Today, DT is among the most commonly used theories in IS security research. Our review of IS research applying DT highlights that many fundamental assumptions of DT are unrecognized and therefore unexamined. This may have resulted in misunderstandings and conceptual confusions regarding some of the basic concepts of DT. For example, some IS studies confuse general deterrence with specific deterrence or do not recognize the difference between the two. Moreover, these fundamental assumptions, when directly examined, may provide important information about the applicability of DT in certain IS security contexts. This research commentary aims to identify and discuss some of the fundamental assumptions of DT and their implications for IS research. By examining these assumptions, IS researchers can study the previously unexplored aspects of DT in different IS contexts. Further, by recognizing these assumptions, IS scholars can revise them and build new variants of DT to better account for specific characteristics of IS behaviors and contexts.
View
... To address violation of information security policies, the extant literature in information security favours the use of sanctions and rewards with assumption that users of information system intentionally chose to violate the policies (Bulgurcu, Cavusoglu, & Benbasat, 2010;D'Arcy, Hovav, & Galletta, 2009;Pahnila, Siponen, & Mahmood, 2007) and ignored the role played by other factors such as employee's organization commitment. Paine (1994) argue that over-emphasis on sanctions may be superfluous and counterproductive; causing employees to rebel against the control measures. ...
... Past studies focused on acceptance or intention to comply or compliance with security policies in organizations (Bulgurcu, Cavusoglu, & Benbasat, 2010;D'Arcy, Hovav, & Galletta, 2009;Hu et al., 2012;Ifinedo, 2012Ifinedo, , 2014Pahnila, Siponen, & Mahmood, 2007). However, initial intention or acceptance of information systems does not necessarily imply that users will continue to use the information system (Bhattacherjee, 2001;Zhao, Stylianou, & Zheng, 2013), the same applies to security policy. ...
SECURITY POLICY COMPLIANCE IN PUBLIC INSTITUTIONS: AN INTEGRATIVE APPROACH
Article
  • Jan 2018
The success of organizational information security policies depends on employee’s continuous compliance from the time when it was first introduced into the organization. Hence, the purpose of this study is to investigate continuous compliance with information security policy among public organizations. Data were collected from 265 employees working in Tanzania public organizations. Data analysis employed a Structural Equation Modelling (SEM) approach. The study found that the effects of organizational commitment, perceived susceptibility and perceived severity have a positive influence on employee’s continuance intention to comply with security policies, while perceived barriers have a negative influence. Moreover, the effects of perceived benefits, self-efficacy, cues and information security awareness have no significant influence. Based on these findings, recommendations were given. There is a paucity of empirical research which investigates key issues that may influence information security policy continuous compliance in organizations. This study addresses this research gap, by integrating the Health Belief Model (HBM) with employee’s organizational commitment and information security awareness constructs to investigate information security policy continuance compliance in organizations.
View
... The interdisciplinary nature of cybersecurity SE research has led from a "general scarcity of theoretical models to guide IT researchers" (Henry and Stone, 1997, p. 526) to broad construct definitions across scientific disciplines and communities, and in consequence, a blurred terminology of self-efficacy has emerged (e.g., computer self-efficacy (Marakas, Johnson and Clay, 2007); internet self-efficacy (Eastin and LaRose, 2000); privacy self-efficacy (Youn, 2009); self-efficacy in information security (Rhee et al., 2009); security self-efficacy (McGill and Thompson, 2017); cybersecurity SE (Anwar, He, Ash, Yuan, Li and Xu, 2017); self-efficacy to comply with information security policy (Bulgurcu, Cavusoglu and Benbasat, 2010); coping self-efficacy (Siponen, Pahnila and Mahmood, 2007)). Hence, there is a risk that the cybersecurity SE literature suffers from the jingle-jangle fallacy (Flake and Fried, 2020): The jingle fallacy refers to the belief that two instruments measure the same constructs because they share a similar name, whereas a jangle fallacy would be the similarly incorrect belief that differently named instruments indeed measure distinct constructs (Flake and Fried, 2020). ...
A Decade of Dividedness: A Preregistered Systematic Review of the Cybersecurity Self-Efficacy Methods
Preprint
  • Jan 2023
Recent challenges in IT security and privacy have heightened interest in cybersecurity Self-Efficacy (SE) as means to influence security-related behaviors. Based on diverging definitions and underlying theories, research methods vary considerably in the field of cybersecurity SE. This may hinder building a replicable evidence base that serves practitioners to effectively foster cybersecurity SE. We report a preregistered systematic literature review investigating (a) instruments constructed to measure cybersecurity SE, (b) proposed roles of self-efficacy, and (c) methods utilized for manipulative interventions. In addition, special emphasis is placed on smart home research to explore the relevant boundaries of the cybersecurity SE literature in terms of IT context-dependent research methods. The final sample included 174 empirical studies from 18 databases with a combined sample size of 55,758 subjects that were published in English between 2010 and 2021 and measured cybersecurity SE. Effects of selection bias were minimized by detailed exclusion criteria, interdisciplinary search strategy, randomization process, double coding, and transparency scope. Results were synthesized narratively and thematically on a level of descriptive statistics and network analyses. We counted 173 different cybersecurity SE measures and analyzed their psychometric quality with respect to reliability and validity. 276 variables were assumed to be causes and/or outcomes of cybersecurity SE. This review demonstrates the current extent of dividedness in cybersecurity SE research methods. We conclude our review with six recommendations that might inspire our research community toward standardization.
View
... Sanctions and penalties can be used to reinforce security behavior ( Beautement et al., 2009 ). Finally, upper management can encourage users to adhere to security recommendations through creating a pro-security culture ( Pahnila et al., 2007 ). CSEs and professionals also highlighted the importance of creating a culture that motivates and appreciates security behavior -even and especially under time pressure. ...
Time Pressure in Human Cybersecurity Behavior: Theoretical Framework and Countermeasures
Article
Cybersecurity is a growing concern for private individuals and professional entities. Reports have shown that the majority of cybersecurity incidents occur because users fail to behave securely. Research on human cybersecurity (HCS) behavior suggests that time pressure is one of the important driving factors behind non-secure HCS behavior. However, there is limited conceptual work to guide researchers and practitioners in this regard. Against this backdrop, we investigate how the impact of time pressure on HCS behavior can be conceptualized within an integrative framework and which countermeasures can be used to reduce its negative impact. Altogether, we conducted 35 interviews with cybersecurity experts, non-security professionals, and private users. The results of our study shed light on the theoretical pathways through which time pressure can affect different types of security behaviors and identify a range of operational, human, technical, and physical countermeasures with important implications for research and practice.
View
... Sanctions and penalties can be used to reinforce security behavior ( Beautement et al., 2009 ). Finally, upper management can encourage users to adhere to security recommendations through creating a pro-security culture ( Pahnila et al., 2007 ). CSEs and professionals also highlighted the importance of creating a culture that motivates and appreciates security behavior -even and especially under time pressure. ...
Time Pressure in Human Cybersecurity Behavior: Theoretical Framework and Countermeasures
Article
Cybersecurity is a growing concern for private individuals and professional entities. Reports have shown that the majority of cybersecurity incidents occur because users fail to behave securely. Research on human cybersecurity (HCS) behavior suggests that time pressure is one of the important driving factors behind non-secure HCS behavior. However, there is limited conceptual work to guide researchers and practitioners in this regard. Against this backdrop, we investigate how the impact of time pressure on HCS behavior can be conceptualized within an integrative framework and which countermeasures can be used to reduce its negative impact. Altogether, we conducted 35 interviews with cybersecurity experts, non-security professionals, and private users. The results of our study shed light on the theoretical pathways through which time pressure can affect different types of security behaviors and identify a range of operational, human, technical, and physical countermeasures with important implications for research and practice.
View
Privacy concerns and protection behavior during the Covid-19 pandemic
Article
Full-text available
  • Apr 2022
This paper aims to analyze the protection behavior of employees while working remotely during the Covid-19 pandemic using online video chat software. This pandemic changed the way organizations work, managers meet with employees, and employees communicate. An e-mail-based survey among computer users who use video chat software for remote working is employed in this study. Using 306 responses, structural equation modeling explores the relationship between privacy concerns, protection behavior, and antecedents. The technological changes induced due to Covid-19 influence privacy concerns and protection behavior. Privacy efficacy increases privacy concerns and protection behavior. Perceived vulnerability increases privacy concerns. Perceived effectiveness of organization software affects privacy concerns but does not affect protection behavior. There is a positive relationship between privacy concerns and protection behavior; however, this positive relation is negatively moderated by a propensity to trust. A finding of threat severity measure using Covid-19 factors concludes that both privacy concerns and protection behavior increased for online video chat software users. The theoretical model explicates 75% of variances in privacy concerns and 57% of variances in protection behavior. Every one-unit increase in Covid-19 induced changes regarding the work environment increases the privacy concern by 35%, and every one-unit increase in perceived effectiveness of organization software increases privacy concern by 22%. Every one-unit increase in the privacy concern increases the protection behavior by 48%, and every one-unit increase in privacy efficacy increases protection behavior by 59%. AcknowledgmentThe assistance provided by Arun Thottath in reaching out to survey participants was greatly appreciated.
View
Fear Assessment in Information Security Dialog Box based on Hybrid Kansei Engineering and KJ Method
Article
Full-text available
  • Sep 2021
Emotion is one of the predetermined aspects that lead to non-compliance behaviour by a user in the Information Security (IS) domain. Four prominent emotions have been recognized in IS, which are fear, stress, trust, and rage. In this study, fear will be highlighted as the scope to explain fear in IS through design concept. This paper discusses how to characterize fear as stimuli for user emotional assessment in IS through the design concept of information security dialog user interface design (UID). Recent research made by other researchers shows that too low and too high levels of fear lead to user reluctance and resistance behaviour. Thus, it is essential to conduct a study to suggest methodology and procedural details in measuring fear and propose the relationship between the level of fear and user compliance behaviour toward IS procedures and policies. This study adopted part of Kansei Engineering, and KJ Method in measuring fear towards IS dialog box UID as the artefact. This study characterizes fear emotion in the IS domain based on users’ compliance response towards the artefacts. Findings from this study will give a new perspective on emotion, particularly for fear toward design in the IS domain and serve as the foundation of emotion in the IS field concerning Kansei and Affective Sciences.
View
Protection Motivation Theory in Information Systems Security Research: A Review of the Past and a Road Map for the Future
Article
Full-text available
  • Apr 2021
Protection motivation theory (PMT) is one of the most commonly used theories to examine information security behaviors. Our systematic review of the application of PMT in information systems (IS) security and the comparison with its application for decades in psychology identified five categories of important issues that have not yet been examined in IS security research. Discussing these issues in terms of why they are relevant and important for IS security, and to what extent IS research has not considered them, offers new research opportunities associated with the study of PMT and IS security threats. We suggest how future studies can approach each of the open issues to provide a new road map for quantitative and qualitative IS scholars.
View
Experience Matters: The Role of Vicarious Experience in Secure Actions
Article
  • Apr 2020
Information systems security is a major organizational concern. This study examines the role of vicarious experience on an individual's behavioral intent to perform a secure recommended response. The protection motivation theory model is expanded to include vicarious experience, which was examined through the separate constructs of vicarious threat experience and vicarious response experience. This study closes a gap in the literature by including vicarious experience in the PMT model and confirming its role as a significant direct influence on the PMT threat and coping constructs, and thus on the PMT model's ability to explain the variance of an individual's intent to perform secure behaviors. Additionally, vicarious experience measures were multi-item reflective scales rather than the single item measures that are more typically used to measure experience. Implications for theory and practice are discussed.
View
The Economics of Information Security Investment
Article
Full-text available
  • Jan 2002
This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend at most a small fraction (1/e) of the expected loss due to a security breach.
View
Conceptual foundation for organizational information security awareness
Article
Full-text available
The current approaches in terms of information security awareness and education are descriptive (i.e. they are not accomplishment-oriented nor do they recognize the factual/normative dualism); and current research has not explored the possibilities offered by motivation/behavioural theories. The first situation, level of descriptiveness, is deemed to be questionable because it may prove eventually that end-users fail to internalize target goals and do not follow security guidelines, for example - which is inadequate. Moreover, the role of motivation in the area of information security is not considered seriously enough, even though its role has been widely recognized. To tackle such weaknesses, this paper constructs a conceptual foundation for information systems/organizational security awareness. The normative and prescriptive nature of end-user guidelines will be considered. In order to understand human behaviour, the behavioural science framework, consisting in intrinsic motivation, a theory of planned behaviour and a technology acceptance model, will be depicted and applied. Current approaches (such as the campaign) in the area of information security awareness and education will be analyzed from the viewpoint of the theoretical framework, resulting in information on their strengths and weaknesses. Finally, a novel persuasion strategy aimed at increasing users' commitment to security guidelines is presented.
View
The Theory of Planned Behavior
Article
Full-text available
  • Dec 1991
Research dealing with various aspects of* the theory of planned behavior (Ajzen, 1985, 1987) is reviewed, and some unresolved issues are discussed. In broad terms, the theory is found to be well supported by empirical evidence. Intentions to perform behaviors of different kinds can be predicted with high accuracy from attitudes toward the behavior, subjective norms, and perceived behavioral control; and these intentions, together with perceptions of behavioral control, account for considerable variance in actual behavior. Attitudes, subjective norms, and perceived behavioral control are shown to be related to appropriate sets of salient behavioral, normative, and control beliefs about the behavior, but the exact nature of these relations is still uncertain. Expectancy— value formulations are found to be only partly successful in dealing with these relations. Optimal rescaling of expectancy and value measures is offered as a means of dealing with measurement limitations. Finally, inclusion of past behavior in the prediction equation is shown to provide a means of testing the theory*s sufficiency, another issue that remains unresolved. The limited available evidence concerning this question shows that the theory is predicting behavior quite well in comparison to the ceiling imposed by behavioral reliability.
View
Self-Efficacy: Toward a Unifying Theory of Behavioral Change
Article
  • Jan 1977
Presents an integrative theoretical framework to explain and to predict psychological changes achieved by different modes of treatment. This theory states that psychological procedures, whatever their form, alter the level and strength of self-efficacy. It is hypothesized that expectations of personal efficacy determine whether coping behavior will be initiated, how much effort will be expended, and how long it will be sustained in the face of obstacles and aversive experiences. Persistence in activities that are subjectively threatening but in fact relatively safe produces, through experiences of mastery, further enhancement of self-efficacy and corresponding reductions in defensive behavior. In the proposed model, expectations of personal efficacy are derived from 4 principal sources of information: performance accomplishments, vicarious experience, verbal persuasion, and physiological states. Factors influencing the cognitive processing of efficacy information arise from enactive, vicarious, exhortative, and emotive sources. The differential power of diverse therapeutic procedures is analyzed in terms of the postulated cognitive mechanism of operation. Findings are reported from microanalyses of enactive, vicarious, and emotive modes of treatment that support the hypothesized relationship between perceived self-efficacy and behavioral changes. (21/2 p ref)
View
View
View
View
Effective IS security: An empirical study
Article
  • Jan 1990
Information security has not been a high priority for most managers. Many permit their installations to be either lightly protected or wholly unprotected, apparently willing to risk major losses from computer abuse. This study, based on the criminological theory of general deterrence, investigates whether a management decision to invest in IS security results in more effective control of computer abuse. Data gathered through a survey of 1, 211 randomly selected organizations indicates that security countermeasures that include deterrent administrative procedures and preventive security software will result in significantly lower computer abuse. Knowledge about these relationships is useful for making key decisions about the security function.
View
View
An Application of Deterrence Theory to Software Piracy
Article
  • Dec 2005
Although the research on software piracy is growing, criminologists have not examined the role of deterrence in software piracy. Using data collected from 382 undergraduate students attending a southeastern university, this study examined the role of deterrence in reducing instances of software piracy using a factorial design. The findings from the analysis showed that certainty and not severity was important in reducing software piracy. The study also found that contemporary parts of deterrence theory (i.e., shame and family discovery) were important in deterring software piracy. Policy implications of these findings are discussed.
View