Factors Influencing Protection Motivation and IS Security Policy Compliance

Mikko Siponen (a), Seppo Pahnila (a) and Adam Mahmood (b)

(a) University of Oulu, Department of Information Processing Science, FINLAND. E-mail: {Mikko.Siponen, Seppo.Pahnila}@oulu.fi
(b) Department of Information and Decision Sciences, University of Texas at El Paso. E-mail: mmahmood@utep.edu
Abstract

The key threat to IS security is constituted by careless employees who do not comply with IS security policies. To ensure that employees comply with organizations' IS security procedures, a number of IS security policy compliance means have been proposed in the past. Prior research has criticized these means as lacking theoretically and empirically grounded principles to ensure that employees comply with IS security policies. This paper advances a new model that explains employees' IS security compliance. In this model, we extend protection motivation theory (PMT) by introducing preceding factors (e.g., visibility and normative beliefs) of the protection motivation process. To test this model, we collected data (N=919) from five companies. The results suggest that the preceding factors have a significant effect on threat appraisal, self-efficacy and response efficacy. Threat appraisal has a significant effect on intention to comply with IS security policies. Intention to comply has a significant effect on actual compliance with IS security policies.
1. Introduction

Most organizations encounter more than one IS security incident within a year [4,10]. The IS security literature suggests that 91% of organizations' own employees frequently fail to adhere to IS security procedures [10], paving the way for IS security incidents to occur [16,3]. To handle this situation, a number of means to ensure that employees comply with IS security policies have been proposed. Researchers have pointed out two serious weaknesses across these existing approaches: first, they are atheoretical and second, they lack empirical evidence on their effectiveness in practice [3,13,16]. There are, however, some exceptions in the literature [3,18,19].

To explain IS security policy compliance, we find PMT useful, theoretically solid, and empirically testable. PMT was originally developed for communicating fear in people. It was later used to motivate people to avoid unhealthy behavior. It is applicable to any attitude change [14]. Recently, PMT has also been applied in the IS field [21]. However, it has not been applied to explain IS security policy compliance in organizations. Also, its preceding factors, like verbal persuasion, have not been studied [15, p. 114].

This paper contributes to the literature in the area by first extending PMT to explain employees' IS security compliance. The extended PMT model is then validated using an empirical study. The rest of the paper is presented as follows: the second section discusses prior research. The third section presents the research model, while the fourth discusses the data collection. The empirical results of the study are presented in the fifth section. Finally, the implications of the findings for practice and research are outlined in the sixth section.
2. The theoretical model

The research model consists of Protection Motivation Theory [15] and the Theory of Reasoned Action (TRA) [13] (Fig 1). The protection motivation theory focuses on threat and coping appraisal (cognitive mediating processes). Environmental effects (normative beliefs and visibility) and intrapersonal variables may initiate these components, which may lead to protection motivation. Following TRA [8], this is assumed to lead to intention to comply, which, in turn, is assumed to lead to actual IS security policy compliance.
1-4244-0674-9/06/$20.00 © 2006 IEEE.
Authorized licensed use limited to: Jyvaskylan Yliopisto. Downloaded on November 08,2020 at 19:28:54 UTC from IEEE Xplore. Restrictions apply.
[Figure 1. The research model. Panels: Environmental effect (normative beliefs, visibility); Cognitive mediating process (threat appraisal, self-efficacy, response efficacy); Behavioral change in protection motivation (intention to comply, actual compliance with IS security policies). Arrows are labelled with the hypotheses H1-H7.]
Threat appraisal consists of perceived vulnerability and perceived severity [15]. The former refers to the conditional probability that a negative event will take place if no measures are taken to counter it [14]. In the context of our study, perceived vulnerability refers to employees' assessment of whether their organization is vulnerable to IS security threats. Perceived severity encompasses the degree of both physical and psychological harm. In our study, it refers to harms caused by security breaches [21]. We assume that if workers do not realize that they are truly confronted by IS security threats (threat appraisal) and if they don't feel that these threats can cause negative consequences (perceived severity), they will simply not comply with IS security policies.

H1: Threat appraisal affects employees' intention to comply with IS security policies.
Coping appraisal consists of response efficacy, self-efficacy, and response cost [15]. Response efficacy relates to the belief that the coping response is effective [14]. In our study, it means that adherence to IS security policies is an effective mechanism for detecting an IS security threat. Self-efficacy, originally taken from [5], refers to the degree to which one can successfully take the coping response action [15]. In our context, self-efficacy theory suggests that employees' beliefs on whether they can apply and adhere to IS security policies will lead to compliance with these policies. Response costs were not studied in this paper. Therefore, we hypothesize:

H2: Self-efficacy affects employees' intention to comply with IS security policies.

H3: Response efficacy affects employees' intention to comply with IS security policies.
Normative beliefs refer to the normative expectations of colleagues and superiors, which may have a persuasive influence on whether or not an employee will carry out a specific behavior [8]. In this study, we regard normative belief as an environmental factor, which initiates the cognitive process (Fig 1). Environmental information, such as verbal persuasion or the behavior of others, may have an influence on the cognitive process [15]. To be more specific, we suggest that the behavior of managers, IS security staff and peers will have a persuasive effect on employees' IS security policy compliance.
Visibility. In the technology acceptance literature, visibility refers to the degree to which one can see others using the system [12]. In the computer abuse context, it refers to the overall visibility of IS security in an organization which, through different IS security actions (enforcement of IS security policies), reduces computer abuse in organizations [18]. In our study, visibility represents environmental information, which has a persuasive effect on the cognitive process. Accordingly, IS security visibility refers to the degree to which one can see not only IS security actions, campaigns, advertisements, and formal or informal information communications in the organization, but also security measures outside the organization via the media [13]. Hence, we hypothesize:

H4, H5, H6: Normative beliefs and visibility affect employees' threat appraisal and coping appraisal processes.
Intention indicates what one plans to do [1], whether one plans to comply with IS security policies in this case. It is suggested that intentions are the most applicable measure of protection motivation [37]. Prior research has shown that intentions are good predictors of actual behavior, adherence to IS security policies in this case. These lead to the following hypothesis:

H7: Employees' intention to comply with IS security policies has a significant impact on actual compliance with IS security policies.
3. Research design

The use of previously validated and tested questions is reported to improve the reliability of constructs and results [17]. Accordingly, we used items that have been tried and tested by previous studies, when available. Normative beliefs are taken from [11], and threat appraisal and coping appraisal are generated from [15]. All the items are measured using a seven-point Likert scale (strongly disagree - strongly agree). Since these measures have not previously been tested in the context of IS security policy compliance, the present research tests these measures in the IS security context in the Finnish culture. Hence, the questions were pilot tested using 15 people. Based on their feedback, the readability of the questions was improved. The data was collected from five Finnish companies. The respondents were asked to fill out the web-based questionnaire. 919 responses were returned.
Table 1. Mean and standard deviation of all variables.

Variable              Mean     Standard deviation   Min    Max
Actual compliance     6.1562   0.98422              1.00   7.00
Intention to comply   6.3467   0.88287              1.00   7.00
Threat appraisal      5.7197   0.99238              1.00   7.00
Response efficacy     4.7541   1.43380              1.00   7.00
Self-efficacy         5.8850   1.02419              1.00   7.00
Normative beliefs     6.2852   0.96943              1.00   7.00
Visibility            4.5469   0.82113              1.00   7.00

4. Results

The numbers of males (56.1%) and females (43.9%) are about equally distributed. Most of the respondents are middle-aged, with 31.3% representing the age group 31-40 and 30.0% representing the age group 41-50 (Table 1).

Table 1. Descriptive statistics of the respondents.

Measure                                            Items    Frequency   Percent
Gender (N=917)                                     Male     514         56.1
                                                   Female   403         43.9
Age (N=919)                                        <30      135         14.7
                                                   31-40    288         31.3
                                                   41-50    276         30.0
                                                   >50      220         23.9
Years in service in the existing company (N=670)   <5       202         30.1
                                                   5-10     155         23.1
                                                   >10      313         46.7

Most respondents have long working experience. Over forty-six percent of the respondents (46.7%) have served the company for more than ten years.

Quite often selection bias (meaning that the respondents of a study are not relevant representatives of the sample) limits the generalizability of the results [6]. In our study, gender and age groups of the respondents were fairly equally distributed, and they covered a wide geographical area. While these issues are important to minimizing bias [20], the selection bias nevertheless has to be mentioned as a potential limitation in generalizing the results of the present study.

Factor analysis is used to reveal the latent structure of the independent variables. Five independent factors accounted for 63.4% of the total variance (Table 2). Analyses were conducted using the principal component extraction method followed by Varimax rotation. Convergent validity was assessed using Cronbach's alpha, and factor analysis was used to ascertain discriminant validity. All the factor loadings are acceptable. There was no cross-construct loading that exceeded 0.50. Two items were dropped due to high cross-loadings. Reliability analysis was used to assess the consistency of the factors. Research suggests that a value above 0.70 for Cronbach's alpha is desirable [9]. Although the Cronbach's alpha value of the factor visibility is not desirable, it is regarded as acceptable.

Table 2. Factor analysis results.

Factors             Items       Factor loading   Cronbach's alpha
Threat appraisal    thrappr1    0.459            0.755
                    thrappr2    0.565
                    thrappr3    0.656
                    thrappr4    0.812
                    thrappr5    0.797
                    thrappr6    dropped
Response efficacy   respeffi1   0.840            0.797
                    respeffi2   0.864
                    respeffi3   0.755
Self-efficacy       selfeffi1   0.882            0.834
                    selfeffi2   0.885
                    selfeffi3   dropped
Normative beliefs   normbel1    0.807            0.867
                    normbel2    0.863
                    normbel3    0.783
                    normbel4    0.722
Visibility          visibi1     0.728            0.607
                    visibi2     0.695
                    visibi3     0.584
                    visibi4     0.628
The intercorrelation among the factors was assessed. All the correlation coefficients were less than 0.80, which is normally considered a critical value [3], as a higher correlation coefficient may indicate a problem of multicollinearity. Multiple regression analysis was used to find a predictive model that describes the phenomena as comprehensively as possible and estimates the compatibility of the research model and the collected data. Our results suggest that the data fully supported the model, and all the hypotheses were supported (Table 3).
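As an added illustration (not the paper's own analysis code or data), the two instrument checks described above, the Cronbach's alpha reliability test against the 0.70 floor from the factor analysis paragraph and the inter-factor correlation test against the 0.80 critical value, can be scripted; the seven-point Likert responses and construct names below are constructed for the example.

```python
"""Reliability and multicollinearity checks on seven-point Likert responses.
Added example, not the paper's code or data; thresholds follow the paper:
Cronbach's alpha >= 0.70 is desirable [9], inter-factor r >= 0.80 is a warning."""
from statistics import mean, pvariance

ALPHA_THRESHOLD = 0.70
CORR_THRESHOLD = 0.80

def cronbach_alpha(items):
    """items: one response list per scale item, respondents in the same order."""
    k = len(items)
    item_var_sum = sum(pvariance(col) for col in items)
    totals = [sum(row) for row in zip(*items)]  # each respondent's scale total
    return (k / (k - 1)) * (1 - item_var_sum / pvariance(totals))

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length sequences."""
    mx, my = mean(x), mean(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / (vx * vy) ** 0.5

def construct_scores(items):
    """Respondent-level construct score: the mean of the construct's items."""
    return [mean(row) for row in zip(*items)]

def reliability_report(constructs):
    """Map construct name -> (alpha, whether alpha meets the 0.70 threshold)."""
    report = {}
    for name, items in constructs.items():
        alpha = cronbach_alpha(items)
        report[name] = (alpha, alpha >= ALPHA_THRESHOLD)
    return report

def multicollinearity_check(constructs):
    """Return (a, b, r) for each construct pair whose |r| reaches the limit."""
    names = list(constructs)
    scores = {n: construct_scores(constructs[n]) for n in names}
    flagged = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            r = pearson(scores[a], scores[b])
            if abs(r) >= CORR_THRESHOLD:
                flagged.append((a, b, round(r, 3)))
    return flagged

# Constructed responses from six hypothetical respondents (1 = strongly
# disagree ... 7 = strongly agree); two items per construct.
SAMPLE = {
    "threat_appraisal": [[5, 6, 7, 4, 6, 5], [6, 6, 7, 5, 5, 4]],
    "intention": [[6, 7, 7, 5, 6, 5], [7, 6, 7, 6, 6, 5]],
    "visibility": [[3, 5, 2, 5, 4, 2], [4, 3, 3, 5, 5, 3]],
}

if __name__ == "__main__":
    for name, (alpha, ok) in reliability_report(SAMPLE).items():
        print(f"{name}: alpha={alpha:.3f} {'ok' if ok else 'below 0.70'}")
    print("high intercorrelation:", multicollinearity_check(SAMPLE))
```

On the constructed data the visibility scale falls below the 0.70 floor, as the paper's own visibility factor does, and the threat appraisal and intention scores correlate above 0.80, which is the condition the paper's multicollinearity check is meant to catch.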
Table 3. Results of the multiple regressions. The first variable of each test is the dependent variable.

Regression test         R²      F-value        Standardized B coefficient   t-value   Sig.    Hypothesis result
1. Threat appraisal     0.161   88.092 (*)
   Normative beliefs                           0.297                        9.186     0.000   supported
   Visibility                                  0.191                        5.897     0.000   supported
2. Response efficacy    0.111   57.268 (*)
   Normative beliefs                           0.208                        6.232     0.000   supported
   Visibility                                  0.202                        6.0669    0.000   supported
3. Self-efficacy        0.174   95.869 (*)
   Normative beliefs                           0.356                        11.061    0.000   supported
   Visibility                                  0.131                        4.069     0.000   supported
4. Intention to comply  0.221   86.319 (*)
   Threat appraisal                            0.253                        8.065     0.000   supported
   Response efficacy                           0.071                        2.300     0.022   supported
   Self-efficacy                               0.295                        9.283     0.000   supported
5. Actual compliance    0.722   2360.713 (*)
   Intention to comply                         0.850                        48.587    0.000   supported
(*) p = 0.001
The first three models depict the explanatory power of the preceding variables of the PMT process (Table 3). Normative beliefs and visibility explain 16.1 percent (R² = 0.161) of the variance of threat appraisal. Normative beliefs (β=0.297, t-value 9.186, p=0.001) and visibility (β=-0.191, t-value -5.897, p=0.001) have a significant direct effect on threat appraisal. Normative beliefs (β=0.297, t-value 9.186, p=0.001) and visibility (β=-0.191, t-value -5.897, p=0.001) also have a significant direct effect on response efficacy. These variables explain 11.1 percent (R² = 0.111) of the variance of the model. The third model explains 17.4 percent of the variance. Normative beliefs and visibility have a significant effect on self-efficacy. Threat appraisal, response efficacy and self-efficacy explain 22.1 percent (R² = 0.221) of the total variance of intention. These variables also have a significant direct impact on intention to comply. Finally, intention to comply with IS security policies explains 72.2 percent (R² = 0.722) of the total variance of actual compliance. The results show that intention has a strong significant impact on actual compliance (β=0.850, t-value 48.587, p=0.001).
5. Conclusive discussion

Prior research on IS security compliance has criticized that extant IS security policy compliance approaches are not theoretically and empirically grounded. To this end, we extended protection motivation theory to cover preceding factors of the cognitive mediating processes of PMT. This model was empirically tested (N=919). The results suggest that the preceding factors (e.g., visibility and normative beliefs) have a significant effect on threat appraisal, self-efficacy and response efficacy. Threat appraisal, in turn, has a significant effect on intention to comply with IS security policies. Intention to comply with IS security policies, in turn, has a significant effect on actual compliance with IS security policies.

These findings have implications for practice. First, the findings suggest that social pressure within the organization and the employees' awareness about the threats of IS security have an influence on the cognitive process of PMT. For practitioners, this means that IS security must be advocated in the organization through education and campaigns in a visible manner. External IS security visibility also has an impact on the cognitive process of PMT. Potential sources of external visibility include news or commercials in the media. For practitioners, this means that IS security incidents reported in the media should be made visible to employees and these should be discussed in organizations. The results also suggest that negative social reactions towards IS security policy violations create IS security visibility, which may increase the interest of users in IS security. These findings are supported by [7], who found that social reactions explain illegal activities: the weaker the social reactions to a crime, the easier it is to commit the crime [7, p. 285]. In our study, threat appraisal has a significant effect on intention to comply with IS security policies. This finding stresses the need to emphasize to employees that not only are IS security breaches becoming more and more serious for the business of organizations, but also that their severity to the business of the organization is increasing.
6. References

[1] Ajzen, I., "The Theory of Planned Behavior", Organizational Behavior and Human Decision Processes, 50, 2, 1991, 179-211.
[2] Aytes, K. and Connolly, T., "A Research Model for Investigating Human Behavior Related to Computer Security", Proceedings of the 2003 American Conference on Information Systems, Tampa, FL, August 4-6, 2003.
[3] Aytes, K. and Connolly, T., "Computer and Risky Computing Practices: A Rational Choice Perspective", Journal of Organizational and End User Computing, 16, 2, 2004, 22-40.
[4] Bagchi, K. and Udo, G., "An analysis of the growth of computer and Internet security breaches", Communications of AIS, 12, 2003, 684-700.
[5] Bandura, A., "Self-Efficacy: Toward a Unifying Theory of Behaviour Change", Psychological Review, 84, 2, 1977, 191-215.
[6] Eysenbach, G. and Wyatt, J., "Using the Internet for Surveys and Health Research", Journal of Medical Internet Research, 4, 2, 2002.
[7] Finney, H.C. and Lesieur, H.R., "A Contingency Theory of Organizational Crime", Research in the Sociology of Organizations, 1, 1992, 255-299.
[8] Fishbein, M. and Ajzen, I., Belief, Attitude, Intention and Behavior: An Introduction to Theory and Research, Addison-Wesley, MA, 1975.
[9] Hair, J.F.J., Anderson, R.E., Tatham, R.L., and Black, W.C., Multivariate Data Analysis, 5th ed., Prentice Hall Inc., Upper Saddle River, New Jersey, 1998.
[10] Hinde, S., "Security surveys spring crop", Computers & Security, 21, 4, 2002, 310-321.
[11] Karahanna, E., Straub, D. W. and Chervany, N. L., "Information technology adoption across time: A cross-sectional comparison of pre-adoption and post-adoption beliefs", MIS Quarterly, 23, 2, 1999, 183-213.
[12] Moore, G.C. and Benbasat, I., "Development of an Instrument to Measure the Perceptions of Adopting an Information Technology Innovation", Information Systems Research, 2, 3, 1991, 191-222.
[13] Pahnila, S., Siponen, M. and Mahmood, A., "Employees' Behavior towards IS Security Policy Compliance", Proceedings of the 2007 Hawaii International Conference on System Sciences (HICSS 40), January 3-6, 2007, Hilton Waikoloa Village, Big Island, HI, USA.
[14] Rogers, R. W., "Cognitive and Physiological Processes in Fear Appeals and Attitude Change: A Revised Theory of Protection Motivation", in Social Psychophysiology, J. Cacioppo and R. Petty (Eds.), Guilford, New York, 1983.
[15] Rogers, R. W. and Prentice-Dunn, S., "Protection motivation theory", in D. S. Gochman (Ed.), Handbook of Health Behavior Research I: Personal and Social Determinants, Plenum Press, New York, NY, 1997, 113-132.
[16] Siponen, M., "A Conceptual Foundation for Organizational Information Security Awareness", Information Management & Computer Security, 8, 1, 2000, 31-41.
[17] Straub, D. W., "Validating Instruments in MIS Research", MIS Quarterly, 13, 2, 1989, 147-169.
[18] Straub, D.W., "Effective IS Security: An Empirical Study", Information Systems Research, 1, 3, 1990, 255-276.
[19] Straub, D.W. and Welke, R.J., "Coping with Systems Risk: Security Planning Models for Management Decision-Making", MIS Quarterly, 22, 4, 1998, 441-469.
[20] Wyatt, J., "When to Use Web-based Surveys", Journal of the American Medical Informatics Association, 7, 4, 2000, 426-430.
[21] Woon, I. M. Y., Tan, G. W. and Low, R. T., "A Protection Motivation Theory Approach to Home Wireless Security", Proceedings of the Twenty-Sixth International Conference on Information Systems, Las Vegas, 2005, 367-380.