Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition

https://doi.org/10.1016/j.im.2013.10.001

Abstract

This study investigated employees’ information systems security policy (ISSP) compliance behavioural intentions in organisations from the theoretical lenses of social bonding, social influence, and cognitive processing. Given that previous research on ISSP compliance has been based on deterrence theory, this study seeks to augment and diversify research on ISSP compliance through its theoretical perspective. Relevant hypotheses were developed to test the research conceptualisation. Data from a survey of business managers and IS professionals confirmed that social bonds that are formed at work largely influence attitudes towards compliance and subjective norms, with both constructs positively affecting employees’ ISSP compliance. Employees’ locus of control and capabilities and competence related to IS security issues also affect ISSP compliance behavioural intentions. Overall, the constructs in the research model enhance our understanding of the social-organisational and psychological factors that might encourage or accentuate employees’ ISSP compliance in the workplace.

Introduction

To compete and survive in today's turbulent operating environments, organisations (public and private) continue to rely on and invest heavily in information systems (IS) [22], [39]. The protection of the information and other data assets held in such systems is a major concern for practitioners and has emerged as a key managerial priority [13], [28], [33], [51]. To protect critical IS assets, organisations often deploy security technologies, such as firewalls for perimeter defence and comprehensive monitoring systems (e.g., log management, data leak prevention, content monitoring technologies). These tools offer a technical solution to the problem but are rarely sufficient on their own to protect organisational IS resources fully [17], [36], [51], because socio-organisational factors also shape security outcomes in organisations [36], [42], [45], [52].

The onus is therefore on organisations to use multi-perspective approaches for protecting their IS assets and resources [17]. Researchers have indicated that organisations that fail to address individual and other organisational issues alongside technology-based solutions may fail to achieve success in their efforts [30], [36], [45], [51], [52]. Despite the huge investments that organisations make in procuring IS security tools, security incidents and breaches remain a significant problem [23], [32], [37]. One reason that IS security incidents and abuses continue to plague organisations is that employees are the weakest link in ensuring IS security; they constitute an insider threat to their organisations [13], [42], [45], [52]. Thus, a beneficial approach to safeguarding IS resources requires that organisations focus on their own employees' intentions and behaviours.

One of the mechanisms that organisations use to shape or influence how their employees use an IS is the set of rules, guidelines, and requirements laid out in their information systems security policy (ISSP) [5], [20], [24], [33], [43]. However, the literature suggests that even when an ISSP is in place to help safeguard an organisation against the misuse, abuse, and destruction of IS assets, employees often do not readily comply with it [13], [23], [33], [51]. Studies are needed to enhance our understanding of the issues that may inhibit or encourage ISSP compliance in organisations. Research on ISSP compliance in organisations is beginning to receive increased attention in the extant literature [2], [5], [51], [52], [53].

Anderson and Agarwal's [2] review of the literature in this area indicated that the majority of previous ISSP compliance research was carried out from the perspectives of criminological theories (i.e., general deterrence theory, rational choice theory, situational crime prevention theory) and the health belief model (i.e., protection motivation theory). While previous research efforts favouring these perspectives have advanced knowledge in the area, we contend that other theoretical underpinnings could further provide insight into ISSP compliance. We argue that organisational issues rooted in socialisation and social influence, as well as personal beliefs and cognition, can equally influence ISSP compliance behavioural intentions; others have provided similar arguments [5], [15], [17].

Research grounded in criminology has tended to treat sanctions and penalties as the only means by which IS misuse and abuse can be deterred [16], [17], [28], [30]. Such studies implicitly suggest that when violations and misbehaviours are severely punished, employees will cease to engage in such unacceptable behaviours. However, new insights have emerged that call this viewpoint into question. For instance, Vance et al. [51], Son [43], and Hu et al. [20] showed that ISSP compliance research based on criminology and fear appeal theories does not always explain noncompliance behaviours. According to these researchers, when employees err, they may use neutralisation techniques to rationalise the violation and so circumvent or minimise the effects of reprisals from their organisations.

To increase knowledge, this research was designed to complement the few evolving studies that draw on socialisation and social psychology theories to understand ISSP compliance in organisations [2], [7], [13], [15], [27]. Compliance, being a complex concept, should be studied from differing perspectives to enhance knowledge [3]. It is widely accepted among scholars across disciplines that the Theory of Planned Behaviour (TPB), which encompasses Social Cognitive Theory (SCT), can explain a wide range of behaviours, including ISSP compliance-related behaviours [15], [27]. In this study, we integrated the recomposed TPB with Social Bond Theory (SBT), given that the latter may be suitable for adapting the former to working environments where social bonds might influence job-related perceptions and behaviours [7], [13].

Theory of planned behaviour

Social influence refers to the change in an individual's thoughts, actions, feelings, attitudes, or behaviours that results from their interactions with another individual or group [1], [12]. The Theory of Reasoned Action, from which the theory of planned behaviour (TPB) was developed, underscores the social influence perspective. The TPB, which was proposed by Ajzen [1], postulates that individual behaviour is influenced by attitude, subjective norms, and perceived behavioural control.

Research model and hypotheses

Following the preceding discussion, the research model is presented in Fig. 1. The decision to model the effects of SBT's constructs on attitude towards compliance and subjective norms is consistent with similar research conceptualisations in the area [2], [5]. For instance, the TPB suggests that normative beliefs determine subjective norms, i.e., social influence or pressure. That is, if people believed that their referent individuals or groups (i.e., supervisors, coworkers) approved the

Data collection procedure

The research model was tested using a field survey. To that end, we used two approaches in collecting our data. First, we purchased a directory containing the names of non-IS managers in Canadian organisations from a marketing and data research firm, InfoCanada. Half of the names on the list (1000 names) were used for this study. Each participant received a cover letter, questionnaire, and self-addressed, stamped envelope. Of the 1000 questionnaires that were mailed, 106

Data analysis and results

The partial least squares (PLS) technique of structural equation modelling, which uses principal component-based estimation, was used for the analysis. The approach is suitable for validating predictive models, particularly those with small sample sizes [8]. The specific tool used was SmartPLS 2.0, created by Ringle et al. [38]. PLS analysis proceeds in two steps: (a) the assessment of the measurement model and (b) the assessment of the structural model.

Research contributions and implications

This study offers several contributions to the IS security management literature. To the best of our knowledge, it is among the first studies to integrate the theory of planned behaviour – which encompasses social cognitive theory – with social bond theory for use in IS security discourse. This integrative conceptualisation offers a new perspective in understanding employees’ ISSP compliance behavioural intentions, which we believe supplements research based on other, widely publicised

Conclusions

Prior research on ISSP compliance and computer security behaviours in organisations has adopted the perspectives of criminological theories and health belief theory. While such perspectives are important, we argue that the literature can benefit from other relevant theoretical underpinnings. To that end, we proposed and empirically tested a research model that drew from the influences of socialisation, group influences, personal beliefs, self-efficacy, and cognition. Our findings showed that

Acknowledgements

This research project was sponsored by a grant (ORAI – #8271) provided by Cape Breton University, Canada. I am grateful to C. M. Ringle, S. Wende, and A. Will for the use of their software, SmartPLS 2.0. Special thanks go to all the study's participants and the project's Research Assistants: Lindsay McDonald and Cindy Butler. I appreciate the comments and suggestions provided by anonymous reviewers of earlier drafts of this paper.

Princely Ifinedo is an Associate Professor in the Shannon School of Business at Cape Breton University, Canada. He holds a doctoral degree in Information Systems Science from the University of Jyväskylä, Finland and master's degrees from the Royal Holloway University of London, UK and Tallinn University of Technology, Estonia. He has presented research at various international IS conferences, contributed chapters to several books/encyclopedias, and published in several reputable journals including JCIS, C&S, JSS, DATA BASE, CHB, JOCEC, JITM, IMDS, EIS, IJITDM, JITD, JITM, JGTIM, EG, JISP, and Internet Research. He has authored (and co-authored) over 90 peer-reviewed publications. He is affiliated with AIS, IEEE, ISACA, and CIPS.

References (54)

  • J.G. Thomas et al., The power of social information in the workplace, Organizational Dynamics (1989)
  • A. Vance et al., Motivating IS security compliance: insights from habit and protection motivation theory, Information & Management (2012)
  • C. Vroom et al., Towards information security behavioural compliance, Computers & Security (2004)
  • I.M.Y. Woon et al., Investigation of IS professionals' intention to practise secure development of applications, International Journal of Human-Computer Studies (2007)
  • M. Workman et al., Security lapses and the omission of information security measures: a threat control model and empirical test, Computers in Human Behavior (2008)
  • C.L. Anderson et al., Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions, MIS Quarterly (2010)
  • E. Aronson et al., Social Psychology (2010)
  • A. Bandura, Self-efficacy: toward a unifying theory of behavioral change, Psychological Review (1977)
  • B. Bulgurcu et al., Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness, MIS Quarterly (2010)
  • W.J. Casper et al., Work-life benefits and organizational attachment: self-interest utility and signaling theory models, Journal of Vocational Behavior (2007)
  • M. Chan et al., Perceptions of information security at the workplace: linking information security climate to compliant behavior, Journal of Information Privacy and Security (2005)
  • W. Chin, Issues and opinion on structural equation modeling, MIS Quarterly (1998)
  • J. Cohen, Statistical Power Analysis for the Behavioral Sciences (1988)
  • D.R. Compeau et al., Computer self-efficacy: development of a measure and initial test, MIS Quarterly (1995)
  • C. Fornell et al., Evaluating structural equation models with unobservable variables and measurement error, Journal of Marketing Research (1981)
  • N. Friedkin, A Structural Theory of Social Influence (1998)
  • K.H. Guo et al., Understanding nonmalicious security violations in the workplace: a composite behavior model, Journal of Management Information Systems (2011)