Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition
Introduction
To compete and survive in today's turbulent operating environments, organisations (public and private) continue to rely on and invest heavily in information systems (IS) [22], [39]. The protection of the information and other data assets held in such systems is a major concern for practitioners and has emerged as a key managerial priority [13], [28], [33], [51]. To protect critical IS assets, organisations often deploy security technologies, such as firewalls for perimeter defence and comprehensive monitoring systems (e.g., log management, data leak prevention, content monitoring technologies). These tools offer a technical solution to the problem but are rarely sufficient to provide total protection of organisational IS resources [17], [36], [51], because socio-organisational factors are also relevant in fostering the outcomes organisations desire in this area [36], [42], [45], [52].
The onus is therefore on organisations to utilise multi-perspective approaches for protecting their IS assets and resources [17]. Researchers have indicated that organisations that fail to address individual and other organisational issues, alongside technology-based solutions, may not succeed in their efforts [30], [36], [45], [51], [52]. Despite the huge investments that organisations make in procuring IS security tools, security incidents and breaches continue to be a significant problem [23], [32], [37]. One of the reasons why IS security incidents and abuses continue to plague organisations is that organisational employees are the weakest link in ensuring IS security; they constitute an insider threat to their organisations [13], [42], [45], [52]. Thus, a beneficial approach to safeguarding IS resources requires that organisations focus on their own employees' intentions and behaviours.
One of the mechanisms that organisations use to shape or influence the behaviours of their employees with respect to the efficient use of an IS is the set of rules, guidelines, and requirements laid out in their information systems security policy (ISSP) [5], [20], [24], [33], [43]. However, the literature suggests that even if an ISSP is in place to help safeguard an organisation against the misuse, abuse, and destruction of IS assets, its employees often do not readily comply with such documents [13], [23], [33], [51]. Studies are needed to enhance our understanding of the issues that may inhibit or encourage ISSP compliance in organisations. Research on ISSP compliance in organisations is beginning to receive increased attention in the extant literature [2], [5], [51], [52], [53].
Anderson and Agarwal's [2] review of the literature in this area indicated that the majority of previous ISSP compliance research was carried out from the perspectives of criminological theories (i.e., general deterrence theory, rational choice theory, situational crime prevention theory) and the health belief model (i.e., protection motivation theory). While previous research efforts favouring these perspectives have advanced knowledge in the area, we contend that other theoretical underpinnings could further provide insight into ISSP compliance. We argue that organisational issues rooted in socialisation and social influence, as well as personal beliefs and cognition, can equally influence ISSP compliance behavioural intentions; others have provided similar arguments [5], [15], [17].
Research focusing on criminology has tended to accept sanctions and penalties as the only means by which IS misuse and abuse can be deterred [16], [17], [28], [30]. Such studies have implicitly suggested that when violations and misbehaviours are severely punished, employees will cease to engage in such unacceptable behaviours. However, new insights have emerged that call this viewpoint into question. For instance, Vance et al. [51], Son [43], and Hu et al. [20] showed that ISSP compliance research using criminology and fear appeal theories does not always explain noncompliance behaviours. According to these researchers, when employees err, they may use neutralisation techniques to circumvent or minimise the effects of reprisals from their organisations.
To increase knowledge, this research was designed to complement the few evolving studies based on socialisation and social psychology theories in understanding ISSP compliance in organisations [2], [7], [13], [15], [27]. Compliance, being a complex concept, should be studied from differing perspectives to enhance knowledge [3]. That said, it is axiomatic among scholars across disciplines that the Theory of Planned Behaviour (TPB), which encompasses Social Cognitive Theory (SCT), can explain innumerable behaviours, including ISSP compliance-related behaviours [15], [27]. In this study, we integrated the recomposed TPB with Social Bond Theory (SBT), given that the latter may be suitable for adapting the former to working environments where social bonds might influence job-related perceptions and behaviours [7], [13].
Section snippets
Theory of planned behaviour
Social influence refers to the change in an individual's thoughts, actions, feelings, attitudes, or behaviours that results from their interactions with another individual or group [1], [12]. The Theory of Reasoned Action, from which the theory of planned behaviour (TPB) was developed, underscores the social influence perspective. The TPB, which was proposed by Ajzen [1], postulates that individual behaviour is influenced by attitude, subjective norms, and perceived behavioural control.
Research model and hypotheses
Following the preceding discussion, the research model is presented in Fig. 1. The decision to model the effects of SBT's constructs on attitude towards compliance and subjective norms is consistent with similar research conceptualisations in the area [2], [5]. For instance, the TPB suggests that normative beliefs determine subjective norms, i.e., social influence or pressure. That is, if people believed that their referent individuals or groups (i.e., supervisors, coworkers) approved the
Data collection procedure
The research model was tested using a field survey. To that end, we used two approaches in collecting our data. First, we purchased a directory containing the names of non-IS managers in Canadian organisations from a marketing and data research firm, i.e., InfoCanada. Half of the names on the list, which constituted 1000 names, were used for this study. Each participant received a cover letter, questionnaire, and self-addressed, stamped envelope. Of the 1000 questionnaires that were mailed, 106
Data analysis and results
The partial least squares (PLS) technique of structural equation modelling, which uses principal component-based estimation, was used for the analysis. The approach is suitable for validating predictive models, particularly those with small sample sizes [8]. The specific tool used was SmartPLS 2.0, created by Ringle et al. [38]. PLS analysis proceeds in two stages: (a) the assessment of the measurement model and (b) the assessment of the structural model.
Research contributions and implications
This study offers several contributions to the IS security management literature. To the best of our knowledge, it is among the first studies to integrate the theory of planned behaviour – which encompasses social cognitive theory – with social bond theory for use in IS security discourse. This integrative conceptualisation offers a new perspective in understanding employees’ ISSP compliance behavioural intentions, which we believe supplements research based on other, widely publicised
Conclusions
Prior research on ISSP compliance and computer security behaviours in organisations has adopted the perspectives of criminological theories and health belief theory. While such perspectives are important, we argue that the literature can benefit from other relevant theoretical underpinnings. To that end, we proposed and empirically tested a research model that drew from the influences of socialisation, group influences, personal beliefs, self-efficacy, and cognition. Our findings showed that
Acknowledgements
This research project was sponsored by a grant (ORAI – #8271) provided by Cape Breton University, Canada. I am grateful to C. M. Ringle, S. Wende, and A. Will for the use of their software, SmartPLS 2.0. Special thanks go to all the study's participants and the project's Research Assistants: Lindsay McDonald and Cindy Butler. I appreciate the comments and suggestions provided by anonymous reviewers of earlier drafts of this paper.
References (54)
The theory of planned behavior. Organizational Behavior and Human Decision Processes (1991).
Encouraging information security behaviors: role of penalties, pressures and perceived effectiveness. Decision Support Systems (2009).
Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory. Computers & Security (2012).
Why there aren't more information security research studies. Information & Management (2004).
What influences IT ethical behavior intentions: planned behavior, reasoned action, perceived importance, or individual characteristics? Information & Management (2004).
Understanding compliance with internet use policy from the perspective of rational choice theory. Decision Support Systems (2010).
Studying users' computer security behavior: a health belief perspective. Decision Support Systems (2009).
Out of fear or desire? Toward a better understanding of employees' motivation to follow IS security policies. Information & Management (2011).
Analysis of end user security behaviors. Computers & Security (2005).
PLS path modeling. Computational Statistics & Data Analysis (2005).
The power of social information in the workplace. Organizational Dynamics.
Motivating IS security compliance: insights from habit and protection motivation theory. Information & Management.
Towards information security behavioural compliance. Computers & Security.
Investigation of IS professionals' intention to practise secure development of applications. International Journal of Human-Computer Studies.
Security lapses and the omission of information security measures: a threat control model and empirical test. Computers in Human Behavior.
Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions. MIS Quarterly.
Social Psychology.
Self-efficacy: toward a unifying theory of behavioral change. Psychological Review.
Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly.
Work-life benefits and organizational attachment: self-interest utility and signaling theory models. Journal of Vocational Behavior.
Perceptions of information security at the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security.
Issues and opinion on structural equation modeling. MIS Quarterly.
Statistical Power Analysis for the Behavioral Sciences.
Computer self-efficacy: development of a measure and initial test. MIS Quarterly.
Evaluating structural equations models with unobservable variables and measurement error. Journal of Marketing Research.
A Structural Theory of Social Influence.
Understanding nonmalicious security violations in the workplace: a composite behavior model. Journal of Management Information Systems.
Cited by (302)
Facilitating and impeding factors to insiders' prosocial rule breaking in South Korea. Computers and Security (2024).
Employees' in-role and extra-role information security behaviors from the P-E fit perspective. Computers and Security (2023).
Social influence research in consumer behavior: What we learned and what we need to learn? A hybrid systematic literature review. Journal of Business Research (2023).
What are the trend and core knowledge of information security? A citation and co-citation analysis. Information and Management (2023).
Information security challenges during digital transformation. Procedia Computer Science (2023).
Princely Ifinedo is an Associate Professor in the Shannon School of Business at Cape Breton University, Canada. He holds a doctoral degree in Information Systems Science from the University of Jyväskylä, Finland and master's degrees from the Royal Holloway University of London, UK and Tallinn University of Technology, Estonia. He has presented research at various international IS conferences, contributed chapters to several books/encyclopedias, and published in several reputable journals including JCIS, C&S, JSS, DATA BASE, CHB, JOCEC, JITM, IMDS, EIS, IJITDM, JITD, JITM, JGTIM, EG, JISP, and Internet Research. He has authored (and co-authored) over 90 peer-reviewed publications. He is affiliated with AIS, IEEE, ISACA, and CIPS.