From Information Security Awareness to Reasoned Compliant Action: Analyzing Information Security Policy Compliance in a Large Banking Organization

Published: 02 August 2017

Abstract

Despite the importance of information security, far too many organizations, in particular banks, are facing behavioral information security incidents. In the context given by the headquarters of a large European banking organization, this single case study investigates whether individual behavioral compliance with the information security policy is influenced by accumulated security information and information security awareness embedded within the theory of reasoned action in an extended norms approach. We collected empirical data through a three-staged process in which we conducted semi-structured interviews, implemented a survey to test the developed research hypotheses, and engaged in interactive presentations to discuss the results. In particular, the qualitative interviews strengthened internal validity of survey constructs related to neutralization techniques and internal channel use for information acquisition. We found that the attitude toward information security policy compliance, and not only social norms but also personal norms related to neutralization techniques, are all significant variables potentially mitigating the knowing-doing gap reported in related information security research. Besides emphasizing the importance of extended norms, which should be accounted for in information security awareness programs, we also highlight the use of internal and external channels to acquire information as initial drivers of awareness. The empirical findings provide implications to practice and advance theoretical development by generally supporting the developed model that accounts for compliant information security behavior at an international bank.

      Published In

      ACM SIGMIS Database: the DATABASE for Advances in Information Systems  Volume 48, Issue 3
      August 2017
      130 pages
      ISSN:0095-0033
      EISSN:1532-0936
      DOI:10.1145/3130515

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. banking
      2. compliant information security behavior
      3. information security awareness
      4. information security policy
      5. neutralization theory
      6. theory of reasoned action

      Qualifiers

      • Research-article
