Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Xiaofeng Chen,Liqiang Chen,Dazhong Wu

DOI: https://doi.org/10.1080/08874417.2016.1258679

2016-12-27

Journal of Computer Information Systems

Abstract:Information security policy (ISP) plays an important role in information security management in organizations. Past research investigated various factors that may impact employee behavior toward security policy compliance from the perspective of general deterrence theory (GDT), protection and motivation Theory (PMT), and rational choice theory (RCT). However, there is no unifying foundation/framework that examines all of those factors in a harmonic way so that the research findings can guide information security practices and research into the employee ISP compliance management context. Additionally, prior findings provided mixed results. This study proposes a research model based on the awareness-motivation-capability (AMC) framework, aiming to unify the factors to predict employee ISP compliance intention. We believe that a harmonic approach in managing employee ISP compliance can create optimal outcomes.

computer science, information systems

Chao-Min Chiu,Hsiang-Lan Cheng,Jack Shih-Chieh Hsu,Chiew Mei Tan,Chiung Hui Huang

DOI: https://doi.org/10.1080/10447318.2024.2422757

IF: 4.92

2024-11-20

International Journal of Human-Computer Interaction

Abstract:Drawing upon the attitude theory, this study theorizes that commitment affects loafing behaviors and ISP compliance. Further, drawing upon the transfer theory, this study adopts the concepts of loafing and commitment transfer in order to explore whether social loafing will enhance employee cyberloafing and whether organizational commitment can enhance ISP commitment, both of which, in turn, influence ISP compliance intention. This study utilized structural equation modeling (SEM) to analyze survey data collected in July 2023 from 361 Taiwanese individuals affiliated with organizations or companies. The results show that social loafing has a strong positive effect on cyberloafing, which, in turn, has a strong negative effect on ISP compliance intention. Organizational commitment has a strong positive effect on ISP commitment, which, in turn, has a strong positive effect on ISP compliance intention. In addition, distortion of consequences moderates the relationship between social loafing and cyberloafing. Advantageous comparison moderates the relationship between cyberloafing and ISP compliance intention.

computer science, cybernetics,ergonomics

Jiaqing Zhao,Yuxiang Hong,Wenqing Chen,Chouyong Chen

DOI: https://doi.org/10.1080/08874417.2024.2403571

2024-09-19

Journal of Computer Information Systems

Abstract:Combining cognitive and affective influences, as well as considering role-breadth constructs is critical to the study of employees' information security policy (ISP) compliance. This paper presents an improved model by integrating psychological capital (PsyCap), psychological ownership (PsyOwn), and the theory of planned behavior (TPB) based on the Conservation of Resources (COR) theory. A valid sample of 382 Chinese employees was used for model testing. The results imply that PsyCap is an important motivational antecedent to the cognitive decision-making processes theorized by the TPB. Also, PsyOwn moderates the effect of PsyCap on subjective norms, along with ISP compliance attitudes and behavioral intentions. Finally, theoretical contributions and managerial implications are addressed.

computer science, information systems

Ying Li,Ting Pan,Nan Zhang,Nan (Andy) Zhang

DOI: https://doi.org/10.1108/jeim-01-2019-0018

2019-09-23

Journal of Enterprise Information Management

Abstract:Purpose This paper is to investigate how employees respond to information security policies (ISPs) when they view the policies as a challenge rather than a hindrance to work. Specifically, the authors examine the roles of challenge security demands (i.e. continuity and mandatory) and psychological resources (i.e. personal and job resources) in influencing employees’ ISP non-compliance. Design/methodology/approach Applying a hypothetical scenario-based survey method, the authors tested our proposed model in six typical ISPs violation scenarios. In sum, 347 responses were collected from a global company. The data were analyzed using partial least square-based structural equation model. Findings Findings indicated that continuity and mandatory demands increased employees’ level of perseverance of effort, which, in turn, decreased their ISPs non-compliance intention. In addition, job resources, such as the trust enhancement gained from co-workers and the opportunities for professional development, enhanced the perseverance of effort. Practical implications The findings offer implications to practice by suggesting that organizations should design training programs to persuade employees to understand the ISPs in a positive way. Meanwhile, organizations should encourage employees to invest more personal resources by creating a trusting atmosphere and providing them opportunities to learn security knowledge and skills. Originality/value This study is among the few to empirically explore how employees respond and behave when they view the security policies as challenge stressors. The paper also provides a novel understanding of how psychological resources contribute to buffering ISP non-compliance.

information science & library science,management

Qiuyu Chen,Yuxiang Hong

DOI: https://doi.org/10.1080/08874417.2023.2300637

2024-01-06

Journal of Computer Information Systems

Abstract:This study aims to explore the mechanisms by which training influences employees' information security policy compliance (ISPC) through the mediating roles of compliance knowledge and social pressure. An empirical model is conceptualized on the theoretical basis of the Elaboration Likelihood Model (ELM). Based on a survey conducted in China, a sample of 304 participants was used to test the impact of training on ISPC as well as the mediating effects of compliance knowlgedge (as a central route) and social pressure (as a peripheral route). The results revealed that training had a positive effect on ISPC, and the mediating effects of compliance knowledge and social pressure were both positive and complementary. The results also indicated that the mediating effect of compliance knowledge was stronger than that of social pressure, which was consistent with the judgment of ELM.

computer science, information systems

Wenqin Li,Rongmin Liu,Linhui Sun,Zigu Guo,Jie Gao

DOI: https://doi.org/10.3390/ijerph192316038

IF: 4.614

2022-12-01

International Journal of Environmental Research and Public Health

Abstract:Employee security compliance behavior has become an important safeguard to protect the security of corporate information assets. Focusing on human factors, this paper discusses how to regulate and guide employees' compliance with information security systems through effective methods. Based on protection motivation theory (PMT), a model of employees' intention to comply with the information security system was constructed. A questionnaire survey was adopted to obtain 224 valid data points, and SPSS 26.0 was applied to verify the hypotheses underlying the research model. Then, based on the results of a regression analysis, fuzzy set qualitative comparative analysis (fsQCA) was used to explore the conditional configurations that affect employees' intention to comply with the information security system from a holistic perspective. The empirical results demonstrated that perceived severity, perceived vulnerability, response efficacy, and self-efficacy all positively influenced the employees' intention to comply with the information security system; while rewards and response costs had a negative effect. Threat appraisal had a greater effect on employees' intention to comply with the information security system compared to response appraisal. The fsQCA results showed that individual antecedent conditions are not necessary to influence employees' intention to comply with an information security system. Seven pathways exist that influence an employees' intention to comply with an information security system, with reward, self-efficacy, and response cost being the core conditions having the highest probability of occurring in each configuration of pathways, and with perceived severity and self-efficacy appearing in the core conditions of configurations with an original coverage greater than 40%. Theoretically, this study discusses the influence of the elements of PMT on employees' intention to comply with an information security system, reveals the mechanism of influence of the combination of the influencing factors on the outcome variables, and identifies the core factors and auxiliary factors in the condition configurations, providing a new broader perspective for the study of information security compliance behavior and providing some theoretical support for strengthening enterprise security management. Practically, targeted suggestions are proposed based on the research results, to increase the intention of enterprise employees to comply with information security systems, thereby improving the effectiveness of enterprise information security management and the degree of information security in enterprises.

public, environmental & occupational health,environmental sciences

Hung-Pin Shih,Kee-hung Lai,Xitong Guo,T. C. E. Cheng

DOI: https://doi.org/10.4018/JGIM.294329

2021-01-01

Journal of Global Information Management

Abstract:Most theories of information security policy (ISP), except a few focused on the insider-centric view, are grounded in the control-centric perspective, and most ISP compliance models stem from Western countries. Regulatory focus theory (RFT) proposes two modes of motivational regulation, promotion, and prevention are supposed to motivate employee compliance in a trade-off. Culture is crucial to the study of ISP that puts control over human connections. Chinese guanxi, a specific dimension of Chinese culture, is better understood underlying the trust-distrust frame. To bridge the theoretical gap between the control-centric and the insider-centric perspectives, the authors develop an ISP behavioral model by taking an integrated approach from RFT and the trust-distrust frame. They employed scenario-based events about information security misconduct in the workplace to examine employees' compliance intention and non-violation choice of ISP upon counterfactual thinking. The empirical results improve the theoretical and practical implications of security practices.

Hung-Pin Shih,Kee-hung Lai,Xitong Guo,T. C. E. Cheng

DOI: https://doi.org/10.1109/infoman.2016.7477543

2016-01-01

Abstract:Deterrence and rational choice calculus theories can regulate or motivate employees' compliance with information systems security policy (ISSP). However, the two well-developed theories may not fully induce compliance behavior of ISSP given the growing trend of IS security violation in China. Deterrence and rational choice calculus employ an assumption of general awareness of ISSP to address compliance behavior. However, employees may judge their compliance behavior of ISSP in terms of positive and negative emotions but not the trade-off of benefits and costs (risks) only in the compliance. Grounded in regulatory focus theory (RFT), we propose a research model that addresses the motivational mechanisms for employees to comply with ISSP. We adopt a scenario-based questionnaire to survey employees of Chinese SMEs for model testing. The empirical results indicate that promotion-approach is better than promotion-avoidance in motivating compliance intention when employees are aware of the ISSP in their companies. However, promotion-approach and promotion-avoidance are ineffective in inducing compliance intention when employees are unaware of ISSP in Chinese SMEs. Information security awareness is not a necessary condition of the compliance of ISSP. Additionally, prevention-approach is better than prevention-avoidance in motivating compliance intention regardless of whether employees are aware or unaware of ISSP in the workplace. Our empirical results can provide meaningful implications for academics and practitioners.

Adel Yazdanmehr,Yuan Li,Jingguo Wang

DOI: https://doi.org/10.1111/isj.12417

2022-01-01

Abstract:Studies on employee responses to the information security policy (ISP) demands to show that employees who experience stress over the demands would resort to emotion-focused coping to alleviate the stress and subsequently violate the ISP. However, their intent to engage in problem-focused coping to meet the ISP demands and possibly reduce ISP violations has yet to be analysed. We argue that both types of coping responses coexist in employee responses to ISP demands and they together influence ISP violation intention. Drawing upon the Transactional Model of Stress and Coping, we examine how security-related stress (SRS) triggers inward and outward emotion-focused coping, and problem-focused coping to the ISP demands, which together influence employee ISP violations. We also examine how ISP-related self-efficacy and organisational support moderate the effects of SRS on coping responses. We surveyed 200 employees in the United States to test our model. The results indicate that SRS triggers all three coping responses, and ISP-related self-efficacy and organisational support reduce the effects of SRS on inward and outward emotion-focused coping. Problem-focused coping then decreases ISP violation intention, whereas inward and outward emotion-focused coping increases it. The model was further verified with ISP compliance as the outcome construct, which yielded consistent results. Understanding various coping responses to SRS and the factors that facilitate or inhibit the responses can assist managers in effectively designing and implementing the ISP to reduce employee ISP violations.

Chenhui Liu,Huigang Liang,Nengmin Wang,Yajiong Xue

DOI: https://doi.org/10.1108/itp-09-2019-0452

2021-01-01

Information Technology and People

Abstract:PurposeEmployees’ information security policy (ISP) compliance exerts a significant strain on information security management. Drawing upon the compliance theory and control theory, this study attempts to examine the moderating roles of organizational commitment and gender in the relationships between reward/punishment expectancy and employees' ISP compliance.Design/methodology/approachUsing survey data collected from 310 employees in Chinese organizations that have formally adopted information security policies, the authors applied the partial least square method to test hypotheses.FindingsPunishment expectancy positively affects ISP compliance, but reward expectancy has no significant impact on ISP compliance. Compared with committed employees, both reward expectancy and punishment expectancy have stronger impacts on low-commitment employees' ISP compliance. As for gender differences, punishment expectancy exerts a stronger effect on females' ISP compliance than it does on males.Originality/valueBy investigating the moderating roles of organizational commitment and gender, this paper offers a deeper understanding of reward and punishment in the context of ISP compliance. The findings reveal that efforts in building organizational commitment will reduce the reliance on reward and punishment, and further controls rather than the carrot and stick should be applied to ensure male employees' ISP compliance.

Xiaofeng Chen,Craig K. Tyran

DOI: https://doi.org/10.1080/08874417.2022.2161024

2023-01-01

Journal of Computer Information Systems

Abstract:Even though abundant research has been done on the factors that may impact employee information security policy (ISP) compliance intention, the results are mixed. To more fully capture the dimensions which may influence employee ISP compliance, this paper introduces a framework that is based on the synthesis of the theories of motivation and behavior. The framework was tested with survey data. Key findings of the study are 1) employee ISP compliance intention is influenced by factors involving four distinct dimensions of action: awareness, motivation, capability, and organizational culture; and 2) The factors from the capability and organizational culture dimension may significantly moderate the strength of the relationship between motivation and ISP compliance intention. The implications of the study regarding the theoretical and practical contributions of this study are discussed.

Ashraf Mady,Saurabh Gupta,Merrill Warkentin

DOI: https://doi.org/10.1111/isj.12424

IF: 7.767

2023-01-11

Information Systems Journal

Abstract:Organisations implement a variety of knowledge mechanisms such as information security education, training and awareness (SETA) programs and information security policies, to influence employees' secure behaviour. Despite increased efforts to provide information systems (IS) security knowledge to employees, data breaches and other security incidents resulting from insider behaviour continue. Recent IS security research, primarily grounded on assumptions of employees' rational assessment of numerous factors, has yielded inconsistent results. Challenging this paradigm, we model secure behaviour on security knowledge mechanisms, which focuses on the multidimensional nature of security knowledge breadth, depth and finesse to represent the full array of managerial levers. We further draw on construal level theory to conceptualise users' perceptual judgements of security messages. Two studies support our model, with the second building on the first. Study 1, an experiment with 312 participants, focused on validating the treatments. Study 2, a survey with 219 participants, validated the entire model. Results showed that our model has significantly more explanatory and predictive power than the orthodox paradigm. Our results have practical implications for optimising the organisation of knowledge mechanisms by emphasising the personal relevance of threats and defining the factors that lead to secure behaviour. We also contribute to the discourse on information security research and provide a template for integrating theories, thus opening new avenues for future research.

information science & library science

Kuang-Ming Kuo,Paul C. Talley,Dyi-Yih Michael Lin

DOI: https://doi.org/10.1177/00469580211029599

2021-01-01

Abstract:Information security has come to the forefront as an organizational priority since information systems are considered as some of the most important assets for achieving competitive advantages. Despite huge capital expenditures devoted to information security, the occurrence of security breaches is still very much on the rise. More studies are thus required to inform organizations with a better insight on how to adequately promote information security. To address this issue, this study investigates important factors influencing hospital staff’s adherence to Information Security Policy (ISP). Deterrence theory is adopted as the theoretical underpinning, in which punishment severity and punishment certainty are recognized as the most significant predictors of ISP adherence. Further, this study attempts to identify the antecedents of punishment severity and punishment certainty by drawing from upper echelon theory and well-acknowledged international standards of IS security practices. A survey approach was used to collect 299 valid responses from a large Taiwanese healthcare system, and hypotheses were tested by applying partial least squares-based structural equation modeling. Our empirical results show that Security Education, Training, and Awareness (SETA) programs, combined with internal auditing effectiveness are significant predictors of punishment severity and punishment certainty, while top management support is not. Further, punishment severity and punishment certainty are significant predictors of hospital staff’s ISP adherence intention. Our study highlights the importance of SETA programs and internal auditing for reinforcing hospital staff’s perceptions on punishment concerning ISP violation, hospitals can thus propose better internal strategies to improve their staff’s ISP compliance intention accordingly.

Aristotle Onumo,Irfan Ullah-Awan,Andrea Cullen

DOI: https://doi.org/10.1145/3424282

2021-06-01

ACM Transactions on Management Information Systems

Abstract:The increase in cybersecurity threats and the challenges for organisations to protect their information technology assets has made adherence to organisational security control processes and procedures a critical issue that needs to be adequately addressed. Drawing insight from organisational theory literature, we develop a multi-theory model, combining the elements of the theory of planned behaviour, competing value framework, and technology—organisational and environmental theory to examine how the organisational mechanisms interact with espoused cultural values and employee cognitive belief to influence cybersecurity control procedures. Using a structured questionnaire, we deployed structural equation modelling (SEM) to analyse the survey data obtained from public sector information technology organisations in Nigeria to test the hypothesis on the relationship of socio-organisational mechanisms and techno-cultural factors with other key determinants of employee security behaviour. The results showed that knowledge of cybersecurity and employee cognitive belief significantly influence the employees’ intentions to comply with organisational cybersecurity control mechanisms. The research further noted that the influence of organisational elements such as leadership on employee security behaviour is mediated by espoused cultural values while the impact of employee cognitive belief is moderated by security technologies. For effective cybersecurity compliance, leaders and policymakers are therefore to promote organisational security initiatives that ensure incorporation of cybersecurity principles and practices into job descriptions, routines, and processes. This study contributes to behavioural security research by highlighting the critical role of leadership and cultural values in fostering organisational adherence to prescribed security control mechanisms.

Jie Zhen,Kunxiang Dong,Zongxiao Xie,Lin Chen

DOI: https://doi.org/10.3390/electronics11213458

IF: 2.9

2022-01-01

Electronics

Abstract:This study aims to identify and examine factors influencing employees' information security awareness (ISA) in the telework environment. Specifically, the authors identify and examine the influence factors rooted in the knowledge-attitude-behavior (KAB) model (i.e., knowledge, attitude, and behavior) and knowledge inertia theory (i.e., experience and learning inertia). This study uses online survey data from 305 employees who have telework experience. We apply the structural equation modeling technique to assess the proposed research model. This research is among the pioneering studies that identify and examine the factors influencing employees' ISA in the telework environment. Our study is also one of the first to investigate antecedents to employees' ISA rooted in the KAB model and knowledge inertia theory in a telework environment. Results show that employees' ISA in the telework environment is significantly influenced by their knowledge, behavior toward following security guidelines, and learning inertia, whereas attitude and experience inertia have no significant effect on employees' ISA.

Mansour Naser Alraja,Usman Javed Butt,Maysam Abbod

DOI: https://doi.org/10.1016/j.cose.2023.103208

IF: 5.105

2023-06-01

Computers & Security

Abstract:Information security threats have a severe negative impact on enterprises. Organizations rely on employee compliance with information security policies to eliminate or reduce these hazards. The Unified Model of Information Security Policies Compliance (UMISPC) is employed to identify the factors that may affect employees' intention towards compliance with information systems security policy and reactance in a global setting. The study was assessed in two phases. The model's validity and measurement reliability were evaluated in the first phase, while in the second phase, all preliminary model relationships were appraised. This was achieved utilizing structural equation modelling to establish whether the proposed constructs, i.e. neutralization, response efficacy, fear, threat, habit and role values were good predictors for intention or reactance towards compliance with information systems security policy. Participants included 348 employees from 7 nations, i.e. the USA, the UK, Oman, India, Pakistan, Malaysia, and the Philippines. SmartPLS v. 3.3.9 was used for data analysis. The models' measurement reliability and validity were affirmed. Fear and role values have a significant influence on intention toward ISPC. RE significantly predicted threat which in turn significantly predicted fear, and the latter demonstrated a significant effect on reactance as well as Neutralization predicted reactance. In contrast, habit failed to reach a significant influence on intention towards ISPC. The implications are presented, together with proposals for further studies. Our findings are helpful for ISS literature and application by supporting the crucial functions of role values in encouraging employees to behave in a compliant manner. Additionally, it is regarded as the first empirical attempt to estimate intended compliance concerning ISPs in higher education from a worldwide viewpoint.

computer science, information systems

John D'Arcy,Paul Benjamin Lowry

DOI: https://doi.org/10.1111/isj.12173

IF: 7.767

2017-11-08

Information Systems Journal

Abstract:We present a model of employee compliance with information security policy (ISP) that (1) explicates stable, cognitive beliefs regarding the consequences of compliance and noncompliance as well as state‐based affective constructs, namely, positive and negative mood states and episodic, security‐related work‐impediment events, and (2) provides an expanded conceptualisation of moral considerations and normative influences regarding employees' ISP compliance. Because affect is central to this theorisation, we ensure that the model captures and explains differences in day‐to‐day affective constructs to account for the often fleeting nature of affective states. We test our multilevel model using an experience‐sampling methodology design, in which employees completed daily surveys over a 2‐week period, followed by a hierarchal linear modelling statistical assessment. Our contribution to theory is a unique account of ISP compliance that integrates affective factors with constructs from rational choice theory and theory of planned behaviour and that diverges from prior conceptualisations of ISP compliance as a purely stable and reason‐based phenomenon. For practitioners, our results suggest that a combination of cognitive and affective influences may produce discrete episodes of ISP compliance that do not coincide with prior behavioural trends.

information science & library science

Han Li,R. Sarathy,Jie Zhang,X. Luo

DOI: https://doi.org/10.1111/isj.12037

IF: 7.767

2014-11-01

Information Systems Journal

Abstract:Internet security risks, the leading security threats confronting today's organizations, often result from employees' non‐compliance with the internet use policy (IUP). Extant studies on compliance with security policies have largely ignored the impact of intrinsic motivation on employees' compliance intention. This paper proposes a theoretical model that integrates an intrinsic self‐regulatory approach with an extrinsic sanction‐based command‐and‐control approach to examine employees' IUP compliance intention. The self‐regulatory approach centers on the effect of organizational justice and personal ethical objections against internet abuses. The results of this study suggest that the self‐regulatory approach is more effective than the sanction‐based command‐and‐control approach. Based on the self‐regulatory approach, organizational justice not only influences IUP compliance intention directly but also indirectly through fostering ethical objections against internet abuses. This research provides empirical evidence of two additional effective levers for enhancing security policy compliance: organizational justice and personal ethics.

Computer Science

Derrick Ganye,Kane Smith

DOI: https://doi.org/10.1108/intr-04-2023-0329

IF: 5.9

2024-05-25

Internet Research

Abstract:Purpose Enforcing employee compliance with information systems security policies (ISSP) is a herculean task for organizations as security breaches due to non-compliance continue to soar. To improve this situation, researchers have employed fear appeals that are based on protection motivation theory (PMT) to induce compliance behavior. However, extant research on fear appeals has yielded mixed findings. To help explain these mixed findings, the authors contend that efficacy formation is a cognitive process that is impacted by the cognitive load exerted by the design of fear appeal messages. Design/methodology/approach The study draws on cognitive load theory (CLT) to examine the effects of intrinsic cognitive load, extraneous cognitive load and germane cognitive load on stimulating an individual's efficacy and coping appraisals. The authors designed a survey to collect data from 359 respondents and tested the model using partial least squares. Findings The analysis showed significant relationships between cognitive load (intrinsic, extraneous, and germane) and fear, maladaptive rewards, response costs, self-efficacy and response efficacy. Originality/value This provides support for the assertion that fear appeals impact the cognitive processes of individuals that then in turn can potentially affect the efficacy of fear and coping appraisals. These findings demonstrate the need to further investigate how individual cognition is impacted by fear appeal design and the resulting effects on compliance intention and behavior.

computer science, information systems,telecommunications,business