Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Xiaofeng Chen,Liqiang Chen,Dazhong Wu

DOI: https://doi.org/10.1080/08874417.2016.1258679

2016-12-27

Journal of Computer Information Systems

Abstract:Information security policy (ISP) plays an important role in information security management in organizations. Past research investigated various factors that may impact employee behavior toward security policy compliance from the perspective of general deterrence theory (GDT), protection and motivation Theory (PMT), and rational choice theory (RCT). However, there is no unifying foundation/framework that examines all of those factors in a harmonic way so that the research findings can guide information security practices and research into the employee ISP compliance management context. Additionally, prior findings provided mixed results. This study proposes a research model based on the awareness-motivation-capability (AMC) framework, aiming to unify the factors to predict employee ISP compliance intention. We believe that a harmonic approach in managing employee ISP compliance can create optimal outcomes.

computer science, information systems

John D'Arcy,Paul Benjamin Lowry

DOI: https://doi.org/10.1111/isj.12173

IF: 7.767

2017-11-08

Information Systems Journal

Abstract:We present a model of employee compliance with information security policy (ISP) that (1) explicates stable, cognitive beliefs regarding the consequences of compliance and noncompliance as well as state‐based affective constructs, namely, positive and negative mood states and episodic, security‐related work‐impediment events, and (2) provides an expanded conceptualisation of moral considerations and normative influences regarding employees' ISP compliance. Because affect is central to this theorisation, we ensure that the model captures and explains differences in day‐to‐day affective constructs to account for the often fleeting nature of affective states. We test our multilevel model using an experience‐sampling methodology design, in which employees completed daily surveys over a 2‐week period, followed by a hierarchal linear modelling statistical assessment. Our contribution to theory is a unique account of ISP compliance that integrates affective factors with constructs from rational choice theory and theory of planned behaviour and that diverges from prior conceptualisations of ISP compliance as a purely stable and reason‐based phenomenon. For practitioners, our results suggest that a combination of cognitive and affective influences may produce discrete episodes of ISP compliance that do not coincide with prior behavioural trends.

information science & library science

Ying Li,Ting Pan,Nan Zhang,Nan (Andy) Zhang

DOI: https://doi.org/10.1108/jeim-01-2019-0018

2019-09-23

Journal of Enterprise Information Management

Abstract:Purpose This paper is to investigate how employees respond to information security policies (ISPs) when they view the policies as a challenge rather than a hindrance to work. Specifically, the authors examine the roles of challenge security demands (i.e. continuity and mandatory) and psychological resources (i.e. personal and job resources) in influencing employees’ ISP non-compliance. Design/methodology/approach Applying a hypothetical scenario-based survey method, the authors tested our proposed model in six typical ISPs violation scenarios. In sum, 347 responses were collected from a global company. The data were analyzed using partial least square-based structural equation model. Findings Findings indicated that continuity and mandatory demands increased employees’ level of perseverance of effort, which, in turn, decreased their ISPs non-compliance intention. In addition, job resources, such as the trust enhancement gained from co-workers and the opportunities for professional development, enhanced the perseverance of effort. Practical implications The findings offer implications to practice by suggesting that organizations should design training programs to persuade employees to understand the ISPs in a positive way. Meanwhile, organizations should encourage employees to invest more personal resources by creating a trusting atmosphere and providing them opportunities to learn security knowledge and skills. Originality/value This study is among the few to empirically explore how employees respond and behave when they view the security policies as challenge stressors. The paper also provides a novel understanding of how psychological resources contribute to buffering ISP non-compliance.

information science & library science,management

Mansour Naser Alraja,Usman Javed Butt,Maysam Abbod

DOI: https://doi.org/10.1016/j.cose.2023.103208

IF: 5.105

2023-06-01

Computers & Security

Abstract:Information security threats have a severe negative impact on enterprises. Organizations rely on employee compliance with information security policies to eliminate or reduce these hazards. The Unified Model of Information Security Policies Compliance (UMISPC) is employed to identify the factors that may affect employees' intention towards compliance with information systems security policy and reactance in a global setting. The study was assessed in two phases. The model's validity and measurement reliability were evaluated in the first phase, while in the second phase, all preliminary model relationships were appraised. This was achieved utilizing structural equation modelling to establish whether the proposed constructs, i.e. neutralization, response efficacy, fear, threat, habit and role values were good predictors for intention or reactance towards compliance with information systems security policy. Participants included 348 employees from 7 nations, i.e. the USA, the UK, Oman, India, Pakistan, Malaysia, and the Philippines. SmartPLS v. 3.3.9 was used for data analysis. The models' measurement reliability and validity were affirmed. Fear and role values have a significant influence on intention toward ISPC. RE significantly predicted threat which in turn significantly predicted fear, and the latter demonstrated a significant effect on reactance as well as Neutralization predicted reactance. In contrast, habit failed to reach a significant influence on intention towards ISPC. The implications are presented, together with proposals for further studies. Our findings are helpful for ISS literature and application by supporting the crucial functions of role values in encouraging employees to behave in a compliant manner. Additionally, it is regarded as the first empirical attempt to estimate intended compliance concerning ISPs in higher education from a worldwide viewpoint.

computer science, information systems

Chao-Min Chiu,Hsiang-Lan Cheng,Jack Shih-Chieh Hsu,Chiew Mei Tan,Chiung Hui Huang

DOI: https://doi.org/10.1080/10447318.2024.2422757

IF: 4.92

2024-11-20

International Journal of Human-Computer Interaction

Abstract:Drawing upon the attitude theory, this study theorizes that commitment affects loafing behaviors and ISP compliance. Further, drawing upon the transfer theory, this study adopts the concepts of loafing and commitment transfer in order to explore whether social loafing will enhance employee cyberloafing and whether organizational commitment can enhance ISP commitment, both of which, in turn, influence ISP compliance intention. This study utilized structural equation modeling (SEM) to analyze survey data collected in July 2023 from 361 Taiwanese individuals affiliated with organizations or companies. The results show that social loafing has a strong positive effect on cyberloafing, which, in turn, has a strong negative effect on ISP compliance intention. Organizational commitment has a strong positive effect on ISP commitment, which, in turn, has a strong positive effect on ISP compliance intention. In addition, distortion of consequences moderates the relationship between social loafing and cyberloafing. Advantageous comparison moderates the relationship between cyberloafing and ISP compliance intention.

computer science, cybernetics,ergonomics

Xue Yang,Wei T. Yue,Choon Lin Sia

DOI: https://doi.org/10.1007/978-3-642-29873-8_17

2012-01-01

Abstract:IS security policy is one of the essential tools to ensure the secure use of information systems and technological assets. To enhance the effectiveness of policy implementation, organizations rely on security training, education and awareness (STEA) programs to help employees understand the IS security issues of the organization. However, different levels of STEA informativeness may have conflicting effects on employees' compliance decisions. In addition, the urgency of a task may also lead employees to abandon the compliance decision occasionally. The existing corporate information security policy (ISP) could also serve as a deterrence message that would influence compliance decisions. An experimental survey was conducted to examine this phenomenon and test the related hypotheses. The results of this study can be used to inform and guide researchers and practitioners as to how to better enforce an IS security policy through better implementation of STEA programs and improved design of ISP in different task scenarios.

Maurizio Cavallari

DOI: https://doi.org/10.36941/ajis-2023-0151

2023-11-05

Academic Journal of Interdisciplinary Studies

Abstract:In the advanced field of Information and Communication Technology (ICT) within modern corporate frameworks, the pressing issue of non-compliance becomes increasingly crucial. Achieving the ideal balance—where one fosters consistent employee commitment without resorting to overly harsh penalties for possible violations—presents a complex problem. Such a nuanced relationship calls for a synchronized coordination among the company’s underlying factors, the principles of the Information Security Plan (ISP), and overarching compliance mandates. As companies step into a period where digital environments are in constant flux, the importance of securing information systems rises to a critical level. Against this backdrop, compliance stands out as a vital component, functioning as a stringent safeguard in the ongoing mission to protect precious digital assets—a mission comprehensively detailed within the ISP. This in-depth academic study sets out to rigorously explore and scrutinize the diverse opinions and beliefs of committed employees and insightful management concerning unwavering company alignment with the ISP. This is accomplished by defining a construct that centers on key dimensions: Organizational Culture, Personal Attitudes, Actors, Behavioral Intentions, and Motivational Dynamics. Eleven Hypotheses are outlined and represent the materialisation of the model. This model form a starting point from which future empirical exploration will be able to take place, propelling us towards a deeper understanding of the phenomena under scrutiny. Received: 15 September 2023 / Accepted: 23 October 2023 / Published: 5 November 2023

Jiaqing Zhao,Yuxiang Hong,Wenqing Chen,Chouyong Chen

DOI: https://doi.org/10.1080/08874417.2024.2403571

2024-09-19

Journal of Computer Information Systems

Abstract:Combining cognitive and affective influences, as well as considering role-breadth constructs is critical to the study of employees' information security policy (ISP) compliance. This paper presents an improved model by integrating psychological capital (PsyCap), psychological ownership (PsyOwn), and the theory of planned behavior (TPB) based on the Conservation of Resources (COR) theory. A valid sample of 382 Chinese employees was used for model testing. The results imply that PsyCap is an important motivational antecedent to the cognitive decision-making processes theorized by the TPB. Also, PsyOwn moderates the effect of PsyCap on subjective norms, along with ISP compliance attitudes and behavioral intentions. Finally, theoretical contributions and managerial implications are addressed.

computer science, information systems

Soohyun Jeon,Insoo Son,Jinyoung Han

DOI: https://doi.org/10.1108/itp-05-2018-0256

2020-05-12

Information Technology and People

Abstract:Purpose Employee compliance with information system security policies (ISSPs) has been emphasized as a key factor in protecting information assets against insider threats. Even though previous studies have identified extrinsic factors (in the form of external pressure, rewards and social norms) influencing employee compliance, the functioning of employees' intrinsic motivation has not been clearly analyzed. Thus, the aim of this study is to explore the influence of intrinsic motivations on employees' ISSP compliance. Design/methodology/approach This study follows a survey approach and conducts structural equation modeling using WarpPLS 5.0 to test the research model and hypotheses. The survey respondents are users of an enterprise digital rights management (EDRM) system. Findings The analysis results demonstrate that work impediments, perceived responsibility and self-efficacy significantly influence the intention to comply with ISSP. Additionally, autonomy significantly affects self-efficacy and perceived responsibility. Furthermore, autonomy plays a moderating role in the relationship between work impediment and ISSP compliance intentions. Originality/value This study initiatively explores the effect of intrinsic motivations on ISSP compliance intention of employees for a specific information security system (i.e. the EDRM system). This study clarifies the enabling role of intrinsic motivations in ISSP compliance and helps organizations to understand that employee's self-motivated intention, i.e. autonomy, is an essential factor that achieves a higher level of ISSP compliance in the workplace.

information science & library science

Adel Yazdanmehr,Jingguo Wang

DOI: https://doi.org/10.1080/0960085X.2021.1980444

2021-09-23

European Journal of Information Systems

Abstract:Peers may help others avoid violating organisational information security policies (ISPs). This study explores how peer monitoring reduces employee ISP violation intention. We propose that peer monitoring discourages employees from violating ISP. Moreover, trust plays an important role. Trust not only facilitates peer monitoring, but also moderates the effect of peer monitoring on employee ISP violation intention. In addition, collective responsibility leads to peer monitoring. We test our research model with data from two waves of surveys of 254 employees in the United States conducted two weeks apart. We utilise four scenarios in the second wave of surveys capturing the dependent variable and measure all other constructs in the first wave of surveys. Our results suggest that peer monitoring decreases one's intention to violate ISPs. Furthermore, both collective responsibility and trust contribute to peer monitoring. Finally, trust amplifies the effect of peer monitoring on employees' intention to violate ISPs. We discuss the theoretical contributions and practical implications.

information science & library science,management,computer science, information systems

Nirav Ajmeri,Shubham Goyal,Munindar P. Singh

DOI: https://doi.org/10.48550/arXiv.2003.11170

2020-03-25

Multiagent Systems

Abstract:Many cybersecurity breaches occur due to users not following good cybersecurity practices, chief among them being regulations for applying software patches to operating systems, updating applications, and maintaining strong passwords. We capture cybersecurity expectations on users as norms. We empirically investigate sanctioning mechanisms in promoting compliance with those norms as well as the detrimental effect of sanctions on the ability of users to complete their work. We realize these ideas in a game that emulates the decision making of workers in a research lab. Through a human-subject study, we find that whereas individual sanctions are more effective than group sanctions in achieving compliance and less detrimental on the ability of users to complete their work, individual sanctions offer significantly lower resilience especially for organizations comprising risk seekers. Our findings have implications for workforce training in cybersecurity.

Carlos I. Torres,Robert E. Crossler

DOI: https://doi.org/10.1287/isre.2021.0563

IF: 4.9

2024-07-01

Information Systems Research

Abstract:Organizations worldwide face critical concerns related to cybersecurity threats and information security policy (ISP) compliance. Even though humans are the weakest link in the cybersecurity chain, information security professionals understand the importance of promoting individual information security behaviors because employees are also the first line of defense against ever-increasing cyber threats. Despite a recent trend of working from home, organizations do not make significant differences in their information security interventions for remote workers, relying mainly on VPNs as the only used tool, essentially making employees follow in-office standard information security policies because they are “virtually in-office.” Our study suggests that organizations need to recognize the unique context of remote work and consider personal motivations when shaping information security practices. Furthermore, our study indicates that in order to motivate remote employees to follow secure information security practices, organizations should consider personal characteristics instead of focusing on generic interventions. For instance, our study compares onsite and remote workers, suggesting that personal values are more relevant in remote work settings. Our findings exemplify just one of the many potential personal characteristics to be considered, highlighting how personal values are important motivators for ISP compliance and how they differ for onsite and remote workers in their importance when following information security rules.

information science & library science,management

Alex Koohang,Alojzy Nowak,Joanna Paliszkiewicz,Jeretta Horn Nord

DOI: https://doi.org/10.1080/08874417.2019.1668738

2019-12-19

Journal of Computer Information Systems

Abstract:The purpose of this study was to find out which one of the four selected predictor variables, i.e., leadership, trusting beliefs, role values, and information security policy awareness are most influential in predicting employees' intention to comply with organizational information security policy. An instrument with five constructs was administered to subjects from a higher-education university in the USA. Collected data were methodically examined through multiple regression analysis. Results indicated that all four predictor variables were influential in predicting employees' intention to comply with organizational information security policy requirements. Implications of the findings are discussed and recommendations for future research are made.

computer science, information systems

Wenqin Li,Rongmin Liu,Linhui Sun,Zigu Guo,Jie Gao

DOI: https://doi.org/10.3390/ijerph192316038

IF: 4.614

2022-12-01

International Journal of Environmental Research and Public Health

Abstract:Employee security compliance behavior has become an important safeguard to protect the security of corporate information assets. Focusing on human factors, this paper discusses how to regulate and guide employees' compliance with information security systems through effective methods. Based on protection motivation theory (PMT), a model of employees' intention to comply with the information security system was constructed. A questionnaire survey was adopted to obtain 224 valid data points, and SPSS 26.0 was applied to verify the hypotheses underlying the research model. Then, based on the results of a regression analysis, fuzzy set qualitative comparative analysis (fsQCA) was used to explore the conditional configurations that affect employees' intention to comply with the information security system from a holistic perspective. The empirical results demonstrated that perceived severity, perceived vulnerability, response efficacy, and self-efficacy all positively influenced the employees' intention to comply with the information security system; while rewards and response costs had a negative effect. Threat appraisal had a greater effect on employees' intention to comply with the information security system compared to response appraisal. The fsQCA results showed that individual antecedent conditions are not necessary to influence employees' intention to comply with an information security system. Seven pathways exist that influence an employees' intention to comply with an information security system, with reward, self-efficacy, and response cost being the core conditions having the highest probability of occurring in each configuration of pathways, and with perceived severity and self-efficacy appearing in the core conditions of configurations with an original coverage greater than 40%. Theoretically, this study discusses the influence of the elements of PMT on employees' intention to comply with an information security system, reveals the mechanism of influence of the combination of the influencing factors on the outcome variables, and identifies the core factors and auxiliary factors in the condition configurations, providing a new broader perspective for the study of information security compliance behavior and providing some theoretical support for strengthening enterprise security management. Practically, targeted suggestions are proposed based on the research results, to increase the intention of enterprise employees to comply with information security systems, thereby improving the effectiveness of enterprise information security management and the degree of information security in enterprises.

public, environmental & occupational health,environmental sciences

Daeun Lee,Harjinder Singh Lallie,Nadine Michaelides

2023-07-06

Abstract:Despite the rapid rise in social engineering attacks, not all employees are as compliant with information security policies (ISPs) to the extent that organisations expect them to be. ISP non-compliance is caused by a variety of psychological motivation. This study investigates the effect of psychological contract breach (PCB) of employees on ISP compliance intention (ICI) by dividing them into intrinsic and extrinsic motivation using the theory of planned behaviour (TPB) and the general deterrence theory (GDT). Data analysis from UK employees (\textit{n=206}) showed that the higher the PCB, the lower the ICI. The study also found that PCBs significantly reduced intrinsic motivation (attitude and perceived fairness) for ICI, whereas PCBs did not moderate the relationship between extrinsic motivation (sanction severity and sanctions certainty) and ICI. As a result, this study successfully addresses the risks of PCBs in the field of IS security and proposes effective solutions for employees with high PCBs.

Computers and Society

Ahmed Alkalbani,Hepu Deng,Booi Kam

DOI: https://doi.org/10.48550/arXiv.1606.00875

2016-05-28

Computers and Society

Abstract:The increase reliance on information systems has created unprecedented challenges for organizations to protect their critical information from different security threats that have direct consequences on the corporate liability, loss of credibility, and monetary damage. As a result, the security of information has become a top priority in many organizations. This study investigates the role of socio-organizational factors by drawing the insights from the organizational theory literature in the adoption of information security compliance in organizations. Based on the analysis of the survey data collected from 294 employees from different organizations, the study indicates management commitment, awareness and training, accountability, technology capability, technology compatibility, processes integration, and audit and monitoring have a significant positive impact on the adoption of information security compliance in organizations. The study contributes to the information security compliance research by exploring the criticality of socio-organizational factors at the organizational level for information security compliance.

Adel Yazdanmehr,Yuan Li,Jingguo Wang

DOI: https://doi.org/10.1080/0960085X.2022.2099767

2022-07-24

European Journal of Information Systems

Abstract:Past research suggests that the demands of information security policies (ISPs) cause stress upon employees, leading them to violate the policies. It emphasises the distress process but overlooks a possible positive process that may arise from the ISP demands (i.e., the eustress process) and motivate employees to reduce ISP violations. This study explores both the distress and eustress processes. It proposes that the challenge and hindrance aspects of ISP demands induce these processes and subsequently affect ISP violations. Besides, employees' ISP-related self-efficacy may facilitate or impede these processes. To test the research model, a survey was conducted on 375 employees in the U.S. The results show that the challenge aspect of ISP demands elicits a positive psychological response of employees, which in turn triggers their planful problem-solving to deal with these demands. In contrast, the hindrance aspect of ISP demands provokes a negative psychological response that triggers employees' wishful thinking about ISP demands. Meanwhile, employees' self-efficacy strengthens the effect of positive psychological response on planful problem-solving. Subsequently, planful problem-solving reduces employees' intention to violate the ISP, while wishful thinking increases their intention. This dual-process view sheds new light on the connection between ISP demands and ISP violation intention.

information science & library science,management,computer science, information systems

Aristotle Onumo,Irfan Ullah-Awan,Andrea Cullen

DOI: https://doi.org/10.1145/3424282

2021-06-01

ACM Transactions on Management Information Systems

Abstract:The increase in cybersecurity threats and the challenges for organisations to protect their information technology assets has made adherence to organisational security control processes and procedures a critical issue that needs to be adequately addressed. Drawing insight from organisational theory literature, we develop a multi-theory model, combining the elements of the theory of planned behaviour, competing value framework, and technology—organisational and environmental theory to examine how the organisational mechanisms interact with espoused cultural values and employee cognitive belief to influence cybersecurity control procedures. Using a structured questionnaire, we deployed structural equation modelling (SEM) to analyse the survey data obtained from public sector information technology organisations in Nigeria to test the hypothesis on the relationship of socio-organisational mechanisms and techno-cultural factors with other key determinants of employee security behaviour. The results showed that knowledge of cybersecurity and employee cognitive belief significantly influence the employees’ intentions to comply with organisational cybersecurity control mechanisms. The research further noted that the influence of organisational elements such as leadership on employee security behaviour is mediated by espoused cultural values while the impact of employee cognitive belief is moderated by security technologies. For effective cybersecurity compliance, leaders and policymakers are therefore to promote organisational security initiatives that ensure incorporation of cybersecurity principles and practices into job descriptions, routines, and processes. This study contributes to behavioural security research by highlighting the critical role of leadership and cultural values in fostering organisational adherence to prescribed security control mechanisms.

Randi Jiang,Jianru Zhang

DOI: https://doi.org/10.1016/j.cose.2023.103253

Abstract:As businesses have had to change how they operate due to the coronavirus pandemic, the need for remote work has risen. With the continuous advancements in technology and increases in typical job demands, employees need to increase their work productivity beyond regular work hours in the office. This type of work environment creates even more opportunities for security breaches due to employees intentionally violating information security policy violations. Although explicitly prohibited by information security policies (ISP), organizations have observed that employees bring critical data out of the office to complete their work responsibilities remotely. Consequently, developing a deeper understanding of how work pressure may influence employees to violate ISPs intentionally is crucial for organizations to protect their critical information better. Based upon the fraud triangle theory, this study proposes the opportunity to copy critical data, work pressure, and work completion justification as the primary motivational factors behind why employees copy critical company data to unsecured storage devices to work at home. A survey was conducted of 207 employees from a marketing research firm. The results suggest that opportunity, work pressure, and work completion justification are positively related to nonmalicious ISP violation intentions. Furthermore, the interaction effect between work completion justification and work pressure on the ISP violation intention is significant and positive. This study provides new insights into our understanding of the roles of work pressure and work completion justification on intentional nonmalicious ISP violation behaviors.