INFORMATION SECURITY POLICY COMPLIANCE: AN EMPIRICAL STUDY OF RATIONALITY-BASED BELIEFS AND INFORMATION SECURITY AWARENESS

被引:4
作者
Bulgurcu, Burcu [1 ]
Cavusoglu, Hasan [1 ]
Benbasat, Izak [1 ]
机构
[1] Univ British Columbia, Sauder Sch Business, Vancouver, BC V6T 1Z2, Canada
关键词
Information security awareness; information security management; compliance; information security policy; behavioral issues of information security; theory of planned behavior; SYSTEMS SECURITY; PROTECTION MOTIVATION; PLANNED BEHAVIOR; SELF-EFFICACY; CHOICE; TECHNOLOGY; MANAGEMENT; MODEL; DETERRENCE; PUNISHMENT;
D O I
暂无
中图分类号
TP [自动化技术、计算机技术];
学科分类号
0812 ;
摘要
Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be great assets in the effort to reduce risk related to information security. Since employees who comply with the information security rules and regulations of the organization are the key to strengthening information security, understanding compliance behavior is crucial for organizations that want to leverage their human capital. This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization's information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee's attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee's attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee's outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards, while cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee's attitude toward compliance with the ISP. Our results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee's attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees' following their organizations' information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.
引用
收藏
页码:523 / 548
页数:26
相关论文
共 50 条
[31]   Impact of information security awareness on information security compliance of academic library staff in Turkiye [J].
Kavak, Ali .
JOURNAL OF ACADEMIC LIBRARIANSHIP, 2024, 50 (05)
[32]   Technostress and its influence on employee information security policy compliance [J].
Nasirpouri Shadbad, Forough ;
Biros, David .
INFORMATION TECHNOLOGY & PEOPLE, 2022, 35 (01) :119-141
[33]   Factors Impacting Users' Compliance with Information Security Policies: An Empirical Study [J].
Alzahrani, Latifa .
INTERNATIONAL JOURNAL OF ADVANCED COMPUTER SCIENCE AND APPLICATIONS, 2021, 12 (10) :437-447
[34]   Organizations' Information Security Policy Compliance: Stick or Carrot Approach? [J].
Chen, Yan ;
Ramamurthy, K. ;
Wen, Kuang-Wei .
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS, 2012, 29 (03) :157-188
[35]   Integrating Cognition with an Affective Lens to Better Understand Information Security Policy Compliance [J].
Ormond, Dustin ;
Warkentin, Merrill ;
Crossler, Robert E. .
JOURNAL OF THE ASSOCIATION FOR INFORMATION SYSTEMS, 2019, 20 (12) :1794-1843
[36]   The Formulation of Comprehensive Information Security Culture Dimensions for Information Security Policy Compliance Study [J].
Nasir, Akhyari ;
Arshah, Ruzaini Abdullah ;
Ab Hamid, Mohd Rashid .
ADVANCED SCIENCE LETTERS, 2018, 24 (10) :7690-7695
[37]   Information Security Policy Compliance: Systematic Literature Review [J].
Angraini ;
Alias, Rose Alinda ;
Okfalisa .
FIFTH INFORMATION SYSTEMS INTERNATIONAL CONFERENCE, 2019, 161 :1216-1224
[38]   Impact of employees' demographic characteristics on the awareness and compliance of information security policy in organizations [J].
Chua, Hui Na ;
Wong, Siew Fan ;
Low, Yeh Ching ;
Chang, Younghoon .
TELEMATICS AND INFORMATICS, 2018, 35 (06) :1770-1780
[39]   Exploring factors that influence information security awareness implementation and maintenance [J].
Beranek, Ladislav .
PROCEEDINGS OF THE 11TH INTERNATIONAL CONFERENCE ON STRATEGIC MANAGEMENT AND ITS SUPPORT BY INFORMATION SYSTEMS, 2015, :348-355
[40]   Nurse Information Security Policy Compliance, Information Competence, and Information Security Attitudes Predict Information Security Behavior [J].
Kang, Purum ;
Kang, Jiwon ;
Monsen, Karen A. .
CIN-COMPUTERS INFORMATICS NURSING, 2023, 41 (08) :595-602