Generally Speaking, Context Matters: Making the Case for a Change from Universal to Particular ISP Research

Cited by: 29
Authors
Aurigemma, Sal [1 ]
Mattson, Thomas [2 ]
Affiliations
[1] Univ Tulsa, Tulsa, OK 74104 USA
[2] Univ Richmond, Richmond, VA 23173 USA
Source
JOURNAL OF THE ASSOCIATION FOR INFORMATION SYSTEMS | 2019 / Vol. 20 / No. 12
Keywords
Universalism; Particularism; Theory of Planned Behavior; Protection Motivation Theory; Deterrence Theory; Rational Choice Theory; Behavioral Information Security; Compliance; PROTECTION-MOTIVATION THEORY; SECURITY POLICY COMPLIANCE; INFORMATION-SYSTEMS RESEARCH; INTERNET SECURITY; RESEARCH DESIGN; FEAR APPEALS; BEHAVIORS; MODEL; TECHNOLOGY; DETERRENCE;
DOI
10.17705/1jais.00583
Chinese Library Classification
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract
The objective of our paper is to conceptually and empirically challenge the idea of general information security policy (ISP) compliance. Conceptually, we argue that general ISP compliance is an ill-defined concept that has minimal theoretical usefulness because the policy-directed security actions vary considerably from threat to threat in terms of time, difficulty, diligence, knowledge, and effort. Yet, our senior IS scholars' basket of journals has a strong preference to publish models in which the authors speculate that their findings are generalizable across all (or many) threats and controls contained in an organization's ISP document. In our paper, we argue that compliance with each of the mandatory threat-specific security actions may require different (as opposed to similar) explanatory models, which makes constructing a universal model of ISP compliance problematic. Therefore, we argue that future ISP compliance literature will be more valuable if it focuses on the mechanisms, treatments, and behavioral antecedents associated with the required actions around specific threats instead of attempting to build a model that purportedly covers all (or many) threat-specific security actions (or intentions thereof). To support this claim empirically, we conducted two studies comparing general compliance intentions (i.e., undefined security action) and threat-specific compliance intentions. In both studies, our data show that compliance intentions vary significantly across general compliance measures and multiple threat-specific security measures or scenarios. Our results indicate that it is problematic to generalize about the behavioral antecedents from general compliance intentions to threat-specific security compliance intentions, from one threat-specific security action to other threat-specific security actions, and from one threat-specific security action to general compliance intentions.
Pages: 1700 / 1742
Page count: 43