From the weakest link to the best defense: exploring the factors that affect employee intention to comply with information security policies

Aurigemma, Salvatore
Information and information systems have become embedded in the fabric of contemporary organizations throughout the world. As reliance on information technology has increased, so too have the threats to organizational information resources and the costs of protecting them. To counter these threats, organizations rely on information security policies to guide employee actions. Unfortunately, employee violations of such policies are common and costly enough that users are often considered the weakest link in information security. The challenge for researchers and practitioners alike is to help transform employees from the weakest link into the best line of information security defense. Building on recent empirical research in behavioral compliance with information security policies, this study provides a composite theoretical framework that captures the key factors shown to affect an employee's behavioral intent to comply with such policies. The framework is tested and validated in a real organizational context that employs a robust and well-defined set of information security policies, a first in this burgeoning line of research. This study also evaluates how behavioral intent to follow security policies varies between the general case of information security policy compliance and specific guidance for three common security threats. The study found that the primary factors affecting behavioral intent (subjective norms, organizational commitment, attitude, perceived behavioral control, and self-efficacy) had strong, positive relationships with intent to comply with information security policies when examined at the level of general compliance. However, when the factors affecting behavioral intent and attitude toward a security behavior were evaluated for specific information security threat contexts, the importance and significance of individual factors varied greatly.

These results indicate that threat context plays an essential role in clarifying the roles of specific behavioral antecedents; there may be limited value in future research that focuses only on general information security threats. The study failed to establish a significant relationship between behavioral compliance intent and an employee's perception of his or her ability to enforce the mandatory information security policy requirements on coworkers. However, it did highlight a potential gap in the composite theoretical framework regarding this important phenomenon, which should be addressed in future research.
