From the weakest link to the best defense: exploring the factors that affect employee intention to comply with information security policies
Date
2013-05
Publisher
University of Hawaii at Manoa
Abstract
Information and information systems have become embedded in the fabric of contemporary organizations throughout the world. As the reliance on information technology has increased, so too have the threats and costs associated with protecting organizational information resources. To combat potential information security threats, organizations rely upon information security policies to guide employee actions. Unfortunately, employee violations of such policies are common and costly enough that users are often considered the weakest link in information security. The challenge for researchers and practitioners alike is to help transform employees from the weakest link to the best line of information security defense. Building upon recent empirical research in information security policy behavioral compliance, this study provides a composite theoretical framework that captures key factors shown to impact an employee's behavioral intent to comply with related policies. The theoretical framework is tested and validated in a real organizational context employing a robust and well-defined set of information security policies, a first in this burgeoning line of research. This study also evaluates how behavioral intent to follow security policies varies for employees for both the general specter of information security policy compliance and specific guidance for three common security threats. This study found that the primary factors affecting behavioral intent (subjective norms, organizational commitment, attitude, perceived behavioral control, and self-efficacy) had strong, positive relationships with intent to comply with information security policies when examined at a high level of general compliance. However, when the factors affecting behavioral intent and attitude towards a security behavior were evaluated for specific information security threat contexts, individual factor importance and significance varied greatly.
These results indicate that threat context plays an essential role in clarifying the roles of specific behavioral antecedents; there may be limited value in future research focusing on general information security threats. This study failed to establish a significant relationship between behavioral compliance intent and an employee's perception of his or her ability to enforce the mandatory information security policy requirements on coworkers. However, the study did highlight a potential gap in the composite theoretical framework for this important phenomenon, which should be addressed in future research.
Keywords
information security policies
Related To
Theses for the degree of Doctor of Philosophy (University of Hawaii at Manoa). Communication and Information Sciences.