Original Article
European Journal of Information Systems (2009) 18, 106–125; doi:10.1057/ejis.2009.6; published online 21 April 2009
Protection motivation and deterrence: a framework for security policy compliance in organisations
Tejaswini Herath1 and H Raghav Rao2,3
- 1Department of Finance, Operations and Information Systems, Brock University, Canada
- 2Management Science and Systems, School of Management, The State University of New York at Buffalo, U.S.A.
- 3Computer Science and Engineering, College of Engineering, The State University of New York at Buffalo, U.S.A.
Correspondence: Tejaswini Herath, Department of Finance, Operations and Information Systems, Brock University, St. Catharines ON L2S 3A1, Canada. Tel: +905 688 5550, ext. 4179; Fax: +905 378 5723; E-mail: teju.herath@brocku.ca
Received 21 February 2008; Revised 15 August 2008; Re-revised 31 January 2009; Accepted 23 February 2009; Published online 21 April 2009.
Abstract
Enterprises establish computer security policies to ensure the security of information resources; however, if employees and end-users of organisational information systems (IS) are not keen or are unwilling to follow security policies, then these efforts are in vain. Our study is informed by the literature on IS adoption, protection-motivation theory, deterrence theory, and organisational behaviour, and is motivated by the fundamental premise that the adoption of information security practices and policies is affected by organisational, environmental, and behavioural factors. We develop an Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour. Furthermore, we evaluate the effect of organisational commitment on employee security compliance intentions. Finally, we empirically test the theoretical model with a data set representing the survey responses of 312 employees from 78 organisations. Our results suggest that (a) threat perceptions about the severity of breaches and response perceptions of response efficacy, self-efficacy, and response costs are likely to affect policy attitudes; (b) organisational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy, which in turn, is a significant predictor of policy compliance intentions. We find that employees in our sample underestimate the probability of security breaches.
Keywords:
security policy compliance, protection motivation, deterrence, organisational commitment