Protection motivation and deterrence: a framework for security policy compliance in organisations

Original Article
European Journal of Information Systems
Abstract

Enterprises establish computer security policies to ensure the security of information resources; however, if employees and end-users of organisational information systems (IS) are unwilling or unmotivated to follow security policies, then these efforts are in vain. Our study is informed by the literature on IS adoption, protection-motivation theory, deterrence theory, and organisational behaviour, and is motivated by the fundamental premise that the adoption of information security practices and policies is affected by organisational, environmental, and behavioural factors. We develop an Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor and Todd's Decomposed Theory of Planned Behaviour. Furthermore, we evaluate the effect of organisational commitment on employee security compliance intentions. Finally, we empirically test the theoretical model with a data set representing the survey responses of 312 employees from 78 organisations. Our results suggest that (a) threat perceptions about the severity of breaches, and response perceptions of response efficacy, self-efficacy, and response costs, are likely to affect policy attitudes; (b) organisational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy, which in turn is a significant predictor of policy compliance intentions. We find that employees in our sample underestimate the probability of security breaches.


References

  • Ajzen I (1991) The theory of planned behavior. Organizational Behavior and Human Decision Processes 50 (2), 179–211.
  • Ajzen I and Fishbein M (1980) Prediction of goal-directed behavior: attitudes, intentions, and perceived behavioral control. Journal of Experimental Social Psychology 22, 453–474.
  • Akers R (1990) Rational choice, deterrence, and social learning theory in criminology: the path not taken. The Journal of Criminal Law and Criminology 81 (3), 653–676.
  • Albrechtsen E (2007) A qualitative study of users' view on information security. Computers & Security 26 (4), 276–289.
  • Anderson C (2005) Creating the conscientious cybercitizen: an examination of home computer user attitudes and intentions towards security. In Tenth INFORMS Conference on Information Systems and Technology (CIST), San Francisco, California, USA.
  • Armitage C and Conner M (2000) Social cognition models and health behaviour: a structured review. Psychology and Health 15 (2), 173–189.
  • Axelrod LJ and Newton JW (1991) Preventing nuclear war: beliefs and attitudes as predictors of disarmist and deterrentist behavior. Journal of Applied Social Psychology 21 (1), 29–40.
  • Bagozzi RP (1992) The self-regulation of attitudes, intentions and behavior. Social Psychology Quarterly 55 (2), 178–204.
  • Bandura A, Adams NE, Hardy AB and Howell GN (1980) Tests of the generality of self-efficacy theory. Cognitive Therapy and Research 4 (1), 39–66.
  • Barge JK and Schlueter D (1988) A critical evaluation of organizational commitment and identification. Management Communication Quarterly 2 (1), 116–133.
  • Bollen K and Lennox R (1991) Conventional wisdom on measurement: a structural equation perspective. Psychological Bulletin 110 (2), 305–314.
  • CERT/CC (2004) 2004 e-Crime watch survey: summary of findings. Computer Emergency Response Team Coordination Center (CERT/CC). Available at http://www.cert.org/archive/pdf/2004eCrimeWatchSummary.pdf. Accessed 15 January 2007.
  • Chan M, Woon I and Kankanhalli A (2005) Perceptions of information security at the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security 1 (3), 18–41.
  • Cheng H, Sims R and Teegen H (1997) To purchase or to pirate software: an empirical study. Journal of Management Information Systems 13 (4), 49–60.
  • Chin WW and Marcolin B (1995) A holistic approach to construct validation in IS research: examples of the interplay between theory and measurement. In Administrative Sciences Association of Canada, 23rd Conference (Campeau D, Ed.), Windsor, Ontario.
  • Cialdini RB, Kallgren CA and Reno RR (1991) A focus theory of normative conduct: a theoretical refinement and reevaluation of the role of norms in human behavior. In Advances in Experimental Social Psychology (Zanna MP, Ed.), pp 201–234, Academic Press, San Diego, CA.
  • Compeau DR and Higgins CA (1995) Computer self-efficacy: development of a measure and initial test. MIS Quarterly 19 (2), 189–211.
  • Culnan M (2004) Bentley survey on consumers and internet security: summary of findings. Available at http://www.bentley.edu/events/iscw2004/survey_findings.pdf. Accessed 31 January 2009.
  • D'Arcy J and Hovav A (2004) The role of individual characteristics on the effectiveness of IS security countermeasures. In Tenth Americas Conference on Information Systems, New York.
  • Dhillon G and Backhouse J (2001) Current directions in IS security research: towards socio-organizational perspectives. Information Systems Journal 11 (2), 127–153.
  • Dhillon G and Torkzadeh G (2006) Value-focused assessment of information system security in organizations. Information Systems Journal 16 (3), 293–314.
  • Ehrlich I (1996) Crime, punishment, and the market for offenses. Journal of Economic Perspectives 10 (1), 43–67.
  • Ellen PS, Wiener JL and Cobb-Walgren C (1991) The role of perceived consumer effectiveness in motivating environmentally conscious behaviors. Journal of Public Policy & Marketing 10 (2), 102–117.
  • Finch J, Furnell S and Dowland P (2003) Assessing IT security culture: system administrator and end-user perspectives. In Proceedings of ISOneWorld 2003 Conference and Convention, Las Vegas, Nevada, USA.
  • Floyd DL, Prentice-Dunn S and Rogers RW (2000) A meta-analysis of research on protection motivation theory. Journal of Applied Social Psychology 30 (2), 407–429.
  • Furnell SM, Bryant P and Phippen AD (2007) Assessing the security perceptions of personal internet users. Computers & Security 26 (5), 410–417.
  • Gefen D and Straub DW (2005) A practical guide to factorial validity using PLS-Graph: tutorial and annotated example. Communications of the Association for Information Systems 16, 91–109.
  • Gefen D, Straub DW and Boudreau M-C (2000) Structural equation modelling and regression: guidelines for research practice. Communications of the Association for Information Systems 4, 1–77.
  • Gist M (1987) Self-efficacy: implications for organizational behavior and human resource management. Academy of Management Review 12 (3), 472–485.
  • Gordon LA, Loeb MP, Lucyshyn W and Richardson R (2006) 2006 CSI/FBI computer crime and security survey. Computer Security Institute.
  • Grube JW, Morgan M and McGree ST (1986) Attitudes and normative beliefs as predictors of smoking intentions and behaviours: a test of three models. British Journal of Social Psychology 25, 81–93.
  • Igbaria M and Iivari J (1995) The effects of self-efficacy on computer usage. International Journal of Management Science 23 (6), 587–605.
  • Kankanhalli A, Teo H-H, Tan BCY and Wei K-K (2003) An integrative study of information systems security effectiveness. International Journal of Information Management 23 (2), 139–154.
  • Karahanna E, Straub DW and Chervany NL (1999) Information technology adoption across time: a cross-sectional comparison of pre-adoption and post-adoption beliefs. MIS Quarterly 23 (2), 183–213.
  • Knapp KJ, Marshall TE, Rainer RK and Ford FN (2005) Managerial dimensions in information security: a theoretical model of organizational effectiveness. (ISC)2 Inc., Palm Harbor, Florida and Auburn University, Auburn, Alabama.
  • Lee SM, Lee S-G and Yoo S (2004) An integrative model of computer abuse based on social control and general deterrence theories. Information & Management 41 (6), 707–718.
  • Loch KD, Carr HH and Warkentin ME (1992) Threats to information systems: today's reality, yesterday's understanding. MIS Quarterly 16 (2), 173–186.
  • Loch KD, Conger S and Oz E (1998) Ownership, privacy and monitoring in the workplace: a debate on technology and ethics. Journal of Business Ethics 17 (6), 653–663.
  • Loch KD, Straub DW and Kamel S (2003) Diffusing the internet in the Arab world: the role of social norms and technological culturation. IEEE Transactions on Engineering Management 50 (1), 45–63.
  • Ma Q and Pearson JM (2005) ISO 17799: 'best practices' in information security management? Communications of the Association for Information Systems 15, 577–591.
  • Maddux JE and Rogers RW (1983) Protection motivation and self-efficacy: a revised theory of fear appeals and attitude change. Journal of Experimental Social Psychology 19 (5), 469–479.
  • Melamed S, Rabinowitz S, Feiner S, Weisberg E and Ribak J (1996) Usefulness of the protection motivation theory in explaining hearing protection device use among male industrial workers. Health Psychology 15 (3), 209–215.
  • Milne S, Sheeran P and Orbell S (2000) Prediction and intervention in health-related behavior: a meta-analytic review of protection motivation theory. Journal of Applied Social Psychology 30 (1), 106–143.
  • Mishra S and Dhillon G (2006) Information systems security governance research: a behavioral perspective. In 1st Annual Symposium on Information Assurance, Academic Track of the 9th Annual NYS Cyber Security Conference, pp 27–35, New York, USA.
  • Mowday R (1998) Reflections on the study and relevance of organizational commitment. Human Resource Management Review 8 (4), 387–401.
  • Neuwirth K, Dunwoody S and Griffin RJ (2000) Protection motivation and risk communication. Risk Analysis 20 (5), 721–734.
  • Pahnila S, Siponen M and Mahmood A (2007) Employees' behavior towards IS security policy compliance. In 40th Hawaii International Conference on System Sciences (HICSS 07), Hawaii, USA.
  • Palardy N, Greening L, Ott J, Dolderby A and Atchison J (1998) Adolescents' health attitudes and adherence to treatment for insulin-dependent diabetes mellitus. Developmental and Behavioral Pediatrics 19 (1), 31–37.
  • Peace AG, Galletta D and Thong J (2003) Software piracy in the workplace: a model and empirical test. Journal of Management Information Systems 20 (1), 153–177.
  • Petter S, Straub D and Rai A (2007) Specifying formative constructs in information systems research. MIS Quarterly 31 (4), 623–656.
  • Post GV and Kagan A (2007) Evaluating information security tradeoffs: restricting access can interfere with user tasks. Computers & Security 26 (3), 229–237.
  • PrivacyRights.org (2005) A chronology of data breaches. Available at http://www.privacyrights.org/ar/chronDataBreaches.htm. Accessed 21 January 2007.
  • PrivacyRights.org (2006) 2006 disclosures of U.S. data incidents. Available at http://www.privacyrights.org/ar/chronDataBreaches.htm. Accessed 21 January 2007.
  • Randall D (1987) Commitment and the organization: the organization man revisited. Academy of Management Review 12 (3), 460–471.
  • Riemenschneider CK, Harrison D and Mykytyn PP (2003) Understanding IT adoption decisions in small business: integrating current theories. Information & Management 40, 269–285.
  • Rivis A and Sheeran P (2003) Social influences and the theory of planned behavior: evidence for a direct relationship between prototypes and young people's exercise behavior. Psychology and Health 18 (5), 567–583.
  • Rogers RW (1975) A protection motivation theory of fear appeals and attitude change. The Journal of Psychology 91, 93–114.
  • Rogers RW (1983) Cognitive and physiological processes in fear appeals and attitude change: a revised theory of protection motivation. In Social Psychophysiology: A Sourcebook (Cacioppo JT and Petty RE, Eds), pp 153–176, The Guilford Press, New York.
  • Saks A and Belcourt M (2006) An investigation of training activities and transfer of training in organizations. Human Resource Management 45 (4), 629–648.
  • Sheeran P and Orbell S (1999) Augmenting the theory of planned behavior: roles for anticipated regret and descriptive norms. Journal of Applied Social Psychology 29 (10), 2107–2142.
  • Shropshire J, Warkentin M, Johnston AC and Schmidt MB (2006) Personality and IT security: an application of the five-factor model. In Proceedings of the Americas Conference on Information Systems, pp 3443–3449.
  • Siponen MT (2000) A conceptual foundation for organizational information security awareness. Information Management & Computer Security 8 (1), 31–41.
  • Stajkovic A and Luthans F (1998) Self-efficacy and work-related performance: a meta-analysis. Psychological Bulletin 124 (2), 240–261.
  • Stanley MA and Maddux JE (1986) Cognitive processes in health enhancement: investigation of a combined protection motivation and self-efficacy model. Basic and Applied Social Psychology 7 (2), 101–113.
  • Stanton JM, Stam K, Guzman I and Caldera C (2003) Examining the linkages between organizational commitment and information security. In IEEE Systems, Man, and Cybernetics Conference, Washington DC, USA.
  • Stanton JM, Stam KR, Mastrangelo P and Jolton J (2005) Analysis of end user security behaviors. Computers & Security 24 (2), 124–133.
  • Steffen VJ (1990) Men's motivation to perform the testicle self-exam: effects of prior knowledge and an educational brochure. Journal of Applied Social Psychology 20 (8), 681–702.
  • Straub DW (1989) Validating instruments in MIS research. MIS Quarterly 13 (2), 147–169.
  • Straub DW (1990) Effective IS security: an empirical study. Information Systems Research 1 (3), 255–276.
  • Straub DW and Collins RW (1990) Key information issues facing managers: software piracy, proprietary databases, and individual rights to privacy. MIS Quarterly 14 (2), 143–156.
  • Straub DW and Nance WD (1990) Discovering and disciplining computer abuse in organizations. MIS Quarterly 14 (1), 45–60.
  • Tanner JF, Hunt JB and Eppright DR (1991) The protection motivation model: a normative model of fear appeals. Journal of Marketing 55 (3), 36–45.
  • Taylor S and Todd PA (1995) Understanding information technology usage: a test of competing models. Information Systems Research 6 (2), 144–176.
  • Thompson RL, Higgins CA and Howell JM (1991) Personal computing: toward a conceptual model of utilization. MIS Quarterly 15 (1), 124–143.
  • Thompson RL, Higgins CA and Howell JM (1994) Influence of experience on personal computer utilization. Journal of Management Information Systems 11 (1), 167–187.
  • Thomson KL and Von Solms R (1998) Information security awareness: educating your users effectively. Information Management & Computer Security 6 (4), 167–173.
  • Torkzadeh R, Pflughoeft K and Hall L (1999) Computer self-efficacy, training effectiveness and user attitudes: an empirical study. Behaviour & Information Technology 18 (4), 299–309.
  • Venkatesh V and Brown S (2001) A longitudinal investigation of personal computers in homes: adoption determinants and emerging challenges. MIS Quarterly 25 (1), 71–102.
  • Venkatesh V, Morris MG, Davis GB and Davis FD (2003) User acceptance of information technology: toward a unified view. MIS Quarterly 27 (3), 425–478.
  • Von Solms B (2001) Information security: a multidimensional discipline. Computers & Security 20 (6), 504–508.
  • Von Solms R and Von Solms B (2004) From policies to culture. Computers & Security 23 (4), 275–279.
  • Vroom C and Von Solms R (2004) Towards information security behavioural compliance. Computers & Security 23 (3), 191–198.
  • Wiener Y (1982) Commitment in organizations: a normative view. Academy of Management Review 7 (3), 418–428.
  • Williams K and Hawkins R (1986) Perceptual research on general deterrence: a critical review. Law and Society Review 20 (4), 545–572.
  • Witte K and Allen M (2000) A meta-analysis of fear appeals: implications for effective public health campaigns. Health Education & Behavior 27 (5), 591–615.
  • Woon IMY, Tan GW and Low RT (2005) A protection motivation theory approach to home wireless security. In International Conference on Information Systems, pp 367–380, Las Vegas, USA.
  • Zhang X (2005) What do consumers really know about spyware? Communications of the ACM 48 (8), 44–48.


Acknowledgements

We appreciate the support and collaboration on this project by the Cyber Task Force, Buffalo Division, FBI. This research is funded in part by NSF under grant #0402388 and MDRF grant #F0630. The research of the second author is also supported in part by NSF under grant #0809186. The usual disclaimer applies.

Author information

Corresponding author: Tejaswini Herath.

Appendix

See Tables A1, A2, A3 and A4.

Table A1 Descriptive statistics
Table A2 Instrument, item loadings and item weights
Table A3 Cross loadings
Table A4 Inter-item and item-to-construct correlation matrix for formative constructs


Cite this article

Herath, T., Rao, H. Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur J Inf Syst 18, 106–125 (2009). https://doi.org/10.1057/ejis.2009.6