Protection motivation and deterrence: a framework for security policy compliance in organisations

被引:775
作者
Herath, Tejaswini [1 ]
Rao, H. Raghav [2 ,3 ]
机构
[1] Brock Univ, Dept Finance Operat & Informat Syst, St Catharines, ON L2S 3A1, Canada
[2] SUNY Buffalo, Sch Management, Buffalo, NY 14260 USA
[3] SUNY Buffalo, Coll Engn, Buffalo, NY 14260 USA
基金
美国国家科学基金会;
关键词
security policy compliance; protection motivation; deterrence; organisational commitment; COMPUTER SELF-EFFICACY; INFORMATION-TECHNOLOGY; FEAR APPEALS; GENERAL DETERRENCE; PLANNED BEHAVIOR; SOFTWARE PIRACY; ATTITUDES; ADOPTION; SYSTEMS; MODEL;
D O I
10.1057/ejis.2009.6
中图分类号
TP [自动化技术、计算机技术];
学科分类号
0812 ;
摘要
Enterprises establish computer security policies to ensure the security of information resources; however, if employees and end-users of organisational information systems (IS) are not keen or are unwilling to follow security policies, then these efforts are in vain. Our study is informed by the literature on IS adoption, protection-motivation theory, deterrence theory, and organisational behaviour, and is motivated by the fundamental premise that the adoption of information security practices and policies is affected by organisational, environmental, and behavioural factors. We develop an Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour. Furthermore, we evaluate the effect of organisational commitment on employee security compliance intentions. Finally, we empirically test the theoretical model with a data set representing the survey responses of 312 employees from 78 organisations. Our results suggest that (a) threat perceptions about the severity of breaches and response perceptions of response efficacy, self-efficacy, and response costs are likely to affect policy attitudes; (b) organisational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy, which in turn, is a significant predictor of policy compliance intentions. We find that employees in our sample underestimate the probability of security breaches. European Journal of Information Systems (2009) 18, 106-125. doi:10.1057/ejis.2009.6; published online 21 April 2009
引用
收藏
页码:106 / 125
页数:20
相关论文
共 87 条
[61]  
Shropshire J., 2006, Proceedings of the Americas Conference on Information Systems, Acapulco, Mexico, P3443
[62]  
Siponen M. T., 2000, Information Management & Computer Security, V8, P31, DOI 10.1108/09685220010371394
[63]   Self-efficacy and work-related performance: A meta-analysis [J].
Stajkovic, AD ;
Luthans, F .
PSYCHOLOGICAL BULLETIN, 1998, 124 (02) :240-261
[64]   COGNITIVE-PROCESSES IN HEALTH ENHANCEMENT - INVESTIGATION OF A COMBINED PROTECTION MOTIVATION AND SELF-EFFICACY MODEL [J].
STANLEY, MA ;
MADDUX, JE .
BASIC AND APPLIED SOCIAL PSYCHOLOGY, 1986, 7 (02) :101-113
[65]  
STANTON J, 2003, IEEE SYST MAN CYB C
[66]   Analysis of end user security behaviors [J].
Stanton, JM ;
Stam, KR ;
Mastrangelo, P ;
Jolton, J .
COMPUTERS & SECURITY, 2005, 24 (02) :124-133
[68]   Effective IS Security: An Empirical Study [J].
Straub, Detmar W., Jr. .
INFORMATION SYSTEMS RESEARCH, 1990, 1 (03) :255-276
[69]   DISCOVERING AND DISCIPLINING COMPUTER ABUSE IN ORGANIZATIONS - A FIELD-STUDY [J].
STRAUB, DW ;
NANCE, WD .
MIS QUARTERLY, 1990, 14 (01) :45-60
[70]   VALIDATING INSTRUMENTS IN MIS RESEARCH [J].
STRAUB, DW .
MIS QUARTERLY, 1989, 13 (02) :147-169