Employees’ Adherence to Information Security Policies: An Empirical Study

  • Mikko Siponen
  • Seppo Pahnila
  • Adam Mahmood
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 232)


The key threat to information security is constituted by careless employees who do not comply with information security policies. To ensure that employees comply with organizations’ information security procedures, a number of information security policy compliance measures have been proposed in the past. Prior research has criticized these measures as lacking theoretically and empirically grounded principles to ensure that employees comply with information security policies. To fill this gap in research, this paper advances a new model that explains employees’ adherence to information security policies. In this model, we extend the Protection Motivation Theory (PMT) by integrating the General Deterrence Theory (GDT) and the Theory of Reasoned Action (TRA) with PMT. To test this model, we collected data (N = 917) from four different companies. The results show that threat appraisal, self-efficacy and response efficacy have a significant impact on intention to comply with information security policies. Sanctions have a significant impact on actual compliance with information security policies. Intention to comply with information security policies also has a significant impact on actual compliance with information security policies.


Information Security Security Policy Actual Compliance Response Efficacy Threat Appraisal 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Agarwal, R. and J. Prasad, Conceptual and Operational Definition of Personal Innovativeness in the Domain of Information Technology. Information Systems Research, 1998. 9(2): p. 204–215.Google Scholar
  2. 2.
    Ajzen, I., “The Theory of Planned Behavior”, Organizational Behavior and Human Decision Processes 50,2, 1991, 179–211.CrossRefGoogle Scholar
  3. 3.
    Aytes, K. and Connolly, T., “A Research Model for Investigating Human Behavior Related to Computer Security”, Proceedings of the 2003 American Conference On Information Systems, Tampa, FL, August 4-6. 2003.Google Scholar
  4. 4.
    Aytes, K. and Connolly, T., “Computer and Risky Computing Practices: A Rational Choice Perspective”, Journal of Organizational and End User Computing, 16,2, 2004, 22–40.Google Scholar
  5. 5.
    Bagchi, K. and Udo, G., “An analysis of the growth of computer and Internet security breaches”, Communications of AIS 12, 2003, 684–700.Google Scholar
  6. 6.
    Bandura, A., “Self-Efficacy: Toward a Unifying Theory of Behaviour Change”, Psychological Review 84,2, 1977, 191–215.CrossRefGoogle Scholar
  7. 7.
    Boudreau, M.-C, Gefen, D. and Straub, D. W., “Validation in information systems research: A state-of-the-art assessment.” MIS Quarterly 25,1, 2001, 1–16.CrossRefGoogle Scholar
  8. 8.
    Fishbein, M. and Ajzen, I., Belief, Attitude, Intention and Behavior: An Introduction to Theory and Research. MA, Addison-Wesley. 1975.Google Scholar
  9. 9.
    Furnell, S. M., Gennatou, M. and Dowland P. S., “A prototype tool for information security awareness and training”, International Journal of Logistics Information Management, 15,5, 2002, 352–357.CrossRefGoogle Scholar
  10. 10.
    Furnell, S., Sanders, P. W. and Warren, M. J., “Addressing information security training and awareness within the European healthcare community”, in Proceedings of Medical Informatics Europe’97. 1997.Google Scholar
  11. 11.
    Gaunt, N., “Installing an appropriate information security policy in hospitals”, Internationaljournal of Medical Informatics, 49,1, 1998, 131–134.CrossRefGoogle Scholar
  12. 12.
    Hair, J.F.J., Anderson, R.E., Tatham, R.L., and Black, W. C, Multivariate data analysis. 5 ed: Upper Saddle River, New Jersey, Prentice Hall Inc. 1998.Google Scholar
  13. 13.
    Hair, J.F.J., Black, W.C, Babin, B.J, Anderson, R.E., Tatham, R.L., Multivariate data analysis. Sixth ed. 2006: Pearson Prentice Hall.Google Scholar
  14. 14.
    Higgins, G.E., Wilson, A.L. and Fell, B.D., “An Application of Deterrence Theory to Software Piracy”, Journal of Criminal Justice and Popular Culture, 12,3, 2005, 166–184.Google Scholar
  15. 15.
    Hoyle, R.H., Structural Equation Model. Conceprts, Issues, and Applications., ed. H. Rick Hoyle. 1995: SAGE publications, Inc.Google Scholar
  16. 16.
    Katsikas, S. K., “Health care management and information system security: awareness, training or education”, International Journal of Medical Informatics, 60,2, 2000, 129–135.CrossRefMathSciNetGoogle Scholar
  17. 17.
    Lee, J. and Lee, Y., “A holistic model of computer abuse within organizations”, Information management & computer security, 10,2, 2002, 57–63.CrossRefGoogle Scholar
  18. 18.
    Limayem, M., and Hirt, S.G., “Force of Habit and Information Systems Usage: Theory and Initial Validation”, Journal of Association for Information Systems, 4, 2003, 65–97.Google Scholar
  19. 19.
    Maddux, J.E. and R.W. Rogers, Protection Motivation and Self-Efficacy: A Revised Theory of Fear Appeals and Attitude Change. Journal of experimental social psychology, 1983. 19: p. 469–479.CrossRefGoogle Scholar
  20. 20.
    McCoy, C. and Fowler, R.T., “You are the key to security”: establishing a successful security awareness program. In the proceedings of the SIGUCCS’04, Baltimore, Maryland, October 10-13, 2004, 346–349.Google Scholar
  21. 21.
    McLean, K., “Information security awareness — selling the cause”, in Proceedings of the IFIP TC11, Eighth International Conference on information security, IFIP/Sec’ 92. 1992.Google Scholar
  22. 22.
    Parker, D. B., Fighting Computer Crime: A new Framework for Protecting Information, John Wiley & Sons, USA. 1998.Google Scholar
  23. 23.
    Perry, W. E., Management Strategies for Computer Security, Butterworth Publishers, USA. 1985.Google Scholar
  24. 24.
    Puhakainen, P. Design Theory for Information Security Awareness, 2006. Ph.D Thesis, the University of Oulu, Finland.Google Scholar
  25. 25.
    Rippetoe, S. and Rogers, R. W., “Effects of Components of Protection — Motivation Theory on Adaptive and Maladaptive Coping with a Health Threat”, Journal of Personality and Social Psychology, 52,3, 1987, 596–604.CrossRefGoogle Scholar
  26. 26.
    Rogers, R. W., “Cognitive and Physiological Processes in Fear Appeals and Attitude Change: A Revised Theory of Protection Motivation Theory”, in Social Psychophysiology, J. Cacioppo and R. Petty (Eds.), Guilford, New York, 1983.Google Scholar
  27. 27.
    Rogers, R. W. and Prentice-Dunn, S., “Protection motivation theory”, In D. S. Gochman (Ed.), Handbook of Health Behavior Research I: Personal and Social Determinants, New York, NY: Plenum Press, 1997, 113–132.Google Scholar
  28. 28.
    Schumacker, R.E. and R.G. Lomax, A Beginner’s Guide to Structural Equation Modeling. 1996, Mahwah, New Jersey: Lawrence Erlbaum Associates. 288.MATHGoogle Scholar
  29. 29.
    Siponen, M., “A Conceptual Foundation for Organizational Information Security Awareness”, Information Management & Computer Security, 8,1, 2000, 31–41.CrossRefGoogle Scholar
  30. 30.
    Sommers, K. and Robinson, B., “Security awareness training for students at Virginia Commonwealth University”, In the proceedings of the SIGUCCS’04, Baltimore, Maryland, October 10-13, 2004, 379–380.Google Scholar
  31. 31.
    Spurling, P., “Promoting security awareness and commitment”, Information Management & Computer Security, 3,2, 1995, 20–26.CrossRefGoogle Scholar
  32. 32.
    Stanton, J. M., Stam, K. R., Mastrangelo, P. and Jolton, J., “An analysis of end user security behaviors”, Computers & Security, 24, 2005, 124–133CrossRefGoogle Scholar
  33. 33.
    Sträub, D. W., “Validating Instruments in MIS Research”, MIS Quarterly, 13,2, 1989, 147–169.CrossRefGoogle Scholar
  34. 34.
    Sträub, D.W., “Effective IS Security: An Empirical Study”, Information Systems Research, 1,3, 1990, 255–276.CrossRefGoogle Scholar
  35. 35.
    Sträub, D.W. and Welke, R.J., “Coping with Systems Risk: Security Planning Models for. Management Decision-Making”, MIS Quarterly, 22,4, 1998, 441–469.CrossRefGoogle Scholar
  36. 36.
    Thomson, M.E. and von Solms, R., “An effective information security awareness program for industry”, in proceedings of the WG 11.2 and WG 11.1 ofthe TC-11 IFIP, 1997.Google Scholar
  37. 37.
    Thomson, M. E. and von Solms, R., “Information security Awareness: educating your users effectively”, Information Management & Computer Security, 6,4, 1998, 167–173.CrossRefGoogle Scholar
  38. 38.
    Venkatesh, V., Morris, M. G., Davis, G. B. and Davis, F. D., “User Acceptance of Information Technology: Toward a Unified View”, MIS Quarterly, 27,3, 2003, 425–478Google Scholar
  39. 39.
    Wood, C. C, “Information Security Awareness Raising Methods”, Computer Fraud & Security Bulletin, Elsevier Science Publishers, Oxford, England, June 1995, pp 13–15.Google Scholar
  40. 40.
    Woon, I. M. Y., Tan, G. W. and Low, R. T., “A Protection Motivation Theory Approach to Home Wireless Security”, Proceedings of the Twenty-Sixth International Conference on Information Systems, Las Vegas, 2005, 367–380.Google Scholar

Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • Mikko Siponen
    • 1
  • Seppo Pahnila
    • 1
  • Adam Mahmood
    • 2
  1. 1.Department of Information Processing ScienceThe University of OuluFinland
  2. 2.Department of Information and Decision SciencesUniversity of Texas at El PasoUSA

Personalised recommendations