Abstract
Organizations apply information security policies to foster secure use of information systems, but very often employees fail to comply with them. Employees' security behavior has been the unit of analysis of research from different theoretical approaches, in an effort to identify the factors that influence security policy compliance. Through a systematic analysis of the extant literature, this paper identifies and categorizes critical factors that shape employee security behavior and proposes security management practices that can enhance security compliance. The findings inform theory by identifying research gaps and support security management practice.
© 2015 Springer International Publishing Switzerland
Topa, I., Karyda, M. (2015). Identifying Factors that Influence Employees' Security Behavior for Enhancing ISP Compliance. In: Fischer-Hübner, S., Lambrinoudakis, C., López, J. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2015. Lecture Notes in Computer Science, vol 9264. Springer, Cham. https://doi.org/10.1007/978-3-319-22906-5_13
DOI: https://doi.org/10.1007/978-3-319-22906-5_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-22905-8
Online ISBN: 978-3-319-22906-5