Employee Security Behaviour: The Importance of Education and Policies in Organisational Settings

  • Lena Y. ConnollyEmail author
  • Michael Lang
  • Doug J. Tygar
Conference paper
Part of the Lecture Notes in Information Systems and Organisation book series (LNISO, volume 26)


The growing number of information security breaches in organisations presents a serious risk to the confidentiality of personal and commercially sensitive data. Current research studies indicate that humans are the weakest link in the information security chain and the root cause of numerous security incidents in organisations. Based on literature gaps, this study investigates how procedural security countermeasures tend to affect employee security behaviour. Data for this study was collected in organisations located in the United States and Ireland. Results suggest that procedural security countermeasures are inclined to promote security-cautious behaviour, while their absence tends to lead to non-compliant behaviour.


Employee security behaviour Procedural security countermeasures Information security policy Security education 


  1. 1.
    Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Information security policy compliance: an empirical study of rationally-based beliefs and information security awareness. MIS Q. 34(3), 523–548 (2010)CrossRefGoogle Scholar
  2. 2.
    Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M., Baskerville, R.: Future directions for behavioral information security research. Comput. Secur. 32, 90–101 (2013)CrossRefGoogle Scholar
  3. 3.
    D’Arcy, J., Hovav, A.: Deterring internal information systems misuse. Commun. ACM 50(10), 113–117 (2007)CrossRefGoogle Scholar
  4. 4.
    Lee, Y., Larsen, K.R.: Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software. Eur. J. Inform. Syst. 18(2), 177–187 (2009)CrossRefGoogle Scholar
  5. 5.
    Boss, S.R., Kirsch, L.J., Angermeier, I., Shingler, R.A., Ross, R.W.: If someone is watching, I’ll do what I’m asked: mandatoriness, control, and information security. Eur. J. Inform. Syst. 18(2), 151–164 (2009)CrossRefGoogle Scholar
  6. 6.
    D’Arcy, J., Hovav, A., Galletta, D.: User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inform. Syst. Res. 20(1), 1–20 (2009)CrossRefGoogle Scholar
  7. 7.
    Straub, D.W.: Effective IS security: an empirical study. Inform. Syst. Res. 1(3), 255–276 (1990)CrossRefGoogle Scholar
  8. 8.
    Straub, D.W., Welke, R.J.: Coping with systems risk: security planning models for management decision making. MIS Q. 22(4), 441–469 (1998)CrossRefGoogle Scholar
  9. 9.
    Hovav, A., D’Arcy, J.: Applying an extended model of deterrence across cultures: an investigation of information systems misuse in the U.S. and South Korea. Inf. Manag. 49(2), 99–110 (2012)CrossRefGoogle Scholar
  10. 10.
    Cheng, L., Ying, L., Wenli, L., Holm, E., Zhai, Q.: Understanding the violation of IS security policy in organizations: an integrated model based on social control and deterrence theory. Comput. Secur. 39, 447–459 (2013)CrossRefGoogle Scholar
  11. 11.
    Siponen, M., Mahmood, M.A., Pahnila, S.: Are employees putting your company at risk by not following information security policies? Commun. ACM 52(12), 145–147 (2009)CrossRefGoogle Scholar
  12. 12.
    Lee, S.M., Lee, S.G., Yoo, S.: An integrative model of computer abuse based on social control and general deterrence theories. Inf. Manag. 41(6), 707–718 (2004)CrossRefGoogle Scholar
  13. 13.
    Barlow, J.B., Warkentin, M., Ormond, D., Dennis, A.R.: Don’t make excuses! Discouraging neutralization to reduce IT policy violation. Comput. Secur. 39 (Part B), 145–159 (2013)Google Scholar
  14. 14.
    Blumstein, A., Cohen, J., Nagin, D.: Deterrence and incapacitation: Estimating the effects of criminal sanctions on crime rates. In: Bridges, G., Crutchfield, R., Weis, R.L. (eds.) Crime and Society: Reading in Criminal Justice, vol. 3, pp. 96–100. Pine Forge Press, Thousand Oaks (1996)Google Scholar
  15. 15.
    Guo, K.H.: Security-related behavior in using information systems in the workplace: a review and synthesis. Comput. Secur. 32, 242–251 (2013)CrossRefGoogle Scholar
  16. 16.
    Sacco, V.F.: Shoplifting prevention: the role of communication-based intervention strategies. Can. J. Criminol. 27(1), 15–29 (1985)Google Scholar
  17. 17.
    Quazi, M.M.: Effective drug-free workplace plan uses worker testing as deterrent. Occup. Health Saf. 62(6), 26–31 (1993)Google Scholar
  18. 18.
    Matavire, R., Brown, I.: Profiling grounded theory approaches in information systems research. Eur. J. Inform. Syst. 22(1), 119–129 (2013)CrossRefGoogle Scholar
  19. 19.
    Maykut, P., Morehouse, R.: Beginning Qualitative Research: A Philosophic and Practical Guide. The Falmer Press, London (1994)Google Scholar
  20. 20.
    Eisenhardt, K.M.: Building theories from case study research. Acad. Manag. Rev. 14(4), 532–550 (1989)Google Scholar
  21. 21.
    Furnell, S.M., Gennatou, M., Dowland, P.S.: A prototype tool for IS security awareness and training. Int. J. Logistics Inform. Manag. 15(5), 352–357 (2002)CrossRefGoogle Scholar
  22. 22.
    Chan, M., Woon, I., Kankanhalli, A.: Perceptions of information security at the workplace: linking information security climate to compliant behaviour. J. Inform. Priv. Secur. 1(3), 18–41 (2005)CrossRefGoogle Scholar
  23. 23.
    Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Quality and fairness of an information security policy as antecedents of employees’ security engagement in the workplace: an empirical investigation. In: 43rd Annual Hawaii International Conference on System Sciences, pp. 1–7. IEEE Press (2010)Google Scholar
  24. 24.
    D’Arcy, J., Herath, T.: A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. Eur. J. Inform. Syst. 20(6), 643–658 (2011)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Lena Y. Connolly
    • 1
    Email author
  • Michael Lang
    • 1
  • Doug J. Tygar
    • 2
  1. 1.National University of Ireland GalwayGalwayIreland
  2. 2.University of CaliforniaBerkeleyUSA

Personalised recommendations