Predicting compliance with prescribed organizational information security protocols

Shropshire, Jordan Douglas

13 December 2008

Why do some employees go out of their way to follow prescribed information security protocols, while others all but ignore organizational information security measures? A body of research known as organizational citizenship behavior provides insight into this issue. Theories of organizational citizenship behavior draw mainly from the psychological and sociological disciplines. They are used to explain the behaviors of employees who act in the best interest of the company, even when they don’t have to. Examples of citizenship behaviors include information sharing, voluntary reduction of compensation, and relinquishment of power for the benefit of the organization (Nathanson & Becker 1973). Although organizational citizenship behavior has seen little exposure in the area of organizational information security compliance, it stands to provide exceptional explanatory power in this area. Information security practices, such as creating difficult passwords or conducting virus scans, are generally seen as additional tasks which require extra effort while offering no gains in personal productivity (Shropshire et al., 2006; Warkentin et al., 2004; Warkentin et al., 2006). These activities could be construed as out-of-role-behaviors because employee compliance may not be mandatory. Furthermore, it is difficult to enforce information security standards (Whitman, 2003). Thus, it would appear that those who follow information security protocols are motivated by something other than financial compensation. Currently, there has been little work toward integrating endpoint security with theories of organizational citizenship behavior. This may be due to two reasons: although it embodies a relatively mature stream of research, organizational citizenship behavior has seen little exposure within the information systems context; secondly, the behavioral aspects of endpoint security remain a critical but overlooked aspect of organizational information security. Therefore, the purpose of this research is to develop a theoretical model for predicting individual compliance with organizational information security practices. The results could be used by managers to more accurately predict adherence to information security practices and to better manage and motivate employees. Such a model might also be of utility in the area of employee selection and screening; recent political and economic events have caused an increase in demand for employees who can be trusted to safeguard sensitive information. This study provides a substantial contribution to knowledge by empirically testing a predictive model for information security compliance among employees. The findings associated with this research are offered in the form of recommendations for future theoretical and empirical research. Practical implications for entrepreneurs and policymakers are also discussed.

Protocol Compliance

End User Behavior

Endpoint Security

Organizational Citizenship Behavior