The antecedents of information security policy compliance

Information security is one of the major challenges for organizations that critically depend on information systems to conduct their businesses. Ensuring the safety of information and technology resources has become the top priority for many organizations, since the consequences of failure can be devastating. Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be a great resource in the fight against information security-related risks. The key, however, is to ensure that employees comply with the information security-related rules and regulations of the organization. Therefore, understanding an employee's compliance behavior is crucial for organizations to effectively leverage their human capital to strengthen their information security.

This research aims to identify the antecedents of an employee’s compliance with the information security policy (ISP) of his/her organization. Specifically, we address how employees without any malicious intent choose to comply with the requirements of the ISP with regard to protecting the information and technology resources of their organizations. Drawing on the Theory of Planned Behavior, we show that an employee’s attitude towards compliance results in his/her intention to comply with the ISP. Of those, Benefit of Compliance and Cost of Non-Compliance are shown to be shaped by positive and negative reinforcing factors, such as Intrinsic Benefit, Safety of Resources, and Rewards, and Intrinsic Cost, Vulnerability of Resources, and Sanctions, respectively. We also investigate the role of information security awareness in an employee’s ISP compliance behavior. As expected, we show that information security awareness positively influences attitude towards compliance. We also show that information security awareness positively influences the perception of reinforcing factors and negatively influences the perception of the Cost of Compliance. As organizations strive to get their employees to follow their information security rules and regulations, our study sheds light on the role of an employee’s information security awareness and his/her beliefs about the rationality of compliance and non-compliance with the ISP.
Date: 11 1900
Creators: Bulgurcu, Burcu
Publisher: University of British Columbia
Source Sets: Library and Archives Canada ETDs Repository / Centre d'archives des thèses électroniques de Bibliothèque et Archives Canada
Detected Language: English
Type: Electronic Thesis or Dissertation
Format: 246815 bytes, application/pdf