Unpacking security policy compliance: The motivators and barriers of employees' security behaviors

SOUPS 2015 - Proceedings of the 11th Symposium on Usable Privacy and Security

Volumn , Issue , 2019, Pages 103-122

  Blythe, John M ^a   Coventry, Lynne ^a   Little, Linda ^a  

^a NORTHUMBRIA UNIVERSITY   (United Kingdom)

Author keywords

[No Author keywords available]

Indexed keywords

PERSONNEL; SECURITY OF DATA; SECURITY SYSTEMS;

IMPLICATIONS FOR FUTURES; INFORMATION SECURITY POLICIES; OFFLINE; ORGANIZATIONAL FACTORS; SECURITY POLICY; SECURITY RESEARCH; THREAT EVALUATION; WORKPLACE PRACTICES;

BEHAVIORAL RESEARCH;

EID: 85075940742     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (59)

1. 2014 Information security breaches survey: Full technical report: 2014. http://www.pwc.co.uk/auditassurance/publications/2014-information-securitybreaches-survey.jhtml.
2. Adams, A. and Sasse, M.A. 1999. Users are not the enemy. Communications of the ACM. 42, 12 (1999), 41-46.
3. Ajzen, I. 1991. The theory of planned behavior. Organizational Behavior and Human Decision Processes. 50, 2 (Dec. 1991), 179-211.
4. Albrechtsen, E. 2007. A qualitative study of users' view on information security. Computers & Security. 26, 4 (Jun. 2007), 276-289.
5. Bandura, A. 1977. Self-efficacy: toward a unifying theory of behavioral change. Psychological review. (1977).
6. Barter, C. and Renold, E. 2000. “I wanna tell you a story”: exploring the application of vignettes in qualitative research with children and young people. International Journal of Social Research Methodology. 3, 4 (2000), 307-323.
7. Barter, C. and Renold, E. 1999. The use of vignettes in qualitative research. Social research update. 25, 9 (1999), 1-6.
8. Beautement, A., Sasse, M. and Wonham, M. 2009. The compliance budget: managing security behaviour in organisations. In Proceedings of the 2008 workshop on New security paradigms (2009), 47-58.
9. Blythe, J.M. 2013. Cyber security in the workplace: Understanding and promoting behaviour change. Proceedings of CHItaly 2013 Doctoral Consortium (2013), 92-101.
10. Bring your own device: Agility through consistent delivery: 2012. http://www.pwc.com/en_US/us/increasing-iteffectiveness/assets/byod-1-25-2012.pdf.
11. Brown, A. 1998. Organisational Culture. Pitman Publishing.
12. Bulgurcu, B., Cavusoglu, H. and Benbasat, I. 2010. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly. 34, 3 (2010), 523-548.
13. Burns, S. and Roberts, L. 2013. Applying the Theory of Planned Behaviour to predicting online safety behaviour. Crime Prevention and Community Safety. 15, 1 (Feb. 2013), 48-64.
14. Chenoweth, T., Minch, R. and Gattiker, T. 2009. Application of protection motivation theory to adoption of protective technologies. Proceedings of the 42nd Hawaii International Conference on System Sciences (2009), 1-10.
15. Davinson, N. and Sillence, E. 2014. Using the health belief model to explore users' perceptions of “being safe and secure” in the world of technology mediated financial transactions. International Journal of Human-Computer Studies. 72, 2 (Feb. 2014), 154-168.
16. Dinev, T. and Hu, Q. 2007. The Centrality of Awareness in the Formation of User Behavioral Intention toward Protective Information Technologies. Journal of the Association for Information System. 8, 7 (2007), 386-408.
17. Dourish, P., Grinter, R.E., De La Flor, J.D. and Joseph, M. 2004. Security in the wild: User strategies for managing security as an everyday, practical problem. Personal and Ubiquitous Computing. 8, 6 (2004), 391-401.
18. Downs, D.S. and Hausenblas, H.A. 2005. Elicitation studies and the theory of planned behavior: a systematic review of exercise beliefs. Psychology of Sport and Exercise. 6, 1 (Jan. 2005), 1-31.
19. Finch, J. 1987. The vignette technique in survey research. Sociology. 21, 1 (1987), 105-114.
20. Fishbein, M. and Cappella, J. 2006. The role of theory in developing effective health communications. Journal of Communication. 56, (2006), 1-17.
21. Gardner, W. and Martinko, M. 1988. Impression management in organizations. Journal of management. 14, 2 (1988), 321-338.
22. Gurung, A., Luo, X. and Liao, Q. 2009. Consumer motivations in taking action against spyware: an empirical investigation. Information Management & Computer Security. 17, 3 (2009), 276-289.
23. Hackman, J. and Oldham, G. 1976. Motivation through the design of work: Test of a theory. Organizational Behavior and Human Performance. 16, 2 (1976), 250-279.
24. Herath, T. and Rao, H.R. 2009. Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems. 47, 2 (May 2009), 154-165.
25. Herath, T. and Rao, H.R. 2009. Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems. 18, 2 (Apr. 2009), 106-125.
26. Hughes, R. 1998. Considering the vignette technique and its application to a study of drug injecting and HIV risk and safer behaviour. Sociology of Health and Illness. 20, (1998), 381-400.
27. Hutchinson, S. and Wilson, H.S. 1992. Validity threats in scheduled semistructured research interviews. Nursing Research. 41, 2 (1992), 117-119.
28. ICO 2013. Sony Fined £250, 000 after millions of UK gamers details compromised. https://ico.org.uk/aboutthe-ico/news-and-events/news-and-blogs/2013/01/sonyfined-250-000-after-millions-of-uk-gamers-detailscompromised/.
29. Ifinedo, P. 2014. Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information and Management. 51, 1 (2014), 69-79.
30. Ifinedo, P. 2011. Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security. 31, 1 (Nov. 2011), 83-95.
31. Inglesant, P. and Sasse, M. 2010. The true cost of unusable password policies: password use in the wild. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (2010), 383-392.
32. Institute, P. 2010. 2009 annual study: UK cost of a data breach. Ponemon Institute.
33. Johnston, A.C. and Warkentin, M. 2010. Fear appeals and information security behavior: An empircal study. MIS Quarterly. 34, 3 (2010), 549-566.
34. Kotulic, A.G. and Clark, J.G. 2004. Why there aren't more information security research studies. Information & Management. 41, 5 (May 2004), 597-607.
35. Kumar, N., Mohan, K. and Holowczak, R. 2008. Locking the door but leaving the computer vulnerable: Factors inhibiting home users' adoption of software firewalls. Decision Support Systems. 46, 1 (Dec. 2008), 254-264.
36. Lee, D., Larose, R. and Rifon, N. 2008. Keeping our network safe: a model of online protection behaviour. Behaviour & Information Technology. 27, 5 (Sep. 2008), 445-454.
37. Lee, Y. and Kozar, K. 2008. An empirical investigation of anti-spyware software adoption: A multitheoretical perspective. Information & Management. 45, 2 (2008), 109-119.
38. Montaño, D.E. and Kasprzyk, D. 2008. Theory of reasoned action, theory of planned behavior, and the integrated behavioral model. Health behavior and health education: theory, research, and practice. K. Glanz, B. Rimer, and K. Viswanath, eds. Jossey Bass. 67-96.
39. Ng, B. and Rahim, M. 2005. A socio-behavioral study of home computer users' intention to practice security. PACIS 2005 Proceedings (2005), 234-247.
40. Ng, B.-Y., Kankanhalli, A. and Xu, Y. 2009. Studying users' computer security behavior: A health belief perspective. Decision Support Systems. 46, 4 (Mar. 2009), 815-825.
41. Pahnila, S., Siponen, M. and Mahmood, A. 2007. Employees'behavior towards is security policy compliance. Proceedings of the 40th Annual Hawaii International Conference on System Sciences (2007), 156b-156b.
42. Peeters, M., Montgomery, A., Bakker, A. and Schaufeli, W. 2005. Balancing Work and Home: How Job and Home Demands Are Related to Burnout. International Journal of Stress Management. 12, 1 (2005), 43-61.
43. Ritchie, J., Lewis, J. and Elam, G. 2003. Qualitative Research Practice: A Guide for Social Science Students and Researchers. Sage: London; Thousand Oaks; New Delhi.
44. Ritchie, J., Spencer, L., Bryman, A. and Burgess, R. 1994. Analysing qualitative data. London: Routledge. (1994).
45. Rogers, R.W. 1975. A protection motivation theory of fear appeals and attitude change. Journal of Psychology. 91, (1975), 93-114.
46. Searle, A., Vedhara, K., Norman, P., Frost, A. and Harrad, R. 2000. Compliance with eye patching in children and its psychosocial effects: a qualitative application of protection motivation theory. Psychology, Health & Medicine. 5, 1 (2000), 43-54.
47. Seguin, C.A. and Ambrosio, A. 2002. Multicultural vignettes for teacher preparation. Multicultural Perspectives. 4, 4 (2002), 10-16.
48. Sheeran, P. 2002. Intention - Behavior Relations: A Conceptual and Empirical Review. European Review of Social Psychology. 12, 1 (2002), 1-36.
49. Siponen, M., Mahmood, M.A. and Pahnila, S. 2014. Employees' adherence to information security policies: An exploratory field study. Information & Management. 51, 2 (Dec. 2014), 217-224.
50. Skinner, B. and Ferster, C. 1997. Schedules of reinforcement. Massachusetts: Copley Publishing Group.
51. Sriramachandramurthy, R., Balasubramanian, S.K. and Hodis, M.A. 2009. Spyware and adware: how do internet users defend themselves? American Journal of Business. 24, 2 (2009), 41-52.
52. Srivastava, A. and Thomson, S. 2009. Framework analysis: a qualitative methodology for applied policy research. Joaag. (2009).
53. Stanton, J., Stam, K., Mastrangelo, P. and Jolton, J. 2005. Analysis of end user security behaviors. Computers & Security. 24, 2 (Mar. 2005), 124-133.
54. Thomson, K., Solms, R. von and Louw, L. 2006. Cultivating an organizational information security culture. Computer Fraud & Security. (2006).
55. Vance, A., Siponen, M. and Pahnila, S. 2012. Motivating IS security compliance: Insights from Habit and Protection Motivation Theory. Information & Management. 49, 3-4 (May 2012), 190-198.
56. Vries, H. de, Dijkstra, M. and Kuhlman, P. 1988. Self-efficacy: the third factor besides attitude and subjective norm as a predictor of behavioural intentions. Health education research. (1988).
57. Wason, K., Polonsky, M. and Hyman, M. 2002. Designing vignette studies in marketing. Australasian Marketing Journal (AMJ). 10, 3 (2002), 41-58.
58. Workman, M., Bommer, W. and Straub, D. 2008. Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior. 24, 6 (Sep. 2008), 2799-2816.
59. Yao, M.Z. and Linz, D.G. 2008. Predicting self-protections of online privacy. Cyberpsychology & behavior: the impact of the Internet, multimedia and virtual reality on behavior and society. 11, 5 (Oct. 2008), 615-7.