Motivational Factors & Information Security Compliance

Companies increasingly rely on information technology (IT) to remain competitive. Organizations invest heavily in technologies designed to protect valuable IT and information assets. The technological defenses include intrusion detection and prevention systems, anti-malware, firewalls, data loss prevention, authentication systems, and activity monitoring systems. Despite the investment in security technology, criminals continue to succeed in infiltrating IT systems. Technological solutions have not proven sufficient for securing IT assets [1,2,3].

Employees remain the weak link in security for many organizations [1,3]. Employees cause unintentional harm through negligent behaviors such as using weak passwords, opening questionable links in emails, and failing to log out of systems [1]. Hackers often bypass many layers of technological security defenses by exploiting the vulnerabilities created by negligent users. Attackers use social engineering techniques, such as email phishing, to obtain access or to deliver malware [2].

In addition to the technological defenses, organizations must focus on employees and the employees’ behaviors and intentions related to security compliance [1,2]. An information security policy (ISP) outlines expected behaviors related to securing information assets. Companies develop and institute ISPs to encourage positive behavior and deter negative behaviors in employees [3]. Organizations develop security awareness programs to help address concerns that users are not aware of security risks, do not comprehend the implications of ISP violations, or do not know how to practice secure behaviors [4]. Despite ISPs and security awareness programs, employees continue to violate security policies, putting their organizations at risk [2]. One area of research gaining increasing attention applies various behavior theories to understand what motivates employees to comply, or not to comply, with information security policies [1,3,5]. Researchers seek to understand how the application of behavior theories may influence an individual’s intention to comply with an ISP.

Early research on this topic focused on criminological theories such as general deterrence theory (GDT) [1]. Deterrence theory studies investigate how the certainty and severity of punishments may affect an individual’s willingness to comply with ISPs [5]. Studies of GDT examine whether or not employees will cease to engage in a noncompliant behavior when companies severely punish violators. Recent studies have called into question the efficacy of deterrence theory to motivate employees to comply with ISPs [1]. New research has looked at several behavior theories beyond GDT in an attempt to understand how to improve employee compliance with ISPs. The following sections examine several of these recent studies.

Theory of Planned Behavior, Social Cognitive Theory, and Social Bond Theory

Ifinedo researched ISP compliance using the theory of planned behavior (TPB), social cognitive theory (SCT), and social bond theory (SBT) [1]. The TPB posits that attitude and subjective norms influence an individual’s behavior. Within this context, attitude refers to the person’s positive and negative feelings concerning the behavior. Subjective norms relate to the individual’s perceptions of what people important to the individual think about the behavior. Social cognitive theory looks at the degree to which an individual perceives that he can control events. Self-efficacy, or the individual’s belief in his or her capabilities, is a significant component of SCT. The SBT posits that when people develop relationships, they are less inclined to indulge in antisocial or deviant behavior. Social bond theory includes four types of bonds – attachment, commitment, involvement, and personal norms [1].

Ifinedo developed a research model to test whether the four types of bonds in SBT have a positive effect towards ISP compliance intention [1]. The research model also examined if these four types of bonds had a positive effect on subjective norms from TPB. Ifinedo examined the influence of subjective norms and attitude on ISP compliance intention. Finally, the study investigated the impact of SCT, including locus of control and self-efficacy, on intent to comply. The researcher used a quantitative methodology to survey both IS managers and non-IS managers in Canada.

The research supported the applicability of TPB to ISP compliance behavior [1]. The study also supported the hypothesis that employees form social bonds at work and that these relationships influence attitude towards compliance. An employee who perceives control over issues affecting them in the workplace may more readily comply with an ISP. Also, an employee who feels capable and competent to deal with security matters will more likely choose to comply with an ISP. Ifinedo’s research calls into question the use of deterrence theory as a central component to increase ISP compliance behavior [1]. According to Ifinedo, an employee’s decision whether or not to comply with an ISP does not largely depend on perceived sanctions and penalties. The research into TPB, SCT, and SBT suggests that organizations can increase compliance with an ISP through co-worker socialization. Organizational bonding concerning IS security issues can increase ISP compliance [1].

Autonomy and Efficacy

Wall, Palvia, and Lowry researched the effects of autonomy and self-efficacy on the intention to comply [3]. The researchers based their study of ISP compliance behaviors on self-determination theory (SDT), reactance theory, and self-efficacy. The researchers examined whether SDT behaviors included protection behaviors essential to information security. To supplement self-determination, the researchers also looked at reactance theory. The combination of SDT and reactance provided a complete view of autonomy and the effects of autonomy on intent to comply with an ISP. According to SDT, an individual’s belief that his or her actions are self-guided increases the individual’s motivation to accomplish tasks. Reactance is an individual’s belief in his or her right to freedom from external control. Reactance theory maintains that a person will react to attacks on his or her autonomy by reasserting independence [3].

The study sought to discover how autonomy and efficacy relate and how each affects ISP compliance intentions [3]. The study looked at self-efficacy and response efficacy. Self-efficacy refers to an individual’s perception of his or her capabilities to execute a course of action. Response efficacy refers to the person’s belief that the course of action will result in the desired outcome. The researchers developed a conceptual model to explore the interactions between self-determination and reactance with self-efficacy and response efficacy [3].

The study found that self-determination increases perceptions of self-efficacy and response efficacy [3]. Reactance decreased the perceptions of response efficacy. These findings show that, in addition to measures directly aimed at efficacy, managers can increase efficacy indirectly by increasing perceptions of autonomy. The study also demonstrates the necessity of a security program that minimizes reactive episodes.

The study confirmed that response efficacy is a predictor of security behavior and intent to comply [3]. The findings show that employees are more likely to comply with an ISP if the employees believe compliance will lead to positive outcomes. The study did not find evidence that self-efficacy affects an individual’s intent to comply. Another key finding of the study showed that certainty of, and severity of, penalties do not affect intention to comply with an ISP. This result confirms the belief that GDT does not explain the motivation to comply with rules [3].

The findings from Wall, Palvia, and Lowry suggest that managers need to consider employees’ perceptions of efficacy and autonomy [3]. Controls that increase self-determination may lead to better employee compliance with ISPs. Attempts to control employees’ security behaviors may result in reactance. Reactance could decrease employees’ intentions to comply with ISPs. The study demonstrates that proactive security behaviors that encourage autonomy may have more influence on behavior than does punishing noncompliance [3].

Psychological Ownership and Self-Efficacy

Another study examined the effects of psychological ownership and self-efficacy on the intentions to comply with an ISP [5]. Psychological ownership refers to the degree to which an individual feels a sense of ownership over the specified item. According to psychological ownership theory, there are three routes to psychological ownership [5]. People develop ownership when they control who can access the object and the use of the item. The second route to psychological ownership is by investing significant effort in the creation or maintenance of the item. The final route is through familiarity with the item. The researchers sought to understand how psychological ownership might influence intention to comply with ISPs. To cover the three routes to psychological ownership, the researchers looked at control over the information, investment in the creation or maintenance of the information, and knowledge or familiarity with the information [5].

The findings showed that individuals developed psychological ownership over data only via the control route [5]. Individuals that had control over the use of the data developed a sense of ownership. However, personal investment into the creation or maintenance of the data and familiarity with the data did not result in psychological ownership. The study found that having experiences with security incidents did not increase self-efficacy. The researchers offer as an explanation that individuals with experience in dealing with security incidents may believe that security incidents continue to happen despite countermeasures. The most intriguing finding was that psychological ownership had an adverse impact on compliance behavior. Perhaps an individual’s psychological ownership over data makes him believe that he can use the information in whatever manner he wants [5].

Social Bond Theory and Involvement Theory

Safa, Solms, and Furnell studied how organizations can use the concepts of involvement, attachment, commitment, and personal norms from SBT to increase compliance intentions [2]. Within SBT, involvement, attachment, commitment, and personal norms describe the degree of bonding to an organization. The social bond theory holds that an individual with strong ties to a group will be less likely to demonstrate behaviors that deviate from the group’s policies. The researchers used involvement theory to refine the involvement component of SBT. Involvement theory describes the amount of time, energy, and participation an individual has in a particular activity. The researchers considered that information security knowledge sharing, collaboration, intervention, and experience demonstrate the involvement of an employee in protecting information assets within an organization. The study investigated whether involvement, attachment, commitment, and personal norms positively affected an individual’s intention to comply with an ISP [2]. The study divided involvement into information knowledge sharing, collaboration, intervention, and experience.

The study found that information security knowledge sharing, collaboration, intervention, and experience demonstrate involvement and increase security awareness among employees [2]. The results revealed that sharing of information security knowledge strongly affects employees’ attitudes towards ISP compliance. Collaboration creates a shared goal of protecting assets, which gives collaboration a positive impact on compliance attitudes. Intervention, such as training, and experience also demonstrated positive impacts on employees’ intentions to comply with ISPs. The study showed that both commitment and personal norms had a significant positive relationship with intention to comply [2]. However, the study found no significant relationship between attachment and intention to comply.

Based on the findings from Safa, Solms, and Furnell, companies should encourage information security knowledge sharing and collaboration. By increasing knowledge sharing and collaboration, companies may improve compliance with ISPs. Increasing knowledge sharing and collaboration will increase the overall training and experience related to information security. Training and experience related to information security may also increase employees’ intentions to comply [2].

Future Research

Many opportunities exist for future research into motivating individuals to comply with ISPs. Despite security awareness training, formal ISPs, and penalties for security violations, companies still struggle with ISP compliance [2]. Each of the studies reviewed has limitations, which offer research opportunities. Researchers could examine additional behavior theories to determine if they offer promise for improving ISP compliance. Finally, opportunities exist to investigate the interrelationships between the various theories studied in previous research.

One area of interest is to combine the SBT research conducted by Safa, Solms, and Furnell with the efficacy research conducted by Wall, Palvia, and Lowry. The proposed study would investigate whether a relationship exists between the SBT concepts of involvement, attachment, commitment, and personal norms and self-efficacy in relation to intention to comply with security policies. This research will require a more in-depth investigation and understanding of SBT and self-efficacy theory. To conduct this research, I would develop a conceptual model to show the expected interactions and the associated hypotheses.

To conduct the study, I will first need to identify the population. Several of the previous studies noted limitations regarding the sample populations. Ifinedo included respondents from organizations that have formal ISPs and respondents from companies that do not have formal ISPs [1]. Safa, Solms, and Furnell included only companies that have defined ISPs and that operate in Malaysia [2]. The researchers noted the paucity of such organizations. Wall, Palvia, and Lowry surveyed municipal government employees in United States (US) municipalities of 5,000 or more citizens [3]. My research would focus on employees within the financial sector and only include respondents from companies that have formal ISPs.

Humans remain the weak link in information security. Companies invest heavily in technological solutions to improve security. Criminals often bypass layers of security by exploiting vulnerabilities caused by negligent user behavior. Social engineering attacks target unsuspecting or careless users to gain entry into systems. Even the certainty and severity of punishment for violating ISPs does not appear to motivate employees to comply [1,3]. More research is required to understand what drives users to comply with ISPs and how to increase intention to comply.

About the author: Donnie Wendt is an information security professional focused on designing and engineering security controls and monitoring solutions. Also, Donnie is an adjunct professor of cybersecurity at Utica College. Donnie is currently pursuing a Doctorate of Science in Computer Science with a research focus on security automation and orchestration.

References

[1] Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51, 69-79. doi:10.1016/j.im.2013.10.001

[2] Safa, N. S., Solms, R. V., & Furnell, S. (2015). Information security policy compliance model in organizations. Computers & Security, 56, 70-82. doi:10.1016/j.cose.2015.10.006

[3] Wall, J. D., Palvia, P., & Lowry, P. B. (2013). Control-related motivations and information security policy compliance: The role of autonomy and efficacy. Journal of Information Privacy and Security, 9(4), 52-79. doi:10.1080/15536548.2013.10845690

[4] Tsohou, A., Karyda, M., & Kokolakis, S. (2015). Analyzing the role of cognitive and cultural biases in the internalization of information security policies: Recommendations for information security awareness programs. Computers & Security, 52, 128-141. doi:10.1016/j.cose.2015.04.006

[5] Huang, H.-W., Parolia, N., & Cheng, K.-T. (2016). Willingness and ability to perform information security compliance behavior: Psychological ownership and self-efficacy perspective. Pacific Asia Conference on Information Systems. AIS Electronic Library. Retrieved October 20, 2016, from http://aisel.aisnet.org/cgi/viewcontent.cgi?article=1079&context=pacis2016