From the weakest link to the best defense: Exploring the factors that affect employee intention to comply with information security policies .

摘要

Information and information systems have become embedded in the fabric of contemporary organizations throughout the world. As the reliance on information technology has increased, so too have the threats and costs associated with protecting organizational information resources. To combat potential information security threats, organizations rely upon information security policies to guide employee actions. Unfortunately, employee violations of such policies are common and costly enough that users are often considered the weakest link in information security. The challenge for researchers and practitioners alike is to help transform employees from the weakest link to the best line of information security defense.;Building upon recent empirical research in information security policy behavioral compliance, this study provides a composite theoretical framework that captures key factors shown to impact an employee’s behavioral intent to comply with related policies. The theoretical framework is tested and validated in a real organizational context employing a robust and well-defined set of information security policies, a first in this burgeoning line of research. This study also evaluates how behavioral intent to follow security policies varies for employees for both the general specter of information security policy compliance and specific guidance for three common security threats.;This study found that the primary factors affecting behavioral intent (subjective norms, organizational commitment, attitude, perceived behavioral control, and self-efficacy) had strong, positive relationships with intent to comply with information security policies when examined at a high level of general compliance. However, when the factors affecting behavioral intent and attitude towards a security behavior were evaluated for specific information security threat contexts, individual factor importance and significance varied greatly. These results indicate that threat context plays an essential role in clarifying the roles of specific behavioral antecedents; there may be limited value in future research focusing on general information security threats. Finally, while this study failed to establish a significant relationship between behavioral compliance intent and an employee’s perception of their ability to enforce of mandatory information security policy requirements on coworkers, it did highlight a potential gap in the composite theoretical framework for this important phenomenon that should be addressed in future research.