Bulgurcu et al., 2010: Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness

Topic:

An employee’s intention to comply with the information security policy (ISP) is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee’s attitude. Furthermore, information security awareness (ISA) positively affects both attitude and outcome beliefs.

464 respondents

Constructs in this publication:

| Construct | Cites | Category | Questions given? | Content validity | Pretests | Response type | Notes |
|---|---|---|---|---|---|---|---|
| Information Security Awareness | NEW | | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |
| Perceived Benefit of Compliance | NEW | | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |
| Intrinsic Benefit | NEW | | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |
| Safety of Resources | NEW | | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |
| Rewards | Kirsch, 2007 | | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |
| Perceived Cost of Compliance | NEW | | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |
| Work Impediment | NEW | | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |
| Perceived Cost of Noncompliance | NEW | | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |
| Intrinsic Cost | NEW | | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |
| Vulnerability of Resources | NEW | | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |
| Sanctions | Kirsch, 2007 | | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |
| Attitude | Ajzen, 1991 | theory of planned behavior | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |
| Normative Beliefs | Ajzen, 1991 | theory of planned behavior | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |
| Self-Efficacy to Comply | NEW | theory of planned behavior | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |
| Intention to Comply | Ajzen, 1991 | theory of planned behavior | yes | expert review and 2 rounds of card sorting game (moore_development_1991) | pilot | 7-point Likert scale | |

Citation:

Burcu Bulgurcu, Hasan Cavusoglu, and Izak Benbasat. Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS quarterly, 34(3):523–548, 2010.

Bibtex


@article{bulgurcu_information_2010,
 abstract = {Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be great assets in the effort to reduce risk related to information security. Since employees who comply with the information security rules and regulations of the organization are the key to strengthening information security, understanding compliance behavior is crucial for organizations that want to leverage their human capital. This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization's information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee's attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee's attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee's outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards, while cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee's attitude toward compliance with the ISP. Our results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee's attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees' following their organizations' information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.},
 author = {Bulgurcu, Burcu and Cavusoglu, Hasan and Benbasat, Izak},
 journal = {MIS quarterly},
 keywords = {Information security management,Compliance,Behavioral issues of information security,Information security awareness,Information security policy,Theory of planned behavior},
 number = {3},
 pages = {523-548},
 shorttitle = {Information Security Policy Compliance},
 title = {Information Security Policy Compliance: {{An}} Empirical Study of Rationality-Based Beliefs and Information Security Awareness},
 volume = {34},
 year = {2010}
}