Security behaviors can be influenced by both intrinsic and extrinsic motivators. Pressures exerted by subjective norms and peer behaviors influence employee information security behaviors. Intrinsic motivation of employee perceived effectiveness of their actions was also found to play an important role in security policy compliance intentions. In analyzing the penalties, certainty of detection was found to be significant while surprisingly, severity of punishment was found to have a negative effect on security behavior intentions.
| Construct | Cites | Category | Questions given? | Content validity | Pretests | Response type | Notes |
|---|---|---|---|---|---|---|---|
| Severity of penalty | Peace et al., 2003, Knapp et al., 2005 | Penalty | yes | three rounds of expert panel | pilot | 7 point likert scale | |
| Certainty of detection | Peace et al., 2003, Knapp et al., 2005 | Penalty | yes | three rounds of expert panel | pilot | 7 point likert scale | |
| Normative beliefs | Karahanna et al., 1999 | Social pressure | yes | three rounds of expert panel | pilot | 7 point likert scale | |
| Peer behaviour | Anderson, 2005 | Social pressure | yes | three rounds of expert panel | pilot | 7 point likert scale | |
| Perceived effectiveness | Anderson, 2005 | Intrinsic motivation | yes | three rounds of expert panel | pilot | 7 point likert scale | |
| Compliance intention | Anderson, 2005, Chan et al., 2005, Pahnila et al., 2007 | yes | three rounds of expert panel | pilot | 7 point likert scale |
Tejaswini Herath and H. Raghav Rao. Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2):154–165, May 2009. doi:10.1016/j.dss.2009.02.005.
@article{herath_encouraging_2009,
abstract = {Secure management of information systems is crucially important in information intensive organizations. Although most organizations have long been using security technologies, it is well known that technology tools alone are not sufficient. Thus, the area of end-user security behaviors in organizations has gained an increased attention. In information security observing end-user security behaviors is challenging. Moreover, recent studies have shown that the end users have divergent security views. The inability to monitor employee IT security behaviors and divergent views regarding security policies, in our view, provide a setting where the principal agent paradigm applies. In this paper, we develop and test a theoretical model of the incentive effects of penalties, pressures and perceived effectiveness of employee actions that enhances our understanding of employee compliance to information security policies. Based on 312 employee responses from 77 organizations, we empirically validate and test the model. Our findings suggest that security behaviors can be influenced by both intrinsic and extrinsic motivators. Pressures exerted by subjective norms and peer behaviors influence employee information security behaviors. Intrinsic motivation of employee perceived effectiveness of their actions was also found to play an important role in security policy compliance intentions. In analyzing the penalties, certainty of detection was found to be significant while surprisingly, severity of punishment was found to have a negative effect on security behavior intentions. We discuss the implications of our findings for theory and practice.},
author = {Herath, Tejaswini and Rao, H. Raghav},
doi = {10.1016/j.dss.2009.02.005},
issn = {0167-9236},
journal = {Decision Support Systems},
keywords = {Information Security,Principal agent theory,End-user security behaviors,Security policy compliance},
month = {May},
number = {2},
pages = {154-165},
shorttitle = {Encouraging Information Security Behaviors in Organizations},
title = {Encouraging Information Security Behaviors in Organizations: {{Role}} of Penalties, Pressures and Perceived Effectiveness},
volume = {47},
year = {2009}
}