Herath, 2009: Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations

Topic:

(a) threat perceptions about the severity of breaches and response perceptions of response efficacy, self-efficacy, and response costs are likely to affect policy attitudes; (b) organisational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy, which in turn, is a significant predictor of policy compliance intentions. We find that employees in our sample underestimate the probability of security breaches.

survey, 312 employees from 78 organisations

Constructs in this publication:

| Construct | Cites | Category | Questions given? | Content validity | Pretests | Response type | Notes |
|---|---|---|---|---|---|---|---|
| Perceived probability of security breach | Ellen et al., 1991, Anderson, 2005 | protection motivation | yes | three rounds of expert panel | pilot | 7-point Likert scale | |
| Perceived severity of security breach | Ellen et al., 1991, Anderson, 2005 | protection motivation | yes | three rounds of expert panel | pilot | 7-point Likert scale | |
| Security breach concern level | Ellen et al., 1991, Anderson, 2005 | protection motivation | yes | three rounds of expert panel | pilot | 7-point Likert scale | |
| Response efficacy | Ellen et al., 1991, Anderson, 2005 | protection motivation | yes | three rounds of expert panel | pilot | 7-point Likert scale | |
| Cost | Anderson, 2005 | | yes | three rounds of expert panel | pilot | 7-point Likert scale | |
| Resource availability | Taylor, 1995 | | yes | three rounds of expert panel | pilot | 7-point Likert scale | |
| Self-efficacy | Taylor, 1995 | | yes | three rounds of expert panel | pilot | 7-point Likert scale | |
| Security policy attitude | Peace et al., 2003, Riemenschneider et al., 2003 | | yes | three rounds of expert panel | pilot | 7-point Likert scale | |
| Organisational commitment | Barge, 1988 | | yes | three rounds of expert panel | pilot | 7-point Likert scale | |
| Punishment severity | Peace et al., 2003, Knapp et al., 2005 | deterrence | yes | three rounds of expert panel | pilot | 7-point Likert scale | |
| Detection certainty | Peace et al., 2003, Knapp et al., 2005 | deterrence | yes | three rounds of expert panel | pilot | 7-point Likert scale | |
| Subjective norm | Karahanna et al., 1999 | social influence | yes | three rounds of expert panel | pilot | 7-point Likert scale | |
| Descriptive norm | Karahanna et al., 1999 | social influence | yes | three rounds of expert panel | pilot | 7-point Likert scale | |
| Security policy compliance intention | Anderson, 2005, Chan et al., 2005 | | yes | three rounds of expert panel | pilot | 7-point Likert scale | |

Citation:

Tejaswini Herath and H. Raghav Rao. Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems, 18(2):106–125, April 2009. doi:10.1057/ejis.2009.6.

Bibtex


@article{herath_protection_2009,
 abstract = {Enterprises establish computer security policies to ensure the security of information resources; however, if employees and end-users of organisational information systems (IS) are not keen or are unwilling to follow security policies, then these efforts are in vain. Our study is informed by the literature on IS adoption, protection-motivation theory, deterrence theory, and organisational behaviour, and is motivated by the fundamental premise that the adoption of information security practices and policies is affected by organisational, environmental, and behavioural factors. We develop an Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour. Furthermore, we evaluate the effect of organisational commitment on employee security compliance intentions. Finally, we empirically test the theoretical model with a data set representing the survey responses of 312 employees from 78 organisations. Our results suggest that (a) threat perceptions about the severity of breaches and response perceptions of response efficacy, self-efficacy, and response costs are likely to affect policy attitudes; (b) organisational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy, which in turn, is a significant predictor of policy compliance intentions. We find that employees in our sample underestimate the probability of security breaches.},
 author = {Herath, Tejaswini and Rao, H. Raghav},
 doi = {10.1057/ejis.2009.6},
 issn = {0960-085X, 1476-9344},
 journal = {European Journal of Information Systems},
 language = {en},
 month = {April},
 number = {2},
 pages = {106-125},
 shorttitle = {Protection Motivation and Deterrence},
 title = {Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations},
 volume = {18},
 year = {2009}
}