Herath, 2009: Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations

Topic:

(a) threat perceptions about the severity of breaches and response perceptions of response efficacy, self-efficacy, and response costs are likely to affect policy attitudes; (b) organisational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy, which in turn, is a significant predictor of policy compliance intentions. We find that employees in our sample underestimate the probability of security breaches.

survey, 312 employees from 78 organisations

Constructs in this publication:

Construct	Cites	Category	Questions given?	Content validity	Pretests	Response type	Notes
Perceived probability of security breach	Ellen et al., 1991, Anderson, 2005	protection motivation	yes	three rounds of expert panel	pilot	7 point likert scale
Perceived severity of security breach	Ellen et al., 1991, Anderson, 2005	protection motivation	yes	three rounds of expert panel	pilot	7 point likert scale
Security breach concern level	Ellen et al., 1991, Anderson, 2005	protection motivation	yes	three rounds of expert panel	pilot	7 point likert scale
Response efficacy	Ellen et al., 1991, Anderson, 2005	protection motivation	yes	three rounds of expert panel	pilot	7 point likert scale
Cost	Anderson, 2005		yes	three rounds of expert panel	pilot	7 point likert scale
Resource availability	Taylor, 1995		yes	three rounds of expert panel	pilot	7 point likert scale
Self-efficacy	Taylor, 1995		yes	three rounds of expert panel	pilot	7 point likert scale
Security policy attitude	Peace et al., 2003, Riemenschneider et al., 2003		yes	three rounds of expert panel	pilot	7 point likert scale
Organisational commitment	Barge, 1988		yes	three rounds of expert panel	pilot	7 point likert scale
Punishment severity	Peace et al., 2003, Knapp et al., 2005	deterrence	yes	three rounds of expert panel	pilot	7 point likert scale
Detection certainty	Peace et al., 2003, Knapp et al., 2005	deterrence	yes	three rounds of expert panel	pilot	7 point likert scale
Subjective norm	Karahanna et al., 1999	social influence	yes	three rounds of expert panel	pilot	7 point likert scale
Descriptive norm	Karahanna et al., 1999	social influence	yes	three rounds of expert panel	pilot	7 point likert scale
Security policy compliance intention	Anderson, 2005, Chan et al., 2005		yes	three rounds of expert panel	pilot	7 point likert scale

This publication is cited by the following publications:

• Ifinedo, 2014: Commitment
• Ifinedo, 2014: Attitude toward ISSP compliance
• Ifinedo, 2014: ISSP compliance behavioral intentions
• Ifinedo, 2014: Detection probability
• Ifinedo, 2014: Sanction severity
• Al-Omari et al., 2013: Intention to Comply
• Al-Omari et al., 2013: Self-Efficacy
• Al-Omari et al., 2013: Subjective Norm
• Al-Omari et al., 2013: Moral Obligation
• Al-Omari et al., 2013: Utilitarianism
• Al-Omari et al., 2013: Formalism
• Al-Omari et al., 2013: Ethical Egoism
• Al-Omari et al., 2013: Attitude
• Sommestad et al., 2014: Attitude towards compliance
• Sommestad et al., 2014: Descriptive norm
• Sommestad et al., 2014: Intention to comply
• Sommestad et al., 2014: Normative beliefs
• Sommestad et al., 2014: Organizational commitment
• Sommestad et al., 2014: Perceived severity of sanctions
• Sommestad et al., 2014: Perceived Certainty of Sanctions
• Sommestad et al., 2014: Response cost
• Sommestad et al., 2014: Response efficacy
• Sommestad et al., 2014: Self-efficacy
• Sommestad et al., 2014: Threat appraisal
• Haeussinger, 2013: Information Security Policy Provision
• Ifinedo, 2012: Attitude toward ISSP compliance
• Ifinedo, 2012: Subjective norms
• Ifinedo, 2012: ISSP compliance behavioral intentions

Citation:

Tejaswini Herath and H. Raghav Rao. Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems, 18(2):106–125, April 2009. doi:10.1057/ejis.2009.6.

Bibtex

@article{herath_protection_2009,
 abstract = {Enterprises establish computer security policies to ensure the security of information resources; however, if employees and end-users of organisational information systems (IS) are not keen or are unwilling to follow security policies, then these efforts are in vain. Our study is informed by the literature on IS adoption, protection-motivation theory, deterrence theory, and organisational behaviour, and is motivated by the fundamental premise that the adoption of information security practices and policies is affected by organisational, environmental, and behavioural factors. We develop an Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour. Furthermore, we evaluate the effect of organisational commitment on employee security compliance intentions. Finally, we empirically test the theoretical model with a data set representing the survey responses of 312 employees from 78 organisations. Our results suggest that (a) threat perceptions about the severity of breaches and response perceptions of response efficacy, self-efficacy, and response costs are likely to affect policy attitudes; (b) organisational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy, which in turn, is a significant predictor of policy compliance intentions. We find that employees in our sample underestimate the probability of security breaches.},
 author = {Herath, Tejaswini and Rao, H. Raghav},
 doi = {10.1057/ejis.2009.6},
 issn = {0960-085X, 1476-9344},
 journal = {European Journal of Information Systems},
 language = {en},
 month = {April},
 number = {2},
 pages = {106-125},
 shorttitle = {Protection Motivation and Deterrence},
 title = {Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations},
 volume = {18},
 year = {2009}
}

---