Careless employees, who do not follow information security policies, constitute a serious threat to their organization. We conducted a field survey in order to understand which factors help towards employees' compliance with these security policies. Our research shows that the visibility of the desired practices and normative expectations of peers will provide a solid foundation towards employees complying with these policies. Our research also shows that if employees realize how vulnerable their organization is to security threats and the severity of these threats, they are likely to have a strong intention to comply with information security policies. Finally, employees' self-efficacy and response efficacy motivate them to comply with these policies. This article provides an information security strategic plan that puts together various best practices we found in our survey and that shows how these practices can be used to alleviate employees' non-compliance with organizational security policies.
Information security breaches can cause serious damage to organizations. Such breaches can harm irreparably by shutting down computers, forcing businesses to lose potential revenues, or by leaking corporate confidential information and customer data, possibly making corporations vulnerable to legal and regulatory problems and bad publicity.4,5 Most organizations encounter more than one information security breach in a given year.2 Prior information security research studies suggest that 91% of organizations' own employees frequently fail to adhere to information security policies,2 paving the way for such breaches. To tackle this situation, a number of suggestions have been made in the literature to help ensure employees' compliance with security policies. Commentators have, however, pointed out a series of weaknesses in the existing approaches. They suggest that these approaches lack empirical evidence on their effectiveness in practice. Because practitioners need empirically validated information, it is extremely important that we study employees' non-compliance with information security policies using field research. In order to understand why employees are careless about following security policies and which factors are important toward employees' compliance with these policies, we conducted a field survey of information security professionals from five Finnish companies operating in different lines of business. The survey instrument was developed based on a theoretical model derived from behavioral theories including the Theory of Reasoned Action1 and the Protection Motivation Theory.3 Since employees' compliance with information security policies is ultimately a psychological phenomenon, we find these theories useful in understanding how organizations can help their employees comply with these security policies. We show how these theories can be useful in offering a new and practical insight into what motivates employees to comply with these policies.
Some 3130 employees from four Finnish corporations were asked to fill out a Web-based information security instrument. Of these, 919 filled out the questionnaire, resulting in a 29.4% response rate. The demographic data show that male (56.1%) and female (43.1%) respondents are fairly evenly distributed. In order to test our model, we analyzed the field survey responses using factor analysis and multiple regression analysis.a All constructs were found to have an acceptable level of reliability and validity, confirming the soundness of the measuring instrument.
We find the following major reasons for employees' compliance with information security policies:
Positive social pressure and visibility provide a solid foundation towards employees' compliance with information security policies. Our study shows that the visibility of information security policies has a significant effect on employees' adherence to these policies. In addition, in order to ensure that employees comply with security policies, normative expectations of peers are vital. Our data show that information security must be promoted in the organization through education and campaigns in a visible manner. External information security visibility also has an impact on employees' behavior.
Potential sources of external visibility include news and commercials in media such as newspapers, radio, the Internet, and TV. For practitioners, this means information security breaches reported in the media should be made visible to employees and these should be discussed in meetings and training sessions in their organization. For practitioners, this also means that the behavior of managers, information security staff, and peers should be persuasive enough for employees to take compliance with information security policies seriously.
If employees do not understand the vulnerability and severity of the situation, they do not comply with information security policies. We found that perceived vulnerability and perceived severity have a direct effect on employees' intention to comply with information security policies. Perceived vulnerability refers to employees' assessment of whether their organization is susceptible to information security threats, while perceived severity encompasses the degree of potential physical and psychological harm emanating from these threats. In our study, it refers to harm caused by information security breaches.6 If employees realize the existence of security threats and the severity of these threats to their organization, they are likely to have a strong intention to comply with information security policies. For practitioners, this means managers must convince employees that they truly face information security threats and must make employees realize that these threats can cause serious negative consequences for their organization. Verbal persuasion plays a key role in convincing employees. For this purpose, examples of security breaches from their own organization and from other organizations play a critical role. High-level managers should participate in delivering these messages in order to make them convincing to rank-and-file employees. Departmental meetings and training sessions are good places where employees should be reminded to comply with information security policies.
Self-efficacy and response efficacy motivate employees to comply with information security policies. We found that self-efficacy, referring to whether employees believe that they can apply and adhere to information security policies, has a significant effect on employees' intention to comply with these policies. For practitioners, it is important to ensure that employees truly believe they can follow these security policies. This can be done through information security education and training. We also found that response efficacy has a significant impact on employees' intention to comply with information security policies. Response efficacy refers to employees' belief that complying with security policies is an effective way to prevent security threats. If employees do not believe that adherence to these policies removes information security threats, they are not likely to abide by these policies. For practitioners, this means managers and information security staff must ensure that employees believe complying with security policies will deter information security threats. This can be done through hands-on training showing the efficiency and effectiveness of these policies in preventing security breaches.
Summary of our findings: Our findings could be used as a significant part of an overall information security strategic plan. The strategic plan should encourage high-level managers to convince employees that information security threats are real and these threats can cause irreparable damages to their organization. This could be done using training sessions and organizational meetings that would include examples of past high-profile security breaches from within and outside their organization.
The information security strategic plan should also ensure that employees are provided with adequate hands-on education and guidance to show the user-friendliness and effectiveness of information security policies. This is mainly to ensure that employees truly believe that they can carry out these security policies and they are convinced that abiding by these policies will prevent information security breaches.
Finally, the information security strategic plan should include a set of behavioral guidance for managers and information security staff. They must ensure that their behavior and their expectations are convincing enough for employees to take information security seriously. The strategic plan should also include a provision for the visibility of information security policies. Strategic managers should ensure that these security policies are promoted widely in the organization through a proper education campaign. Security incidents reported outside the organization, in the media, should also be discussed in organizational meetings and training sessions.
1. Fishbein, M. and Ajzen, I., Belief, Attitude, Intention and Behavior: An Introduction to Theory and Research. Addison-Wesley, MA. 1975.
2. Hinde, S. Security surveys spring crop. Computers & Security 21, 4, (2002), 310–321.
3. Rogers, R. W. and Prentice-Dunn, S. Protection motivation theory. In D. S. Gochman (Ed.), Handbook of Health Behavior Research I: Personal and Social Determinants. Plenum Press, NY, (1997), 113–132.
4. Siponen, M.T. Analysis of modern IS security development approaches: towards the next generation of social and adaptable ISS methods. Information and Organization 15, 4, (2005), 339–375.
5. Straub, D.W. Effective IS security: An empirical study. Information Systems Research 1, 3, (1990), 255–276.
6. Woon, I. M. Y., Tan, G. W. and Low, R. T. A Protection Motivation Theory Approach to Home Wireless Security. In Proceedings of the 26th International Conference on Information Systems, Las Vegas, 2005, 367–380.
a. Factor analysis and regression results are available on request.
DOI: http://doi.acm.org/10.1145/1610252.1610289
©2009 ACM 0001-0782/09/1200 $10.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.