A Composite Framework for Behavioral Compliance with Information Security Policies

  • Salvatore Aurigemma
  • Published 4 January 2012
  • Computer Science
  • 2012 45th Hawaii International Conference on System Sciences
To combat potential security threats, organizations rely upon information security policies to guide employee actions. Unfortunately, employee violations of such policies are common and costly enough that users are often considered the weakest link in information security. This paper presents a composite theoretical framework for understanding employee behavioral compliance with organizational information security policies. Building off of the theory of planned benefits, a composite model is… 

Motivating Employees to Comply with Information Security Policies

This theoretical model provides a framework for how organizations can intrinsically motivate their employees to comply with organizational information security policies through a supportive organizational culture, training, and job design.

Factors Influencing Information Security Policy Compliance Behavior

Results from the study show that security education training and awareness, top-management's commitment for information security, and peer non-compliance behavior affect the information security climate in an organization.

Factors Influencing Information Security Policy Compliance Behavior

The model results showed that perceived threat, vulnerability, response cost, and efficiency had a significant effect on compliance, but, interestingly, Self-Efficacy did not.

A Self-Regulatory Approach to Behavioral Compliance with IS Security Policies – “Come on, Baby, do the Locomotion”

The theory of self-regulation and the theory of self-determination are introduced to identify what factors cause some individuals to maintain compliance with security policies and others not, and what roles motivation and organizational reward and punishment structures play in the initiation and retention of security compliance behavior.

A Composite Framework to Promote Information Security Policy Compliance in Organizations

The paper synthesizes the existing literature and groups relevant ISP compliance factors into user involvement, personality types, security awareness and training, behavioral factors, and information security culture to develop a composite ISP compliance framework that proposes the establishment of ISP compliance as a culture in organizations.

Need for Compliance With Information Security Policy In Universities: a Preliminary survey

This research found that management realized the importance of compliance with information security policies to reduce information security incidents and needs an appropriate model to evaluate information security policy compliance.

Information Security Policy Compliance Behavior Based on Comprehensive Dimensions of Information Security Culture: A Conceptual Framework

An enhanced conceptual framework of ISP compliance behavior is discussed by addressing ISC as a multidimensional concept consisting of seven comprehensive dimensions that are aligned with the widely accepted concept of organizational culture and ISC.

A Thematic Review of User Compliance with Information Security Policies Literature

For over two decades, the information systems research community has published a sizable body of research on user compliance with information security policies, which has been divided into three categories: conceptual principles or studies without theoretical basis, theoretical models without empirical support, and empirical support grounded upon theories.


Analysis of data collected from 270 employees in banking organizations shows that employees’ perceived satisfaction and perceived usefulness directly influence continuance intention to comply with IS security policies.

Enforcing Information Security Protection: Risk Propensity and Self-Efficacy Perspectives

The study proposes a research model to explain individuals’ intention to reinforce their InfoSec protection and empirically validates the proposed model to provide a deeper understanding of the relationships among risk propensity, self-efficacy, risk perception, InfoSec protection efforts, and InfoSec reinforcement intention.



Security Policy Compliance: User Acceptance Perspective

The study is the first to address compliance intention from a users' perspective and indicates strong support for the proposed instrument and represents an early confirmation for the validation of the underlying theoretical model.

Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations

This article shows that neutralization theory, a theory prominent in Criminology but not yet applied in the context of IS, provides a compelling explanation for IS security policy violations and offers new insight into how employees rationalize this behavior.

Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness

The results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply, and light is shed on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.

Impact of perceived technical protection on security behaviors

Perceived technical protection affects behavioral intentions both indirectly, through PBC, and directly, and suggests possible risk compensation effects in the information security context.

Protection motivation and deterrence: a framework for security policy compliance in organisations

An Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour is developed and it is found that employees in the sample underestimate the probability of security breaches.

Employees' Behavior towards IS Security Policy Compliance

  • S. Pahnila, M. Siponen, M. Mahmood
  • Computer Science, Political Science
  • 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07)
  • 2007
A theoretical model that contains the factors that explain employees' IS security policy compliance is proposed and suggests that information quality has a significant effect on actual IS security policy compliance.