• Corpus ID: 6401922

Information Security Behavior: Towards Multi-Stage Models

Seppo Pahnila, Mari Karjalainen, Mikko T. Siponen
Pacific Asia Conference on Information Systems
In order to ensure that employees abide by their organizations’ Information Security Policies (ISP), a number of information security policy compliance measures have been proposed in the past. If different factors can explain/predict the information security behavior of those employees who do know the ISP and of those who do not know the ISP, such as is suggested by stage theories, and the existing studies do not control for this issue, then the practical relevance of the existing models will… 

From Information Security Awareness to Reasoned Compliant Action

It is found that the attitude toward information security policy compliance, and not only social norms but also personal norms related to neutralization techniques, are all significant variables potentially mitigating the knowing-doing gap reported in related information security research.

Exploring the Influence of Direct and Indirect Factors on Information Security Policy Compliance: A Systematic Literature Review

A systematic literature review synthesizing the psychological theories, organizational theories, and other internal and external factors in information security policy compliance research shows that the general deterrence theory, theory of planned behavior, and protection motivation theory are the most frequently used theories.

Enacting Information Security Policies in Practice: Three Modes of Policy Compliance

To protect their information, organizations devote much time and resources to implementing information security policies (hereafter InfoSec policies), which form the core of an organization’s information security efforts by documenting guidelines for employees’ expected behaviour.

Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance

A systematic literature review of the literature on ISPC and ISB identified the behavioral transformation process from noncompliance to compliance, providing a behavior transformation process model based on the existing ISPC literature.

From theory to practice: guidelines for enhancing information security management

The authors uncover the factors shaping security behaviour barely or partly considered in the ISO information security standards ISO 27001, 27002, 27003 and 27005, including top management participation, accommodating individual characteristics, embracing the cultural context and considering the cost of compliance.

A study of information security awareness program effectiveness in predicting end-user security behavior

This study focused on testing the effectiveness of ISA programs on end-user security behavior and indicated that ISA does cause change in security behavior, but the data also showed no significance, and fails to reject the null hypothesis.

Protection Motivation Theory in Information Systems Security Research

A systematic review of the application of PMT in information systems (IS) security and the comparison with its application for decades in psychology identified five categories of important issues that have not yet been examined in IS security research.

The awareness of security breach among IT users in Kolej PolyTech

This study can be used to assist the IT Officer in Batu Pahat and other branches in KPTM to monitor the awareness level of users towards information security, thus enabling them to design effective information security awareness programs such as campaigns, seminars and case studies.



Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness

The results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply, and light is shed on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.

Which Factors Explain Employees' Adherence to Information Security Policies? An Empirical Study

The findings show that direct paths from threat appraisal, self-efficacy, normative beliefs, and visibility to the intention to comply with IS security policies were significant, and sanctions have a significant effect on actual compliance with IS security policies.

Perceptions of Information Security in the Workplace: Linking Information Security Climate to Compliant Behavior

A large number of information security breaches in the workplace result from employees’ failure to comply with organizational information security guidelines. Recent surveys report that 78%

If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security

A model to explain individual information security precaution-taking behavior is built and it is found that the acts of specifying policies and evaluating behaviors are effective in convincing individuals that security policies are mandatory.

Protection motivation and deterrence: a framework for security policy compliance in organisations

An Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour is developed and it is found that employees in the sample underestimate the probability of security breaches.

Employees' Behavior towards IS Security Policy Compliance

  • S. Pahnila, M. Siponen, M. Mahmood
  • Computer Science, Political Science
    2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07)
  • 2007
A theoretical model that contains the factors that explain employees' IS security policy compliance is proposed and suggests that information quality has a significant effect on actual IS security policy compliance.

Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model

This study proposes and empirically tests a nonmalicious security violation (NMSV) model with data from a survey of end users at work, and suggests that utilitarian outcomes, normative outcomes, and self-identity outcomes are key determinants of end user intentions to engage in NMSVs.

Compliance with Information Security Policies: An Empirical Investigation

The author mentions that the insignificant relationship between rewards and actual compliance with information security policies does not make sense and quite possibly this relationship results from not applying rewards for security compliance.