From Information Security Awareness to Reasoned Compliant Action: Analyzing Information Security Policy Compliance in a Large Banking Organization
To ensure that employees abide by their organizations’ Information Security Policies (ISP), a number of information security policy compliance measures have been proposed in the past. If, as stage theories suggest, different factors explain/predict the information security behavior of employees who know the ISP and of those who do not, and the existing studies do not control for this issue, then the practical relevance of the existing models will be decreased. To test whether different factors explain/predict the information security behavior of these two groups of employees, we designed a study using the Protection Motivation Theory (PMT) as the baseline theory. Employees’ ISP knowledge was tested by asking a few questions related to their organization’s ISP. We divided the data (N=513) into a low-knowledge group (regarding the organization’s ISP) and a high-knowledge group. The results show that the findings for the low-knowledge group and the high-knowledge group differ substantially. Our results provide an explanation for the inconsistent results in previous IS security research.