research-article

From Information Security Awareness to Reasoned Compliant Action: Analyzing Information Security Policy Compliance in a Large Banking Organization

Published: 02 August 2017

Abstract

Despite the importance of information security, far too many organizations, in particular banks, are facing behavioral information security incidents. In the context given by the headquarters of a large European banking organization, this single case study investigates whether individual behavioral compliance with the information security policy is influenced by accumulated security information and information security awareness embedded within the theory of reasoned action in an extended norms approach. We collected empirical data through a three-staged process in which we conducted semi-structured interviews, implemented a survey to test the developed research hypotheses, and engaged in interactive presentations to discuss the results. In particular, the qualitative interviews strengthened internal validity of survey constructs related to neutralization techniques and internal channel use for information acquisition. We found that the attitude toward information security policy compliance, and not only social norms but also personal norms related to neutralization techniques, are all significant variables potentially mitigating the knowing-doing gap reported in related information security research. Besides emphasizing the importance of extended norms, which should be accounted for in information security awareness programs, we also highlight the use of internal and external channels to acquire information as initial drivers of awareness. The empirical findings provide implications to practice and advance theoretical development by generally supporting the developed model that accounts for compliant information security behavior at an international bank.


Published in

ACM SIGMIS Database: the DATABASE for Advances in Information Systems, Volume 48, Issue 3
August 2017
130 pages
ISSN: 0095-0033
EISSN: 1532-0936
DOI: 10.1145/3130515

        Copyright © 2017 ACM


        Publisher

        Association for Computing Machinery

        New York, NY, United States
