Why don’t employees follow security policy?

Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness

Burcu Bulgurcu and colleagues from the Sauder School of Business at the University of British Columbia looked into the problem of employees not complying with security policy. Security policy is (generally) put in place to protect the organization from attacks directed at its employees, so it matters to the security of an organization that the policy is actually followed. Using the lens of the Theory of Planned Behaviour, they set out to explain why an employee would not follow a policy that exists for their own benefit.

They collected data from 464 employees who had some familiarity with the requirements of their organizations’ information security policies. They found that attitude, normative beliefs, and self-efficacy with regard to policy compliance were important factors in predicting the likelihood of employees complying with security policy. They suggest that security practitioners design their information security awareness programs to reinforce employees’ beliefs about the intrinsic cost of noncompliance, and to make clear the benefits of compliance, the safety it provides, and the vulnerability that noncompliance creates. They also suggest that organizations build security awareness programs that ensure employees have both the ability to comply with security policy and confidence in that ability.

This work introduces concepts from Rational Choice Theory and the Theory of Planned Behaviour, which offer practitioners designing awareness programs additional tools that go beyond deterrence.



Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness. MIS Quarterly, 34(3), 523-548. doi:10.2307/25750690




  1. Post

    This paper is from 2010, but if you are thinking about security awareness training, it’s a good piece to have read.

  2. Lynn Smith

    Excellent article Michael, and a topic that is at the heart of many discussions held by the Security Awareness Working Group (SAWG) in the Government of Canada. The psychology of security is so very interesting, and important as one considers evolving cyber security incidents.

    Recently, I came across a report from the Saskatchewan branch of the Better Business Bureau (BBB) where their research found the number one reason people choose to report a scam is to help warn others, not to recoup a loss or bring justice to the perpetrator. This was discovered through analysis of their Scam Tracker application (https://www.bbb.org/scamtracker/). This motivation is so ‘Canadian’ and interesting as it speaks to the important role psychology plays in designing security policies, programs, and of course public awareness campaigns.

    Thanks again,
    Lynn
