Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness
Burcu Bulgurcu and researchers from the Sauder School of Business at the University of British Columbia looked into the problem of employees not complying with security policy. Security policy is (generally) put in place to protect the company from attacks directed at its employees, so it is important to the security of an organization that it is followed. Using the lens of the Theory of Planned Behaviour, they hoped to shed some light on why an employee would not follow a policy that exists for their benefit.
They collected data from 464 employees who had some familiarity with the requirements of their organizations’ Information Security Policies. They found that attitude, normative beliefs, and self-efficacy with regard to policy compliance were important factors for judging the likelihood of employees complying with security policy. They suggest that security practitioners should design their information security awareness programs to reinforce employees’ beliefs about intrinsic cost and to make clear the benefits, safety, and vulnerability involved. They also suggested that organizations create security awareness programs that ensure employees have the ability, and the confidence in that ability, to comply with security policy.
This work introduced concepts from Rational Choice Theory and the Theory of Planned Behaviour, which offer additional tools for practitioners designing awareness programs that go beyond deterrence.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness. MIS Quarterly, 34(3), 523-548. doi:10.2307/25750690