End users are often the weakest link in ensuring information system security (ISS) in organizations. Numerous studies have shown that employees' behaviour remains a significant challenge to successfully implementing ISS policies in organizations.
In a Ponemon Institute survey of IT security practitioners, nearly 56% of the participants identified employees' resistance to complying with ISS policies as the most significant barrier to implementing effective security strategies in their organizations.
The implementation of ISS policies requires behavioural changes in the way users interact with IT systems. For example, enforcing a stricter authentication policy in an organization may provoke resistance, leading some employees to write down their passwords on post-it notes even though the security policy prohibits such actions. In organizational settings, people are generally not extensively policed for their IT use; therefore, punishment deterrents may not directly affect their behaviour towards security policy compliance.
In situations where monitoring of all actions of all the people may not be feasible, social norms may have a stronger influence on people’s behaviour than the effect of punitive deterrents.
Subjective norms and descriptive norms influence individual behaviour and can be a more effective means of regulating it than enforcing punishment deterrents. Subjective norms refer to people behaving "in accordance with what they believe others think they should do." Descriptive norms refer to perceptions about whether others are or are not performing the behaviour in question. Additionally, in situations involving ethical dimensions, moral norms, which reflect an individual's feelings of moral obligation or responsibility to perform, or refuse to perform, a certain behaviour, are a significant predictor of behaviour.
This paper examined the effect of norms on employees’ resistance towards complying with ISS policies. The authors posited that moral and descriptive norms act as mediators between the punishment factors and resistance. Thus, they examined the indirect role of punishment as a potential management practice to reduce resistance towards ISS policies in organizations.
The results showed that punishment factors (punishment severity and certainty of detection) exerted an indirect influence on resistance to ISS through normative factors; namely, the descriptive and moral norms. The analysis of the data confirmed the relationships between the certainty of detection and descriptive norms, and the certainty of detection and moral norms. Because moral norms are grounded in ethical dimensions, they are more affected by the certainty of detection instead of the severity of punishment. People are conscious about doing the right thing; moreover, they also want to be seen as doing the right thing. Therefore, the certainty of detection, rather than the severity of punishment, affects the moral norms.
The results on the effects of punishment severity and punishment certainty on normative factors have important implications for organizations. By widely communicating policies that clearly state the consequences of violating required behaviour, organizations ensure that employees know what is expected of them, and a large number of employees will comply with ISS policies.
Cite: Merhi, M. I. and Ahluwalia, P. (2019). Examining the impact of deterrence factors and norms on resistance to Information Systems Security. Computers in Human Behavior, 92, 37-46.