انگیزش انطباق امنیتی : دیدگاه هایی از عادت و نظریه انگیزش حفاظت

Employees’ failure to comply with IS security procedures is a key concern for organizations today. A number of socio-cognitive theories have been used to explain this. However, prior studies have not examined the influence of past and automatic behavior on employee decisions to comply. This is an important omission because past behavior has been assumed to strongly affect decision-making. To address this gap, we integrated habit (a routinized form of past behavior) with Protection Motivation Theory (PMT), to explain compliance. An empirical test showed that habitual IS security compliance strongly reinforced the cognitive processes theorized by PMT, as well as employee intention for future compliance. We also found that nearly all components of PMT significantly impacted employee intention to comply with IS security policies. Together, these results highlighted the importance of addressing employees’ past and automatic behavior in order to improve compliance.

Organizations typically encounter at least one breach of security due to an information security policy violation per year [1]. Furthermore, it has been estimated that over half of all IS security breaches are indirectly or directly caused by employee failure to comply with IS security procedures [19]. It is not surprising that a critical concern for organizations is the extent to which employees comply with information security policies [6] and [18]. A number of behavioral approaches have been proposed in the literature for either improving employees’ compliance with the security procedures of their organizations or to explain their reasons for computer abuse [16]. Many of behavioral approaches draw upon theories of Criminology and Psychology, such as Deterrence Theory [9], Neutralization Techniques [17] and socio-cognitive [11]. These, while valuable, have not resulted in examination of the influence of past compliance behavior on appraisals of information security threats and coping responses. This is an important omission, since Protection Motivation Theory (PMT) suggests that past behavior strongly influences the process of assessing threats and one's ability to cope with them. To address this gap, we integrated the full PMT model with habit, a routinized form of past and automatic behavior [10]. Research on the theory of habit has highlighted the pervasive effect of habit on human behavior. This allowed us to examine the influence of routinized past IS security compliance behavior on the threat appraisal and coping mechanisms theorized in PMT. To evaluate our model, we performed an empirical study in an organization in Finland (with a population of 210 employees). Our results offer relevant insights for both practitioners and researchers.

Employees’ adherence to IS security policies is important in ensuring the information security of organizations. Prior work examining IS security policy compliance has not applied the full model of PMT. Moreover, the influence of past and automatic IS security compliance behavior on the threat appraisal and coping responses of PMT has not been fully examined in prior research. We integrate the full PMT model with the Theory of Habit. To evaluate our model, we performed an empirical study in Finland. Our results strongly support our integrated model. A number of implications for practice were highlighted. First, practitioners need to ensure that employees recognize information security threats and the risks that these threats pose to their organization. Also, it is important to tell employees that their organization is likely to be subjected to information security threats if they do not take IS security techniques and practices seriously and comply with the policies. Second, employees should know that compliance with IS security policies is part of their work responsibility. Third, organizations need to ensure that information security practices and procedures are not difficult to use. Finally, it is important to make sure that employees comply with IS security policies.