A Path to Successful Management of Employee Security Compliance: An Empirical Study of Information Security Climate

Jahyun Goo (Florida Atlantic University); Myung-Seong Yim (Sahmyook University); Dan J. Kim (University of North Texas)

Abstract

Research problem: Although organizations have exerted significant effort to leverage policies and procedures to improve information security, the impact and effectiveness of these measures are under scrutiny because employees' compliance with information security procedures remains problematic. Research questions: (1) What is the role of information security climate (ISC) in cultivating individuals' compliance with security policy? (2) Do individual affective and normative states mediate the effect of ISC in increasing security policy compliance intention while thwarting employees' security avoidance? Literature review: Drawing upon Griffin and Neal's safety climate model, which describes the effect of safety climate on individual safety behaviors that lead to specific performance outcomes, we develop an ISC model to empirically examine the efficacy of security climate in governing employees' policy compliance. The literature suggests that there can be practical reasons for employees not to observe security policies and procedures. These go beyond simple non-use or negligence and include rationalizing security violations, particularly because employees are under pressure to get work done without delay. To empirically address such employee behavior, we use the term security avoidance in this study: an employee's deliberate intention to avoid security policies or procedures in daily work despite the need and opportunity to follow them. Methodology: We surveyed IT users in South Korea about their perceptions of various organizational and managerial information security practices in the work environment. Results and discussion: The results from 581 participants strongly support the fundamental proposition that the information security climate has a significant positive impact on employees' conformity with the security policy.
The study also reveals that the security climate nurtures employees' affective and cognitive states through affective commitment and normative commitment. These, in turn, mediate the influence of security climate on employee policy compliance by facilitating rule adherence among employees while, at the same time, inspiring self-adjusted behaviors that neutralize their deliberate intentions of negligence. Overall, the findings support our view that the creation of a strong security climate is an adequate alternative to sanction-based deterrence for achieving employees' security policy compliance, and one that limits the presence of security avoidance. The implications for theory are the multidimensional nature of the ISC construct and its linkage to a systematic view of individual-level information security activities. The implication for practice is the ISC's favorable role in discouraging employees' security avoidance while inducing security policy compliance intention at the same time, given the limits of sanctions.

Journal: IEEE Transactions on Professional Communication
Published: 2014-12-01
DOI: 10.1109/tpc.2014.2374011
Open Access: Closed

