A Path to Successful Management of Employee Security Compliance: An Empirical Study of Information Security Climate

Jahyun Goo Florida Atlantic University ; Myung-Seong Yim Sahmyook University ; Dan J. Kim University of North Texas

Abstract

Research problem: Although organizations have been exerting significant effort to leverage policies and procedures to improve information security, the impact and effectiveness of these measures are under scrutiny because employees' compliance with information security procedures remains problematic.

Research questions: (1) What is the role of information security climate (ISC) in cultivating individuals' compliance with security policy? (2) Do individual affective and normative states mediate the effect of ISC, increasing security policy compliance intention while thwarting employees' security avoidance?

Literature review: Drawing upon Griffin and Neal's safety climate model, which describes the effect of safety climate on individual safety behaviors that lead to specific performance outcomes, we develop an ISC model to empirically examine the efficacy of security climate in governing employees' policy compliance. The literature suggests that there can be practical reasons for employees not to observe security policies and procedures. These go beyond simple lack of use or negligence and include rationalizing security violations, particularly given that employees are under pressure to get work done without delay. To empirically address such employee behavior, we use the term security avoidance in this study: an employee's deliberate intention to avoid security policies or procedures in daily work despite the need and opportunity to follow them.

Methodology: We surveyed IT users in South Korea about their perceptions of various organizational and managerial information security practices in the work environment.

Results and discussion: The results from 581 participants strongly support the fundamental proposition that the information security climate has a significant positive impact on employees' conformity with the security policy. The study also reveals that the security climate nurtures employees' affective and cognitive states through affective commitment and normative commitment. These, in turn, mediate the influence of security climate on employee policy compliance by facilitating rule adherence among employees while, at the same time, inspiring self-adjusted behaviors that neutralize deliberate intentions of negligence. Overall, the findings support our view that creating a strong security climate is an adequate alternative to sanction-based deterrence for employees' security policy compliance, and that it limits the presence of security avoidance. The implications for theory are the multidimensional nature of the ISC construct and its linkage to a systematic view of individual-level information security activities. The implications for practice are ISC's favorable role in discouraging employees' security avoidance while inducing security policy compliance intention at the same time, given the limits of sanctions.

Journal
IEEE Transactions on Professional Communication
Published
2014-12-01
DOI
10.1109/tpc.2014.2374011
Open Access
Closed

