Why not comply with information security? An empirical approach for the causes of non-compliance

Published: 13 February 2017
DOI: https://doi.org/10.1108/OIR-11-2015-0358
Pages: 2-18
Authors: Inho Hwang, Daejin Kim, Taeha Kim, Sanghyun Kim
Subject matter: Library & information science; Information behaviour & retrieval; Collection building & management; Bibliometrics; Databases; Information & knowledge management; Information & communications technology; Internet; Records management & preservation; Document management
Inho Hwang, Daejin Kim and Taeha Kim
College of Business and Economics, Chung-Ang University, Seoul, Korea, and
Sanghyun Kim
School of Business, Kyungpook National University, Daegu, Korea
Abstract
Purpose: The purpose of this paper is to empirically investigate the negative causal relationships between
organizational security factors (security systems, security education, and security visibility) and individual
non-compliance causes (work impediment, security system anxiety, and non-compliance behaviors of peers),
which have negative influences on compliance intention.
Design/methodology/approach: Based on a literature review, the authors propose a research model
together with hypotheses. Survey questionnaires were developed to collect data, which were then used to
validate the measurement model. The authors collected 415 responses from employees at manufacturing and
service firms that had already implemented security policies. The hypothesized relationships were tested
using the structural equation model approach with AMOS 18.0.
Findings: Survey results validate that work impediment, security system anxiety, and non-compliant peer
behaviors are the causes of employee non-compliance. In addition, the authors found that security systems,
security education, and security visibility decrease instances of non-compliance.
Research limitations/implications: Organizations should establish a mixture of security investment in
their systems, education, and visibility in order to effectively reduce employees' non-compliance. In addition,
organizations should recognize the importance of minimizing the particular causes of employees'
non-compliance in order to increase intentions to comply with information security.
Originality/value: An important issue in information security management is employee compliance.
Understanding the reasons behind employees' non-compliance is a critical issue. This paper investigates
empirically why employees do not comply, and how organizations can induce employees to comply through a
mixture of investments in security systems, education, and visibility.
Keywords: Compliance intention, Peer behaviour, Security education, Security systems, Security visibility,
Work impediment
Paper type: Research paper
1. Introduction
Global spending on IT security in 2014 increased to $71.1 billion at a growth rate of
7.9 percent, double the growth rate of IT budgets over the last two years (Gartner, 2014). Firms
invest in IT security to protect critical information resources as well as to sustain their
business processes. In addition to this growing investment in technological prevention,
managerial approaches to increase employee compliance have received much attention from
industry and academia. Loch et al. (1992) classified security incidents along 2 × 2 dimensions,
by perpetrator (human vs non-human) and by source (internal vs external). Among these
classes of security incident, the case of human perpetrators from internal sources is
widely accepted to be the most difficult to prevent; that is, managing employees so that they follow
the information security policy is the most difficult aspect of IT security (Warkentin and
Willison, 2009). According to Verizon (2013), 14 percent of organizations' information
exposures originated from insiders, and these perpetrators were most often people who had
no relation to IT system tasks, such as office employees, engineers, and board members.
Extant research has investigated the reasons behind non-compliance with information
security (e.g. Bulgurcu et al., 2010; Chen and Zahedi, 2016; D'Arcy et al., 2009; Herath and Rao,
2009; Ifinedo, 2012; Johnston and Warkentin, 2010; Siponen and Vance, 2010; West, 2008).
Online Information Review, Vol. 41 No. 1, 2017, pp. 2-18. © Emerald Publishing Limited. ISSN 1468-4527.
DOI 10.1108/OIR-11-2015-0358. Received 9 November 2015; revised 11 April 2016; accepted 15 April 2016.
According to these studies, employees think that information security policies may reduce the
efficiency of their work. Information security often conflicts with the efficiency of information
systems, such as active sharing of critical information resources, standardization of business
processes, and downloading applications or components to complete a certain task. Employees
may perceive security policy as ambiguous yet too severe in its penalties, which may cause
anxiety in using information systems with security policies in place.
In addition, employees follow the norms of their peers. If one's coworkers do not completely
comply with the organization's security policy, there is a high chance that one may act
similarly in not following the firm's security policy. A new approach to information security is
needed that considers information security jointly with tasks, anxiety, and the peer behaviors of
employees. Based on the theoretical explanation of West (2008), this study attempts to answer
the question of employee compliance in a situation where information security and task goals
conflict. West (2008) explains, based on prospect theory, why employees do not comply with
security policy but rather try to accomplish their tasks. In the proposed situation, employees
consider either complying ($5 return) or not complying ($0 or $10, each with a 50 percent
chance). A risk-averse employee in this situation would prefer the $5 return, i.e. comply with
the policy rather than trying to accomplish their tasks. West (2008) proposes that when security
investment is instead framed as a losing situation, employees consider two options: comply ($5) or not
comply ($0 or $10, each with a probability of 50 percent). For this case, prospect theory
proposes that employees would prefer the option of $0 or $10, each with a probability of
50 percent, i.e. not to comply with the policy. This explains why employees do not comply with
security policy but rather try to accomplish their tasks.
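As an added illustration of the prospect-theory argument above (example code, not from the paper), the following Python evaluates West's two options under the Tversky and Kahneman (1992) value function in the gain frame and in the loss frame. It assumes the standard published parameter estimates, models the loss frame by treating the same dollar amounts as losses, and takes probabilities at face value without the probability-weighting function; all three are simplifications chosen for this example.

```python
"""Prospect-theory view of the compliance choice described by West (2008).

Value function (Tversky & Kahneman, 1992):
  v(x) =  x ** ALPHA             for gains  (x >= 0)
  v(x) = -LAMBDA * (-x) ** BETA  for losses (x < 0)
Probabilities are used unweighted, a simplification assumed here.
"""
from typing import List, Tuple

ALPHA = 0.88    # curvature for gains (Tversky & Kahneman, 1992 estimate)
BETA = 0.88     # curvature for losses
LAMBDA = 2.25   # loss-aversion coefficient: losses loom larger than gains


def value(x: float) -> float:
    """Subjective value of one outcome x relative to the reference point."""
    if x >= 0:
        return x ** ALPHA
    return -LAMBDA * (-x) ** BETA


def prospect_value(outcomes: List[Tuple[float, float]]) -> float:
    """Value of a gamble given as [(probability, outcome), ...]."""
    total_p = sum(p for p, _ in outcomes)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return sum(p * value(x) for p, x in outcomes)


def option_values(frame: str) -> Tuple[float, float]:
    """Return (comply_value, not_comply_value) for the 'gain' or 'loss' frame.

    Gain frame (West, 2008): comply = sure $5; not comply = $0 or $10 at 50% each.
    Loss frame: the same amounts treated as losses (sign flipped), our assumption.
    """
    if frame not in ("gain", "loss"):
        raise ValueError("frame must be 'gain' or 'loss'")
    sign = 1.0 if frame == "gain" else -1.0
    comply = prospect_value([(1.0, sign * 5.0)])
    not_comply = prospect_value([(0.5, 0.0), (0.5, sign * 10.0)])
    return comply, not_comply


def preferred_option(frame: str) -> str:
    """'comply' if the sure option is valued higher, else 'not comply'."""
    comply, not_comply = option_values(frame)
    return "comply" if comply > not_comply else "not comply"


if __name__ == "__main__":
    for frame in ("gain", "loss"):
        print(frame, option_values(frame), "->", preferred_option(frame))
```

In the gain frame the concave value function makes the sure $5 worth more than the gamble (risk aversion); in the loss frame the convex, loss-averse branch makes the gamble hurt less than a certain loss, so the employee gambles on not complying, which is the reversal the paragraph describes.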
Typically, information security policy, which is not much different from other policies,
often comes with punishment. Punishment frequently occurs in organizational
environments (Chen et al., 2012), and the use of punishment might result in employees'
anxiety. Such anxiety may be the cause of employees not complying with security policy
(Gabriel and Furnell, 2011). Employees often take actions based on the actions of their peers;
thus employees' non-compliance is often motivated by peer behavior (Herath and Rao, 2009).
In other words, if employees feel that their peers do not comply with security policy, they
may think that it is sensible not to comply.
The purpose of this study is to investigate the causal relationships between organizational
information security efforts and the causes of individual non-compliance, which in turn negatively
affect compliance intention. In order for an organization to efficiently enhance the security
compliance of employees, two research questions are proposed in this study:
RQ1. What are the causes of employees' non-compliance with information security?
RQ2. How can an organization minimize individual non-compliance?
Our approach takes the following steps. Through literature review, we attempted to find
individual factors that may affect the compliance intention of employees. Then, we sought
to identify what organizations can do to control these individual factors for better
compliance of employees. Based on this understanding of individual and organizational
contexts of employees' security compliance intention, we propose a research model with
hypotheses, and empirically validate the research model.
2. Literature review
2.1 Information security of the organization and employee
Information security incidents in an organization may occur at any time and place when a
person has access to an information system (Bulgurcu et al., 2010). Therefore, an
organization should develop strategies to reduce information security threats by employees
(Straub and Welke, 1998).