IDEAS home Printed from https://ideas.repec.org/a/taf/tjisxx/v18y2009i2p106-125.html
   My bibliography  Save this article

Protection motivation and deterrence: a framework for security policy compliance in organisations

Author

Listed:
  • Tejaswini Herath
  • H Raghav Rao

Abstract

Enterprises establish computer security policies to ensure the security of information resources; however, if employees and end-users of organisational information systems (IS) are not keen or are unwilling to follow security policies, then these efforts are in vain. Our study is informed by the literature on IS adoption, protection-motivation theory, deterrence theory, and organisational behaviour, and is motivated by the fundamental premise that the adoption of information security practices and policies is affected by organisational, environmental, and behavioural factors. We develop an Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour. Furthermore, we evaluate the effect of organisational commitment on employee security compliance intentions. Finally, we empirically test the theoretical model with a data set representing the survey responses of 312 employees from 78 organisations. Our results suggest that (a) threat perceptions about the severity of breaches and response perceptions of response efficacy, self-efficacy, and response costs are likely to affect policy attitudes; (b) organisational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy, which in turn, is a significant predictor of policy compliance intentions. We find that employees in our sample underestimate the probability of security breaches.

Suggested Citation

  • Tejaswini Herath & H Raghav Rao, 2009. "Protection motivation and deterrence: a framework for security policy compliance in organisations," European Journal of Information Systems, Taylor & Francis Journals, vol. 18(2), pages 106-125, April.
    • Handle: RePEc:taf:tjisxx:v:18:y:2009:i:2:p:106-125
    DOI: 10.1057/ejis.2009.6
    as

    Download full text from publisher

    File URL: http://hdl.handle.net/10.1057/ejis.2009.6
    Download Restriction: Access to full text is restricted to subscribers.
    File URL: https://libkey.io/10.1057/ejis.2009.6?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Victoria Kisekka & Sanjay Goel, 2023. "An Investigation of the Factors that Influence Job Performance During Extreme Events: The Role of Information Security Policies," Information Systems Frontiers, Springer, vol. 25(4), pages 1439-1458, August.
    2. Fu, Shixuan & Zheng, Xiaojiang & Wang, Hongpeng & Luo, Yunzhong, 2023. "Fear appeals and coping appeals for health product promotion: Impulsive purchasing or psychological distancing?," Journal of Retailing and Consumer Services, Elsevier, vol. 74(C).
    3. Debabrata Dey & Abhijeet Ghoshal & Atanu Lahiri, 2022. "Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement," Management Science, INFORMS, vol. 68(4), pages 2914-2931, April.
    4. Li, Yuanxiang John & Hoffman, Elizabeth, 2023. "Designing an incentive mechanism for information security policy compliance: An experiment," Journal of Economic Behavior & Organization, Elsevier, vol. 212(C), pages 138-159.
    5. Bosse, Douglas & Thompson, Steven & Ekman, Peter, 2023. "In consilium apparatus: Artificial intelligence, stakeholder reciprocity, and firm performance," Journal of Business Research, Elsevier, vol. 155(PA).
    6. A. J. Burns & Tom L. Roberts & Clay Posey & Paul Benjamin Lowry & Bryan Fuller, 2023. "Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse," Information Systems Research, INFORMS, vol. 34(1), pages 342-362, March.
    7. Frederik Ahlemann & Sven Dittes & Tim Fillbrunn & Kevin Rehring & Stefan Reining & Nils Urbach, 2023. "Managing In-Company IT Standardization: A Design Theory," Information Systems Frontiers, Springer, vol. 25(3), pages 1161-1178, June.
    8. Bhukya, Ramulu & Paul, Justin, 2023. "Social influence research in consumer behavior: What we learned and what we need to learn? – A hybrid systematic literature review," Journal of Business Research, Elsevier, vol. 162(C).
    9. Bitrián, Paula & Buil, Isabel & Catalán, Sara & Merli, Dominik, 2024. "Gamification in workforce training: Improving employees’ self-efficacy and information security and data protection behaviours," Journal of Business Research, Elsevier, vol. 179(C).
    10. Yan Chen & Dennis F. Galletta & Paul Benjamin Lowry & Xin (Robert) Luo & Gregory D. Moody & Robert Willison, 2021. "Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model," Information Systems Research, INFORMS, vol. 32(3), pages 1043-1065, September.
    11. Kay-Yut Chen & Jingguo Wang & Yan Lang, 2022. "Coping with Digital Extortion: An Experimental Study of Benefit Appeals and Normative Appeals," Management Science, INFORMS, vol. 68(7), pages 5269-5286, July.
    12. Eun Hee Park & Jongwoo Kim & Lynn Wiles, 2023. "The role of collectivism and moderating effect of IT proficiency on intention to disclose protected health information," Information Technology and Management, Springer, vol. 24(2), pages 177-193, June.
    13. Maurizio Cavallari, 2023. "Organizational Determinants and Compliance Behavior to Shape Information Security Plan," Academic Journal of Interdisciplinary Studies, Richtmann Publishing Ltd, vol. 12, November.
    14. Supunmali Ahangama, 2023. "Relating Social Media Diffusion, Education Level and Cybersecurity Protection Mechanisms to E-Participation Initiatives: Insights from a Cross-Country Analysis," Information Systems Frontiers, Springer, vol. 25(5), pages 1695-1711, October.
    15. Fedorenko, Ivan & Berthon, Pierre & Edelman, Linda, 2023. "Top secret: Integrating 20 years of research on secrecy," Technovation, Elsevier, vol. 123(C).
    16. Warut Khern-am-nuai & Matthew J. Hashim & Alain Pinsonneault & Weining Yang & Ninghui Li, 2023. "Augmenting Password Strength Meter Design Using the Elaboration Likelihood Model: Evidence from Randomized Experiments," Information Systems Research, INFORMS, vol. 34(1), pages 157-177, March.

    More about this item

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:taf:tjisxx:v:18:y:2009:i:2:p:106-125. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    We have no bibliographic references for this item. You can help adding them by using this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Longhurst (email available below). General contact details of provider: http://www.tandfonline.com/tjis .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.