Many organizations recognize that their employees,
who are often considered the weakest link in information security,
can also be great assets in the effort to reduce risk related to
information security. Since the key is employees who comply with the
information security rules and regulations of the organization,
understanding compliance behavior is crucial for organizations that
want to leverage their human capital to strengthen information
security.
This research identifies the antecedents of employee
compliance with the information security policy (ISP) of an
organization. Specifically, we investigate the rationality-based
factors that drive an employee to comply with requirements of the
ISP with regard to protecting the organization’s information and
technology resources. Drawing on the theory of planned behavior, we
posit that, along with normative belief and self-efficacy, an
employee’s attitude toward compliance determines intention to comply
with the ISP. As a key contribution, we posit that an employee’s
attitude is influenced by benefit of compliance, cost of
compliance, and cost of noncompliance, which are
beliefs about the overall assessment of consequences of
compliance or noncompliance. We then postulate that these beliefs
are shaped by the employee’s outcome beliefs concerning the
events that follow compliance or noncompliance: benefit of
compliance is shaped by intrinsic benefit, safety of
resources, and rewards; cost of compliance is
shaped by work impediment; and cost of noncompliance is
shaped by intrinsic cost, vulnerability of resources, and
sanctions. We also investigate the impact of information
security awareness (ISA) on outcome beliefs and an
employee’s attitude toward compliance with the ISP.
Our results show that an employee’s intention to
comply with the ISP is significantly influenced by attitude,
normative beliefs, and self-efficacy to comply. Outcome beliefs
significantly affect beliefs about overall assessment of
consequences, and they, in turn, significantly affect an employee’s
attitude. Furthermore, ISA positively affects both attitude and
outcome beliefs. As the importance of employees’ following their
organizations’ information security rules and regulations increases,
our study sheds light on the role of ISA and compliance-related
beliefs in an organization’s efforts to encourage compliance.
Keywords: Information security awareness, information
security management, compliance, information security policy,
behavioral issues of information security, theory of planned
behavior