Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness

  • Authors:
  • Tejaswini Herath;H. R. Rao

  • Affiliations:
  • Department of Finance, Operations and Information Systems, Faculty of Business, Brock University, St. Catharines, Ontario, Canada;Management Science and Systems, School of Management, State University of New York at Buffalo, USA and Computer Science and Engineering, College of Engineering, State University of New York at Buf ...

  • Venue:
  • Decision Support Systems
  • Year:
  • 2009

Quantified Score

Hi-index 0.00

Visualization

Abstract

Secure management of information systems is crucially important in information intensive organizations. Although most organizations have long been using security technologies, it is well known that technology tools alone are not sufficient. Thus, the area of end-user security behaviors in organizations has gained an increased attention. In information security observing end-user security behaviors is challenging. Moreover, recent studies have shown that the end users have divergent security views. The inability to monitor employee IT security behaviors and divergent views regarding security policies, in our view, provide a setting where the principal agent paradigm applies. In this paper, we develop and test a theoretical model of the incentive effects of penalties, pressures and perceived effectiveness of employee actions that enhances our understanding of employee compliance to information security policies. Based on 312 employee responses from 77 organizations, we empirically validate and test the model. Our findings suggest that security behaviors can be influenced by both intrinsic and extrinsic motivators. Pressures exerted by subjective norms and peer behaviors influence employee information security behaviors. Intrinsic motivation of employee perceived effectiveness of their actions was also found to play an important role in security policy compliance intentions. In analyzing the penalties, certainty of detection was found to be significant while surprisingly, severity of punishment was found to have a negative effect on security behavior intentions. We discuss the implications of our findings for theory and practice.