IT security policies play an important role in outlining the secure employee behavior that supports an organization’s strategic and competitive goals. However, history is full of examples of employees engaging in behaviors contrary to their organization’s security policy, often resulting in undesirable outcomes. This research-in-progress presents a dual-processing model for explaining and predicting secure behavior while interacting with strategic information systems. The model posits that the number of security layers (technical controls), the manifestation of managerial attitudes of compliance (managerial controls), and training (educational controls) influence secure behavior directly and also indirectly through system satisfaction. We will test our model in an experiment utilizing a realistic corporate environment that captures users’ security-policy compliance. We suspect that managerial controls and educational controls will positively influence secure behavior, while technical controls will negatively influence secure behavior directly and also indirectly through system satisfaction.
Ross, Gray and Jenkins, Jeffrey, "How Secure is Your System? Examining the Influence of Technical, Managerial, and Educational Controls on Users’ Secure Behavior" (2010). AMCIS 2010 Proceedings. 236.