Start Date
11-8-2016
Description
IS Security research has historically concentrated on evaluating the effects of phenomena on behavioral intention rather than actual behavior. We believe an air-gap exists between behavioral intention and actual behavior, particularly as it relates to information security policy compliance. We show through input from a panel of 12 information security experts that intention to comply with security policy may be interrupted for many different reasons. Using a ranking-Delphi method, we quantify information security expert opinion regarding what sort of scenarios are most likely to disrupt one’s desire (attitude) and intention to comply with information security policy. While our panel did not reach consensus, their experience and insight reinforced the notion that behavioral intention is not an absolute predictor of actual behavior. As such, IS security research should not culminate in evaluating impact to behavioral intention, but should attempt to understand a phenomenon’s correlation to actual behavior whenever possible.
Recommended Citation
Merritt, Chris and Dhillon, Gurpreet, "What Interrupts Intention to Comply with IS-Security Policy?" (2016). AMCIS 2016 Proceedings. 3.
https://aisel.aisnet.org/amcis2016/ISSec/Presentations/3
What Interrupts Intention to Comply with IS-Security Policy?