Description

Information security is among the top organizational priorities. Theoretically, information security in socio-technical networks is as much a behavioral issue as it is a technical one. Protection motivation theory (PMT), the dominant theory used to investigate end-user security behavior, has nevertheless shown conflicting results, primarily because the theory has not been contextualized from a healthcare context to the information security context. In this paper, we outline a theoretically grounded conceptual model of the major factors influencing information security policy compliance. The model contextualizes the two independent variables of PMT. Threat appraisal evaluation is viewed as construal evaluation based on construal level theory, while coping appraisal evaluation is viewed as an outcome of training based on social cognitive theory. Overall, the model provides a well-grounded nomological network to better explain information security compliance behavior. The paper also outlines key managerial levers that can be used to influence end-user behavior.

Aug 10th, 12:00 AM

Behavioral Approach to Information Security Policy Compliance
