Abstract

Information systems (IS) security is a major concern in organizations and in society as a whole. Organizational insiders, consisting of full-time or part-time employees, temporary workers, board members and others with authorization to access computer resources, have been found to be a major risk to organizational IS security. A common and highly regarded response to this risk is to formulate and promulgate IS security policies. The IS security academic research community has followed suit and carried out extensive studies on the formation, implementation, and effectiveness of security policies in organizations. A sizable number of these studies have focused on the relationship between IS security and the behavior of employees. Protection motivation theory (PMT), which builds on the theory of fear appeals, has also been applied widely in these studies. Unfortunately, the findings presented in these studies have made it difficult for practitioners and academics to comprehend the state of knowledge in this domain. These studies provide inconsistent and sometimes contradictory findings in the information systems security context. The objective of this study is to examine the role played by the definition of the term “security policy” in IS security policy compliance studies based on the protection motivation theory (PMT). The term “security policy” has various meanings depending on the context of its usage. A common classification is the three-level division of security policies. At the highest level is the enterprise IS security level, followed by issue-specific security policies, and at the lowest level, the technical security policies that relate to the security architecture of technological systems. Thus, the main research question is: does the definition of the term “security policy” impact PMT findings about employee compliance with IS security policies?
To answer this question, a meta-analysis of quantitative studies of compliance with information security policies that have used PMT as a theoretical basis will be carried out.


Compliance with Information Security Policies: A Meta-Analysis of the role of the definition of the term “Security Policies”
