The human is frequently referred to as the weakest link of security. Employees who engage in behaviors contrary to their organization’s security policy often cause undesirable outcomes. This research presents a dual-processing model explaining and predicting secure behavior in relation to password policies. The model posits that the number of password security layers (technical controls), training (educational controls), and manager attitude toward secure behavior (managerial controls) influence secure behavior directly and also indirectly through security policy satisfaction. An experiment was designed to test our model utilizing a realistic corporate environment that captures users’ security policy compliance. The results show that the combination of low technical controls and the presence of training significantly increases new employees’ compliance with the security policy. Positive managerial controls and low technical controls increase satisfaction with the security policy; however, satisfaction with the security policy was not significantly related to secure behavior for new employees.
Jenkins, Jeffrey L.; Durcikova, Alexandra; Ross, Grayson; and Nunamaker, Jay F. Jr., "Encouraging Users to Behave Securely: Examining the Influence of Technical, Managerial, and Educational Controls on Users’ Secure Behavior" (2010). ICIS 2010 Proceedings. 150.