This paper contains a conceptual replication of Herath and Rao (2009), who tested the Integrated Protection Motivation Theory (PMT) and General Deterrence Theory (GDT) model of security policy compliance under the umbrella of the Decomposed Theory of Planned Behavior (DTPB). This study replicates their research model except for the Response Cost construct. In contrast to the original study, all data for this replication comes from a single organization, and the survey instrument references a security policy specific to this organization, not generic security policies in multiple organizations. Our results, based on 437 observations, confirm some of the original findings but not all. Relationships stemming from Organizational Commitment, Resource Availability, Security Breach concern level and Subjective Norms are similar across both studies. The findings for other relationships drawn from PMT, GDT, and TPB are mixed. We believe that the evidence provided in this conceptual replication of the Integrated Model (Herath & Rao, 2009) supports the robustness of parts of the model. We encourage future research and practice to focus on replicating and confirming the parts of the model that are similar in both studies.
Sikolia, David; Twitchell, Douglas; and Sagers, Glen
"Protection Motivation and Deterrence: Evidence from a Fortune 100 Company,"
AIS Transactions on Replication Research: Vol. 4
, Article 7.
Available at: https://aisel.aisnet.org/trr/vol4/iss1/7