Personal and Contextual Predictors of Information Security Policy Compliance: Evidence from a Low-Fidelity Simulation

• Published in: Journal of business and psychology Vol. 39; no. 3; pp. 657 - 677
• Main Authors: Brooks, Ricardo R., Williams, Kevin J., Lee, So-Yun
• Format: Journal Article
• Language: English
• Published: New York Springer US 01.06.2024; Springer Nature B.V
• Subjects: Behavioral Science and Psychology; Business and Management; Community and Environmental Psychology; Compliance; Cybersecurity; Employee behavior; Industrial and Organizational Psychology; Information control; Information policies; Network security; Occupational psychology; Personality and Social Psychology; Psychology; Simulation; Social Sciences; Theory of planned behavior; Low-fidelity simulation; Organizational cybersecurity; Compliance threshold; Theory of planned behavior; Information security compliance; Organizational security climate
• ISSN: 0889-3268; 1573-353X
• DOI: 10.1007/s10869-023-09878-8

The objective of this study was to examine the roles that organizational security climate and perceived costs and rewards of compliance play in predicting the extent to which people endorse compliance or violation of specific information security policies (ISP). A low-fidelity simulation placed participants in either a strong or weak information security climate and presented them with four cybersecurity scenarios that assessed their judgments of complying with or violating security policies in those situations. Results indicated that information security climate relates to intent to comply with a company’s security policies via attitudes, subjective norms, and perceived behavioral control, in line with the predictions of the theory of planned behavior (Ajzen, 1991). Strong intentions to comply with policies, in turn, were associated with greater endorsement of compliant behaviors and decreased endorsement of policy violations in the specific scenarios. However, whether or not individuals chose to endorse compliance with or violation of specific policies, after initial intentions were formed, was also influenced by their perceived costs and rewards of compliance. The effects of costs were particularly strong: as perceived costs increased, participants were more likely to endorse ISP violations. Our findings suggest that establishing a strong information security climate may reduce the chances of security breaches, but that organizations should also intervene to reduce the perceived burden and inconvenience of security tasks.