Employees’ Adherence to Information Security Policies: An Exploratory Field Study

Mikko Siponen, University of Oulu, Finland
Seppo Pahnila, University of Oulu, Finland
M. A. Mahmood, University of Texas at El Paso

Abstract

The key threat to information security comes mainly from careless employees who do not comply with information security policies. The present research advances a new multi-theory-based model that explains employees’ adherence to security policies. The paradigm combines elements from the Protection Motivation Theory, the Theory of Reasoned Action, and the Cognitive Evaluation Theory. The proposed paradigm is then validated using a sample of 669 responses from four different corporations in Finland. The SEM-based results show that the perceived severity of potential information security threats, employees’ belief in whether they can apply and adhere to information security policies, perceived vulnerability to potential security threats, employees’ attitude towards complying with information security policies, and social norms toward complying with these policies have a significant and positive effect on employees’ intention to comply with information security policies. Employees’ intention to comply with information security policies also has a significant impact on their actual compliance with these policies. From a managerial implications point of view, high-level managers must emphasize to employees the importance of information security and why it is important to carry out these policies. In addition, employees must be provided with security education and hands-on training.