Applied Information Management

Identification of Behavioral Factors Within Organizations That Can Improve Information Systems Security Compliance

Information is considered a valuable asset to organizations and thus requires protection, which is enacted through management and governance plans (Herath & Rao, 2009; Thomson & von Solms, 2005). Information assets, knowledge assets, and information capital all provide value to organizations (Berzkalne, & Zelgalve, 2014; Glazer, 1991; Kakabadse, Kouzmin, & Kakabadse, 2001; Wiig, 1997). The amount of value that these assets provide is considered significant, although the value may be difficult to quantify; developing accurate measures and accounting of such value is an evolving field of research (Bontis, 2001; Wilson & Stenson, 2008).

Organizational failures to secure information assets can result in a variety of negative outcomes. For example, a survey conducted by the Ponemon Institute, LLC (2013) reports that security breaches, such as disclosure of protected personal data, can cost companies millions of dollars. A company's market value may be significantly impacted from the public announcements of security breaches (Acquisti, Friedman, & Telang, 2006; Campbell, Gordon, Loeb, & Zhou, 2003; Goel & Shawky, 2009). Response costs, such as labor costs, to identify, eliminate, and recover from security breaches can also be incurred (Lee, Fan, Miller, Stolfo, & Zadok, 2002).

The purpose of this annotated bibliography is to identify behavioral factors within organizations that can improve information systems security compliance (ISSP), defined by Ifinedo (2012) as a “mechanism for shaping or influencing the behaviors of their employees with respect to how organizational IS resource [sic] are used” (p. 84). Sources that identify the human factors that directly affect compliance, such as human error, the ability to perceive risk, and the rewarding of positive behavior are examined (Australian Government, Department of Defence, Command, Control, Communications and Intelligence Division, Defence Science and Technology Organization, 2010). The effectiveness of intrinsic and extrinsic motivations as they relate to human factors with regards to ISSP compliance is also evaluated (Herath & Rao, 2009; Ruighaver, Maynard, & Chang, 2007; Son, 2011). Finally, sources are included that focus on the specific case of agency literature as applied to ISSP compliance using incentive and disincentive mechanisms (Herath & Rao, 2009), as well as literature that explores the larger context of agency relationships, defined by Herath and Rao (2009) as “whenever one party (principal) entrusts some decision making authority to another party (agent)” (p. 155).

The target audience for this annotated bibliography is therefore organizational managers. Managers benefit from this annotated bibliography by learning techniques for improving ISSP compliance in behavioral and social contexts. In addition, managers explore literature that describes the lack of success that traditional methods, e.g., sanctions and penalties, may have on compliance (Ifinedo, 2014).

Employee behavior is often considered the ‘weakest link’ in information security.

Employee behavior is often considered the "weakest link" in information security (Huang, Rau, & Salvendy, 2007; Ifinedo, 2014; Warkentin & Willison, 2009). Addressing employee behaviors is important, as information security cannot be achieved exclusively by technological means (Herath & Rao, 2009). ISSP allows for the influence of employee behaviors as they pertain to the use of organizational information systems (Ifinedo, 2012). Managers play a key role in supporting organizational ISSP compliance due to their influence (Ifinedo, 2014; Pahnila, Siponen, & Mahmood, 2007; Ruighaver, Maynard, & Chang, 2007). Managers can improve ISSP compliance by focusing on the following behavioral constructs and social contexts.

Human factors, such as perception biases, are not completely avoidable; therefore, the best course of action is to acknowledge their potential effects and develop mitigation strategies to improve ISSP compliance. Liginlal, Sim, and Khansa (2009) suggest using a three-part defense- in-depth error management strategy to address causes of human error: (1) error avoidance focusing on employee training and enhancing the usability of the systems susceptible to misuse; (2) error interception focusing on frequent audits, better control of workflows with additional security checks and cross-verification by peers or supervisors, and introducing artificial delays to allow employees to self-detect errors they have committed; and (3) error correction focusing on timely feedback, root-cause analysis, and computer-based decision support systems to assist in decision making.

Employees who perceive ISSP compliance as interfering with their daily job or as a burden may be less motivated to comply (Bulgurcu, Cavusoglu, & Benbasat, 2010). Managers can increase compliance by clearly allocating a portion of employee time to achieve compliance and reducing the perception that compliance activities interfere with job duties (Bulgurcu, Cavusoglu, & Benbasat, 2010). Managers can also increase ISSP compliance by promoting usability reviews to ensure that organizational ISSP is streamlined, efficient, relevant, and not perceived as cumbersome (Bulgurcu, Cavusoglu, & Benbasat, 2010; Vance, Siponen, & Pahnila, 2012).

Employees who feel personal responsibility to comply with ISSP are shown to have reduced intentions to violate ISSP (Guo & Yuan, 2012). Managers can increase feelings of responsibility by focusing on ISSP training as it directly relates to business risks as opposed to ISSP training with little or no business context (Guo & Yuan, 2012). Workgroups influence individual employees by expressing disapproval of an individual’s intentions to violate ISSP (Guo & Yuan, 2012). Managers can increase the positive influence of workgroups by training security role models who advocate behaviors related to ISSP compliance (Guo & Yuan, 2012).

Selected References

  • Bontis, N. (2001). Assessing knowledge assets: a review of the models used to measure intellectual capital. International journal of management reviews, 3(1), 41-60. doi: 10.1111/1468-2370.00053 Retrieved from Wiley Online Library.
  • Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS quarterly, 34(3). Retrieved from
  • Goel, S., & Shawky, H. A. (2009). Estimating the market impact of security breach announcements on firm values. Information & Management, 46(7), 404-410. doi: 10.1016/ Retrieved from
  • Guo, K. H., & Yuan, Y. (2012). The effects of multilevel sanctions on information security violations: A mediating model. Information & Management, 49(6), 320-326. doi: 10.1016/ Retrieved from
  • Herath, T., & Rao, H.R. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154-165. doi:10.1016/j.dss.2009.02.005 Retrieved from
  • Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-79. doi:10.1016/ Retrieved from
  • Liginlal, D., Sim, I., & Khansa, L. (2009). How significant is human error as a cause of privacy breaches? An empirical study and a framework for error management. Computers & Security, 28(3), 215-228. doi: 10.1016/j.cose.2008.11.003 Retrieved from
  • Ruighaver, A., Maynard, S., & Chang, S. (2007). Organisational security culture: Extending the end-user perspective. Computers & Security, 26(1), 56-62. doi:10.1016/j.cose.2006.10.008 Retrieved from
  • Wilson, R. M., & Stenson, J. A. (2008). Valuation of information assets on the balance sheet: The recognition and approaches to the valuation of intangible assets. Business Information Review, 25(3), 167-182. doi: 10.1177/0266382108095039 Retrieved from Sage Publications
AIM alumnus Matthew Peterson

Research Paper Author: Matthew Peterson, faculty research assistant, Oregon State University. 2014 AIM Graduate.

Abstract: Organizational information assets require protection and cannot be secured by technological means alone. This annotated bibliography, reviewing literature from 2004 to 2014, identifies the employee behavioral factors on which managers should focus to improve information systems security policy (ISSP) compliance within their organizations. The categories of biases, beliefs, perceptions, and motivations are discussed. Specific recommendations for managers include addressing human error, attitudes, social context, self-efficacy, and extrinsic motivations.