The Significance of Main Constructs of Theory of Planned Behavior in Recent Information Security Policy Compliance Behavior Study: A Comparison among Top Three Behavioral Theories

  • Authors

    • Akhyari Nasir
    • Ruzaini Abdullah Arshah
    • Mohd Rashid Ab Hamid
    2018-05-22
    https://doi.org/10.14419/ijet.v7i2.29.14008
  • Behavioral Theory, Theory of Planned Behavior, Information Security Policy Compliance, Security Behavior
  • For a decade, from 2000 until 2010, the Theory of Planned Behavior (TPB) and its main constructs of Attitude, Normative belief and Self-efficacy were considered a significant theory and significant factors in the study of information security policy (ISP) compliance behaviour. However, questions remain, particularly about the extent to which this theory is significant in recent studies compared with other competing theories. This paper presents a comparison of the main constructs of the top three behavioral theories in predicting and explaining recent ISP compliance studies. Studies on ISP compliance published from 2010 until 2016 are used to analyse the significance of TPB compared with General Deterrence Theory (GDT) and Protection Motivation Theory (PMT). The comparison criteria are the significance of the main constructs towards the dependent variable and the comprehensiveness with which a theory's main constructs are used in the research models of the selected studies. The results confirm that TPB is still relevant as the most significant theory in the area of ISP compliance study and that its main constructs are the strongest predictors of dependent variables in most ISP compliance models compared with GDT and PMT. This paper provides a clear status of the significance of TPB and its main constructs of Attitude, Normative belief and Self-efficacy in predicting and explaining ISP compliance behavior in recent studies. Academicians could use it as a reference for statistical evidence on the comparison of the top behavioral theories.

     

     

  • How to Cite

    Nasir, A., Abdullah Arshah, R., & Rashid Ab Hamid, M. (2018). The Significance of Main Constructs of Theory of Planned Behavior in Recent Information Security Policy Compliance Behavior Study: A Comparison among Top Three Behavioral Theories. International Journal of Engineering & Technology, 7(2.29), 737-741. https://doi.org/10.14419/ijet.v7i2.29.14008