Perceptions of Information Security at the Workplace: Linking Information Security Climate to Compliant Behavior
Abstract
A large number of information security breaches at the workplace result from employees’ failure to comply with organizational information security guidelines. Recent surveys report that 78% of computer attacks appear in the form of viruses embedded in email attachments. Employees who open e-mail attachments from unknown sources risk infecting their own computers as well as other computers sharing the same network. Therefore more attention needs to be paid to understanding why non-compliant behavior takes place such that appropriate measures for curbing the occurrence of such behavior can be found. With such motivation in mind, this study examines the effects of social contextual factors on employees’ compliance with organizational security policies. The research model is developed based on concepts adapted from safety climate literature that has been used to explain the safe behavior of employees in organizations. Data was collected from a sample of 140 employees from two large IT intensive organizations using a 28-item survey instrument and analyzed using structured equation modeling. Management practices, supervisory practices, and coworker’s socialization were found to be positively related to employees’ perception of information security climate in the organization. Perception of security climate and self-efficacy had positive impacts on compliant behavior. Implications of this study for research and practice are discussed.

INTRODUCTION

In recent years, organizations have increased spending on both physical and IT security technologies (Computer Security Institute 2004). Despite the increased expenditure, organizations encounter a number of security incidents as a result of staff errors and misdemeanors.
Contrary to the general perception that organizations are mainly vulnerable to external threats, a majority of misuse incidents are in fact committed by employees. Survey reports suggest that 78% of computer attacks occur in the form of viruses (Computer Security Institute 2004), which are activated through e-mail attachments that have been opened by employees (PriceWaterHouseCoopers 2004). Since these information security incidents occur as a result of employees’ failure to observe work procedures according to information security guidelines, it is important for organizations to identify and employ measures that facilitate employees’ compliance with suggested guidelines.

Past research on employees’ information security related behavior has focused mainly on employee computer abuse in the organization (Limayem, Khalifa & Chin 1999; Anandarajan 2002; Galletta & Polak 2003). However, employee computer abuse is not able to explain all information security incidents that are caused by employees. For example, factors such as the lack of information security awareness or performance pressure could be contributing factors. In general, it has been suggested that the assurance of information security will require a multifaceted approach encompassing both social and technical factors (Straub & Welke 1998; Dhillon & Backhouse 2001).

Based on the above practical and theoretical motivations, this research proposes to study employees’ behavior towards complying with information security guidelines in an attempt to develop a more comprehensive understanding of causes of information security incidents. This study is based on the social information processing approach, which suggests that contextual factors of the organization are significant in explaining job perceptions of individuals (Salancik & Pfeffer 1977).
In accordance with this approach, past research suggests that organizational climate perceptions are crucial determinants of individual behavior in organizations (Campbell, Dunnette, Lawler & Wick 1970; Payne & Mansfield 1978). This study develops a model that considers organizational (climate) and individual (self-efficacy) antecedents of compliant behavior. Further, social contextual factors (management practices, supervisory practices and co-workers’ socialization) are identified that are likely to impact organizational climate perceptions. The model is tested using a survey of employees in two large IT intensive organizations. The theoretical and practical implications of the findings are
Similar resources
Exploring the Type of Relationship between Information Security Management and Organizational Culture (Case Study in TAM Iran Khodro Co.)
A culture conducive to information security practice is extremely important for organizations since information has to be critical assets in modern enterprises. Thus for understanding and improving the organizational behavior with regard to information security, enterprises may look into organizational culture and examine how it affects the effectiveness of implementing ISM. This study aims ...
Identifying Information Security Risk Components in Military Hospitals in Iran
Background and Aim: Information systems are always at risk of information theft, information change, and interruptions in service delivery. Therefore, the present study was conducted to develop a model for identifying information security risk in military hospitals in Iran. Methods: This study was a qualitative content analysis conducted in military hospitals in Iran in 2019. The sample consist...
A model for information security compliant behaviour in the healthcare context
Healthcare professionals are dedicated to maintaining the confidentiality of patient information but are resistant to maintaining an information security compliant environment within a health information system. In this paper, a literature review is used to gain knowledge about the factors that affect this information security compliance. An overview of the security threats and those specific t...
Analysis and Evaluation of Privacy Protection Behavior and Information Disclosure Concerns in Online Social Networks
Online Social Networks (OSN) becomes the largest infrastructure for social interactions like: making relationship, sharing personal experiences and service delivery. Nowadays social networks have been widely welcomed by people. Most of the researches about managing privacy protection within social networks sites (SNS), observes users as owner of their information. However, individuals cannot co...