Which Factors Explain Employees' Adherence to Information Security Policies? An Empirical Study

It is widely agreed that a key threat to information security is caused by careless employees who do not adhere to the information security policies of their organizations. In order to ensure that employees comply with the organization’s information security procedures, a number of information security policy compliance measures have been proposed in the past. Prior research has, however, criticized these measures as lacking theoretically and empirically grounded principles. To fill this gap in research, the present study advances a novel model that explains employees’ adherence to information security policies. This model modifies and combines the Protection Motivation Theory, the General Deterrence Theory, the Theory of Reasoned Action, the Innovation Diffusion Theory and Rewards. In order to empirically validate this model, we collected data (N=917) from four different companies. The findings show that direct paths from threat appraisal, self-efficacy, normative beliefs, and visibility to the intention to comply with IS security policies were significant. Response efficacy, on the other hand, did not have a significant effect on the intention to comply with IS security policies. Sanctions have a significant effect on actual compliance with IS security policies, whereas rewards did not have a significant effect on actual compliance with the IS security policies. Finally, the intention to comply with IS security policies has a significant effect on actual compliance with the IS security policies.