Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness

a r t i c l e i n f o Keywords: Principal agent theory Information security End-user security behaviors Security policy compliance Secure management of information systems is crucially important in information intensive organizations. Although most organizations have long been using security technologies, it is well known that technology tools alone are not sufficient. Thus, the area of end-user security behaviors in organizations has gained an increased attention. In information security observing end-user security behaviors is challenging. Moreover, recent studies have shown that the end users have divergent security views. The inability to monitor employee IT security behaviors and divergent views regarding security policies, in our view, provide a setting where the principal agent paradigm applies. In this paper, we develop and test a theoretical model of the incentive effects of penalties, pressures and perceived effectiveness of employee actions that enhances our understanding of employee compliance to information security policies. Based on 312 employee responses from 77 organizations, we empirically validate and test the model. Our findings suggest that security behaviors can be influenced by both intrinsic and extrinsic motivators. Pressures exerted by subjective norms and peer behaviors influence employee information security behaviors. Intrinsic motivation of employee perceived effectiveness of their actions was also found to play an important role in security policy compliance intentions. In analyzing the penalties, certainty of detection was found to be significant while surprisingly, severity of punishment was found to have a negative effect on security behavior intentions. We discuss the implications of our findings for theory and practice. In information intensive organizations secured management of information has become an important issue. Organizations have been actively using security technologies. Extant research in information security has been focused on the use technology (e.g., [27,69]). However more recently, practitioners and academics have started to realize that information security cannot be achieved through only technological tools and effective organizational information security depends on all three components, namely: people, processes and technology [34]. However, empirical research on end-user security behaviors and factors influencing them is still in its infancy. With the advances in security technologies, many computing behaviors such as patch management and antivirus updates are now being automated to reduce the task knowledge and time burdens on end users. However, behaviors such as appropriate use of computer and network resources, appropriate password habits etc., that cannot be addressed by security technologies are often dealt through organizational computer …