Employees' Adherence to Information Security Policies: An Empirical Study

The key threat to information security is constituted by careless employees who do not comply with information security policies. To ensure that employees comply with organizations’ information security procedures, a number of information security policy compliance measures have been proposed in the past. Prior research has criticized these measures as lacking theoretically and empirically grounded principles to ensure that employees comply with information security policies. To fill this gap in research, this paper advances a new model that explains employees’ adherence to information security policies. In this model, we extend the Protection Motivation Theory (PMT) by integrating the General Deterrence Theory (GDT) and the Theory of Reasoned Action (TRA) with PMT. To test this model, we collected data (N = 917) from four different companies. The results show that threat appraisal, self-efficacy and response efficacy have a significant impact on intention to comply with information security policies. Sanctions have a significant impact on actual compliance with information security policies. Intention to comply with information security policies also has a significant impact on actual compliance with information security policies.