A Composite Framework for Behavioral Compliance with Information Security Policies

Salvatore Aurigemma (Communication and Information Sciences (CIS) PhD Program, University of Hawaii at Manoa, Honolulu, HI, USA)
Copyright: © 2013 |Pages: 20
DOI: 10.4018/joeuc.2013070103


To combat potential security threats, organizations rely upon information security policies to guide employee actions. Unfortunately, employee violations of such policies are common and costly enough that users are often considered the weakest link in information security. This paper presents a composite theoretical framework for understanding employee behavioral compliance with organizational information security policies. Building on the theory of planned behavior, the composite model incorporates the strengths of previous studies while minimizing the theoretical gaps present in other behavioral compliance models. In building the framework, related operational constructs are examined and normalized to allow better comparison of past studies and to help focus future research efforts.
Article Preview


Information systems are pervasive throughout the spectrum of modern international organizations, including the education, military, government and commercial sectors. Worldwide spending on information technologies and services by the year 2014 is estimated to be $4 trillion (Hardcastle et al., 2012). Unfortunately, with the increased reliance of the U.S. economy on information and information systems come increased information security threats and associated costs. Information security concerns are not isolated to the U.S.; information security compromises occur internationally on a daily basis, with losses potentially in the range of hundreds of billions a year (United Nations, 2005).

Capturing the true cost and occurrence of information security incidents is a difficult task. It is estimated that organizations discover only a fraction of actual security incidents (Whitman, 2003). Additionally, many organizations are reluctant to admit security breaches for a variety of reasons, such as negative publicity or reputation damage (Richardson, 2011; Hoffer & Straub, 1989; Panko, 2009). This information dilemma is not limited to small organizations with limited information security resources. Since 2010, RSA Inc., Verisign Inc. (both companies at the forefront of digital encryption and security technology), and Google were hacked by what are now called Advanced Persistent Threats (APTs) (Andress, 2011; Reeder, 2012). An APT is defined as a technologically sophisticated entity engaged in information warfare (the use of IT to gain an advantage over an adversary) in support of long-term goals (Cloppert, 2009). While the damage done to RSA and Google was primarily carried out by complex computer software remotely operated via computer networks, it was human error that opened the organizations to attack. Specifically, the recent successful APT attacks against RSA Inc. and Internet giant Google both started with spear-phishing attacks that successfully tricked employees into opening email attachments that exploited previously unknown software vulnerabilities (Andress, 2012).

The importance of employees to information security. There are numerous threats to the confidentiality, integrity, and availability of organizational information and information systems (Panko, 2009). While many security mechanisms are designed to mitigate the information security risks from relevant threats, it is often incumbent upon users to use those technologies and/or procedures faithfully and properly for them to be effective; information security depends on the effective behavior of humans (Siponen, 2005; Stanton et al., 2005; Vroom & von Solms, 2004; Workman, 2007; Panko, 2009). In a report by the U.S. National Security Telecommunications and Information Systems Security Committee (NSTISSC), the greatest potential threat to government information resources is said to come from “insiders with legitimate access to those systems” (NSTISSAM, 1999).

There is ample and important research on the information security dangers posed by organizational insiders. There are generally two types of insider security risk – those from malicious and those from non-malicious employees (NSTISSAM, 1999; Brackney & Anderson, 2004). In the well-respected 2010/2011 Computer Security Institute (CSI) Computer Crime and Security Survey, over 60% of respondents reported losses due to security compromises from non-malicious insiders, compared to 41% from malicious insiders (Richardson, 2011).
