Introduction
To counter continually evolving information security threats, organizations develop formal information security policies (ISPs) to reduce data risks and strengthen data security (Yildirim, 2016). If information assurance professionals do not comply with the ISPs, the firm’s data risks increase (Aloul, 2012; Pfleeger, Sasse, & Furnham, 2014), and noncompliant information security behavior of employees has been shown to be a significant information security risk for organizations (Alqahtani, 2017; Kolkowska, Karlsson, & Hedström, 2017). Despite the importance of information security and ISP compliance, previous researchers have primarily focused on compliance among general employees, and little attention has been given to the compliance behaviors of information assurance professionals (Kolkowska et al., 2017; Fourtané, 2018). This study will explore this gap.
The phenomenon of interest in the present study is ISP compliance among information assurance professionals. ISP compliance is important to the success of an organization’s information security program (Alqahtani, 2017; Kolkowska et al., 2017). ISP compliance is especially relevant in the context of information assurance professionals, as these individuals are tasked with “protecting information from theft, destruction, or manipulation” (Sadiku, Alam, & Musa, 2017, p. 1).
Organizations spend millions of dollars on security training and ISP awareness (Mejias & Balthazard, 2015). Despite investments in information security, ISP noncompliance among information assurance professionals constitutes a significant data security risk for organizations (Kolkowska et al., 2017). Research has shown that employees’ failure to comply with an ISP can expose an organization to regulatory fines and loss of reputation due to data breaches (Hina & Dominic, 2018). Lord (2018) specifically noted that when information assurance professionals do not comply with ISPs, they expose organizational data to unnecessary risks. The scholarly literature lacks clarity regarding the factors that significantly influence information assurance professionals’ behavioral intentions to comply with ISPs (Alqahtani, 2017; Kolkowska et al., 2017; Quigley, Burns, & Stallard, 2015).
Review of the Literature
The UTAUT2 model uses seven key factors to explain behavioral intentions to adopt or use technology (Venkatesh et al., 2012): performance expectancy, effort expectancy, social influence, facilitating conditions, hedonic motivation, price value, and habit. Hedonic motivation is the motivation driving an individual to take action due to the satisfaction inherent in the action (Tomasik, 2017; Huizinga, 1950). Several studies revealed that in the consumer context, hedonic motivation is a significant determinant of technology acceptance and use (Haryoto & Haryoto, 2015; Masa’deh et al., 2016). Price value is the perceived benefit of using technology measured against the cost of the technology (Ul-Ain et al., 2016). Habit is a perceptual construct that reflects the results of prior experiences, and it is a strong predictor of future technology use (De Moura et al., 2017; Slade, Dwivedi, Piercy, & Williams, 2015).
Performance expectancy refers to an individual’s perception that using technology has advantages in certain circumstances as the technology will improve performance (Venkatesh et al., 2012). Research using the UTAUT as a theoretical framework has consistently demonstrated that a statistically significant relationship exists between performance expectancy and users’ behavioral intentions to adopt technology (Oh & Yoon, 2014).